Monday, January 4, 2016

Apple Security In 2015, Sorry : Grateful

--

It's been an annoying year of Apple security flaws, not because of the number but because there were so many which Apple sat on for many months on end. The year ended with, again, a huge round of fingers pointing at Apple's poor system for Enterprise developer security certificates, which once again were abused and applied to malware. This is the same damned problem that enabled the Wirelurker (Machook) malware that became evident in November 2014.

Another annoyance enabled by Apple has been a flaw in AppleScript the company has thoroughly ignored. Month after month the SANS @RISK security newsletter reported the same thing:
ID:     CVE-2015-7007
Title: Apple OS X Input Validation Code Execution Vulnerability
Vendor: Apple
Description: Script Editor in Apple OS X before 10.11.1 allows remote attackers to bypass an intended user-confirmation requirement for AppleScript execution via unspecified vectors.
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
So has this been fixed via security updates in previous versions of OS X?!

Apple deserves a great big steel-toed-boot kick up the backside for being LAZY and IRRESPONSIBLE about software security. This isn't the first lousy year for Apple security. But I find it very sad that Apple is back to blowing off security issues yet again.

Having had my rant, it is useful to note, however, that Apple has indeed been busy patching security holes in 2015. We're left in a state of Sorry : Grateful. Here's a fun article laying out Apple's busy security year as well as commentary about the usefulness of counting CVEs as a method of judging the quality of a company's security.

Apple had more CVEs than any single MS product in 2015, but it doesn't really matter
Meaningless league table sparks silly schadenfreude
. . . However, simply guffawing at Cupertino is problematic for many reasons.

The first is that the CVE Details survey makes no distinction between severity of vulnerabilities in the list. A low-risk vulnerability (for example, something that can only be exploited by an authenticated local user with administrative privilege) is not the same as a remote code execution bug that's easily exploited.

Second – and this applies to all platforms – many security bugs are cross-platform. A good example is libpng, which is everywhere from browsers to smart-watches. It may have had only four advisories in 2015, but that will have drawn patches from a lot of other vendors.

Third: CVE Details seems arbitrary in its assignment of CVE to project. Hence, for example, a bunch of LibreOffice/OpenOffice bugs are counted as Debian CVEs, as are some Oracle MySQL bugs.

Fourth: CVEs only count reported vulnerabilities. They don't count anything that's being hoarded, whether by security agencies or by black-hats, for example. And there's nothing good to come out of turning CVEs into some kind of marketing scorecard. . . .
The worst security problem for Mac users in 2015 was adware. Several software download sites now foist the stuff as a matter of course, a sick and sad trend. Meanwhile, 2015 was the year when it became clear that computer users on all platforms are fighting back against marketing abuse with adblocking software, resulting in a slow-burn war between websites that make their revenue from advertising and users who are sick of:

A) Being surveilled across the Internet.
B) Having targeted ads foisted at them from every possible source and angle.
C) Having their Internet experiences turned into noise and annoyance from rude and puerile advertisements, click-jacking, hostile HTML5 Canvas images, popups, deceitful search engine results, hard sell, lies, lies and lies.

Now that advertisers have gotten the hang of web advertising, 20 years after the web went public, web advertising has reached an all-time low in quality and integrity. Foisting adware on unsuspecting victim users is merely more of the same.

What Will 2016 Bring?

- More marketing warz, no doubt. 
- An increased lash-back at user surveillance across the Internet. 
- New intra & inter-nation cyber attack vectors. 
- Apple being shoved in a corner and forced to repair their poor Enterprise developer certificate system. 
- Flash hell. 
- Java hell. 
- Fragmandroid security hell on steroids.
- Our stupid governments demanding backdoors in everything Internet, to the thorough detriment of the citizenry and the glee of the FUD mongers who want to turn the world into one massive TOTALITARIAN hell hole of Neo-Feudalism.
- Further stupendous displays of technology ignorance from politicians and world leaders, along with the ramifications of that ignorance.

That sort of thing. 

Meanwhile, BSD UNIX will continue to be the safest computer platform, OS X included. iOS will clean up its reputation again and reinforce the 'walled garden', including for Enterprise users. I expect a few malware and exploit attempts at watchOS, tvOS and of course OS X. I also expect surprises, giving me cause to write a few more-than-usually interesting posts in the blog.

Share and Enjoy 2016!

:-Derek

--