When I read the headline about a security researcher who had published proof-of-concept code for a vulnerability, I was upset. To disseminate proof-of-concept code is to basically say, "Here is a way to attack computers for those of you who can't figure out how to do it yourselves." The analogy that comes to mind is to throw a gun on a playground and let kids figure out how to load it.
By the time I had finished reading the article, though, my attitude had changed.
The purpose of stunts such as this one is to embarrass a vendor into fixing problems and writing better software. The problem with that scheme is that even when it works exactly as planned, it is users who get hurt, not the vendor. A significant number of users just do not implement fixes when they are available. These people are the ones who suffer (along with all those innocent third parties who pay the price when the PCs belonging to inattentive users are compromised and added to a botnet).
What influenced my change of heart in this case was the fact that the vendor in question was Apple, which has been feckless on the topic of security for a long time. Apple gives people the false impression that they don't have to worry about security if they use a Mac. And perhaps because the company is invested in fostering that impression, Apple is grossly negligent in fixing problems. The proof-of-concept code in this case is proof that Apple has not provided a fix for a vulnerability that was identified six months ago. There is no excuse for that.
Apple has exuberantly criticized Microsoft for the security vulnerabilities of its products. The fact is, though, that that criticism is grossly misplaced. For its part, Microsoft has been extremely disciplined in ignoring Apple's advertisements.
The current Mac commercials specifically imply that Windows PCs are vulnerable to viruses and other attacks, and Macs are not. I can't disagree that PCs are frequent victims of viruses and other attacks, but so are Macs. In fact, the first viruses targeted Macs. Apple itself recommended in December 2008 that users buy antivirus software. It quickly recanted that statement, though, presumably for marketing purposes.
It certainly could not have been for real security reasons. A ZDNet summary of 2007 vulnerabilities showed that there were five times more vulnerabilities for Mac OS than for all types of Windows PC operating systems.
How can Apple get away with this blatant disregard for security? Its advertising claims seem comparable to an automobile manufacturer implying that its cars are completely safe and its competitors' cars are death traps, when we all know that all cars are inherently unsafe. Claims like those would surely draw the wrath of the Federal Trade Commission. Well, guess what: All commercial software has security vulnerabilities.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts