Roger Grimes
Columnist

Apple security under attack: The view from Windows

analysis
Aug 11, 2011

Apple has much to learn about securing an operating system -- and it could learn it from Microsoft

The blogosphere is abuzz over the latest Black Hat presentation exposing the security holes of Apple’s Mac OS X. The upshot is that Microsoft Windows, in comparison, does a better job of protecting its users, especially against network protocol attacks. A proof-of-concept hack shown at the Black Hat security conference involved plugging one rogue Mac computer into an enterprise network, where it was soon able to gather the authentication credentials of all the other Macs in the environment.

In my world (I’m a principal security architect for Microsoft), this is no big surprise. Macs have always been far more vulnerable to hacker assaults than Windows computers, by almost every metric that means anything. Yes, Macs do have far more software vulnerabilities than Windows computers. If you don’t believe me, go to any vulnerability database (I like Secunia’s advisory database) and compare any operating system or application from Apple and Microsoft, head to head, over the same time period during the last five years. Most people are absolutely shocked to see that Microsoft software in general, and Windows in particular, has suffered far fewer vulnerabilities than Apple software and Mac OS X.

But even pure vulnerability numbers don’t paint the whole picture. Among the leading OS vendors, Apple has been the last to implement nearly every important security protection. Apple was last to implement anti-buffer-overflow memory protections. Apple was the last to implement address space layout randomization (ASLR). Apple was the last leading operating system vendor to offer full disk encryption (in the recently released Mac OS X Lion). Apple is also typically the last among these vendors to patch software bugs, sometimes months after they become publicly known.

And it came as no surprise when Dmitry Sumin, president of Password Inc., told me last week that Apple’s Mac OS X Lion was the only popular operating system to store login passwords in plain text in memory.

As astounding as these facts might be to Mac users, they aren’t surprising to security experts who work with both platforms. It’s been this way for a long time. At Black Hat a few years ago, I asked hacking expert Charlie Miller why he concentrated on the Mac when most hackers focused on Windows. He replied, “Because it’s easier.” Apple is an innovator in device design, UI, and many other important things that the world is properly grateful for. But in the computer security world, Apple is a follower.

Does all this mean that Mac users would be safer running Windows? No, it doesn’t. Macs are attacked far less frequently today than Windows PCs, and this factor is hugely important when considering overall security. Although I said Macs are more vulnerable than Windows PCs, notice that I didn’t say they are more insecure. Although vulnerability is easy to measure, insecurity is a function of security risk. Right now, Macs have far less security risk than Windows PCs. Microsoft Windows is the primary target of hackers because it runs on 80 to 90 percent of the world’s computers. Simply because Macs are in the minority, owning a Mac means you might be “safer” than if you owned a Windows computer.

At least for now. The sad part of this is that attack presentations at Black Hat tend to be prophetic. The protection Mac users have enjoyed from flying under the radar is coming to an end. Apple computers and devices are increasingly under attack, and Trojans and worms targeting Mac OS X and iOS have been pouring out of the cyber woodwork. Whenever I get on an airplane, I can’t help but notice how many Macs and iPads are traveling first class. I routinely see them in the hands of IT security officers and C-level executives. And hackers are noticing this too.


So if you’re the user of an Apple product — and who isn’t? — it’s time to think like a Windows user and make sure you do all of the regular things it takes to keep a computer secure. That means using strong passwords (and separate passwords for system, network, Facebook, and so on), installing patches as frequently as they’re released, not getting fooled into clicking links that you shouldn’t, watching out for lookalike websites and phishing attempts, and not installing software that you don’t trust 100 percent.

I do expect Apple to provide better security and more secure defaults. The days when Apple could treat security as an afterthought while raking in billions of dollars remind me of Microsoft in 1999 — you know, the year Gartner recommended that people not buy IIS because it was being exploited too often.

It’s taken Microsoft 10 years to turn security from a weakness into a strength. Apple can use the lessons learned by Microsoft to manage a quick turnaround. Apple has already hired one of Microsoft’s former security leaders, Window Snyder, and it has adopted a modified form of Microsoft’s Security Development Lifecycle programming practices. Apple has the benefit of seeing how Microsoft fixed its past mistakes.

Take the network protocol vulnerability exposed at Black Hat, for example, which relies on forcing Macs to use an earlier, less secure authentication protocol. Microsoft had that problem, too, 10 years ago, and fixed it by disabling authentication protocol fallback by default. It took Microsoft a while to get that solution implemented. Apple could do it in a single patch.
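To make the "disable fallback by default" fix concrete, here is an added illustration (not code from the column, from Apple, or from Microsoft) of a client negotiating an authentication protocol against a server's offer. The protocol generations, the policy object and the log messages are hypothetical; the point is the difference between a client that accepts whatever the server offers and one that enforces a floor and logs the refusal.

```python
from dataclasses import dataclass, field
from enum import IntEnum
from typing import List, Optional


class AuthProto(IntEnum):
    """Hypothetical authentication protocol generations, weakest to strongest."""
    LEGACY = 1   # older scheme whose exchanged material can be abused off-line or relayed
    MODERN = 2
    STRONG = 3


@dataclass
class ClientPolicy:
    supported: List[AuthProto]
    allow_fallback: bool                     # True reproduces the weak default
    minimum: AuthProto = AuthProto.MODERN    # floor below which the client must not go
    log: List[str] = field(default_factory=list)


def negotiate(policy: ClientPolicy, server_offers: List[AuthProto]) -> Optional[AuthProto]:
    """Choose the strongest protocol both sides support.

    Returns the protocol the client will authenticate with, or None if the client
    refuses. With allow_fallback=True the client accepts a below-floor protocol
    (the condition a rogue host on the network exploits); with it disabled the
    client refuses and records why, which is the event a defender should alert on.
    """
    common = [p for p in policy.supported if p in server_offers]
    if not common:
        policy.log.append("refused: no mutually supported protocol")
        return None
    best = max(common)
    if best >= policy.minimum:
        return best
    if policy.allow_fallback:
        policy.log.append(f"WARNING: fell back to {best.name}; credentials may be exposed")
        return best
    policy.log.append(f"refused: peer offered only {best.name}, below floor {policy.minimum.name}")
    return None


def demo() -> dict:
    """Constructed scenario: a rogue host offers only the legacy protocol."""
    rogue_offer = [AuthProto.LEGACY]
    weak = ClientPolicy(supported=list(AuthProto), allow_fallback=True)
    hardened = ClientPolicy(supported=list(AuthProto), allow_fallback=False)
    return {"weak": negotiate(weak, rogue_offer), "hardened": negotiate(hardened, rogue_offer),
            "hardened_log": hardened.log}
```

Against an honest host that offers STRONG alongside LEGACY both policies pick STRONG; only the rogue, legacy-only offer separates them.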

This article, “Apple security under attack: The view from Windows,” was originally published at InfoWorld.com.

Roger A. Grimes is a contributing editor. Roger holds more than 40 computer certifications and has authored ten books on computer security. He has been fighting malware and malicious hackers since 1987, beginning with disassembling early DOS viruses. He specializes in protecting host computers from hackers and malware, and consults to companies from the Fortune 100 to small businesses. A frequent industry speaker and educator, Roger currently works for KnowBe4 as the Data-Driven Defense Evangelist and is the author of Cryptography Apocalypse.