Security Cannot Be Spun

Perhaps the most surprising aspect of the recently-publicized Mac OS X security vulnerabilities has been the press coverage. Compared to the sensationalized and misleading coverage that appeared a month ago about Intego’s “MP3Concept Trojan horse” hoax, the response to the current URI-related vulnerabilities has been, well, measured and appropriate.

If anything, the coverage has been understated. These are serious vulnerabilities which could be exploited for serious harm. You could reasonably argue that this is the worst security problem in the entire history of the Macintosh. If it isn’t the worst vulnerability, it’s certainly up there.

That’s the bad news.

At this point, it’s worth noting the distinction between a vulnerability and an exploit. A vulnerability is a security hole; an exploit is an action that takes advantage of a vulnerability. An unlocked car door is a vulnerability; when a thief opens the unlocked door and steals the car, that’s an exploit.

To date, all of Mac OS X’s URI-related security problems are mere vulnerabilities — there are no publicized exploits (other than harmless proof-of-concept examples).

That’s the good news.

The fact remains that the overall state of security on Mac OS X is very good. It’s not as good as we thought it was two weeks ago, but that doesn’t mean it isn’t excellent overall. This might strike you as an odd thing for a Mac user to gloat about in light of the recently-publicized vulnerabilities, but it’s true.

But this is where non-technical Mac enthusiasts often go overboard, e.g. by bragging that Mac OS X “has no vulnerabilities”, or that it “can’t be hacked”, etc. Such claims are nonsense. What does make sense, and is true, is that Mac OS X has had relatively few vulnerabilities exposed, and that when they have been publicized, Apple has closed them in reasonably short order.

It would be nice, however, if I could use the word identified rather than publicized in that last sentence. But I can’t, because the worst aspect of these security issues hasn’t been the vulnerabilities themselves, but Apple’s response to them.

It turns out Apple was notified about the Help Viewer ‘help:runscript’ URI vulnerability by someone named “Lixlpixel” on February 23, but as far as can be determined by anyone outside the company, Apple did nothing in response until last week, when the vulnerability was made public and garnered significant attention.

Why 10.3.4 Doesn’t Fix the Remaining Vulnerabilities

Ostensibly, Lixlpixel did the right thing, or at least did what Apple would prefer people do when serious vulnerabilities are identified. Ideally, notifying Apple privately would engender the same response as publicizing the vulnerability in the press.

But, alas, apparently not. “Sweep them under the rug” is not a serious security policy, and the IT press is taking notice. E.g. “Apple releases latest Mac [sic] version - with holes left in” by Kieren McCarthy in Techworld.

McCarthy takes Apple to task on two counts:

  1. Mac OS X 10.3.4 does not encompass Security Update 2004-05-24. Indeed, this seems odd, given that (a) the security update was released prior to Mac OS X 10.3.4, and (b) 10.3.4’s release notes claim that it “Includes recent Mac OS X Security Updates.”

  2. Even after installing both Mac OS X 10.3.4 and Security Update 2004-05-24, the Launch Services/URI-related security vulnerabilities are not addressed. This seems odd, given the severity of the vulnerability and the amount of publicity it has received.

But in fact, although both #1 and #2 are true, neither is particularly odd.

Take #1 — updates which bump the version number of the entire OS are a big deal, and are in the works for a relatively long period of time. Work on 10.3.4 probably commenced even before 10.3.3 shipped back in March. More importantly, OS updates are rigorously tested before release. Security Update 2004-05-24 for Panther was quite small: all it contained was an updated version of Help Viewer. But that doesn’t mean Apple could have just thrown it into the 10.3.4 update at the last moment. Adding new software to the 10.3.4 update would have required restarting the testing process for the entire update. The “add new features and fixes to the update” period probably closed weeks ago. I.e., Mac OS X 10.3.4 was almost certainly slated for release long before these vulnerabilities came to light. The timing is merely coincidental.

You can’t argue that Apple shouldn’t have released 10.3.4 when it did. It was ready to go, and contains numerous bug fixes and improvements.

Nor does it make sense to argue that Apple should have included a fix for the remaining URI/Launch Services vulnerabilities in 10.3.4. These vulnerabilities are not caused by a bug; they’re the result of an unfortunate confluence of seemingly unrelated features. A proper solution is going to require:

  1. Design — finding a solution that closes the vulnerability but does not eliminate features that applications depend on.
  2. Engineering.
  3. Localization (Mac OS X supports many languages).
  4. Testing.

Many of the same people who are irrationally complaining that Apple hasn’t responded to these vulnerabilities by rushing a fix out the door are the same people who’ve complained in the past that Apple doesn’t thoroughly test its software updates. Remember the iTunes 2 installer, which had a bug that could wipe out entire drive partitions? You can’t have it both ways, folks.

Just because the vulnerability is critical doesn’t change the amount of time it takes to put together a good and properly-tested solution.

