Kelly Jackson Higgins has noted “4 Signs That Apple's Sharpening Its Security Game”. And indeed, there are indications that Apple’s hard-line “We don’t have any security problems” attitude is getting a bit smoother at the edges, as the Mac threatscape has started to resemble a (very) microcosmic version of the World of Windows. (The Mac APT Store is now open.)
In particular, Higgins cites the hardening of Safari to disable older versions of Flash Player and direct the potential victim to Adobe’s downloader site. That should certainly clean up some of the OSX/Flashback fallout, though it won’t necessarily stop Mac users falling for fake updates.
In fact, she also cites Apple’s participation in the cooperative assault on the Flashback botnet, and that’s certainly gone a long way towards redeeming the company’s initial fumble on patching the Java flaw that Flashback exploits. It wasn’t an altogether smooth transition, though. One of the mildly irritating features of commentary on action against botnets, bank fraud gangs and so on is that the participation of anti-virus researchers across a wide range of companies tends to be relegated to the small print. It also seems to have been forgotten that Apple’s patchy engagement with the AV industry seemed to result in attempts to close down a sinkhole server operated by Dr Web, the company that’s credited with the initial discovery of the malware. On the other hand, that glitch seems to have resulted in better communication between Apple and the AV industry in general. Nevertheless, I suspect that there’s still a mindset in some corners of the Apple core that finds it embarrassing to admit to having to consider security at all, let alone compromising its independence and reputation by associating with the security industry.
Higgins also cites the toning down (flagged a few weeks ago by Graham Cluley) of the ‘viruses are a PC problem’ message on Apple’s "Why you'll love a Mac" webpage. In fact, this belated and understated acknowledgement of a world in which Mac malware is not an urban myth goes deeper into the Apple PR psyche. A while ago, I noted that in its PR for the Gatekeeper utility coming up in Mountain Lion, Apple was claiming that “While malware is one of the biggest security challenges on personal computers, it’s hardly an issue on a Mac.” I also noted that ‘700,000 Flashback victims (allegedly) might not agree.’
That assertion seems to have gone: instead, there’s a terse and relatively sober summary of the improved security measures in Mountain Lion. In fact, it doesn’t mention malware at all there now. That may be a case of ‘why mention it if we don’t have to?’, but it’s better than claiming those countermeasures will eliminate the malware problem altogether, as some Microsoft personnel once strongly hinted would happen with the implementation of ASLR.
One quote (from Rapid7’s Marcus Carey) did worry me a little, though. He apparently told Higgins that “I believe that consumers and organizations don’t typically buy Apple products because they are secure anyway -- they buy them because they are cool.” It’s perfectly true that many Mac users are probably far more influenced by the ‘coolness’ of the product than by an overriding concern for security – when did you last hear anyone say ‘I’d rather use Windows, but Macs are safer’? – but there have certainly been instances where organizations like the US military have been inclined to favour Macs over other platforms because they’ve been perceived as being more secure. While the next generation of MacBook Pro users is likely to be more influenced by the Retina display than the introduction of sandboxing to Safari, that assumption of superior security has been ingrained in customer perception by generations of Apple PR and Mac fan commentary far and wide across the Web, and even with the Flashback setback, it’s far from dead.
In fact, it’s not altogether wrong: Mac security may not be as perfect as some still assume, but Macs are in some respects still a far safer environment. I just wish Apple weren’t so good at not discussing security issues...