Microsoft blogger critiques Apple security

Joris Evers Staff Writer, CNET News.com
Joris Evers covers security.

Apple Computer might think it has all its security ducks in a row, but the truth is far from it, at least according to Stephen Toulouse, a program manager in Microsoft's Security Response Center.

In several postings on his personal blog, Toulouse critiques Apple's security coordination and communications. He compares it with Microsoft's efforts, of which he is a major part.

"Apple needs a public face of security to communicate guidance," Toulouse writes. He cites a Business Week article in which an Apple representative says everybody at the company cares about security, so there is no need for a security czar. "That's a little like saying the White House shouldn't have a Department of Homeland Security because, DUH, everyone in the government cares about security!" Toulouse responds.

He was also stung by comments made by Bud Tribble, Apple's vice president of technology, in a recent interview with CNET News.com. Tribble said that Apple's security alerts are similar to Microsoft's in content.

In response, Toulouse took a look at Apple's most recent alert and listed the differences between it and Microsoft's Security Bulletins:

-- "I note no mitigating factors in Apple's security communication for customers to assess their risk."
-- "I note no frequently asked questions in Apple's security communication to cover what an attacker could and could not do or any other information customers might ask about."
-- "I note no workarounds in Apple's security communication for people who cannot immediately deploy the update."
-- "I note no deployment information for enterprises in Apple's security communication."
-- "I note no severity rating for any of the issues again so customers can assess their risk since updating can be disruptive sometimes."
-- "I note no file manifests in Apple's security information for customers to check to make sure updates are applied properly if they wish."
-- "I note no caveats in Apple's security communication in case changes made in the update cause known application compatibility issues or support issues are discovered."
-- "I note no free support number for trouble with updates in Apple's security information in case customers need help applying the update."

The reality for Apple, Toulouse wrote, is that the Mac OS will experience increasing security threats over the next few years, and the company will have to seek outside expertise in the form of a head of security communications in the next 12 months.

"A lot of the attacks Apple is experiencing today are just like the most prevalent threats on Windows: Attacks that require the user to take an action first," Toulouse wrote. "We've learned the lesson of getting out there fast and providing clear prescriptive guidance."

Apple fans have long loved to point out the safety of using Mac OS X, which has mostly been left alone by hackers. But Mac OS X safety has been scrutinized in the past weeks, prompted by the discovery of two worms and the disclosure of a serious vulnerability. Apple has also had trouble with its most recent security patches.