Apple breaks silence on security

Apple Computer has been notoriously tight-lipped about security. But lately there have been some breaks in the company's traditional silence.

On Monday, the company released the second set of Mac OS X security fixes in two weeks. Typically, Apple publishes its concise security alert on its Web site and Mac users will find the update when their computer checks for updates. That happens automatically every week on default Mac OS X installations.

But this time, Apple made Bud Tribble, one of the key architects of Mac OS, available to CNET News.com, ZDNet UK's sister site, to talk about the security of Mac OS and the company's security update process.

Tribble, vice president of software technology, started at Apple in the early days of the company, as manager of the original software team and helped to design Mac OS. He rejoined Apple in 2002 after leaving the company to work on various ventures, including the NeXT Computer, which he helped found with current Apple chief executive Steve Jobs.

Apple fans have long loved to point out the safety of using Mac OS X, which has mostly been left alone by hackers. But Mac OS X safety has been scrutinised in the past weeks, prompted by the discovery of two worms and the disclosure of a serious vulnerability. Security experts also have questioned the effectiveness of Apple's 1 March patch.

While recent events have some asking if Mac OS' charmed security life is over, Apple certainly doesn't think it is. The company's security updates are largely preemptive, Tribble notes. And though the company may start to talk about security in a more public forum, that doesn't mean it is overhauling its practices, for example by putting security patches on a schedule, like Microsoft, Oracle and Adobe Systems do, or plan to do.

Q: Are you on any kind of schedule with security updates, or do you just issue them as they come along?
We issue them as they are needed. We don't have a fixed schedule, say a monthly specific update. We actually are driven by making sure that the issues we find are addressed in a timely manner. We realise that certainly some IT managers desire a fixed schedule, but we think that the majority of our users are served by us getting the fixes out in a timely manner, when it makes sense.

You don't rate any of the vulnerabilities that you fix. Can you actually say which issue is considered the most severe?
We don't do that. We don't, for example, say that these two are "critical" and the other ones are not critical. We don't do that, because we recommend that if we put out fixes in a security update, that you install them all. That's why we put them there.

One of the things we want to avoid is — say we started splitting hairs and calling some subset of them critical — I think we would end up with users eventually only installing the critical fixes, when we actually think that they should all be installed.

When you compare your security alerts with Microsoft's, for example, then you have less information in your alerts. Is that intentional?
I am not sure we actually have less information. We describe the fixes, and we relate them to which components are being fixed. We have CVE (Common Vulnerabilities and Exposures) ID numbers, and we thank the people who submitted them. I think the actual content is pretty similar.

It is a big change that you're actually talking to the media about security. Is this part of a bigger change around Apple communicating its security updates?
We feel like we have a very proactive approach to security and engineering and marketing and responding to these things. Communicating with you is just part of that.

You used to not talk about your updates at all. Now you are, is that part of a bigger change? Or is this the only change we're going to see?
It is probably not true that we've never talked about things. I think that talking about these things and communicating is part of our overall approach to security.