With the latest large sets of security patches and an alleged wireless driver vulnerability, Mac OS X no longer seems invincible. Our expert delves into the real threats in the Apple world and outlines simple steps you can take to protect yourself.
What's going on here? Is the shine off Mac OS X? Is a raft of Windows-level security issues on the way for the secure-OS darling?
Relax, that's not about to happen. For starters, the MacBook that the security researchers hacked into was modified: The vulnerable driver was for a third-party wireless access device, not the AirPort card that's built into the MacBook.
While you should never be blasé or deliberately ignorant of security issues, the fact is, OS X is as secure as it ever was. What you're seeing is the natural evolution of the operating system's security as it becomes more popular.
Windows Security Vs. Mac Security
Mac OS X is, out of the box, a very secure OS. It is, however, not magically secure. While some Mac users like to propagate the myth of "Mac OS X's perfect security," the fact is that like any other well-designed OS, Mac OS X is highly resistant, but not invulnerable, to attack.
This is not to say that it's as bad as Windows at its worst. Early on in the history of Windows NT 4, Microsoft Office, and Internet Explorer, Microsoft made some decisions that, while not terrible from a user's point of view, created the nigh-crippling problems you see with Windows today. The worst of these is the administrator account in Windows, and the reliance of too many software packages on that account. The Windows administrator account is essentially the same as the all-powerful root account on Unix -- there are no files the administrator can't access and no actions the administrator can't perform -- and it's the default account on every version of NT through XP. So once you're running as root, then you're...well...root. There's nothing you can't do, and you aren't going to even get a warning about it.
The insecurity of this is exacerbated by Windows' very bad habit of, until fairly recently, not even asking for a password on the Administrator account. Auto-logon as root, no password needed. There aren't enough letters in the phrase "That's a Very Bad Idea" to adequately communicate the "bad idea-ness" of this bad idea. So if malware gets into your system, then it is running as root. There's very little any OS can do to stop a software process running with that kind of authority.
Apple has never done this. A user who is an "administrator" is not even close to root, but rather is a part of the OS "admin" group. That means that, if needed, the user can authenticate and run processes as root, but is not root on an ongoing basis. In fact, on Mac OS X, the ability to log on as root is disabled, and positive steps must be taken to enable this feature.
It's worth noting that Microsoft has taken a page from Apple in its upcoming Windows Vista operating system: When that OS is released next year, users will not be logged in as administrator/root by default.
So Why All The Patches?
The Mac security alerts and patches you're seeing lately are not a sign that Apple is flubbing the security of the OS, but rather that more people are taking OS X's security seriously and actively looking for vulnerabilities so that Apple can patch them. This was, ironically, predicted by Symantec in a much-reviled security review paper back in 2005. In that Internet Security Threat Report, Symantec predicted that as Mac OS X becomes more popular, there will be more people looking for vulnerabilities in that OS (for good and ill), and so of course there will be an upswing in the number of vulnerabilities found. That's what you're seeing today.
This is not an inherently bad thing. It can be unsettling, but it's the best way to reduce vulnerabilities. If the only people looking for holes in Mac OS X were Apple employees, the OS would be a lot less secure. Vulnerabilities are not exploits. They're potential avenues for exploits, which is why it's critical that you keep your system up to date.
The truth is, all the malware for Mac OS X thus far has been rather lame, and not much of a danger to anyone who practices a few common-sense steps. The real threats in the Mac world are complacency and foolish behavior on the part of users.