Editor’s Note: The following article is reprinted from CSO.
Just last week, news broke that Apple was offering copies of its yet-to-be released Mac OS X 10.7, or Lion, operating system to security researchers and soliciting their feedback.
In an interview with Computerworld’s Gregg Keizer, Mac security expert Charlie Miller, with Independent Security Evaluators, and an author of the Mac Hacker’s Handbook, acknowledged that he wasn’t aware of Apple taking such steps before.
Miller sees the step as, potentially, a good move. “That they’re thinking of reaching out [to researchers] is a good positive step, but whether it makes a difference, I’ll believe it when I see it,” he told Keizer.
Miller is widely known for successfully hacking vulnerabilities in OS X and Safari at the annual Pwn2Own contest over the past few years.
Miller is set to do so again next week in Vancouver at this year’s Pwn2Own contest at CanSecWest Vancouver.
Though clearly not directly related, this news broke around the same time antivirus firm Sophos reported on a new Mac OS X backdoor Trojan, known as BlackHole RAT (Remote Access Trojan).
Proactively engaging with the Apple security community is Apple’s most recent move in what appears, from the outside, that the company is stepping up its security game. Earlier this year Apple reportedly hired noted software security expert David Rice. That personnel move followed the hiring of Window Snyder, former security lead at Mozilla, last year.
“They’ve hired a number of high-profile people,” says Rich Mogul, founder and analyst at researcher firm Securosis. “They’ve since fallen into the Apple vacuum, but I most definitely get the feeling that Apple is taking security more seriously.”
Also, two independent sources close to Apple report that the company is aligning a security member as part of each product team, though CSO has not been able to confirm this.
Steps like this can only be good news for consumers of Apple products, enterprises, and Apple’s own ambition to gain a larger piece of corporate sales.
While consumers inherently trust Apple OS X systems to be safer than its Windows competitors, businesses don’t have that luxury. That’s not to say consumers aren’t justified in their belief. They are, as OS X attacks rarely rise above proof-of-concept malware that spread nowhere fast.
Businesses, however, are justified in their cautionary stance as well, experts say. Apple software applications are certainly not without their vulnerability concerns.
Just this week, Apple released a security update to fix nearly five dozen significant flaws in iTunes, many based on its web browser engine Webkit.
A quick perusal of the National Vulnerability Database for Apple shows 417 items for all of 2010. Many of those vulnerabilities are for Apple products and applications. Many others are for applications that run on OS X.
Fortunately, for now, Mac users have been spared attacks and malware that target those vulnerabilities. However, in today’s age of strict regulatory compliance and highly targeted attacks, organizations need more assurance that they can manage the risk associated with their devices. And, just because a device hasn’t been hit with widespread viruses doesn’t mean users can’t be attacked with specialized exploits.
Last year, for instance, news reports surfaced that the British government forbid iPhones and iPads because the company refused to allow its source code to be analyzed by intelligence services. Meanwhile, Apple’s slowness to fix some of its vulnerabilities has been a point of contention among experts.
“Apple has been slow to patch a number of software vulnerabilities in the past, and it’s reliance on open source as part of its operating system does complicate the patching process,” Mogull says. “But, overall, you have to see the moves the company has made, such as the reported hiring and engaging with the security community with Lion as right steps,” he says.