Has Apple Lost Its Security Shine?

With the latest large sets of security patches and an alleged wireless driver vulnerability, Mac OS X no longer seems invincible. Our expert delves into the real threats in the

September 18, 2006

9 Min Read
NetworkComputing logo in a gray background | NetworkComputing

First, there was Apple's massive May security update, which patched more than 40 vulnerabilities in Mac OS X and QuickTime. Then the company patched 26 more vulnerabilities in August. Almost simultaneously, security researchers took advantage of a wireless driver vulnerability to hack into a MacBook at this year's Black Hat conference.

What's going on here? Is the shine off Mac OS X? Is a raft of Windows-level security issues on the way for the secure-OS darling?

Relax, that's not about to happen. For starters, the MacBook that the security researchers hacked into was modified: The vulnerable driver was for a third-party wireless access device, not the AirPort card that's built into the MacBook.

While you should never be blasé or deliberately ignorant of security issues, the fact is, OS X is as secure as it ever was. What you're seeing is the natural evolution of the operating system's security as it becomes more popular.

Windows Security Vs. Mac Security

Mac OS X is, out of the box, a very secure OS. It is, however, not magically secure. While some Mac users like to propagate the myth of "Mac OS X's perfect security," the fact is that like any other well-designed OS, Mac OS X is highly resistant, but not invulnerable, to attack.

This is not to say that it's as bad as Windows at its worst. Early on in the history of Windows NT 4, Microsoft Office, and Internet Explorer, Microsoft made some decisions that, while not terrible from a user's point of view, created the nigh-crippling problems you see with Windows today. The worst of these is the administrator account in Windows, and the reliance of too many software packages on that account. The Windows administrator account is essentially the same as the all-powerful root account on Unix -- there are no files the administrator can't access and no actions the administrator can't perform -- and it's the default account on every version of NT through XP. So once you're running as root, then you're...well...root. There's nothing you can't do, and you aren't going to even get a warning about it.

The insecurity of this is exacerbated by Windows' very bad habit of, until fairly recently, not even asking for a password on the Administrator account. Auto-logon as root, no password needed. There aren't enough letters in the phrase "That's a Very Bad Idea" to adequately communicate the "bad idea-ness" of this bad idea. So if malware gets into your system, then it is running as root. There's very little any OS can do to stop a software process running with that kind of authority.

Apple has never done this. A user who is an "administrator" is not even close to root, but rather is a part of the OS "admin" group. That means that, if needed, the user can authenticate and run processes as root, but is not root on an ongoing basis. In fact, on Mac OS X, the ability to log on as root is disabled, and positive steps must be taken to enable this feature.

It's worth noting that Microsoft has taken a page from Apple in its upcoming Windows Vista operating system: When that OS is released next year, users will not be logged in as administrator/root by default.

So Why All The Patches?
The Mac security alerts and patches you're seeing lately are not a sign that Apple is flubbing the security of the OS, but rather that more people are taking OS X's security seriously and actively looking for vulnerabilities so that Apple can patch them. This was, ironically, predicted by Symantec in a much reviled security review paper back in 2005. In that Internet Security Threat Report, Symantec predicted that as Mac OS X becomes more popular, there will be more people looking for vulnerabilities in that OS (for good and ill), and so of course there will be an upswing in the number of vulnerabilities found. That's what you're seeing today.

This is not an inherently bad thing. It can be unsettling, but it's the best way to reduce vulnerabilities. If the only people looking for holes in Mac OS X were Apple employees, the OS would be a lot less secure. Vulnerabilities are not exploits. They're potential avenues for exploits, which is why it's critical that you keep your system up to date.

The truth is, all the malware for Mac OS X thus far has been rather lame, and not much of a danger to anyone who practices a few common-sense steps. The real threats in the Mac world are complacency and foolish behavior on the part of users.

Protecting Yourself
While Mac OS X is quite secure out of the box, there are some easy things that you can do to keep yourself safe.