Communication Breakdown

This is not to exonerate Apple. But if we’re going to place blame, we ought to place it precisely. Let’s break Apple’s responsibilities — as Mac OS X’s platform vendor — into two areas:

  • Design/Implementation
  • Response/Communication

Design/Implementation regards the security of Mac OS X, as it stands today. Appropriate questions are, e.g., Has Mac OS X been designed with security in mind? and How secure is Mac OS X today?

Response/Communication regards the way Apple deals with security issues on an ongoing basis. Appropriate questions are, e.g., How quickly does Apple respond to new security issues? and What kind of information does Apple provide regarding Mac OS X security fixes and issues?

The first thing to note about these distinctions is that the first area — Design/Implementation — is really about Mac OS X, the product; whereas the second — Response/Communication — is really about Apple, the company. The clueless and/or feeble-minded often conflate the two (cf. Crazy Apple Rumors’ classic “Guy About Had It With People Who Confuse ‘Apple’, ‘Mac’.”). In this case, the distinction is essential.

The second thing to note is that Mac OS X scores quite well by any reasonable standard with regard to its Design/Implementation; Apple on the other hand, scores poorly with regard to Response/Communication.

The major problem that’s been laid bare over the course of the last two weeks is not that Mac OS X has major design flaws, or that it’s about to be overrun with serious security exploits. The problem is that Apple has been revealed as a company that treats security vulnerabilities as marketing problems, rather than as technical problems.

This is not a revelation. Serious technical publications — especially MDJ — have long been hounding Apple about its pathological reticence with regard to documenting security fixes. Here’s an example from this week:

The recently-publicized ‘telnet’ vulnerability was fixed with an updated version of Terminal (version 1.4.2) included with the Mac OS X 10.3.4 update. (The version of Terminal in 10.3.3 was 1.4.1.) You’d never know this by reading Apple’s Security Update documentation, however, where the fix is apparently described thusly:

  • Terminal: Improves the handling of URLs. Credit to René Puls […] for reporting this issue.

I say “apparently” because it’s impossible to determine with certainty, based on this absurdly vague description, what problem has been addressed. Somehow, I doubt Mr. Puls wrote a report stating nothing more than, “Dear Apple, I have discovered a security issue in which Terminal needs improved URL handling. Thank you.”

The best we can do is guess. I’ve verified that the ‘telnet’ file-overwriting vulnerability is closed on 10.3.4 by trying it myself. And the above item is the only issue mentioned in the 10.3.4 security update release notes that could possibly apply. But it’s still a guess — for all we know, Mr. Puls’s report was about some other URL-related “improvement” to Terminal.

These descriptions are important, because they allow serious users to make informed decisions regarding updates. Imagine you’re the administrator for a network of Macs in a creative agency. Upon the release of Mac OS X 10.3.4, you need to determine when (or if) to apply the upgrade to the Macs you’re responsible for. A security fix for Terminal described as “Improves the handling of URLs” not only doesn’t help, it hurts. A reasonable Mac admin for a creative agency — whose artists likely never even launch Terminal — is not going to be concerned about “improved URL handling”.

Whereas if Apple described the issue accurately — that it closes a vulnerability that allowed any remote web site to overwrite files simply by sending a ‘telnet’ protocol URI — well, that’s a fix you might want to roll out as soon as possible.

Thus, Design/Implementation-wise, Mac OS X 10.3.4 (combined with Security Update 2004-05-24) is fine. It fixes bugs and resolves security issues. The only vulnerabilities which haven’t yet been resolved were discovered too recently for inclusion in these updates.

Response/Communication-wise, however, it’s been terrible. One of the critical security issues — the Help Viewer exploit — was reported in February, privately, but apparently wasn’t acted upon until May, after it was publicized. Another critical bug — the ‘telnet’ URI vulnerability — was fixed in 10.3.4, but the description of the fix was so vague that many Mac nerds didn’t even realize 10.3.4 contained a fix for the issue.

Apple’s upper management might want everyone to apply all software updates as soon as they come out, no questions asked, but that’s not how responsible computer experts work. Faith in Apple’s updates requires trust, but trust is a function of both Design/Implementation and Response/Communication.

Trust but verify is good advice; Apple’s euphemistic approach to documenting security updates makes verification difficult at best, and in some cases, impossible. It’s frustrating, because Apple knows what’s been fixed, but they’re just not saying.

Security Updates Are Not Marketing Problems

In response to the significant publicity the Help Viewer vulnerability garnered, Apple issued a press statement — “Mac OS X Update Addresses Security Concern” — upon the release of Security Update 2004-05-24. (Most Mac OS X security updates are not accompanied by press releases.) This PR typifies Apple’s marketing-slanted approach to communicating about security updates.

Start with the obvious. The only person quoted in the PR is Phil Schiller, who, of course, is “Apple’s senior vice president of Worldwide Product Marketing”. Security experts and Mac IT professionals don’t want to hear from marketing executives; they want to hear from engineering executives.

