6 Ways Apple Is Polishing Mac Security
Apple no longer markets Macs as malware-free, but rather "built for security," and refines protection in Mountain Lion.
In fact, that was Apple's security-related marketing message, but only until earlier this month, when the company refreshed its "Why you'll love a Mac" reasoning. The revision instead highlights how "built-in defenses in OS X keep you safe from unknowingly downloading malicious software on your Mac."
Malicious software on a Mac, can it be true? Indeed, fair Apple aficionados, and as the company previews OS X 10.8, a.k.a. "Mountain Lion"--due in July--here are six signs that Mac security continues to mature, as it must.
1. Flashback Previews Mac Malware Future
Apple's change in language was no doubt spurred by fallout from the Trojan Mac attack known as Flashback, which infected an estimated 600,000 Macs, including 274 in Cupertino, where Apple is headquartered.
Why didn't Apple OS X devices previously see mountains of malware? That question has been argued to no end. Previous thinking often centered on network effects--namely, attackers were skilled at writing Windows malware, and the majority of people use Windows, hence why bother with Macs? In the wake of Flashback, however, Macs are facing more mature threats, and that's led Apple to get more forceful on the security front, for example by releasing OS X and Safari updates that disable old or unused versions of Flash and restrict how Java plug-ins launch.
2. "Malware," Says Apple In Crowded Room
In other words, Apple's security posture has been changing. In fact, Craig Federighi, Apple's VP of Mac software engineering, this month even pitched the forthcoming OS X Mountain Lion feature dubbed Gate Keeper as a way "to help keep your system free from malware" at Apple's 23rd Worldwide Developers Conference.
[ Will Apple's planned upgrade treadmill annoy even ardent device fans? See Apple Obsolescence Debate: More Analysis Please, Fanboys. ]
3. Walled Gardens: OS X Cultivates iOS Restrictions
Gate Keeper does that by channeling aspects of iOS on Mac OS X. For starters, Apple has started requiring developers to sandbox their applications, defined by Apple as "restricting what actions programs can perform on your Mac, what files they can access, and what other programs they can launch." In short, sandboxing reduces the potential "attack surface" that a rogue application can exploit, which in security terms qualifies as a "good thing."
4. Enforce Background Checks For Apps
More Gate Keeper goodness is that it allows users to restrict application execution based on origin. Users can set OS X to allow only applications obtained via the Mac App Store or from a trusted developer. Apple is building a database of developer ID codes and a related tracking system. For people who decide to keep the current "anything goes" approach, Apple is still putting new controls in place to ensure that any user-installed applications must ask permission before accessing a user's personal information, such as contacts or calendar data.
5. Receive Daily Apple Security Updates
Historically, Apple's approach to security information--barring Flashback and a fix for Mac Defender--has been consistent: silence. In other words, Apple would neither confirm nor deny any security vulnerabilities in its products until, at some future date, it released a security update to patch the issue, at which point the related update notes might--or might not--detail the vulnerabilities that had been patched.
While Apple isn't suddenly promising immediate full disclosure, it does at least appear to be refining its patching approach. According to Apple news site iClarified, for example, the OS X Mountain Lion Security Update Test 1.0, pushed Monday, includes daily checks for security updates, plus "the ability to install required security updates automatically or after restarting your Mac," meaning that Mac users can see much more timely--and automatic--security updates, which should help the company more quickly nuke any forthcoming Flashback spawn. Finally, the security update also touted having "a more secure connection to Apple's update servers," which is notable, given how the Flame malware was able to spoof a Microsoft certificate, allowing it to use Windows Update to automatically install the malware on targeted Windows PCs.
6. Full Disk Encryption For All
If Apple has recently refined its security tune, it's important to acknowledge that the company has already included some key information security features as standard in its operating system. Chief amongst those is FileVault 2, introduced with Apple OS X 10.7 (Lion), which offers full-disk encryption. The previous FileVault feature, for comparison, only encrypted a user's home folder.
Contrast that "security for all" approach with Microsoft's offerings. Notably, Windows Vista and Windows 7 included BitLocker full disk encryption, although only with the Enterprise and Ultimate versions. Likewise, the feature is built into only the Pro and Enterprise versions of Windows 8.
Employees and their browsers might be the weak link in your security plan. The new, all-digital Endpoint Insecurity Dark Reading supplement shows how to strengthen them. (Free registration required.)