Macs are immune from security threats, right? It’s Windows we have to worry about. That water-cooler wisdom needs to be flipped on its head, security experts and IT managers warn. Microsoft has gotten its security act together with Vista and its current security-response program; meanwhile, Apple is fast becoming the company most in need of getting its security mojo going.
Many IT and security managers who have focused on securing Windows need to turn their attention to the Mac OS, as these six Mac security flaws attest. And with Macs increasingly making their way into the enterprise, they shouldn’t wait: According to a recent Yankee Group study, 80 percent of senior managers at 700 companies had Macs in house, with 21 percent boasting 50 or more Macs in use.
A few security holes in Mac OS X are already known, such as the unpatched ARDAgent vulnerability. But that’s not where the principal Mac security threat lies. From interviews with security experts and corporate IT managers, it’s clear that security concerns and potential risks are much more quotidian — exactly the kind of bread-and-butter stuff that is easy to ignore, especially for Macs, where IT’s familiarity with the Mac is slight because users have typically managed the computers themselves.
It’s time for IT to figure out where the Mac’s security holes are so that you can plug them before your corporate knowledge starts bubbling out. Here are the six main flaws you should focus on.
Security flaw No. 1: Update management
Across the board, IT and security folks peg patch and update management as Apple’s biggest lacuna. The problem is not that the Apple doesn’t release security patches, bug fixes, and functionality upgrades on a continuous basis. Instead, the issue is with four flaws in Apple’s update process:
- Unlike Microsoft’s Patch Tuesday, Apple offers no predictable schedule on which critical updates are released.
- There’s no simple rollback or uninstall provision.
- Many updates don’t fully document the set of changes involved.
- Apple doesn’t provide hooks for third-party software to assist in managing patch installation or rollbacks, although such software does exist. (Apple does allow configuration so that software updates are downloaded from an intranet server, however.)
“Apple just goes ahead and issues an update without anyone knowing it’s coming, and no one knows what’s inside it,” says Rich Mogull, an independent security consultant, formerly of Gartner.
This demonstrates Apple’s newness to the enterprise environment with Mac OS X, despite the operating system’s many years on the market and its growing adoption rate. For single users and midsize offices, these patch policies raise few eyebrows. But for large corporations, they’re insufficient.
Third-party patch management software for Mac OS X is available (such as LANrev, Bigfix, and PatchLink), but only a few suites are designed for anything but Mac OS X — which makes it hard to have a unified suite for Windows and Mac patch management.
The danger here is in allowing individual users to manage their patches, which could lead to systems — especially laptops carried by mobile users — being far out of patch compliance and, thus, vulnerable to long-fixed security holes.
Solutions: Install an intranet proxy for Apple’s software updates.
Review Mac-oriented patch management; these suites also include options for distributing other software updates and corporate documents, as well as auditing settings and installed software. Check with your patch management vendors about plans to add Mac support if yours do not. Send reminders to Mac-using employees whenever critical patches appear to install the updates as soon as possible.
Schedule patch sessions for laptops that are primarily out of the office, as they are most vulnerable to proximity attacks via Wi-Fi or Bluetooth, as well as attacks from untrusted networks on which they are located.
Security flaw No. 2: Serious third-party security flaws are slow to be fixed
Most of Apple’s most serious security updates, ones in which remote code execution or arbitrary code execution are possible, typically involve third-party software — often open source or free software components. (Notable exceptions are Safari and QuickTime, Apple-developed products that have had dozens of serious flaws, none of which have so far turned into attacks prior to being patched.)
While the project running the software often patches such vulnerabilities in hours or days, Apple often lags in releasing such updates. For example, Apple included version 2.2.6 of the Apache Web server in Mac OS X 10.5 (Leopard) in October 2007. Apache was updated to 2.2.8 to fix several security flaws in January 2008, but Apple didn’t ship an update until March 2008.
