Security and quality assurance experts reacted negatively to Apple Computer's efforts Tuesday to blame manufacturing problems
that resulted in iPod MP3 players shipping with a virus that affects Microsoft's Windows operating system.
Security professionals, including Microsoft's own product release virus scanning chief, called Apple's efforts to deflect
blame onto Microsoft misleading and said the batch of factory-infected iPods reveals a troubling lack of thoroughness in the
company's manufacturing process.
On Monday, Apple released a statement on its Web site noting that a "small number of video iPods shipped with a Windows virus,"
which the company identified as RavMonE.exe. The number of affected iPods is small -- less than 1 percent of all Video iPods
available for purchase after Sept. 12, 2006, the company said in its statement, adding "as you might imagine, we are upset
at Windows for not being more hardy against such viruses, and even more upset with ourselves for not catching it."
That statement drew criticism from security experts, including Jonathan Poon, the man in charge of scanning Microsoft products
for viruses before they ship.
"It's not a matter of which platform the virus originated [on]. The fact that it's found on the portable player means that
there's an issue with how the quality checks, specifically the content check, was done," Poon wrote in a blog entry.
James "Randy" Abrams, who held Poon's job for more than a decade at Microsoft and is now director of technical education at
ESET, agreed.
"The Apple iPod incident was not about Microsoft having a hardy operating system, it was all about security and process,"
Abrams told InfoWorld in an e-mail message.
Viruses on Microsoft's network weren't unusual when Abrams was testing that company's products before shipping them, he said.
"I released software in an environment surrounded by Windows machines. Many machines on the corporate network were infected.
We never introduced a virus into the software in the release or manufacturing processes because we had a professional understanding
of what it took to release what we were supposed to," he said.
"That Apple would blame Microsoft demonstrates a lack of understanding of remedial security and manufacturing processes. Virus
was only a symptom of the problem. Apple didn't know what they were shipping," Abrams said.
Greg Joswiak, vice president of iPod product marketing at Apple declined to comment in detail about the iPod infections, but
did acknowledge that around 25 systems were infected by a Windows system that was used during manufacturing to test compatibility
with the devices. The RavMonE virus did not spread to the system through a network connection, but was installed by a peripheral
device, he said.
Joswiak declined to speculate on whether the worm was intentionally introduced, or whether it was spread from an iPod to the
machine.
He did, however, defend the company's manufacturing and quality control procedures.
"It was an exception to our process," he said. "We believe we have a good process and we're going forward."
Joswiak also stood by the company's statement regarding Windows.
"Isn't that true?" he responded when asked about the company's statement about Windows not being robust in the face of viruses.
"We tried to be open and explain what's going on. We're not trying to dismiss our role."
The news about the infected iPods was the second such story in recent days. On Monday, McDonald's admitted that 10,000 MP3 players that were given away in a promotion in Japan also contained a worm, identified as WORM-QQPASS.ADH.
Both Poon and Abrams said that Apple's response to the infected iPods fell short of McDonald's, even though the burger giant
has precious little experience in the consumer electronics space.
"The difference in how McDonald's and Apple handled similar incidents paints a stark difference between management integrity
and customer service focus," Abrams wrote.
"Both cases were flawed manufacturing processes. Mistakes can happen and smart companies accept responsibility, make things
right with the customer, and fix the problems. Lesser companies play the blame game," he wrote.
McDonald's fix: a single link to Trend Micro's "Housecall" online virus scanning service and an open offer to replace infected players for free also won praise over Apple's response:
a bunch of links to free antivirus software trials, including Microsoft's OneCare program, Poon wrote.
"Steve, if you need someone to advise on how to improve your quality checks, feel free to contact me," Poon said, referring
to Apple CEO Steve Jobs.
Software companies have long known about the potential to introduce viruses and other malicious code during the manufacturing
process, and have developed procedures to catch such infections.
Two such episodes in a week might indicate that malicious hackers have figured out that consumer device makers are less vigilant
in their oversight, said Dennis Szerszen, vice president of marketing and corporate strategy at SecureWave, an end point security
software vendor.
Apple may have had more lax oversight around the iPod because it wasn't software and wasn't, in itself, targeted by malicious
code, he said.
"There may have been less rigor because they weren't cutting and shipping an OS," he said.
Given that, Apple is lucky that it was a virus that shipped on the iPods rather than pornography, pirated software, or some
kind of religious or political propaganda that would have been even more damaging to Apple's name, Abrams said.
iPods and other consumer devices are increasingly finding their way onto enterprise networks, and are an increasingly common
vector for attacks, he said.
""The end point is the final frontier in enterprise security, because it's where you and I bring our recreational attitudes
and personal choices for how to work to bear," he said.
Companies should set up stringent policies about whether and how to use consumer electronics devices at work, but also set
up systems to monitor their use and prevent malicious attacks or infections that might be carried by iPods, PDAs, and other
consumer devices, Szerszen said.
E-mail
Printer Friendly
Reprints
(InfoWorld) - In the litigious world we live in, deploying a unified communications platform in your enterprise could...
