OS X Users Vulnerable – Apple Still Don’t Get Security
Filed Under Computers & Tech, Security on July 30, 2008 at 4:43 pm
One of the things I really love about OS X is its Unix underpinnings. Under the hood we get all the *nix tools and utilities I’ve come to know and love: printing with CUPS, remote shell with OpenSSH, Windows sharing with SAMBA, web publishing with Apache, and so on and so forth. This gives OS X great power, but it also places a great responsibility on Apple. Just like any other software, open source programs have vulnerabilities surface in them. In general the open source community is very responsive to security issues, and patches are released quickly. Those patches protect those who update, but they leave those who don’t even more vulnerable. The reason for this is that the patches can generally be reverse engineered, making it easy for the bad guys to attack unpatched machines. In order to keep OS X secure Apple need to push out patches for the open source components in OS X to users as quickly as possible. This is where Apple fall down: they are notoriously slow at getting patches out.
Last year Apple left its users vulnerable for months when it failed to push out a critical SAMBA update; now they are failing to push out a patch to ISC BIND to protect us from the critical DNS vulnerability that’s currently threatening the web. The DNS flaw was announced on the 8th of June, and ISC BIND was patched that very same day, as indeed was Windows. In fact, there was a massive simultaneous release of patches because this flaw is so big and so dangerous. The fact that Apple didn’t take part in this simultaneous patch release indicates to me that they still don’t get security, and that they’re not ready to enter the enterprise.
Apple’s pathetic patching record means that I’d go so far as to call it professional negligence to deploy OS X Server in a corporate environment. It really pains me to have to say that, but Apple keep on proving my point by not patching the open source components in OS X in a timely fashion. Until we see a change in Apple’s behaviour, OS X has no place in a server room.
Unfortunately the problems are not confined to corporate server rooms. The DNS flaw affects any device that resolves DNS queries, and that includes our home computers and our Macs. Granted, in this case DNS servers are a much bigger and more tempting target, but your Mac is vulnerable nonetheless. What really annoys me about this is that Windows was patched on the 8th, as were all properly maintained Linux and Unix distributions. It really is just Mac users that still have to worry about this flaw, even if their ISP has patched its DNS servers. That stark reality makes a mockery of Apple’s security claims.
Apple need to fix their security practices soon, because one of these days Apple are going to get badly bitten by one of the flaws they fail to patch promptly. When the inevitable happens it won’t just be Apple’s reputation that suffers; regular Mac users like you and me will be the ones bearing the brunt of Apple’s continuing hubris.
Bart,
First time reader.
While, from a technical standpoint, I agree with your comments, from a real-world, Mac admin running 60+ Macs and three Xserves, I feel it’s the old swimming analogy: Windows users need a life jacket because in the open waters of the Internet they can’t swim without it (firewall, AV software, etc.). Mac users, however, can swim just fine without a jacket. So why do we need it?
Yes, there is the potential for the very situations you are warning us about. And I see 2/3rds of all motorcyclists without helmets. I wouldn’t ride without one, but…does that mean they will have an accident?
Yes, Apple could get better about patching known vulnerabilities. I just think with all of the stuff on their plate (iPhone 2.0 update, MobileMe, iPhone 3G rollout, etc) they just haven’t had time to breathe. And in their world security is very good. We Mac users have had a much better record at security than the Windows folks. And we all know Apple is a lean company, and they are going through some growing pains right now.
So where am I going with this? Apple may be acting a little snobbish by not getting these vulnerabilities fixed in a timely manner. But remember, Apple is not knocking on the Enterprise door. I think if they could sell a thousand Macs to some F500 company, to them it would just be sprinkles on the icing on the cake. They don’t need the Enterprise right now and it would really put them in a war they can’t win if they decided to fight for it. The iPhone is the Trojan horse. Once it gains some ground you may see them go after the low hanging fruit (disenchanted Windows-using CIOs).
Great post, nevertheless.
Sorry Blad_Rnr I completely disagree with your assessment. Do you even know what this vulnerability allows the unscrupulous to do?
