Apple Changing Posture on Security and Macs

The company is including a new automated update feature in the upcoming OS X "Mountain Lion" operating system, and admitting that Macs can get viruses.

Apple, which faced harsh criticism of its response to the massive Flashback exploit earlier this spring, appears to be changing its approach to security at a time when its Mac OS X operating system is getting more attention from cyber-criminals.

Some of it is in Apple's messaging—the company recently quietly changed the pitch it had for Macs on its Website, saying now they are "built to be safe" and no longer that they are virus-free—while in other ways it's more practical. For example, Apple reportedly is putting a new feature into its upcoming OS X 10.8 "Mountain Lion" operating system that will automatically update Macs with the latest security patches and protections.

In addition, at its Worldwide Developer Conference in June, Apple officials also talked about a new feature for their laptops called "PowerNap," that will allow security updates to be downloaded even while the systems are in sleep mode.

Features such as these are getting some good responses from security experts, some of whom in the past have been critical of Apple's somewhat tepid response to security.

"This [PowerNap feature], alongside the removal of requiring the user to give permission for a security patch to be installed, should ensure that more Macs are kept more up-to-date," Graham Cluley, senior technology consultant at security firm Sophos, said in a June 28 blog post. "Anything which makes that attack window smaller has to be good news for Mac users. So, well done, Apple."

Security researchers have warned that with the popularity of Apple Internet-connected systems rising, the company can expect to see more interest from hackers and scammers. Even before the Flashback malware, there had been a rise in the number of attacks on Apple systems over the previous year, from Tsunami to the Mac Defender fake antivirus program.

However, it was the Flashback malware, which infected more than 600,000 Macs worldwide, that put the company and its security practices in the spotlight. The exploit targeted a vulnerability in Java that Oracle had patched for PCs in February, but that Apple didn't patch until April, after many of those Macs already were infected.

Apple is 10 years behind Microsoft when it comes to dealing with malware attacks and security, Eugene Kaspersky, CEO and founder of his namesake company, said in April.

Apple appears to be trying to change that perception with new security features, including OS X Security Update Test 1.0, which was first reported by the AppleInsider Website. The automated update feature will run on a daily basis or whenever the Mac restarts, and reportedly can do all this in the background without user interaction.

"Of course, most days it is unlikely that Apple will have released a security update—but for those times when they have, this feature will hopefully reduce the window of opportunity for malicious hackers to exploit any vulnerabilities in OS X," Sophos' Cluley said.

IT administrators may have some problems with the automated update in Macs, he said. Usually businesses want to test security updates before sending them out companywide to ensure there are no bugs or conflicts with other software.

"Furthermore, companies may not like the idea of lots of their Mac computers individually pulling down hefty security updates and gobbling up their Internet bandwidth," Cluley said. "Presumably, Apple will provide mechanisms for businesses to handle these issues when OS X ships next month."

Security experts looking at the widespread Flashback infection said Mac users not only were impacted by Apple's slow response to the threat, but also by the reputation that the systems were essentially invulnerable to viruses and other threats. Apple fueled that idea with the wording on its Website that said the Mac "doesn't get PC viruses." Now the site reads that Macs are "built to be safe."

Lysa Myers, in a June 25 blog post for Apple security software vendor Intego, applauded the change, saying that while it was technically correct that most PC viruses won't work on OS X, there is malware that will work on both. Myers also took issue with some media reports saying that Mac malware was less dangerous or that Macs were buggy.

"Let's not overstate the case," she wrote. "Macs are awesome. They work well. But there is risk; there are bugs, there are vulnerabilities, there are malware. They're not harmless, and it's also not the end of the world. You can protect yourself, and if you behave safely and intelligently, you can minimize your risk."