9/18/2006
09:12 AM

Has Apple Lost Its Security Shine?

With the latest large sets of security patches and an alleged wireless driver vulnerability, Mac OS X no longer seems invincible. Our expert delves into the real threats in the Apple world and outlines simple steps you can take to protect yourself.

First, there was Apple's massive May security update, which patched more than 40 vulnerabilities in Mac OS X and QuickTime. Then the company patched 26 more vulnerabilities in August. Almost simultaneously, security researchers took advantage of a wireless driver vulnerability to hack into a MacBook at this year's Black Hat conference.

What's going on here? Is the shine off Mac OS X? Is a raft of Windows-level security issues on the way for the secure-OS darling?

Relax, that's not about to happen. For starters, the MacBook that the security researchers hacked into was modified: The vulnerable driver was for a third-party wireless access device, not the AirPort card that's built into the MacBook.

While you should never be blasé or deliberately ignorant of security issues, the fact is, OS X is as secure as it ever was. What you're seeing is the natural evolution of the operating system's security as it becomes more popular.

Windows Security Vs. Mac Security
Mac OS X is, out of the box, a very secure OS. It is, however, not magically secure. While some Mac users like to propagate the myth of "Mac OS X's perfect security," the fact is that like any other well-designed OS, Mac OS X is highly resistant, but not invulnerable, to attack.

This is not to say that it's as bad as Windows at its worst. Early on in the history of Windows NT 4, Microsoft Office, and Internet Explorer, Microsoft made some decisions that, while not terrible from a user's point of view, created the nigh-crippling problems you see with Windows today. The worst of these is the administrator account in Windows, and the reliance of too many software packages on that account. The Windows administrator account is essentially the same as the all-powerful root account on Unix -- there are no files the administrator can't access and no actions the administrator can't perform -- and it's the default account on every version of NT through XP. So once you're running as root, then you're...well...root. There's nothing you can't do, and you aren't going to even get a warning about it.

The insecurity of this is exacerbated by Windows' very bad habit, until fairly recently, of not even asking for a password on the Administrator account. Auto-logon as root, no password needed. There aren't enough letters in the phrase "That's a Very Bad Idea" to adequately communicate the "bad idea-ness" of this bad idea. So if malware gets into your system, then it is running as root. There's very little any OS can do to stop a software process running with that kind of authority.

Apple has never done this. A user who is an "administrator" is not even close to root, but rather is a part of the OS "admin" group. That means that, if needed, the user can authenticate and run processes as root, but is not root on an ongoing basis. In fact, on Mac OS X, the ability to log on as root is disabled, and positive steps must be taken to enable this feature.

It's worth noting that Microsoft has taken a page from Apple in its upcoming Windows Vista operating system: When that OS is released next year, users will not be logged in as administrator/root by default.

So Why All The Patches?
The Mac security alerts and patches you're seeing lately are not a sign that Apple is flubbing the security of the OS, but rather that more people are taking OS X's security seriously and actively looking for vulnerabilities so that Apple can patch them. This was, ironically, predicted by Symantec in a much-reviled security review paper back in 2005. In that Internet Security Threat Report, Symantec predicted that as Mac OS X becomes more popular, there will be more people looking for vulnerabilities in that OS (for good and ill), and so of course there will be an upswing in the number of vulnerabilities found. That's what you're seeing today.

This is not an inherently bad thing. It can be unsettling, but it's the best way to reduce vulnerabilities. If the only people looking for holes in Mac OS X were Apple employees, the OS would be a lot less secure. Vulnerabilities are not exploits. They're potential avenues for exploits, which is why it's critical that you keep your system up to date.

The truth is, all the malware for Mac OS X thus far has been rather lame, and not much of a danger to anyone who practices a few common-sense steps. The real threats in the Mac world are complacency and foolish behavior on the part of users.
