To many Mac users, the recent news report of an
Apple
OS X
security
vulnerability seemed like an anomaly. While Windows users are greeted
almost weekly with a new virus or worm, OS X users tend to
view their systems as impervious
to such concerns.
The steady stream of Windows bugs is a phenomenon far removed from their computing
experience -- or so it seems. But the late February security report cast Apple in a new
light.
Chris Adams, a systems administrator in San Diego, discovered a
flaw in the Apple Filing Protocol (AFP), a tool in OS X 10.3,
code-named "Panther." AFP enables a secure connection using the secure
shell (SSH) protocol. The flaw is in AFP's warning mechanism: Users may
request a secure connection, but Panther will not warn users if the
connection is in fact not a secure one. So, a user may send sensitive
information -- like passwords -- on an insecure connection, not knowing that
they are using an easily hacked protocol.
In short, the flaw is similar to a host of Windows flaws,
suggesting that the concept of Apple invulnerability may be closer to
myth than fact. That said, What is the big picture when it comes to Apple security? Is OS X safe enough to be a viable contender for running public Web sites and general
enterprise
applications?
Peer Review
Apple's OS X is based on Berkley secure distribution (BSD), a Unix
variant. OS X is "a version of Unix, with an Apple personality on top
of it,"
IDC
analyst Dan Kusnetzky told NewsFactor.
That could be the source of some security
vulnerabilities for OS X. Because the Unix code has been public for so
long, hackers are well positioned to exploit its weaknesses.
Indeed, the existing hacks of OS X, for the most part, have been adaptations of Unix
hacks, noted
Gartner
analyst Ray Wagner, though he pointed out that
such attacks have been rare.
Yet, Wagner is in the camp with those who believe just the opposite about OS X:
"The more eyes that look at code, the more chances that vulnerabilities
will be caught and fixed by the good guys," he told NewsFactor. "It's
not possible for one person to write an operating system, so I can't
get the most security-conscious person on earth to go and write an OS --
it has to be done by a team, and the more peer review, the better."
"Any security issues that have come up in the version of BSD upon which
[Apple] based their efforts would also very likely be in the Apple
product," Kusnetzky said, but he said that he had not heard of such
hacks.
OS X's Unix underpinnings mean it is "probably far more secure" than
earlier Mac OSes, Jupiter analyst Michael Gartenberg told NewsFactor.
"Previous Mac OSes were not overly robust in terms of withstanding
attacks. If you tried to attack a system 7 Mac in its heyday, it would
probably have crashed before you got into it."
The Network Age
One of the chief security problems facing
Microsoft
, experts
say, is that it was created prior to the age of the Internet. Before
mass public networking, code was not exposed to the amount and
sophistication of attacks that today's networked software is. Although
many recent Windows OSes are post-Internet, "there's still a legacy
code base," Wagner noted.
Code developed after the rise of the Internet is built with that
environment in mind. "Certainly, OS X falls into this category," Wagner said.
"So you've got newer operating systems designed with the best
principles of the mid '90s as opposed to the mid '80s," he said.
"People thought about security more -- they designed thinking about
security more from a ground up perspective."
In contrast to OS X, earlier Mac OSes were built when "connected
computing meant hooking six computers together via AppleTalk to a laser
writer," Gartenberg said. "You're clearly talking far more overall
security than any previous effort."
Security Through Obscurity
If Windows-based enterprises were to use non-Windows systems -- like OS
X -- on at least certain hardware in their system, they would gain
"security through obscurity," Wagner suggests.
"Maintaining some corporate users on non-Windows desktops offers a huge
advantage, in terms of attack avoidance, because the most popular target
for virus and worm writers will always be the consumer desktop," he
says in a security report.
As Gartenberg notes, "The fact that Apple is not in as many hands as
Windows means there are fewer people trying to exploit those
vulnerabilities in the marketplace."
There is "no question" that its low profile is the biggest factor
behind the low amount of attacks on the OS, Wagner said, also pointing
out that Apple tends to inspire less animosity in the
hacker
community
than Windows.
This low profile alone does not make OS X a safe bet for
corporate Web sites. "If Windows with its known vulnerabilities has
proven good enough for corporate use, OS X is certainly as good as that
standard, if not better in certain ways," Gartenberg said.
|