
SANS ISC: Software Update -- Did Apple Do Enough? - Internet Security | DShield SANS ISC InfoSec Forums


Software Update -- Did Apple Do Enough?

I've been reading a lot of articles recently about Apple's Software Updates.  A couple of weeks ago, we talked about this in the ISC podcast, about Safari being automatically checked for installation if you have Apple Software Update installed.  Apple Software Update is Apple Inc.'s piece of software that keeps QuickTime, iTunes, and Safari updated on your Windows machine.  It obviously does a lot more on our Apples.

Now, I am an Apple user, an AVID Apple user.  I own no less than 15-20 of their products, and am an avid Apple defender.  But even I said that Safari being automatically checked and enabled for download and installation on Windows machines was going a step too far.  I don't mind if it was there for download, but automatically checked?  Meh.

Now, I don't have a Windows machine, so I haven't been able to experience this myself, but apparently Apple issued an update to Software Update last week that moved Safari down to a block called "Optional Downloads", instead of being labeled as an update.  Well, it's a great step, but I still am of the opinion that Apple didn't go far enough.  Safari is still checked by default!?

What's the big deal?  It's just an update, or even an optional download.  Well, that's fine except that Safari was checked even on machines that didn't have Safari installed on them.  Apple wasn't forcing the download on people, but it sure wasn't making it obvious that it was an optional download.

So my question is, did Apple go far enough?  I don't think they did, I would like to see it unchecked by default as an optional download.  I don't mind if Apple offers the Windows users a better browsing experience.  ;)  But I do mind if they make the browser seem like it's a part of an already existing installation.

The problem wouldn't be so bad, but I know at some point in the near future someone, whether it's Apple or some other agency, will report that Safari has "x" amount of market share, to which I, as an Apple guy, will say "Yeah! We have "X"!".  But will it really be a real metric?

Joel Esler

http://www.joelesler.net

Joel

454 Posts
ISC Handler
I agree with you, Joel. My wife, not knowing any better, just accepted Apple's updates. When I arrived home after work I found that my computer had a new install of Safari. Placed in the bad position of trying to explain to my wife all of the ramifications of accepting Apple's default updating choices or just uninstalling Apple's automatic updater (and of course Safari) I did the latter. Is my computer now more secure? I doubt it, as I now have to manually check for Apple's updates. Will other people do the same thing? I wonder.
Jerry

12 Posts
Have to disagree somewhat with Swa on this one. Microsoft does overstep its bounds, but it arguably has more of a prerogative to add things to Windows - ditto Apple to MacOS - than Apple has a prerogative to add to Windows.
KenF

1 Posts
My mother taught me that it is wrong to do something bad and then try to excuse it by saying that others do the same bad thing. To this day I believe she is right!

Maybe my disappointment comes from having high expectations from Apple.
Jerry

12 Posts
At least they are installing their own software and/or updates. Every time I get a notice of a new Java update, I have to go in and manually uncheck the 'option' to install Google Toolbar. Technically, this amounts to malware - installing unwanted and unrequested software, without notifying the user, under the guise of an update.
Lee

21 Posts
The process of installing updates involves a great deal of trust: Firstly, to have a mechanism for the "trusted" supplier to push an update (manually accepted or not), and then to install anything at the behest of the computer without clear demonstration that the software comes from the purported supplier (This is akin to "purchasing" with your credit card from someone who calls you on the phone, whom you must trust, "is this really channel 9 seeking donations?"). ...and did you read the License Agreement with that new iTunes update? I doubt it, it's just the usual, right?

From the security viewpoint there is a bucketful of risks before we get to our concern about whether Apple should have checked the box for us or not! It's amazing to me that there have not been more attacks exploiting the unusual level of trust we seem to have for our software updaters/suppliers.
MichaelH

4 Posts
