Home » Industry Watch » The Technological
Enhancements vs SecurityAn Apple rewrite of computer security history. Be scared. Be really scared.
Apple's dismissal of the 'InputManagers hole' as an issue of enhancement rather than security at first caught security researchers off guard. For the umpteenth time. As the same hole has been filed as a bug for years and dismissed the same way each time. Happily The Technological are now able to show why Apple were in fact correct all along.
Put simply: Apple are professionals. They're not alarmists. And time and again history finds the great corporate entities speaking words of calm when everyone else is running around like the posters at the MacRumors forums.
1.
From: NASA Space Center Product Security
To: Craig Bowen, The Wizard, Conan, Iceman, The Force, Powerspike, Phoenix, Electron, Nom, Prime Suspect, Mendax, Train Trax, Syn, Masked Avenger, The Phreakers Five, Ivan Trotsky, The Real Article, Blue Thunder, The Parmaster
Subject: Re: VMS SYSTEM Account Wide Open with Default Factory Password 'SYSTEM'
Thank you for filing this issue via NASA's bug reporting system. NASA take every report of a potential security problem very seriously.
After examining your report we do not believe that the issue is a security vulnerability. The 'SYSTEM' account can only be accessed by persons with actual physical access to the computers and as such they already have the privileges of the authenticated user. In other words, intrusion is not possible because the user already has a login account.
In addition, system administrators are able at any time to change the password for the 'SYSTEM' account.
And yes, we are aware a frightening number of intercontinental ballistic missiles carrying nuclear warheads are protected only by a password set in the factory to '00000000'. But #1) this is not a NASA matter; #2) again the silo administrators are able to change these passwords at any time; and #3) you need actual physical access to the silo to fire the missile.
When filing a bug report, other Classification values are available to describe the type of issue: 'Performance', 'Crash or Data Loss', 'Serious Bug', 'Other Bug/Has Workaround', 'Feature (New)', and 'Enhancement'. We have changed the classification from 'Security' to 'Enhancement' to assist the engineering teams in handling this request.
If you have any questions or concerns please feel free to let us know.
Thank you.
2.
From: Usenet Product Security
To: David L Smith (Bart Kwyjibo)
Subject: Re: Risk for Proliferation of MS Word Macro Virus on Usenet
Thank you for filing this issue via Usenet's bug reporting system. Usenet take every report of a potential security problem very seriously.
After examining your report we do not believe that the issue is a security vulnerability. Only authorised users of MS Word can in fact activate macro viruses, and in such case they're running the malware already.
And yes, we are aware of a frightening number of catastrophic flaws in Microsoft software, but #1) this is not a Usenet matter; #2) users can stop using Microsoft software at any time; and #3) you need actual physical access to a computer to run Microsoft software.
When filing a bug report, other Classification values are available to describe the type of issue: 'Performance', 'Crash or Data Loss', 'Serious Bug', 'Other Bug/Has Workaround', 'Feature (New)', and 'Enhancement'. We have changed the classification from 'Security' to 'Enhancement' to assist the engineering teams in handling this request.
If you have any questions or concerns please feel free to let us know.
Thank you.
3.
From: Microsoft Product Security
To: Michael Buen, Onel Guzman
Subject: Re: Risk for Worldwide Worm Outbreak Through MS Outlook
Thank you for filing this issue via Microsoft's bug reporting system. Microsoft take every report of a potential security problem very seriously.
After examining your report we do not believe that the issue is a security vulnerability. Only authorised users of MS Windows can in fact run MS Outlook, and if MS Outlook is infected then the users are running the malware already.
And yes, we are aware of a frightening number of catastrophic flaws in our software, but #1) this is not a Microsoft matter; #2) users can stop using our software at any time; and #3) you need actual physical access to a computer to run Microsoft software.
When filing a bug report, other Classification values are available to describe the type of issue: 'Performance', 'Crash or Data Loss', 'Serious Bug', 'Other Bug/Has Workaround', 'Feature (New)', and 'Enhancement'. We have changed the classification from 'Security' to 'Enhancement' to assist the engineering teams in handling this request.
If you have any questions or concerns please feel free to let us know.
Thank you.
4.
From: Cornell University Product Security
To: Robert Tappan Morris
Subject: Re: Risk for Worldwide Worm Outbreak
Thank you for filing this issue via Cornell University's bug reporting system. Cornell University take every report of a potential security problem very seriously.
After examining your report we do not believe that the issue is a security vulnerability. Only authorised users of the Cornell University network can in fact access it, and if their computers are infected then they are running the malware already.
