What Microsoft can teach Apple about security response

What Microsoft can teach Apple about security response

Summary: Microsoft just released seven security updates to fix 23 vulnerabilities in Windows and other products. In February, Apple released a massive update that covered 51 vulnerabilities and also introduced an embarrassing security flaw. The contrast is striking.


Security vulnerabilities are a fact of life. Even the best-managed development processes will miss some attack vectors, leaving the software makers responsible for fixing the underlying vulnerabilities.

Speed of response is important. But equally important is how a software vendor communicates with its customers about those vulnerabilities.

This month, we have textbook examples of the right and wrong way to handle security flaws, courtesy of the two companies that together ship nearly 99% of all personal computers.

Let’s start with Microsoft.

Today is Patch Tuesday, the day Microsoft designates each month for delivery of security updates to customers.

I used to be a skeptic about the concept, but Patch Tuesday has proven itself over time. Microsoft still reserves the right to deliver an “out of band” security update in response to threats that are being actively exploited and can’t wait. But overall the system has worked well.

The level of transparency in Microsoft security bulletins is impressive. Today’s announcements included seven bulletins, each with details about the vulnerabilities it covers, the possible impact, and the urgency with which IT organizations should respond. Three of the seven bulletins are rated Critical. (ZDNet's Ryan Naraine has more details.)

Those seven updates address a total of 23 separate vulnerabilities. Bulletin MS12-030, for example, addresses seven vulnerabilities in Microsoft Excel. Bulletin MS12-034 closes nine security risks in a variety of Microsoft products, including the Microsoft .NET Framework, Silverlight, and Windows itself.

For each one of those exploits, the Microsoft Security team rates the likelihood that exploit code will be released. Six of seven bulletins this month earn a rating of "1 – Exploit code likely."

In addition, as is its custom, the Microsoft Security Response Center published a blog post today that goes into detail about the issues involved in these specific vulnerabilities. The post includes videos and deployment guidance. A separate post on the Microsoft Security Research & Defense blog addresses the technical issues involved in identifying vulnerabilities related to a patch first issued last year in response to the Duqu malware:

The Office document attack vector leveraged by the Duqu malware was addressed by MS11-087 – Duqu is no longer able to exploit that vulnerability after applying the security update. However, we wanted to be sure to address the vulnerable code wherever it appeared across the Microsoft code base. To that end, we have been working with Microsoft Research to develop a “Cloned Code Detection” system that we can run for every MSRC case to find any instance of the vulnerable code in any shipping product. This system is the one that found several of the copies of CVE-2011-3402 that we are now addressing with MS12-034.

If you are a consumer or a business user, you don’t need to know those details. You can install the updates and know that you’re protected from all the threats identified in those bulletins.

But if you’re an IT pro or a security researcher, those details are invaluable in helping you decide how to prioritize your testing and deployment plans for those updates.

Now, allow me to contrast that exhaustive security response and thorough communication strategy with the equivalent response from Apple, the developer of the world’s second most popular consumer operating system.

In February, Oracle issued a security patch to fix a critical Java vulnerability. Apple, which retains responsibility for delivering and maintaining Java SE Update 6, did not release their version of that patch until April 3, 49 days later.

During that seven-week window, more than 600,000 Apple customers were infected with malware simply by visiting a website they clicked in a list of Google search results. They did not indulge in unsafe behavior. They did not fall for social engineering or provide their administrator credentials. They did not know they had been infected, in fact. And now, by most estimates, several hundred thousand Mac owners are still infected with that malware, which contains a backdoor component that allows a remote attacker to download any software onto that Mac and to perform any action that the user can perform.

Apple, to this date, has acknowledged the existence of this malware only in a terse security bulletin, titled “About Flashback malware.” It has not explained how the malware works, nor how to remove it if one is running Mac OS X 10.5.

Another incident was less widespread but potentially more severe. Apple released update 10.7.3 to OS X Lion, its latest version, on February 1. That update addressed 51 separate vulnerabilities in OS X, of which 22 could result in “arbitrary code execution,” with one having the potential to execute arbitrary code with system privileges.

Given the sheer number of vulnerabilities fixed in that release, you’d be crazy to skip that update. But if you installed it, and you had previously encrypted your home directory using the version of FileVault included in Snow Leopard, a flaw in the update code would result in your system keeping a clear-text record of all login usernames and passwords in a file that any attacker could read with ease. The point of encryption is to prevent a thief from being able to access your data if he steals your computer. This blunder has the same effect as if you had written your PIN code on your ATM card and then had your wallet stolen.

