MacNewsWorld Interviews Discoverer of OS X Browser Flaw
by , 8:00 AM EDT, May 20th, 2004
MacNewsWorld has posted an interview with the discoverer of the recently publicized OS X browser flaw. According to the discoverer of the flaw, "lixlpixel," Apple was informed of the flaw back in February 2004, but has done nothing about it as of yet. After waiting for two months, he says he decided to post information about the flaw to a Swiss Web site, which was then picked up by security firm Secunia. From MacNewsWorld:
In an exclusive interview Wednesday, lixlpixel told MacNewsWorld that, after waiting on Apple's reply, he finally posted the advisory to a Swiss Macintosh Web site.
"This is how Secunia picked up on the vulnerability," lixlpixel said, adding he had not contacted Secunia directly.
"Just by the nature of the Internet, this post took off," he continued.
"I was building a site where PHP and AppleScript work together to achieve what I wanted. That's when I discovered that you could start applications on the Mac via [a] URL," lixlpixel said.
"Of course that's no big deal, but then I realized that if you knew the location of the downloaded program on the user's machine, it gets more dangerous. That's why I notified Apple."
You can read the full article at MacNewsWorld's Web site, and we recommend it as a very interesting article.
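The mechanism lixlpixel describes above, a web page handing a non-web URL scheme to whatever local application is registered for it, is the same one the interim workaround (re-pointing the help protocol at a harmless handler) and URL-watching tools such as Paranoid Android address from the client side. The following is an added illustration written for this page, not code from lixlpixel, Apple, Secunia or Unsanity: it scans a constructed HTML sample for URLs that would leave the browser and be dispatched to a scheme handler, normalises the tricks browsers tolerate in a scheme (mixed case, leading whitespace, embedded tabs and newlines) and applies an explicit allow / prompt / block policy per scheme. The scheme sets, the `help:` placeholder URLs and the sample page are this example's own assumptions and carry no real exploit path.

```python
"""Flag URLs in a page that would be dispatched to a local protocol handler.

Added example for illustration; the scheme policy and the sample HTML are
constructed here and are not taken from Mac OS X, Apple or any advisory.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Schemes the browser renders itself. Anything else is handed to the
# application registered for that scheme, which is the behaviour at issue.
# (Assumption: a minimal allowlist; extend for your own environment.)
WEB_SCHEMES = {"http", "https", "ftp", "mailto"}
# Schemes this policy refuses outright; 'help' is the one in the article.
BLOCKED_SCHEMES = {"help"}
# Attributes that can carry a URL the browser will navigate or fetch.
URL_ATTRS = {"href", "src", "action", "data"}


def scheme_of(url):
    """Return the lower-cased scheme of url ('' for relative URLs).

    Browsers drop tabs and newlines anywhere in a URL and ignore leading
    whitespace, so "he\\nlp:" or "  HeLp:" still reach the help handler.
    Normalise the same way before deciding anything.
    """
    cleaned = re.sub(r"[\t\r\n]", "", url).strip()
    return urlsplit(cleaned).scheme.lower()


def classify(url):
    """Return (verdict, scheme): 'allow', 'block', or 'prompt' for unknown
    custom schemes, mirroring an ask-the-user interception tool."""
    scheme = scheme_of(url)
    if scheme == "" or scheme in WEB_SCHEMES:
        return "allow", scheme
    if scheme in BLOCKED_SCHEMES:
        return "block", scheme
    return "prompt", scheme


class _LinkCollector(HTMLParser):
    """Collect (location, url) pairs from URL-bearing attributes and from
    <meta http-equiv="refresh"> redirects, which are easy to overlook."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        attrs = {name.lower(): (value or "") for name, value in attrs}
        for name in URL_ATTRS:
            if name in attrs:
                self.urls.append((f"<{tag} {name}>", attrs[name]))
        if tag == "meta" and attrs.get("http-equiv", "").lower() == "refresh":
            m = re.search(r"url\s*=\s*[\"']?([^\"'\s]+)",
                          attrs.get("content", ""), re.I)
            if m:
                self.urls.append(("<meta refresh>", m.group(1)))


def scan_html(html):
    """Return a list of (verdict, scheme, location, url) for every URL found."""
    parser = _LinkCollector()
    parser.feed(html)
    parser.close()
    return [(*classify(url), location, url) for location, url in parser.urls]


# Constructed sample page: two ordinary links, a meta-refresh and an iframe
# that both point at the help scheme (placeholder targets, not a real
# exploit), one unknown custom scheme and one relative image.
SAMPLE_HTML = """<html><body>
<a href="https://www.apple.com/support/">Support</a>
<a href="mailto:product-security@apple.com">Report a security issue</a>
<meta http-equiv="refresh" content="0; URL=HeLp:fake-help-url">
<iframe src=" help:fake-help-url"></iframe>
<a href="myapp:open">custom handler</a>
<img src="/images/logo.png">
</body></html>"""


if __name__ == "__main__":
    for verdict, scheme, location, url in scan_html(SAMPLE_HTML):
        print(f"{verdict:6} scheme={scheme or '-':8} {location:16} {url.strip()!r}")
```

Running the block prints one line per URL; the two `help:` references are reported as blocked even though one is mixed-case and the other has leading whitespace, and the unknown `myapp:` scheme is flagged for a prompt rather than silently allowed, which is the policy a handler-interception tool enforces.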
The Mac Observer Spin:
A number of Observers had questions about how and why this flaw was made public, and this interview answers most of those questions. More importantly, we are concerned about Apple's alleged lack of response to lixlpixel, though we obviously don't know Apple's side of things. If true, however, it brings up ugly comparisons to Microsoft, a company long known for ignoring similar security notifications until public pressure and the massive Windows virus/worm problem forced the company to pay attention.
Certainly Apple's record is far, far better than Microsoft's, but it may take a bit of public pressure from the Mac installed-base to keep it that way.
Observer Comments
Usually I have nothing but good things to say about Apple, but as of late they seem to be dropping the ball when it comes to a few different things. This security hole is a huge deal. I don't need somebody commandeering my machine. Apple's hardware line has also seen some negativity in regard to quality. iBook recalls are no fun. Last but not least, everybody knows about Apple's crappy advertisement campaign for their beautiful OS. If Apple could pick up the pace on these things and not get negative press for them, I think they could see a huge increase in market share and installed user base.
Thu May 20, 2004 9:25 am Subject: Yet Another Apple Bad News Story - See A Trend
Thu May 20, 2004 9:50 am Subject: Thing is, they could have done this really quickly
Sure, they would have broken the integration of their help system, but the actual security concern could have been addressed very, very quickly simply by pushing out a security update that did what every responsible user has already done: assign a harmless default application to the help protocol. Even better, it would trigger an alert with the option to open Help Viewer and run the script, open Help Viewer but not run the script, or not open Help Viewer at all. They could have protected everyone in late February and looked really responsible in the process. It was a win-win.
Thu May 20, 2004 10:16 am Subject: Fixing One Problem But Creating Another
Although it seems like introducing a quick fix would have been the right way to go, I've too often seen a Microsoft security patch break an otherwise working system.
Fortunately, thanks to the responsiveness of the Mac community, information on how to protect one's system against this exploit has been spread almost as quickly as the news itself.
There is considerable discussion on this over at Macintosh News Network, with lixlpixel joining the discussion. What is NOT clear, however, is just HOW lixlpixel notified Apple. There is a specific location on Apple's website for contacting Apple about security issues, but as of yesterday AM lixlpixel has not acknowledged using that method. As such, a normal email to Apple may go unnoticed by Apple for quite a while, thus explaining the delay.
I'm not an Apple apologist, but one would think that when finding a flaw this dangerous, one would at least navigate the Apple web site.
From the second page:
quote:
Originally posted by lixlpixel:
do you really believe i would make that public without telling Apple ?
I LOVE APPLE
i can't sleep since i did it - i only did it because of so many "new" (more or less serious) exploits for the Mac surfaced.
(and because Apple didn't respond on my bug report for over two months)
Excuse me, but you sent a BUG REPORT??? That bug report is probably buried deep in some developer's to-do list and hasn't been read by the right people yet.
Contact Apple directly at product-security@apple.com
NOW!!!!
Next time someone feels they have to make a security hole public because Apple didn't respond to your e-mail, bug report or something like that, please read this page first:
http://www.info.apple.com/usen/security/index.html
-End quote-
Now please excuse me while I read the rest of the discussion.
Thu May 20, 2004 11:43 am Subject: Quick fix, no. Quick intervention, yes.
John, I'm not advocating that they offer up a quick fix, I'm saying they should have deliberately assigned a harmless default application to the help protocol. Which is the "fix" that everyone is employing. By deliberately breaking some of the system's interoperability without actually changing the functionality of the system, they would have short-circuited the negative publicity and protected their users.
Every once in awhile, the best temporary fix is to just unplug what's broken, fix it, then plug it back in.
Good point, though, Brutno, about what constitutes notification.
Posting the link for the Apple's "security flaw" email was a good idea. I have a question though. I went to www.apple.com and then tried to navigate my way toward the link provided (as I am assuming lixlpixel must have done) and I could not find the link. Doing an advanced search of the site for "submit security product" failed as well. How would you intuitively navigate to this security page? i.e. what obvious thing did I miss? I ask for a simple reason... if I didn't miss something simple and this page is very difficult to find, then Apple is making it difficult for security issues to be brought to their attention. Thanks!
Dave
Thu May 20, 2004 1:40 pm Subject: How to contact Apple
Good question, Dave.
Use this path:
Apple(home):Support(tab at top of page):MoreResources(bottom left of page):Contacting Apple About Product Security Issues.... yields this page:
http://www.info.apple.com/usen/security/index.html
You are correct - it is NOT easy to find, took me about three minutes, but certainly worth the effort.
Thanks for asking!
lilpixie should know that you can't go down to the Apple Store and tell the blonde chick at the Genius Bar. I know, I know, if there is a blonde chick at the Genius Bar, she's sucking up all her pride to land the genius guy so she can afford implants, but work with me here!
lilpixie also should know that you can't report these issues to security guards at MacWorld. The security guards are only at the show to ensure that vendors do not take work away from union contractors by standing on foot-stools to plug in lamps or being over 5'11" and able to reach the lamps without assistance.
Finally, lilpixie should know that he can't report security problems in a major operating system to the lady who runs the computer lab at his elementary school. She is a nice lady, stays on top of the latest trends like System 7 and Windows 95, is a demon in bed with her husband the PE specialist, but she doesn't know $%^% about Mac OS X security!
Signed,
A real script kiddie
Thanks for the reply! I must be blind, and I feel silly for apparently missing something so obvious, but I am still unable to find the site via normal browsing methods. I can find it if I go to the Support tab and then go to the site support map link. I cannot find it simply by browsing. I do not even see the "more resources" link you had mentioned. I posted a screen shot of the support page on http://homepage.mac.com/stevejcowen/PhotoAlbum5.html just to see if maybe by doing so you (or someone else) can give me specifics on where the "more resources" link is. I am going to all of this trouble because I really am curious as to how difficult it is for someone to find the security page on Apple's web site. If it is as hard for people as it has been for me then I think Apple is being irresponsible at worst and just difficult to send security flaws to at the best. It seems like the security flaw email address should be on Apple's contact page as well. Anyway, thanks in advance for the reply, as well as being so helpful up to this point.
Dave
Thu May 20, 2004 5:00 pm Subject: RC: your god has spoken
Quote: RealityCheck wrote:
now that Apple's market share is less than 2%, the death spiral is tightening
MS just commented they have a user base of 7 million for Mac Office. That's paying customers. Most people I know just copy the CDs from their friends.
About half of the 70 million iTMS sales are done by mac users.
Apple virtually controls the video/movie market on the software/hardware side. It brings in a $#!% heap of money and prestige. The same goes for the professional music market.
The majority of the DTP market still relies on Apple.
And the percentage of home users is way beyond 2% "market share". In fact, when you factor in the fact that most "non creative" offices don't have macs, the 2% becomes a very respectable figure for the home market.
I know, feeding the ugly, stupid troll...
Thu May 20, 2004 6:40 pm Subject: How to Contact Apple - Updated
Dave, (and anyone else...)
Oops! Missed a few links. Here is the revised path:
Apple(home):Support(tab at top of page):Support Site Map (very bottom of page in small print):Apple Product Security(far right under Site Tools & Services):
Above path yields this page where you will find the link:
http://www.info.apple.com/usen/security/index.html
Sorry about the miscue!
Again, difficult to find - you would think there would be a "Security" link on the Home page, but then again I am sure many people would submit items that were not *really* security issues. This is four steps, better than some sites, however.
Hope this helps, and I hope the website voodoo priests don't mess it up again!
Fri May 21, 2004 10:01 am Subject: Another Fix
Here's another goodie called Paranoid Android that can help guard against URL-based attacks. Once Apple does repair the exploit, this may be something you'd still like to keep around, just to know what is going on with your system:
http://www.unsanity.com/haxies/pa