Newsflash: Mac Isn't Magically Secure

Thursday May 10th 2007 by John Welch

Despite Apple users’ belief, Mac security isn’t a given – but there are steps to take to make the Mac more secure.

So now that the QuickTime Java hole has been discovered and plugged, within eleven days' time, what does that say for Mac OS X's security? Is Mac OS X really just a house of cards, ready to be destroyed by The Bad People? Have Mac users been deluding themselves? Or was this really nothing, and there was never any real problem?

The correct answer is, I think, neither. Look, the Mac OS has always had holes. It always will. To think otherwise, no matter what the legions of the MacMacs out there fervently wish, is to literally deny reality.

Windows Vista and XP also have holes. Solaris has holes. Even my dear, fondly remembered OS/400 has holes. We are talking about complex software designed by inherently, and sometimes actively, imperfect beings. There are always going to be holes, a.k.a. mistakes. No matter how smart the designers of Mac OS X are (and having met quite a few of them, they're astoundingly smart, all of them), they're only human.

They also aren't the only smart people on the planet. As a good friend of mine, Andy Ihnatko, once said, rather sagely (complete with appropriate sagely demeanor), "No matter how smart or evil I may be, there is always someone out there who is smarter and more evil than I am."


As vulnerabilities go, this one was both quite real, and not as bad as it could have been. It affected a critical framework in Mac OS X, and a rather common install in Windows (QuickTime), and until it was patched, your only real safe bet was to disable Java in your browsers. It could, and did, allow a web site to open a hole into at least your home directory, and potentially worse.

To those who were, and maybe still are, trying to shout this down as "not a real problem," I say to them, "get a clue." Any hole that allows a random web page to open up your machine is bad. Period. Especially since this kind of attack vector makes hay of things like anti-virus and most firewalls. You created the connection, you "executed" the code. Had someone started exploiting this in a bad way, the fact that it wasn't a "real" problem would not be comforting to those damaged by it.

However, this vulnerability does not suddenly make the Mac OS no more secure than a tissue house in a hurricane. It had a reliable workaround (disable Java) that, while causing some pain, did not require you to ignore the Internet until a patch was found. Exploiting the vulnerability meant you had to get people to execute the code on a web site. The law of averages makes this quite hard to do on the Internet, especially with an eleven-day window between discovery and patching.

This was not a "Witty"-level problem, wherein malware on another machine could reach out and infect your system, then crash it without you ever knowing about it. (For information on Witty, a particularly nasty bit of malware, read here.) You had to go to a location with the attack code to be hit by it. This is hardly a harbinger of doom.


So what's it all mean? Well, for one, hopefully the idea that Mac OS X is somehow magically secure has been shattered. It is not "magically" secure, it is methodically secure. The security methods behind Mac OS X are not terribly exciting or new; they are the result of a lot of smart people doing good work for a long time. Nor is Mac OS X perfectly secure. It never was, it never shall be. It means that just like everyone else, you have to take some precautions when bouncing about the Internet, but then you've always had to do that. It doesn't mean that Mac OS X is now less, or still more, secure than any other OS. It has, like every other OS, advantages and disadvantages.

If you are going to take one thing away from the CanSecWest vulnerability, take away a new resolve to make your patching methods better than before. Maybe start reading more security web sites, and set up a Nessus scanner so that you can better know your own network's security posture. If you want to more actively know what's going on with your network traffic, consider Snort. If you're a sysadmin, you should have been doing this anyway, but maybe this will help give you both impetus and moral authority to do so now.

Mac OS X is as secure as it ever was. The only problems have been caused by people with mistaken ideas of what that really meant.

Copyright 2017 © QuinStreet Inc. All Rights Reserved