Is Apple Changing Its Silent Security Stance?

Apple has long enjoyed its reputation as an impenetrable fortress, free from the malware and security threats that have plagued Windows, but the much-publicized Mac Defender phishing scam that attacked Macs in May has been a wake-up call. While security experts give Apple credit for its response to Mac Defender, they also say Apple needs to remain vigilant against a growing tide of future threats.

The growing popularity of Macs has made OS X an increasingly attractive target for hackers. During the third quarter of 2010, Apple computer shipments broke into double-digit market share for the first time since the 1990s, registering 10.4 percent of total U.S. computer shipments and making it the fourth largest computer maker in the country, according to Gartner.

This popularity is giving rise to new crops of malware that are pushing Apple to reconsider its historically mum stance on security and adopt a more transparent disclosure model in the future, experts say.

"MacDefender proved that Apple users are just as likely to click on a malware link as Windows users," Andrew Storms, director of security for security firm nCircle, said. "This insight is likely to encourage hackers to try enticing more Mac users into their traps."

Almost identical to age-old fake antivirus attacks for Windows, the Mac Defender scareware was a phishing attack that targeted users by redirecting them to fake security Web sites that requested credit card credentials in exchange for the bogus "Mac Defender" antivirus software.

The surge of Mac Defender scareware was followed by a malicious variant, known as MacGuard. Unlike other versions of Mac Defender, MacGuard bypassed the password prompt and installed automatically on Mac OS X systems without any user intervention.

The attacks swept through users' Macs in May, pummeling tens of thousands of users and overwhelming Apple helpdesk personnel ill-equipped to deal with the onslaught of calls associated with the Mac Defender scareware.

Apple issued a security advisory May 24 warning users that the recent onslaught of MacDefender malware was a threat to its Mac OS X platform. Cupertino was quick to follow its warning with the rapid release of an out-of-cycle security update blocking the MacDefender malware.

Apple's admission, and subsequent patch, were nothing short of groundbreaking for the company, security experts say.

"We know the MacDefender bug was significant to Apple because of the way they responded. Apple admitted that customers were experiencing the problem, and they went ahead and delivered a software tool to help users clean up the mess," said Storms. "In a way, this was an admission from Apple that their software and their users are just as vulnerable as Windows users to malware attacks."

However, although Apple eventually stepped up with a fix, its initial response was obfuscation.

Immediately following the attack, Apple reportedly issued a directive that prohibited support staff from offering help to users calling for assistance after becoming infected with the MacDefender malware.

According to a published memo, which ZDNet said was acquired from an outsourced support company, Apple reportedly prohibited its help desk personnel from showing customers how to force quit Safari on a Mac Defender call, how to remove it from the Login items, and how to stop the process of Mac Defender in their Activity Monitor, while explicitly forbidding support staff from referring customers to any forums or discussion board for resolution.

Days later, the company addressed the attack with an advisory and offered a temporary workaround to mitigate the problem.

Experts contend that the response was largely inadequate, especially compared to more experienced players such as Microsoft and Adobe, which have cultivated a comprehensive and systematic security and response process over the years.

"(The response) was a bit slow," said Charlie Miller, researcher with consulting firm Independent Security Evaluators. "But the fact that Apple ships a built-in anti-virus shows they provide at least a minimal protection against malware."

However, experts agree that Apple’s admission represented a significant departure from the Cupertino, Calif.-based computer company’s traditional closed-mouth stance regarding security.

Storms said that in the past, Apple upheld a consistent policy of silence around its security flaws. The company has a track record of releasing bug fixes and alerts without including the detailed information and mitigation advice that has become standard practice for other vendors.

For example, in June of 2010, Apple stealthily updated Mac OS X with antimalware that beefed up protection against a backdoor Trojan horse used by hackers to take over users' iMacs or MacBooks, but failed to mention the update in its release notes for the new OS X 10.6.4 or in the related security bulletin, which could ultimately serve to mislead and harm Mac users down the road.

