Former Apple Security Engineer To Apple: 'Fix Your Sh-t'

Terpfen

Supreme [H]ardness
Joined
Oct 29, 2004
Messages
6,079
I'm not trying to slam Apple here...

Yes, you are. That's pretty much your entire purpose in this subforum. You appear when you believe there's bad news for Apple and decide to nibble at the edges. You're less overt about it than the comments in Apple news posts on this forum, but share the same goal.

Apparently Apple should have just left this security hole unpatched, because issuing a patch (using a distribution mechanism and swiftness that others yearn for) is an admission of a flaw and the jig is up.
 

heatlesssun

Extremely [H]
Joined
Nov 5, 2005
Messages
44,154
Apparently Apple should have just left this security hole unpatched, because issuing a patch (using a distribution mechanism and swiftness that others yearn for) is an admission of a flaw and the jig is up.

On phones, sure, but this wasn't patched at the same time for OS X and it did leave some people scratching their heads that Apple would reveal this without a ready-to-go patch for OS X. This was my point. I've given credit to Apple for having a much more secure desktop OS compared to Windows, but not because of inherent technological superiority. Phone security is a different matter, but Apple does have a better distribution mechanism there than anyone else.

So if this is slamming Apple then it's slamming Apple, but I'm not saying anything here that's not been said by many other very reasonable folks.
 

Terpfen

Supreme [H]ardness
Joined
Oct 29, 2004
Messages
6,079
On phones, sure, but this wasn't patched at the same time for OS X and it did leave some people scratching their heads that Apple would reveal this without a ready-to-go patch for OS X. This was my point. I've given credit to Apple for having a much more secure desktop OS compared to Windows, but not because of inherent technological superiority. Phone security is a different matter, but Apple does have a better distribution mechanism there than anyone else.

So if this is slamming Apple then it's slamming Apple, but I'm not saying anything here that's not been said by many other very reasonable folks.

And then 10.9.2 comes out, negating your position.
 

heatlesssun

Extremely [H]
Joined
Nov 5, 2005
Messages
44,154
And then 10.9.2 comes out, negating your position.

Not sure how patching a flaw this serious, arising from a simple and stupid programming error, negates anything I said. Stuff happens; that doesn't make Apple evil or bad in any way, but disclosing this flaw in OS X four days before the patch was released was a major point of criticism by many security folks.
 

Terpfen

Supreme [H]ardness
Joined
Oct 29, 2004
Messages
6,079
Stuff happens; that doesn't make Apple evil or bad in any way, but disclosing this flaw in OS X four days before the patch was released was a major point of criticism by many security folks.

Apple did not disclose the flaw in OS X prior to publishing 10.9.2. They disclosed the flaw in iOS 6 and 7 after patching it. Bloggers and researchers tested OS X for the flaw after it was patched in iOS and discovered it. Apple then released the fix as part of a pending point release.

I'm not seeing anything wrong in Apple's behavior.
 

wonderfield

Supreme [H]ardness
Joined
Dec 11, 2011
Messages
7,396
Security experts should be more concerned at the lack of static analysis being employed in these projects, not so much at the manner in which they're disclosed.
 

Terpfen

Supreme [H]ardness
Joined
Oct 29, 2004
Messages
6,079
Security experts should be more concerned at the lack of static analysis being employed in these projects, not so much at the manner in which they're disclosed.

Better late than never, considering this was discovered by an internal code review.
 

heatlesssun

Extremely [H]
Joined
Nov 5, 2005
Messages
44,154
Apple did not disclose the flaw in OS X prior to publishing 10.9.2. They disclosed the flaw in iOS 6 and 7 after patching it. Bloggers and researchers tested OS X for the flaw after it was patched in iOS and discovered it. Apple then released the fix as part of a pending point release.

I'm not seeing anything wrong in Apple's behavior.

Fair enough, after looking at the timeline on this Apple was forced to admit the issue existed in OS X on Saturday after it was discovered there. However, Apple kind of telegraphed the issue in OS X when it released the fix for iOS; they must have known that people would quickly discover the problem there too.

Here's what really is odd about this to me. Shouldn't this have shown up in testing? If I'm understanding this correctly, software affected by this bug would never acknowledge any problem with certificates. So browsing a site in Safari with an expired certificate, for instance, would never show any issue with the certificate. If what I said is correct, that means that Apple never tested these products against failure conditions with certificates. Stuff like this is why this was such a big deal; it just looks like the whole development and testing process of critical security functionality was completely borked for a long time.

EDIT: An expired certificate would be checked correctly even with this bug.
 

rflcptr

Supreme [H]ardness
Joined
Mar 27, 2008
Messages
6,338
[image: dead-horse.gif]
 

jbltecnicspro

[H]F Junkie
Joined
Aug 18, 2006
Messages
8,374
Haven't read much about it, but does this only affect Mavericks? Or is everything prior to the patch vulnerable? Like if I got an older Mac with Snow Leopard or Lion - will this affect me?
 

heatlesssun

Extremely [H]
Joined
Nov 5, 2005
Messages
44,154
That would require it to actually be mythical, when it's not.

In practical terms OS X is more secure than Windows. But again, it's not because of any inherent technological superiority. I think the blog gives a good factual overview of this bug: http://www.theguardian.com/technolo...vulnerability-how-did-it-happen-and-what-next. This was a longstanding issue, it took Apple a LOT of time to fix it, and it looks like they never did basic testing of critical security functionality. And yes, this type of thing happens to everybody: Microsoft, Google, you name it. And that's the point: Apple doesn't seem to be any better than anyone else when it comes to software flaws, and under the greater strain of the resources dedicated to Windows malware, I don't think OS X would fare any better. And it's stuff like this that makes that case well.
 

Terpfen

Supreme [H]ardness
Joined
Oct 29, 2004
Messages
6,079
But again, it's not because of any inherent technological superiority.

Tell me more about the inferiority of the *nix security model to the NT model.

(That was a rhetorical statement. I actually don't want you to continue to sidetrack this thread.)
 

heatlesssun

Extremely [H]
Joined
Nov 5, 2005
Messages
44,154
Tell me more about the inferiority of the *nix security model to the NT model.

(That was a rhetorical statement. I actually don't want you to continue to sidetrack this thread.)

Security models don't necessarily protect against busted and improperly tested code as this case shows. Improperly tested code is inherently insecure and I don't think that you or Apple acknowledge that.
 

Ocellaris

Fully [H]
Joined
Jan 1, 2008
Messages
19,080
Security models don't necessarily protect against busted and improperly tested code as this case shows. Improperly tested code is inherently insecure and I don't think that you or Apple acknowledge that.

Nearly all security bugs are the result of poor testing.
 

Terpfen

Supreme [H]ardness
Joined
Oct 29, 2004
Messages
6,079
Improperly tested code is inherently insecure and I don't think that you or Apple acknowledge that.

How is my pointing out that the bug was discovered by an internal code review in any way a failure to acknowledge this? It's a giant neon animated Godzilla of acknowledgement.

If anything has failed here, it's your attempt to hijack this into a Windows good/Apple bad scenario.
 

heatlesssun

Extremely [H]
Joined
Nov 5, 2005
Messages
44,154
How is my pointing out that the bug was discovered by an internal code review in any way a failure to acknowledge this? It's a giant neon animated Godzilla of acknowledgement.

If anything has failed here, it's your attempt to hijack this into a Windows good/Apple bad scenario.

Why wasn't this discovered in testing? Simple testing against an altered certificate would have immediately uncovered the problem. If I had said last week, "I bet Apple never tested Safari against bad certificates," you would have accused me of spreading FUD, and without proof that would have been a fair thing to say. But apparently they didn't.

You can point fingers at me all you like; this was a basic and fundamental failure in testing important security functionality, and it certainly doesn't at all demonstrate OS X's "great" security, it very much calls it into question.
 
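The two posts above (the "shouldn't this have shown up in testing?" post and the "simple testing against an altered certificate" post) and the earlier remark about static analysis all come down to the same defensive practice: a verifier must be exercised with inputs that are supposed to fail. The following is an added example, not code from the thread or from Apple. It assumes the widely reported shape of the bug under discussion (a duplicated unconditional `goto fail;` that jumped past the final signature check with `err` still zero) and mirrors it in a toy key-exchange verifier, then places the corrected version beside it and runs both through a negative test. The names (`verify_key_exchange_buggy`, `verify_key_exchange_fixed`, `rejects_tampered`, `accepts_genuine`), the toy byte-compare "signature" and the sample bytes are all constructed for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SIG_LEN 4

/* Constructed sample: the signature the toy verifier expects to see. */
static const uint8_t EXPECTED_SIG[SIG_LEN] = {0xde, 0xad, 0xbe, 0xef};

/* Toy stand-in for the real signature check: 0 on match, -1 otherwise.
 * (A real implementation would verify an RSA/ECDSA signature here.) */
static int toy_signature_check(const uint8_t *sig, size_t n)
{
    if (n != SIG_LEN)
        return -1;
    return memcmp(EXPECTED_SIG, sig, n) == 0 ? 0 : -1;
}

/* An earlier, always-succeeding step, so err is 0 when the dead goto fires. */
static int check_length(size_t n)
{
    return n == SIG_LEN ? 0 : -1;
}

/* BUGGY: the shape of the defect discussed in the thread. The second
 * "goto fail;" is unconditional, so the signature check below it is dead
 * code and the function returns err == 0 (success) for ANY signature.
 * clang's -Wunreachable-code reports the dead lines; this is the kind of
 * static-analysis finding the thread refers to. */
int verify_key_exchange_buggy(const uint8_t *sig, size_t n)
{
    int err = 0;
    if ((err = check_length(n)) != 0)
        goto fail;
        goto fail;                      /* duplicated line: always taken */
    if ((err = toy_signature_check(sig, n)) != 0)
        goto fail;
fail:
    return err;
}

/* FIXED: same control flow with the duplicated goto removed, so the
 * signature check is reached and a tampered signature yields err != 0. */
int verify_key_exchange_fixed(const uint8_t *sig, size_t n)
{
    int err = 0;
    if ((err = check_length(n)) != 0)
        goto fail;
    if ((err = toy_signature_check(sig, n)) != 0)
        goto fail;
fail:
    return err;
}

typedef int (*verify_fn)(const uint8_t *, size_t);

/* Positive test: a genuine signature must be accepted. Returns 1 on pass. */
int accepts_genuine(verify_fn verify)
{
    return verify(EXPECTED_SIG, SIG_LEN) == 0 ? 1 : 0;
}

/* Negative test (the one the thread says was missing): a tampered
 * signature must be rejected. Returns 1 when the verifier rejects it. */
int rejects_tampered(verify_fn verify)
{
    uint8_t tampered[SIG_LEN];
    memcpy(tampered, EXPECTED_SIG, SIG_LEN);
    tampered[SIG_LEN - 1] ^= 0x01;      /* flip one bit */
    return verify(tampered, SIG_LEN) != 0 ? 1 : 0;
}

int main(void)
{
    printf("buggy: accepts genuine=%d rejects tampered=%d\n",
           accepts_genuine(verify_key_exchange_buggy),
           rejects_tampered(verify_key_exchange_buggy));
    printf("fixed: accepts genuine=%d rejects tampered=%d\n",
           accepts_genuine(verify_key_exchange_fixed),
           rejects_tampered(verify_key_exchange_fixed));
    return 0;
}
```

The point the example makes is the one the posters circle around: the buggy verifier passes every positive test, so a suite that only ever feeds it valid signatures stays green. Only the negative test (`rejects_tampered`) exposes the skipped check, and an unreachable-code warning would have flagged the same lines before any test ran.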

Cheetoz

[H]ard|Gawd
Joined
Mar 3, 2003
Messages
1,972
Got a laptop with OS X Mavericks. Got a server with Debian.

Just need Android to get an issue to complete my SSL vulnerabilities trifecta.
 