On My Curious Relationship With Apple And Security

By Rich

Security professionals seem to have a strained relationship with Apple these days. Any trip to a security conference shows that more and more security professionals are using Macs on a regular basis. A not-insignificant percentage of the high-end industry types I know use Macs and iPhones, at home if not at work, often against corporate policy.

Yet Apple’s view on security is very… 2001. They do not follow a security development lifecycle. Marketing seems to play too strong a role in security decisions, especially when dealing with researchers. They never finished most of the security features of Leopard, and some products (especially QuickTime) are running at very high vulnerability rates.

The first thing we need to get out of the way is that Macs are currently safer to use than Windows XP, even if they aren’t as secure. There just aren’t as many exploits out there in the wild. Vista is more secure, but I find it unusable. This can, and will, change over time as Macs continue to rise in popularity and become a bigger target.

Thus, as a security professional I have mixed feelings about Apple. I feel somewhat hypocritical about supporting a company that doesn’t prioritize my bread and butter, but I’m not overly pleased with Windows’ UI failings or Linux’s peculiarities. I’ve made the decision to pick the OS that best fits my work and productivity needs, then do what I can to improve the security of the platform.

Which gives me three options:

  1. Work for Apple. They haven’t called and I’m not waiting.
  2. Discover and report vulnerabilities, hoping they’ll get patched. I suck at this, so not the best option.
  3. Criticize and constantly pressure them in public, hoping to embarrass them into change. They’ll call me a raving loon, then ignore and marginalize me.
  4. Actively engage with the Apple community, give Apple credit for what they get right, and point out where they get things wrong while educating Mac users. This hopefully gains me enough credibility that they can’t simply dismiss me as anti-Apple and I can help the Mac community pressure Apple for needed change.

Apple is far from perfect and their security needs a ton of work, but I’m taking a reasoned approach and hoping that by engaging and educating their customers (and thus Apple, indirectly), we can spur change.

On that note, I’m off to the Macworld Expo show floor to meet with various vendors (including security vendors) and to play with my new iPhone (yes, I’m weak).




I’m with you on this. I am a recent switcher (about a year now) and semi-fanboy. I too was weak and in a fit of discontent bought an iPhone. So don’t feel bad, you’re not alone. I have been pleased with it so far.

I was similarly concerned about Apple’s treatment of security researchers and vulnerabilities. I had issues with the Windows platform which had me dabble in Linux as a full time operating system but found that I spent too much time tweaking to get it to work right and the Mac seems to just get out of your way and let you work. With the addition of virtualization, I’m good to go.

However, if history is an indication, I’m not confident that Apple will turn around soon. I think it was Microsoft’s corporate customers that browbeat them into changing their security practices, not their consumers. I don’t see the hard-core Mac community in education and production doing the same things to Apple. When Apple pushes further into the corporate world (it seems it’s being done, but rather stealthily) you’ll see the clamor grow.

By Raffi on

I’ll agree to disagree in some respects. I love the raving rants of security professionals stating the lack of security features in OS X. Then they go on to point out Quicktime, the staple posterchild of Apple insecurities. Which are you pointing out? Sure… Quicktime is an Apple product. One that desperately needs to be fixed. But you’re not forced to use it. And in fact you can remove it from your system if you choose to do so.

Let’s face it, the OS itself does a very good job of tighter reins on security because of the UNIX substructure. It’s just a better model. Yes, there are some quirks out of the box with regards to network services and Apple can probably do a better job. Maybe having a system panel that enables a sort of "travel mode" where bonjour and things of that nature shut themselves up.

But, base OS exploits have been few and far between thus far. And the platform has gained enough attention that if there are any major problems they would be coming to the surface by now. As you’ve stated, a lot of professional developers, security folks, and hackers are switching to the platform.

The constant rants about Apple security don’t hold water anymore and are in fact getting slightly old. Unless someone has better proof of the inherently bad security of OS X in itself, I’d like to see this. Until then I would say if you want to harp on Quicktime, go ahead. I hope for 2008 Apple does a complete rewrite. I just can’t stand reading yet another "Apple sux at security because I read about the problems with Quicktime" from yet another "security guru / researcher" who doesn’t have anything to back it with.

If people honestly feel the hardware and systems from Apple are that bad then don’t use them. I don’t think it’s getting worse in any regards, because if I felt that way I would abandon and go back to a distro of Linux for my main platform. But, my Mac runs a very tight ship at this point and I feel totally comfortable knowing I have control over everything in and out—something that’s just not as doable on a Microsoft platform.

Outside of Quicktime I’d be curious to know what applications you (Rich) see as "running at very high vulnerability rates"? Please quantify with real data.

By windexh8er on

Actually we’ve seen vulnerabilities in other applications such as Safari as well in the recent past. Perhaps the BSD core is solid, but it’s the stuff on top that becomes the issue. Just because the foundation is good doesn’t mean the software built on it doesn’t have issues or shouldn’t be a concern.