But other times, Apple is speedy. For example, an Apple researcher discovered a set of flaws in the Ruby language and environment, which were documented and patched June 20, 2008. In this case, Apple took only 10 days to release its security patch.
In both cases, it’s critical to note that neither Apache nor Ruby is used by default in Mac OS X. Apache must be enabled either through the Sharing preference pane’s Web Sharing service check box or at the command line. Ruby isn’t used for any native Apple products, and it must be wired in at the command line or through third-party packages.
Locking down this sort of access would prevent the most likely security flaws from being exposed, but that’s problematic with the current OS. Configuration management software does exist to help such a lockdown, but again, Mac support may not exist in the software you’re running companywide.
That should change. “We are starting to see early signs that some vendors are supporting Mac as a platform for those configuration management systems,” Mogull says.
Solution: Consider limited deployment of third-party software to restrict configuration by administrative users if your current solution doesn’t include Mac support.
Security flaw No. 3: Everybody’s an administrator (or not)
Apple has a binary attitude when it comes to modifying system settings, gaining access at the command line to its Unix underpinnings, and installing software: You’re either an administrator — or you’re not.
For home users and small businesses, the distinction is probably enough. An unprivileged or normal user can be restricted via parental controls and typically can’t create user accounts, enable file-sharing services, or install certain kinds of software. For that, an administrative-flagged account is needed.
But with administrator privilege set, a user can turn on features through switches in System Preferences, such as enabling Samba — “the Mac version is typically three to six months out of date,” Mogull says — or using the Terminal application to activate any of the thousands of Unix daemons and servers that ship as part of a stock Mac OS X system.
“It’s hard to enable those things on Windows,” says Thomas Ptacek, a principal consultant at security firm Matasano Chargen, noting that even when such settings are available in Windows, the settings are typically obscure or complicated enough to deter average users. By contrast, a single click might be enough in Mac OS X.
Solution: Limit administrative accounts to users that require them.
Security flaw No. 4: Naïve use of Back to My Mac
Mac OS X includes one special service that sounds alarming at first glance — and can be a real security hole in unmanaged environments. Back to My Mac, a remote access system built into Mac OS X 10.5, requires both a MobileMe account (formerly .Mac) from Apple and administrator privileges. Back to My Mac operates like the GoToMyPC familiar to Windows administrators, although it’s less insistent about working around intentional blockades.
While Apple uses IPv6 tunnels, IPsec encryption, and Kerberos tickets to secure connections, starting up such a connection from anywhere on the Internet requires just the password to someone’s MobileMe account. With that password, all computers with Back to My Mac enabled can have their files examined or screens remotely controlled.
In a managed enterprise, security experts don’t believe that Back to My Mac creates any real risk, despite its feature set. “No enterprise is going to allow something like Back to My Mac unless it’s running through a VPN tunnel,” Mogull says, at which point it would conform to the enterprise’s policy. If users are running Back to My Mac on their own, “it would mean that [IT] royally screwed up” the firewall, he adds.
Matasano Chargen’s Ptacek says that Back to My Mac will eventually fall under the category of services that businesses ban their employees from using in the office. “Enterprise users are not allowed to use Gmail or Yahoo Mail,” he notes, and Back to My Mac should be treated the same.
Solution: Confirm that Back to My Mac won’t work in your environment. Establish a policy that bans its use.
Security flaw No. 5: Complacency over malware
The recent appearance of a kit that lets malicious parties install Trojan horses in legitimate software to, in turn, obtain root access to a Mac seems to run counter to the widely held view that Macs are immune from many of the exploits that once plagued Windows (and that Vista has ameliorated).
But that Trojan horse doesn’t meet the smell test: Like a few other “concept attacks,” the exploit requires that someone download and install software, although no password is required for the malware to run. (The exploit relies on the escalated privileges available for the Apple Remote Desktop agent, or ARDAgent, even when it’s turned off. An AppleScript command can be sent to the agent, which is handed off as a root-level shell command.) A survey of security experts and the buzz among the Mac enterprise management community shows that this threat is a nonstarter.
