How Apple OS X Mavericks Falls Short on Security
Apple products are commonly seen as being immune to viruses and other computer malware, but the truth is that Apple's OS X desktop operating system is just as vulnerable as Microsoft Windows.
Among security experts, Apple has been criticized for lagging behind Microsoft in its response to malware outbreaks and its efforts to build security enhancements into the desktop.
However, with the release of its new Mavericks OS X 10.9 operating system, and the announcement of a number of security improvements, Apple appears to be taking a new approach to security.
On the surface, this is good news for the Apple faithful, since the improvements arrive as Macs become a growing target for malware attacks.
Security experts, on the other hand, are skeptical about the efforts to make Macs safer. They dismiss some of Apple's enhancements as too little, too late.
OS X Mavericks' security improvements
"In general, any security improvement is very welcome," said Dmitry Bestuzhev, Latin American head of Kaspersky Lab's Global Research and Analysis Team. "It's clear Apple is doing new things, and this is good."
The bulk of Apple's recent security improvements have been bug fixes on the back end of the operating system, such as fixes to the firewall, to the application sandbox and to the kernel itself.
There have been some other security upgrades as well, such as the option for users to encrypt data synced to Apple's iCloud services.
Mac users will also now be able to control application permissions, such as whether applications and system processes may interact with one another and share user data.
Gatekeeper, Apple's built-in malware-defense system, will continue to verify whether new applications are coming from the Apple app store or if they are signed with a legitimate Apple developer ID.
In addition, because Java exploits are commonly used to infect OS X with malware, Safari users now have the option to enable their Java browsers plug-ins on a website-by-website basis.
(Meanwhile, users of OS X 10.8 Mountain Lion may not ever get the latest version of Safari, or any more security patches.)
Apple still needs to do more about desktop security
"Apple appears to be doing their due diligence in correcting security issues in Mavericks," said Mat Gangwer, security consultant with Rook Consulting in Indianapolis. "The last security update fixed around 40 security issues that were disclosed in the operating system and associated components."
But Gangwer wasn't quite ready to award Apple a blue ribbon.
"At this point in time," he said, "it's unfair to try to draw conclusions to the security of Mavericks, as it's very early on in the software life cycle."
Bestuzhev doesn't believe Apple has gone far enough.
"OS X is still vulnerable to malware," he said. "Maybe it's time to recognize [that] an anti-malware product is needed, especially one capable to detect exploits while browsing."
"This is needed," Bestuzhev explained, "because users use third-party applications such Java and Adobe."
No fixes to the weakest security point – the end user
Michael Sweeting, senior threat research analyst at Broomfield, Colo.-based Webroot, agrees that Apple has taken steps in the right direction, such as by fixing previous bugs and flaws and adding a few new user-controlled security features.
But, he added, there is nothing revolutionary or special about the security upgrades.
The improvements also don't take into account that user-controlled security settings are often disabled by users who find them annoying or unnecessary, leaving systems vulnerable to potential compromise.
However, trends in threat data show that the users, not the IT asset, have become the target of many malicious campaigns because it is much easier to deceive a user than to bypass technical security controls.
"What's important to keep in mind is that most Mac malware attacks are done through social engineering," Sweeting said. "Hackers can trick a Mac user into giving up their username, password and other sensitive data."
"No matter what OS you use," Sweeting said, "it still comes down to being smart about security, including what applications you are downloading and installing, and where you're going on the Internet."
"There will continue to be vulnerabilities, both disclosed and undisclosed, in Mavericks and other operating systems," Gangwer said. "It's going to be the responsibility of the vendor to deal with these in a timely manner."
"Apple shows consistency in their security-update schedule based on historic releases," Gangwer added. "We shouldn't count Mavericks out yet."