
On My Curious Relationship With Apple And Security

Security professionals seem to have a strained relationship with Apple these days. Any trip to a security conference shows that more and more security professionals are using Macs on a regular basis. A not-insignificant percentage of the high-end industry types I know use Macs and iPhones, at home if not at work, and often against corporate policy.

Yet Apple’s view on security is very… 2001. They do not follow a security development lifecycle. Marketing seems to play too strong a role in security decisions, especially when dealing with researchers. They never finished most of the security features of Leopard, and some products (especially QuickTime) are running at very high vulnerability rates.

The first thing we need to get out of the way is that Macs are currently safer to use than Windows XP, even if they aren’t as secure. There just aren’t as many exploits out there in the wild. Vista is more secure, but I find it unusable. This can, and will, change over time as Macs continue to rise in popularity and become a bigger target.

Thus, as a security professional I have mixed feelings about Apple. I feel somewhat hypocritical about supporting a company that doesn’t prioritize my bread and butter, but I’m not overly pleased with Windows’ UI failings or Linux’s peculiarities. I’ve made the decision to pick the OS that best fits my work and productivity needs, then do what I can to improve the security of the platform.

Which gives me four options:

  1. Work for Apple. They haven’t called and I’m not waiting.
  2. Discover and report vulnerabilities, hoping they’ll get patched. I suck at this, so not the best option.
  3. Criticize and constantly pressure them in public, hoping to embarrass them into change. They’ll call me a raving loon, then ignore and marginalize me.
  4. Actively engage with the Apple community, give Apple credit for what they get right, and point out where they get things wrong while educating Mac users. This hopefully gains me enough credibility that they can’t simply dismiss me as anti-Apple and I can help the Mac community pressure Apple for needed change.

Apple is far from perfect and their security needs a ton of work, but I’m taking a reasoned approach and hoping that by engaging and educating their customers (and thus Apple, indirectly), we can spur change.

On that note, I’m off to the Macworld Expo show floor to meet with various vendors (including security vendors) and to play with my new iPhone (yes, I’m weak).


—Rich


Comments:


By Raffi  on  01/16  at  07:35 PM

Rich,

I’m with you on this. I am a recent switcher (about a year now) and semi-fanboy. I too was weak and in a fit of discontent bought an iPhone.  So don’t feel bad, you’re not alone. I have been pleased with it so far.

I was similarly concerned about Apple’s treatment of security researchers and vulnerabilities. I had issues with the Windows platform which had me dabble in Linux as a full time operating system but found that I spent too much time tweaking to get it to work right and the Mac seems to just get out of your way and let you work.  With the addition of virtualization, I’m good to go.

However, if history is an indication, I’m not confident that Apple will turn around soon. I think it was Microsoft’s corporate customers that browbeat them into changing their security practices, not their consumers.  I don’t see the hard-core Mac community in education and production doing the same things to Apple.  When Apple pushes further into the corporate world (it seems it’s being done, but rather stealthily) you’ll see the clamor grow.

By windexh8er  on  01/16  at  08:29 PM

I’ll agree to disagree in some respects.  I love the raving rants of security professionals stating the lack of security features in OS X.  Then they go on to point out Quicktime, the staple posterchild of Apple insecurities.  Which are you pointing out?  Sure…  Quicktime is an Apple product.  One that desperately needs to be fixed.  But you’re not forced to use it.  And in fact you can remove it from your system if you choose to.

Let’s face it, the OS itself does a very good job of keeping tighter reins on security because of the UNIX substructure.  It’s just a better model.  Yes, there are some quirks out of the box with regards to network services and Apple can probably do a better job.  Maybe having a system panel that enables a sort of "travel mode" where Bonjour and things of that nature shut themselves up.

But, base OS exploits have been few and far between thus far.  And the platform has gained enough attention that if there are any major problems they would be coming to the surface by now.  As you’ve stated a lot of professional developers, security folks, and hackers are switching to the platform.

