Tuesday, May 2, 2006
11:50 - Malwhere?
John Gruber is all over the latest breathless AP piece on the cataclysmic collapse of the house-of-cards that is Mac OS X's virus/Trojan/malware security.
I love this bit:
The bugs reported by Ferris are legitimate bugs, but to my eyes (and Rosyna’s — who thinks Ferris is counting the same TIFF rendering bug twice), they’re all just ways to make an application crash, one of which has already been fixed in 10.4.6. But Ferris reports that this one, regarding Safari, “causes the application to crash, and or [sic] may allow for an attacker to execute arbitrary code”. Emphasis on the may in “may allow”, apparently, because the only thing his examples do is cause Safari to crash.
Anything that causes Safari to crash certainly sucks. And presumably Apple is working not just to fix these particular bugs, but to fix the architecture of Safari to make it less vulnerable in general to these sort of bugs in the system’s image-parsing routines. But the genius here — and I’m not sure whether the credit goes to Ferris or Goodin, so let’s just credit them both — is in the leap from bugs which, as Ferris originally described, “may allow for an attacker to execute arbitrary code”, to bugs which, in Goodin’s article, “potentially [allow] a criminal to execute code remotely and gain access to passwords and other sensitive information”.
Because, see, in Ferris’s original report, he meant “may” in the sense that they may, or they may not, but that he didn’t actually know whether it was possible and has no evidence that they could. But in Goodin’s AP story, that changes to “potentially”, which means “capable of being but not yet in existence; latent”, which is good journalism because “potentially allowing a criminal to execute code remotely” is much scarier-sounding than “definitely allowing a jerk to crash your web browser”.
I remember an early Dilbert strip that went like this:
Mail room guy: "It could be between one and a million."
Staffer: "It could be a million."
Executive: "Experts say a million."
Using that same awesome technique, I must point out a critical bug in iTunes 6.0.2: you can only set a star rating of 2 or less, because any rating you select is immediately doubled by the software. This can cause annoyance or can result in the loss or theft of critical information such as passwords and bank account numbers.
Well, it's true!
Anyway, Gruber also points out Apple's new ad campaign (and accompanying web campaign) that started circulating yesterday—timely, considering their "Viruses? What viruses?" message. I don't know if we can credit Apple for being clairvoyant here, but it certainly seems to be timed as though to counter these dumb AP articles and other recent ill-aimed volleys on subjects like Boot Camp from tech press denizens who would desperately love to not have to learn a new operating system.
Still, though, those ads are quite silly, and every bit as spoofable as the "Switch" campaign. Expect to see merciless parodies every-which-where starting nnnnnnnnnnnnnnnow!
First person to do one with "PC" playing video games and "Mac" standing around sulking gets a prize!