
For Mac security, communication is key

Apple's operating system has seen fewer bugs than Windows, but some say a recent flaw shows the tight-lipped company must communicate better on security and move faster to fix holes.

Ina Fried Former Staff writer, CNET News

When it comes to security, Apple Computer's report card reads like that of a gifted child: high marks for achievement, but needs to communicate better with others.

In general, the Mac operating system has seen far fewer bugs than its Windows counterpart. But some say a recent vulnerability demonstrates that the notoriously tight-lipped company must communicate more openly on security issues and move more quickly when it comes to plugging holes.

News.context

What's new:
After three years of avoiding viruses, Mac OS X has had its first case of the sniffles.

Bottom line:
Apple has a strong security record, evidenced by its virtually virus-free record, but some say the company needs to be better about communicating with customers and security researchers.


"I think there's room for improvement with their response speed on problems with their own code," said Chris Adams, a Mac user and system administrator for San Diego's Salk Institute for Biological Studies, a research center that's played a part in training five Nobel Prize-winning scientists. "The general pattern is complete silence for months and then a terse announcement when the update is released."

Adams said Apple has done a pretty good job of updating the operating system to fill holes found in various Unix components. But what is needed, Adams and others contend, is more dialogue about what the company is doing with regard to security.

"At the very least, they need to communicate with the people who report these problems, so it's obvious that work is happening," Adams said in an e-mail interview. "Depending on the problem, it may also be a good idea to announce a workaround if a fix won't be available quickly."



The issue of Apple's communication with the security industry came to the forefront last month. Researchers went public with a combination of vulnerabilities that, if exploited, could allow a Mac to be taken over by hackers. One of the researchers involved, a coder known as "lixlpixel," said he privately notified Apple of a problem in February but went public with his findings in May after not hearing back from the company.

Apple Senior Vice President Phil Schiller said the Mac's security is good and noted that the company is under more scrutiny now that the Mac is facing what he described as the first critical vulnerability since the release of Mac OS X three years ago.

According to Schiller, there was more to the critical issue Apple wound up addressing in May than just the flaw reported to the company several months earlier.

"What was learned in February was only a small piece of the picture and didn't present as great a threat," Schiller said. "The complete picture of this current threat has actually been very recent."

Beat of a different drum
Although the tech industry has guidelines that call for researchers to notify vendors of threats and then wait at least 30 days before going public, Schiller said Apple uses its own process to decide when to issue a patch, a process that takes into account Apple's assessment of the threat posed by the vulnerability.

Apple has released a partial patch, but security researchers say the OS remains vulnerable to attack.

Some of the other knocks on Apple's response to security issues also center on the company's communications. For example, critics have called on Apple to offer more detailed information on its Web site, as well as to offer a dedicated e-mail address for reporting bugs. But Schiller said Apple does both those things--security concerns can be sent to product-security@apple.com, and the company posts information on its Web site. But he conceded that many people don't know about those programs and that the company could be doing a better job.

"We're actually doing a lot of the right things people want," Schiller said. "They're just not aware of it."

There are, however, additional areas where Apple differs from other OS vendors. Unlike Microsoft and Red Hat, Apple does not have a life-cycle policy that guarantees which versions of the operating system will receive patches. Schiller said Apple makes those decisions on a case-by-case basis, rating the severity of the risks and balancing that with how hard it is to update older versions.

The company has offered updates to older versions in some cases but has not always been clear about those decisions. Last October, Apple waited several days before confirming it would offer a security patch for older systems. The initial silence by the company fueled speculation that Apple was going to leave older users unprotected.

While Microsoft has set up a separate security business unit to deal with such issues, Apple has decided not to. The responsibility falls broadly to the Mac OS X crew and other software product groups to ensure the security of their products, Schiller said. "It's everyone's job," he said. "We don't have to create a special team to solve these things...Everyone who works on software also works on security at some level or another."

