Toulouse: Apple soft on security


Microsoft's security response communications manager recently criticized the way Apple handles its security update communications, saying the company is ill-prepared to handle what's bound to be an increasing number of security problems in coming years.

Stephen Toulouse, who has long been the public face of Microsoft's Security Response Center, laid into Apple this week about what he perceives as weaknesses in the Cupertino-based firm's security operations. In his personal blog, Toulouse said the company does not address security seriously enough and it should hire a security expert to fill a position similar to his own at Microsoft in order to better educate Apple users.

"Here's the reality: For the next couple of years, the Mac OS will experience increasing security threats, and, mark my words, the company will have to seek outside expertise in the form of a head of security communications in the next 12 months," he wrote. "Apple needs a person steeped in security issues, true technical analysis and who can lead a good security team to get good guidance out there."

Toulouse took issue with statements made last week by Apple Vice President of Software Technology Bud Tribble in a recent interview. Tribble had disagreed with his interviewer about Apple's seeming lack of information in its security updates in comparison to Microsoft's bulletins. He stated that "the actual content is pretty similar" to those of Microsoft.

Toulouse disagreed.

"I note no mitigating factors in Apple's security communication for customers to assess their risk," he said. "I note no frequently asked questions in Apple's security communication to cover what an attacker could and could not do or any other information customers might ask about. I note no workarounds in Apple's security communication for people who cannot immediately deploy the update."

Toulouse went on, describing at least five other major features that Microsoft includes in its bulletins that Apple does not. He also stated that Apple fails to take advantage of the latest communications tools to keep customers updated.

"Apple recently had to redo their most recent security update," he said. "In the original advisory, they note that a new version is available, so that's good. But there's no RSS feed around it."

As Toulouse's comments have spread across the internet, some Apple fans have attacked him on message boards for being hypocritical. They pointed to this week's double helping of IE vulnerabilities as proof that Microsoft isn't in a position to dole out security advice to Apple.
