Posted on 06/05/2015 6:05:07 PM PDT by for-q-clinton
NEW YORK (CNNMoney) —So much for the argument "Apple computers are safer and bug-free."
It's not true. We're accustomed to annoying glitches in PCs. But the past few years have shown that Macs, iPads and iPhones have them too.
So far in 2015, five major flaws have affected Apple products.
Just this week, we encountered a nasty bug that lets hackers bury computer viruses so deep inside Macs, you'll never find it. A week earlier, a flaw appeared that lets a text message crash an iPhone.
These are significant issues, and neither has been fixed yet.
Faulty code is found in every operating system, app and software program. But Apple has an outdated strategy for fixing them.
Remember when Apple would advertise it was safer than Windows? No more. Apple is now where Microsoft was a decade ago.
The problem
Computer engineers, hackers and people familiar with the company's practices explained that Apple is doing five things wrong in its approach to security.
1) Apple's security updates are irregular and infrequent. Last year, it took Apple 100 days to fix a problem that some folks at Google found. (And when Apple finally did patch the hole, its supposed fix was weak and easily bypassed by hackers.)
In 2012, Oracle quickly moved to patch its Java program that was susceptible to a terrible, information-stealing malware called Flashback. But Apple waited two whole months to issue a fix -- even though an estimated 650,000 Macs were infected.
"They don't appear to have a regular patch schedule like Microsoft, nor do they appear to patch continuously like Google does with Chrome," said Tod Beardsley, a research manager at cybersecurity firm Rapid7.. "Sometimes, patches are slow to arrive, but then again, sometimes patches are difficult to develop."
Sure, issuing quick fixes sometimes backfires. In this sense, Apple treats bugs like it does products. It's usually a little late to the game, but it plans to do the job right.
But waiting too long can have devastating effects, leaving Apple customers vulnerable to hacks and theft of personal information.
2) Secrecy. Apple keeps quiet about its security holes.
For example, Apple didn't admit the latest Mac bug is even real (because that would entice hackers to exploit it). And while it acknowledges the text message flaw and offers advice for how to fix it, Apple hasn't explained the bug's root cause.
"Apple works in mysterious ways. It has a reputation for being tight-lipped when it comes to confirming the existence of security issues," Beardsley said.
Transparency would keep customers alert and help the large community of Apple developers suggest fixes. In this sense, secrecy is harmful.
3) Updates are only for the latest software. If you're still using old versions of the Mac operating system, Apple has forsaken you.
For example, Apple patched a serious vulnerability in April -- but only for its latest version, Yosemite. That means it left behind 47% of its users, those who use the operating systems Mavericks, Mountain Lion, Lion, and Snow Leopard, according to industry figures gathered by Net Market Share.
Apple's defense? Customers can upgrade to the latest version for free. That's true, but not entirely fair. Some older laptops can't handle the latest software.
4) Unwillingness to pay. Apple is one of the only major tech companies that doesn't reward researchers -- with money -- for finding potentially disastrous computer bugs.
Although criminals and spies are willing to pay $150,000 for an iPhone bug that hasn't been made public, Apple pays nothing. Zip. Zilch.
5) No admission of guilt. This is what frustrates security folks the most. Apple doesn't tend to acknowledge when it's wrong. When hackers broke into celebrity iCloud accounts and exposed nude photos last year, Apple CEO Tim Cook said the company would beef up security measures. But he blamed users, saying the problem was "not really an engineering thing."
But security features that would have prevented the celebrity iCloud episode -- like requiring a text message as a second passcode -- are precisely an engineering problem. To Apple's credit, it eventually added that crucial feature to iCloud.
Dealing with Apple isn't easy. Security researcher Xeno Kovah said that even in the most serious cases, when he had to report a critical software flaw to the Carnegie Mellon's Computer Emergency Readiness Team, Apple was still not as "responsive or accurate" as other companies.
"Apple has a bug fixing problem," he said.
It's so bad that 684 independent Apple developers launched a formal campaign in 2012 and wrote a letter begging Apple to improve its bug-reporting system. They say little has changed.