Worse than it sounds?
Another critique, leveled by digital-security company @Stake, is that Apple has downplayed the threat of potential vulnerabilities in its descriptions of flaws.

In one example, Apple last month patched a series of holes including a buffer overflow in the Apple file-sharing system that could allow a remote attacker to take control of the system. Apple, though, described it as a correction "to improve the handling of long passwords."

"They are not characterizing the issue so that people can make a security decision about it," Chris Wysopal, @Stake's vice president of research and development, said last month. Apple "seems to think that everyone will update their computers all the time, and that is not the way the world works."

In another case, a security company called eEye said Apple rated as minor a QuickTime flaw eEye had found. Apple said the flaw in the QuickTime movie player for Mac OS X could cause the player to crash, while eEye said the real problem was that it could allow malicious code to be executed.

Schiller said Apple will look into how it communicates the details of potential threats.

"Certainly that is criticism we will take," Schiller said. "If people think we can do a better job of communicating some of this to everybody, then we will do a better job."

But some Mac users say that as long as Apple keeps potential problems from becoming real headaches, they don't need more detail from the company.

"I haven't been burned yet," said Lauren Connolly, a system administrator at the California Institute of Technology who has used Macs for 20 years. Connolly said she has never had a system infected because of something Apple didn't patch, nor has she had problems with any of the patches Apple has put out.

"They haven't given me any reason not to trust what they've been releasing," she said.

Indeed, the Mac's strongest selling point is its track record. Schiller and others point out that the Mac has proved to be a much lower security risk in recent years, with most of the vulnerabilities being caught at the potential stage--or before customers have actually been affected. Schiller said Apple has fixed 138 issues in 43 security updates since the debut of Mac OS X, with only one of those considered critical. "Windows XP has had 77 updates in that time," Schiller said. "Two-thirds of those updates have been critical."

Analysts agree that Mac OS X has so far proved to be more secure than Windows.

"They've had less patches," said Ray Wagner, a research director at Gartner. "We're not talking an order of magnitude (less). We're talking maybe half as many."

The bigger they are...
However, the question is whether that will continue to be the case. The Mac has attracted somewhat less attention from hackers because of its niche position in the PC market--it holds less than 5 percent market share worldwide. Because Macs are fewer in number, it would be tough for a Mac-centered mass-mailing worm to find enough targets to allow it to propagate effectively.

On the flip side, the company is gaining cachet in the Unix world that some say could make Apple a juicier target in the future. Additionally, security companies may devote more time to finding Mac OS holes, which could lead to more discoveries.

Others say the current challenges add up to adolescent growing pains as the company and Mac OS X mature.

"Apple is coming to terms with dealing with these types of issues," said independent security researcher Richard Forno, who also noted that Apple has offered a much more stable and secure option than Windows.

Most of the vulnerabilities that have been found have been in the Mac's Unix underpinnings, rather than in the Mac OS shell. And the code base itself--a version of BSD Unix--is pretty well tried and true because it's been in use for more than a decade.

Despite its relative stability, one challenge is that the average Mac user may not even be aware that the OS contains all this Unix code that could potentially have holes.

"It's kind of new for all Mac users, unless they had a good Unix background to begin with," said Michael Junkroski, who, along with his brother Patrick, runs VSM.net, a Florida-based IT consultancy that is an all-Mac shop. "I think we were all probably a little lax because we thought the OS was impenetrable."

Junkroski said there are 55,000 viruses in the wild that affect Windows machines, compared with zero for Mac OS X. "In theory, a few (vulnerabilities) have been found. In practice, nothing has happened."

For its part, Schiller said, Apple has learned some lessons and is working on a complete fix for the latest bug.

"We fixed one part of what is a complex problem. We're working on fixes to the other parts, and there will be more coming," Schiller said. "We were more interested in getting out the first part of the fix as fast as we can...It can help people right now. Now we'll follow up with more things as we finish the rest of this complex problem."