The truth about Apple, Mac security, and responsibility
While we might continuously debate glossy vs. matte screens, the visual aesthetics of a translucent dock, or the value of MobileMe, few issues in the Apple community generate as emotional an response as Mac security. One extreme considers the Mac an unassailable platform immune to the problems plaguing Windows users, while the other tells us that a Mac Security Armageddon is just around the corner. But the vast majority of Mac users merely want to know what risks they really face, and how to keep their system safe.
On May 26, Macworld republished a controversial Computerworld article by Ira Winkler suggesting that Apple is “grossly negligent” when it comes to security, and should be investigated by the Federal Trade Commission for false advertising. The author was motivated to write this piece based on Apple’s recent failure to patch a known Java security flaw that was fixed on other platforms nearly six months ago. While the article raises some legitimate issues, it’s filled with hyperbole, inaccurate interpretations, and reaches the wrong conclusions. Here’s what you really need to know about the Java situation, Mac security in general, and the important lesson on how we control Apple’s approach to security.
The article is absolutely correct in that Apple clearly bungled the Java security patch, placing Mac users at risk in the process. This isn’t the first time Apple has failed to patch a known security issue in a timely fashion, and it reveals a major weakness in the company’s security program. Mac OS X, like other operating systems, relies heavily on third-party components or programs. Since Apple doesn’t necessarily control the code, it is reliant on the software’s developers to manage any security vulnerabilities that come up. This is a pretty common situation in the software world, and companies typically develop relationships with whoever controls the code they include (even if it’s open-source software) to coordinate updating their products when patches are released for the underlying programs. Since, once a patch is released, the details of a vulnerability become public, it’s important for all software using that code to be patched at the same time, so no one is left exposed. Most computers are compromised using known, unpatched vulnerabilities rather than new, unknown flaws.
Apple has a poor history here, often failing to provide OS X security fixes for flaws fixed on other platforms days, weeks, or even months earlier. We’ve seen Mac users exposed to known vulnerabilities in WebKit (Safari), Samba (Windows file sharing), DNS (networking), MDNS (Bonjour), Apache (web server), Java, and more. This is an extremely serious problem, and one Apple is rightly criticized for. All Mac users are at risk due to the Java vulnerability, and should immediately take actions to protect themselves. Had Apple issued a patch with everyone else, we wouldn’t be so exposed.
While there’s no legitimate excuse for Apple’s failure to patch, Winkler’s article misinterprets the facts in its call for government involvement.
Yes, Macs are plagued with as many (and sometimes more) vulnerabilities as other operating systems. These are the doors attackers use to exploit our systems, and Macs are far from invulnerable. But the truth is that in the real world, Macs suffer from far fewer compromises. This is the difference between security and safety. A highly secure home in a bad neighborhood is still more likely to be robbed than a less secure home in a safer area. Mac market share is probably an important reason here, as is the history of the platform, the focus of the bad guys, and a host of other factors.
Should the FTC ever make that fateful call to Cupertino, Apple can show a track record of customer safety, even with lower security. While Macs are theoretically more exposed to attacks than current versions of Windows, despite all the OS X vulnerabilities there are only a couple handfuls of malicious Mac software programs in the wild, and not a single widely seen self propagating virus. Macs do get compromised, but currently at a rate far lower than Windows systems.
Apple advertises that Mac users are safer, and, practically speaking, they are. Until those vulnerabilities and Apple mishaps result in actual, wide exploitation of its users it’s mighty hard to call those advertisements grossly negligent. To steal Mr. Winkler’s analogy, if an automobile manufacturer advertised having safer cars than its competitors, and their customers suffered fewer accidents with less injuries, even if the car was a theoretical death trap it might be hard to build a case for negligence. Besides, the FTC would then have to go after nearly every other major software company that’s made false claims as to the effectiveness of security or other features in their products, instantly slamming us back into the stone age.
The real failure of this, and many other, calls for Mac security is that they fail to accurately identify those who are really responsible for Apple’s current security situation. It isn’t security researchers, malicious attackers, or even Apple itself, but Apple’s customers. Apple is an incredibly successful company because it produces products that people purchase. We still buy MacBooks despite the lack of a matte screen, for example. And until we tell Apple that security will affect our buying decisions, there’s little motivation for the company to change direction. Think of it from Apple’s perspective—Macs may be inherently less secure, but they are safer than the competition in the real world, and users aren’t reducing what they spend on Apple because of security problems. There is reasonable coverage of Mac security issues in the mainstream press (Mr. Winkler’s claim to the contrary), but without demonstrable losses it has yet to affect consumer behavior.
If Macs start being compromised on a wide scale, or security concerns otherwise start affecting buying decisions, no amount of Apple advertising will be able to cover it up. Market forces will engage, and Apple will either provide a more secure platform, or we’ll all move on to something else. The more we pressure Apple for security, and not just relative safety, the less likely we are to experience future real-world security compromises.
Our Mac security future is in our hands, not the government’s, attackers’, or even Apple’s.
[Rich Mogull been working in the security world for 17 or so years, and breaking computers even longer. He currently works as an independent security analyst and writer through Securosis.com and previously spent seven years as an analyst with Gartner. He is a frequent contributor to TidBITS.]