
How Apple OS X Mavericks Falls Short on Security

Source: Tom's Guide US

Apple products are commonly seen as being immune to viruses and other computer malware, but the truth is that Apple's OS X desktop operating system is just as vulnerable as Microsoft Windows.

Among security experts, Apple has been criticized for lagging behind Microsoft in its response to malware outbreaks and its efforts to build security enhancements into the desktop.

However, with the release of its new Mavericks OS X 10.9 operating system, and the announcement of a number of security improvements, Apple appears to be taking a new approach to security.


On the surface, this is good news for the Apple faithful, since the improvements arrive as Macs become a growing target for malware attacks.

Security experts, on the other hand, are skeptical about the efforts to make Macs safer. They dismiss some of Apple's enhancements as too little, too late.

OS X Mavericks' security improvements

"In general, any security improvement is very welcome," said Dmitry Bestuzhev, Latin American head of Kaspersky Lab's Global Research and Analysis Team. "It's clear Apple is doing new things, and this is good."

The bulk of Apple's recent security improvements have been bug fixes on the back end of the operating system, such as fixes to the firewall, to the application sandbox and to the kernel itself.

There have been some other security upgrades as well, such as the option for users to encrypt data synced to Apple's iCloud services.

Mac users will also now be able to control application permissions, such as whether applications and system processes may interact with one another and share user data.

Gatekeeper, Apple's built-in malware-defense system, will continue to verify whether new applications are coming from the Apple app store or if they are signed with a legitimate Apple developer ID.

In addition, because Java exploits are commonly used to infect OS X with malware, Safari users now have the option to enable their Java browser plug-ins on a website-by-website basis.

(Meanwhile, users of OS X 10.8 Mountain Lion may not ever get the latest version of Safari, or any more security patches.)


Apple still needs to do more about desktop security

"Apple appears to be doing their due diligence in correcting security issues in Mavericks," said Mat Gangwer, security consultant with Rook Consulting in Indianapolis. "The last security update fixed around 40 security issues that were disclosed in the operating system and associated components."

But Gangwer wasn't quite ready to award Apple a blue ribbon.

"At this point in time," he said, "it's unfair to try to draw conclusions to the security of Mavericks, as it's very early on in the software life cycle."

Bestuzhev doesn't believe Apple has gone far enough.

"OS X is still vulnerable to malware," he said. "Maybe it's time to recognize [that] an anti-malware product is needed, especially one capable to detect exploits while browsing."

"This is needed," Bestuzhev explained, "because users use third-party applications such as Java and Adobe."

No fixes to the weakest security point – the end user

Michael Sweeting, senior threat research analyst at Broomfield, Colo.-based Webroot, agrees that Apple has taken steps in the right direction, such as by fixing previous bugs and flaws and adding a few new user-controlled security features.

But, he added, there is nothing revolutionary or special about the security upgrades.

The improvements also don't take into account that user-controlled security settings are often disabled by users who find them annoying or unnecessary, leaving systems vulnerable to potential compromise.

However, trends in threat data show that the users, not the IT asset, have become the target of many malicious campaigns because it is much easier to deceive a user than to bypass technical security controls.

"What's important to keep in mind is that most Mac malware attacks are done through social engineering," Sweeting said. "Hackers can trick a Mac user into giving up their username, password and other sensitive data."

"No matter what OS you use," Sweeting said, "it still comes down to being smart about security, including what applications you are downloading and installing, and where you're going on the Internet."

"There will continue to be vulnerabilities, both disclosed and undisclosed, in Mavericks and other operating systems," Gangwer said. "It's going to be the responsibility of the vendor to deal with these in a timely manner."

"Apple shows consistency in their security-update schedule based on historic releases," Gangwer added. "We shouldn't count Mavericks out yet."

  • 4
    Zeatrix184 , November 29, 2013 6:43 AM
    This article, to me, seems like there is much ado about nothing. The title says OS X falls short but when I read the text it seems that it is just like any operating system and I wouldn't call that falling short, that's being on par. And the Kaspersky guy seems like he's just trying to sell his products to Mac users.
  • 0
    alextheblue , November 29, 2013 5:12 PM
    Apple all but abandons older versions of OS X after the newest release hits. If you're using a Mac you should just bite the bullet and upgrade. Or stop using a Mac.
  • 0
    jimmysmitty , November 30, 2013 12:29 AM
    Quote:
    This article, to me, seems like there is much ado about nothing. The title says OS X falls short but when I read the text it seems that it is just like any operating system and I wouldn't call that falling short, that's being on par. And the Kaspersky guy seems like he's just trying to sell his products to Mac users.

    In terms of built-in security, Mac has been and still is way behind Windows in terms of security.

    Since Windows 95 Microsoft has had to deal with security issues. They have had years' worth of malware and attacks on the system to make an OS that on release is pretty secure. Of course after a while it needs an AV but on release Windows in the first 6 months to a year is pretty safe to use without an AV. 8/8.1 is even better since it includes Defender w/MSE built in.

    And I am sure we will see more Mac AV ads soon since they are starting to get malware.
  • 1
    back_by_demand , November 30, 2013 12:44 AM
    "OS X is still vulnerable to malware," he said. "Maybe it's time to recognize [that] an anti-malware product is needed, especially one capable to detect exploits while browsing"

    Yep, scathing. After the article about "is Win 8.1 worth the security upgrade" and all we get is moans about the interface and why don't they cascade all these improvements down to 7, XP, etc. It's interesting to note people don't moan about Apple not cascading security updates down to previous versions of OSX, what pathetic little security there is.
  • 1
    axehead15 , November 30, 2013 6:03 AM
    What I gather from this is, they are blaming Apple for people not being smart about security. Apple gives the end-user the choice to turn protection on or off, which is the way it should be. Not their fault if the end-user is an idiot.
  • -1
    falchard , December 1, 2013 1:28 AM
    lol that startup screen reminds me of Vista. It should be no surprise that Apple has the worst security built into it and have the users who are least aware of security concerns. The bigger security measure Apple possesses is its lack of market share.