First problem is the way that Apple has dismissed security researchers in the past. It’s free QA! Embrace it. It has helped Microsoft. The second problem (and the larger one) has more to do with injecting security into the software lifecycle. It helped Microsoft and every other company that does it produce better code. A rewrite of Quicktime will be useless until they fix their programming practices.

By raffi on

My point was that a rewrite would imply a more focused development around security of Quicktime. It’s interesting that people assume Apple has no security practices around programming… Obviously those people have no insight into Apple development models:

I’m not stating that every app Apple puts out will be 100% secure. But, show me a browser that has never had a security flaw. Software will almost certainly always have flaws - especially because the landscape of the web is continuously changing. Look at the track record for Safari 2 over the course of its life:

Yes, there are open vulnerabilities still.  But compare that to Internet Explorer 6:

That’s what I don’t get—Apple puts out far higher quality software than the competition, but it will *never* be perfect. Humans are not perfect. Keep throwing more Apple apps on the fire, but that isn’t my original topic. The topic is the underlying OS and securing it more. To the point where application control and least privilege are the best that’s out there.

People need to understand operating systems and applications alike are not static.  They will never get to that point of impenetrable perfection.  Unless the environment is 100% controllable there will always be new and unperceived threats.  The same goes for everything else in this world…

My real question is why are the gurus not focusing more on the real problematic areas?  Let’s talk about embedded devices like Cisco that are far more susceptible to cause major havoc than things like Safari or Quicktime.  The monolithic beast that’s probably one of the hardest to update and least updated platform on the Internet runs the majority of our communications.  Those are the things researchers should really be pushing for changes in.  Companies like Cisco have been let off with a simple pat on the back…

By windexh8er on

It’s good to hear this debate. I think more people need to tune into it; both security geeks and business people.  My recent article about the Vista Bandaid Paradox (see the link above) was written in a fit of frustration that led me to declare something like "my next laptop will probably be a Mac."

I don’t know as much about how secure the OS X development cycle is, but I had the feeling it was better than that of MS… until Rich’s post. I think the key to avoiding the Bandaid Paradox is to start with a Unix architecture, as Apple has, even though that doesn’t guarantee security. The whole package has to be secure.

As much as I love the commercials with "Security Guy" in them, something tells me they won’t be so cocky if they can get enough market share to attract the masses… and then the bottom-dwellers who will see a more worthwhile target in going after Mac users. At that point, they will be wishing they had built more security into their design cycle.

By Scott Wright on

windexh8er, I’m with you. I think you misunderstand. All I can go on regarding Apple’s practices is how Apple reacts when others tell them about potential risks in their software.

Remember, I’m a convert. I use a mac for my day to day because it just works and gets out of your way.

By Raffi on

@windexh8er: There’s a reason we have IE7, and it’s called IE6. That’s not a fair comparison since 6 didn’t go through the Security Development Lifecycle. If you look at the Secunia stats and compare products that went through this cycle to Apple’s products, you’ll see a stark difference.

Pundits focus on Apple because we all use Apple. Also, despite that development document please remember we often have direct insight into some of these companies. Apple employs (last time we looked) a handful of security engineers, at most. Microsoft has hundreds and contracts with nearly every major security researcher on the planet.

Apple also makes some very elementary mistakes. For example, Safari betas were vulnerable to the most common web fuzzing tool on the net. It’s clear it never went through a QA stage for security.

There is more than enough proof of the vulnerabilities if you look through the vuln reports and talk to the researchers that work in the industry. For example, none of the new Leopard security features provide any additional security; they weren’t properly implemented and thus are useless. This is from responsible people who have tested it directly (and reported their findings).

Exploits also occur on a regular basis, but they are more targeted and we haven’t seen the big virus/worm activity as on Windows. Based on REAL research, we know this is because of the limited adoption of the platform, not any security advantages.

I don’t have time today to pull the complete stats, but take a look at the vuln rates for safari, the file system, networking, file sharing (Samba), the Software Update Service, wireless drivers, and so on. In the case of Samba, the vulnerabilities were patched for months in the Linux/Unix/BSD tree before OS X, leaving Mac users exposed to a known vulnerability.

It’s all real, and there is factual evidence to support the problems. Out at Macworld I talked with many of the major voices in the Mac community and they are all concerned.

As for Cisco, you just don’t read the right lists (and the vulnerability rate is lower). Cisco gets their hat handed to them in the security world all the time. I wrote some of that criticism myself at my last job. Heck, just go Google, "ciscogate".

I use all Apple products at this point. They are less secure than if I were on most of their Windows equivalents. On the other hand, since there are fewer attacks they are safer… for now…

By rmogull on

I agree with rmogull. Apple has been slow in responding to vulnerabilities, and that may be due to them feeling rather safe with malware writers not focusing on macs because they just don’t have the market share to make it worthwhile. Apple is going to have to wake up soon and realize that their growing popularity is making them a profitable target. Just look at all the iphone attacks/bugs in the news. Also recently, the rogue spyware utility MacSweeper has come to light as scareware just like the multitude for Windows. The video codec phishing trick has also targeted macs specifically; just google ‘trojan targets macs’.

