Do automatic OS X security updates signal a sea change at Apple?

Perhaps Apple was hoping nobody would notice the somewhat subtle changes in the language on its "Why you'll love a Mac" webpage. After all, "It doesn't get PC viruses" and "It's built to be safe" are both reassuring messages. Not all that much difference between "Safeguard your data. By doing nothing," and "Safety. Built right in," right?

Wrong. Security experts, starting with Graham Cluley of Sophos, noticed it, broadcast it and pronounced it a very big deal. Writing on Sophos' Naked Security blog, Cluley pointed out the changes and surmised that since "one particular piece of Mac malware [the Flashback botnet] had infected 600,000 Macs worldwide, including 274 in Cupertino," the claim that Macs don't get viruses, PC or otherwise, was seriously compromised.

"People in glass houses shouldn't throw stones," Cluley wrote, adding that the tweaking of the wording, along with the company mentioning malware at a WWDC keynote address, amounted to "some important baby steps" in acknowledging that Mac malware is a reality and that Apple customers must do more than "nothing" to keep their machines safe.

Preston Gralla noted at Computerworld: "That marketing change may not strike you as substantial, but coming from Apple, it's a big deal. Apple has long denied any security problems with the Mac, detailed evidence to the contrary."

Other Apple critics gleefully piled on. Mihaita Bamburic, writing at BetaNews, said what he and others have been saying for years: The only reason Macs have been "safer" is because they are not as large a target.

"The Apple world, due to their irrelevance on the market -- around 10% PC share in the United States, less than 5% worldwide, according to Gartner and IDC -- hasn't gotten much attention from the bad guys," Bamburic wrote, and then mocked the language change. "What does Apple do in light of all this? No apologies, as it's too embarrassing. They quietly (like running through a room full of people thinking no one's going to notice) change their security motto."

But once the "we-told-you-so" chorus subsides, the more relevant question for millions of users is whether this "quiet" change in terminology signals a change in action. Is Apple going to take security more seriously?

Based on breaking news about Apple's newest OS X, Mountain Lion, and other recent events, the answer seems to be a qualified "yes." MacRumors reported Monday that the new system will have significant security improvements that follow Microsoft's lead: It will check for security updates daily instead of weekly, and will install them automatically.

Gregg Keizer reported at Computerworld: "Apple also said it beefed up the security of the connections between customers' Macs and its update servers, hinting at the same kind of improvement in encryption that Microsoft made this month after Flame, an advanced super-spy kit, was found to fake Windows Update downloads."

But, of course, that still leaves millions of Mac users -- the ones who will not be running Mountain Lion -- to install updates themselves, after they're notified.

Edy Almer, vice president at security software vendor Wave Systems, said he thinks the debate over PC vs. Mac security "misses the larger point: There are many security actions from both sides that have greatly improved the security posture of their respective [OSes]."

Almer cites Apple's tight control of iTunes applications and adds: "The introduction of an app store proved immensely helpful in mitigating the risk of infection from malware. Microsoft mimicked this with its Win8RT model -- a much stricter lockdown of what can be installed and controlled through the app store."

And he notes that Apple has followed Microsoft's lead in the past as well: "The native FDE offering of BitLocker was later imitated with the introduction of FileVault2 in OS X Lion," he said, but adds that those improvements simply make the need more obvious for independent security software.

On another front, Brian Krebs, a former Washington Post reporter and author of the blog Krebs on Security, has criticized Apple for years for taking far too long to fix known security holes. In a 2009 blog at the Post, he reported, "I have reviewed the last three Java updates that Apple shipped during the past 18 months, and found that Apple patched Java flaws on average about 166 days after Sun (Microsystems) had shipped its own patch to fix the same vulnerabilities."

But in a post earlier this month, Krebs was more complimentary, noting that Apple had shipped a software update for Java on the same day as Oracle, the official producer of Java -- a vast improvement from "consistently [lagging] months behind Oracle in fixing security bugs."

"It seems that Apple learned a thing or two from that [the Flashback] incident," Krebs wrote.

However, Krebs told CSO that while he suspects Apple wishes it had moved more quickly with the earlier Java patches, "it remains unclear how or if this incident has caused the company to take other such risks more seriously, or if indeed it has served to make Apple's attitudes toward security any less opaque."

Blake Turrentine, of HotWAN and a trainer for Black Hat, said he hasn't seen a shift. He said he has a difficult time finding antivirus products in Apple stores. "When I talk to one of those folks in the blue shirts, I ask them where's the antivirus software," he said. "Their 'programmed' answer is that Macs don't get viruses, they may get malware. Often they tell me they've been running without antivirus on their own personal systems for years and never had a problem."

"I guess ignorance is bliss when you're an unsuspecting player in a botnet," Turrentine said. "Forget that your shiny new Mac is shipped from China."
