Apple Asks Security Experts To Examine OS X Lion

An anonymous reader writes "For as much as Mac OS X has a reputation for being safer than Windows, security researchers won't hesitate to point out that the opposite is, in fact, true. But Apple's looking to change that. This past Thursday, Apple doled out a beta of OS X Lion to developers. In conjunction with that, Apple is also reaching out to noted security experts and offering them free previews of OS X 10.7 so that they can take a look at Apple's new security measures and reach back to Apple with any thoughts and concerns they might have. Indeed, Apple is becoming a lot more security conscious these days, not only in terms of reaching out to security researchers but also in its personnel hires."

Am I reading this correctly?

as much as Mac OS X has a reputation for being safer than Windows, security researchers won't hesitate to point out that the opposite is, in fact, true.

I'm sorry, what? Windows is "safer" than OS X? "In fact"?

Re:Am I reading this correctly?

If Apple changes its security culture, it could mean big things for Apple in corporate environments.

I don't think I'll live to see the day that I hear, "Nobody ever got fired for buying Apple," like I've heard for both IBM and Microsoft.

Corporations buy the OS that the applications run on. Period. Security will forever be a redheaded stepchild.

Re:Am I reading this correctly?

Pwn2Own has never been about "which is more secure". It's *always* been about glory and headlines. It's also been said at least twice (2009 and 2010) that a primary motivation for hacking the Macbook was because it was considered more valuable.

Want to see which is the most secure OS? Hook a Win 7, OS X, and standard Linux install (let's say Ubuntu) up to an unfiltered network port and see which drops first.

Re:Am I reading this correctly?

[Cheech+Wizard]

I've been hearing "The only reason every Mac isn't infested with malware is that they're not a big enough chunk of the market for it to be worth the effort." for so many years the effect has worn off. Year after year - You know, it really gets old hearing that excuse. If that really is the case, I hope it continues.

Re:Am I reading this correctly?

[Anubis+IV]

So it may be less secure. That doesn't mean that it isn't safer. If I had an unlocked house in the middle of the countryside with no one else around, I'd be safe, but not secure. If I had an apartment in the ghetto with with bars on the windows and locks on the doors, I'd be secure, but hardly safe. Granted, the situations aren't that extreme here, but it bugs me when people conflate the two. While I don't believe that security through obscurity is solely responsible for the general lack of Mac malware, there definitely are less people making an effort at exploiting it compared to Windows.

Re:Am I reading this correctly?

And they will still be saying that when/if Mac reaches 49% of the market. "It's less than half of the computers sold, not a big enough target".

Re:Am I reading this correctly?

[PsychoSlashDot]

I've been hearing "The only reason every Mac isn't infested with malware is that they're not a big enough chunk of the market for it to be worth the effort." for so many years the effect has worn off. Year after year - You know, it really gets old hearing that excuse. If that really is the case, I hope it continues.

I completely sympathize. I've become tired of the same old excuses why faster-than-light travel isn't possible, just like you and the Apple malware thing. I mean, come on. Why don't they come up with new material?

10% of the personal computing market is Apple. That's it. Now, sure some of the remaining 90% aren't running Windows, but we know that since 2011 is The Year of Linux, the conversion isn't complete, so as of today the majority are.

Some excuses are repeated because they're... valid.

Re:Am I reading this correctly?

[gig]

Yeah, it is fucking ridiculous.

Windows is a tire fire of botnets and viruses. There are banks who give free iPads to their high value transaction customers so their money transfers don't end up in a malware author's account.

Charlie Miller, the guy who wins the Mac every year at pwn to own, recommends users buy Macs and refuse to install FlashPlayer if they want to be as safe as possible. Just the fact that Mac OS X no longer comes with FlashPlayer and Java reduces the attack surface.

I mean, just Unix and Software Update alone are better advantages than anything Windows has. It doesn't matter that Windows 7 has some tricks the Mac doesn't have when Windows 7 runs 80% of XP malware.