Apple needs to start jumping on security vulnerabilities faster and making more of an effort to build with security in mind. Their market share is quickly reaching the point where malware writers can profit by targeting mac. Microsoft releases monthly updates fixing an average of 7 vulnerabilities, but Apple’s last serious update fixed something like 57 problems (I don’t remember the actual numbers). It’s interesting to note that when Microsoft releases security patches, each vulnerability is detailed, but when Apple releases security patches, all the vulnerabilities are lumped together into headings so that it looks like only a couple fixes.

Maybe Apple products are less secure than Microsoft, maybe they aren’t, either way Apple DOES need to improve their handling of Security from development to patches.

By forrestmage on


Like I said, Apple is not perfect. It was only fair to compare Safari 2 up against IE6. I’ll take the same match with Safari 3 and IE7. I would wager a good amount that by the end of 2008 Safari will have fewer exploits and fewer old exploits. That leads me to the comment of: "Microsoft has hundreds and contracts with nearly every major security researcher on the planet." Great (enter golf clap). But does it make the product better? It hasn’t. Maybe it will, but it hasn’t is the key. I would take a handful of bright security engineers over 500 "security engineers" / "researchers". There’s no way to quantify that more equals better and that is the only fact you’re basing it on.

Betas don’t count—that’s why it’s labeled that way, it’s obviously not done. Is the mainstream release of Safari vulnerable? No. IE7 betas were just as bad.

The thing is I read the research. I don’t understand where you’re getting this stuff from. The wireless vulnerabilities had to do with low level code for the Atheros chipset—that affected *every* platform, not just Apple. Maynor even stated that time and time again.

Yes, the software update platform can be spoofed since it doesn’t use any sort of checking. Someone will eventually attack this and it needs to be fixed. I could guarantee you when they update the platform that it won’t get worse though.

Out of the items you’ve listed only two of them have any real merit from where I sit. First one being the software update which I’ve already mentioned and the second one being SAMBA. That’s fine… The difference to me is that if I were on a Windows platform and I had a similar problem I can’t update at all. On OS X I can go grab the new source and patch it myself. What if Microsoft decides not to ever patch it? What then?

I follow Cisco pretty closely. I’m CCNP and have various other Cisco certs. I know their systems *very* well, having deployed global networks across their high end platforms. I’ve deployed military networks using none other than Cisco (to my dismay). If you truly believe that what’s out there is all there is then you are looking in the wrong places. Cisco has had vulnerabilities in software for 5+ years they haven’t fixed or even addressed. The base OS for IOS is monolithic meaning software updates at this point are not even possible in the current model without complete reloads. I find almost every week PIX/ASA code that chokes on packet inspection causing device reloads or infinite deadlocks. Cisco does very little to secure routing protocols or common exploits and attacks and has historically implemented "new" technologies into their platforms that are years old and are instantly vulnerable.

In the end *everyone* needs to get better. But, like I said humans are humans. Things get implemented wrong and unfortunately not everyone’s first priority is security. The masses reading articles like this however don’t understand the intricacies of how and why. To say Apple has implemented a lot of security features wrong is fair in a lot of respect. But it’s not right to publish it in a way that makes it seem like Microsoft implemented those same technologies correctly, because they too have screwed up things like BitLocker, ASLR, and the list goes on…

At this point I’m confused as to why a security consultant would openly say that his Mac systems are less secure than the Windows equivalent. Mine are not, and it’s quantifiable.

Just to make sure everyone is aware, MacSweeper wasn’t an exploit of sorts but a social engineering attack based on scareware. The original page had javascript running that played back a pretty report which pretended to scan your system and show that you had things to "clean". The user still has to install the software manually. It also did not take a rocket scientist to figure out that they were full of cow pie when you looked on their page and they stated that MacSweeper cleaned DLLs. Just so we’re all on the same page there… The first of many Mac scareware sites, big deal nobody blinks at that sort of social engineering targeting Windows.

One thing I hope that Apple takes away from Microsoft is "patch Tuesday". It’s a great model to have schedules in some fashion, but at the same rate malicious coding can be released on a nice timely basis so that we can get over a month of time in with a vulnerability. Bruce Schneier was actually talking about this at the recent event he spoke at for OWASP in Minneapolis.

By windxh8er on

Just to make sure you aren’t misunderstanding me: I know MacSweeper doesn’t use an exploit, my point is that it targets mac users. Yes we’re all used to seeing these for Windows, but now it has become profitable to do the same thing on Mac. My point is that if it is now profitable to target macs with scareware, it won’t be long until we see the true quantity of mac exploits as it becomes profitable to actually *look* for them.

At the same time though, I think the Windows/Mac security debate is going the way of the Dodo as exploits are turning to target web apps that every browser supports, regardless of publisher. Let’s compare IE7, Safari 3.0, Firefox 2.x, and whatever release Opera is on and how they handle web exploits. I’m curious to hear what all of you think of this trend.

By forrestmage on
