Apple's security code of silence: a big problem

Security industry insiders have long known that the Mac platform has its holes. The Flashback trojan is the first in-the-wild issue that's confirmed this, and big time. More will follow unless Apple steps up its game.

(Credit: James Martin/CNET)

Apple has cultivated a myth about security on the Mac platform. The myth goes like this: Apple users don't need antivirus software. They're more secure than anyone out there. Security worries are overblown.

In reality, Apple practiced security by obscurity with the Mac.

Those days may be ending in a hurry. Apple's relative silence about malware is going to have to end as the company finds itself managing a large ecosystem, noted ZDNet US's Ed Bott. Delivering massive security updates during product launches and software roll-outs just isn't going to cut it.

The Flashback virus has infected more than 600,000 Macs. These Mac users didn't fall prey to snazzy social engineering or any real work at all. Russian antivirus company Dr.Web noted that Flashback exploited a security hole in Java to silently attack Mac OS X systems. Flashback was discovered in September 2011 as a fake Adobe Flash Player, and has morphed into attacking Java. Apple has been belatedly patching Java.

What's the problem here? Apple likes to pretend that its security is superior. The reality is that Apple hasn't had the market share to matter. That's quickly changing, since the Mac platform is outgrowing PCs. Meanwhile, enterprises are adopting Macs, too. As these Macs go corporate, the honey pot looks a lot sweeter to hackers.

It's possible that Apple CEO Tim Cook will hit the security issue head on, like he tackled the supply-chain flap. In either case, Apple has to step up its security game. It can't: a) thump its chest about security and invite hackers; and b) pretend that there's nothing to worry about. As these attacks continue over time, Apple may be forced to have its big security "ah-ha" moment, just like Microsoft did.

Here's how Apple's silence on security contributes to the problem:

  • Apple doesn't allow Oracle to patch Java. The latest round of malware could have been avoided with faster patching. Since Apple likes to control its patching, it is often behind. The window of exposure on the Mac platform is longer. The easy fix here is to let Oracle do the patching.

  • Apple has a rudimentary antivirus update utility that's updated with signatures only when there's a big enough threat. Apple knew about Flashback, which has been pointed out by security researchers, but didn't ship an update.

  • Apple users have no idea whether they are infected, and don't know how to search. Why would they know? Apple has told them there are no viruses on the Mac. This false sense of security is the primary reason why Apple needs to start talking. Apple users are smug about security.

  • Antivirus vendors can't provide protection to the Mac, because users don't think they are needed.

Security industry insiders have known that the Mac platform has its holes, but Flashback is the first in-the-wild issue that's confirmed and big. More will follow, unless Apple becomes more proactive.

Via CNET



Add Your Comment

Avatar
 

Be the first to comment on this story!


Post comment as


Sponsored Links

Recently Viewed Products