NEWS ANALYSIS: As Mac’s security strengths are challenged, should businesses be concerned about using Mac in the enterprise and is Apple doing enough?
Mac OS has long been viewed as a much safer operating system than Windows, with malicious attackers preferring to create malware for the latter due to the comparative ease in finding vulnerabilities and a much larger target base.
However, this perception is being challenged by the discovery of numerous zero-day flaws, and there is growing concern that Apple isn’t doing enough to make Mac OS X safe.
In July, it was reported that the company had known about major vulnerabilities for eight months yet did nothing, and earlier this month the discovery of two major threats brought fresh scrutiny of Apple’s approach. One of the bugs, the DYLD_PRINT_TO_FILE vulnerability, has now been fixed, but experts couldn’t see any patches that mitigate the Thunderstrike 2 attack detailed at Black Hat.
So what does this mean for businesses, and is Apple doing enough to secure its customers?
David Flower, managing director Bit9 + Carbon Black EMEA
“One of the main issues for Apple OS X is that Mac endpoint security in the enterprise lags behind that for Windows. Despite the fact that Mac OS X is becoming increasingly popular for enterprises, there are still significantly fewer security solutions available to protect it. The built-in security mechanisms for Macs are as good as those for Windows, but to combat today’s advanced threats, the ecosystem needs to be stronger.
“Currently, most security solutions in the Mac ecosystem are signature-based, which just isn’t sufficient for dealing with advanced threats. Signature-based defence works well against known, documented threats, but just can’t handle today’s Advanced Persistent Threats (APTs) such as Dyre or Panda Emissary.
“In light of this, it’s crucial that companies bear in mind that hackers are deliberately targeting them. As such, they’ll be looking for any vulnerabilities or weak links in the security chain. Despite being less familiar with Mac endpoints than they are with Windows, they may well target them because there just isn’t as much security to bypass.”
TK Keanini, CTO at Lancope
“When species are put into a hostile environment, they learn to thrive through adaptation or they die. Apple is not going to die but they are adapting and quickly. Unlike other OS’s on the marketplace, a lot of Apple’s OS is open source and thus open for scrutiny and ultimately security issues are found and fixed in a timely manner.
“This quick adaptation applies to all software companies and everyone, not just Apple, needs to move faster in response to responsible disclosure. I’d like to see a better bug bounty program out of their efforts and other best practices that make disclosure like this a part of the quality programs and business processes.
“Everything is relative and honestly, nothing is safe – or should I say what is safe today could be unsafe tomorrow. We cannot think of safe or unsafe as a state, we need to think of it as a process. Even if at one point OS X was safer, when new research is presented like this it is no longer safe until it is fixed and then we are back to safe again. Conferences like BlackHat/DEFCON and a few others almost make these disclosures seasonal because the top researchers time their disclosures for these yearly events, even if privately they may have already disclosed the issue to the vendor directly. August is always a big season for vulnerability disclosure and vendors need to be ready – the attackers certainly are leveraging this information.”
Graham Cluley, security expert
“There are some very smart people out there who are very good at finding vulnerabilities in Apple’s software. The good news is that some of them aren’t in the business of exploiting the vulnerabilities for criminal commercial gain, and aren’t in the pocket of foreign governments and intelligence agencies. Some of them genuinely want to improve security, and believe they are performing a valuable service by raising awareness of security vulnerabilities that really should be fixed.
“Sure, some of these security researchers quite enjoy the limelight, and like to show off how clever they have been, and some of them might have very strongly held views about the quality of code being written in Cupertino, and Apple’s tardiness in patching.
“But none of that matters to the millions of Mac and Macbook users around the world. They simply want to know that their systems are secure and not at risk. Apple has tried to close the security holes exploited in these firmware attacks in the past, and yet researchers keep finding more vulnerabilities.
“The really bad news is that Apple isn’t doing enough to work with these researchers, and could be doing much more to ensure that their discoveries are only made public when a fix is available.
“Other technology companies are offering sizeable bug bounties to researchers who work with them to uncover security holes, whereas Apple — one of the richest companies in the world — doesn’t even bother to dangle the carrot of a $10 iTunes voucher, preferring to name bug reporters on a “hall of fame” page instead.”
Dr Steven Furnell, Institute of Electrical and Electronics Engineers (IEEE)
“Historically the Mac has found itself getting very little attention relative to Windows PCs, and this has helped to support the perception that it is more secure. However, such things are not static. Anyone who remembers back a few years may recall that Apple’s marketing would quite openly suggest that you would not get virus problems on a Mac. They don’t say that any more.
“While Apple has acted to address problems (e.g. adding more explicit malware protection within OS X), their responsiveness needs to keep pace with the growing nature of the threats against their platforms.
“The fact that Mac-based attacks still make headlines because they are Mac-based attacks shows that incidents targeting the platform remain relatively rare. So, overall I think it is still safer, insofar as it still gets less attention, but safer doesn’t mean immune.”
Rich Mogull, Mac security expert, reporting for Tidbits
“Nearly everyone can ignore Thunderstrike 2 entirely. The research really is excellent, compelling work that the Wired piece unfortunately turned into a bit of a fright-fest. The Web attack vector, in particular, is blocked in OS X 10.10.4. The worm can’t automatically jump air gaps — those in sensitive environments can easily protect themselves by being careful where they source their Thunderbolt devices, and this entire family of firmware attacks is likely to become a lot more difficult as hardware improves, and as device manufacturers update their firmware code.
“I have no doubt similar attacks will continue to be used, especially against high-value targets, but the economics make it highly unlikely this is something we will ever see used at scale against consumers.”