Apple strongly denies getting information from SecureWorks


I posed some questions to Apple when I wrote "Apple patches Wi-Fi but refuses to give researchers due credit" to try and pin down exactly what Apple acknowledges to have received from SecureWorks or not. I was a bit surprised when I got all of them answered, based on my past experience, so I will have to give Apple some credit for not dodging any of the questions this time and answering in a straightforward manner. The answers also surprised me since this puts Apple and the two security researchers David Maynor and Jon Ellch on a collision course at Toorcon 2006 and there is no backing out at either end. [Update 11:59 PM: David Burke gives a great analysis to the following response.]

Here is the word-for-word email response from Director of Mac PR Lynn Fox:

George,

Answers to your questions are below.

We noticed that there was a question on your blog for us that was not included in your below email (on packet captures), so we've also answered that question for you too.

• Did SecureWorks ever disclose any Wi-Fi vulnerabilities to Apple?

The only vulnerability mentioned by David Maynor was FreeBSD vulnerability CVE-2006-0226. This does not affect Apple products.

• Did SecureWorks ever disclose the packet captures of the malicious payload used to trigger said vulnerabilities?

No. Packet captures were promised repeatedly but never delivered.

• Did SecureWorks ever provide driver disassemblies pertaining to said Wi-Fi vulnerabilities?

No. While SecureWorks did provide a driver disassembly, it did not indicate a Wi-Fi vulnerability in any Apple product.

• Did SecureWorks ever provide crash dumps pertaining to said Wi-Fi vulnerabilities?

No. While we received crash dumps from SecureWorks, they didn't have anything to do with Mac OS X or any other Apple product.

• Did SecureWorks ever point to the location of the vulnerable code of said Wi-Fi vulnerabilities?

No.

• Do any of the current patches released by Apple match any of the characteristics of the information provided by SecureWorks?

No.

I'd also like to comment on this excerpt from your post:

"'Fox also said Apple staff were already aware of the flaw when SecureWorks contacted them about it prior to their Black Hat presentation, and that Apple had already determined that the wireless flaw addressed in the FreeBSD patch was not exploitable on any of the Mac products'

Now this statement has come back to haunt Apple. Ironically, I had accidentally stumbled upon this when I asked Maynor and Ellch in my video interview if the Wi-Fi vulnerability was anything "like" the FreeBSD hack back in January. I could have sworn I got a funny reaction from Maynor and Ellch but I figured they only reacted that way because not many people knew about the FreeBSD flaw. Little did I know at the time that I had actually stumbled upon the truth and that the Apple Wi-Fi flaw was EXACTLY like the FreeBSD flaw because it's all the same code."

The code flaws we addressed with the Wi-Fi security updates we released on September 21 are not based on the same code as the FreeBSD flaw.

We think this helps clarify what we've been saying all along and helps put this topic to rest.

Feel free to post my email to your blog word-for-word to avoid any confusion.

Lynn Fox

Director, Mac PR

Apple

Things keep getting more interesting every day.  More to come on this.


Talkback

73 comments
  • Strong words

    George:

    That is a strong denial. Thank you for posting that.
    bkwatch
    • Yes, very strong, and it only gets more interesting from here on out

      It's going to get even more interesting after this. Trust me on that.
      georgeou
      • so also says Rich Mogull

        Rich made a similar comment today.


        But you would have to agree, the chances of the patches that Apple
        released last week having anything to do with Maynor/Ellch's
        exploit just dropped......
        bkwatch
        • Please don't assume anything yet

          Please don't assume anything yet. Like I said, this is getting very interesting. What Apple says now can be refuted with evidence. Just hold off on any judgements for now.
          georgeou
          • evidence?

            Anybody on SecureWorks' side that presents evidence to refute Apple's statement to you would expose themselves as irresponsible researchers. They should have sent that information to Apple already and cooperated with them. If M&E have that info and haven't shared it, then they ruin their reputations.

            I don't believe it at all, I think you're just blowing smoke to inflate the hype.
            rwahrens1952
          • the problem with SecureWorks's evidence...

            is that apparently everyone that sees it can't ever talk about it again...


            and that's not called evidence...that's called leaking...and is just as
            bad as a carefully constructed PR statement....
            bkwatch
          • another one

            Glenn Fleishmann is also now reporting to expect "strange
            things". That is now 3. Unfortunately I'll be on a plane back from
            Europe during Toorcon, but I am sure we can expect something
            strange.

            I don't see much weasel room in Apple's last statement, George.

            And again to my friends at SecureWorks who are reading this: if
            you're going to do a demo, just announce it. Don't leak it out this
            way. You are not making any friends. Good PR is about
            narrative, about telling a story -- not about making the most
            noise.
            bkwatch
          • That might be interesting....

            if we hadn't heard it 100 times before.

            When are you going to learn that innuendo is not reporting?
            jragosta
          • Toorcon in "a couple of days"

            George, are we finally in the "couple of days" window where we get
            to see your super-secret, time-stamped, evidence?
            dgtruckses
    • I totally agree, very strong words

      It's incredible that they say Maynor was giving them what apparently amounted to junk. I mean are they saying he cannot even detect what kind of vulnerability applies to Mac products? Boy, that is bad.

      That's crazy eh. That's like saying someone who purports to be a doctor told a hospital that they could cure some of their patients' back problems by surgically removing their tails. Not much good if the hospital treats humans and not monkeys.

      If all that is true then it not only makes Maynor look bad, it hurts SecureWorks pretty badly as well, I mean who is going to take a security company seriously if one of their top security guys is pushing useless junk at a vendor that doesn't even apply in any way to their products.