I have friends who take their Windows machine in twice a year to get malware cleaned off it. How can that possibly be safer than a platform that has no viruses?

And 90% of Mac users are using the latest version and receive patches automatically from Apple within a week. More than half of Windows users are on XP. It is pathetic.

> Apple is historically months
> behind in patching publicly
> disclosed vulnerabilities
> in core libraries they share
> with other Unix-like systems

First, we're talking about fucking Windows, not other Unix.

Apple is slower in deploying a patch than other Unix because it has to work for non-technical users, but then the patch goes out to 90% of the community within a week via their automatic Software Update system, and almost the entire 100% within a month. That removes the incentive to create a commercial exploit. There just aren't going to be enough users to exploit. On Windows, most machines are not up to date on their patches. It's results that matter — % of platform patched, value of exploits lowered — not just how fast you create a patch.

> Java

Mac OS X Lion does not ship with Java, and the Java that runs on it is made by Oracle.

Are you saying you recommend Windows over Mac to a non-technical user?

Even recommending another Unix to a Mac user is ridiculous, because they are not going to know how to patch it.

Really, the nerd-blindness in your comment is disheartening. Be practical.

Re:Am I reading this correctly?

[99BottlesOfBeerInMyF]

Apple is historically months behind in patching publicly disclosed vulnerabilities in core libraries they share with other Unix-like systems (Samba and Java are two key examples).

This is interesting because as of Lion, Apple isn't maintaining a JVM. Samba isn't even running by default. That doesn't mean it isn't an issue, but it also doesn't mean OS X is particularly vulnerable as a desktop as a result. The small number of exposed services makes many of those potential vulnerabilities fairly moot. Add onto that the default sandboxing for some services and the increased use in the next version, probably has a lot more real world impact than rate up updating libraries that are not exposed on the majority of users' systems. For example, the zeroconf daemon exploits a few years ago were problematic on numerous OS's but were completely ineffective against OS X because of the MAC sanboxing.

Overall code robustness is abysmal in any Apple product I've assessed--they fall over with trivial fuzzing or a few hours of analysis.

It seems like some Apple products are really hit and miss in this regard. Some of the developers are very security conscious and some seem to give little or no thought to security at all.

They're an absolute pain in the ass to deal with when trying to resolve a responsibly reported vulnerability: they often don't seem to have qualified people triaging inbound reports, and when they do finally acknowledge the correct severity of a reported issue it can take years before they finally push out a fix.

That has not been my experience. My former company submitted a small number of vulnerabilities to Apple through the public facing bug report system, and they were reasonably responsive, replying within a week or two and doing a good job of crediting us with the fix in the next security patch.

And to top it all off, their core security counter-measures (e.g. ASLR and NX) are useless as anything more than marketing fluff because they're not implemented consistently.

Their NX is well implemented from my understanding. Did you have a specific complaint about it? ASLR is only applied to libraries, but is applied widely in Lion. The sandboxing is well implemented but not ubiquitous and is more widely applied to userspace apps in Lion (we'll see how far). The malware detection is half assed and I've heard nothing about improvements in Lion. But it sounds like most of your complaints in this regard are already on the table in Lion.

The only reason every Mac isn't infested with malware is that they're not a big enough chunk of the market for it to be worth the effort.

You are way, way, way oversimplifying. Their market share is plenty to be attractive. Not having to fight other bot operators over the Mac market share would be very profitable. There are worms now with dozens of different Windows attacks fighting over the small share of vulnerable Windows systems, adding macs to that would be a considerable increase. Also, if you work in network security you are no doubt aware of the trend towards malware that mines data such as account info and credit card and bank account info. Macs would be a goldmine in that regard. Rather, I think OS X's lack of exploitation has to do with good choices for default services, some sandboxing, lack of malware author familiarity with non-windows development, and failure to properly create multi-vector worms that contain OS X attacks in conjunction with Windows attacks. Market share alone does not explain what we see in the wild.