In the past, the company has also come under fire for not responding quickly enough to security vulnerabilities reported by researchers. Apple's laissez-faire attitude about security was pulled into the spotlight in 2009, when security researcher Landon Fuller published exploit code for a gaping Java vulnerability in the Mac OS X platform, which the company failed to repair almost six months after it was disclosed in December 2008.

Apple researcher Kevin Finisterre, former head of research and co-founder of Secure Network Operations, said that historically Apple "sucked at response."

"You would send the vulnerability information and they would send a generic e-mail responder and then they wouldn't talk to you about it," he said, drawing from his work on the Month of Apple Bugs, a project designed to draw attention to the company's lax security policies by publishing unpatched Mac OS X flaws.

Many security experts believe Apple’s slow response to security issues stems from an inadequate budget dedicated to security and their security team. Apple could not be reached for comment by CRN.

Apple has never given any indication of the size of its security research team, but for years, it didn't need a big team because Macs were a low priority target for hackers. Apple’s previous declarations that Mac users didn’t need a separate anti-virus tool on their computers also served to create a false sense of security.

"In general, for whatever reason, folks think it's a more secure operating system. Just that in and of itself makes it a target," Finisterre said.

But the Mac OS X platform is far from secure, experts say. Larry Highsmith, Apple researcher and CEO of information assurance security firm Subreption, contended that it lacks a proper ASLR implementation -- a security mechanism involving the random position arrangements of key data areas in the address space -- and ships with a loosely knit kernel as part of its operating system for end customers.

Highsmith said that Apple’s security response team remains largely reactive -- as opposed to proactive -- to threats and continues to fall short with inconsistent communication to outside researchers, while lacking strong incentives for them to unveil and report vulnerabilities.

"They still offer no benefit to anybody who is gullible enough to 'work for free' and report problems to them free of charge," Highsmith said.

Highsmith suggested that Apple could improve security response with something as "simple as having a budget proportionally adequate to the heat they will receive."

"Other vendors learned this the hard way. Microsoft now has a more-than-generous budget for security, because they know too well it is worth it," he said. "Vulnerabilities, especially when not handled properly, can cost in the range of millions in PR, salaries, time investment, etc."

Despite Apple's historically lax approach toward security, there are signs that the company is slowly improving its security posture and response.

Even before Mac Defender, Apple seemed to turn a corner in its security response and hiring practices, making it a point to hire known security experts. The company brought aboard U.S. Naval cryptography officer and NSA global network vulnerability analyst David Rice in January to take the position of director of global security. Prior to that, the company hired Ivan Krstic, former director of security architecture at One Laptop Per Child, to work on core security.

Apple Reaching Out To Research Community

Meanwhile, the company is slowly abandoning its previous stance that Mac OS X doesn't need additional anti-virus, while also stepping up internal update mechanisms.

In addition to addressing Mac Defender, Apple also began adding a daily update to its malware database.

"Apple maintains a list of known malicious software that is used during the safe download check to determine if a file contains malicious software. The list is stored locally, and with Security Update 2011-003 is updated daily by a background process," according to Apple's Web site.

Instead of only relying on security updates every few months, the system now updates frequently, "much like an independent, commercial anti-virus," Miller said.

Security experts also say that Apple lately has made more of an effort to extend hands to the research community. Finisterre said that the turning point was after he discovered and disclosed a Bluetooth vulnerability.

"They listened, at the very least. I think they've loosened some of the restrictions, and they're able to be a bit more candid than they previously were," he said. "You cannot be in reactive mode at all times. The key to the game is being proactive by both engaging the community and your staff as much as possible. Getting people to think outside the box is usually the critical step that gets left out.

"As far as I am concerned, Apple has been making a steady pace in those directions for several years now," he added. "How far ahead of the curve or close to it they are, I honestly cannot say."