The next time you type in the address for your favorite online retailer (you’re smart and never enter online stores via links) you could be re-directed to a server in Zimbabwe where the army makes and enforces all the laws for their own benefit.
I agree that Apple has as much business as it can handle right now and isn’t knocking on the door of enterprise. That’s a good thing because they’d get laughed right off the premises if they tried to get in the door today.
Thanks Blad_Rnr,
Forget about the enterprise. It’s not good enough to leave Education and home customers vulnerable like this either. Those are markets Apple certainly rely on. To extend your swimming analogy, every single Mac that is out on the internet is vulnerable, and there is no life jacket available.
There is exploit code out there so we really are not safe, and Apple are responsible for that. The fact that they’re busy is not an acceptable answer. Security should be the TOP priority, nothing should be able to trump it! Also, OS X uses BIND which has been patched. Apple don’t need to do anything more than compile it and package it.
The fact that Apple have not been targeted in the past does not offer any protection at all.
You’re dead right about the iPhone being a wedge to get Macs into the enterprise. The iPod, the iPhone, the quality of Mac hardware and the usability of OS X are all driving more and more people to the Mac. With each new Mac user the danger increases and Apple have a little less time to clean up their act.
Minor suggestion on the title, it should be;
Apple Still Doesn’t Get Security.
Hi Mathue,
You’ve hit on an interesting cultural thing there. Here in Ireland it’s normal to refer to a company using the plural, it is after all a collection of people. I know that in the US the singular is used instead. Since this is an Irish blog I’m going to keep my title the Irish way though. You may also notice that I don’t use US English spelling either.
Bart.
@ Bart and Clarus,
Listen, I agree with you both. My point is that just because there is the THREAT of a vulnerability doesn’t mean there WILL be.
I don’t want to hang my hat on that. But I have been a Mac user for 20 years, so cut me some slack:-) Never had a Mac virus. Never been compromised. Never been hacked. So this is where I’m coming from.
I can see both sides. Living in the Internet community it surely makes sense, at least concerning the DNS issue, for Apple to move.
Of course, maybe I’m just old…
I can understand the sense of security you get from 20 years of safety. I’d love to think it will last. But it just can’t if the Mac continues to grow in popularity like it currently is (which is a good thing). The Intel transition lowered the barriers to entry into the Mac attacking business significantly, and the continued growth of the Mac makes it a juicier target every day.
I’d be prepared to wager that some time over the next decade the Mac will suffer a serious compromise. It could be tomorrow, it could be next month, it could be next year, but I believe it will happen. Apple are just being too complacent. The fact that it hasn’t happened doesn’t mean it won’t!
I don’t often want to be wrong, but this time I do. I just don’t think I am!
Bart.
1) People have been “predicting” this for years. It still has not happened.
2) These “security” experts obviously have a vested interest here. To stay in business people need to be afraid of malware.
Hi Bill,
Bill, I’m sorry to bust your conspiracy theory but the facts speak for themselves. You don’t need experts to tell you that Apple are slow to patch flaws with known public exploits. Off the top of my head I can give you three serious examples:
1) The ARDAgent privilege escalation vulnerability that is being used by the OS X Trojan that’s doing the rounds. That’s been known for weeks if not months at this stage but we’re all still vulnerable.
2) The current DNS vulnerability. Three weeks later we’re still needlessly vulnerable.
3) The SAMBA flaw last year. It took the SAMBA guys a day or two to get a patch out, it took Apple MONTHS to push that out to users.
Apple are being reckless, and I don’t need a security expert to tell me that.
Bart.
You’re 100% correct. Apple is slow to patch VULNERABILITIES. You’re also 100% correct that SOME DAY this will cause problems for Mac users.
But you’re also ignoring the FACT that as of this date, no one is taking malicious advantage of these vulnerabilities. Just because you smell a wolf doesn’t mean there is one out there. Sure, we should be prepared to fight off a wolf if one ever arrives, but right now you’re crying wolf so strongly and so meaninglessly, that if and when a wolf actually appears, nobody will believe you. You’re defeating your own purpose.
