Tribble on Apple's security troubles
When it comes to patches, Mac OS veteran Bud Tribble says the company doesn't believe in schedules or severity rankings.
On Monday, the Cupertino, Calif.-based company released the second set of Mac OS X security fixes in two weeks. Typically, Apple publishes its concise security alert on its Web site and Mac users will find the update when their computer checks for updates. That happens automatically every week on default Mac OS X installations.
But this time, Apple made Bud Tribble, one of the key architects of Mac OS, available to CNET News.com to talk about the security of Mac OS and the company's security update process.
Tribble, vice president of software technology, started at Apple in the early days of the company, as manager of the original software team and helped to design Mac OS. He rejoined Apple in 2002 after leaving the company to work on various ventures, including the NeXT Computer, which he helped found with current Apple CEO Steve Jobs.
Apple fans have long loved to point out the safety of using Mac OS X, which has mostly been left alone by hackers. But Mac OS X safety has been scrutinized in the past weeks, prompted by the discovery of two worms and the disclosure of a serious vulnerability. Security experts also have questioned the effectiveness of Apple's March 1 patch.
While recent events have some asking if Mac OS' charmed security life is over, Apple certainly doesn't think it is. The company's security updates are largely preemptive, Tribble notes. And though the company may start to talk about security in a more public forum, that doesn't mean it is overhauling its practices, for example by putting security patches on a schedule, like Microsoft, Oracle and Adobe Systems do, or plan to do.
Tribble recently spoke with CNET News.com to discuss Apple and its approach to security.
Q: Are you on any kind of schedule with security updates, or do you just issue them as they come along?
Tribble: We issue them as they are needed. We don't have a fixed schedule, say a monthly specific update. We actually are driven by making sure that the issues we find are addressed in a timely manner. We realize that certainly some IT managers desire a fixed schedule, but we think that the majority of our users are served by us getting the fixes out in a timely manner, when it makes sense.
You don't rate any of the vulnerabilities that you fix. Can you actually say which issue is considered the most severe?
Tribble: We don't do that. We don't, for example, say that these two are "critical" and the other ones are not critical. We don't do that, because we recommend that if we put out fixes in a security update, that you install them all. That's why we put them there.
One of the things we want to avoid is--say we started splitting hairs and calling some subset of them critical--I think we would end up with users eventually only installing the critical fixes, when we actually think that they should all be installed.
When you compare your security alerts with Microsoft's, for example, then you have less information in your alerts. Is that intentional?
Tribble: I am not sure we actually have less information. We describe the fixes, and we relate them to which components are being fixed. We have CVE (Common Vulnerabilities and Exposures) ID numbers, and we thank the people who submitted them. I think the actual content is pretty similar.
It is a big change that you're actually talking to the media about security. Is this part of a bigger change around Apple communicating its security updates?
Tribble: We feel like we have a very proactive approach to security and engineering and marketing and responding to these things. Communicating with you is just part of that.
You used to not talk about your updates at all. Now you are, is that part of a bigger change? Or is this the only change we're going to see?
Tribble: It is probably not true that we've never talked about things. I think that talking about these things and communicating is part of our overall approach to security.
Tribble: If users have feedback on other things they'd like to see, we always are listening to that. It has been satisfactory. As I say, communicating--whether it is in bulletins, or talking to you--we're always happy to talk about our security story, because we think we have a pretty good one.
In your current security update, you tweaked the download validation function. Does that update include anything that will protect users if they download files using an application other than Safari, iChat or Mail?
Tribble: The download validation that we do is in Safari and Mail and iChat. We strengthened that validation, and we believe that the vast majority of the issues that come up along these lines have to do with downloads that come in either through Safari, or iChat or Mail.
Some experts have suggested that you should put protections at a lower level in the operating system, so it would be impossible to make a file look innocent, while it is actually malicious. Have you taken that on and done any work on it?
Tribble: Well, yes. We're definitely always taking in the feedback. We're always listening to good ideas.
Of the issues that Apple addresses in its new update, is anything actually being abused or exploited for attacks on Mac users?
Tribble: That's a good point. None of these issues are things where there are exploits in the wild. In a way, you could say these are preemptive fixes to prevent potential problems from arising.
I think everything in the update is important from that standpoint. Things we're putting out increase the level of security in Mac OS X.
Last year, your security updates came about once a month, or with even longer pauses. Now you've released a security update two weeks after another. Does this indicate that you have to deal with a higher number of security issues in the OS, or is that just a coincidence?
Tribble: We tend to respond as rapidly to issues as they are found by the community. We're really driven more than anything by trying to get a timely response out there.
So the answer is no. Your issuing another patch within two weeks of your first patch doesn't mean that there are more vulnerabilities in Mac OS X to be fixed?
Tribble: I think it just means that we're working hard. We're not targeting any fixed schedule, we're actually trying to be timely in our response.
Another thing that experts sometimes suggest is that Mac OS security is suffering because it now runs on an Intel platform. Is that just a fairy tale?
Tribble: I don't believe that is true. Security issues target specific OSes, and the instruction set does not really have a huge effect on that. Furthermore, all of the mechanisms that we had and are developing are working equally well on PowerPC and Intel. If anyone is concerned that somehow moving to a new architecture, that somehow all of the security work that we have done in Mac OS gets left behind, that's not the case.
Some security researchers say Apple is a pain to deal with. The say you don't respond quickly and they feel like information on security vulnerabilities is going down a black hole. I am sure you don't agree with that assessment.
Tribble: There is a quite active security community out there in terms of CERT, FIRST and the BSD security community. We are in close touch with those guys. When there is external issues reported and we fix them, we thank the submitter. I would not agree with that characterization.
Do you have a process in place for responding to security researchers?
Tribble: Yes we do. There is a security Web page and there is a mail alias, which is product-security@apple.com.
In terms of your dealings with individual security researchers, do you feel like you have a good rapport with them? And is that important to you?
Tribble: I think we do. There is a very broad set of people out there who are doing something or other with security. I think we attempt to deal with them all with a pretty even-handed policy that optimizes us getting the information that we need to fix the issues.
Do you compare yourself with any other software vendor when it comes to security?
Tribble: We just do the best job we can. We are focused on it, all up and down the levels of the company. We know that it impacts the experience that our customers are going to have.
