When Will Apple ‘Get’ Security Religion?

My recent mention of Apple in a speech at CeBIT Australia initiated the usual flurry of chatter and publications (example) regarding the company’s approach to security. As Apple’s security seems to be a hot topic of late (since Flashfake), I think this is an opportune time to talk some sense about this issue.

As you’ll know, today we see a widening rift between, on the one hand, Apple’s long-term alleged ‘Macs are malware-invincible’ campaign, and on the other – reality, i.e., that this campaign is… losing credibility, to put it mildly. So, will users have the nous to get to understand the real state of affairs, despite what Apple keeps telling them? What’s wrong with Apple’s security approach? Is there anything Apple can learn from Microsoft and other vendors in terms of security?

A decade ago network worms like Blaster and Sasser wreaked havoc on Microsoft’s Windows platform, forcing the company to make some tough – and costly – decisions. The most important was the creation of the Trustworthy Computing initiative, an executive directive that included a major rewrite of Windows XP SP2, an improved security response (Patch Tuesday, security advisories), and the mandatory SDL (Security Development Lifecycle) program that made the operating system more resilient to hacker attacks.

The recent Mac OS X Flashback botnet incident is Apple’s version of the network worm era. It is a wake-up call for a company that has traditionally ignored security.

To really get to the bottom of Apple’s negligence on security, we need to go back to 2006 and that famous Mac vs. PC commercial in which the PC is sneezing from a virus infection and the Mac passes the PC a tissue while dismissing any need for security since viruses pose no threat to Mac OS.


 
The ad was both clever and funny, but misleading. It helped perpetuate the false sense of security among the Mac faithful and ossify the mindset that security just wasn’t needed – because Macs are invincible, and don’t get viruses.

This complacency caused and continues to cause unacceptably long delays in applying patches for critical security flaws and responding to in-the-wild attacks.

Make no mistake about it, the iBotnet (Flashback/Flashfake infected more than 700,000 Macs) was entirely Apple’s fault. The Java patch (CVE-2012-0507) that fixed the vulnerability was issued for Windows on February 14, 2012. This same vulnerability affected Mac OS X too but Apple didn’t provide a fix until April 3, 2012! Apple left its users exposed for 49 days, providing a huge window of opportunity for malware writers to build a botnet. Unforgivable.

Think about it: almost one million Macs in a for-profit botnet owned by cyber-criminals. In terms of market share figures (the percentage of Mac users infected), this is the Mac version of Conficker on Windows. It’s the first in-the-wild malware attack on Mac OS X with such a large number of victims, and further confirmation that growth in Mac market share is providing a major incentive to attackers.

Flashback is particularly nasty because it spreads via drive-by downloads – no user interaction, no extra clicks, no admin password required. Simply surf to a rigged or hacked website, and the malware gets installed automatically. The known variants were used for click-fraud but it could have been even more dangerous because of the Trojan-downloader component that allowed the attackers to install additional malware onto the infected machines.

It’s clear that we have reached the market share tipping point for Mac OS to validate mass-malware attacks. The rule of thumb is: if market share is high enough, cyber-criminals will be motivated to invest in attacks. Malware authors have dabbled in Mac OS attacks in the past with DNS changers, scareware (fake anti-virus) attacks, and the usual phishing lures, but if you put everything together, you can see we’re entering a new phase.

The fact that Apple users have been brainwashed to ignore security threats means that vulnerable desktop applications will remain unpatched and there will always be a large pool of victims waiting to be infected.

If you leave an expensive car unlocked all night in the high street and it gets stolen, it’s you who’s to blame and who should have locked it – no question. Similarly, Apple is to blame for its current situation. The company is always late with supplying patches for known security problems. Java for Mac is just one example but, if you monitor Apple’s patch release process, you’ll find they are constantly late with fixes, especially for open-source components. WebKit and Safari are permanent security nightmares.

Then we have the whole “veil of secrecy” thing. Apple simply ignores all media queries about security problems. Whenever there is a legitimate threat, users get zero communication from Apple. There are no pre-patch advisories with mitigations for users. They don’t provide data to security vendors to help keep the ecosystem secure. When there’s an outbreak, Mac users have to rely on third-party guidance instead of getting help straight from Apple. Nice user respect!

The funny thing is, Apple can learn a lot from Microsoft when it comes to security. In fact, I think Apple should simply copy Microsoft’s playbook word-for-word when it comes to security response. Apple needs an SDL process to make sure developers build security into every stage of the software development process. SCADA, smart grid suppliers, and even the government of India have already adopted Microsoft’s SDL process, which proves that Microsoft is now leading the way on software security.

