I find this a bit concerning not because Apple was hit, but because getting hit by some Java-malware necessitates a public statement. Anyone here in an organization of more than about 10 users likely has one or more of them with malware of some sort on their device right now, and it is treated as just the cost of the platform. In my organization I'm sort of the paranoid in that I treat every exposure as a serious event, but I am very much alone on that.
An interesting question is whether this is merely a blip or part of a trend. Apple's user base must be an enormously tempting target for malware creators.
Apple invites this kind of reaction by not being transparent and not cooperating with the larger security community, for reasons that are difficult to understand.
This week's episode of the podcast run by the Intego Mac Antivirus company talked about a new malware affecting macOS that was severe enough that Apple released XProtect signatures for it, but didn't provide details to the rest of the security community, so anti-virus vendors had to reverse engineer the XProtect signatures to figure out what they were for. Apple usually only updates XProtect for the highest severity malware that's circulating widely.
Most of the tech industry participates in information sharing through groups like the Cyber Tech Accord, the Cyber Threat Alliance, and several others. Apple is conspicuously absent from these groups.
What reason does Apple have to withhold information about vulnerabilities from the rest of the industry? It just puts their customers at risk. They have a trillion dollars. There's no reason they couldn't dedicate entire teams to disseminating information in a responsible way, just like every other tech company that you've heard of.
In the case of these Big Sur / Catalina patches, what benefit is it for them to not share their plans if they are in fact planning to release patches once the "regressions" are accounted for?
Apple aren't doing this to eliminate malware from their systems. Probably just gearing up to the point where it's impossible to run any application that Apple isn't getting a cut of (or is free).
Realistically, malware only affects a tiny fraction of users, and only a further tiny fraction suffer demonstrable loss from it.
It sounds like they're just like everyone else then: in which case, even more users were vulnerable, and Apple has even more incentive to secure their system. Is there anything I'm missing here?
It's a bad move for Apple. A good relationship with the community of security researchers is crucial - they're talented folks and their research results grab headlines. It takes just a tiny amount of corporate humility and public thanks to win their respect, and in return get goodwill. Treating the community badly will ensure the next guy won't even try to cooperate.
Over the last several years, Microsoft's MSRC has balanced this very well. Google has done well recently, too. Lots of clued-in people in both places.
I actually think you have it all wrong. For while malicious applications can do all sorts of nefarious things they are still individual actors. I think at this point while we all detest the extremes of marketing the more pressing concern has to do with state sanctioned surveillance which would be much more feasible with such a centralized service as provided by Apple.
I truly find your comment disingenuous and suspect as you only mention apparent malware and virii while the tone I inferred from the article seemed a little more nuanced.
So first of all - just because the end-user wants Apple to check for actively malicious programs doesn't mean they assent to all forms of control. Secondly, even on the matter of software deemed malicious by Apple, I think it's questionable how reasonable it is for Apple to entirely remove the end-user from the decision making process.
Even on really weakly policed platforms like Windows, people still tend to leave virus scanners enabled; and on Android similarly most people don't choose to expose themselves to unnecessary risk by sidestepping its store - at least as far as I know. Users regularly do really stupid things, so some level of external control is perhaps not unreasonable, but how much, and for what? And should Apple even get to be involved in that decision?
heh, given that Apple was previously directing staffers not to acknowledge it, when I read this headline all I could think of was Jobs telling a press conference "OSX now has malware. This is a new, must-have feature that will revolutionise the industry!"...
Risk to the average Apple customer is? Do you think that most people need to worry about this? Point Apple is making is it's not needed for the vast majority of their users and if you feel better use a piece of paper.
So let's stipulate it can happen (because well it can happen). That would take both someone being targeted en masse (prior to Apple having a fix in place) and it making a difference to the person or people it happened to. Is that really a big enough risk to spend time worrying about?
I think it has less to do with a concern over malware than it does with an opportunity to further control development for the platform.
I suspect Apple will retain the right to pull applications from users' computers for any TOS violation, not just those involving malware. Even when those TOS violations are due to a change in the TOS.
I think that it's reasonable if Apple doesn't want to provide support for fixing malware problems on systems that they've sold regardless of how any other company chooses to handle such issues. Also, this issue is obviously independent of OS as the exploited security hole is the users' lack of understanding. That said, the reason that I thought this article was hackernews worthy is because Apple is encouraging employees to knowingly withhold information about malicious software running on users' computers. I personally find that to be an inappropriate approach in almost any situation. What are your thoughts on this aspect of the article?
It really feels like the only thing that made Apple less prone to hacking and malware (and therefore more secure) than other OSes is the lack of scrutiny by hackers and malware authors. This is a front door open kind of problem.
This is a good rebuttal, but it remains to be seen whether Apple can actually prevent "nearly every piece of malware" from getting through. To be quite honest, I'm not even the slightest bit familiar with their review and approval process, but I have difficulty believing it can continue to scale without introducing security holes.
I think you should find a security bug in any Apple product and report it before you make representations as to how they handle stuff like this. It's not that hard.