Information Security News mailing list archives

Apple: Taking OS X security seriously -- finally


From: InfoSec News <isn () c4i org>
Date: Wed, 3 Jul 2002 06:36:34 -0500 (CDT)

http://www.zdnet.com/anchordesk/stories/story/0,10738,2873326,00.html

Stephan Somogyi,
Contributing Columnist,
AnchorDesk
Wednesday, July 3, 2002  

During the days of Mac OS 9, Apple didn't need to pay much attention
to security. Attacks on Mac OS boxes were extremely rare, successful
ones well-nigh unheard-of. But Mac OS 9's excellent security record
does not automatically transfer to OS X just because both OSes
originate in Cupertino.

Thanks to Mac OS X's Unix plumbing, any vulnerabilities in Unix
software instantly become vulnerabilities in OS X. Unix vendors as a
rule have always been quick to issue both security alerts and fixes
for discovered holes. Which means that Apple now has a pretty high
standard to live up to.

If you're a Windows user, you've grown accustomed to the never-ending
stream of vulnerability announcements, interminable waits for fixes,
and, most recently, unilateral changes of your end-user licensing
agreement that grant Redmond remote admin privileges on your system.  
Trustworthy computing, indeed.

But this is a new ballgame for Apple. And its initial responses to
security flaws in OS X weren't anything to crow about. Apple would
keep completely quiet until it had a fix ready. When those fixes were
finally released, it was usually long after other Unix vendors had
delivered theirs.

I'M PLEASED TO REPORT that Apple appears to be changing its approach
to security announcements, that it's taking the crescendoing din of
security-related criticism to heart.

Last week, for example, a high-profile vulnerability in OpenSSH--a
system for securely transferring data to and from a remote
machine--was announced; Apple released a security update for OS X two
days after the fix became available. That two-day response time was a
welcome surprise; I hope it sets a precedent. While most other
commercial Unix vendors have been quicker than Apple in the past, of
the big names only Red Hat was a day faster than Apple in this
specific case.

More recently, Apple announced this past Monday morning that OS X
wasn't susceptible to a recently discovered widespread domain name
resolver (DNR) vulnerability.

THIS IS NOT TO SAY Apple has become perfect. Its OpenSSH update also
included two other, less timely security fixes. One was for an Apache
vulnerability whose fix was available from other vendors on June 18--a
10-day lag from Apple. The second fix was for the mod_ssl Apache
module, which allows Apache to provide secure Web connections.  
Unfortunately, this latter fix was already obsolete when Apple
released it; a new vulnerability had been discovered in the interim,
another update issued by mod_ssl's developers.

Apple needs to not only stake out, but also maintain an unshakable
hold on the moral high ground when it comes to its security policies.  
This is critical not only for the growing number of Mac OS X users,
especially if Apple wants to entice existing Windows users. It's
especially important if Apple wants to succeed with Xserve in the
server market.

Proof that Apple understands this last facet of OS security came over
the security-announce list on Monday. Apple announced it was hiring
SAIC's Common Criteria Testing Lab to give Mac OS X and Mac OS X
Server a going-over.

SAIC will test OS X and its Server sibling to something called the
Common Criteria Evaluation Assurance Level 3. If OS X passes, this
testing will verify that Apple has followed secure practices during
development and has actively looked for potential vulnerabilities. OS
X will then be tested against a set of standardized criteria to make
sure nothing obvious was overlooked.

IT SEEMS UNLIKELY that Apple would submit its OSes to such scrutiny if
it weren't confident that OS X will pass. But the announcement was
also a bit cagey: Apple didn't say which version of OS X will be
scrutinized--I assume it will be Jaguar rather than 10.1.

While such certification might at first glance smack of marketing and
buzzword compliance, the Common Criteria are not without substance.  
Given their status as an ISO standard, certification is a requirement
for government purchase in many countries.

The debate about the relative security of open source was recently
revived. While the jury is still out on whether closed or open source
yields more secure software, it's clear that open source produces
faster analysis of vulnerabilities and speedier fixes. While Apple's
speedy turnaround with the OpenSSH fix and the DNR announcement are
laudable indeed, two data points do not a trend plot. Apple's ongoing
behavior in this realm is the key to building and then maintaining
confidence among Mac OS X users, recommenders, and buyers.