The constant rants about Apple security don’t hold water anymore and are in fact getting slightly old.  Unless someone has better proof of the inherently bad security of OS X in itself I’d like to see this.  Until then I would say if you want to harp on Quicktime, go ahead.  I hope for 2008 Apple does a complete rewrite.  I just can’t stand reading yet another "Apple sux at security because I read about the problems with Quicktime" from yet another "security guru / researcher" who doesn’t have anything to back it with.

If people honestly feel the hardware and systems from Apple are that bad then don’t use them.  I don’t think it’s getting worse in any regard, because if I felt that way I would abandon it and go back to a distro of Linux for my main platform.  But, my Mac runs a very tight ship at this point and I feel totally comfortable knowing I have control over everything in and out—something that’s just not as doable on a Microsoft platform.

Outside of Quicktime I’d be curious to know what applications you (Rich) see as "running at very high vulnerability rates"?  Please quantify with real data.

By raffi  on  01/16  at  08:59 PM

Actually we’ve seen vulnerabilities in other applications such as Safari as well in the recent past.  Perhaps the BSD core is solid, but it’s the stuff on top that becomes the issue. Just because the foundation is good doesn’t mean the software built on it doesn’t have issues or shouldn’t be a concern.

First problem is the way that Apple has dismissed security researchers in the past.  It’s free QA! Embrace it.  It has helped Microsoft.  The second problem (and the larger one) has more to do with injecting security into the software lifecycle.  It helped Microsoft and every other company that does it produce better code.  A rewrite of Quicktime will be useless until they fix their programming practices.

By windexh8er  on  01/16  at  10:14 PM

My point was that a rewrite would imply a more focused development around security of Quicktime.  It’s interesting that people assume Apple has no security practices around programming…  Obviously those people have no insight to Apple development models:

http://developer.apple.com/documentation/Security/Conceptual/SecureCodingGuide/Introduction.html

I’m not stating that every app Apple puts out will be 100% secure.  But, show me a browser that has never had a security flaw.  Software will almost certainly always have flaws - especially because the landscape of the web is continuously changing.  Look at the track record for Safari 2 over the course of its life:

http://secunia.com/product/5289/?task=advisories

Yes, there are open vulnerabilities still.  But compare that to Internet Explorer 6:

http://secunia.com/product/11/?task=advisories

That’s what I don’t get—Apple puts out far higher quality software than the competition, but it will *never* be perfect.  Humans are not perfect.  Keep throwing more Apple apps on the fire, but that isn’t my original topic.  The topic is the underlying OS and securing it more.  To the point where application control and least privilege is the best that’s out there.

People need to understand operating systems and applications alike are not static.  They will never get to that point of impenetrable perfection.  Unless the environment is 100% controllable there will always be new and unperceived threats.  The same goes for everything else in this world…

My real question is why are the gurus not focusing more on the real problematic areas?  Let’s talk about embedded devices like Cisco that are far more susceptible to cause major havoc than things like Safari or Quicktime.  The monolithic beast that’s probably one of the hardest to update and least updated platform on the Internet runs the majority of our communications.  Those are the things researchers should really be pushing for changes in.  Companies like Cisco have been let off with a simple pat on the back…

By Scott Wright  on  01/16  at  10:39 PM

It’s good to hear this debate. I think more people need to tune into it; both security geeks and business people.  My recent article about the Vista Bandaid Paradox (see the link above) was written in a fit of frustration that led me to declare something like "my next laptop will probably be a Mac."

I don’t know as much about how secure the OS X development cycle is, but I had the feeling it was better than that of MS… until Rich’s post.  I think the key to avoiding the Bandaid Paradox is to start with a Unix architecture, as Apple has, even though that doesn’t guarantee security.  The whole package has to be secure.

As much as I love the commercials with "Security Guy" in them, something tells me they won’t be so cocky if they can get enough market share to attract the masses… and then the bottom-dwellers who will see a more worthwhile target in going after Mac users. At that point, they will be wishing they had built more security into their design cycle.

