Sunday, April 15, 2012

Apple joins the big leagues

I've been hearing 'OS X is secure' for a decade now. For a decade, I've been challenging that assertion.

The challenges to that assertion generally end up with a response of 'because it's Unix' or 'because it's not Microsoft'. I don't recall 'OS X is secure' assertions being backed up by detailed explanations of anything in the kernel, operating system, development tools or coding practices that assures a higher level of security than competing operating systems, and I don't hold that a Unix history automatically ensures a more secure platform. My first forensic examinations were Unix, not Windows, and I can easily assert that the reason that we have more compromised Windows servers and desktops is because we have more Windows servers and desktops.

Unfortunately the 'OS X is more secure' fantasy has left some (or many) with the impression that they don't need to practice safe computing on Macs. It is OK to run as admin. Anti-virus is not necessary. Drivebys are a Microsoft problem. In my opinion the smoke and mirrors surrounding 'OS X is secure' have also led to complacency on Apple's part. They are not as aggressive at implementing security-related operating system improvements (such as ASLR) or routine security patches, nor have they implemented the really basic security controls that I implemented more than twenty years ago on our NetWare servers (remove the execute permission from directories that contain user data, remove the create/write permission from directories that contain executable code). With the latest attacks on OS X applications and with Apple's apparent inability to defend its operating system against drive-by vulnerabilities in third-party software, the 'OS X is secure' attitude must change. A half million users can't be wrong, and those users will eventually move past their denial phase and expect Apple to step up to the plate.

Apple will have to up their game a bit on incident response, too. An urgent fix for a months-old vulnerability followed by a fast-tracked effort to provide a malware removal tool, resulting in three updates in ten days, doesn't leave me with the impression that they have a well-oiled response machine. Apple will feel heat that has been directed at Microsoft the last decade (and Unix systems before that). Hopefully they will learn from their competitors and react to the new landscape better and faster than their peers did.

Apple can't blame Sun either. The vulnerability of Java is well known (as are the vulnerabilities of Flash, Reader, Safari, Firefox…). Apple also has had plenty of opportunity to learn from their own mistakes, having repeatedly offered multiple versions of vulnerable desktop software to their customers.

I figure that it'd be pretty boring surfing the web with a platform that isn't exposed to drivebys and remote root exploits so I never really embraced OS X as my preferred home desktop. Now that OS X is playing in the big leagues I figure that it is sufficiently challenging for me to use it as my preferred desktop, and I went out and bought an 11" Air for my home computer.

Update 2012-05-11: Apple accidentally logs passwords in clear text. In football (soccer) that would be an "own goal". A major league fail. 
