Last night, Apple released iTunes 7.7.1, which, according to the release notes, "does stuff gooder". Oh, those Apple release notes, chock full o' useful.
So I can now use iTunes and get...I don't know, something out of it besides music and stuff for my iPhone.
Of course, every Mac OS X box running Apple's unpatched BIND is still a danger to anyone who uses it, but the important thing is, iTunes got an update. Apple still hasn't applied a very small patch that, according to everyone else, at worst might slow down very busy DNS servers but would still protect them from current active exploits. (By "everyone else" I do mean, literally, every other OS vendor affected by this bug. Apple is the only one not to have patched yet.) But the important thing is:
iTunes got an update
Oh, and when I say that any Mac OS X box running Apple's unpatched BIND is dangerous, I mean just that. If you use an unpatched DNS server, aka "Apple" (after all, they're the only vendor not to have released a patch), that DNS server could have been poisoned so that even though, by all available data, you clicked on a link that said "irs.ustreas.gov", where you actually end up is somewhere vastly different. Oh, you didn't actually click all those advertisements? Congratulations, you didn't need to. The helpful DNS exploit routed you to a server that did that for you. But the important thing is:
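The "very small patch" every other vendor shipped for this bug in July 2008 randomized the source port of a resolver's outgoing queries, so that a forged reply has to match more than the 16-bit transaction ID. The following is an added example, not code from this post: a defender-side check that takes (transaction ID, source port) pairs as you would pull them from a packet capture of your own resolver's outbound traffic and reports whether the resolver still looks unpatched. All sample data is constructed.

```python
"""Classify a resolver's outgoing-query behaviour from captured
(transaction_id, source_port) pairs. Constructed sample data only."""
import math
from collections import Counter


def shannon_bits(values):
    """Shannon entropy of the observed values, in bits."""
    n = len(values)
    return -sum((c / n) * math.log2(c / n) for c in Counter(values).values())


def assess_resolver(samples, min_samples=20):
    """Return 'insufficient', 'fixed-port', 'low-entropy' or 'randomized'.

    A fixed source port (classic pre-patch BIND behaviour) leaves only the
    16-bit transaction ID for an off-path forger to guess; the 2008 patch
    adds the source port to what must be matched. We only look at the
    ports here, since the ID was already randomized before the patch.
    """
    if len(samples) < min_samples:
        return "insufficient"
    ports = [port for _, port in samples]
    if len(set(ports)) == 1:
        return "fixed-port"
    # With n samples the entropy ceiling is log2(n); a resolver drawing a
    # fresh port per query should sit close to it. A small rotating pool
    # of ports is flagged, since it barely widens the guess space.
    if shannon_bits(ports) < 0.75 * math.log2(len(ports)):
        return "low-entropy"
    return "randomized"


# Constructed captures (hypothetical values, not from any real server):
# transaction IDs vary in every case; only the source-port policy differs.
_IDS = [(0x1000 + i * 977) % 65536 for i in range(40)]
UNPATCHED = [(qid, 53) for qid in _IDS]                      # always port 53
CYCLING = [(qid, 1024 + i % 4) for i, qid in enumerate(_IDS)]  # 4-port pool
PATCHED = [(qid, 1024 + (i * 7919) % 60000) for i, qid in enumerate(_IDS)]

if __name__ == "__main__":
    for name, capture in (("unpatched", UNPATCHED), ("cycling", CYCLING),
                          ("patched", PATCHED)):
        print(f"{name:9s} -> {assess_resolver(capture)}")
```

Point a real capture at it by filtering your resolver's outbound UDP/53 queries and feeding the (ID, source port) pairs in; twenty or more samples are needed before the verdict means anything.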
iTunes got an update
Apple's non-handling of this DNS exploit is, on every possible level, not just spectacularly bad, but completely unacceptable. Were Apple getting the kind of silent treatment and runaround from one of their vendors that they are giving to their customers, you can bet they'd be all up that vendor's ass, and not in the fun way. Some have raised the point, "Well, did you report this to Apple? If not, how can they be expected to know?" My reply:
"When people like Paul Vixie, aka, "Mr. BIND", CERT, and others at that level specifically notify you two months before they publicly announce the exploit, it is perfectly reasonable to assume that a security report from such an authoritative source is taken seriously in the two months of breathing room provided by the reporters of the problem. When, on July 8th, over three weeks ago, this vulnerability becomes public knowledge, and everyone involved in the networking field is talking about it, it is not unreasonable to assume that the proper people at Apple say "Oh SHIT", and get moving on it. When there are active exploits being used against this vulnerability, and reported in places like the NANOG list, it is not unreasonable to expect that making sure their servers aren't a danger to their customers and the public Internet would take a slightly higher priority than making sure my fucking iPhone backups go faster or whatever the fuck was fixed in iTunes 7.7.1."
In other words, if Apple is incapable of fixing a critical security issue unless it is reported in RADAR, then they are either stupid, or so controlled by a rigid, ineffective, overly complicated process that they should not be trusted with critical services.
Stupid or incompetent, it's really up to them. Either is equally applicable.
Let me put this in perspective: When a smallish number of MobileMe customers were unable to get email and sync their data, Apple not only apologized, within days of the fuckup, but gave them an extension on their service. Personal email and related services with no guarantee of uptime, affecting only MobileMe subscribers rather than 100% of Apple's customers, get a rapid response and palliative action.
Yet a critical security hole that makes Apple's OS products dangerous to 100% of Mac OS X users, and to the public Internet at large, is not fixed months after the private notification and weeks after the public notification, and Apple's only response is "We take security seriously"?
Bullshit. Complete Bullshit.
What everyone with any kind of Apple rep should be demanding is not only a patch, immediately, but a public apology and an explanation of the corrective measures Apple is going to take to keep this kind of monumental cockup from happening again. If Apple can't do that, then every Apple customer needs to seriously question the wisdom of using Apple OSes in situations where they aren't actively protected by more competent platforms.
Like Windows.
But hey, let's keep in mind what's important:
iTunes got an update
Technorati Tags:
Apple, Stop Being Dumb, Security, Stop being stupid, TEH STOOPUD