By Raffi  on  01/17  at  07:42 PM

windexh8er, I’m with you. I think you misunderstand. All I can go on regarding Apple’s practices is how Apple reacts when others tell them about potential risks in their software.

Remember, I’m a convert. I use a Mac for my day to day because it just works and gets out of your way.

By rmogull  on  01/17  at  07:45 PM

@windexh8er: There’s a reason we have IE7- and it’s called IE6. That’s not a fair comparison since 6 didn’t go through the Security Development Lifecycle. If you look at the Secunia stats and compare products that went through this cycle to Apple’s products, you’ll see a stark difference.

Pundits focus on Apple because we all use Apple. Also, despite that development document please remember we often have direct insight into some of these companies. Apple employs (last time we looked) a handful of security engineers, at most. Microsoft has hundreds and contracts with nearly every major security researcher on the planet.

Apple also makes some very elementary mistakes. For example, Safari betas were vulnerable to the most common web fuzzing tool on the net. It’s clear it never went through a QA stage for security.

There is more than enough proof of the vulnerabilities if you look through the vuln reports and talk to the researchers that work in the industry. For example, none of the new Leopard security features provide any additional security- they weren’t properly implemented and thus are useless. This is from responsible people who have tested it directly (and reported their findings).

Exploits also occur on a regular basis, but they are more targeted and we haven’t seen the big virus/worm activity as on Windows. Based on REAL research, we know this is because of the limited adoption of the platform, not any security advantages.

I don’t have time today to pull the complete stats, but take a look at the vuln rates for Safari, the file system, networking, file sharing (Samba), the Software Update Service, wireless drivers, and so on. In the case of Samba, the vulnerabilities were patched for months in the Linux/Unix/BSD tree before OS X, leaving Mac users exposed to a known vulnerability.

It’s all real, and there is factual evidence to support the problems. Out at Macworld I talked with many of the major voices in the Mac community and they are all concerned.

As for Cisco, you just don’t read the right lists (and the vulnerability rate is lower). Cisco gets their hat handed to them in the security world all the time. I wrote some of that criticism myself at my last job. Heck, just go Google "ciscogate".

I use all Apple products at this point. They are less secure than if I were on most of their Windows equivalents. On the other hand, since there are fewer attacks they are safer… for now…

By forrestmage  on  01/17  at  10:26 PM

I agree with rmogull.  Apple has been slow in responding to vulnerabilities, and that may be due to them feeling rather safe with malware writers not focusing on Macs because they just don’t have the market share to make it worthwhile.  Apple is going to have to wake up soon and realize that their growing popularity is making them a profitable target.  Just look at all the iPhone attacks/bugs in the news.  Also recently, the rogue spyware utility MacSweeper has come to light as scareware just like the multitude for Windows.  The video codec phishing trick has also targeted Macs specifically- just Google ‘trojan targets macs’.

Apple needs to start jumping on security vulnerabilities faster and making more of an effort to build with security in mind.  Their market share is quickly reaching the point where malware writers can profit by targeting Mac.  Microsoft releases monthly updates fixing an average of 7 vulnerabilities- but Apple’s last serious update fixed something like 57 problems (I don’t remember the actual numbers).  It’s interesting to note that when Microsoft releases security patches, each vulnerability is detailed, but when Apple releases security patches, all the vulnerabilities are lumped together into headings so that it looks like only a couple fixes.

Maybe Apple products are less secure than Microsoft, maybe they aren’t, either way Apple DOES need to improve their handling of security from development to patches.

By windxh8er  on  01/18  at  12:30 AM

@rmogull

Like I said, Apple is not perfect.  It was only fair to compare Safari 2 up against IE6.  I’ll take the same match with Safari 3 and IE7.  I would wager a good amount that by the end of 2008 Safari will have less exploits and fewer old exploits.  That leads me to the comment of: "Microsoft has hundreds and contracts with nearly every major security researcher on the planet."  Great (enter golf clap).  But does it make the product better?  It hasn’t.  Maybe it will, but it hasn’t is the key.  I would take a handful of bright security engineers over 500 "security engineers" / "researchers".  There’s no way to quantify that more equals better and that is the only fact you’re basing it on.

