security.itworld.com
  Search  
Security Home Page Security Webcasts Security White Papers Security Newsletters Security News Security Topics Careers ITworld Voices ITwhirled The Security site of ITworld.com
Apple OS X users feeling the exploit pinch
SECURITY.ITWORLD.COM --- 02/20/2007

Brent Huston

OS X is my operating system of choice and I use it every day. That said, many Apple users have sat smug about the security of the OS X operating system. Pundits have expounded on its BSD roots, its imperviousness to spyware and malware, and overall lack of public exploits. Some have even lauded Apple's superior responsiveness when threats arose, and its commitment to information security. 

On this topic
Get practical tips, IT news, how-tos, and the best in tech humor.
Disaster Recovery Simplified - iSCSI and VMware Site Recovery Manager Deliver Results
Data Protection and Disaster Recovery with iSCSI and VMware
Five Security Mistakes to Avoid
Osterman Report: The Advantages of a Hosted Messaging Security Solution
Top 10 Ways to Protect Against Web Threats
The Case and Criteria for Combining Application Acceleration and Security
Facebook partners with AGs for kids' safety
Mozilla: Firefox plugin shipped with malicious code
Four Microsoft security patches due next week
Mozilla: Firefox plugin shipped with malicious code
0day treasure hunt: researcher hides IE attack on Web

Unfortunately, a lot has changed.

The "Month of Apple Bugs" project (http://projects.info-pull.com/moab/) has shattered much of the illusions around OS X's security. According to the website, its initiative aims to serve as an effort to improve Mac OS X, uncovering and finding security flaws in different Apple software and third-party applications designed for this operating system. As of this writing, the project has released 31 public vulnerabilities for OS X and its supporting applications. Of the 31 vulnerabilities, 30 have either proof-of-concept exploits or none are needed to cause damage. Many of the disclosed bugs are serious issues and can be used to remotely compromise the system.

Apple is working on fixes, but patches have come slower than expected. Observers have stopped spreading the image of Apple as a security-focused messiah, and grown used to the idea that for Apple (like every other company that manufactures an operating system), tracking and mitigating security issues is a long, difficult and resource-intensive process.

Hopefully, OS X users will begin to acknowledge the risks, and embrace their need for anti-virus, OS hardening and ongoing patching. One thing is for certain. Information security-savvy users and organizations will need to focus attention on OS X users. Apple will also likely improve their security testing and programming development processes to help stop future holes.

I am paying more attention. As noted, I own a PowerBook, running OS X, and I have tightened up my system’s firewall, implemented more monitoring, deployed more detection tools to know when I am being targeted and even ratcheted down the time between checks for patches -- which I, like everyone else, am anxiously awaiting. I will still use OS X every day. It is still my operating system of choice, for the same reasons as before – flexibility, power and usefulness plus incredible ease-of-use. That said, I will remain vigilant and take the necessary steps to protect my Mac and all of the other computer systems I depend on. Let’s hope that everyone else does the same.

 

 Brent Huston is CEO and Security Evangelist of MicroSolved, Inc., an information security company, based in Columbus, OH. Brent and his staff have performed system and network security-consulting services for Fortune 500 companies, international telecomm firms and major financial institutions. His professional experience exceeds fifteen years in the information security field. To date, he has performed hundreds of vulnerability assessments and penetration tests against target organizations such as banks, credit unions, financial companies, e-commerce sites, critical infrastructure, federal/state/local governments and military/national security installations. He is well versed in the use and implementation of all major security tools, standards and systems and has developed the primary assessment methodologies in use at MicroSolved and the US Department of Energy. He has published numerous white papers on security-related topics, and is the co-author and technical editor of the book "Hack Proofing Your E-Commerce Site" from Syngress Publishing. Write him at mailto: bhuston@microsolved.com.
Advertisements
Sponsored links
Bring harmony to your mix of UNIX-Linux-Windows computing environments
Locate Hidden Software on business PCs with this free tool
KODAK i1400 Series Scanners stand up to the challenge
Top 5 Reasons to Combine App Performance and Security
Home  Newsletters SECURITY.ITWORLD.COM
www.itworld.com    open.itworld.com     security.itworld.com     smallbusiness.itworld.com
storage.itworld.com     utilitycomputing.itworld.com     wireless.itworld.com

 
Contact Us   About Us   Privacy Policy    Terms of Service   Reprints  

CIO   Computerworld   CSO   GamePro   Games.net   IDG Connect   IDG World Expo   Infoworld   ITworld   JavaWorld   LinuxWorld  MacUser   Macworld   Network World   PC World   Playlist  

Copyright © Computerworld, Inc. All rights reserved

Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.