When Will Apple ‘Get’ Security Religion?

My recent mention of Apple in a speech at CeBIT Australia initiated the usual flurry of chatter and publications (example) regarding the company’s approach to security. As Apple’s security seems to be a hot topic of late (since Flashfake), I think this is an opportune time to talk some sense about this issue.

As you’ll know, today we see a widening rift between, on the one hand, Apple’s long-term alleged ‘Macs are malware-invincible’ campaign, and on the other – reality, i.e., that this campaign is… losing credibility, to put it mildly. So, will users have the nous to get to understand the real state of affairs, despite what Apple keeps telling them? What’s wrong with Apple’s security approach? Is there anything Apple can learn from Microsoft and other vendors in terms of security?

A decade ago network worms like Blaster and Sasser wreaked havoc on Microsoft’s Windows platform, forcing the company to make some tough – and costly – decisions. The most important was the creation of the Trustworthy Computing initiative, an executive directive that included a major rewrite of Windows XP SP2, an improved security response (Patch Tuesday, security advisories), and the mandatory SDL (Security Development Lifecycle) program that made the operating system more resilient to hacker attacks.

The recent Mac OS X Flashback botnet incident is Apple’s version of the network worm era. It is a wake-up call for a company that has traditionally ignored security.

To really get to the bottom of Apple’s negligence on security, we need to go back to 2006 and that famous Mac vs. PC commercial in which the PC is sneezing from a virus infection and the Mac passes the PC a tissue while dismissing any need for security since viruses pose no threat to Mac OS.

The ad was both clever and funny, but misleading. It helped perpetuate the false sense of security among the Mac faithful and ossify the mindset that security just wasn’t needed – because Macs are invincible, and don’t get viruses.

This complacency caused and continues to cause unacceptably long delays in applying patches for critical security flaws and responding to in-the-wild attacks.

Make no mistake about it, the iBotnet (Flashback/Flashfake infected more than 700,000 Macs) was entirely Apple’s fault. The Java patch (CVE-2012-0507) that fixed the vulnerability was issued for Windows on February 14, 2012. This same vulnerability affected Mac OS X too but Apple didn’t provide a fix until April 3, 2012! Apple left its users exposed for 49 days, providing a huge window of opportunity for malware writers to build a botnet. Unforgivable.

Think about it: almost one million Macs in a for-profit botnet owned by cyber-criminals. In terms of market share figures (the percentage of Mac users infected), this is the Mac version of Conficker on Windows. It’s the first in-the-wild malware attack on Mac OS X with such a large number of victims, and further confirmation that growth in Mac market share is providing a major incentive to attackers.

Flashback is particularly nasty because it spreads via drive-by downloads – no user interaction, no extra clicks, no admin password required. Simply surf to a rigged or hacked website, and the malware gets installed automatically. The known variants were used for click-fraud but it could have been even more dangerous because of the Trojan-downloader component that allowed the attackers to install additional malware onto the infected machines.

It’s clear that we have reached the market share tipping point for Mac OS to validate mass-malware attacks. The rule of thumb is: if market share is high enough, cyber-criminals will be motivated to invest in attacks. Malware authors have dabbled in Mac OS attacks in the past with DNS changers, scareware (fake anti-virus) attacks, and the usual phishing lures, but if you put everything together, you can see we’re entering a new phase.

The fact that Apple users have been brainwashed to ignore security threats means that vulnerable desktop applications will remain unpatched and there will always be a large pool of victims waiting to be infected.

If you leave an expensive car unlocked all night in the high street and it gets stolen, it’s you who’s to blame and who should have locked it – no question. Similarly, Apple is to blame for its current situation. The company is always late with supplying patches for known security problems. Java for Mac is just one example but, if you monitor Apple’s patch release process, you’ll find they are constantly late with fixes, especially for open-source components. WebKit and Safari are permanent security nightmares.

Then we have the whole “veil of secrecy” thing. Apple simply ignores all media queries about security problems. Whenever there is a legitimate threat, users get zero communication from Apple. There are no pre-patch advisories with mitigations for users. They don’t provide data to security vendors to help keep the ecosystem secure. When there’s an outbreak, Mac users have to rely on third-party guidance instead of getting help straight from Apple. Nice user respect!

The funny thing is, Apple can learn a lot from Microsoft when it comes to security. In fact, I think Apple should simply copy Microsoft’s playbook word-for-word when it comes to security response. Apple needs an SDL process to make sure developers build security into every stage of the software development process. SCADA, smart grid suppliers, and even the government of India have already adopted Microsoft’s SDL process, which proves that Microsoft is now leading the way on software security.

Apple’s marketing folks won’t like it, but there’s no shame in Apple learning from Microsoft; at least, there shouldn’t be. Apple should copy Microsoft’s security advisories program so that users are properly informed when there’s a legitimate security threat. If Mac users have to wait ages for a patch, Apple should provide temporary mitigations. How about a scheduled Patch Day? This will help IT administrators prepare for patch deployment instead of being surprised by ad-hoc Mac OS X updates. When it comes to security response, Apple is stuck in the 1990s.

Ten years ago, “Trustworthy Computing” effectively rescued the Windows platform from malware armageddon. The security posture of the Windows operating system has improved and Microsoft’s security response process is now the standard that others – like Adobe – are copying.

Now it’s Apple’s turn. The company would help itself – and its users – immensely if it would use the Flashback attack as a reality check and reject the security-by-PR approach that has tricked its user base into complacency. Apple needs to take the security game seriously. We are no longer in 2006 when Macs were deemed safe from attacks and cute commercials could be used to brand an operating system as “superior”. Flashback is the first major Mac botnet, but you can bet there’ll be more. Apple cannot afford to ignore the lesson of Flashback.

Esteemed and respected Apple, are you listening?