Betas don’t count—that’s why it’s labeled that way, it’s obviously not done.  Is the mainstream release of Safari vulnerable?  No.  IE7 betas were just as bad.

The thing is I read the research.  I don’t understand where you’re getting this stuff from.  The wireless vulnerabilities had to do with low level code for the Atheros chipset—that affected *every* platform, not just Apple.  Maynor even stated that time and time again.

Yes, the software update platform can be spoofed since it doesn’t use any sort of checking.  Someone will eventually attack this and it needs to be fixed.  I could guarantee you when they update the platform that it won’t get worse though.

Out of the items you’ve listed only two of them have any real merit from where I sit.  First one being the software update which I’ve already mentioned and the second one being SAMBA.  That’s fine…  The difference to me is that if I were on a Windows platform and I had a similar problem I can’t update at all.  On OS X I can go grab the new source and patch it myself.  What if Microsoft decides not to ever patch it?  What then?

I follow Cisco pretty closely.  I’m CCNP and have various other Cisco certs.  I know their systems *very* well, having deployed global networks across their high end platforms.  I’ve deployed military networks using none other than Cisco (to my dismay).  If you truly believe that what’s out there is all there is then you are looking in the wrong places.  Cisco has had vulnerabilities in software for 5+ years they haven’t fixed or even addressed.  The base OS for IOS is monolithic meaning software updates at this point are not even possible in the current model without complete reloads.  I find almost every week PIX/ASA code that chokes on packet inspection causing device reloads or infinite deadlocks.  Cisco does very little to secure routing protocols or common exploits and attacks and has historically implemented "new" technologies into their platforms that are years old and are instantly vulnerable.

In the end *everyone* needs to get better.  But, like I said humans are humans.  Things get implemented wrong and unfortunately not everyone’s first priority is security.  The masses reading articles like this however don’t understand the intricacies of how and why.  To say Apple has implemented a lot of security features wrong is fair in a lot of respects.  But it’s not right to publish it in a way that makes it seem like Microsoft implemented those same technologies correctly, because they too have screwed up things like BitLocker, ASLR, and the list goes on…

At this point I’m confused as to why a security consultant would openly say that his Mac systems are less secure than the Windows equivalent.  Mine are not, and it’s quantifiable.

@forrestmage
Just to make sure everyone is aware but MacSweeper wasn’t an exploit of sorts but a social engineering attack based on scareware.  The original page had JavaScript running that played back a pretty report which pretended to scan your system and show that you had things to "clean".  The user still has to install the software manually.  It also did not take a rocket scientist to figure out that they were full of cow pie when you looked on their page and they stated that MacSweeper cleaned DLLs.  Just so we’re all on the same page there…  The first of many Mac scareware sites, big deal nobody blinks at that sort of social engineering targeting Windows.

@all
One thing I hope that Apple takes away from Microsoft is "patch Tuesday".  It’s a great model to have schedules in some fashion, but at the same rate malicious coding can be released on a nice timely basis so that we can get over a month of time in with a vulnerability.  Bruce Schneier was actually talking about this at the recent event he spoke at for OWASP in Minneapolis.

By forrestmage  on  01/18  at  12:53 AM

@windxh8er
Just to make sure you aren’t misunderstanding me- I know MacSweeper doesn’t use an exploit, my point is that it targets Mac users.  Yes we’re all used to seeing these for Windows, but now it has become profitable to do the same thing on Mac.  My point is that if it is now profitable to target Macs with scareware, it won’t be long until we see the true quantity of Mac exploits as it becomes profitable to actually *look* for them.

At the same time though, I think the Windows/Mac security debate is going the way of the Dodo as exploits are turning to target web apps that every browser supports, regardless of publisher.  Let’s compare IE7, Safari 3.0, Firefox 2.x, and whatever release Opera is on and how they handle web exploits.  I’m curious to hear what all of you think of this trend.

