The Macalope Weekly: Unresolved issues

A bad bug was found in iOS 7 and Mavericks this week, so you know what that means: It’s time for the airing of the Apple grievances, whether or not they’re directly related to this or make any sense at all.

The sourest of grapes

The Macalope is not here to argue that Apple didn’t screw up royally or should not have gotten out a patch as quickly as possible. If you’re looking for his hoof-stamp-approved criticisms, read this piece by John Gruber about the questions this bug raises, and this one by Ashkan Soltani.

What he is here to take exception to, however, is the great rush to use this incident as an excuse to complain about stuff that’s not related to the bug or stuff that didn’t actually happen.

Writing for CNet, Seth Rosenblatt says “Apple’s culture of secrecy delays security response—again” (tip o’ the antlers to Shawn King).

If it wasn’t for the news reports of Apple’s “goto fail” fix released on Tuesday, you might not have known that there had been a security problem with your Macs.

If it wasn’t for news reports, you might not know news!

Except, Apple did reach out to members of the press and security community about the goto fail bug. Securosis’s Rich Mogull confirmed to the Macalope that he heard from the company and was told by Apple that the company had contacted a number of other people. That’s not the same thing as being frank and open with its customers about security, but it’s also not the same as “burying” the problem.

Emphasizing that he was speculating on Apple’s reasoning for the way that the update was published, Ash said in an email to CNET that Apple may have decided “to roll the TLS fix into 10.9.2 because they needed to put 10.9.2 out soon to fix these other vulnerabilities, and a separate patch would have delayed it.”

Well, that certainly sounds reasonable. Not, of course, as reasonable as assuming that Apple is incompetent or lazy or stupid or something. That’s clearly the thinking person’s path.

The evidence points to problems at Apple with alerting its users and fixing flaws in a timely manner. This is problematic because it’s not made clear to Mac and iPhone users how important an update is to their security.

By contrast, Google and Microsoft identify security fixes with standard terminology such as Medium, High, and Critical.

Code Blue. Orange. Medusa. Team Banzai.

Who cares what they’re called? Users should patch all of them.

Anyway, this is all well and good, but you know what this article needs? A quote from someone at a company that sells security software!

[Andrew Sudbury, CTO at security startup Abine,] added that the bigger issue at Apple is keeping iPhones and iPads secure.

Yes, the security of the most secure platform in existence is certainly a problem.

That grinding sound you hear is Sudbury’s ax. Here’s the deal: Security software vendors are ticked because Apple won’t let them sell their snake oil products on iOS. Any excuse is a good excuse to try to whine about that.

“iOS devices are a consumer device, and there’s nothing you as a user can do [to secure them.]”

Literally nothing. Installing updates in a timely manner and not visiting suspicious sites or clicking on suspicious links and not using public Wi-Fi are all nothing. They’re not even things, really. They don’t exist on a quantum-mechanical level. Look back through this paragraph and you’ll find that the Macalope never even mentioned them.

Never. Even. Mentioned. Them. In fact, you’re not even reading this column right now. You’re heating up a Hot Pocket.

“Apple takes all their responsibility, and even security companies can’t help you,” he said.

Ah, there’s the hurt. Forget the fact that if Apple opened up iOS to the degree it would need to in order for these security products to work the platform would become less secure. But what’s important is that it would help security firms sell software.

Lobby Apple today to make iOS less secure!

Desperately seeking catharsis

Hey, you don’t have to take the horny one’s word on that. Instead why not take the word of Google’s head of Android, Sundar Pichai.

We cannot guarantee that Android is designed to be safe, the format was designed to give more freedom.

[CORRECTION: According to a transcript of the event that TechCrunch acquired from Google, Pichai was misquoted by a local site (tip o’ the antlers to Peter Matthaei). In fact, according to their transcript, he makes exactly the opposite point. Now, from where the Macalope’s sitting, that’s belied by, well, reality. But there you go.]

And, as bumper stickers inform us, freedom isn’t free. Sometimes, in order to be free, you have to give crooks your banking information. Pretty sure that’s why we fought and won World War II, you guys.

In addition to trying to make iOS less secure in order to open up opportunities for security firms, this bug is also probably a great time to rehash old arguments.

Writing for ZDNet, Stilgherrian says “Apple’s goto fail needs a massive culture change to fix.”

Well, actually no, as it’s been fixed on both iOS and OS X. What you mean is that Apple may make a similar blunder again—assuming the bug wasn’t the act of an NSA mole or a covert CTU agent, suspended by a wire over a ticking copy of Xcode (no, 24 references are not dated, at least not anymore).

Now, the Macalope has long chastised Apple for its attitude toward security, and there is obviously still room for improvement. But that doesn’t mean that every lame charge leveled against the company is true.

Nothing must tarnish the image of Apple’s pretty, pretty garden, even if beneath the surface it’s rotten. Or poisoned.

Publishing a document describing the problems and referencing the relevant CVEs is tantamount to denying any problems exist.

That’s why I agree with Eugene Kaspersky, head of Kaspersky Lab, who nearly two years ago wrote that when it comes to security, Apple is 10 years behind Microsoft.

Ah, it’s pretty rich using the guy whose company’s Mac malware-fighting tool deleted user settings to knock Apple for a software bug.

Apple may be behind Microsoft in security procedures, but its platforms are targeted less than Windows and Android. Not to mention the fact that it also created the world’s most secure platform. Oh, but most security people don’t count that because it means their pals can’t sell software on it.

