Apple’s Security Past Defines Its Future
It’s a foundational meme of the modern Internet that once Apple’s market share rises above a certain nebulous level, Mac users will face a horde of viruses, worms, and other nefarious malware that will quickly burst our bubble of innocence and drag us into the swamps of despair long populated by our Windows-using brethren. But while market share is clearly an important factor in the relative security of the different platforms, and probably the most significant one from a historical perspective, such arguments fail to account for the current threat environment surrounding both Apple’s products and the Internet at large.
Recent moves by Apple, especially the hiring of prominent security experts like David Rice (the author of “Geekonomics: The Real Cost of Insecure Software”) and Window Snyder (former head of security for Firefox maker Mozilla), combined with frequent product updates, indicate that Apple may be quietly, yet significantly, improving their security infrastructure. With Apple’s rising popularity, increasing use in the enterprise, and dominance in mobile computing, such moves could help the company avoid the pitfalls of the last decade that even now continue to plague Microsoft.
But don’t think for a second that Macs are invulnerable or immune to security issues. Just last week I saw engineers at security software maker Immunity (in a Web-based demonstration) exploit an up-to-date version of Mac OS X 10.6 Snow Leopard via Safari using a new, unpatched, WebKit vulnerability. All it took was clicking on a single link to give the attacker full control over the Mac.
Microsoft Rises to the Security Challenge — At the beginning of the century (all of 10 years ago) Microsoft faced one of the greatest challenges in its history. Internet worms and viruses were so rampant on the platform that it was nearly impossible to protect (or use) the systems. Unlike today’s financially motivated malware, the dark side of software at the time was just as likely to erase your hard drive as steal your credit card. Microsoft then, as today, was the dominant platform among consumers, but held near-total control of the enterprise (business and government) market.
In 2001, enterprise IT professionals sweated as the Code Red and Nimda worms, and viruses like Melissa and LOVELETTER, wreaked havoc with their systems. Firewall and antivirus companies rejoiced in the massive increases in sales, but few others enjoyed the new reality.
The situation was so out of hand that Microsoft’s largest customers confronted the software company and stated, in no uncertain terms, that Windows was so difficult and expensive to secure that they faced no other option but to absorb the extreme costs and move to another platform. Microsoft responded in 2002 with the Trustworthy Computing Initiative: a massive realignment of corporate priorities in which security would take precedence over time-to-market and other factors. One of the cornerstones of this program was the creation of Microsoft’s Security Development Lifecycle (SDLC), a process for integrating security into every phase of software development.
Although it’s still commonly believed that Microsoft software is insecure, the reality is the company is now a leader in developing secure software and responding to security issues. What most fail to acknowledge is that the large majority of serious security problems affecting Microsoft involve older products, especially Windows XP. These products never went through the cradle-to-grave SDLC, and instead still rely on a series of fixes and patches. Problems are exacerbated by serious weaknesses in third-party software like Adobe Flash (now entering its own SDLC program) and Java.
The first Microsoft product released after undergoing the complete SDLC process, SQL Server, suffers fewer software vulnerabilities than any competing database platform (a mere handful over a matter of years). Windows Vista was the first consumer operating system to undergo the SDLC and is materially more secure than Windows XP (albeit nearly unusable from a user interface standpoint). More recently, Windows 7 has blended usability, performance, and security into a fairly solid platform that is much more difficult to exploit.
But Windows XP is still the dominant Windows version in the hands of users, even though it’s no longer available from Microsoft, and it’s impossible to experience the benefits of Microsoft’s recent security initiatives without upgrading to a modern operating system.
Apple’s Unix Roots and Market Share — The same year Bill Gates announced the Trustworthy Computing Initiative, Steve Jobs released Mac OS X. Based on a Unix foundation, Mac OS X was, at the time, more secure than Windows XP due to how it handled user accounts. Most Windows users needed to run their systems as administrators, while Mac OS X users ran at a lower privilege level, but could enter their passwords when they needed to perform something requiring greater rights, such as installing software. Although merely a speed bump to attackers, the feature did offer a little more security.
Coming off the corporate difficulties of the 1990s, Apple’s market share was in the single digits, with comparatively few users outside the education and media markets. In the late 1990s and early part of the 21st century, Microsoft software was both easier to exploit and ridiculously dominant.
The Mac’s low market share also inadvertently conveyed additional security benefits. Those miscreants learning to write viruses and other malware were far less likely to use Macs themselves. Windows PCs were cheap, easily available, and a more common platform for teaching programming. The bad guys weren’t using Macs, Macs were somewhat more secure, and there were far more Windows targets in the world.
