There’s a headline from one provocative blog this week suggesting that Apple has conceded “defeat” on the platform’s alleged resistance to malware. This comes in the wake of the reports earlier this year that over 600,000 Macs, over one percent of the estimated user base, was infected as a result of the Flashback outbreak. Therefore, Apple’s claims of enhanced security for oS X must not be believed, I suppose.
Now there are legitimate reasons to fault Apple. One is that they aren’t being as proactive as they should be to protect Mac users, as evidenced by the apparent “late” release of a fix for the Java security vulnerability that allowed Flashback to spread. That fix wasn’t released until months after Oracle reportedly plugged the hole.
As you might have noticed, Java is, these days, an optional install on a Mac. If you run a Web applet or full-blown application that requires Java, OS X will offer to install a copy for you if it’s not there already. After a period of disuse, it is disabled. Otherwise, you can get on with your life without being concerned about Java’s presence or lack thereof. Oracle reportedly took over development of the Mac version of Java, but why Apple didn’t distribute that update until it was too late for lots of Mac users is a question that cries out for a response. It may have been an error, or due to some programming issue that perhaps a future ex-Apple employee will reveal, if it matters anymore.
The point is that the problem was fixed, and infected Macs were easily repaired running the Apple updates. There was even a utility that dealt with Macs that were infected by another version of Flashback that didn’t use Java. In the interim, third-party Mac security apps were updated to address the Flashback outbreak, and there were even free removal apps. So it’s not as if there were no other solutions.
Unfortunately, there is that long-running and totally wrong assumption that Apple has long claimed OS X cannot be infected by malware. Until Flashback appeared, there were several lesser outbreaks that impacted some Mac users. A few were essentially social engineering schemes, where you’d visit a site that falsely claimed your Mac was infected by a computer virus, and offered to sell you a bogus app to fix the problem for a license fee. While the app in question could have infected your Mac with a real virus or some other form of malware, it’s main function, other than to fix a non-existent problem, was to separate you from your money. But it didn’t represent some sort of innate Mac vulnerability. There are Windows versions of such schemes as well, and no doubt even Linux users could be susceptible to the same sort of scam.
Evidently the controversy arose over some alleged changes in Apple’s security claims for the platform, and thus arises the perception that Apple has silently admitted to being wrong. Evidently the furore has arisen over the removal of the phrase, “It doesn’t get PC viruses,” and related information, as if that’s a significant factor. But that doesn’t change the fact that OS X is not susceptible to Windows-only malware, although some malware may impact all platforms. But the change in the description of OS X’s security capabilities appears to have been mostly designed to reflect the changes to Lion.
So there is a reference to sandboxing, which is a recent requirement for apps submitted to the Mac App Store, the XTS-AES 128 encryption capability of FileVault 2, and Apple’s promise to deliver needed security updates in a timely fashion. Well, they fell down on that promise with the Flashback episode, but a more recent Java fix arrived in a timely fashion. They learned from their mistake.
The profile for Mountain Lion includes the promise of even greater security with the Gatekeeper feature, which puts restrictions on the first launch of a newly downloaded or installed app. In addition to further beefing up OS X, there will be daily checks for security updates. You can no longer select the interval in System Preferences.
Does this mean that Mountain Lion will be totally safe from malware? Obviously not! Nobody in their right mind can make such a promise, let alone expect to keep it. At the same time, it does appear to me that Apple is definitely taking security seriously. Where Apple continues to fall down on the job is the low-key nature in which they seem to deal with the issue. You have to visit Apple’s site to learn the security protections afforded by OS X. When security updates are posted, there is no formal announcement. It just happens, and the media is forced to go over the documentation to figure out what fixes are included. You usually learn about Mac malware outbreaks in press releases from thirty-partly security software publishers.
Perhaps Apple doesn’t want to draw unneeded attention to potential Mac security issues. It’s easier to point to something on the site if someone complains. But maybe Tim Cook will realize that security is paramount these days for many existing and potential Mac users. We hear over and over again about hackers stealing banking information and other important financial data. We hear about attempts to hack government computers, and there are ubiquitous TV and radio ads about computers being infected with malware. Sure, those ads cover Windows-only products, although the lurid copy doesn’t say that. But Mac users are surely not blind to potential security threats. Apple just needs to be more forthcoming about the threat and the promise to make your computing life safer. It will make it easier to drown out the fear mongers who believe that the Flashback episode proved that the sky is falling.