Monday, November 21, 2005

Competition Paying For Apple Security Flaws



As reported by MacMinute:

iTunes security flaw


November 18 - A story on CNET News.com today reports that security firm eEye Digital Security issued a warning yesterday that a "critical vulnerability" in iTunes could allow attackers to remotely take over a user's computer. "Although an Apple spokesman was not immediately available for comment, the company has a policy of not discussing or confirming security issues until it has conducted an investigation and issued any needed patches, according to Apple's posting on its site," notes the story. "eEye, meanwhile, does not provide extensive details on the flaws it finds until a vendor releases a patch to resolve the security flaw."


It makes me wonder sometimes ... are people legitimately looking for things like this or is Apple's competition finding these flaws, reporting them to companies like eEye, then said security firms overpublicize these security flaws?

It seems like evey week that Apple announces positive news ... something mysteriously pops up in the news around the Mac web about a bogus lawsuit or bogus security flaw ...

2 comments:

Middle-agedman said...

Security flaws in software? This is really a question of magnitude more than anything. It would be very difficult to make software completely bulletproof with the surplus of bored hackers we have on our hands, so the best that can be done is to keep security flaws from being major flaws and correccting the minor flaws as soon as possible.
Apple users will note that Apple is constantly and often updating their software and that many of the updates are specifically named "Security Updates". I have heard of relatively few if any "major" security issues with Apple software and typically all issues are corrected fairly quickly. Apple typically does not release software until it is reasonably well-tested, unlike "other" OS companies that leave their Windows open to instruders.
It is rather ingenuous of eEye to "alert" us to undisclosed security issues that have not description as to what they do or do not affect and whether they are major or minor. How are we to know whether or not to be concerned about these alleged risks if we don't even know what is going on?
This opens such companies to accusations of collusion from competition and amounts to a cheap shot on Apple.

Roland Dobbins said...

Any security flaw found in an OS or application is 'legitimate', irrespsective of the motivations of the finder. After all, you can be sure that the miscreants are constantly looking for holes to exploit!

So, it doesn't really matter whether or not 'the competition' are paying for the holes to be found - they are being found, and that's a Good Thing.