On the other hand, it has been estimated by the end of this year there will be 1,000,000 pieces of malware, in the wild, that are attacking Windows users. Recently, research showed that an unpatched Windows computer on the internet would be infected with malware within four minutes.
Where are your priorities? Do you really think that crying “wolf” is helping instead of harming? If so, you’re sadly mistaken.
Don, are you seriously saying that it’s wrong to call Apple out on needlessly exposing its users to real, genuine threats? The vulnerabilities are public, the exploit code is in Metasploit and patches exist, but Apple simply haven’t bothered to distribute them.
That’s not crying wolf. There is no imaginary threat here. It’s real.
The OS X trojan that’s doing the rounds. That’s real. It hasn’t done much harm yet, true. But it won’t be the last Trojan for OS X. It’s the start of a trend.
As for the DNS flaw, that’s real too. Not imagined. AT&T had a server compromised today. Linux and Windows server admins have the option to patch, Apple server admins don’t. You think that’s a good thing? You think the bad guys will look and say “oh, don’t attack that DNS server, it’s running OS X”? A DNS server is a DNS server is a DNS server. They’re all targets, so they all need to be patched, but the Apple ones CAN’T BE!
Yes, Apple users have not been targeted much in the past. That does not mean things will stay that way. And that certainly does not mean that we should not complain when Apple needlessly puts us in danger!
Bart.
Evening Bart,
Re: Don’t/Doesn’t
Huh, wild. I can’t say I’ve ever noticed this before, either when I’ve been in Ireland or reading the occasional newspaper article.
I’ll take your word for it and assume it’s something regional 🙂
Please specify how many actual human people you are directly aware of who have experienced os x security problems. I have been in this business since 1984. I don’t know a single os x user who has experienced such, and I don’t know a single windows user who hasn’t. Comparing the two is ludicrous.
Jim
Just adding my voice as an OS X Server admin – this is bad stuff and we can’t just let Apple ignore these issues. I love my Macs and a lot of what Apple does, but this isn’t just some unusable exploit that won’t likely go anywhere, this is a DNS *server* compromise!
The next time you visit Paypal, your online bank account or an online store it could be a fake site, simply because you are connected to a DNS server that has been compromised and is now giving out compromised information. If you knew your ISP was using Mac Servers would you now be worried? You should be!
I too have had decades of safe computing with Apple, but that’s not reason to give Apple slack in the face of a serious issue that HAS been fixed at the source!!! All they need to do is package up the Bind fixes and distribute it through Software Update.
Seriously, it should take an Engineer less than a day to do that, which should take priority over a lot of other things. I like a lot of things about Apple, but things like this infuriate me.
I have to disagree. This threat is really about your ISP or who ever you use for DNS services. For an individual home user, even one connected directly to the internet, this represents a virtually non-existent threat.
I find it laughable that people continue to bash apple on their patching practices seeing as the number of macs exploited by any of these security holes is zero or statistically close enough to zero.
Apple has a track record of patching real threats very quickly. So quickly, that up to this writing no mac user has any reason for concern. Now this may be dumb luck or it may be brilliant threat assessment. Neither of us knows for sure but numerous people went on the record saying that years ago OS X systems would be ravaged by viruses, adware and spyware. And nothing has happened.
Time for you to draw a line in the sand… how soon will this lax attitude cause a major outbreak to spread through the Mac community? The end of this year? The end of next? I’m not going to hold my breath, nor am I losing any sleep.
Doug,
The big issue here is OS X Server. Apple don’t just do desktops. They do servers too, and servers that run a DNS server. Yes, this is not a problem if you connect to the net through a NAT router, a small problem if you connect a Mac directly to the internet, and it’s a huge problem if you’re running an X-Serve as your DNS server.
You’ll notice in my post that I talk about running OS X in a server room. I do also mention the reality that Windows desktops and servers are patched while Apple desktops and servers are not. Fact. And the fact that BIND is patched but Apple haven’t bothered to ship it out is disgraceful.
We’ve all come to love the fact that life on the Mac is problem free with regards to security. I for one would like to see that continue, despite Apple’s ever increasing market share. If Apple don’t get better about patching it can’t continue. We’re no longer a niche market with a funny architecture, we’re 10% of the market on a standard Intel architecture. Times are a-changing, and past security is no guarantee of future security, and certainly no excuse for poor security practices by Apple.