By windxh8er  on  01/18  at  01:05 AM

@forrestmage

I know, I was just clarifying for the uninformed.  :)

Firefox 3 too.  Oh wait, it’s beta.  Someone bust out the fuzzer!  Anyway, who needs JavaScript, AJAX, and the web 2.0 goodness…  Let’s all just switch to Links where the web is best viewed in less than 10 colors. No cheating, I know about ‘links -g’!

By anonymous  on  01/18  at  06:38 AM

Saying that Apple are slow to respond to vulnerabilities and that they ignore vulnerabilities are two very different claims. The first can be backed up with statistics-and in Apple’s defense, the funding the security department receives is laughable compared to Microsoft.  However your second claim is simply untrue… While Apple may be slow to address issues, show me a single responsible vulnerability reporter who Apple ignored or mistreated.  Every security advisory they put out contains credit information, so it should be easy to contact these people and ask them about their experience.  It often seems like bloggers and self-marketers with little real security research experience criticize loudly and ignorantly while real security researchers quietly report vulnerabilities and receive credit. Making this claim without conducting a statistical analysis of how legitimate reporters of issues feel is doing a disservice to your readers and is unfair to those at Apple who work hard with external reporters.

By rmogull  on  01/19  at  12:27 AM

I know of multiple vulnerabilities that were quietly reported to Apple by responsible security vendors and mishandled. In many cases, I believe it’s because they never made it to the few security engineers who could have resolved the issue in a timely fashion.

None of this, of course, makes it public because none of the people involved believe in full disclosure. They don’t self-promote and thus these problems never make it to light. As a security researcher, but not a vulnerability researcher, I NEVER disclose any of these situations, but they do taint my analysis.

We can’t perform real statistical analysis since we will never have the complete numbers. What we do know is that the security department is under-staffed, under-budgeted, and there is no SDLC in place.

All of those are situations Apple will need to remedy as the platform becomes more popular. I’m a heavy, practically exclusive, user of Apple products and despite the security shortcomings I still feel comfortable using the products because of the relatively low risk. This is the difference between "security" (how theoretically secure something is), and "safety" (the real level of risk based on threats). @windexh8er, you seem to be looking only at safety, not security.

I bring these issues up to educate customers who will eventually apply market pressure on Apple for better security. I also balance this with my love of Apple products. I’m far from one of those random bloggers that just whines about security without any real knowledge or doing anything about it. I’m a professional industry analyst and researcher with years of experience and a solid, public, track record.

You can decide for yourself.

By windexh8er  on  01/20  at  08:13 PM

I’m curious, because most often times vulnerabilities that are quietly reported to the vendor first will get out into the wild eventually.  I find it hard to believe that most security researchers wouldn’t give Apple the chance to take the opportunity, and then if not announce it to the world to make it a priority.  Although not exactly ethical that tactic has proven quite reliable in the past.  The thing that is interesting to me is that if security researchers are telling you, then they’re also telling others.  Which is hard to keep tightly closed in this day and age…  If someone truly does not believe in full disclosure then you would never hear it.  Telling anyone makes that researcher a hypocrite of sorts because the faintest of insight can provide a fast track to potentially malicious users.

I think it’s laughable to propose that Apple has no software development life cycle in place.  It’s impossible to write an entire OS without one.  Now, whether or not they have a specific cycle for security practices is another question.  But every company I’ve worked for (Lockheed Martin probably had one of the best I’ve seen) has always followed a strict process around this sort of function—I can’t imagine Apple not having one.

With regards to "security" and "safety"—I’m not sure what exactly you’re trying to make a point of.  Security, in my mind, is the intrinsic valuation of risk based on an assessment with regards to a monetary value (because all things can be given a price tag), not safety.  If I am at risk then I have bad or weak security.  Security is just a buzzword.  So is information assurance (however, a better idea for describing the situation—I know Hoff renamed his site to this, probably after he saw Norwich’s IA Masters program title—they’ve been calling it that for years).  "Safety" is a new one for me.  I also don’t see security as theoretical.  If I wanted to look at that side of the coin I’d be looking at a risk assessment.  "Theoretically I am 100% secure with no patches because this machine will never be turned on and stored in a glass bubble."