And yes, we are aware of a frightening number of vulnerabilities in our network security, but #1) this is not a Cornell University matter; #2) users can stop using the Cornell University network at any time; and #3) you need to be actually connected to the Cornell University network to use its services.
When filing a bug report, other Classification values are available to describe the type of issue: 'Performance', 'Crash or Data Loss', 'Serious Bug', 'Other Bug/Has Workaround', 'Feature (New)', and 'Enhancement'. We have changed the classification from 'Security' to 'Enhancement' to assist the engineering teams in handling this request.
If you have any questions or concerns please feel free to let us know.
Thank you.
5.
From: AOL Product Security
To: Robert Tappan Morris
Subject: Re: Risk for Hacked AOL Accounts
Thank you for filing this issue via AOL's bug reporting system. AOL take every report of a potential security problem very seriously.
After examining your report we do not believe that the issue is a security vulnerability. Only activated AOL accounts can in fact enjoy the services of AOL, and if hackers, by legitimate or other means, gain access to AOL accounts then they are, with a high degree of probability, logging in to those accounts already.
And yes, we are aware of a frightening number of vulnerabilities in our system security, but #1) this is not an AOL matter; #2) provided they can find the secret number and are willing to argue it out for hours, users can stop using America Online at any time; and #3) you need to be actually connected to America Online to use our services.
When filing a bug report, other Classification values are available to describe the type of issue: 'Performance', 'Crash or Data Loss', 'Serious Bug', 'Other Bug/Has Workaround', 'Feature (New)', and 'Enhancement'. We have changed the classification from 'Security' to 'Enhancement' to assist the engineering teams in handling this request.
If you have any questions or concerns please feel free to let us know.
Thank you.
6.
From: MIT Product Security
To: Robert Tappan Morris
Subject: Re: Risk for Hacked MIT Servers
Thank you for filing this issue via MIT's bug reporting system. MIT take every report of a potential security problem very seriously.
After examining your report we do not believe that the issue is a security vulnerability. Only servers authenticated to connect to the MIT network are in fact connected to the MIT network, and if hackers, by legitimate or other means, gain access to MIT servers then they are, with a high degree of probability, using those servers already.
And yes, we are aware of a frightening number of vulnerabilities in our system security, but #1) this is not an MIT matter; #2) users can stop using the MIT network at any time; and #3) you need to be actually connected to the MIT network to use the network's services.
When filing a bug report, other Classification values are available to describe the type of issue: 'Performance', 'Crash or Data Loss', 'Serious Bug', 'Other Bug/Has Workaround', 'Feature (New)', and 'Enhancement'. We have changed the classification from 'Security' to 'Enhancement' to assist the engineering teams in handling this request.
If you have any questions or concerns please feel free to let us know.
Thank you.
7.
From: Mountain Bell Product Security
To: Kevin Mitnick
Subject: Re: Security Craters in Las Vegas Telephone Network
Thank you for filing this issue via Mountain Bell's bug reporting system. Mountain Bell take every report of a potential security problem very seriously.
After examining your report we do not believe that the issue is a security vulnerability. Telephone networks can only be hijacked by people capable of putting their fingers in small holes and drawing circles. In other words, use of the Las Vegas telephone network assumes the network is in use already.
When filing a bug report, other Classification values are available to describe the type of issue: 'Performance', 'Crash or Data Loss', 'Serious Bug', 'Other Bug/Has Workaround', 'Feature (New)', and 'Enhancement'. We have changed the classification from 'Security' to 'Enhancement' to assist the engineering teams in handling this request.
If you have any questions or concerns please feel free to let us know.
Thank you.
8.
From: Apple Product Security
To: DimBulb, JawnDoh, Mark Meadows
Subject: Re: Arbitrary execution of code in 'StartupItems'
Thank you for filing this issue via Apple's bug reporting system. Apple take every report of a potential security problem very seriously.
After examining your report we do not believe that the issue is a security vulnerability. Startup items can only be installed by people who know how to type, have some familiarity with a computer screen, and can win the occasional round of Scrabble. In other words, arbitrary code execution is not possible unless arbitrary code is being executed already.
When filing a bug report, other Classification values are available to describe the type of issue: 'Performance', 'Crash or Data Loss', 'Serious Bug', 'Other Bug/Has Workaround', 'Feature (New)', and 'Enhancement'. We have changed the classification from 'Security' to 'Enhancement' to assist the engineering teams in handling this request.
If you have any questions or concerns please feel free to let us know.
Thank you.
|