If they ever cross the magic 15% threshold they're in for a very rude awakening.

People said the same thing with 5% and 10%. Part of the joy of arbitrary goalposts in internet forums is the lack of accountability. They're so easy to shift over time... unless, of course, you have specific reasons and data to suggest why 15% would be the specific number we need to consider.

Re:Am I reading this correctly?

[node+3]

I'm telling you, no matter what Charlie says, and no matter what the theory behind which is more secure or not is, the 100% truth is that Macs are significantly more secure in practice, which is all that matters for the user.

Re:Am I reading this correctly?

[Kitkoan]

Look Node, you can tell me what you wish and believe whatever you wish. The facts have shown the opposite of what you wish to believe here. They showed that Macs are less secure, with showing how they are less secure and you are more then welcome to try to rephrase, alter and/or change anything you wish but it won't change the facts that have been laid bare before you.

As I mentioned in my other post, if you wish to still state otherwise, please show something to back it up. Your answers to every post have been your own claims with nothing to back it up, which amounts to nothing when compared to the facts. If you wish for me to take you seriously, you'll have something to back it up that is a creditable source (no random posts of someone making random claims). I've shown Charlie Miller who has a track record of 3 years showing the weakness of the Mac OS and his experience of this as my facts, I should be able to honestly expect something along these lines from you if you are correct in your statements about the Mac OS's security. If the Mac OS is as secure as you are claiming, then you should be able to find many, MANY security-backgrounded people who will agree with you.

Re:Why did they wait until now?

I'm certain they have their own internal security experts, but if they were going to reach out to outside experts, they should have done it a lot sooner.

Mac OS X Lion was only released to developers this last Thursday. Bringing in security people to look at it earlier than that would require putting them under NDAs, which makes them effectively insiders and defeats the purpose of getting outsiders to look at it (i.e. peer review and sharing research results with other researchers).

I know that Slashdotters assert Apple as evil, but good grief, rein in the jingoism, please.

Re:"that the opposite is, in fact, true"

[Gaygirlie]

Have any quotes or links to back that up, Mr. Submitter?

Why would the submitter need to provide those? It's not his claim, it's a direct quote from the article itself.

And yes, among security researchers the general consensus indeed does seem that OSX is quite poor from security standpoint and I applaud Apple on their efforts in trying to beefen it up. It's hard to point one to some direct quotes on this as it's mostly just a comment here or there, but here's atleast two links:

http://www.techrepublic.com/blog/security/security-vs-popularity/4403
http://pcworld.about.com/od/securit1/The-Truth-About-Apple-Securit.htm

Re:The opposite???

[simoncpu+was+here]

Work in a place with 1500+ mac's and it's hell

Work in a place with 1500+ Mac users and it's hell. There, fix that for you.

Metric that counts

[cratermoon]

Here's the only metric that really counts in my book.

If you've ever done desktop support for your friends and family, count up the times you've had to go in and clean up a rooted, malware-laden mess on Windows, either by running a full, time-consuming, malware scan and removal, or just doing a reformat and reinstall. Now do the same thing for your OS X user friends. Adjust for market share and compare the numbers.

Yeah, brb, going over to friend's house for free beer after I fix his Windows infection.

market share

[Gary+W.+Longsine]

Roughly 10% of the total PC market is Apple. Apple has roughly 0% (zero percent) of the enterprise PC market, which is roughly half of the overall PC market (the number of installed systems is smaller than the consumer market, but consumers tend to refresh less often). So, Apple apparently has about 20% of the consumer market these days.

There are automated, automatically propagating exploits for obscure BBS systems, for IIS back when it was a tiny sliver of the web server market, for data base systems installed on a tiny fraction of web servers, in numbers utterly dwarfed by the installations of a single model of MacBook Pro.

What's it gonna take for y'all to give up on the "market share" ghost?