In the end I don’t think anybody was attacking your professional cred in particular here.  I think there are too many people who don’t have the background and throw up a blog and discuss it.  I think the differential that I get frustrated with in this space is those who do and those who write about it.  I find it hard to believe people are "professional security researchers" who write process and risk management papers around security.  These are usually not the people down at the very technical level.  I think there’s a vast difference in being a security engineer (as in doing) and a security practitioner / analyst.  I wish there was a gold standard to differentiate, but alas nothing will ever exist in this space.  In Texas to hold a formal "engineering" title you have to have a degree to back it.  However, when I worked for LM I was a "systems engineer"—although my major in college (B.S. in Telecommunications Systems) was not an engineering undergrad program at all.  Sure, I did all of the math, CS, digital, comms, and lots and lots of NetAcad.  But I never really thought of myself as a tried and true "engineer".  Maybe a network engineer, but I never did formal systems engineering coursework until after my undergrad…  And then I realized what it really means to hold the title of a real engineer.  In the end too many people give themselves too big of titles and it’s annoying.  I’m not saying, in particular, you Rich—but I’m sure you see a lot of this along with the rest of us.

By rmogull  on  01/20  at  09:03 PM

Oh, I agree on the engineer title. It’s why I don’t call myself a programmer, even though I’ve programmed professionally. I came up on the technical side as a systems and network administrator, and I won’t use the title "engineer".

Also keep in mind that many pundit types do have real technical backgrounds, but as they progress through their career it’s hard to keep those skills as you move to the business side. I like to think I do it better than most, but that’s only because I’m a huge geek who enjoys re-wiring his house for home automation on the weekends and hacking WRTs.

On SDLC- I’m using the term Security Development Life Cycle, not Software Development. Apple obviously has a software development cycle, but there is no formal security development cycle. That’s huge, and something they’ll have to do eventually. It takes years to implement, but when it works you get things like SQL Server 2005 (only 1 known vulnerability since release).

As for the researchers talking to me- there is a very tight community of trust involved, and even then I don’t get code samples. No hypocrisy involved; it’s no different than doctors or police officers carefully exchanging case notes. These were all responsibly reported to Apple and have yet to make it public, although they are sometimes independently discovered (e.g. a new tool is released, lowering the skill level required for discovery). Most of these researchers will never disclose unless a product is patched.

By Why engaging with the Mac community over security  on  01/21  at  02:50 AM

[...] Mogull talks about his “Curious Relationship With Apple And Security” and what he wants to do in the future: “Actively engage with the Apple community, give Apple [...]

By forrestmage  on  01/21  at  11:02 PM

It seems I’m not the only one of the opinion that Apple’s popularity is going to bring out all the vulnerabilities.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9058198&source=rss_topic85

The discussion about titles is interesting to me- I’m very recently entered into this world of security with a BS and I passed the CISSP exam (though my work experience limits me to Associate of (ISC)²).  I am not a technical security person at all, the CISSP is so very overview centric, and I don’t like to use the title "Engineer" but job search engines seem to find more when I do.  I lean to the "Analyst" title, but being a newbie, I hesitate on that too.  I’m not sure what to title myself.

By windexh8er  on  01/22  at  08:25 PM

Case in point:

http://www.cisco.com/en/US/products/products_security_advisory09186a008093942e.shtml

I know, off topic from Apple—but just goes to show how bad Cisco is at stupid little stuff like handling exceptions that don’t create panics like this.

By links for 2008-01-29 «  Mac²  on  01/28  at  08:29 PM

[...] On My Curious Relationship With Apple And Security | securosis.com Interesting post on Mac security from Rich Mogull, a specialist on the subject and a recent convert to Macs. He has just made official his collaboration with TidBITS. (tags: security Rich_Mogull) [...]