At the time, I called him a “glorious global megatroll” for that suggestion, but also wrote that Apple’s supposed invulnerability is a myth based on ancient history.

It is a myth. A myth perpetuated more by pundits intent on burning straw-man Apple fans that they’ve constructed than by anyone else.

Back when Windows was vulnerable to myriad viruses and worms, Bill Gates issued his Trustworthy Computing memo and Microsoft completely re-engineered the way it made software. The Security Development Lifecycle (SDL) methodology was the result. Windows was dramatically improved—well, at least from a security standpoint—so much so that the attackers moved up the stack and tore Adobe’s products a new one.

Man, if only there were some company that was famous for keeping Adobe’s products off its platform. Surely it would be universally praised for its foresight and not pilloried for creating a “pretty garden.”

Apple’s goto fail is a clear sign that the magic garden …

A magical pretty garden. The Macalope regrets the omission.

… needs weeding—or even a good dose of Agent Orange, rather than endless Kool-Aid.

And here come the lazy Apple tropes, spilling out of Stilgherrian’s mouth like too many clowns out of a VW Bug!

It seems that when it comes to security, Apple still couldn’t find its butt with both hands. Perhaps it should be using Apple Maps to help. No, wait.

Ding-ding-ding-ding! Congratulations, you just won Lazy Apple Trope Bingo!

Disclosure: Stilgherrian has travelled to US security events twice as Microsoft’s guest …

Oh, so someone steeped in Microsoft’s security culture is a huge fan of Microsoft’s security culture? You don’t say.

The horror. The horror.

Let us continue our journey, like Charles Marlow, up this river of passions enflamed by a bug.

Computerworld’s Gregg Keizer says “Apple retires Snow Leopard from support, leaves 1 in 5 Macs vulnerable to attacks” (tip o’ the antlers to Peter Cohen).

AAAAAAIIIIIIIIEEEEEE!

As Apple issued an update for Mavericks, or OS X 10.9, as well as for its two predecessors, Mountain Lion (10.8) and Lion (10.7), Apple had nothing for Snow Leopard or its owners yesterday.

Keizer’s piece was like dropping a stone in a pool of misinformation and causing waves of crazy-making conclusions.

The Boy Genius Report’s Brad Reed declared “1 in 5 Macs now wide open to malware attacks.”

Wide. Open. Just walk right in and take whatever you like.

At least the L.A. Times’s Salvador Rodriguez phrased it as a question.

“Is Apple done supporting Snow Leopard and 19% of Macs?”

For his money, the Macalope prefers the take of CNNMoney’s Jose Pagliery.

“Apple ends security updates for Snow Leopard”

Macs are increasingly targeted by cyberattackers. The recently discovered security hole in Apple devices—which allowed outsiders access to emails, instant messages and online bank transactions—shows how significant updates can be. That bug was fixed earlier this week.

Pagliery doesn’t mention that the bug was only present in Mavericks and not earlier versions. Then you have to wait until the last paragraph for this:

Like Snow Leopard, Microsoft (MSFT, Fortune 500) has announced that it will discontinue security updates for Windows XP on April 8. That will pose a potentially much more serious security problem. An amazing 29% of computers across the globe are still running Windows XP, according to NetMarketShare.

That’s 29 percent of computers. What percentage of computers are running Snow Leopard?

Comparatively, just over 1% of the world’s PCs are running Snow Leopard.

But Apple makes the headline because Apple.

Unlike any of these writers apparently, the Macalope actually took the time to read the CVEs referenced in Apple’s 2014-001 security update. All of them. So thanks for making him have to be the one to do that. He hasn’t even had a chance to watch this week’s episode of Arrow yet and …

Well, anyway, here are a few interesting facts.

  • Most of the bugs patched either explicitly state they’re only present in Mavericks (such as the SSL bug that started this whole thing) or Mountain Lion. Most of the rest make use of technologies introduced after Snow Leopard, such as Sandboxing, and therefore could not even be present in Snow Leopard.
  • None of the CVEs lists anything prior to Lion as being affected. It’s unclear whether this means Snow Leopard is unaffected or Apple simply isn’t testing Snow Leopard for these bugs. The Macalope’s inclined to believe it’s the latter.
  • As far as the horny one can tell, only two CVEs could actually be in Snow Leopard itself. The first is a relatively non-critical bug that allows “local users to bypass intended access restrictions by changing the current time on the system clock.” The second is more critical, allowing the execution of arbitrary code or a denial of service.
  • Several others relate to bugs in technologies outside the operating system per se, such as PHP and Apache. Users could update these on their own, although they would have to be aware of the need to update.

Has Apple discontinued security updates for Snow Leopard? It’s hard to say. Based on what he’s seen, the Macalope’s inclined to think it probably has. The Macalope and his editor are still waiting for Apple to respond to a request for clarification. I mean, the Macalope’s not going to hold off on watching that episode of Arrow to wait or anything. (Good thing too, because I just watched it and it is a doozy. —Ed.)

Whatever the case, what’s important is that this is a great excuse to throw a bunch of bugs in the air and pretend they all affect Snow Leopard when most of them don’t. That much is clear. And let’s also not address the question of who tries to write malware targeted at 1 percent of the desktop computing market.

Yeah. Why doesn’t the Macalope let Google’s Sundar Pichai have the last word:

If I had a company dedicated to malware, I would also be addressing my attacks on Android.

[ADDED: According to the transcript, Pichai did actually say this.]