More Macs, But a Different Environment — Any glance around a coffee shop or peek in an Apple Store tells us Macs are more popular than they’ve been in decades. Some Mac defenders like to point out that despite this increase in market share, there has been very little increase in security problems, and claim that this must mean Macs are inherently more secure. On the other side are naysayers who are convinced that any day now Macs will face the exact same security challenges as Windows users.
Both sides fail to realize that users of current Windows versions don’t face nearly the problems of those on Windows XP, and that Macs now exist in a completely different environment than ten years ago.
Windows 7 faces a fraction of the malware that successfully attacks previous versions. Many of the attacks that do work rely on Adobe Flash or Reader, or on Java (and, as mentioned earlier, Adobe is finally focusing on security improvements).
Apple has also had time to learn and improve their own security. Snow Leopard includes many of the same security controls used in Windows 7. The one big exception is an incomplete implementation of Library Randomization (called ASLR on Windows). But, as demonstrated by security researcher Stefan Esser, there’s no technical obstacle to fully implementing Library Randomization on Mac OS X. Combined with other security technologies like Data Execution Protection and a 64-bit operating system, these features significantly improve the security of any operating system.
Apple also seems to be taking the enterprise market more seriously. Apple approaches enterprises from exactly the opposite direction that Microsoft does. Rather than focusing on the enterprise first, Apple concentrates on the consumer, then slowly lowers any barriers to enterprise adoption (such as continuously increasing support for Microsoft Exchange, corporate VPNs, and enterprise provisioning of mobile devices). Apple knows that if security issues become endemic to their products, the odds of continuing their enterprise success rapidly drop off a cliff.
And finally, the malware ecosystem simply isn’t in place for Mac OS X. Few malware writers start from scratch; they use common toolkits and packages to create custom variants of, or add “features” to, existing code. This doesn’t prevent anyone from attacking Macs, but it does mean greater effort is involved. There’s no reason to chase a gazelle if a flock of sheep is sitting in front of you.
Mac users will never face the same environment that Windows users did a decade ago when malware became such a persistent issue. The only fair comparison is against Windows 7 users today, who also live in a far more secure world.
Positive Signs in iOS and MobileMe — Apple’s most popular platform, iOS devices, faces a different situation. Apple has near-total control over the devices, including the entire application ecosystem. While iOS devices are far from perfectly secure (every jailbreak is a successful security exploit), the very tools Apple uses to maintain platform control also enhance user security.
iOS devices use a combination of hardware and software security to protect the platform. Although we’ve seen security issues, there has yet to be any significant exploitation of non-jailbroken iOS devices. The single most popular smartphone in the world for the past couple of years has yet to experience a widespread security issue. Why? Because hardened platforms take more effort to develop malware for.
MobileMe is another example of Apple taking security more seriously. All MobileMe communications are now encrypted by default, something still not supported by other major webmail providers except Google. Apple improved MobileMe’s security before it experienced significant problems.
Apple’s Security Future — Apple still suffers from many of the security issues I identified in “Five Ways Apple Can Improve Mac and iPhone Security” (3 June 2009). The exploit demonstration I mentioned at the beginning of this article was performed using a known WebKit vulnerability that has yet to have a patch available. Apple still hasn’t completed Library Randomization, and some vulnerabilities in recent patch sets appear to be signs of weak security development and testing.
While Apple still hasn’t resolved some of these fundamental issues, for the most part users remain unaffected. It’s easy to criticize Apple’s lagging responses, but until problems affect users on a large enough scale to affect sales, it’s hard to argue with Apple’s actions. The one case of wide exploitation I’m aware of was related to a DNS issue on Mac OS X servers—the Apple platform that tends to be at the bottom of the priority heap.
But Mac OS X contains all the core pieces for a very secure operating system, and if there’s one thing Apple proves time and again, it’s that they are extremely sensitive to anything that will hurt their growing success. It’s unlikely the well-known security experts Apple has hired of late would take such positions if they didn’t think they could have an effect on the company and its products.
Possibly even more significant is the rise of the iOS and Mac App Stores. Providing users a centralized, controlled source for applications reduces the chance they will download random garbage from the dark corners of the Internet. Sure, some people will still take risks in order to find naked pictures or to lose their savings in rigged gambling halls, but most users will likely stick to the safer shopping mall.
Apple users will surely suffer greater security challenges as the use of Macs and iOS devices grows. But attackers don’t have nearly the open playing field they did for a decade or so on Windows. Macs will never be as completely exposed as previous versions of Windows, and it is inconceivable that Apple wouldn’t respond rapidly to anything threatening consumer perceptions and product sales.
