security

The steady stream of Windows bugs is a phenomenon far removed from their computing experience -- or so it seems. But the late February security report cast Apple in a new light.

Chris Adams, a systems administrator in San Diego, discovered a flaw in the Apple Filing Protocol (AFP), a tool in OS X 10.3, code-named "Panther." AFP enables a secure connection using the secure shell (SSH) protocol. The flaw is in AFP's warning mechanism: Users may request a secure connection, but Panther will not warn users if the connection is in fact not a secure one. So, a user may send sensitive information -- like passwords -- on an insecure connection, not knowing that they are using an easily hacked protocol.

In short, the flaw is similar to a host of Windows flaws, suggesting that the concept of Apple invulnerability may be closer to myth than fact. That said, What is the big picture when it comes to Apple security? Is OS X safe enough to be a viable contender for running public Web sites and general enterprise applications?

Peer Review

Apple's OS X is based on Berkley secure distribution (BSD), a Unix variant. OS X is "a version of Unix, with an Apple personality on top of it," IDC analyst Dan Kusnetzky told NewsFactor.

That could be the source of some security vulnerabilities for OS X. Because the Unix code has been public for so long, hackers are well positioned to exploit its weaknesses. Indeed, the existing hacks of OS X, for the most part, have been adaptations of Unix hacks, noted Gartner analyst Ray Wagner, though he pointed out that such attacks have been rare.

Yet, Wagner is in the camp with those who believe just the opposite about OS X: "The more eyes that look at code, the more chances that vulnerabilities will be caught and fixed by the good guys," he told NewsFactor. "It's not possible for one person to write an operating system, so I can't get the most security-conscious person on earth to go and write an OS -- it has to be done by a team, and the more peer review, the better."

"Any security issues that have come up in the version of BSD upon which [Apple] based their efforts would also very likely be in the Apple product," Kusnetzky said, but he said that he had not heard of such hacks.

OS X's Unix underpinnings mean it is "probably far more secure" than earlier Mac OSes, Jupiter analyst Michael Gartenberg told NewsFactor. "Previous Mac OSes were not overly robust in terms of withstanding attacks. If you tried to attack a system 7 Mac in its heyday, it would probably have crashed before you got into it."

The Network Age

One of the chief security problems facing Microsoft , experts say, is that it was created prior to the age of the Internet. Before mass public networking, code was not exposed to the amount and sophistication of attacks that today's networked software is. Although many recent Windows OSes are post-Internet, "there's still a legacy code base," Wagner noted.

Code developed after the rise of the Internet is built with that environment in mind. "Certainly, OS X falls into this category," Wagner said.

"So you've got newer operating systems designed with the best principles of the mid '90s as opposed to the mid '80s," he said. "People thought about security more -- they designed thinking about security more from a ground up perspective."

In contrast to OS X, earlier Mac OSes were built when "connected computing meant hooking six computers together via AppleTalk to a laser writer," Gartenberg said. "You're clearly talking far more overall security than any previous effort."

Security Through Obscurity

If Windows-based enterprises were to use non-Windows systems -- like OS X -- on at least certain hardware in their system, they would gain "security through obscurity," Wagner suggests.

"Maintaining some corporate users on non-Windows desktops offers a huge advantage, in terms of attack avoidance, because the most popular target for virus and worm writers will always be the consumer desktop," he says in a security report.

As Gartenberg notes, "The fact that Apple is not in as many hands as Windows means there are fewer people trying to exploit those vulnerabilities in the marketplace."

There is "no question" that its low profile is the biggest factor behind the low amount of attacks on the OS, Wagner said, also pointing out that Apple tends to inspire less animosity in the hacker community than Windows.

This low profile alone does not make OS X a safe bet for corporate Web sites. "If Windows with its known vulnerabilities has proven good enough for corporate use, OS X is certainly as good as that standard, if not better in certain ways," Gartenberg said.