Apple’s security response: slow, reactive, and generally ineffective

I found a graphic on Apple’s website that needed fixing:

Here’s the long version:

Flashback malware exposes big gaps in Apple security response

Apple’s been astonishingly successful with its Mac hardware in recent years. The dark side of that success is the attention they’ve begun to attract from online criminals.

Apple and its customers got a hint of what was in store with last year’s Mac Defender outbreak. This year, a much larger and more disturbing outbreak has infected more than 600,000 Macs with a piece of malware called Flashback. The entire Flashback episode has in fact exposed Apple’s security weak spots.

A lot of what Apple is learning about security today will show up in future editions of OS X and iOS, as the company presumably gets smarter about writing code. But what about the 60 or 70 million current Mac owners?

They have a right to expect much more of a security response from Apple than they’re getting now. As an Apple customer myself, I believe Apple deserves four key criticisms of its current approach to security.

Pretty tough dilemma for Apple, actually. In order to deal with current security threats, they have to communicate about them with customers. But a key piece of the Mac image is that this just doesn’t happen to them.

So far, protecting the Apple brand has won out over protecting Apple’s customers.

2 thoughts on “Apple’s security response: slow, reactive, and generally ineffective”

  1. FUD.
    Flashback is not a virus, so the infographic “fix” does not really apply here (regarding flashback anyway).

    “In order to deal with security threats, one needs to communicate about them with customers”: I respectfully disagree, PR is not how you fix it. You take care of the actual vulnerabilities, that’s how you fix it.
    PR is just for the journalists “in the meantime” (while a fix is on the way).

    Now you can measure the number of days it took to release a fix and stuff like that, then see how the release speed compares to other software companies and maybe get a sense of how fast/slow they are. That would be a much more interesting analysis.

    1. Oh God, you’re really going to go there?

      Technically, Flashback is a virus, because it does code injection. But even if you just call it by the generic term “malware,” it is a dangerous little beastie. Here’s what I had to say in response to similar ill-informed arguments in the comments at ZDNet:

      “Some commenters seem to have missed that point, so let me repeat those details more emphatically. The Flashback malware in its current incarnation does not use an installer. It does not require that the user enter a password or click OK in a dialog box. It is a drive-by download that installs itself silently and with absolutely no user action required, and it is triggered by the simple act of viewing a website using a Mac on which Java is installed.”

      The backdoor component includes a downloader component that is capable of installing new malware at the botnet master’s discretion.

      Meanwhile, this is what Apple released on April 3:

      “Java for OS X Lion 2012-002 and Java for Mac OS X 10.6 Update 7

      Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7.3, Lion Server v10.7.3

      Impact: Multiple vulnerabilities in Java 1.6.0_29

      Description: Multiple vulnerabilities exist in Java 1.6.0_29, the most serious of which may allow an untrusted Java applet to execute arbitrary code outside the Java sandbox. Visiting a web page containing a maliciously crafted untrusted Java applet may lead to arbitrary code execution with the privileges of the current user. These issues are addressed by updating to Java version 1.6.0_31”

      So you think “addressed” in this case isn’t the same as “fixed”? All righty then.
