Has Apple Lost Its Security Shine? - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

09:12 AM

Has Apple Lost Its Security Shine?

With the latest large sets of security patches and an alleged wireless driver vulnerability, Mac OS X no longer seems invincible. Our expert delves into the real threats in the Apple world and outlines simple steps you can take to protect yourself.

First, there was Apple's massive May security update, which patched more than 40 vulnerabilities in Mac OS X and QuickTime. Then the company patched 26 more vulnerabilities in August. Almost simultaneously, security researchers took advantage of a wireless driver vulnerability to hack into a MacBook at this year's Black Hat conference.

What's going on here? Is the shine off Mac OS X? Is a raft of Windows-level security issues on the way for the secure-OS darling?

Relax, that's not about to happen. For starters, the MacBook that the security researchers hacked into was modified: The vulnerable driver was for a third-party wireless access device, not the AirPort card that's built into the MacBook.

While you should never be blasé or deliberately ignorant of security issues, the fact is, OS X is as secure as it ever was. What you're seeing is the natural evolution of the operating system's security as it becomes more popular.

Windows Security Vs. Mac Security
Mac OS X is, out of the box, a very secure OS. It is, however, not magically secure. While some Mac users like to propagate the myth of "Mac OS X's perfect security," the fact is that like any other well-designed OS, Mac OS X is highly resistant, but not invulnerable, to attack.

This is not to say that it's as bad as Windows at its worst. Early on in the history of Windows NT 4, Microsoft Office, and Internet Explorer, Microsoft made some decisions that, while not terrible from a user's point of view, created the nigh-crippling problems you see with Windows today. The worst of these is the administrator account in Windows, and the reliance of too many software packages on that account. The Windows administrator account is essentially the same as the all-powerful root account on Unix -- there are no files the administrator can't access and no actions the administrator can't perform -- and it's the default account on every version of NT through XP. So once you're running as root, then you're...well...root. There's nothing you can't do, and you aren't going to even get a warning about it.

The insecurity of this is exacerbated by Windows' very bad habit of, until fairly recently, not even asking for a password on the Administrator account. Auto-logon as root, no password needed. There aren't enough letters in the phrase "That's a Very Bad Idea" to adequately communicate the "bad idea-ness" of this bad idea. So if malware gets into your system, then it is running as root. There's very little any OS can do to stop a software process running with that kind of authority.

Apple has never done this. A user who is an "administrator" is not even close to root, but rather is a part of the OS "admin" group. That means that, if needed, the user can authenticate and run processes as root, but is not root on an ongoing basis. In fact, on Mac OS X, the ability to log on as root is disabled, and positive steps must be taken to enable this feature.

It's worth noting that Microsoft has taken a page from Apple in its upcoming Windows Vista operating system: When that OS is released next year, users will not be logged in as administrator/root by default.

So Why All The Patches?
The Mac security alerts and patches you're seeing lately are not a sign that Apple is flubbing the security of the OS, but rather that more people are taking OS X's security seriously and actively looking for vulnerabilities so that Apple can patch them. This was, ironically, predicted by Symantec in a much reviled security review paper back in 2005. In that Internet Security Threat Report, Symantec predicted that as Mac OS X becomes more popular, there will be more people looking for vulnerabilities in that OS (for good and ill), and so of course there will be an upswing in the number of vulnerabilities found. That's what you're seeing today.

This is not an inherently bad thing. It can be unsettling, but it's the best way to reduce vulnerabilities. If the only people looking for holes in Mac OS X were Apple employees, the OS would be a lot less secure. Vulnerabilities are not exploits. They're potential avenues for exploits, which is why it's critical that you keep your system up to date.

The truth is, all the malware for Mac OS X thus far has been rather lame, and not much of a danger to anyone who practices a few common-sense steps. The real threats in the Mac world are complacency and foolish behavior on the part of users.

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
1 of 3
Comment  | 
Print  | 
More Insights
2021 State of ITOps and SecOps Report
2021 State of ITOps and SecOps Report
This new report from InformationWeek explores what we've learned over the past year, critical trends around ITOps and SecOps, and where leaders are focusing their time and efforts to support a growing digital economy. Download it today!
InformationWeek Is Getting an Upgrade!

Find out more about our plans to improve the look, functionality, and performance of the InformationWeek site in the coming months.

Remote Work Tops SF, NYC for Most High-Paying Job Openings
Jessica Davis, Senior Editor, Enterprise Apps,  7/20/2021
Blockchain Gets Real Across Industries
Lisa Morgan, Freelance Writer,  7/22/2021
Seeking a Competitive Edge vs. Chasing Savings in the Cloud
Joao-Pierre S. Ruth, Senior Writer,  7/19/2021
Register for InformationWeek Newsletters
Current Issue
Monitoring Critical Cloud Workloads Report
In this report, our experts will discuss how to advance your ability to monitor critical workloads as they move about the various cloud platforms in your company.
White Papers
Twitter Feed
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Sponsored Video
Flash Poll