Apple Scrutinized Over [In]Security

By Michael Flanakin @ 11:41 AM :: Technology, Microsoft

Finally! It's about time Apple's security gets some true scrutiny. Of course, this is only the beginning. The first sign of the Apple security apocalypse could probably be considered the fact that, as of May 2007, Apple has released five sets of security patches for Mac OS X -- three with patch counts in the double-digits and a grand total of over 100 security holes patched in 5 months. Sure, it sounds like a good accomplishment, but the problem is the fact that there were that many holes to begin with. How secure does that sound?

The next sign is the one that I'm very glad to see, which I think will bring more doubt Apple's way... Within hours of releasing Safari for Windows, Apple's web browser, the security community came alive with reports of vulnerabilities (1, 2, 3). And no, these weren't Windows vulnerabilities. Beyond that, don't let the "beta" moniker fool you. Most of these vulnerabilities are true to the existing Safari release on Mac OS X, as well. And we can't forget to mention the claim that, "Apple engineers designed Safari to be secure from day one." Let's ponder that for a second... Some of my favorite quotes include: "These [vulnerabilities] are popping out like hotcakes" and "...which rock did Safari developers hide under for the past 8 years or so?" That latter remark was made about a vulnerability which has been known since 1997, to give you a frame of reference for the quality of the security that was "designed since day one." Luckily, Apple was pretty quick to fix these vulnerabilities -- supposedly fixing in days what usually takes them weeks or months to fix. However, despite their best efforts to plug the leaks, their newly "secured" release came with its own set of holes. When will it stop? Perhaps Apple's engineers should take a course at Microsoft on the Security Development Lifecycle (book).

Perhaps the highlight of my day was when I listened to Mac Break Weekly episode 45, when Leo Laporte said, "you're now in a Windows environment and all the hackers are looking at you," and, "maybe [the] people [who] have been saying Apple is secure by obscurity might be right." Exactly! This is what I've always said, so it's nice to see someone who is perhaps from the other side acknowledge it -- actually, Leo is pretty good at playing the line. The truth of the matter is that the tools security researchers use to find these vulnerabilities are built for Windows, not Mac OS X. So, of course nobody's going to find the vulnerabilities until they cross that road over into the Windows world. This just makes me curious as to whether hackers will shift focus to Mac OS X since the security veil has been lifted. I have to say I think Apple is most likely ripe for the picking. I'm not saying Mac OS X users are wide-open, I'm just saying they have a false sense of security and it's about time that's come to light. What was really funny about the MBW episode was that just about everyone shut up when Leo started talking. I couldn't help but smile at that.

The only thing left to mention is that this is more fuel for Dino Dai Zovi's fire: "I have to be much better overall in Vista than Mac OS X 10.4." He's not the only one, tho. It looks like David Maynor is saying the same thing: "Windows Vista is more secure than Mac OS X 10.4.8." Perhaps the best part is the follow-on sentence, "Anybody that tells you anything different should immediately be treated with the same disdain as finding a parking ticket on your car." To put it another way, he later states, "[Mac OS X] is definitely NOT as fundamentally secure as Vista." David also mentioned another quote, but I'm not sure if it's his or someone else's...

Nowadays, security guys break the Mac every single day. Every single day, they come out with a total exploit, your machine can be taken over totally. I dare anybody to do that once a month on the Windows machine.

With all that said, I do have to say that I'm not cheering on flailing security. I merely think Mac OS X users need to be aware of the fact that they aren't as secure as they think they are. Yes, Mac OS X users are less likely to get viruses and what not, but that's merely because of the fact that there are more Windows users, so Windows is more "profitable" to attack. Hell, I'd even say the same about Linux. I'm not saying that Linux is insecure, but it's not getting the same attention Windows gets, so I just don't think it's easy to compare each system's security. Too many people make blanket statements they can't justify.