1. Stay away from the Sharing preference pane unless you need to share files. Simply stated, unless you need to share files with someone, don't enable file sharing. This is a really easy step to take: Do nothing. By default, all sharing services are disabled in Mac OS X. Leave them that way. It's rather hard for an attacker to transfer files to your machine if you never open the file transfer pathways.

If you're not sure as to whether you need to enable sharing, I have a general guideline that can help: If I have to ask, "Should I do this?" the answer is "no." If I need to do something, then I'll be sure of it. I find this a solid guide even for my own use, and I've been in the tech field for 20 or so years.

In the two images below, you can see the default, secure sharing settings. If you've turned any sharing services on, and you're not sure they should still be on, here's what you should see when they're all turned off. (The Sharing dialog box is the first thing you see in the Sharing Preference Pane in System Preferences.)

2. Don't download strange software. That's not to say "never download anything without a full source code review," but try to be sure of your sources. For example, a bunch of people got burned a few years ago because what they thought was a free Internet download of the Microsoft Office 2004 demo was really a malicious script that wiped out their home directory. Of course, the only place this script existed was on questionable download sites such as Limewire.

In general, stick to reputable sites for your software downloads. My favorite is VersionTracker, at. It's a great site, not only for Mac OS X software, but for Windows and Palm software as well, and is updated constantly throughout the day. Unlike most P2P networks such as the aforementioned LimeWire, VersionTracker doesn't allow for anonymous software postings, and there is at least a basic vetting process for software. No one can guarantee perfect safety, but VersionTracker has done a solid job thus far.

Running program(s) is where you need to be the most careful, as once you run code, you have no control over what that code is doing. If you're an administrator user, then that code is running as you. If you authenticated as root in a security dialog, then that code is running as root. There's nothing in the world that's stopping a Trojan horse with root privileges.

3. Think before you enter a password. While many applications ask you to enter an administrator password, particularly during an installation, you shouldn't just do so because you were asked. If nothing else, check to see if it's a valid request dialog box. Below are two images of a legitimate authentication request that I created via AppleScript to demonstrate:

There are a number of items that help identify this as a legitimate request dialog. First, there's the lock icon, with the requesting application's icon overlaid on it. Next is the text informing you that the application (Script Debugger in this case) is requesting your password. Then there's your complete user name already filled out in the "Name" field. If we expand the "Details" triangle we see more information that will help you identify this as a legitimate request dialog:

Here we see the specific right the application is requesting (system.privilege.admin), which will give it root access for this operation and the application requesting the privilege. If the application name doesn't match the name or the icon at the top of the dialog, think twice before authenticating. However, there's one more thing you can check, and that's the location of the application requesting the privilege. If you click on the blue application name bubble you can get a path listing for that application, as seen below:

The path shown for Script Debugger 4 is exactly where it should be: in the /Applications/Programming/AppleScript/Script Debugger 4/ folder. (Remember, in Unix nomenclature, "/" is the root level of the boot drive, and folders are shown with an optional trailing "/".) If the path shown in this dialog and the path where you think the application should be are different, again, you might not want to enter a password here.

The dialog check isn't perfect, and it's trivial to create a legit one (I did this in one line of AppleScript), but even the small bit of checking you can do here is better than blind trust.

4. Stay up to date on security patches. While you may not want to apply security patches the minute they're available (hey, bugs happen), I'd not wait more than a week to do it. Security patches are a dead simple way to protect yourself. I'd also stay up to date on OS versions. While upgrading the OS isn't something you just do, and can require you to pay for a new version, the truth is, the current version of the OS always gets more attention than older versions when it comes to bug fixes and patches. Security is as legitimate a reason to upgrade as any other, and some security holes may require changes on a scale that only a new OS version can address.

If you follow these four tips, and apply some common sense in your daily Mac usage, the chances of you ever having a problem drop rather quickly, and stay there.

So no, there's no looming security nightmare for Mac OS X. All the headlines mean is that more people are taking Mac OS X and Apple more seriously from a security point of view -- and that is, in the end, a good thing.

SUBSCRIBE TO OUR NEWSLETTER
Stay informed! Sign up to get expert advice and insight delivered direct to your inbox

You May Also Like


More Insights