February 27, 2006
It's no coincidence that not long after security vendors began beating the drum about possible exploits of the Mac OS X operating system, unpatched flaws were uncovered, an analyst suggested Monday.
Rob Enderle, principal at the Enderle Group, reacted to the recent news of a pair of worms aimed at Mac OS X and a zero-day vulnerability of Apple Computer's operating system with accusations that the security industry hypes the danger in order to sell more security software.
"The job of security companies is to make the Apple platform look insecure," said Enderle. "They're now convinced that Apple is their next big revenue opportunity."
According to Enderle, that's what's behind recent security alerts and warnings, first for a pair of worms -- which Apple argued weren't worms at all -- then for an unpatched vulnerability that could let attackers hijack Macs.
"I'm not implying that there is collusion between security companies and hackers," said Enderle, "but security companies only make money if there are security exposures."
But he did claim that there was a connection between vulnerability disclosures and exploits, that the cause of the second was actually the first.
"By telling people about an exposure, you're telling someone else how to [exploit] it. I think security companies should spend more time catching criminals than telling them how to become one."
Enderle's perspective on exploit cause-and-effect isn't new, said John Pescatore, one of Gartner's security analysts. But he says it's a flawed argument.
"It's an old issue that keeps coming back," he said. "He's saying that if we never point out the vulnerability, the bad guys wouldn't attack.
"That's totally untrue."
Pescatore noted the history of publicizing security vulnerabilities, and how disclosing them has actually made users safer. "Before 2000, no one talked about vulnerabilities, and because of that, no one really patched. But then in 2001, Code Red and Nimda creamed massive amounts of Web servers and PCs because the bad guys found the vulnerabilities."
That's why vendors -- Microsoft in particular -- have moved to regular patching schedules and implemented automatic updating tools. In Pescatore's view, Microsoft didn't do it willingly, but was forced into the change by up-in-arms users. "Because no one talked about vulnerabilities, vendors took their time coming up with a patch. And when they did, no one implemented the patches.
"Microsoft would have been perfectly content not to have to issue a patch for the WMF [Windows Metafile] bug," Pescatore said, "if news about it hadn't been made public." But then the exploit, which was found by hackers, not legitimate researchers, could have attacked users that much longer.
"The pressure has to be on the vendors to make their software better," Pescatore said. "If we all shut up about vulnerabilities, yes, a lot these attacks wouldn't happen. But when one did, it would be ten times worse because we wouldn't be prepared."
And he discounted the idea that security firms had ulterior motives when they posted alerts on Mac OS X bugs and worms.
"Sure, security companies would love to sell anti-virus to every Mac user. But with Macs accounting for just 5 percent of corporate desktops, and half of those already covered by AV, it's not that big of a market for security vendors to stir things up."
About the Author(s)
You May Also Like