Apple declined to comment for this story.
How Microsoft did it
Some of the best Apple hackers tell CNNMoney that Apple's bug-reporting system needs an overhaul, similar to the one Microsoft went through years ago.
Microsoft had to go through a long and painful awakening. Think back 15 years ago, when Windows products were the most used -- and hated. They were notoriously buggy. But then came a corporate turnaround.
In 2003, Microsoft introduced Patch Tuesday. Once a month, users would get a flood of updates to keep them safe. In 2005, Microsoft started hosting Blue Hat, an invitation-only security conference to meet face-to-face with curious (and often aggressive) researchers. Apple doesn't host a forum like that.
One of Microsoft's most successful strategies in improving security has been its "bug bounty" program, which was implemented in 2013. Microsoft stopped fighting the legion of hackers -- and turned them into a ragtag army of Microsoft guardians.
"Microsoft had worm after worm before meaningful security changes were made," said Katie Moussouris, Microsoft's former chief security strategist who implemented the bug bounty program. "Hopefully, Apple will adapt quickly."
Why the added pressure on Apple all of a sudden? The company is "a victim of its own success," Moussouris explained. Apple products are more popular than ever. More fingers on keyboards means more code is being explored. Inevitably, bugs will be found.
The good news: Apple is listening. And changes are coming.
Apple is aware of these issues, and the company is trying to improve how it communicates with researchers, according to a person familiar with the company's plans. Its main challenge now is dealing with its rapid growth. Apple gets inundated with reports about possible flaws, and its security team wants to do a better job of paying closer attention to the big security issues, separating the real bugs from the fake ones.
ping & spin please :-)
It’s almost as if the unstated goal of all articles, editorials etc, is to pick some controversial issue (OS security in this case), throw in some cherry-picked anecdotal ‘evidence’, make blanket statements and loosely worded proclamations.... then stand back and watch the fireworks as both sides duke it out.
No, none of this is new, or news worthy. This is FUD Season in advance of the World Wide Developers Conference starting Monday and always happens in advance of Apple's major announcements. Many of the assertions in this article are just wrong. . . Others are exaggerated. It is basically published for the purposes of FUD. . . Fear, Uncertainty, and Doubt.
There was a screw up that I ran into with iOS 8.3. Many of the most popular GPS receivers used in aviation stopped connecting to their apps. I was able to revert a few i devices back to 8.2, but then Apple stopped “signing” versions of 8.2 leaving one of the office iPads isles for its primary purpose. Supposed to be fixed with 8.4
Apple Products are Bullet Proof, So say we all...signed ibots
Oooooh goody. Words of wisdom from a guy who’s degree is in journalism PLUS he works for that well known tech company CNN.
Just another yob who doesn’t know his head from a whole in the ground
The "fappening" was not a failure of Apple's security. Apple already had two factor identification in place before any of the others implemented it. . . But the celebrities accounts were NOT compromised by hacking their passwords. They were compromised by social engineering their security questions. . . which only worked because they WERE celebrities and they published the answers to such questions in fanzine biographies. This is an example of this article not having a clue about the topic it is talking about.
I was a hardware tester on the Win95 team. We released Win95 with over 40,000 open bugs.
But it was still a great operating system :)
In addition, for-q-Clinton, not a single one of the vulnerabilities mentioned in the article except the text crashes has resulted in any effect on users. . . and the text crashed will not result in any possibility of lost data, it’s merely a denial of service attack, easily avoided. The current one requires that the attacker gain physical possession of the computer to exploit. . . while serious on a singular user basis, it is not a major system wide problem that could effect even a few hundreds of users out of the tens of millions that could be affected were it remotely exploitable.
The same applied to the Google discovered vulnerability last year.
Amazing.
Major straw man set up in the very first sentence.
Little point in reading further.