Apple’s marketing folks won’t like it, but there’s no shame in Apple learning from Microsoft; at least, there shouldn’t be. Apple should copy Microsoft’s security advisories program so that users are properly informed when there’s a legitimate security threat. If Mac users have to wait ages for a patch, Apple should provide temporary mitigations. How about a scheduled Patch Day? This will help IT administrators prepare for patch deployment instead of being surprised by ad-hoc Mac OS X updates. When it comes to security response, Apple is stuck in the 1990s.

Ten years ago, “Trustworthy Computing” effectively rescued the Windows platform from malware armageddon. The security posture of the Windows operating system has improved and Microsoft’s security response process is now the standard that others – like Adobe – are copying.

Now it’s Apple’s turn. The company would help itself – and its users – immensely if it would use the Flashback attack as a reality check and reject the security-by-PR approach that has tricked its user base into complacency. Apple needs to take the security game seriously. We are no longer in 2006 when Macs were deemed safe from attacks and cute commercials could be used to brand an operating system as “superior”. Flashback is the first major Mac botnet, but you can bet there’ll be more. Apple cannot afford to ignore the lesson of Flashback.

Esteemed and respected Apple, are you listening?

11 Responses to “When Will Apple ‘Get’ Security Religion?”

  1. Great post. Apple has always been bit late in patching up security issues and on top of that Apple has always made the general users think Apple software are the most secure than other softwares available in market.

  2. I couldn’t agree more. The reality is that by forcing this illusion of invincibility upon users they have a differentiated product – or atleast the perception that it’s different. This increases their bottom line and I see them walking away from it very reluctantly.

  3. It is definitely like a breath of fresh air to see someone as prominent as yourself shining a bright light on a problem that Apple would seemingly rather just overlook.

    Right Said Fred sang it something like this: “I’m too sexy for my shirt, too sexy for my shirt, So sexy it hurts.”

    Apple’s version: “I’m too sexy for security, too sexy for security, So sexy it hurts.”

    If, as you pointed out, Apple doesn’t get security religion, they will come to know the hurt. It’s only a matter of time. Thanks for your insight!

  4. Nuff said. Aren’t revenues on pc enought for you? It’s not because you want to help me it’s because you want to earn more money. Hope apple will ban your software on theirs computers forever like on iOS devices.

  5. I’ve seen editorials in this vein for several years now, and while I heartily agree with the position, the response from Apple has consistently been a deafening silence. Therefor, I have to postulate that the answer to your question “…Apple, are you listening?” is that no, they are not listening.

    So, given the prevalence of Apple computers and devices in use today, and the fact that they don’t seem to care about security by design, (and we can’t make them care) the discussion I would like to see would be this: How do we best meet the challenge of mitigating these security risks despite Apple?

    Best regards,

    -Xander Sherry

  6. Thing is, Apple is not far from taking this to a level where Anti-virus software is obsolete.
    Mountain Lion will default to install Apps only from the App Store and having all other apps digitally signed and sandboxed.
    My bet is nobody will care about virus/trojans etc on Mac in less then 2 years.

  7. The need for Apple security is incident driven, like making backups years ago. Nobody had the urge to do backups untill they lost all their info. With apple it will be the same, people need to be seriously effected by these security issues first.

  8. Am not a great expert on PCs and less on Apple, but wasn’t there a story or fact that Apple lent a dollar or two from microsoft to make a comeback from. Remind me if am wrong but shame was not the priority then, so why should it be now.
    When I look in schools, offices, shopping supermarkets and almost everywhere, the workhorse of the world is PC and Apple seems to me the workhorse of fun.
    Well when the fun is done, it’s all back to serious work or if you get that chance, rest.
    So please tell me, after playing rich with an Apple, would security doors be left open in this way.

    Apple you do have a lot to learn and even more to practice

  9. Great article ! from my point of view i can see apple is running in a close circle .
    Im just amazed when i see there cloud service , What ‘IF’ my password cracked? I can’t imagine the trouble. Apple have NO or Almost Zero Security in many fields .

Trackbacks/Pingbacks

  1. Kaspersky on the OS X security tipping point « Mac Virus - June 4, 2012

    […] Kaspersky revisits one of his current hobby horses in the blog When Will Apple ‘Get’ Security Religion? and suggests that Apple can learn a lot from Microsoft and other vendors, notably in terms of […]

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: