A Time-to-Patch: Apple 2006
Apple computer users mostly stayed off the radar screens of the criminal hacker community in 2006, even as the Cupertino, Calif., software company learned of an unprecedented number of serious security holes in its Mac OS X systems and other software. At the same time, many of those same flaws have made Web surfing more precarious for Apple's largest and fastest growing customer base -- Microsoft Windows users.
In a study of updates that Apple shipped last year to remedy serious security holes in products such as QuickTime and iTunes, Security Fix found that the company released patches to plug at least 104 critical security vulnerabilities. That is more than twice the number of severe security holes that the company patched in all of 2004 and 2005 combined.
Unlike other software makers, Apple doesn't rate the severity of software security flaws it discovers and patches. So, as with the previous time-to-patch analysis, the 2006 study looked solely at weaknesses that Apple's advisories said could provide attackers a way to remotely compromise the integrity of a targeted system.
More than two-thirds of the vulnerabilities included in this analysis were reported or disclosed by outside researchers. Security Fix contacted dozens of independent researchers who discovered Apple flaws to compile this report. Apple officials have repeatedly declined requests since December 2006 to provide data or any kind of meaningful response to this study.
On average, Apple took about 82 days to fix the most serious vulnerabilities in its software products last year. This figure represents a measurable improvement over Apple's 2004 and 2005 time-to-patch times, when Apple fixed security problems, on average, within about 91 days of notification. However, I should note that Apple declined to disclose the dates on which in-house researchers first learned of nearly one-third of the flaws examined in this study, so the true time-to-patch number may be higher. (Apple also declined to provide missing dates for the 2004-2005 study.)
That's just a hunch, of course, but it's based on evidence collected during this review.
The study also shows that the company managed to correct flaws much more rapidly last year when it came to vulnerabilities that researchers detailed for Apple at the same time as they demonstrated them to the rest of the world. In the dozen cases during 2006 when Apple first learned of a vulnerability after a researcher posted proof of it online, the company fixed the problems in an average of 23 days -- or about 72 percent faster than it remedied privately reported vulnerabilities.
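The methodology just described (count only advisories that say a flaw permits remote compromise, measure days from vendor notification to patch release, exclude records with no notification date, and compare privately reported flaws against fully disclosed ones) is simple enough to reproduce. The script below is an added example and is not the Security Fix study's own code; the advisory records in it are constructed sample data with dates chosen to land on the article's 82-day and 23-day averages, not real Apple advisories. The `Advisory` record, the field names and the `summarize` function are assumptions of this example.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Optional


@dataclass(frozen=True)
class Advisory:
    """One patched flaw. Field names are this example's own, not a vendor format."""
    product: str
    remote_compromise: bool      # only flaws the advisory says allow remote compromise count
    disclosure: str              # "private" (vendor told first) or "full" (public first)
    notified: Optional[date]     # None when the vendor did not disclose the date
    patched: date                # date the public fix shipped


# Constructed sample records (not real advisories); day counts in comments.
SAMPLE = [
    Advisory("QuickTime", True,  "private", date(2006, 1, 10), date(2006, 4, 5)),   # 85 days
    Advisory("Safari",    True,  "full",    date(2006, 5, 1),  date(2006, 5, 25)),  # 24 days
    Advisory("iTunes",    True,  "private", None,              date(2006, 7, 1)),   # no notify date
    Advisory("Mail",      False, "private", date(2006, 2, 1),  date(2006, 6, 1)),   # not remote: skip
    Advisory("QuickTime", True,  "full",    date(2006, 9, 10), date(2006, 10, 2)),  # 22 days
    Advisory("Mac OS X",  True,  "private", date(2006, 3, 1),  date(2006, 5, 19)),  # 79 days
]


def time_to_patch(a: Advisory) -> int:
    """Whole days between notification and the public patch."""
    return (a.patched - a.notified).days


def summarize(advisories):
    """Mean time-to-patch overall and per disclosure mode, with the exclusion count
    reported explicitly so a reader knows the averages may understate reality."""
    in_scope = [a for a in advisories if a.remote_compromise]
    dated = [a for a in in_scope if a.notified is not None]
    missing = len(in_scope) - len(dated)

    by_mode = {}
    for mode in ("private", "full"):
        days = [time_to_patch(a) for a in dated if a.disclosure == mode]
        by_mode[mode] = {
            "count": len(days),
            "mean_days": round(mean(days), 1) if days else None,
        }

    overall = round(mean(time_to_patch(a) for a in dated), 1) if dated else None

    # Relative speed-up of full disclosure over private reporting, in percent.
    p = by_mode["private"]["mean_days"]
    f = by_mode["full"]["mean_days"]
    speedup = round(100 * (p - f) / p) if (p and f is not None) else None

    return {
        "in_scope": len(in_scope),
        "missing_notification_dates": missing,   # true mean may be higher than shown
        "overall_mean_days": overall,
        "by_mode": by_mode,
        "full_vs_private_pct_faster": speedup,
    }


if __name__ == "__main__":
    for k, v in summarize(SAMPLE).items():
        print(f"{k}: {v}")
```

On the sample data this yields an 82.0-day private average, a 23.0-day full-disclosure average and a 72 percent relative difference; the `missing_notification_dates` count is the part that matters when reading any such figure, because every excluded record is one whose patch interval is unknown rather than zero.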
The practice of publicly airing details on previously undocumented and unpatched security flaws -- known in the industry as "full disclosure" -- stands in stark contrast to the private notification approach favored by software vendors, which industry heavyweights such as Apple and Microsoft like to call "responsible disclosure."
The software makers charge that when researchers publish details about unpatched security holes, criminals also get access and are more likely to attack computer users. During the time a patch is being created, the companies argue, customers become caught in the middle.
But advocates for full disclosure counter that responsible disclosure naively assumes that the vendor and the researcher are the only ones who know about the security weakness. More importantly, the argument continues, full disclosure shines a public spotlight on security problems, thereby preventing vendors from dragging their feet in fixing them.
Bruce Schneier, chief technical officer for security firm BT Counterpane, believes computer users are always better served by full disclosure.
"Things just don't get fixed quickly otherwise," he said. "That is the mechanism by which consumers know what they're buying, because there's no transparency in the market today. Report your vulnerabilities to Apple, fine, but you also have to publish them. This is how we as a species get smarter."
A researcher who asked to be identified by his online pseudonym "drunkenbatman," practiced full disclosure at least twice last year with his findings, posting images on his Web site that caused crashes for people who visited the site with Apple's Safari Web browser.
"I think these kinds of stats are valuable data because they show that there are consequences for responsible disclosure, in that if it gets disclosed openly, it gets fixed faster," drunkenbatman said in an online chat with Security Fix. "I know apologists will say, 'Well, yes, but Apple takes 90 days because they can integrate it with their existing development cycle, which makes things of a higher quality.' But it's not the customer's job to worry about what's easier for Apple."
Researchers chose full disclosure with Apple in 2006 more often than they did in the prior two years combined. In 2004 and 2005, Apple learned of serious vulnerabilities just four times through full disclosure.
Last year, researchers told Apple and the rest of the world about more than a dozen previously unknown and serious security flaws. (Several vulnerabilities detailed in the accompanying chart were publicly disclosed before a patch was available, but they are not highlighted as full disclosure because other researchers had at an earlier date privately provided Apple details of the same flaws.)
There are indications that Apple is investing more resources in communicating with the security research community. Tom Ferris, a researcher who in last year's analysis was critical of the time it took Apple to respond to reports of new vulnerabilities, said the company has since improved on that front.
"Their response time has been a lot better for me than it was last year. I'm not getting the old automated response back, I'm actually getting a live person now," said Ferris, who reported seven of the holes featured in this study. "They seem to be taking these reports a lot more seriously, but they still have a long way to go as far as internally finding these vulnerabilities themselves."
The feedback I received most frequently from the Mac community when I posted the results of Apple's 2004-2005 time-to-patch analysis last year went something like this: "Who really cares whether Apple takes three months or nine months to fix a problem, so long as nobody is really attacking the platform?"
One popular response is that the paucity of attacks against Macs, as compared with Windows machines, has more to do with Apple's relatively small market share than with the security of the underlying operating systems. If Apple held a larger share of the market for Internet users, the idea goes, malware writers would shift their focus and begin attacking Mac users.
This theory holds that plunderable security holes in the Windows platform and Windows software are so bountiful and lucrative that cyber criminals simply can't be bothered to attack a relatively unfamiliar platform just to gain a few extra victims. With the advent of Intel-based Macs and a steadily growing Apple market share, that notion may soon be tested.
But one reality is becoming harder to ignore with each successive patch update from Cupertino: Increasingly, cross-platform Apple staples like iTunes, QuickTime -- and now Safari for Windows and the iPhone -- are beginning to blur the very definition of market share, at least from a security standpoint. The reality is that the implications of Apple's patch times now extend well beyond their potential impact on the core Mac user base.
For example, tens of millions of Windows users who own some version of an iPod also have iTunes installed. Apple's iPhone -- which already has somewhere close to a million users (the majority of them no doubt Windows customers) -- could bring its own share of security risks.
Apple recently ported Safari for use on Windows. About 20 percent of the serious flaws Apple patched last year were due to vulnerabilities in Safari or key Safari components.
"Apple's real platform is media -- not the operating system -- and that has much more market share or penetration than any other Apple product," said Dino Dai Zovi, a security researcher who has reported numerous vulnerabilities to Apple over the past several years.
Bundled with iTunes is QuickTime, an application that harbored approximately one-third of the most serious software vulnerabilities that Apple patched in 2006. In nearly all of those cases, the QuickTime flaws were similarly exploitable on both Windows and Mac systems, most often by merely getting the user to view a specially-crafted image file or video file.
In early December 2006, a computer worm powered by a QuickTime flaw spread rapidly among social networking site MySpace.com's 80 million users. The "QuickSpace" worm, as it was later dubbed, replicated by leveraging a flaw in the way QuickTime videos were embedded in Web pages. The payload was crafted to steal MySpace user names and passwords from people who visited a hijacked MySpace page. More than 100,000 MySpace users had their credentials filched as a result of the worm, which used compromised MySpace pages to blast out online ads for adult Web sites.
With such a high-profile demonstration of how this new weapon could be used, one might think that Apple would have sewn up the vulnerability in a matter of days. It did ... sort of: Apple provided an update that fixed the problem, but the patch was made available only for MySpace administrators and users. It took Apple until March 5 to plug the QuickTime hole in a publicly available patch -- almost three months to the day after the QuickSpace worm first surfaced.
QuickTime flaws are among the arsenal of tools now embedded in the likes of "Mpack" and "IcePack," two of the more prevalent exploit creation kits sold on underground forums. In June of this year, thousands of legitimate Web sites were seeded with Trojan horse programs created with Mpack, dropping password-stealing programs on machines when users visited the sites without the aid of the latest QuickTime patches.
Indeed, the fact that we're now seeing Apple programs like QuickTime showing up in these mass exploit tools appears to be a recognition by criminal hackers that at least this Apple component has achieved a sufficient market share to become a target worthy of automated attack, drunkenbatman said.
Earlier this month, criminals embedded a similar exploit in online ads that ran on job search giant Monster.com. The result: Nearly 50,000 people had their personal information and/or Monster.com login credentials stolen.