      When Maynor told Apple what he had for them they just should have said forget it, I mean why bother. Obviously they must have realized this stuff was not going to be of any help.

      What I do not get -- considering this stuff was pointless crap -- why did it inspire Apple to do an internal audit? That is the weird part. Someone shows up with information that clearly "does not apply" and Apple says "Wow! We better do an audit on our wireless cards". Crazy eh. And even more amazing, they found issues! Ha! Amazing how lucky things work out sometimes isn't it.
      Cayble
      • not so crazy

        That's not so crazy.

        Apple is not some loose cannon, like you guys seem to enjoy implying. It is a responsible company that makes a world class Operating System, and has been very responsible in the past in jumping in and patching vulnerabilities discovered by outside parties. At least three times in this year so far, they've done that.

        So, no, when the blogosphere goes bananas talking about a supposed Hack of their systems, Apple really does do the right and logical thing when it decides to do an internal audit of their wireless drivers. Anything less would be the crazy thing.

        Just because M&E don't send anything that backs up their public claims doesn't mean that Apple should sit back on their laurels and do nothing.

        Don't ask me why a couple of researchers would release a very public demo and then refuse (or be unable) to provide the manufacturer anything to show where their code is vulnerable. It doesn't make sense to me, either.

        But what also doesn't make sense is why Apple would do the kinds of things you and Ou have been accusing them of doing. Apple is, and always has been, very protective of Apple's public reputation. I don't think they would "parse" words, nor lie directly, to try and deflect public criticism when they know darn well that said researchers could then release damning evidence at an upcoming conference like Toorcon. Especially when the last two months have been enough to have every ear in the industry listening in when they do.

        So, no, I don't see that Apple has any reason to lie.

        Of course, I don't see why any reasonable researchers would, either.

        But people do make mistakes. And maybe M&E did in this case, their demo certainly was full of holes, certainly raised more questions than it answered, at least.

        Also, their skill at PR certainly leaves a lot to be desired, too. (cigarette butts in the eye? Pulease! Motive anybody?)

        So stop being so deliberately obtuse in your reading of this situation. You have repeatedly spun Apple's responses to sound like you'd like them to, and have refused to take them at their word. Try reading their answers without letting your own bias twist things out of recognition, and you just might learn something.
        rwahrens1952
      • Seems reasonably prudent to me

        ---What I do not get -- considering this stuff was pointless crap -- why did it inspire Apple to do an internal audit?---

        Let's see, the press and the blogosphere are on fire with reports of an alleged vulnerability in your product. As far as you can tell from what you've been told, it's not relevant to your product. Do you, just in case, do a thorough study so you can be sure your product is safe, or do you just let things slide?
        tic swayback
        • and lo and behold!

          You find wireless vulnerabilities after all. But they must be just coincidences, right?
          JetJaguar
          • Actually, yes...

            ...since they're not the ones SecureWorks was discussing, and clearly SecureWorks had no clue about the actual vulnerabilities that were patched (assuming Apple is telling the truth here, which all evidence so far points to).

            How much credit does SecureWorks deserve for saying, "hey, there might be a vulnerability in your OS, go find it yourself"?
            tic swayback
          • I'm willing to suspend disbelief

            when it comes to spaceships making sound that carries through space when watching science fiction, but not when it comes to two sets or single instances of vulnerabilities affecting the same system on the same platform discovered at the same time by parties which were in communication with each other over the same issue, not being materially the same.

            What we're seeing is careful wording by Apple, and dancing worthy of the Nicholas Brothers (http://en.wikipedia.org/wiki/Nicholas_Brothers) from the apple-flavored koolaid drinkers. M&E have not lied, nor had any reason to.

            JetJaguar has spoken.
            JetJaguar
          • IOW

            IOW, you don't have any facts and you've managed to distort the
            facts that ARE available in order to foster your rabid hatred of
            Apple.

            And just what 'dancing' are you referring to? Apple's response was
            clear and concise.
            jragosta
          • If you start off with a clear bias...

            ...then you'll likely end up with biased conclusions.

            Again, Apple has clearly stated that the patches are for vulnerabilities that are unrelated to SecureWorks' claims and there are NO known exploits for the vulnerabilities. How much more clear can they be?

            ---M&E have not lied, nor had any reason to.---

            You don't think that getting headlines and notoriety would help them sell their new book on Wifi hacking, do you?

            ---JetJaguar has spoken---

            If only JetJaguar had some actual evidence or facts to back up his words.
            tic swayback
  • apologies

    ...are in order from those persons that have been accusing Apple of "parsing" words. This is as strong an indication so far that M&E and SecureWorks have not been playing this thing straight.

    If M&E show a demo (or even code) at Toorcon that they claim IS in support of their claims, then they have willfully withheld information from Apple that would have assisted them in identifying a vulnerability. That would be the height of irresponsibility.

    If they fail to show anything, then they expose themselves as frauds.

    Sounds like they've painted themselves into a corner.
    rwahrens1952
    • They have been parsing their words

      Apple PR has been giving me slick answers that dodged the question for the last 6 weeks and I stand by that statement and will not apologize for telling the truth. This is the first straight answer I got from them and I pointed that out. It's interesting to note that her answers are easily refutable so don't assume this is done. It's just starting to get interesting.
      georgeou
      • nice try

        That's a nice try, but you just saying it doesn't make it true.


        Like I said before - where's the beef? You've been talking, let's see you walk the walk...
        rwahrens1952