The biggest threat to Apple users isn’t any particular vulnerability or weakened security feature, but the slow decline of Windows XP. The real issue isn’t Mac versus Windows, but Mac OS X and Windows 7 versus Windows XP. Once attackers face two hardened platforms, instead of two hardened platforms and a diamond-filled defenseless baby slug, that’s when market share starts to really matter.
In practical terms this means our security problems will likely exist as a series of isolated events and user-focused trickery rather than as a Windows XP-like pandemic. Apple will surely continue to tighten the security screws, and, based on their staffing trend, they are far more likely to respond quickly to serious issues today than even a few years ago.
I wish you read Apple’s website. Snow Leopard 10.6 has DEP, ASLR and other security measures when it is booted into 64 bit mode.
Apple has been slow to assign the 64 bit boot by default, because not all of its developers have upgraded their applications. Besides, Macs are not under attack. There is much talk about Apple’s vulnerability, but there are no threats in the field.
It is anyone’s guess when Apple will boot automatically into the 64 bit kernel, but surely it will happen by 10.7, which is likely to be released in August.
OS X 10.6 has everything except full ASLR. The dynamic loader (dyld) isn't randomized, and that's enough of a hook that an attacker can use it to bypass the other protections. In the demo by Immunity they sliced right through a 64 bit install of 10.6 via Safari (everything fully patched).
Thus 64 bit itself isn't enough. But most of the researchers I talk with consider ASLR + DEP + 64 bit to be very hard to circumvent. Thus I hope Apple finishes their Library Randomization for 10.7!
I thought this was a very good article.
I should point out, Rich, that the FUD-fest about the imminent invasion of Mac OS X with masses of malware has been going on since the spring of 2005, instigated by Symantec in an effort to boost sales of their worst-in-class anti-malware application Norton Anti-Virus. During the intervening period of nearly six years we have racked up a total of 27 Mac OS X malware, all of which are Trojan horses requiring user failure. There is nothing perfect about Mac OS X. Add to that Apple's terrible record of QuickTime security holes. WebKit has similar problems. However, it has been an amusing waste of time waiting for The Flood of malware. Even Windows 7 has well proven vulnerabilities, including in their much lauded ASLR. Microsoft Windows remains the single least secure and most dangerous operating system available. Meanwhile, Apple has exponentially improved their attention to Mac OS X security. I write about Mac security at: http://Mac-Security.blogspot.com
Thanks Derek, but I have to disagree about Windows 7. It's more secure than most competing operating systems, including OS X and many Unix variants. It's also attacked a heck of a lot, and Java and Adobe are real problems to secure.
I'm sorry, but given how much time is wasted throughout the course of the year by IT/Sys Admin/Consultants (myself included) cleaning malware out of Windows (including 7) and given how widely documented the sheer volume of active threats out there compared to *NIX, I'm just at a loss as to how you could possibly say that?!
While I know a lot of security pundits love to go on about ASLR, (and myriads of other useless buzzword technologies) my view is that unless you can actually show me some sort of real world everyday examples of Mac users being compromised through web use (not including a lab or proof of concept theory) happening in an IT environment you've consulted at/worked in the real proof of security (or lack thereof ;) for me remains the plethora of malware that Windows computers are regularly infected with that I have to clean out for clients is the proof of OS X's security through superior design!
"Malware" on Windows 7 includes a lot of trojans.
Trojans aren't something the OS can stop - indeed, trojans are the only notably successful malware I'm aware of on OSX.
Unlike with actual viruses, where underlying security architecture matters, with trojans? It's all about platform popularity.
Because even if you're running SELinux, if the user wants to see the picture of the bunny*, and the download tells him he has to type "sudo bunnypicture" to see it and enter the admin password...
He'll bloody well do it. You can't really stop him.
Along with David Rice & Window Snyder, do you know if Ivan Krstić still works at Apple?
I think so, but I don't know for sure.
What you failed to point out is that the way Apple handles the jail breakers of the iPhone works perfectly--you have an unpaid group of hackers looking for security holes and publishing them quickly in the open rather than in the underground trade. No other operating system has that advantage including OS X. Everywhere else security flaws are discovered and used for months and years before the company and security researchers know about them.
Oh, that's a really interesting way of looking at jailbreaking that I hadn't previously considered...
One of my guys moonlights on a help desk for a firewall company. He says Win7 calls are increasing steadily with adoption. So that's malware making it through a hardware security appliance and through security software on the desktop. Even if they are all trojans, it's still way too much.