Will Flashback hurt Macs in the enterprise?

If anybody still thought Apple devices were bulletproof, the Flashback drive-by episode last month should have provided the needed reality check.

However, is the company really as out of the loop on security as some of its critics contend? Is it "10 years behind Microsoft in terms of security," as Kaspersky Labs' Eugene Kaspersky famously said recently?

And do its vulnerabilities, exaggerated or not, mean it is at risk of losing market share in the enterprise, where many businesses might have been persuaded to use Apple desktop and mobile devices in part because of the company's demonstrably false claim that they don't get viruses?

Probably not, at least not right now.

"I don't think enterprises buy Macs because they perceive them as being inherently more secure," said Roger Thompson, chief emerging threats researcher at ICSA Labs.

His colleague at ICSA, anti-malcode program manager Andy Hayter, said corporations should be more sophisticated than the average individual user and "should have protected Mac computers by now, knowing there is plenty of malware that can cross platforms."

Edy Almer, a vice president at Wave Systems, said: "Apple never relied directly on business users. What would likely happen is increased awareness in IT that Macs are corporate devices and need the full IT suite -- systems management, security, backup, encryption and DLP just like any other endpoint."

[Bill Brenner on Salted Hash: Apple's Mac OS X NEVER had superior security]

John Linkous, vice president, and chief security and compliance officer at eIQnetworks, agrees that Flashback, which is said to have infected at least 600,000 Macs, is unlikely to affect enterprise interest in Macs.

"But it might give them second thoughts around mobile technology [iPhone, iPad]," he said. "That's where you're seeing greatest adoptions of Apple devices. One of the key things they'll ask themselves is how are they going to manage these things."

And in comment threads following stories about Kaspersky's comments, Apple owners are as fiercely loyal as they have always been. Some of them, like one called "gavernmusic," claim that it is all a conspiracy by antivirus vendors.

"You can bet that it's a Microsoft-related affiliate that designs the viruses," gavernmusic wrote.

Another, going by the handle "cozmot," wonders: "If their [Kaspersky's] AV software is so great, why do computers that use it still get infected with viruses and malware?"

Build it and (hackers) will come

Still, more sober voices say that Apple does need to do more to get its security house in order, if it wants to continue the explosive growth that has fueled its profits and stock price in recent years.

Ed Bott wrote at ZDNet this past weekend that Apple must confront "one of those great ironies of technology -- an increased incidence of malware is a sign that your product has been a success in the market."

Bott says Apple is far too slow to deliver updates. He notes that its update to fix the Java security hole [exploited by Flashback] was released April 3. That was 49 days after Oracle released the Java SE 6 Update 31 for all other platforms.

Jonathan Zdziarski, author of "Hacking and Securing iOS Applications," told SecurityNewsDaily that "Some iOS (which runs iPhone, iPad and iPod) attacks from the past took months to fix. The [iPhone] jailbreak community had fixes out for users before Apple did. That's shameful."

Bott says the company offers no automatic update options, only provides updates for the current and immediately preceding versions of the operating system, and doesn't communicate well. Apple didn't issue a public statement about Flashback until April 14.

'Reality distortion field' resurfaces

Linkous says Apple's lack of communication is legendary, and is reminiscent of the "reality distortion field" that the company's late founder, Steve Jobs, was said to be able to project to developers working on the Macintosh.

"They think, 'If we don't tell the customer, it doesn't exist, and they won't worry about it,'" Linkous said. "But that's antithetical to good information security."

Security expert and blogger Brian Krebs is another who says that slow response and a lack of communication are typical of Apple. "In 2009, I examined Apple's patch delays on Java and found that the company patched Java flaws on average about six months after official releases were made available by then-Java maintainer Sun," Krebs wrote on April 4, the day after Apple released its update.

So while corporate leaders don't expect Apple products to be immune from attacks, they do expect the company to take threats seriously, to address them quickly and to be transparent about confronting those threats and educating their customers.

ICSA's Thompson says he thinks Apple devices are generally secure, but are not invulnerable. "Every year, a fully patched Mac seems to fall quickly at CanSec West," he said, adding that, "Mac users simply need to understand the risks, and be sensible."

"To paraphrase Obi Wan Kenobi, 'We will never find a more wretched hive of scum and villainy than the Internet. We must be cautious,'" Thompson said.


Stories by Taylor Armerding
