Wednesday, February 27, 2013
 
Things That Make You Go Hmmm… About Apple "Security"
Posted by Sean @ 13:22 GMT

Dear Tim Cook,

Have you searched for the term "antivirus" lately? — I'm guessing not.

Here's what Google Instant is currently offering up:

google.com, antivirus

Hmm, "antivirus for mac" — very interesting.

You know, maybe it's time for Apple to adjust its "security culture"?

Let's do some more searches. Here's what you'll get from apple.com when you search for "security updates":

apple.com Search Results

Marketing material. Typical. Oh, support info is on the right-hand side. Alright, fair enough then, security is a support issue.

Here's what you'll get from apple.com/support/ when you search for "security updates":

apple.com/support/ Apple Support Search Results

The top result is from December of last year, and there are even older results below. But there does seem to be a mention of security updates inside the text. Opening the article finally links you to an index: Apple security updates.

The index shouldn't be so difficult to find. And it's kind of sad it needs to be in quotes to actually show up in the search results.

Apple Security Updates

So let's take a look at the most recent security update article:

About the security content of Java for OS X 2013-001 and Mac OS X v10.6 Update 13

At the very bottom of the page, there's a section about Malware removal:

Malware removal

This is the definition of the word "summary" as provided by Google:

google, summary definition

Not for nothing, but don't you think it's kind of lame that "malware removal" isn't mentioned in the summary?

Now let's search for something else.

Here's something you'll find if you search apple.com/support/ for "antivirus":

Avoid harmful software

Avoid harmful software? Gee, great tip. If this was 2009.

These apps, called

Internet downloads and email enclosures?

To be very frank, this advice was already behind the times when it was written in July 2012:

Last Modified: Jul 31, 2012

You just might want to get somebody to update that article with a mention of "exploits" and "drive-by attacks" and "watering holes" and… oh, you know, relevant stuff.

Look, here's the thing. Eleven years ago, Internet worms smacked around Windows so much — it ended up being a real wake-up call. At which point, Microsoft made a big, and successful, effort to change its security culture.

But Apple?

Here's your corporate line:

"For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available."

Here's the problem.

Apple not only refuses to confirm issues "until" patches are available — it doesn't even discuss them after the fact.

And why is that a problem?

Because we don't live in an era of Internet worms anymore. This is an era of Internet hacks! And information is valuable in that it allows for organizations with a large Mac user base to make informed threat assessments.

And the more Apple shares with the community, the better off everybody will be.

So please, consider making a change in Apple's culture of secrecy and denial.

You have talented, and friendly, security response analysts working for you. Why not highlight their efforts? Consider putting them front and center and applaud them for their good work. Own this problem, get in front of it.

Because it's the right thing to do.

Regards,
Sean Sullivan
Security Advisor, F-Secure Labs





