Apple's security code of silence: A big problem

Apple has cultivated a myth about security on the Mac platform. The myth goes like this: Apple users don't need antivirus software. We're more secure than anything out there. Security worries are overblown.

In reality, Apple practiced security by obscurity with the Mac.

Those days may be ending in a hurry. Apple's relative silence about malware is going to have to end as the company finds itself managing a large ecosystem, noted ZDNet's Ed Bott. Delivering massive security updates during product launches and software rollouts just isn't going to cut it.

The Flashback virus has infected more than 600,000 Macs. These Mac users didn't fall prey to snazzy social engineering or any real work at all. Russian antivirus company Dr. Web noted that Flashback exploited a security hole in Java to silently attack Mac OS X systems. Flashback was discovered in September 2011 as a fake Adobe Flash Player and has morphed into attacking Java. Apple has been belatedly patching Java.

What's the problem here? Apple likes to pretend that its security is superior. The reality is that Apple hasn't had the market share to matter. That's quickly changing since the Mac platform is outgrowing PCs. Meanwhile, enterprises are adopting Macs too. As these Macs go corporate the honeypot looks a lot sweeter to hackers.

It's possible that Apple CEO Tim Cook will hit the security issue head on like he tackled the supply chain flap. In either case, Apple has to step up its security game. It can't a) thump its chest about security and invite hackers and b) pretend that there's nothing to worry about. As these attacks continue over time, Apple may have to have its big security "ah ha" moment just like Microsoft did.

Here's how Apple's silence on security contributes to the problem:

Apple doesn't allow Oracle to patch Java. The latest round of malware could have been avoided with faster patching. Since Apple likes to control its patching it is often behind. The window of exposure on the Mac platform is longer. The easy fix here is to let Oracle do the patching.

Apple has a rudimentary antivirus update utility that's updated with signatures only when there's a big enough threat. Apple knew about Flashback, which has been pointed out by security researchers, but didn't ship an update.

Apple users have no idea if they are infected and don't know how to search. Why would they know? Apple has told them there are no viruses on the Mac. This false sense of security is the primary reason Apple needs to start talking. Apple users are smug about security.

Anti-virus vendors can't provide protection to the Mac because users don't think they are needed.

Security industry insiders have known the Mac platform has its holes, but Flashback is the first in-the-wild issue that's confirmed and big. More will follow unless Apple becomes more proactive.