“Balanced” Reports of Flaws

News agencies, and in particular CNET News.com, are falling over themselves trying to find news about flaws, worms, and viruses that attack anything other than Windows systems. They’re having a hard time making these stories meaningful: in most cases with Apple software (including QuickTime), the flaws are not lethal, and no viruses or worms are actually attacking anything. In most cases with Linux software, fixes have already been available for months.

Recently exposed flaws in Apple’s QuickTime software for Windows and Mac OS X have some folks thinking that the Mac is as vulnerable as a Windows PC. Not true.

According to “Another QuickTime flaw found” by Dawn Kawamoto in CNET News.com:

Less than three weeks after Apple Computer issued an update to patch four security flaws in its QuickTime media player, a new “critical” problem has been discovered… “We don’t feel this flaw could result in an Internet worm, as it does require end-user interaction (such as clicking on a link to a malicious Web site or chat session). The affected component is, however, enabled by default,” [Mike Puterbaugh, eEye’s senior product marketing director] said.

Apple issued an update, QuickTime 7.0.3, to fix four previous flaws. The patch was posted to Apple’s Web site on Oct. 12.

But Mac OS X is not as vulnerable as Windows. Installer programs for Mac OS X require authentication to run, while installers for Windows XP don’t. Authentication stops the installation process to ask for your password, so if something starts to install itself on your Mac, you’ll know because it will ask for your password. And even as the sole user (a.k.a. administrator) of a Mac OS X system, you don’t get access to system-critical files (what system administrators call root access). Administrators in Windows XP do, which gives applications, viruses included, access to those files too.

While there are at least 50 known viruses written for the older Mac “classic” operating system (version 9 and earlier), there are no known OS X viruses. You can bet that if one surfaces, it will make headlines around the world.

As reporters file story after story about Windows vulnerabilities and wait for the equivalent of the Scoop of a Lifetime in the form of a Mac virus, they also tend to exaggerate any potential Linux vulnerability. “New worm targets Linux systems” by Joris Evers of CNET News.com is an example:

A new worm that propagates by exploiting security vulnerabilities in Web server software is attacking Linux systems, antivirus companies warned on Monday…

But if you read a bit further into the article, you come across this:

The XML-RPC flaw affects blogging, wiki and content management software and was discovered earlier this year. Patches are available for most systems. AWStats is a log analyzer tool; a fix for the flaw has been available since February.

So what’s the big deal? These flaws were patched earlier this year. Linux zealots attacked the post with comments such as this one from Jeremy Akers:

I find it totally amazing that we have dozens of HIGH RISK Windows exploits every month that can affect a Windows box without any user intervention. And you’re getting all huffy over one low risk PHP exploit that has been patched for months and only affects systems running PHP with elevated privileges?

And Neel Bhatt posted this one:

This worm exploits three applications, not the Linux operating system. The same applications would have been equally exploitable if they would be running on any other operating system (Including different versions of Windows & even OS/2).

Now compare these flaws and vulnerabilities with the latest news from the Microsoft camp, as reported in “Image-handling flaws put Windows PCs at risk” by Joris Evers of CNET News.com:

Three security flaws in the way Windows handles certain graphics files could create an opening for spyware and Trojan horse attacks, Microsoft has warned. The vulnerabilities relate to how the operating system renders the Windows Metafile (WMF) and Enhanced Metafile (EMF) image formats… Two of them could allow a remote intruder to gain complete control over a Windows PC… This type of vulnerability could be a conduit for the installation of spyware, Trojan horses, bots or other harmful programs on an unsuspecting user’s machine… Of the three vulnerabilities, the most serious affects all current Windows operating systems.

Whoa, wait a minute. Image files? Affecting all current versions of Windows? Windows Metafile (WMF) and Enhanced Metafile (EMF) are Windows-specific formats. These vulnerabilities could easily affect hundreds of thousands, if not millions, of PC users who click to view images. That sounds far more critical than any of the reported Apple and Linux flaws.

Even worse is Microsoft’s attitude about older versions of its Windows system. Take at face value what Microsoft’s CEO Steve Ballmer says in “Newsmaker: Ballmer says Microsoft is different” by Mike Ricciuti:

Part of our pitch to enterprises is that we will help them save money [said Ballmer]. In terms of the trustworthiness of the platform, we have plenty of references and we have plenty of scale that should put to bed a lot of the legacy issues related to this stuff being enterprise-ready. We’ve had those issues for years. At some point, clearly those are legacy issues.

In other words, if Microsoft waits long enough, its security problems will be “legacy” problems to be solved by some other vendor.



“Balanced” Reports of Flaws — 1 Comment

  1. Pingback: Get Off Microsoft » Blog Archive » A Tale of Two Viral Exploits

Leave a Reply

Your email address will not be published. Required fields are marked *