If anybody still thought Apple devices were bulletproof, the Flashback drive-by episode last month should have provided the needed reality check.
However, is the company really as out of the loop on security as some of its critics contend? Is it “10 years behind Microsoft in terms of security,” as Kaspersky Labs’ Eugene Kaspersky famously said recently?
And do its vulnerabilities, exaggerated or not, mean it is at risk of losing market share in the enterprise, where many businesses might have been persuaded to use Apple desktop and mobile devices in part because of the company’s demonstrably false claim that they don’t get viruses?
Probably not, at least not right now.
“I don’t think enterprises buy Macs because they perceive them as being inherently more secure,” said Roger Thompson, chief emerging threats researcher at ICSA Labs.
His colleague at ICSA, anti-malcode program manager Andy Hayter, said corporations should be more sophisticated than the average individual user and, “should have protected Mac computers by now, knowing there is plenty of malware that can cross platforms.”
Edy Almer, a vice president at Wave Systems, said: “Apple never relied directly on business users. What would likely happen is increased awareness in IT that Macs are corporate devices and need the full IT suite—systems management, security, backup, encryption and DLP just like any other endpoint.”
John Linkous, vice president, and chief security and compliance officer at eIQnetworks, agrees that Flashback, which is said to have infected at least 600,000 Macs, is unlikely to affect enterprise interest in Macs.
“But it might give them second thoughts around mobile technology [iPhone, iPad],” he said. That’s where you’re seeing greatest adoptions of Apple devices. One of the key things they’ll ask themselves is how are they going to manage these things.”
And in comment threads following stories about Kaspersky’s comments, Apple owners are as fiercely loyal as they have always been. Some of them, like one called “gavernmusic,” claim that it is all a conspiracy by antivirus vendors.
“You can bet that it’s a Microsoft-related affiliate that designs the viruses,” gavernmusic wrote.
Another, going by the handle “cozmot,” wonders: “If their [Kaspersky’s] AV software is so great, why do computers that use it still get infected with viruses and malware?”
Build it and (hackers) will come
Still, more sober voices say that Apple does need to do more to get its security house in order, if it wants to continue the explosive growth that has fueled its profits and stock price in recent years.
Ed Bott wrote at ZDNet this past weekend that Apple must confront “one of those great ironies of technology—an increased incidence of malware is a sign that your product has been a success in the market.”
Bott says Apple is far too slow to deliver updates. He notes that its update to fixed the Java security hole [exploited by Flashback] was released April 3. That was 49 days after Oracle released the Java SE 6 Update 31 for all other platforms.
Jonathan Zdziarski, author of “Hacking and Securing iOS Applications,” told SecurityNewsDaily that “Some iOS (which runs iPhone, iPad and iPod) attacks from the past took months to fix. The [iPhone] jailbreak community had fixes out for users before Apple did. That’s shameful.”
Bott says the company offers no automatic update options, only provides updates for the current and immediately preceding versions of the operating system, and doesn’t communicate well. Apple didn’t issue a public statement about Flashback until April 14.
‘Reality distortion field’ resurfaces
Linkous says Apple’s lack of communication is legendary, and is reminiscent of the “reality distortion field” that the company’s late founder, Steve Jobs, was said to be able to project to developers working on the Macintosh.
“They think, ‘If we don’t tell the customer, it doesn’t exist, and they won’t worry about it,’” Linkous said. “But that’s antithetical to good information security.”
Security expert and blogger Brian Krebs is another who says that slow response and a lack of communication is typical of Apple. “In 2009, I examined Apple’s patch delays on Java and found that the company patched Java flaws on average about six months after official releases were made available by then-Java maintainer Sun,” Krebs wrote on April 4, the day after Apple released its update.
So while corporate leaders don’t expect Apple products to be immune from attacks, they do expect the company to take threats seriously, to address them quickly and to be transparent about confronting those threats and educating their customers.
ICSA’s Thompson says he thinks Apple devices are generally secure, but are not invulnerable. “Every year, a fully patched Mac seems to fall quickly at CanSec West,” he said, adding that, “Mac users simply need to understand the risks, and be sensible.”
“To paraphrase Obi Wan Kenobi, ‘We will never find a more wretched hive of scum and villainy than the Internet. We must be cautious,’” Thompson said.