Bart.
This is simply astounding…
What this highlights to me is that certain Mac users (not all!) liken their machines to the Roman Empire – and have become similarly over confident and indolent, choosing to believe that “it will simply never happen to them”. It also reminds me of that old adage, “Pride goeth before a fall…”
The unconcerned posters have touted analogies with motorbike helmets, and some others that it hasn’t happened in 20 years worth of experience- so what? I don’t know if any of you have seen a motorbike accident involving someone without a helmet, but just because it didn’t happen 99 times, the 100th time may very well kill you, in a devastating way!
Besides (and I’m very surprised at Blad_Rnr, if his experience is as extensive as he states), this is a *DNS* flaw – by its very nature, it is out in the wild! Citing the geekgasm that is the iPhone as the ‘excuse’ for not patching this gaping hole is pathetic at best.
Picture it! A court of law – with the security guard for a major city bank in the dock. The judge, in a loud, booming voice says, “You’ve been there for twenty years, had an exemplary record, and you left to visit the doughnut stand because they were selling a new flavour?!?”
The reply?
“Well, everything was all right up til then…”
One thing that hasn’t been mentioned here yet is that Apple actually has improved their announce-to-patch time significantly from just a year or two ago. It doesn’t mean it’s up to par yet, but I do not think it at all fair to say they are making no effort. They certainly are making strides to solve this problem. Of course security conscious folks will never be satisfied, but security cannot be the sole focus of a company. It must be weighed against competing concerns.
Any long time Mac OS X user will know what I mean. In the first few years of OS X we never saw Security Updates often let alone one every month or two like we see now.
I’d say they’re moving in the right direction. Eventually they’ll be where Bart wants them to be: patching same day as announcement.
That’s my sense of it.
The fact that we are seeing more security updates is of course a good thing, and indeed movement in the right direction. But something to bear in mind is how much Apple play up the security of OS X. When you talk big about security you also have to give it a high priority IMO.
Also, they’ll only move to where I want them to be if Mac users keep the pressure on Apple. By reminding people of security issues on OS X on this blog and on the various podcasts I contribute to, I’m playing a very, very small role in keeping the Mac community aware of security and keeping the pressure on Apple to keep moving in the right direction.
Bart.
Well, in fairness guys, this vulnerability was made known to all the big players (Microsoft, Sun, Apple) around the same time, so that a patch could be released on the same day.
Guess who didn’t? It’s not that they’re not fast enough, it’s that they were given the same lead time as EVERYONE else, and did nothing. Or at least, nothing anyone outside the company can benefit from to date. No matter how you slice it or dress it up, that’s *awful*. Outdone by Microsoft? In anything? Yikes…
Hey Bart,
Update is finally out from Apple:
http://support.apple.com/kb/HT2647
Took ’em long enough.
Looks like both the DNS and ARDAgent issues are resolved.
-Kevin
Saw that in my RSS feeds this morning. ’bout time!
Bart.
@ mathue – Bart and I have talked about this interesting difference in language a few times. The first one I noticed was the plural form for company names, which has a certain amount of logic to it. The other one that took a LONG time to understand was how he would say “a HDR photo” while the correct (i.e. American) way of saying it would be “an HDR photo”. In American English the “h” is a hard sound like “aitch”, but in Ireland they pronounce it with a soft h like “haitch”, which means we’re both writing correctly. That kept us entertained for several days trying to figure out why we both thought we were right – while a simple VERBAL conversation would have resolved it in seconds!
@ Allison Sheridan
Hey – firstly, a big hello! Bart’s usually got your podcast on in the office, so it’s nice to finally “meet” you!
As for the haitch/aitch thing, Irish/English speakers (i.e. non-American) are supposed to use it in a similar vein as a ‘vowel’, e.g. “an historic event”, “working in an hotel”. I use it, in speech and the written word; unfortunately not too many others do, but there you go! Anyhow, I’ve gone waaaaay off topic!
Cheerio!
P.