Apple might be scrambling to shore up security holes in the aftermath of a published Java vulnerability exploit, but significantly ramping up security efforts to better address Mac OS X malware doesn't seem imminent, security experts say.
Security experts say that Apple's ability to repair the recently published Java exploit will likely be a strong indicator of the company's ability to deliver timely security updates to plug an increasing number of exploited security holes.
As of late, the company has come under fire for the lengthy time spans between security updates. Security experts say that Apple's laissez-faire attitude about security was most recently demonstrated with a gaping Java security hole in the Mac OS X platform, which the company has yet to fix almost six months after it was disclosed in December 2008.
While the Java error was made public and patched by its creator, Sun Microsystems, on Dec. 3, it has yet to be addressed with an update by Apple -- which has its own version of Sun's Java for the Mac OS X. Until Apple releases a patch, Mac users will have to disable Java applets in their browsers, as well as the "Open 'safe' files after downloading" option in Safari, to protect themselves against malware attacks.
Apple did not respond to inquiries from Channelweb.com regarding the Java flaw.
Meanwhile, the flaws in Apple's security update process were most notably illustrated by Apple security researcher Landon Fuller, who published a proof-of-concept exploit for Apple's Java vulnerability earlier this month in an effort to draw attention to the long-standing problem in the Mac OS X operating system.
"Unfortunately, it seems that many Mac OS X security issues are ignored if the severity of the issue is not adequately demonstrated," Fuller said in a blog post Thursday. "Due to the fact that an exploit for this issue is available in the wild, and the vulnerability has been made public knowledge for six months, I have decided to release my own proof of concept to demonstrate the issue."
The Java vulnerability, considered "critical" by other vendors because it allows remote code execution, enables remote hackers to completely circumvent the Java sandbox and run arbitrary commands on users' Mac systems, which could be used for identity theft and other criminal activities conducted online. Users can become infected with information-stealing malware by visiting a Web page hosting a malicious Java applet.
Critics say that the Apple security update process falls short of adequately preparing the Mac OS X platform for the possibility of attack, especially when compared to competing vendors such as Microsoft, which issues a spate of security updates on the second Tuesday of the month.
"(Apple's) security team is still far from sight of being as large and diverse in both backgrounds and skillsets as that of other vendors," said Larry Highsmith, CEO of information assurance security firm Subreption, in an e-mail. "Many of their current approaches to securing the OS internal are flawed by design, and some are poorly implemented. Their implementation of ASLR is largely flawed, even more than Microsoft's, their approach to memory protections enforcement is as well broken."
Security experts say that the recently published exploit code for Apple's Java vulnerability will likely force Apple to bump up the issue in the queue, due to the fact that "users will be exposed to widespread abuse," Highsmith said.
But whether the issue will galvanize Apple into speeding up security updates or adopting a monthly patch rotation cycle remains to be seen. Experts say that Apple lacks necessary manpower to create and test patches on a monthly basis and doesn't have the extensive security team needed to develop significant changes to Mac OS X internals that would make the platform more resilient to sophisticated malware attacks.
Meanwhile, the company's historic lack of emphasis on security issues has left Apple underprepared to deal with future Mac-malware, while putting it behind competing vendors such as Microsoft in terms of its ability to address security issues, experts say.
"Microsoft indeed has better security response capabilities, but this is due to their dedicated budget to security, historical background and some other likely questionable practices that hopefully won't be taken as inspiration for Apple," Highsmith said.
The recently published exploit code for the Java bug is not the only flaw to plague the Mac platform. Apple researcher Kevin Finisterre posted exploit code on hacker forum milworm.com that exposed a previously published buffer overflow vulnerability that could be exploited via Apple's Web browser Safari.
Both exploits reflect a burgeoning trend of malware created to target the Mac OS X. Starting in January, Mac OS X users were pummeled with two variants of a Mac-only iServices Trojan distributed via pirated versions of Apple's productivity suite iWorks and cracked Adobe Photoshop CS4 applications.
Researchers later discovered in April that both Trojan variants developed into a full-fledged Mac botnet. So far, Mac malware seems to be relegated to targeted attacks as opposed to widespread exploitation experienced by Windows systems.
Apple researcher Kevin Finisterre said that so far Apple has done a decent job of combating attacks on the Mac platform, such as stamping out the use of input managers. And the Cupertino, Calif.-based company also hired the former head of security architecture at One Laptop per Child (OLPC) Ivan Krstic to help fend off malware threats directed at the Mac OS X platform. Churning out updates in a monthly patch cycle wouldn't necessarily benefit Apple in light of the fact that attacks on the Mac platform remain limited in number, Finisterre said.
"Unfortunately, there's always going to be some (Mac) bugs that aren't patched. I don't know what the outcome of prioritizing some of those versus others [would be]," Finisterre said. "If there's known exploit code, that bumps the priority up almost instantly."
However, security experts say that Mac users can expect to see more drive-by and browser attacks targeting Safari and QuickTime vulnerabilities down the road, as well as exploits in other imaging and other media formats particular to the Mac. And as market share grows, hackers will refine their techniques to obfuscate the malware and further elevate privileges, Finisterre said, adding that Apple has a history of "falling prey to old bugs that already have existing CVE [Common Vulnerabilities and Exposures] numbers and patches."
Finisterre added that down the road, Apple managers will have to find ways to stay on top of security in their open-source components if they want to adequately protect their platform.
"In the past, from a statistical standpoint, it may not make sense to try to focus on attacking a Mac, which would not net you many victims," Finisterre said. "As the market grows, these numbers change."
