On Monday, the Cupertino, Calif.-based company released the second set of Mac OS X security fixes in two weeks. Typically, Apple publishes its concise security alert on its Web site and Mac users will find the update when their computer checks for updates. That happens automatically every week on default Mac OS X installations.
But this time, Apple made Bud Tribble, one of the key architects of Mac OS, available to CNET News.com to talk about the security of Mac OS and the company's security update process.
Tribble, vice president of software technology, started at Apple in the early days of the company, as manager of the original software team and helped to design Mac OS. He rejoined Apple in 2002 after leaving the company to work on various ventures, including the NeXT Computer, which he helped found with current Apple CEO Steve Jobs.
Apple fans have long loved to point out the safety of using Mac OS X, which has mostly been left alone by hackers. But Mac OS X safety has been scrutinized in the past weeks, prompted by the discovery of two worms and the disclosure of a serious vulnerability. Security experts also have questioned the effectiveness of Apple's March 1 patch.
While recent events have some asking if Mac OS' charmed security life is over, Apple certainly doesn't think it is. The company's security updates are largely preemptive, Tribble notes. And though the company may start to talk about security in a more public forum, that doesn't mean it is overhauling its practices, for example by putting security patches on a schedule, like Microsoft, Oracle and Adobe Systems do, or plan to do.
Tribble recently spoke with CNET News.com to discuss Apple and its approach to security.
Q: Are you on any kind of schedule with security updates, or do you just issue them as they come along?
Tribble: We issue them as they are needed. We don't have a fixed schedule, say a monthly specific update. We actually are driven by making sure that the issues we find are addressed in a timely manner. We realize that certainly some IT managers desire a fixed schedule, but we think that the majority of our users are served by us getting the fixes out in a timely manner, when it makes sense.
You don't rate any of the vulnerabilities that you fix. Can you actually say which issue is considered the most severe?
Tribble: We don't do that. We don't, for example, say that these two are "critical" and the other ones are not critical. We don't do that, because we recommend that if we put out fixes in a security update, that you install them all. That's why we put them there.
One of the things we want to avoid is--say we started splitting hairs and calling some subset of them critical--I think we would end up with users eventually only installing the critical fixes, when we actually think that they should all be installed.
When you compare your security alerts with Microsoft's, for example, then you have less information in your alerts. Is that intentional?
Tribble: I am not sure we actually have less information. We describe the fixes, and we relate them to which components are being fixed. We have CVE (Common Vulnerabilities and Exposures) ID numbers, and we thank the people who submitted them. I think the actual content is pretty similar.
It is a big change that you're actually talking to the media about security. Is this part of a bigger change around Apple communicating its security updates?
Tribble: We feel like we have a very proactive approach to security and engineering and marketing and responding to these things. Communicating with you is just part of that.
You used to not talk about your updates at all. Now you are. Is that part of a bigger change? Or is this the only change we're going to see?
Tribble: It is probably not true that we've never talked about things. I think that talking about