Apple needs to open up says Mozilla security chief

by Steve Ragan - Sep 17 2008, 11:05

At the IT Security World conference on Monday, Window Snyder, the security chief at Mozilla Corp., gave a keynote on multi-layer defenses. The core news emerging from her talk is that Apple Inc., rivals only to Microsoft in operating system market share, needs to be more open with how it handles security.

Apple needs to open up regarding security says Mozilla security chief Window Snyder. (IMG:Apple)

Snyder is a “big” Apple fan, she says, “but one of my big problems with Apple is we don't get to hear what they're doing with security. I'd have a lot more confidence if they would communicate that stuff.”This has always been the case with Apple, which recently released another round of security fixes for its OS X platform. Often the complaint you see from reporters and security experts is that too little information is released when discussing security problems on Apple-branded products. There are issues with how patching is handled and some security researchers refuse to work with the company because vulnerability reports are often ignored or nothing is done about emerging issues.In 2007, Thor Larholm, a noted security expert who discovered issues in Safari for Windows within two hours of release, made his opinions clear by saying: “Given that Apple has had a lousy track record with security on OS X, in addition to a hostile attitude towards security researchers, a lot of people are expecting to see quite a number of vulnerabilities targeted towards this new Windows browser...”Apple has made some improvements in the way it talks about security. Yet, unlike Microsoft Corp., Apple does not offer security-only insight into its products, nor does it discuss processes and planning when working on new security features or services.Examples of the sealed-lip ethos portrayed by Apple's security team can be confirmed by their own wording, which states: “For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available.”The recent update to OS X addresses security issues that Apple never informed end users of ahead of time, instead opting to leave them vulnerable until the next patch cycle. Even then, users are given only the basics about the security issue, and nothing more.“They have a real opportunity there to show the rest of the security industry what they're doing because I think they are doing good work,” said Snyder, adding that it is painful when end users have to rely on marketing to know if something is secure or not.So, will Cupertino-based Apple open up and become more informative? It's highly unlikely, not least because it has made keeping secrets and building hype almost an industry standard. Why would security matters be any different?

Talkback

Add your comment (no registration required)

page: 1

PaulSep 17th, 2008 - 15:01:51

I don't get why Apple should do this at all. The benefit is more to the security related research industry and not Apple.

If Apple needs the help of this group of people then it might change its stance, like Microsoft had to. I am an Apple consumer and I have much more faith in Apple than I do in these security related researchers. These guys are only out to make a name for themselves, take little risk themselves and are constantly harping about why XYZ company does not discuss things with them openly.

But unless they can articulate the benefit to Apple, I simply don't see why Apple should change its behavior regarding this issue. Secondly Apple has to feel that this is really a benefit.

Instead these guys should stop supporting Apple, by not using its products. On the one hand they use Apple computers and then complain about communication from Apple. If they think its that important, let them discard their Apple computers and focus on making Firefox, IE, Chrome and whatever else more secure and let the marketplace decide what they want.

Report this comment

Doug PetroskySep 17th, 2008 - 22:13:58

I guess I don't really get it ether. The 'potential' security holes that Apple constantly patches are just that until someone exploits them. Disclosing information about the hole before you have a fix is where huge exploits come from. Even disclosure after patching (because everyone does not patch immediately) seems a bit dangerous for your installed base.

I understand allowing users to make informed choices and how it 'can' make them safer. But by disclosing, you expose more people to risk. This is an interesting line and one I'm willing to let apple continue to dance along because so far things have been good.

It is hard to say you have to change when you still have a near 100% success rate.

Report this comment

Ron McElfreshSep 17th, 2008 - 23:28:40

All one has to do to view Apple's 'track record' on security is to count the number of actual public exploits vs. vulnerabilities. All major operating systems and many applications on those systems have vulnerabilities. The real issue for Apple and for the company's customers is an exploit first, vulnerability second.

How does Apple's track record for common public exploits of those vulnerabilities when compare to Windows? What's the score? 125,000 to, uh, zero?

I would like to see Apple improve to reduce even the few vulnerabilities they have, but their position seems like it's working quite well.

Report this comment

page: 1

Add your comment (no registration required)

Security

Apple needs to open up says Mozilla security chief

Talkback

Latest

Latest Articles on Monsters&Critics

In The Tech Herald

Site

The Fine Print