The fact is that the Mac has not been a malware target, and it is safer than Windows from such threats. And that’s where the risk lies: The Mac is safer from malware today, and there’s very little concern about the Mac being a gateway to infecting Windows users.
But that may not be true in the future, and there is some concern that IT won’t be ready to protect Macs from malware when that day comes.
Today most of those who follow Mac security closely seem to abjure anti-virus software. “It’s not unreasonable to use anti-virus in an enterprise, especially if compliance is an issue,” says Mogull — but “I wouldn’t necessarily recommend that for a consumer,” he adds, because today’s anti-virus apps don’t address Mac OS X’s actual risk profile today. “Anti-virus is an industry failure,” Ptacek says. Because of this, he can’t recommend that companies install anti-virus software at all.
Dino Dai Zovi, an independent security researcher, is concerned about acceleration in this area. “Because there is still very little malware in the wild targeting Apple, it is still a safe platform, and it is in a lot of ways safer than the Windows equivalent. But I think that that time is rapidly changing,” he says.
Mogull cautioned that the worst could be yet to come. “It isn’t that the Mac is immune or even more resistant to these attacks, there just hasn’t been very much interest in them,” he says, a sentiment echoed by security experts and IT managers. With more Macs in the enterprise, it’s likely that attacks designed to extract information or take over Macs to use them as zombies will hit the wild.
While the Mac OS itself is fairly safe, at least for now, from malware, the Mac OS X’s default Safari browser is not. “We’ve long since moved into this place where it’s about the browser and about JavaScript,” Ptacek says.
Even security experts unconcerned over OS-level malware threats are worried about browser-based threats. The fears center on as-yet-undiscovered flaws in the Safari browser and on Apple’s use of the Webkit, a browser engine that’s both employed throughout OS X and available to third-party developers. The concerns are not theoretical: A flaw in Safari on the iPhone found in a TIFF library module lets an iPhone forfeit root control just by visiting a Web page. (This was briefly a popular way of jailbreaking iPhones to install third-party software.)
Solutions:Keep abreast of security updates and security news related to Macs. Make sure the same outgoing firewall monitoring tools cover Macs as other platforms to identify hallmarks of hijacked systems.
Security flaw No. 6: Apple’s security is half-baked
The strongest concerns over Mac OS X security have to do with improvements introduced in Mac OS X 10.5 (Leopard) that fall short of what’s fully needed. “Nothing in Leopard is completely implemented,” says Mogull. “They finished enough to get their marketing bullet point, but not a real strong level of defense,” concurs Dai Zovi.
Leopard has a strong foundation on which more enterprise-oriented features should be built, as well as a greater extension of integrity and attack resistance for individual users on their own or in companies. For example, Apple added library randomization to Mac OS X 10.5, which prevents virus writers from finding code at specific places in memory each time. However, unlike with Vista, only a subset of what can be protected is actually protected.
Some suspect that Apple will finish building enterprise-class security in Snow Leopard, the next major Mac OS X, slated for summer 2009. While Apple is scant on details related to Snow Leopard, it’s clear that with the “pause button” pressed, as Apple CEO Steve Jobs put it, security and enterprise support will be two of the big improvements expected. (Better use of multiple cores and processors and a push toward optimized software such as JavaScript and QuickTime will be two of the other pillars.)
Solution: With Snow Leopard a year away, security-conscious enterprise may choose to delay serious Mac deployments until they know precisely what security improvements Apple commits to for that release.
Don’t be complacent about Mac security
It’s vital that security planning takes place before holes appear, and that the IT staff is ready to handle the differences between the Windows, Unix, and Linux systems they may be accustomed to and what Mac OS X brings with it.
Dai Zovi said, “The biggest danger is a sense of complacency: ‘Oh, it’s a Mac, we don’t need to worry about this.’ “