Apple talks up security
Published: 03 Jun 2004 13:25 BST
Worse than it sounds?
Another critique, levelled by digital-security company @Stake, is that Apple has downplayed the threat of potential vulnerabilities in its descriptions of flaws.
In one example, Apple last month patched a series of holes including a buffer overflow in the Apple file-sharing system that could allow a remote attacker to take control of the system. Apple, though, described it as a correction "to improve the handling of long passwords."
"They are not characterising the issue so that people can make a security decision about it," Chris Wysopal, @Stake's vice president of research and development, said last month. Apple "seems to think that everyone will update their computers all the time, and that is not the way the world works".
In another case, a security company called eEye said Apple rated as minor a QuickTime flaw eEye had found. Apple said the flaw in the QuickTime movie player for Mac OS X could cause the player to crash, while eEye said the real problem was that it could allow malicious code to be executed.
Schiller said Apple will look into how it communicates the details of potential threats.
"Certainly that is criticism we will take," Schiller said. "If people think we can do a better job of communicating some of this to everybody, then we will do a better job."
But some Mac users say that as long as Apple keeps potential problems from becoming real headaches, they don't need more detail from the company.
"I haven't been burned yet," said Lauren Connolly, a system administrator at the California Institute of Technology who has used Macs for 20 years. Connolly said she has never had a system infected because of something Apple didn't patch, nor has she had problems with any of the patches Apple has put out.







