|Home » Learning Curve
Apple have at long last released a security update which supposedly addresses the three holes found a fortnight ago. Strangely, this update doesn't have everyone feeling all fuzzy inside. For a full discussion of this issue, visit the CLIX forum by clicking the image at right.
The chief strength of Unix in this connected age is the fact that it has multiple perimeters; the glaring weakness of Windows is that it has but one.
The big difference between OS X and Unix is that OS X is not really Unix anymore and that there are not only chinks in the armour, there are holes.
Apple proudly call their core 'XNU' which stands for 'X is not Unix' and now it's coming back to haunt.
The 'fixes' Apple have applied to their latest OS update address symptoms but studiously ignore the disease. It is a disease they themselves have created.
The three exploits of a fortnight ago did not cause widespread havoc, but what concerns security professionals is that they exhibited the capability to do so and pointed to holes in Apple's 'armour'.
The 'download validation' Apple are now focusing on relies completely on a single perimeter of defence. Should the bad code get through this perimeter, it's all over. This is the malaise that is Windows and it should not affect a Unix platform ever.
Most OS X users still rely on Finder to show them what they have on disk, and Finder in turn is a 'face' on how the system itself works - and unless Apple are keeping it a big secret and not telling the world about it, no changes have occurred in this code.
Hardening a single perimeter is the kind of useless exercise cottage industries on the Windows platform are obsessed with - with less than satisfactory results. Antivirus software tries to analyse incoming mail and detect malicious code, but the authors of such code are generally at least one step ahead.
It doesn't take a lot of fantasy to see how OS X can be corrupted, download validation or no. Zip up the bad stuff - and then zip it up again, and again, and again. Is Apple Mail going to unarchive every archive and analyse every single bit and byte? Is Safari going to try?
Put a zip of a zip of a zip inside an ordinary application package. When run, have the application unzip the package and place a cute wolf in sheep's clothing somewhere easily accessible in the user's home area. The user sees the innocent icon, double-clicks it - and the next thing you know, tonnes of mail are being sent out with the same payload.
The bad stuff got inside the perimeter - and there was only one perimeter.
This is the game Microsoft have been playing for over six years. Microsoft are a powerful company with almost unlimited resources; they haven't shown any progress in winning their game (and never will).
Now Apple are playing the same game.
Apple can't get help from the Unix community on this one: this is not a Unix issue - it's an Apple issue. And Darwin is totally dead in the water anyway, and at best Apple had half a dozen outside contributors of merit - who were never allowed to push code - and they've tired of the exercise.
Apple have to fix this one on their own. And it's not a bug - it's a design issue.
Had they left well enough alone and stuck to Unix (POSIX), OS X wouldn't be having this issue - and even if they had, it would probably have been discovered (and fixed) before Apple got their hands on it.
At which point Apple would have only had to propagate the fix in their own code - something they're supposedly notorious at anyway, but still the same: the fix would have been there.
But they don't have that help today. The issues frightening OS X users are Apple's own.
The Chocolate Tunnel
Input Managers - The Cure
Peeking Inside the Chocolate Tunnel