Do automatic OS X security updates signal a sea change at Apple?
Experts say the move is positive, but it remains unclear if Apple has really changed its often criticized stance on security
June 26, 2012 — CSO — Perhaps Apple was hoping nobody would notice the somewhat subtle changes in the language on its "Why you'll love a Mac" webpage. After all, "It doesn't get PC viruses" and "It's built to be safe" are both reassuring messages. Not all that much difference between "Safeguard your data. By doing nothing," and "Safety. Built right in," right?
Wrong. Security experts, starting with Graham Cluley of Sophos, noticed it, broadcast it and pronounced it a very big deal. Writing on Sophos' Naked Security blog, Cluley pointed out the changes and surmised that since "one particular piece of Mac malware [the Flashback botnet] had infected 600,000 Macs worldwide, including 274 in Cupertino," the claim that Macs don't get viruses, PC or otherwise, was seriously compromised.
"People in glass houses shouldn't throw stones," Cluley wrote, adding that the tweaking of the wording, along with the company mentioning malware at a WWDC keynote address, amounted to "some important baby steps" in acknowledging that Mac malware is a reality and that Apple customers must do more than "nothing" to keep their machines safe.
Preston Gralla noted at Computerworld: "That marketing change may not strike you as substantial, but coming from Apple, it's a big deal. Apple has long denied any security problems with the Mac, detailed evidence to the contrary."
Other Apple critics gleefully piled on. Mihaita Bamburic, writing at BetaNews, said what he and others have been saying for years: The only reason Macs have been "safer" is because they are not as large a target.
"The Apple world, due to their irrelevance on the market -- around 10% PC share in the United States, less than 5% worldwide, according to Gartner and IDC -- hasn't gotten much attention from the bad guys," Bamburic wrote, and then mocked the language change. "What does Apple do in light of all this? No apologies, as it's too embarrassing. They quietly (like running through a room full of people thinking no one's going to notice) change their security motto."
But once the "we-told-you-so" chorus subsides, the more relevant question for millions of users is whether this "quiet" change in terminology signals a change in action. Is Apple going to take security more seriously?
Based on breaking news about Apple's newest OS X, Mountain Lion, and other recent events, the answer seems to be a qualified "yes." MacRumors reported Monday that the new system will have significant security improvements that follow Microsoft's lead: It will check for security updates daily instead of weekly, and will install them automatically.
Gregg Keizer reported at Computerworld: "Apple also said it beefed up the security of the connections between customers' Macs and its update servers, hinting at the same kind of improvement in encryption that Microsoft made this month after Flame, an advanced super-spy kit, was found to fake Windows Update downloads."
But, of course, that still leaves millions of Mac users -- the ones who will not be running Mountain Lion -- to install updates themselves, after they're notified.
Edy Almer, vice president at security software vendor Wave Systems, said he thinks the debate over PC vs. Mac security "misses the larger point: There are many security actions from both sides that have greatly improved the security posture of their respective [OSes]."
Almer cites Apple's tight control of iTunes applications and adds: "The introduction of an app store proved immensely helpful in mitigating the risk of infection from malware. Microsoft mimicked this with its Win8RT model -- a much stricter lockdown of what can be installed and controlled through the app store."
And he notes that Apple has followed Microsoft's lead in the past as well: "The native FDE offering of BitLocker was later imitated with the introduction of FileVault2 in OS X Lion," he said, but adds that those improvements simply make the need more obvious for independent security software.
On another front, Brian Krebs, a former Washington Post reporter and author of the blog Krebs on Security, has criticized Apple for years for taking far too long to fix known security holes. In a 2009 blog post at the Post, he reported, "I have reviewed the last three Java updates that Apple shipped during the past 18 months, and found that Apple patched Java flaws on average about 166 days after Sun (Microsystems) had shipped its own patch to fix the same vulnerabilities."
But in a post earlier this month, Krebs was more complimentary, noting that Apple had shipped a software update for Java on the same day as Oracle, the official producer of Java -- a vast improvement from "consistently [lagging] months behind Oracle in fixing security bugs."
"It seems that Apple learned a thing or two from that [the Flashback] incident," Krebs wrote.
However, Krebs told CSO that while he suspects Apple wishes it had moved more quickly with the earlier Java patches, "it remains unclear how or if this incident has caused the company to take other such risks more seriously, or if indeed it has served to make Apple's attitudes toward security any less opaque."
Blake Turrentine, of HotWAN and a trainer for Black Hat, said he hasn't seen a shift. He said he has a difficult time finding antivirus products in Apple stores. "When I talk to one of those folks in the blue shirts, I ask them where's the antivirus software," he said. "Their 'programmed' answer is that Macs don't get viruses, they may get malware. Often they tell me they've been running without antivirus on their own personal systems for years and never had a problem."
"I guess ignorance is bliss when you're an unsuspecting player in a botnet," Turrentine said. "Forget that your shiny new Mac is shipped from China."
Other stories by Taylor Armerding