Apple Changing Posture on Security and Macs
Apple, which faced harsh criticism of its response to the massive Flashback exploit earlier this spring, appears to be changing its approach to security at a time when its Mac OS X operating system is getting more attention from cyber-criminals.
Some of it is in Apple's messaging (the company recently quietly changed the pitch it had for Macs on its Website, saying now they are built to be safe and no longer that they are virus-free), while in other ways it's more practical. For example, Apple reportedly is putting a new feature into its upcoming OS X 10.8 Mountain Lion operating system that will automatically update Macs with the latest security patches and protections.
In addition, at its Worldwide Developer Conference in June, Apple officials also talked about a new feature for their laptops called PowerNap, that will allow security updates to be downloaded even while the systems are in sleep mode.
Features such as these are getting some good responses from security experts, some of whom in the past have been critical of Apple's somewhat tepid response to security.
"This [PowerNap feature], alongside the removal of requiring the user to give permission for a security patch to be installed, should ensure that more Macs are kept more up-to-date," Graham Cluley, senior technology consultant at security firm Sophos, said in a June 28 blog post. "Anything which makes that attack window smaller has to be good news for Mac users. So, well done, Apple."
Security researchers have warned that with the popularity of Apple Internet-connected systems rising, the company can expect to see more interest from hackers and scammers. Even before the Flashback malware, there had been a rise in the number of attacks on Apple systems over the previous year, from Tsunami to the Mac Defender fake antivirus program.
However, it was the Flashback malware, which infected more than 600,000 Macs worldwide, that put the company and its security practices in the spotlight. The exploit targeted a vulnerability in Java that Oracle had patched for PCs in February, but that Apple didn't patch until April, after many of those Macs already were infected.
"Apple is 10 years behind Microsoft when it comes to dealing with malware attacks and security," Eugene Kaspersky, CEO and founder of his namesake company, said in April.
Apple appears to be trying to change that perception with new security features, including OS X Security Update Test 1.0, which was first reported by the AppleInsider Website. The automated update feature will run on a daily basis or whenever the Mac restarts, and reportedly can do all this in the background without user interaction.
"Of course, most days it is unlikely that Apple will have released a security update, but for those times when they have, this feature will hopefully reduce the window of opportunity for malicious hackers to exploit any vulnerabilities in OS X," Sophos' Cluley said.
IT administrators may have some problems with the automated update in Macs, he said. Usually businesses want to test security updates before sending them out companywide to ensure there are no bugs or conflicts with other software.
"Furthermore, companies may not like the idea of lots of their Mac computers individually pulling down hefty security updates and gobbling up their Internet bandwidth," Cluley said. Presumably, Apple will provide mechanisms for businesses to handle these issues when OS X ships next month.
Security experts looking at the widespread Flashback infection said Mac users not only were impacted by Apple's slow response to the threat, but also by the reputation that the systems were essentially invulnerable to viruses and other threats. Apple fueled that idea with the wording on its Website that said the Mac "doesn't get PC viruses." Now the site reads that Macs are built to be safe.
Lysa Myers, in a June 25 blog post for Apple security software vendor Intego, applauded the change, saying that while it was technically correct that most PC viruses won't work on OS X, there is malware that will work on both. Myers also took issue with some media reports saying that Mac malware was less dangerous or that Macs were buggy.
"Let's not overstate the case," she wrote. "Macs are awesome. They work well. But there is risk; there are bugs, there are vulnerabilities, there are malware. They're not harmless, and it's also not the end of the world. You can protect yourself, and if you behave safely and intelligently, you can minimize your risk."