Then there’s the content of the PR itself. Off on the wrong foot in the first sentence:

Apple today posted a Mac OS X update to address a theoretical vulnerability in the Help Viewer application that could have been exposed when browsing the web.

This vulnerability was “theoretical” in the same sense that gravity is theoretical. It’d be fair for Apple to note that the vulnerability had not been exploited for harm, but that doesn’t make the vulnerability any less real.

Next comes Schiller’s first sentence:

“Apple takes security very seriously and works quickly to address potential threats as we learn of them — in this case, before there was any actual risk to our customers.”

This is simply false. Apple’s customers were at risk — and anyone who hasn’t yet installed the security update (or manually reassigned the ‘help’ URI to something other than Help Viewer) is still at risk. Apple could truthfully claim to have shipped the security update before any known harmful exploits for this vulnerability appeared, but that’s not what Schiller said.

Second, given that Lixlpixel reported the Help Viewer ‘help:runscript’ vulnerability in February, the idea that Apple “works quickly to address potential threats as [they] learn of them” deserves a raised eyebrow. What the Help Viewer saga indicates is that Apple works quickly to address potential threats only after they’ve been publicized, not when they’ve been identified and reported to Apple privately. I’m not saying that’s true — it’s possible that Lixlpixel’s report was too vague, or that it really did take three months to fix, or that it was simply an aberration — but that’s the perception.

Saying that Apple “takes security very seriously” is meaningless. Judging by Apple’s actions, they do not.

Schiller continues:

“While no operating system can be completely immune from all security issues, Mac OS X’s UNIX-based architecture has so far turned out to be much better than most.”

For all of Apple’s security-related hemming and hawing, this particular statement is pretty hard to argue with. But this is a statement about Design/Implementation, which no one is arguing about. It’s Apple’s Response/Communication that’s a problem, and which Apple continues to exacerbate with its use of euphemistic language.

Mac OS X’s security architecture is better than that of most other platforms. And no reasonable person would argue that any system could be “completely immune from all security issues”. Thus, Apple does not need to spin security issues as they appear; they simply need to address them head-on, with plain language and the straight truth.

Making Matters Worse

If the purpose of Apple’s spin-control approach to addressing security issues is to improve the perception of Mac OS X, it not only isn’t working — it’s backfiring. Due to the aforementioned “Apple”/“Mac” conflation, criticism of Apple is often interpreted, or even directed, as criticism of Mac OS X.

Let’s return to Kieren McCarthy’s scathing article in Techworld. All of the criticism in this article is effectively directed at Apple (i.e. Response/Communication), but the typical reader could easily be left with the impression that there are serious, ongoing security problems with Mac OS X (i.e. Design/Implementation).

Regarding the fact that 10.3.4 does not include the updated Help Viewer from Security Update 2004-05-24, McCarthy writes:

This is despite Apple’s stated claim that the latest version: “Includes recent Mac OS X Security Updates.” On the OS’s official security page, Apple claims that Mac OS X 10.3.4 is “safe and secure”. “Because it’s built on Open Source standards, Mac OS X provides you with time-tested security and reliability not available on proprietary systems.” Its documentation also claims that security is at the core of the operating system.

However, not only does a patch rated “extremely critical” not come with the latest OS but Apple makes no mention of the need to download and install it. In fact, it claims it is already installed.

Now, if you note Apple’s precise language, they actually claim no such thing. “Includes recent Mac OS X Security Updates” does not mean the same thing as “Includes all recent Mac OS X Security Updates”.

But regardless if the statement can be defended as technically (or should I say “theoretically”?) true, it’s undeniably misleading. Especially given the amount of publicity it garnered just a few days before 10.3.4 shipped, it’s easy to see how a reasonable person would assume that “recent Mac OS X Security Updates” would include the one recent security update that everyone is talking about.

The truth wouldn’t have hurt. As conjectured earlier, it’s almost certainly the case that Mac OS X 10.3.4 was done and in testing by the time Security Update 2004-05-24 was issued. It was simply too late for inclusion. A simple, explicit note that you still needed Security Update 2004-05-24 in addition to 10.3.4 is all it would have taken.

With regard to the remaining URI/Launch Services vulnerabilities, McCarthy writes:

Nonetheless, all Apple has produced by way of explanation is a short statement which reads: “Apple takes security very seriously and works quickly to address potential threats as we learn of them.”

Such apparent pomposity will do nothing to quell security companies’ criticism of Apple. Head of Secunia, Niels Henrik Rasmussen, told us earlier this week: “Microsoft and most Linux distributions have learned the lesson and properly describe the nature and the impact of (most) vulnerabilities, allowing their customers to properly estimate the severity of a fixed issue. This is not possible when reading an Apple update.”

Replace “security companies” with “Fortune 500 corporations”, and you can see how the perception that Apple is not serious about security is costing them. It doesn’t matter whether it’s true or not; it’s the perception that matters.

The entire negative slant to McCarthy’s article — which is mirrored in other technical press coverage of the 10.3.4 update — could have been avoided if Apple had simply stated the straight truth.
