Apple's Big 5 Security Failures

In its ads, Apple may tout better security than Microsoft, but a number of well-known security pros say that the company isn't doing enough to keep Mac users safe. And now one of those security pros warns about five ways that Apple has failed on security --- and recommends five fixes.

Rich Mogull, a well-known security consultant and founder of the security firm Securosis, warns on his blog that although

"It's clear that Apple considers security important...the company also struggles to execute effectively when faced with security challenges"

He points out, for example, that Apple has yet to patch a five-month-old Java security hole that has been fixed on other platforms, including Windows and Linux.

Mogull points out five ways that Apple has fallen short on security, and has these five recommended fixes.

Appoint and empower a Chief Security Officer (CSO)

Mogull points out that "Apple currently lacks both a public face for their security efforts and a single internal executive dedicated to security." He recommends appointing a single CSO to fulfill both roles --- and making sure that the CSO is given true authority to get things done, rather than being a mere figurehead. He concludes:

"None of this will work if the CSO is merely a figurehead, and this must be an executive management position with the budget, staff, and authority to get the job done. Ideally, the CSO will be a member of the inner circle of Apple executives that drives the company forward, so as to avoid the position becoming marginalized in company politics."

Adopt a secure software development program

Apple, he says, has yet to integrate security into its development work. He concludes:

"Based on a variety of sources, we know that Apple does not have a formal security program, and as such fails to catch vulnerabilities that would otherwise be prevented before product releases.

"To address this lack, Apple should integrate secure software development into all internal development efforts. This includes programmer training, development standards, design requirements, threat modeling, code review, use of security testing tools, specialized pre-release testing, and root cause analysis for post-release bugs."

Establish a security response team

Mogull notes that although Apple has individual security engineers, it has no single security response team devoted "to manage externally reported vulnerabilities or other security issues in a consistent and coherent fashion."

Such a team, he concludes, would allow Apple to fix flaws much more quickly, particularly those having to do with third-party software.

Manage vulnerabilities in included third-party software

Apple really falls short here, he concludes. He warns:

"one of Apple's most significant security problems is patching versions of third-party software (much of it open source) included in Apple products. Apple has a history of patching these components long after fixes are released on other platforms (examples include Java, Samba, Apache, and DNS, and even Apple's own open-source WebKit and mDNS).

"This is more than merely a roadmap for an attacker, it's an unimpeded highway straight to your desktop. For example, the world's most popular free penetration testing (hacking) tool, Metasploit, can now target Mac OS X specifically, and functional attacks (for any platform) are typically available for Metasploit only hours or days after new patches are released."

His conclusion: "As the barriers to exploiting new vulnerabilities continue to drop, Apple absolutely can't afford to leave its customers exposed."

Complete the implementation of anti-exploitation technologies

Even the best security in the world can't fix every security vulnerability. So an operating system needs to build in anti-exploitation technologies that fight against inevitable security holes.

He points out that Microsoft has already been doing this, and says that Apple should as well. In fact, he believes that Apple may be even better positioned than Microsoft to do this:

"As Microsoft is learning, it's also important to enforce these controls in individual applications, not just the operating system, so a single Web browser plug-in like Flash or Java can't circumvent anti-exploitation technologies. Apple is in a stronger position to enforce these rules than Microsoft, thus better protecting Mac and iPhone users. Rumor is we may see some of these advances in the upcoming Snow Leopard release of Mac OS X, which would be a positive development."

By the way, Mogull doesn't argue that using a Mac is unsafe. Quite the contrary. But he does warn that that may change. In his blog he concludes:

"It's inarguable that using Apple products today is currently a relatively safe experience, but there are early signs that if Apple doesn't start to do a better job with security policies and architecture, we customers may be at greater risk down the road."
