Several people have asked me for a response to Eugene Kaspersky’s views on Apple, as expressed at Infosecurity Europe last week, suggesting that Apple is ten years behind on security. But having spent some time on an analysis that no-one has used, I guess I’ll use it here – it has, after all, been a busy few weeks in the Mac security world, and I haven’t posted here for a while.
There’s certainly a temptation – which Kaspersky clearly couldn’t resist – to make a comparison with Microsoft about ten years ago when it became aware that it needed to clean up its security act and launched the Trustworthy Computing initiative. But is it a fair comparison? At that time Microsoft had attracted a great deal of criticism from the security community over the years, not least for its first ineffective attempt at maintaining an anti-malware utility and the way in which it had tried to dismiss the start of the macro virus epidemic as a “prank macro”. And that in turn generated a certain amount of sour amusement when the company suddenly presented itself as eager to review its (in)secure coding practice while appearing to its customers as the fount of all security knowledge. The fact is, though, that Microsoft has learned a great deal from those early criticisms and made a very substantial contribution to the raising of security standards in the Windows world on many levels. (Consider, for example, its very effective work on taking down some high-profile botnets.)
However, Apple now is not Microsoft then. At that time, Microsoft was still supporting a consumer product range (the Windows 9x series) that couldn’t be hardened to a degree comparable with its NT-derived range, which was intended to be developed as an environment whose internals were more comparable to Unix or VMS than to the consumer-oriented Windows versions that preceded Windows 2000. In fact, the NT-derived range was far more resilient in many respects and only really became seriously at risk when it began to replace the 9x range and so became the target of choice for more attackers.
OS X was quite specifically based on Unix, and Apple’s transition to restricting its support and development to its more robust operating system was implemented far more decisively than Microsoft’s: support for the Windows 9x series wasn’t discontinued until 2006. In general terms, the development of the NT series and OS X in terms of improving system integrity using approaches such as ASLR and DEP has been very roughly parallel in recent years. You could certainly argue that Apple’s falling behind on patching the CVE-2012-0507 vulnerability not only points to a failure of its patching process, but is also a major contributing factor to the current problem; in fact, though, Apple’s patching is – generally speaking – one of the brighter aspects of its security management.
In fact, the extraordinary volume of victim machines in the Flashback incident needs to be set against the fact that while the number of OS X-related malicious programs has increased significantly, the number of individual systems affected by other malware has been very much smaller, so we need to be aware that a single family is in some sense skewing the figures. In fact, Sophos found that out of 100,000 infected machines that they looked at over 7 days, around 75% were infected by OSX/Flashback. It’s possible that something near that proportion holds across the entire population of Macs infected with native malware, but that’s significantly different to where we were with PC malware ten years ago, where there were lots of other malicious programs taking up their fair share of the WildList.
Even if we restrict our scope to the Windows-specific threats that had largely replaced earlier types of malware (DOS viruses, boot sector viruses) by then, there was a much wider range of existing malware families than we’re seeing now in the Mac arena. But the situation is complicated by the fact that comparatively few Mac users use industrial-strength AV, so while we can guesstimate the number of Flashback infections by sinkholing – though even then, the number of currently live infections has been hotly disputed by different vendors – we don’t have the means of tracking other types of infection in the same way. So saying that the new Mac world is “full of malware,” giving the impression that Macville is now like the Windows world in the early noughties, is a little misleading.
What does slightly concern me is that while Apple is engaging much better these days with the security industry, there is still a current of opinion that assumes that Apple’s own countermeasures are sufficient to contain the problem. In my opinion, the sort of synergy between the OS vendor and third-party security vendors that holds in the Windows world is likely to be more effective over time than Apple trying to contain the problem all on its own through utilities like XProtect and Gatekeeper. While neither of these utilities is completely useless, the contention in Apple’s sneak peek at Gatekeeper that “While malware is one of the biggest security challenges on personal computers, it’s hardly an issue on a Mac” suggests that there might still be some Kool-Aid left in the corporate refrigerator.
(Hat tip to Mikko Hypponen, who actually used the Apples to Oranges metaphor before me.)