Apple’s recent security moves uncharacteristically acknowledge that the Mac isn’t immune to today’s threats: Safari can now detect and disable outdated versions of the Adobe Flash plug-in, and the “Why you’ll love a Mac” marketing copy on the Mac website has changed from “It doesn’t get viruses” to “It’s built to be safe.” Apple also reportedly plans to institute automatic updates in its upcoming OS X Mountain Lion operating system so that patching isn’t left up to users anymore.
Charlie Miller, a security researcher who has found several Apple vulnerabilities, says Apple's software is actually relatively secure; the company just doesn’t broadcast what it does security-wise. “I don’t believe they’ve found security religion, but at the same time, I think [Apple software] is pretty secure,” says Miller. “They march to a different drum: they secure stuff and don’t make a big deal out of it.”
Miller says Apple has been improving its security for some time now. “When they added ASLR [Address Space Layout Randomization] for iOS, they didn’t even tell anybody,” Miller says.
While Apple's shroud of secrecy around security and with the press -- Apple did not respond to media inquiries for this article -- isn't likely to change any time soon, recent events hint that it's shoring up its security in the face of new threats and even venturing out into the public eye. A member of Apple's security team is scheduled to give a briefing on iOS security next month at Black Hat USA in Las Vegas. The talk, by Dallas De Atley, manager of Apple's platform security team, will be a first for Apple, which in 2008 at the eleventh hour canceled a Black Hat session with three of its security engineers called "Meet the Apple Security Experts."
Meanwhile, the Flashback Trojan is considered a wake-up call for Mac users' naive assumptions of immunity to malware. The botnet of some 600,000 Macs, most of which were in the U.S., sent a chill across the Mac community, and critics say it's time Apple stepped up and dispelled Mac user misconceptions about threats.
[The massive botnet of Mac computers left millions of dollars in potential profits on the table, researchers at Symantec say. See Flashback Botnet Click-Fraud Operation Could Have Been More Profitable.]
And here are four noteworthy security moves by Apple -- post-Flashback -- that appear to subtly do just that:
1. Safari browser now disables unpatched Adobe Flash plug-ins.
Adobe Flash Player is a popular attack vector, mainly because users don’t bother updating their plug-ins. Adobe, which offers automatic Flash updates now for Windows, is working on the same thing for Mac users.
Adobe’s Brad Arkin, senior director of security for products and services, early last month announced that Apple and Adobe had worked together to help prevent attacks against Flash Player with a new feature in Apple’s Safari 5.1.7 that disables older versions of Flash Player, and sends users to Adobe’s Flash Player Download page for an update.
The Mac version of Adobe’s Flash Player background updater is still in beta, so Arkin pointed to Apple’s move to help push users to update in the meantime. “Remember: The single most important thing we can do to protect ourselves from the bad guys is to stay up-to-date. A thank you to the security team at Apple for working with us to help protect our mutual customers!” Arkin said in a post about the vendors working together.
Rodrigo Branco, director of vulnerability and malware research at Qualys, says disabling Flash is definitely an option for Mac users now: “Flash by itself was always a problem ... now with updates for Safari, you can just disable Flash from the browser. You don’t need to patch it, you can disable it,” says Branco, who welcomed the new Safari feature.
The Flash feature comes on the heels of Apple halting Java plug-ins from automatically launching with Safari. Java, too, is a big fat target for attackers, and Apple’s adoption of these third-party, cross-platform apps has opened it up to vulnerabilities and, as with Flashback, attacks.
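The Safari 5.1.7 behavior described above boils down to a version floor: an installed plug-in whose build is older than the minimum patched version is disabled and the user is pointed at the vendor’s download page. The following is an added example of that check, written for this article and not Apple’s or Adobe’s code; the bundle identifiers and the minimum versions in `MIN_VERSIONS` are constructed placeholders, not the values Apple ships. It also shows why the comparison has to be numeric per dotted component: a lexical string compare would rank a Flash 9 build above a 10.3 floor and wave it through.

```python
"""Added example: a Safari-style plug-in version floor check.

Not Apple's or Adobe's implementation. Bundle IDs and floor versions below are
constructed for illustration only.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class PlugIn:
    bundle_id: str   # plug-in bundle identifier as the browser sees it
    version: str     # dotted build string reported by the plug-in bundle


# Constructed floor list (hypothetical values, not Apple's real blocklist):
# a plug-in whose version is below its floor is disabled until it is updated.
MIN_VERSIONS = {
    "com.macromedia.Flash Player.plugin": "10.3.183.19",
    "com.example.java.plugin": "1.6.0.33",
}


def parse_version(version):
    """'10.3.183.19' -> (10, 3, 183, 19).

    Each dotted component is read as an integer; a non-numeric suffix such as
    '19b' is stripped so the component compares as 19.
    """
    parts = []
    for component in version.strip().split("."):
        digits = ""
        for ch in component:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def compare_versions(a, b):
    """Return -1, 0 or 1 like a C-style comparator.

    Missing trailing components count as 0, so '11.3' equals '11.3.0.0'.
    """
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))
    pb += (0,) * (width - len(pb))
    return (pa > pb) - (pa < pb)


def is_outdated(plugin, floors=MIN_VERSIONS):
    """True when the plug-in is on the floor list and below its floor."""
    floor = floors.get(plugin.bundle_id)
    if floor is None:
        return False  # not on the list: the check leaves it alone
    return compare_versions(plugin.version, floor) < 0


def naive_is_outdated(plugin, floors=MIN_VERSIONS):
    """The bug to avoid: comparing version strings lexically.

    Kept only to contrast with is_outdated(); '9.0.280.0' sorts *after*
    '10.3.183.19' as text, so an ancient Flash 9 build would be allowed.
    """
    floor = floors.get(plugin.bundle_id)
    return floor is not None and plugin.version < floor


def evaluate(installed, floors=MIN_VERSIONS):
    """Map each installed plug-in to the action a floor check would take."""
    decisions = {}
    for plugin in installed:
        if is_outdated(plugin, floors):
            decisions[plugin.bundle_id] = "disabled: update required"
        else:
            decisions[plugin.bundle_id] = "allowed"
    return decisions


if __name__ == "__main__":
    # Constructed sample inventory of installed plug-ins.
    sample = [
        PlugIn("com.macromedia.Flash Player.plugin", "9.0.280.0"),
        PlugIn("com.example.java.plugin", "1.6.0.35"),
        PlugIn("com.example.quicktime.plugin", "7.7.1"),
    ]
    for bundle_id, decision in evaluate(sample).items():
        print(f"{bundle_id}: {decision}")
```

The floor list is deliberately a minimum version per identifier rather than a list of known-bad versions: a blocklist of specific builds silently admits every build it has never heard of, while a floor fails closed for anything older than the last patch.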
2. Macs “don’t get viruses” claim is no longer on the Mac website.
Sometime in June, Apple made some key edits to its “Why you’ll love a Mac” Web page.
Apple edited its original wording from “It doesn’t get PC viruses. A Mac isn’t susceptible to the thousands of viruses plaguing Windows-based computers. That’s thanks to built-in defenses in Mac OS X that keep you safe, without any work on your part” to a more tempered: “It’s built to be safe. Built-in defenses in OS X keep you safe from unknowingly downloading malicious software on your Mac” and “Safety. Built right in,” which describes how OS X’s sandboxing works.
Graham Cluley, senior technology consultant at Sophos, discovered the edits on the site a couple of weeks ago and says it shows that Apple is becoming “bolder” in acknowledging that Mac OS X malware is a reality. “Mac malware is a reality these days, with regular users finding their computers are becoming infected. The problem may not be as significant as Windows malware, but it exists,” Cluley said in his post. “And there's no longer an emphasis on Apple customers having to ‘do nothing’ to keep their Macs malware-free.”
But Apple still doesn’t recommend that Macs run antivirus software. Nor do some key security experts, for that matter. Miller says you should only get AV for Mac if you’re “totally paranoid.” He says it doesn’t add up: “AV costs money, user resources, and can cause problems. On the other hand, it can protect you. But right now, there’s not that much of a threat [out there] for OS X [besides Flashback] and some others,” he says.
“The equation lands on the side of ‘you don’t need it yet,’” he says.
3. Apple helped derail the Flashback botnet.
Apple was criticized for being part of the problem with Flashback after taking two months to fix the reported Java flaw that the attack ultimately exploited.
“That was one of those situations where companies make their own version of something and part of that planning has to be to have a response team that’s going to patch your version when vulns are found,” says Chris Wysopal, CTO at Veracode. “It took them eight weeks to release their fix to Java ... that shows security was not baked into the process.”
Apple released the patch for the flaw and a Flashback Removal Tool in May, after Flashback, for OS X Lion and Mac OS X v10.6. Apple also issued an update for OS X Lion that removed Flashback from systems with no Java installed on them.
Apple joined the ranks of Microsoft by taking part in the takedown of the botnet, a tactic Microsoft has aggressively adopted over the past few years. Apple revealed that it was working with ISPs to dismantle Flashback’s command and control network: “In addition to the Java vulnerability, the Flashback malware relies on computer servers hosted by the malware authors to perform many of its critical functions. Apple is working with ISPs worldwide to disable this command and control network,” Apple said in its advisory.
4. OS X Mountain Lion to get automatic updates.
It’s the next logical step: Apple plans to provide automatic updates for OS X Mountain Lion, according to Mac developer forums and industry reports. Apple also has touched on the release of its Gatekeeper technology, which will let users opt to run on their machine only apps from the Mac App Store that were authorized by Apple.
Still, any new security Apple offers will be incremental and careful not to disrupt its famed end-user experience. “At the end of the day, Apple is known for its focus on the end-user experience, which dictates the approach they take to every aspect of development,” says Marcus Carey, security researcher at Rapid7. “People should not expect Apple products to be the most secure options available, because that’s not their goal. Apple doesn’t want to create insecure products for sure, but their focus is on making magical, shiny things that their consumer base loves.”
But that may not matter. “I believe that consumers and organizations don’t typically buy Apple products because they are secure anyway -- they buy them because they are cool,” Carey says.