Most Recent News from the Lab

Thursday, February 28, 2013

RSA Conference: Ransomware + Mitigating Botnets Posted by Sean @ 12:49 GMT

RSA Conference USA 2013 is taking place this week.

On Wednesday, our Antti Tikkanen and Paolo Palumbo gave a talk called: Ransomware Attacks!

RSA HTA-W23, Ransomware Attacks!
Slides available here. [PDF]

Here's a view of the ZeroAccess botnet:

ZeroAccess

The screenshot was taken from a KML file that maps over 200 thousand unique bots (which is just a fraction of ZA).

And that brings us to Mikko's RSA talk: New Ways of Mitigating Botnets

RSA BR-R33, New Ways of Mitigating Botnets
Slides available soon.

Here's Mikko fighting some "bots" in preparation for his talk:

Mikko playing Space Invaders

Trademark Python™?? Posted by SecResponse @ 11:26 GMT

It seems the Python Software Foundation needs some help with a company in the UK that is trying to trademark the word "Python" for "software, servers, services… pretty much anything having to do with a computer".

So here, for the record, is our statement.

F-Secure Labs hearts Python

We at F-Secure use Python extensively in our organization, mainly on the back end and for internal tooling, but it's ubiquitous in our R&D work, and we encourage all our developers to embrace Python (in the fairly unlikely event that they are not already enthusiastic about it). To the best of our knowledge, our company is representative of the technology industry in Europe in general in this respect; apart from very specialized niche companies, everybody is using Python, and it would seem preposterous outrageous insane unfair to grant this trademark to anybody except the legitimate holder of the intellectual property rights for the Python programming language.

Best Regards,
NftL

Wednesday, February 27, 2013

Things That Make You Go Hmmm… About Apple "Security" Posted by Sean @ 13:22 GMT

Dear Tim Cook,

Have you searched for the term "antivirus" lately? — I'm guessing not.

Here's what Google Instant is currently offering up:

google.com, antivirus

Hmm, "antivirus for mac" — very interesting.

You know, maybe it's time for Apple to adjust its "security culture"?

Let's do some more searches. Here's what you'll get from apple.com when you search for "security updates":

apple.com Search Results

Marketing material. Typical. Oh, support info is on the right-hand side. Alright, fair enough then, security is a support issue.

Here's what you'll get from apple.com/support/ when you search for "security updates":

apple.com/support/ Apple Support Search Results

The top result is from December of last year, and there are even older results below. But there does seem to be a mention of security updates inside the text. Opening the article finally links you to an index: Apple security updates.

The index shouldn't be so difficult to find. And it's kind of sad it needs to be in quotes to actually show up in the search results.

Apple Security Updates

So let's take a look at the most recent security update article:

About the security content of Java for OS X 2013-001 and Mac OS X v10.6 Update 13

At the very bottom of the page, there's a section about Malware removal:

Malware removal

This is the definition of the word "summary" as provided by Google:

google, summary definition

Not for nothing, but don't you think it's kind of lame that "malware removal" isn't mentioned in the summary?

Now let's search for something else.

Here's something you'll find if you search apple.com/support/ for "antivirus":

Avoid harmful software

Avoid harmful software? Gee, great tip. If this was 2009.

These apps, called

Internet downloads and email enclosures?

To be very frank, this advice was already behind the times when it was written in July 2012:

Last Modified: Jul 31, 2012

You just might want to get somebody to update that article with a mention of "exploits" and "drive-by attacks" and "watering holes" and… oh, you know, relevant stuff.

Look, here's the thing. Eleven years ago, Internet worms smacked around Windows so much — it ended up being a real wake-up call. At which point, Microsoft made a big, and successful, effort to change its security culture.

But Apple?

Here's your corporate line:

"For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available."

Here's the problem.

Apple not only refuses to confirm issues "until" patches are available — it doesn't even discuss them after the fact.

And why is that a problem?

Because we don't live in an era of Internet worms anymore. This is an era of Internet hacks! And information is valuable because it allows organizations with a large Mac user base to make informed threat assessments.

And the more Apple shares with the community, the better off everybody will be.

So please, consider making a change in Apple's culture of secrecy and denial.

You have talented, and friendly, security response analysts working for you. Why not highlight their efforts? Consider putting them front and center and applaud them for their good work. Own this problem, get in front of it.

Because it's the right thing to do.

Regards,
Sean Sullivan
Security Advisor, F-Secure Labs

Tuesday, February 26, 2013

Poika Visits Malaysia Posted by Sean @ 13:05 GMT

Looks like our poika (AV-TEST's award for Best Protection 2012) decided to visit Malaysia.

Seen here with members of our Kuala Lumpur team:

Our poika visits Kuala Lumpur

That's a very cool view…

Monday, February 25, 2013

The Lowest Hanging Fruit: Java Posted by Sean @ 17:00 GMT

By all measures, Java is the current title holder for the lowest hanging fruit in computer security. (And by Java, we mean JRE and its various browser plugins.) It wasn't always so. How did it happen? Let's review some highlights in the history of low hanging fruit.

From 2004 to 2008: Attacks shifted from Windows to Office.

2004, August — Windows XP Service Pack 2 was released.

2005, February — At RSA Conference, Microsoft announced the first beta of Microsoft Update.

2005, June — The initial release of Microsoft Update.

Result: Over time, fewer Microsoft Office vulnerabilities in the wild as Microsoft Update replaced Windows Update.

From 2008 to 2010: Attacks increasingly focused on Adobe.

2009, February — "Adobe Reader has become the new IE"

From my point of view, Adobe Reader has become the new IE. For security reasons, avoid it if you can.

2009, March — Adobe started a quarterly update schedule, available on "Patch Tuesday".

  •  ASSET Blog: Adobe Reader and Acrobat Security Initiative

2009, April — Oracle buys Sun, becomes the owner of Java.

2010, March — PDF Based Targeted Attacks are Increasing

Targeted Attacks

  •  Computerworld: Hackers love to exploit PDF bugs, says researcher

Adobe wasn't surprised by the data. "Given the relative ubiquity and cross-platform reach of many of our products, Adobe has attracted — and will likely continue to attract — increasing attention from attackers."

2010, July — Adobe Joins Microsoft's MAPP Program.

  •  ASSET Blog: Working Together: Adobe Vulnerability Info Sharing via Microsoft Active Protections Program (MAPP)

Result: Adobe became a team player… and has the results to show for it.

From 2010 to 2013: Java claims the title of lowest hanging fruit (on multiple OSes).

2012, April — Adobe ends "quarterly updates", responds monthly, as needed, still aligned with Microsoft's update schedule.

  •  ASSET Blog: Background on Security Bulletin APSB12-08

2012, August — Java Runtime Environment = Perpetual Vulnerability Machine

2013, January — ZDNet reporter, Ed Bott, declared Java the new king of foistware.

  •  ZDNet: A close look at how Oracle installs deceptive software with Java updates

2013, February — Numerous companies admit to security breaches due to Java.

  •  The Verge: After so many hacks, why won't Java just go away?

Result: Java's browser plugin is deemed public enemy number one.

But wait, is disabling Java's browser plugins enough?

2011, March — Spotify Free users attacked via malicious ads. At least one attack used a Java exploit.

  •  SC Magazine: Spotify in malvertising scare

Seems it isn't just "browsers" that can trigger Java.

From 2013 to 201X: Oracle either evolves or JRE becomes increasingly irrelevant.

Oracle releases its critical patch updates on the Tuesday closest to the 17th day of January, April, July and October. By releasing such updates on a day other (and later) than "Patch Tuesday", Oracle currently forces IT departments to schedule an additional patch maintenance assessment and testing meeting.

Something really ought to change.
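As an added example (not code from the post or from Oracle or Microsoft), here is a small Python script that turns the two release rules into a calendar: Oracle's "Tuesday closest to the 17th" of January, April, July and October, beside Microsoft's "Patch Tuesday", which the post names but does not define and which is assumed here to be the second Tuesday of the month. It reports how many days the Oracle date trails the Microsoft one per quarter, and goes beyond 2013 to show the year in which both rules land on the same Tuesday.

```python
from datetime import date, timedelta

TUESDAY = 1                 # date.weekday(): Monday == 0 ... Sunday == 6
CPU_MONTHS = (1, 4, 7, 10)  # Oracle Critical Patch Update months


def patch_tuesday(year: int, month: int) -> date:
    """Microsoft 'Patch Tuesday' (assumed rule): the second Tuesday of the month."""
    first = date(year, month, 1)
    days_to_first_tuesday = (TUESDAY - first.weekday()) % 7
    return first + timedelta(days=days_to_first_tuesday + 7)


def oracle_cpu_date(year: int, month: int) -> date:
    """Oracle CPU: the Tuesday closest to the 17th of a CPU month."""
    if month not in CPU_MONTHS:
        raise ValueError("Oracle CPUs are released in January, April, July and October")
    anchor = date(year, month, 17)
    forward = (TUESDAY - anchor.weekday()) % 7   # 0..6 days ahead to the next Tuesday
    # If the next Tuesday is 4+ days ahead, the previous one (7 - forward days back)
    # is closer. A tie is impossible because a week has an odd number of days.
    offset = forward if forward <= 3 else forward - 7
    return anchor + timedelta(days=offset)


def patch_calendar(year: int) -> list:
    """One row per CPU month: both dates and how many days Oracle trails Microsoft."""
    rows = []
    for month in CPU_MONTHS:
        ms = patch_tuesday(year, month)
        oracle = oracle_cpu_date(year, month)
        rows.append({"month": month, "patch_tuesday": ms, "oracle_cpu": oracle,
                     "gap_days": (oracle - ms).days})
    return rows


if __name__ == "__main__":
    for year in (2013, 2014):
        for row in patch_calendar(year):
            note = ("same maintenance window" if row["gap_days"] == 0
                    else f"Oracle +{row['gap_days']} days: second maintenance window")
            print(f"{row['patch_tuesday']}  Microsoft | {row['oracle_cpu']}  Oracle  ({note})")
```

Through 2013 the Oracle date falls exactly one week after Patch Tuesday in every quarter; in January 2014 the two rules coincide on the 14th.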

Saturday, February 23, 2013

Another Friday Night Disclosure: Microsoft Posted by Sean @ 06:47 GMT

In this week's episode of Friday Night Disclosures: Microsoft.

General Manager of Trustworthy Computing Security, Matt Thomlinson, provided details in a post on the MSRCTeam's blog:

MSRCTeam, Recent Cyberattacks

For those of you catching up on previous episodes of FND, see also:

Timeline: Hacks Related to Apple
Our Mac Antivirus Blocks Java Exploits (Our Windows AV, too.)

P.S. Kudos to Microsoft for publishing its disclosure notification on the Web (unlike Apple).

Friday, February 22, 2013

Our Mac Antivirus Blocks Java Exploits Posted by Sean @ 10:35 GMT

Yesterday, two of our analysts, Brod and Timo, tested a Java exploit related to the Facebook/Apple hack with our Anti-Virus for Mac.

And the result?

Our Mac AV blocked the exploit with a generic detection (created Nov. 19th 2012) called: Exploit:Java/Majava.B.

2013-02-21 Exploit:Java/Majava.B

Nice!

So, how is the sample related? On February 15th, Mac malware samples were shared via a "Mac malware" mailing list. In the follow-up discussion, two file hashes were shared, one of which is available via VirusTotal. And that sample turned out to be a Java exploit that drops a Windows backdoor. Brod analyzed the backdoor (detected as Trojan.Generic.8282738) and discovered that it attempts to connect to digitalinsight-ltd.com, one of the sinkholed C&Cs related to Friday's Mac malware.

Our generic detection, Exploit:Java/Majava.B, is used by our cross-platform antivirus scanning engine, so our Windows customers are protected, too. Our thanks to the analyst who shared the file hash (she knows who she is).

Thursday, February 21, 2013

Chinese Hackers Posted by Sean @ 15:01 GMT

All you probably need to know about Mandiant's Chinese hacker report:

Chinese military hacker unit behind US attacks

Well, that, and that not everything in Mandiant's report about Chinese hackers can be verified.

Marketplace's Shanghai-based China correspondent, Rob Schmitz, called a phone number supposedly belonging to a hacker (from a Mandiant video) and reached a 69-year-old farmer instead.

Edited to add: there are malicious versions of Mandiant's report being used in spear phishing attacks. Don't open any attachments claiming to be "APT1: Exposing One of China's Cyber Espionage Units"; here's the direct source: intelreport.mandiant.com.