Feeling Vulnerable? How Apple Is Feverishly Working To Secure iOS And The Mac4:00 PM EST Tue. Sep. 25, 2012
For years, Apple has touted security as a selling point for Macs. But to ensure that these claims remain valid, Apple has started rolling security technologies from the iOS side of the house into OS X. The goal, according to security experts, is to ensure Mac-specific threats remain firmly entrenched in the theoretical realm.
While Mac malware isn't yet a widespread problem, Apple is thinking ahead to ensure that it doesn't become one. In OS X 10.8 Mountain Lion, Apple added Gatekeeper, a security mechanism that allows OS X developers to digitally sign their apps, as well as application sandboxing, which keeps apps from accessing important system components and data. Both of these features debuted in iOS.
Apple did not respond to a request for comment on its security strategy. But experts have plenty to say about the moves Apple is making.
Kaspersky Lab CEO Eugene Kaspersky sees Apple's introduction of Gatekeeper in OS X Mountain Lion as a step in the right direction. "Gatekeeper essentially brings the iOS App Store model of verifying the legitimacy and security of apps to OS X, and I believe it will be a big turning point for keeping malware off OS X," he said.
Marc Maiffret, CTO at BeyondTrust, a Carlsbad, Calif.-based security vendor, says Apple's approach to securing applications in iOS is a solid strategy. "One thing Apple has done very right on the mobile side is how they control applications, and the way they have set up the App Store to limit malware. They are bringing that into the desktop with the App Store for OS X," Maiffret told CRN.
In Apple's first version of iOS, every process, and the Web browser, ran at root with no randomization, no data execution prevention, no sandboxing, and no code signing. Apple iOS 5, released last October, had all of these features included. Charlie Miller, former principal research consultant for Accuvant Labs, Denver, sees this as a sign of the progress Apple has made.
"The whole system has been slowly, over the last five years, getting better, in terms of the architecture and general security. You see more security being included," said Miller, who earlier this month joined Twitter in an as-yet unspecified capacity.
Dr. Robert Watson, a senior research associate at the University of Cambridge Computer Laboratory and member of the FreeBSD core team, says Apple's porting of security from iOS to OS X is a wise move. "Before the iPhone, the idea of running every application on a general-purpose computing platform in a tight sandbox was unthinkable in the commercial software world," Watson said in an interview. "Now they've begun to pull some of the benefits of that approach back onto the desktop platform."
Watson said DARPA-funded security technologies developed in the research community, and released as open source, became central foundations for mobile and conventional system sandboxing. Apple contributed significant improvements as it developed its own extensions, according to Watson, who is also a member of the board of directors of the FreeBSD Foundation.
Apple doesn't talk much about security but is clearly making it a priority to stay ahead of emerging threats, Rich Mogull, CEO of Securosis, a Phoenix-based security research firm, told CRN in June. "There is recognition on Apple's part that security is essential to the platform," said Mogull. "Apple realizes if they fall too far behind and malware becomes an issue, it will affect sales."
Apple has pulled off a delicate balancing act when it comes to its security marketing. It still touts the "proven, secure Unix foundation" of OS X on its website. For years, Apple fueled the flames with its "Get A Mac" advertising campaign, which centered on the notion that Macs were immune to the never-ending parade of Windows malware. But in June, comparisons between Macs and Windows PCs vanished without explanation.
Apple's partners believe the arrival of mature security threats, such as the Flashback botnet, have caused the company to adjust its message to match with the current reality.
"There is a sense of security in the Apple community that Apple itself promoted. Attacks have been so minimal that the OS has always been perceived as safe," said Marc A. Wolfe, CEO of Proactive, an Apple partner in Oakland, N.J. "But as Apple becomes more popular and gets bigger market share, there are going to be more attacks."
The perception that Mac users are more secure is still commonplace in businesses, according to David Sockol, president and CEO of Emagined Security, San Carlos, Calif. "Macs are based on Unix, which has been around a long time and has had lots of vulnerabilities that have been addressed," he said. "But any system has vulnerabilities, and we're seeing more malware being aimed at the Mac, so the idea that Mac users are more secure is a fallacy."
Nearly every debate on the issue of whether Macs are more secure than PCs begins with the observation that Apple's market share is far less than Microsoft's. While that argument contains some truth, experts say it does not tell the whole story.
Dave Schroeder, a senior systems engineer at the University of Wisconsin-Madison's Division of Information Technology, and a noted Apple security expert, says perceptions about Mac security are not always based in reality.
"Take the analogy of a country farmhouse with an unlocked door and an urban apartment with barred windows and locked deadbolts. The country house may be safer, but not necessarily more secure," Schroeder told CRN. "In the past, some have likened Mac OS X to the country farmhouse -- only safer because it's less of a target than the urban apartment. But that's not entirely accurate, either.
"The truth is that Mac OS X is an inherently secure operating system, but like any software it can have vulnerabilities which need to be addressed. It's also clear that far more malware targets Windows, and phishing and other social engineering attacks can impact users of any operating system," Schroeder said.
Apple does not schedule a regular patch update, nor does it have a public-facing security incident response team. Given Apple's notoriously slow response to patching Java, which led to the Flashback botnet in April, some experts believe these mechanisms could help the company avoid problems down the road, while also increasing its engagement with the security research community.
"While Apple has been quick to respond to threats, they never seem to discover them. They always seem to be in reaction mode. Stuff has slipped by them, which makes me wonder what level of monitoring they are doing," Andrew Plato, president of Anitian Enterprise Security, a Beaverton, Ore.-based security solution provider, told CRN.
Some researchers feel Apple's longstanding secrecy around security has put it on track for the type of comeuppance that Microsoft had a decade ago, when it was besieged by the Code Red worm and other security threats. That precarious situation prompted Bill Gates to pen his landmark Trustworthy Computing memo, and Microsoft eventually instituted its Security Development Lifecycle (SDL) model, in which security is built in from the earliest stages of the process.
Microsoft officials have been calling out Apple on security for years. In a February 2007 interview with Newsweek, then-CEO Gates insisted that Macs were less secure than Windows PCs. "Nowadays, security guys break the Mac every single day. Every single day, they come out with a total exploit, your machine can be taken over totally. I dare anybody to do that once a month on the Windows machine," Gates told Newsweek.
In 2006, Stephen Toulouse, head of communications for security response at the Microsoft Security Response Center, called on Apple to appoint a head of security and adopt a more proactive approach to handling security vulnerabilities and updates. "The only way you can tackle security issues is by getting out ahead of them and clearly communicating to your users the threat, and the clear guidance on how to be safe," Toulouse in a 2006 post to his personal blog.
So does Apple need to create and deploy its own SDL? According to Kaspersky, doing so could pay dividends down the road.
"All software has vulnerabilities, as all software is created by humans, and they always make mistakes. Just a few mistakes in for-Mac software are enough for the next Mac OS malware epidemic to break out," Kaspersky told CRN.
"Apple can learn a lot from Microsoft when it comes to security. In fact, it wouldn't be a bad idea Apple copying Microsoft's playbook word-for-word when it comes to security responses. Apple needs an SDL process to make sure developers build security into every stage of the software development process," Kaspersky said.
PUBLISHED SEPT. 26, 2012