The Apple Security Report: Is OS X Really Ten Years Behind?

May 15th, 2012

So there are widely published reports this week claiming that Apple has teamed up with Kaspersky Labs, publisher of antivirus software, to receive advice on bolstering OS X security. How do we know that? Because Kaspersky’s chief technology officer, Nikolai Grebennikov, said so, according to an interview published in Computing. Since we’re talking about a heavy-hitter in the security software business, the quote is being taken as accurate.

But that doesn’t mean it’s necessarily true, because there are some other questionable statements from Grebennikov, particularly the ones claiming that “Mac OS is really vulnerable,” and that Apple may be ten years behind Microsoft when it comes to shoring up OS security. More to the point, other than this single comment in a published interview, how do we know that Apple actually reached out to Kaspersky or any other security company for help?

So far, Apple hasn’t responded to our requests for comment, nor to those from Ars Technica, perhaps one of the few media outlets that attempted to confirm this report.

In the meantime, I asked security expert Rich Mogull, who has sharp ears when it comes to security issues, what he knew. His response? “I have no knowledge of Kaspersky working with Apple so I can’t comment on that. But it seems weird that Apple would allow a security partner to discuss the relationship in the press.”

What’s more, for reasons revealed later in this article, the original Computing story will probably be updated by the time you read it to correct the questionable claim about a partnership with Apple.

It’s also true that third-party companies are generally admonished not to announce anything about an Apple partnership without approval from the mother ship. Consider a recent story quoting a Foxconn executive that Apple is gearing up to produce that rumored smart TV. Turns out that this quote was buried in a single story, and could have been the result of an incorrect translation, since other media outlets present when this statement was allegedly made never confirmed it. Again, you have to believe that Foxconn respects the trade secrets and marketing plans of their clients and wouldn’t betray them in such a clumsy fashion, or at all. In fact, Foxconn has since denied the report.

When it comes to the state of OS X security, Mogull had some very pointed comments to make that sharply contradict those of the Kaspersky executive: “OS X is now very close to the latest versions of Windows in terms of security. This gap will close even more with Mountain Lion. That 10 year line shows a lack of understanding of the current operating system fundamentals.”

The largest security issue Apple faces, according to Mogull, is not necessarily the result of Apple’s own OS components: “Overall OS X security has improved dramatically in the past few years, especially with Lion. Apple still struggles due to extensive use of third party software, like Java or the many Open Source components included in the OS, which is out of its direct control. Their biggest current security issue is closing the gap of time between when one of those components is patched, and when Apple updates the OS with their version of the patch.”

A key example of that gap is Apple’s failure to inoculate Mac users against the Flashback virus in a timely fashion. Although Oracle patched Java to remove the vulnerability in February, it took weeks for Apple to get around to releasing a series of OS X patches to address the issue. And not before an estimated 600,000 Mac users were affected. Certainly Apple ought to explain what happened, and promise to do better.

It may well be that there was a communications problem between Apple and Java’s developer, Oracle. Maybe Oracle was late in delivering the patched source code to Apple from which to build an OS X updater. Maybe the efforts to build that updater were stalled because the fix generated other problems. Modern software is too complex to just release something without thorough testing. Even then, fixes can, themselves, introduce unexpected problems.

When Apple did release a new version of Java, they followed with two more in rapid-fire fashion, both of which removed the Flashback malware if it was present on a Mac, and, in the final release, disabled Java if it hadn’t been used lately. Apple also released a standalone Flashback remover and, later, Safari 5.1.7, which disables older versions of Flash. Indeed, the original Flashback malware exploited a Flash vulnerability before it was modified to target Java.

As Mogull states, Apple has taken positive steps towards enhancing OS X security. The new Mac App Store will soon insist that posted apps be sandboxed, meaning they will be walled off from the OS and other apps, so malware or other instabilities can’t impact your Mac. Mountain Lion’s Gatekeeper feature will help reduce the possibility of a Mac user launching a potentially malware-ridden app.

As to Kaspersky, after the original story came out, they walked it back, claiming the original quote was taken out of “context.” As quoted by Engadget, Kaspersky reportedly announced, “Apple did not invite or solicit Kaspersky Lab’s assistance in analyzing the Mac OS X platform. Kaspersky Lab has contacted to correct its article.” Or maybe Apple simply told them it was time to stop boasting about an alliance that didn’t really exist, but that’s just a casual assumption.

Meantime, I suppose it’s still possible that the keynote at the forthcoming Apple WWDC will mention enhanced OS X security, and how Apple is working with key industry players to make the Mac user experience safer.

But I’m more concerned that far too many members of the media believed Kaspersky without reaching out to a second source to confirm or deny that story, and I mean Apple.

6 Responses to “The Apple Security Report: Is OS X Really Ten Years Behind?”

  1. dfs says:

    Isn’t there something wrong with the way this current discussion is playing out in the press? The topic is OSX vulnerability. But we’ve never been told that OSX is invulnerable to attack, we’ve been told about the safety of Unix, and OSX is Unix-based. So why isn’t Unix even mentioned in the course of this discussion?

  2. Joe B. says:

    The media will handle this issue in the manner that best suits the media. They’re not really looking to present the situation in the most pragmatic way.

    If it brings them clicks, then they’ll make a big deal out of this. Their motivation won’t be to deliver the truth, the whole truth and nothing but the truth.