“Apple already had two factor identification in place before any of the others implemented it”
A quick search would show this to be false. Google implemented two-factor authentication in 2011, while Apple implemented in 2013:
http://googleblog.blogspot.com/2011/02/advanced-sign-in-security-for-your.html
http://www.cnet.com/news/apple-adds-two-step-verification-option-for-apple-ids/
Furthermore, the initial implementation of two-factor authentication didn’t apply to iCloud backups:
http://arstechnica.com/security/2013/05/icloud-users-take-note-apple-two-step-protection-wont-protect-your-data/
http://money.cnn.com/2013/05/30/technology/security/apple-security/
Apple actually made it difficult to use two-factor authentication at the time of the fappening (3-day waiting period?):
http://www.dailydot.com/technology/apple-icloud-two-step-verification/
Of course, that all seemed to change once the fappening happened:
“But the celebrities accounts were NOT compromised by hacking their passwords. They were compromised by social engineering their security questions. . . which only worked because they WERE celebrities and they published the answers to such questions in fanzine biographies. This is an example of this article not having a clue about the topic it is talking about.”
You have no way of knowing this, the only people who know how it was done are the people who did it. Besides vague statements of how it could have been done, there is little evidence floating around about how it was actually done. One way, as even Apple-loving websites admit, was a brute-force attack that exploited a flaw in the “Find My iPhone app”:
http://www.cultofmac.com/297709/apple-aware-icloud-security-flaw-6-months-fappening/
http://www.engadget.com/2014/09/01/find-my-iphone-exploit/
Before you say “it wasn’t the Find My iPhone exploit!” Why did Apple patch it the next day?
http://www.zdnet.com/article/apple-patches-find-my-iphone-exploit/
Exactly! Apple 2-factor authentication was difficult and hidden from the user. I know Microsoft was annoying me until I turned on 2 factor authentication. Constantly telling me to turn it on...turn it on...turn it on. Finally to make the reminder stop I turned it on :-)
Eh. Apple fixes flaws that surface.
Some are FUD.
There is no question they are safer. I’ve run a MAC for 6 years without a single virus.
My Windoz machine had me working as an unpaid, full-time MS support tech.
Hi for-q. Geez, don't you ever tire of this silly exercise?
Honestly, I'm not at all impressed by this story, as it's just a slam in the form of rehashed stuff everybody already knows. It brings nothing whatsoever to the discussion except crap to throw.
Microsoft has been the target of this kind of pointless, dumb crap writing for many years, and it's annoying as hell. Apple is now the target of crap that's just as pointless and dumb, and it's annoying too.
You see, regardless of who the target is, it's just too freakin' easy to throw a bunch of crap, and then when the target responds, throw more crap and claim that the reponses are all spin. There's no arguing with crap, you can't win, it's like wrestling with pigs.
Of course there's a grain of truth in any of the things mentioned in this story, but they're all twisted out of shape. Even you must admit the slant of the writing is egregious -- I found it hard to read without either laughing or cursing at its obvious bias and blatant stupidity.
Now, it's true I think Apple (like Microsoft, Google, and others) could improve their response to bug reports. That goes without saying, because no company has what I would call a sterling history of dealing with such things. I'm not defending Apple, per se, any more than I defend Microsoft or Google when they're the target of a slam.
The important thing to take away from this thread is that the slam article is comprised of old stories, nothing new or interesting, just some tired meat for the anti-Apple folks to slaver and drool over.
Have a good time, I guess. I'm going to find a thread that's interesting. Nothing personal, you understand. But I truly have a hard time understanding how you never seem to tire of this stuff. See ya on the flip-flop.
LOL
Look, this same slam article could have been written about Microsoft with very few changes, and it still would have been crap, and if I pointed out that the article was crap, you would have said I was defending Microsoft, and you'd be wrong again.
Don't you see, if crap gets thrown at a target and someone points out that crap is being thrown, that's not defending the target, it's characterizing the crap.
Maybe you don't see that. Oh well, have a good evening. Cheers.
You’re point was not to read the article or even discuss the subject at all. So yeah, you’re right, you’re not protection Apple - you’re protecting all of them.
You really know how to hack Swordswallower off. Like waving a Christian in front of a queer.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.