Microsoft recently admitted, via the Director of it's Security Response Centre, that it doesn't report every Windows security vulnerability discovered and subsequently fixed via patches and updates. No big deal you might think, as long as the holes get fixed that's all that matter. I happen to agree, however that most vocal section of Microsoft-haters the Mac and Linux fanboy brigade certainly did not. Indeed, there was much waving of arms and displaying of indignation that Microsoft was 'cheating the figures' by not declaring security updates so as to be able to claim it was more secure than it actually is. Odd then, that the same folk have not as yet starting kicking up a similar fuss when Apple is caught doing the same thing.
According to security researchers at Sophos Mac OS X (10.6.4) includes limited protection against the Pinhead-B Trojan, and claim that Apple "secretly updated" the anti-malware protection built-into it when it released the new version earlier this week. The OSX/Pinhead-B (AKA HellRTS amongst Apple security aficionados) update, in the file XProtect.plist containing elementary signatures of some Mac threats, was not documented by Apple at all.
"What's curious to me is why Apple didn't announce they were making this update in the release notes or security advisory that came with Mac OS X 10.6.4. It's almost as if they don't want to acknowledge that there could be a malware threat on Mac OS X" says Graham Cluley, senior technology consultant at Sophos. "Many Mac users seem oblivious to security threats which can run on their computers, even though Apple has now built-in some elementary protection" continued Cluley "this lack of awareness isn't helped when Apple issues an anti-malware security update by stealth, rather than informing the public what it has done. You have to wonder whether marketing motives are at play behind such decisions".
I'm a hacker turned writer and consultant, specialising in IT security. I've been a freelance word punk for over 20 years and along the way I have seen 23 of my books published, produced and presented programmes for TV and radio, picked up a bunch of awards and continue being a contributing editor with PC Pro - the best selling IT magazine in the UK .
... How can you be surprised that no one is expressing outrage?
The source of outrage toward Microsoft's security practices is simply that they cherry pick the vulnerabilities to publish and then use the number of those publicised vulnerabilities as if that were all the vulnerabilities they know about. Then they contrast that number with bug reports for Linux, which are not cherry picked at all, as if the two numbers were equivalent. Then they declare Windows to be more secure than Linux or OS X.
Sure, not reporting the update could be overlooked, and as a Microsoft fan boy, I'm sure you believe it should be. Especially considering the obviously lopsided security track records of Mac OS X compared with Windows.
But what you are doing here is accusing users of Mac OS X, and perhaps even users of Linux, of a lack of integrity for the actions of Apple. Where do you get off doing that? As you said, yourself, the update was secretly deployed. So, how are users of Mac OS X, let alone Linux users, supposed to have found out about it? You're being the dumbest of asses here.
The question is, would Apple admit/publicise the update anyway? No. I only think Microsoft would publicise big threats and vulnerabilities that would affect a large Windows audience, such as a vulnerability in IE that could affect millions of people.
I'm not too in the know-how with trojans, malware, whatever on Macs but I think all need user consent - and as long as you don't go downloading torrents for free (should-be-commercial) software and untrusted websites to get big application titles for Macs, you should be absolutely fine. Mac OS X is a little bit more secure by design because right now all trojans (correct me if wrong), malware, whatever, need user consent (administrative privileges) to do the damage and collection of personal data that the trojan/malware/etc was programmed to do.
I own a MacBook Pro and I'm a fan of the Mac OS X experience but I am in no way surprised by the latest update Apple has done or the fact that more trojans are being made for the Mac platform; although it is very unsaturated and isn't much of a big deal for those that don't go to stupid ways to get popular applications and torrent sites.
OK, firstly if you had ever read any of my output you would not come to the conclusion that I'm a Microsoft fanboy, quite the opposite I would imagine.
Secondly, people get to know about the Apple update in the same way they get to know about the Microsoft updates that have been done 'secretly' in that they read the news stories that appear. Once they read them, it seems to me, the Linux/Mac brigade are all over 'Evil Microsoft' yet strangely silent about Apple doing the same thing. Even the dumbest of asses has to think that's a little, well, hypocritical. No?
Sure, not reporting the update could be overlooked, and as a Microsoft fan boy, I'm sure you believe it should be.
As you said, yourself, the update was secretly deployed. So, how are users of Mac OS X, let alone Linux users, supposed to have found out about it? You're being the dumbest of asses here.
... people get to know about the Apple update in the same way they get to know about the Microsoft updates that have been done 'secretly'
You quote the word secret as if I were the one to characterize the update that way. You did, not me.
... in that they read the news stories that appear.