    And the only thing that OS X is ten years behind in, is the amount of money that it delivered to the security companies’ coffers. While a security company’s job is to keep its users safe, its real purpose is to make its owners/shareholders as much money as possible. So if they can scare/con people into paying for their products by spreading FUD, then they would maximize it for every little event they can.

    No sane, knowledgeable person ever said that OS X is invulnerable. Even high-security systems deployed in the most secure facilities still have vulnerabilities. They may be hard to exploit, but nothing is impossible.

    And remember, the biggest security hole in any operating system or product is usually the user. Before the latest iteration of Flashback, all OS X malware relied on social engineering. It was no failure in the OS, it was a failure in users.

    And what these security companies always omit from their FUD missives is the fact that their software never protects against brand new attacks. So if some genius evil manages to create a piece of malware that could infiltrate the kernel, then their security software will have a very small chance of success against it.

  3. Don says:

    The real problem with the media in this discussion is their incapability of differentiating between a perceived vulnerability and the capability of criminal malware creators to access that vulnerability.

    As a comparison, the defense of one football team may see a vulnerability in one position of the other team’s offensive line, but unless they are capable of taking advantage of it the fact that the vulnerability exists is meaningless.

    Nobody has ever said that the Mac is invulnerable. It is simply clear that taking advantage of any vulnerabilities isn’t easy. Look at all the press (and supposed money) just one malware creator received as a result of infecting an ESTIMATED (not confirmed) 600,000 Macs. Are the “Apple is behind!” fanatics really saying that other malware makers wouldn’t do anything for the publicity and money?

    The problem is NOT vulnerability. It doesn’t matter how many vulnerabilities an OS has if malware can’t, for any reason, use that vulnerability. The only real problem is with successful attacks.

    So let’s see. Successful attacks against Macs: in the last 10 years a small handful.
    Successful attacks against Linux: under 1,000
    Successful attacks against Windows: perhaps as many as a MILLION or more.

    If you want to talk about real security, and not just the unrealized potential of malware, I know where the odds are. It may not stay that way, but as of this time, the absolute safest platform by far is the Mac.

  4. DaveD says:

    I prefer getting security advice from a knowledgeable individual/company with no software to push, no pay for referrals. Whenever observing an agenda to extract money, I will quickly move away from the scene.

    Playing with Ubuntu in VirtualBox, I see security updates often. The version is Lucid Lynx (10.04) released in April 2010 and remains on long-term support until April 2013. My impression is that Apple has not made OS X security fixes higher on their priority list.

    Security issues, I believe, are under wraps until corrected. The Java exploit was corrected in Windows. Those “individuals” who knew about it had months to concoct the Flashback malware due to Java for OS X not being fixed at the same time as Windows. We didn’t hear any buzz about Flashback on that platform.

  5. Louis Wheeler says:

    Let’s see if I have this right. The Unix internal permission system prevents computer viruses, worms, spyware, adware, most rootkits, because it limits the functions which an application can perform. Correct?

    Microsoft Windows does not have such a permission system, so it has no internal defenses and it must guard its periphery very well. Hence, Windows remains the primary victim of malware. It is practically impossible to operate a Windows system without anti-virus software, while Macs are routinely operated without it.

    Mac OSX users are accused of being naive, because they have never had a security problem and may have never heard of one on a Mac. Many Windows converts feel naked without anti-virus software. They occasionally panic when they try to apply their Windows background to the Mac. They did this when it was discovered that the Mac had an open firewall. They did not know that Apple was using an application firewall. What no one seemed to notice was that despite an open firewall, their Macs were not becoming corrupted. Ah! They said, there are just too few Macs for crackers to bother with. That excuse is getting tired. What they won’t admit is that Apple may know what it is doing.

    One area, often complained about, is that Apple is slow in fixing vulnerabilities in its Unix foundations and in Third party software. Apple can be slow because rarely can those vulnerabilities be turned into an exploit. If a PDF is corrupted, then you can’t view it. If an application is corrupted it won’t work. If there is a vulnerability in the Mac’s Unix foundations, it can only be exploited at the keyboard, not remotely, so there is no history of drive-by malware. Another thing unmentioned is that Apple’s Unix foundations are not kept up to date, hence we miss many of the exploits which plague Linux. Consequently, it is a mixed bag and nothing to panic about.

    Microsoft has been adopting a series of preventions which help it overcome its internal weaknesses. They are DEP, ASLR, Sand-boxing and virtualization. Apple has been attacked for being slow to adopt these technologies. The reason they were not made default on a Mac was that Apple was slow to move to a 64 bit operating system. Of course, you could turn them on in 10.7 Lion. 10.8 Mountain Lion leaves behind the 32 bit OS, and there are plenty of complaints about that. My four year old iMac 7,1 is the last model eligible for 10.8 and I need a firmware upgrade to run 64 bit.

    All computers are vulnerable to trojan horses and phishing attacks, because they mislead the user. Hence, they are practically the only ones we hear about on the Mac. Of course, the Anti-virus vendors always mislead us by using the word Virus to describe them.

    This is not to imply that the Mac is perfect, nothing is. But, since 95% of the malware is on Windows and the rest is on Linux, it would make sense from a business aspect to own a Mac.

    Then why is there so much noise about Mac vulnerabilities? It is a possible untapped resource for the Anti-virus vendors. Rarely do you even have to buy their software to clean up your machine. Please don’t pay these AV vendors. It only encourages them.
