When I read the headline about a security researcher who had published proof-of-concept code for a vulnerability, I was upset. To disseminate proof-of-concept code is to basically say, "Here is a way to attack computers for those of you who can't figure out how to do it yourselves." The analogy that comes to mind is to throw a gun on a playground and let kids figure out how to load it.
By the time I had finished reading the article, though, my attitude had changed.
The purpose of stunts such as this one is to embarrass a vendor into fixing problems and writing better software. The problem with that scheme is that even when it works exactly as planned, it is users who get hurt, not the vendor. A significant number of users just do not implement fixes when they are available. These people are the ones who suffer (along with all those innocent third parties who pay the price when the PCs belonging to inattentive users are compromised and added to a botnet).
What influenced my change of heart in this case was the fact that the vendor in question was Apple, which has been feckless on the topic of security for a long time. Apple gives people the false impression that they don't have to worry about security if they use a Mac. And perhaps because the company is invested in fostering that impression, Apple is grossly negligent in fixing problems. The proof-of-concept code in this case is proof that Apple has not provided a fix for a vulnerability that was identified six months ago. There is no excuse for that.
Apple has exuberantly criticized Microsoft for the security vulnerabilities of its products. The fact is, though, that that criticism is grossly misplaced. For its part, Microsoft has been extremely disciplined in ignoring Apple's advertisements.
The current Mac commercials specifically imply that Windows PCs are vulnerable to viruses and other attacks, and Macs are not. I can't disagree that PCs are frequent victims of viruses and other attacks, but so are Macs. In fact, the first viruses targeted Macs. Apple itself recommended in December 2008 that users buy antivirus software. It quickly recanted that statement, though, presumably for marketing purposes.
It certainly could not have been for real security reasons. A ZDNet summary of 2007 vulnerabilities showed that there were five times more vulnerabilities for Mac OS than for all types of Windows PC operating systems.
How can Apple get away with this blatant disregard for security? Its advertising claims seem comparable to an automobile manufacturer implying that its cars are completely safe and its competitors' cars are death traps, when we all know that all cars are inherently unsafe. Claims like those would surely draw the wrath of the Federal Trade Commission. Well, guess what: All commercial software has security vulnerabilities.
- Warning: Cloud Data at Risk Experts agree that relying on SaaS vendors to backup and restore your data is dangerous. Yet that's exactly what huge portions of the...
- The Opportunities and Challenges of the Cloud In this report F5 poses questions to IDC analysts, Sally Hudson and Phil Hochmuth, on behalf of F5's customers to better understand the...
- Mobile First: Securing Information Sprawl Learn how the partnership between Box and MobileIron can help you execute a "mobile first" strategy that manages and secures both mobile apps...
- The Truth About Cloud Security "Security" is the number one issue holding business leaders back from the cloud. But does the reality match the perception?
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!