This issue was first reported on an Apple support forum on February 6, five days after the update was released. It was publicized to the Cryptome mailing list on Friday, May 4. It has been widely reported in the media over the past 96 hours.

And yet Apple remains silent. The company has not published a support document acknowledging the issue. It has not offered any advice for affected Apple customers on how to tell whether they are a victim of this bug and, if so, how they can remediate it.

More importantly, no one has explained how such a horrendous security gaffe could pass code review and make it into the public release of a crucial OS X security update. If this kind of mistake can happen, who knows how many smaller, potentially more serious mistakes might also have slipped in to what are supposed to be security updates? And what does that kind of boneheaded code mistake say about the quality of iOS?

With great fanfare, Apple hired Window Snyder more than two years ago, with the avowed goal of helping to secure the Mac ecosystem. Snyder worked for Microsoft for several years before moving to Mozilla to work on securing Firefox.

Last year, Apple hired David Rice, a security superstar from the U.S. Navy,  as its global security director. His name and title are nowhere to be found anywhere on Apple's website.

Despite that influx of talent, Apple in the past year has been hit with its two biggest malware attacks in history, and the company’s response has been weak and mostly ineffectual.

As far as I’m concerned, Apple has serious work to do to restore its customers’ confidence. That work needs to start with a competent Chief Security Officer and a commitment to communicate with its customers about security issues. And it needs to cooperate with independent security researchers and its competitors. And yes, that includes Microsoft, which has a tremendous amount of knowledge gathered over more than a decade.

Security response is a cost of doing business. With $100 billion of cash on hand, Apple could afford to attack the security problem head-on. Instead, the company seems to be sticking its head in the sand.

See also:

Topics: Microsoft, Apple, Malware, Security

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • Obviously, we should all switch to Linux

    Consider this comment my own application of troll repellent.

    None of this would happen if EVERYONE switched to Linux and enabled LSM, whatever that is.

    Never mind that none of the applications you rely on would run. This is obviously the solution, and anyone who doesn't see that is clearly blind and stupid. I stake my reputation on it.

    If this is what you believe, please respond to this comment so that other visitors can ignore you.

    Thanks for your cooperation. We now return to our regularly scheduled Talkback section.
    Ed Bott
    • Forgot to mention...

      That the easiest fix for all of this is to unplug your machine.

      I stake my reputation on that. :)
      The one and only, Cylon Centurion
      • AND

        GO TO THE BEACH...!!!
      • LOL - that's perfect... "...reputation..." love it love it.

    • Mr. Bott, I am curious as to how many of Apple's customers

      Have "lost confidence" in Apple. I agree with your post, as your reasoning is sound, but having to interact with users of Apple products I must disagree with you on the point of Apple having to restore its customers confidence, as many I have seen have not lost it.

      They still cling to the myth that Apple's products are bug free, error free, uncrashable, and unable to be infected with anything, as (as you have pointed out) they are not told that these things have occurred, blindly purchasing items based on the words of the uninformed.

      They have become the perfect target, as they are confident that they can not be a target.

      (And my human half did enjoy your parody/impersonation of a regular talkback "contributor" to your blog, though I use that word lightly)
      Tim Cook
      • Eminently logical

        Perhaps I should have said "instilled genuine confidence rather than blind faith."
        Ed Bott
      • I'm an Apple user...

        or was. I now mainly use a Windows laptop, I don't turn my iMac on very often.

        I feel Apple has drunken too much of its own Koolaid. They have always been stoic about admitting problems with their hardware, but to take that into the security arena is just foolishness.

        Maybe they feel they have built up such an aura of invulnerability, that they are scared to admit that they have a problem, but that doesn't help the users, especially as they have been brought up in the belief that they do not need any anti-malware software installed on their machines; good a lot of the anti-malware software for OS X isn't particularly useful (yet), but they are totally unprepared and their supplier is letting them down at every turn.
      • To paraphrase the captain on Star Trek ... "Engage ..."

        It is now time to engage the Apple plan. Release a new MAC with an operating system that is invulnerable to all the current attacks and inform their customer base that the only way to upgrade to the new OS is to buy a new MAC. That should take care of those nasty hackers.
      • lost confidence?

        I couldn't have put it better myself. It is quite likely if you went into a "Mac Store" even today, under these circumstances, and asked an employee if you should install security software, they would put on the "Macs-don't-get-no-stinkin'-viruses" blinders and tell you you don't need to.
      • On Logic

        Putting nonsensical statements into the mouths of Apple's customers doesn't count much towards it.
      • As is the case with you and your ilk

        ... who have blind faith in anything produced by Microsoft and spent vast amounts of energy putting down everyone and everything else. To paraphrase you: they still cling to the belief that Microsoft's products are bug free, error free, uncrashable, and unlikely to be infected with anything (especially if MSE is installed), and that any alternative vendor is not be countenanced under any circumstances.

        I simply ask this: if Microsoft and its products were [b]half[/b] as good as you would like to pretend, then why would there be [i]any[/i] need to defend it so vigorously and so viciously, since nobody would be disagreeing with you?
    • Good one

      Not sure if the impersonated linux advocate will be deterred, I bet he won't.
    • The secret to a bullet-proof OS...

      ...is to not allow applications to run on it. Linux still has this going for it; for years, Macs, with minimal market penetration, similarly enjoyed a dearth of applications (or, as I suspect they referred to them in private, "blemishes upon the perfect brilliance of their pristine Operating System").

      The most useful tools are those that get a lot of use...and from time to time, they break. It's a byproduct of their being useful in the first place.
      • Good point!

        I have had far fewer problems with my Windows PC since I reduced the number of applications running on it and disconnected it from the internet.
    • Security: What Microsoft and Apple learned from BSD and GNU/Linux

      o firewalling enabled services (Apple still hasn't learned this)
      o not running as the Administrator (or proper use of discretionary access control)
      o address space layout randomization (ASLR)
      o sandboxing applications and services
      o software repositories (coming with Microsoft Windows 8)

      It's a shame that Microsoft and Apple didn't return the favor by porting popular applications like Microsoft Office and iTunes to GNU/Linux and BSD. (Note: I'm not suggesting that these applications should have been open-sourced.) It's also a shame that the U.S. DOJ did not break up Microsoft into an operating systems company and an applications company. This might have given Microsoft, as well as Apple (indirectly), a kick in the seat of the pants.
      Rabid Howler Monkey
      • They did return the favour

        By providing a good example of what to do with the Desktop Environment (KDE owes a heavy debt to the Windows 95 look, and Unity's left dock is fooling nobody by not being on the bottom.)
      • Yes, and decompiling the code of any new app in a debugger to check it for.

        virus like code blocks helps, too. The problem is that is all geek to most folks. The problem really boils down to who are the targets the malware creators want. Tech savvy folks who do as you suggest, or those who hate the hassle of poking around in their OS and just want to, as the fat guy in War Games said, "Run programs". I've used OS installations (hell, I've set them up) where all you suggest and more, as it became available, was used. I had no problems, but then, I wrote and compiled my first C compiler on an 8080 many decades ago, so I'm slightly familiar with all this. No one else outside of IT or Engineerings software department could. As long as the PC is a swiss army knife of potential uses, this will happen regardless of the OS used. My TI35 calculator and Rival Microwave can't be hacked, for instance. That's what the PC would need to be reduced to to prevent malware.
      • PS

        Oh, byt the way, owners of servers and other machines on the backbone of the internet deserve all the condemnation you can deal when it comes to their own installations. Security is not OS specific. They should be amongst the tech savvy, after all. Right?
      • Yet Android...

        .. has an enormous load of malware on it (and is Linux based).

        The true moral of the story here is.. once an OS is popular in the mainstream, malware writers are going to target it, and you can't possibly anticipate every attack strategy they will use.

        If the new Ubuntu gathers momentum enough to become popular, you can be sure we'll see malware of some sort creep into that as well. It's just the way it all works.

        Posturing about the security reliability of mainstream OS's is pointless on a non-leveled playing field.
      • RE: Yet Android...

        @PolymorphicNinja You have a nice soapbox. Mind if I use it for a moment?

        While Android is Linux, it is not [b]GNU/Linux[/b]. Apple has done a much better job implementing software repositories securely than has Google. However, the recent gaffe that allowed apps in the iOS app store to transparently access user's contact information shows that Apple's implementation is not perfect. Those iOS apps that siphoned off users contact information are (and/or were) malware. Plain and simple.

        I never stated (or implied) that GNU/Linux was either more secure or more safe than whatever OS(s) you happen to like and use. The features I listed were designed and are used to repel or limit attacks on BSD and Linux servers. In the server market, Linux, and even BSD, have plenty of market share to attract the miscreants. They also get used by high-profile enterprises. And they get compromised when sysadmins take their eye off the ball or when 0-day exploits are used.

        The GNU/Linux desktop, with its approx. 1.5% market share, currently enjoys being underneath the radar of the malware miscreants. That does help make desktop GNU/Linux safer than both Windows and OS X. At least, at the present time.
        Rabid Howler Monkey