SAN FRANCISCO--Politicians like to joke that Social Security reform is considered the "third rail" of politics. In Apple's world, that rail belongs to security.
It's been a while since we examined the "state of Mac security," and with this week's RSA Conference in San Francisco, and last month's CanSecWest conference fresh in everyone's mind, it seemed like a decent time.
The topic is always a heated one, and it tends to bring out the usual Mac vs. PC bashing. But according to people I talked to this week here at RSA, the nature of security threats has moved well beyond the platform.
First of all, let's examine where things stand. No security researcher I spoke with could think of an instance of a Mac running Mac OS X that had been exploited in the wild. Not as part of a contest, or as part of a show-stopping demonstration, but through a malicious attack aimed at pwning a Mac. Few were even sure that any viruses or worms existed for the Mac; there was a Trojan horse type of exploit in the wild last year, but it was delivered through a porn site, and it required users to take several steps to infect themselves.
So Macs remain a very safe computing option. This does not mean that Mac OS X is secure, however. It's software, written by humans, and it contains flaws. Those flaws are theoretically exploitable by criminals, but they haven't been, mainly because you don't need an MBA to do a cost-benefit analysis.
Apple hasn't had its "come to Jesus" moment yet with security, the way Microsoft did in the early part of this decade. Millions of Windows users demanded that Microsoft fix the leaky boats that were Windows XP and Internet Explorer, and to Microsoft's credit, it stopped almost everything it was working on and set about that task.
That hasn't happened to Apple. Even though Apple's market share continues to grow quarter by quarter, the company's products account for just 5.8 percent of the total U.S. market for PCs, according to IDC.
"Market share equals money" to the hacker criminals of the world, according to Charlie Miller, a researcher at Independent Security Evaluators. Miller made headlines last month by taking control of a MacBook Air as part of the CanSecWest conference's "Pwn to Own" contest. He used a previously unadvertised flaw in Apple's Safari browser to gain control of a system that was directed to a malicious Web site, earning himself and his team $10,000 and a new MacBook Air.
"Even if Apple moved to 10 percent market share, why spend the time on the 10 percent when you can just nail 90 percent with one bug?" Miller points out. It's far easier, and far more lucrative, for those shadowy figures in the hacking business to spend their time going after the other 90-plus percent of computers in the world than it is to try to exploit flaws in the Mac--even if there's a shiny new computer involved.
Changing of the threat
More and more, it's not really about taking control of a computer through flaws in the operating system; it's about using the browser as the entry point into the system or hacking Web sites, said Mike Romo, product manager for Symantec's Mac product line. "Trojan horses and viruses are yesterday's news."
At the CanSecWest conference, no one was able to take control of three laptops in play (the MacBook Air, a Fujitsu running Windows Vista Ultimate, and a Sony Vaio running Ubuntu) when attacks were confined just to the operating system. But Miller's Safari exploit, and the Flash flaw later exploited by Shane Macaulay, Derek Callaway, and Alexander Sotirov on the Vista laptop, show how security threats are now much more focused on the browser, rather than the operating system.
And it's also much more about phishing and social engineering your way into someone's wallet than it is about trying to take over their system, Romo said. "The OS is not really the target anymore for these next generations of threats; it's taking advantage of the fact that people are spending more time online. People are much more comfortable with entering a credit card number than they ever have before," he said.
That means it's no longer about Windows vs. Mac OS (at least when it comes to security debates--don't worry, fanboys). It's about Internet Explorer vs. Firefox vs. Safari vs. Opera. It's also about things like QuickTime, which Apple has patched extensively since the "Month of Apple Bugs" project last year.
Symantec distributed some research this week showing that 22 vulnerabilities were reported for Safari in 2007, compared with 88 in Mozilla browsers like Firefox, 18 in Internet Explorer, and 12 in Opera. It should be noted that counting the vulnerabilities is not the best way to measure the security of a piece of software, and can be explained in part by increased interest on the part of security researchers in investigating Firefox and Safari, as they become more widely used.
And, as Symantec points out, "as security researchers have focused more efforts in discovering vulnerabilities in these browsers, the theory that this would result in much greater levels of malicious activity targeting these browsers in the wild has not yet been borne out." Again, IE is still the leading browser, and it makes more sense financially to go after that product.
The problem for the security industry is that even if Microsoft, Mozilla, Apple, and Opera all make the most secure browser ever, it still won't prevent things like phishing scams. The quickest, and perhaps easiest, way to make money from criminal activity on the Internet these days is to send out one of those Nigerian 419 e-mails, have people visit a Web site and enter their information, and shut that site down after a few hours of gaining credit card numbers.
It's almost impossible for security companies like Symantec to track that kind of quick behavior and update browser protection software to recognize the phisher's site as a threat, before at least a few people are affected. Lather, rinse, repeat, and after a while, you'll take in far more cash for a day or so of work than you would toiling away for weeks trying to exploit a flaw in Vista or Mac OS X, Romo said.
This is as much a social problem as a technical one; lots of people who may already be nervous around computers often just do whatever the computer tells them to do, Romo said. Credit that tendency for some of the uproar around Apple's decision to ship a new version of Safari to Windows users through Software Update. More than a few people didn't realize that they didn't have to do what the computer was telling them to do.
Miller and Romo--both Mac users--worry that the need for greater security to protect people from themselves will force Apple to change the way the Mac handles certain tasks, potentially taking away some of the Mac's ease of use. Leopard already takes a step in this direction, Miller noted, though not nearly as far as the User Account Control feature introduced in Vista, to much derision.
But Apple's not going to adopt Microsoft's security strategies for Mac OS X, until users demand it or hackers force its hand. They simply don't have to. Until then, quick, diligent patching and a wider embrace of the security community will more than do its part in keeping the Mac secure.
Education and "safe surfing" practices are as important to this era of security as anything having to do with counting flaws or patching practices. Maybe that's the third rail of technology writing: it's not always the mean evil corporation's fault; sometimes, it's yours.