Tuesday, September 29, 2009

Lousy Apple Security

Criminey, these guys have a lackadaisical attitude to security:

If you use any Apple program on Windows you may have noticed recently a rather odd Apple Software Update dialog box telling you under the Updates heading that you need the iPhone Configuration Utility 2.1. I did, and my reaction was: "I do?" ...

A little investigation revealed that the iPhone Configuration Utility is actually a tool for business system administrators to set up and administer corporate iPhones. Even if I were using an iPhone, I'd need that program like I'd need season tickets to the Detroit Lions. So, I haven't installed it - and I really wish Apple would stop bugging about it.

I didn't think anything more about it. I don't install programs I don't need or plan on testing. Others though did and they discovered that this completely unneeded Apple shovelware for 99.9999% of all users installs not just a configuration program, but the Apache Web server as well. For the tiny number of people who do need it, this lets corporate iPhone users 'phone' in to the business Web server for updates.

For the millions of everyone else, having a Web server on your PC is a horrible security risk. It's hard enough keeping Windows secure, but adding a totally unregulated Web server to the mix is like throwing matches at a pool of gasoline.

What was Apple thinking!? Actually, I rather doubt they were thinking.

So they installed web server software (!) on millions of computers. But don't worry, nobody would think of attacking a web server.

This says something really, really bad about Apple's attitude about security. Quite frankly, it doesn't seem that their customers' security registers on their concern-o-meter. Not that this is new. This is not a failure of their technology, or even necessarily of their code. Rather, it's a repeated breakdown of their process. They simply do not have a process in place that makes people think that they need to protect their customers.

Fail.

UPDATE 30 September 2009 17:31: Hmmm:

Wonder if someone is listening.

3 comments:

Ian Argent said...

Oi flipping vey.

And I was wondering why I didn't install QuickTime just last week... (Sadly - I went and did the deed. Time to rip some stuff out).

For the first time in - ever - I think I'm glad my provider blocks port 80.

Ripping out the apple bumph now.

And, oddly enough, discovering I have software from Dassault on my system - when did I get a Eurofighter sim? It's actually a 3d modeler.

Tam said...

I can't believe that even the guys at Cupertino use Safari. I'd almost... almost rather use Exploder.

blogger said...

Actually, if you turn ActiveX off (I mean OFF off, not just MOSTLY off), then I quite like IE 8. From a security perspective, the only downside it has is you have to wait until Patch Tuesday for any fixes, where Firefox auto-updates overnight. Other than that, Microsoft has done a nice job on the security front.

But Apple has an equally crummy update history. Worse, really, because their update mechanism is "We'll fix it when we're good and ready". Which was kind of the point of this post.