these things and communicating is part of our overall approach to security.
Might we see Apple put its alerts on a schedule or adding information to
its security alerts? Are there any plans for changes there?
Tribble: If
users have feedback on other things they'd like to see, we always are listening
to that. It has been satisfactory. As I say, communicating--whether it is in
bulletins, or talking to you--we're always happy to talk about our security
story, because we think we have a pretty good one.
In your current
security update, you tweaked the download validation function. Does that
update include anything that will protect users if they download files using an
application other than Safari, iChat or Mail?
Tribble: The download
validation that we do is in Safari and Mail and iChat. We strengthened that
validation, and we believe that the vast majority of the issues that come up
along these lines have to do with downloads that come in either through Safari, or iChat or Mail.
Some experts have suggested that you should put
protections at a lower level in the operating system, so it would be
impossible to make a file look innocent, while it is actually malicious. Have
you taken that on and done any work on it?
Tribble: Well, yes. We're
definitely always taking in the feedback. We're always listening to good ideas.
Of the issues that Apple addresses in its new update, is anything actually
being abused or exploited for attacks on Mac users?
Tribble: That's a
good point. None of these issues are things where there are exploits in the
wild. In a way, you could say these are preemptive fixes to prevent potential problems from arising.
I think everything in the update is important from that standpoint. Things we're putting out increase the level of security in Mac OS X.
Last year, your security updates came about once a month, or with even
longer pauses. Now you've released a security update two weeks after another.
Does this indicate that you have to deal with a higher number of security issues
in the OS, or is that just a coincidence?
Tribble: We tend to respond as
rapidly to issues as they are found by the community. We're really driven more
than anything by trying to get a timely response out there.
So the answer is no. Your issuing another patch within two weeks of your
first patch doesn't mean that there are more vulnerabilities in Mac OS X to be
fixed?
Tribble: I think it just means that we're working hard. We're not
targeting any fixed schedule, we're actually trying to be timely in our response.
Another thing that experts sometimes suggest is that Mac OS security is
suffering because it now
runs on an Intel platform. Is that just a fairy tale?
Tribble: I
don't believe that is true. Security issues target specific OSes, and the
instruction set does not really have a huge effect on that. Furthermore, all of
the mechanisms that we had and are developing are working equally well on
PowerPC and Intel. If anyone is concerned that somehow moving to a new
architecture, that somehow all of the security work that we have done in Mac OS
gets left behind, that's not the case.
Some security researchers say Apple is a pain to deal with. The say you
don't respond quickly and they feel like information on security vulnerabilities
is going down a black hole. I am sure you don't agree with that assessment.
Tribble: There is a quite active security community out there in terms
of CERT, FIRST and the BSD security community. We are in close touch with those
guys. When there is external issues reported and we fix them, we thank the
submitter. I would not agree with that characterization.
Do you have a process in place for responding
to security researchers?
Tribble: Yes we do. There is a security Web
page and there is a mail alias, which is product-security@apple.com.
In terms of your dealings with individual security researchers, do you
feel like you have a good rapport with them? And is that important to you?
Tribble: I think we do. There is a very broad set of people out there
who are doing something or other with security. I think we attempt to deal with
them all with a pretty even-handed policy that optimizes us getting the
information that we need to fix the issues.
Do you compare yourself with any other software vendor when it comes to
security?
Tribble: We just do the best job we can. We are focused on it,
all up and down the levels of the company. We know that it impacts the experience that our customers are going to have.
Play video
There are currently no comments for this post.