Apple, Mac OS X and security
Posted by Pierre Igot in: Macintosh • June 1st, 2004 • 12:55 am
There is quite a debate raging right now over Apple’s handling of the latest security flaw in Mac OS X. John Gruber writes a rather scathing piece entitled “Security Cannot Be Spun”, Erik Barzeski chimes in with his own criticism, and generates quite a bit of feedback in the process.
I can’t comment on the technical issues themselves and their relative seriousness. I haven’t explored the issue enough to comment.
What I can do, however, is comment on Apple’s recently updated technical note on security updates.
There are several things that are very wrong with this note. First of all, it’s a complete mess. It’s long enough to warrant a table of contents, but there isn’t one. You just scroll up and down and wonder what comes first, what comes next, etc.
Then there is the major issue of the recent Mac OS X 10.3.4 update and which security updates it includes. As John reports, the release notes for 10.3.4 state: “Includes recent Mac OS X Security Updates”. Given that the security update for the latest security flaw was released before 10.3.4, it’s only natural to infer from such phrasing that 10.3.4 includes the latest security update. But it does not!
How does Apple present the whole thing on the tech note about security updates? It puts 10.3.4 at the top, followed by “Security Update 2004-05-24 for Mac OS X 10.3.3 ‘Panther’ and Mac OS X 10.3.3 Server”. Once again, the phrasing indicates that Security Update 2004-05-24 is not for 10.3.4, only for 10.3.3. But that’s not true! If you want to fix the security flaw, you have to install 10.3.4 and Security Update 2004-05-24!
How does Apple address this? By adding a note at the end of the section about Security Update 2004-05-24 that says:
Note: This update can also be installed on Mac OS X 10.3.4 and Mac OS X 10.3.4 Server
Yes, you’ve read it right: the update “can” also be installed on 10.3.4. Is this some kind of a joke? This is a tech note about security. It’s supposed to tell us what we must do in order to ensure that our system is as safe as possible! We don’t care about what we can do; we need to know about what needs to be done.
Finally, in an obvious bid to further encourage people to send them reports on security flaws, Apple proceeds to credit two individuals with reporting the latest security flaws, and includes their e-mail addresses in the text of the tech note. In other words, since this page is up on Apple’s web site and accessible to anyone, spammers are now free to use their address-harvesting robots to grab these two e-mail addresses and add them to their spam lists. If I were one of these two people, I would be delighted!
If this tech note is any indication of how seriously Apple takes security issues, including their own system software and the privacy of Mac users’ personal information, then we are all in very serious trouble! This is awful.
June 1st, 2004 | 3:32 am
René: Thanks a lot for the clarification. Glad to hear Apple did the right thing! I am assuming they did the same with the other person as well… In which case the last part of my blog entry about Apple’s respect for your privacy is indeed incorrect.
June 1st, 2004 | 3:31 am
Hi Pierre,
I don’t plan to join the security discussion right now, but wanted to add one thing in defense of Apple. As one of the two people who were credited in the tech note, I was contacted a few days before the official release and asked which contact info I would like to provide. The e-mail address was published with my explicit permission. (It’s an old but still active address of mine that is already clogged up with spam; I don’t think it can get much worse. ;-)
I agree that Apple’s handling of these security issues was sub-optimal with regard to other aspects, but they did ask very politely for permission before using my name and e-mail address in that tech note.
René