Might we see Apple put its alerts on a schedule or adding information to its security alerts? Are there any plans for changes there?
Tribble: If users have feedback on other things they'd like to see, we always are listening to that. It has been satisfactory. As I say, communicating — whether it is in bulletins, or talking to you — we're always happy to talk about our security story, because we think we have a pretty good one.
In your current security update, you tweaked the download validation function. Does that update include anything that will protect users if they download files using an application other than Safari, iChat or Mail?
Tribble: The download validation that we do is in Safari and Mail and iChat. We strengthened that validation, and we believe that the vast majority of the issues that come up along these lines have to do with downloads that come in either through Safari, or iChat or Mail.
Some experts have suggested that you should put protections at a lower level in the operating system, so it would be impossible to make a file look innocent, while it is actually malicious. Have you taken that on and done any work on it?
Tribble: Well, yes. We're definitely always taking in the feedback. We're always listening to good ideas.
Of the issues that Apple addresses in its new update, is anything actually being abused or exploited for attacks on Mac users?
Tribble: That's a good point. None of these issues are things where there are exploits in the wild. In a way, you could say these are preemptive fixes to prevent potential problems from arising.
I think everything in the update is important from that standpoint. Things we're putting out increase the level of security in Mac OS X.
Last year, your security updates came about once a month, or with even longer pauses. Now you've released a security update two weeks after another. Does this indicate that you have to deal with a higher number of security issues in the OS, or is that just a coincidence?
Tribble: We tend to respond as rapidly to issues as they are found by the community. We're really driven more than anything by trying to get a timely response out there.
So the answer is no. Your issuing another patch within two weeks of your first patch doesn't mean that there are more vulnerabilities in Mac OS X to be fixed?
I think it just means that we're working hard. We're not targeting any fixed schedule, we're actually trying to be timely in our response.
Another thing that experts sometimes suggest is that Mac OS security is suffering because it now runs on an Intel platform. Is that just a fairy tale?
I don't believe that is true. Security issues target specific OSes, and the instruction set does not really have a huge effect on that. Furthermore, all of the mechanisms that we had and are developing are working equally well on PowerPC and Intel. If anyone is concerned that somehow moving to a new architecture, that somehow all of the security work that we have done in Mac OS gets left behind, that's not the case.
Some security researchers say Apple is a pain to deal with. The say you don't respond quickly and they feel like information on security vulnerabilities is going down a black hole. I am sure you don't agree with that assessment.
There is a quite active security community out there in terms of CERT, FIRST and the BSD security community. We are in close touch with those guys. When there is external issues reported and we fix them, we thank the submitter. I would not agree with that characterisation.
Do you have a process in place for responding to security researchers?
Yes we do. There is a security Web page and there is a mail alias, which is product-security@apple.com.
In terms of your dealings with individual security researchers, do you feel like you have a good rapport with them? And is that important to you?
I think we do. There is a very broad set of people out there who are doing something or other with security. I think we attempt to deal with them all with a pretty even-handed policy that optimises us getting the information that we need to fix the issues.
Do you compare yourself with any other software vendor when it comes to security?
We just do the best job we can. We are focused on it, all up and down the levels of the company. We know that it impacts the experience that our customers are going to have.
Talkback
I am so thrilled to find out someone is called Bud Tribble. That's a wonderful name you have there, Bud!
Now I must read the article...