You don't say! Could it be that I was pointing out the absurdity of calling the update secret? Naw!
Once they read them, it seems to me, the Linux/Mac brigade are all over 'Evil Microsoft' yet strangely silent about Apple doing the same thing. Even the dumbest of asses has to think that's a little, well, hypocritical. No?
It could be, if you are talking about the very same individuals. But you lump everyone together with the word brigade, which leaves no room for differentiating one user from another. Worse, you lump together Mac users and Linux users as if they are the same groups of users. As a Linux user, I have little interest in how Apple chooses to publicize their security updates or in whether its users treat Apple with the same skepticism directed toward Microsoft.
Microsoft has more than earned the skepticism and scorn heaped on it. And this may come as a surprise to you: so has Apple. Certainly, you won't hear Apple's users criticizing it with the same fervor you believe is necessary to your sense of fairness. But, neither will anyone hear Windows users criticizing Microsoft that way. That's just not how people are no matter what camp they live in.
And the point still stands. It isn't the behavior of the fans that is the problem. It is the behavior of their idols. In this case, Apple. In most other cases, Microsoft.
Firstly how are we calling this a real threat? The program in question is a trojan which requires some really stupid people to manually install it by entering in their root password. Anyone can be affected by trojan's if they install them, the real threat was the use of social engineering and calling the program iPhoto to trick users into running it. I hardly see how your comparison Win/Mac is credible here. This would be a kin to warning people shooting themselves is dangerous. And this hardly compares to the several security issues and flaws caused by the evolution of the MS Windows products. I will not sit here and diminish the MS products many people use but I will say they are not my taste. I programmed on them for several years and became sick of the protect to run strategy required for standard operation.
Mac's just work, and this is something that continues to be true, with very little overhead on the part of the user. Are they more expensive yes, but you get more value for your dollar in relevant preinstalled software and exceptional localized service and support.
Apple for a long while has remain sparse on detail with respect to security updates. This is a strategy I prefer to be honest. Who cares what the security flaw was as long as its fixed and why broadcast a way to circumvent a system by giving the details.
I guess the real irritant is the posting of a fanboy article in a MAC forum when your real audience is the Windows users. Try posting your ill informed articles there.
I started on Windows and swiftly moved to Apple within a year of dealing with Windows security.
Now I only maintain friends' Windows machines.
I don't trust Apple as far as security patches much either. I've not updated from 10.6.5 to 10.6.6 since I've found no sure way to disable the App Store program, even though there are security fixes and graphics upgrades; the latter I need badly on my Mini.
I never allow Apple to automatically install updates. Same as I'd like to tell all my Windows user friends, but it's too complicated for them to learn to update Windows on their own, so I just tell them they have the option and then put them on auto update at their request.
I was not aware of the secret security update for 10.6.4 or I don't recall it. If either Microsoft or Apple secretly add security fixes, I'm okay with it as long as it's not done to juggle numbers for marketing. I'm the only Mac user I know that has had two browsers hijacked. I fixed the problem on my own, but I constantly hear from my Windows user friends that they have some malware problems that I then fix for them.
Interesting you are alleging browser hijacking in OSX I have never seen that ever.
I do agree with you on the App Store thing though. I am not a fan of the move to a seemingly iTunes like distribution method.
This is where I will actually start to show some distain for the Apple brand.
1) I don't go with the flow and iPhone app store forces me to download whats popular. Is this what the think different approach to Mac App store is attempting? Search is great if you know what app you are looking for.
2) How will code signing in Objective-C / Cocoa and the Mac App store inhibit my ability to migrate and install apps on multiple machines?
3) Why is the app store better than say Mac Update.com, or Softpedia.com?
4) Why are we making your desktop / laptop experience more like a hamstrung iPad / iPhone?
5) Why would I want to track all my install metrics? Its none of your business what I install.
there are more but this App store thing really gets under my skin. Especially as a developer, DBA, etc. I often need things that are not polished apps, tools, utilities, servers, etc. which are open source. What good is the app store for this content. And heaven forbid they start to filter apps like the do with the iPhone. I suppose if you are totally new to computers and have no clue what software you need its a great marketing tool, but I personally dislike this forced update for the app store. Give me the regular updates and allow me to say no to that horrible idea.
"I suppose if you are totally new to computers and have no clue what software you need its a great marketing tool,".
That's it in my opinion. And maybe a bit of information mining for marketing.
I posted, some time back, looking for help on the Camino and Opera "hijacking" issue. Plenty looked but no ideas.
Both browsers went to the same bogus site every time they were started, while Safari and Firefox went anywhere I pointed them.