With the year rapidly coming to a close it’s time for all those year-end retrospectives to pop up across the internets (and traditional media). 2007 was an especially busy year for Apple who introduced a plethora of revolutionary new hardware and software that has given fodder for post-upon-post to blogs old and new.

When not contributing to TAB (or spying on the Caldari for the Amarr in EVE Online) my focus is on all things related to information security (i.e. my day job). With that in mind, I thought it would be interesting to do a “security year in review” as it relates to our favorite OS & hardware vendor to see where we’ve been and where we’re headed, tossing in a bit of advice to help keep your holiday computing secure.

Back To Where We Started From

January kicked off with The Month of Apple Bugs (“official” web site), a project whose sole intent was to show the world that even Apple has a chink in its dragon-scale armor. While flaws were revealed daily, none were earth-shattering, and interest in the releases died down very quickly.

The founders showed their lack of professional integrity when they admitted they weren’t notifying vendors before releasing the exploits. If the project’s integrity wasn’t in question from the start, a contingent of vocal users argued that various bugs had no security impact whatsoever, and it became painfully obvious that the project had to go fishing for issues in many cases since some of the bugs weren’t even for Apple-released products.

Number Crunching

According to the National Vulnerability Database, there were 79 Common Vulnerabilities and Exposures (CVE) entries for “Mac OS X” and 45 for “Mac OS X Server”. The same numbers for 2006 were 106 and 55, but these are difficult statistics to trend since the 2005 data shows 96 & 72 respectively. Overall, it does appear that the operating systems get harder to break through as Apple matures.

Apple officially released 32 product and OS security updates, each fixing one or more vulnerabilities (with their latest one for Tiger [10.4] in November 2007 fixing over 40). Unfortunately, Leopard even had a few vulnerabilities as the 10.5.1 update fixed three security issues with the new firewall.

New! Improved! Insecure!

Two of the product highlights of the year were the release of the iPhone and Apple’s answer to Microsoft Vista – Leopard [OS X 10.5]. The iPhone had detractors from the start, and some of them went off to find a way to make it do what they wanted it to do on their schedule. These hacks have been beaten to death in the blogs and there’s even a central repository for them. Unfortunately, many of them require exposing and exploiting security vulnerabilities on the device in order to “free” them from Apple’s iron grip. Apple has not been as quick as some would like to patch the device, but they have addressed the security issues as they come up and have done a better job issuing fixes and features than other smartphones (and I’ve had smartphones from other vendors). There were reports of broken phones after updates due to using these hacks and it’s my firm belief that you get what you deserve when you decide to exploit security holes in order to gain functionality. Patience will have paid off for those users who decided to wait for Apple to do the right thing and release an API letting developers go beyond pretty iPhone-tailored web pages.

While the iPhone stole the show for the year, Leopard was not without relevance since it may have been the most anticipated operating system release ever (well, perhaps Vista beat it slightly due to the constantly sliding schedule). How successful this release was is a topic for another post, but it was not without many new security features (http://www.matasano.com/log/981/a-roundup-of-leopard-security-features/), including application sandboxing, code-signing, library randomization and a new firewall configuration (there was a slew of changes under-the-hood as well). These features were heavily scrutinized, with the new firewall taking an especially hard beating and becoming the subject of the aforementioned end of year 10.5.1 patch.

Expect The Unexpected

The Mac platform gained even further popularity in 2007, but this visibility came at a price. As more users flock to OS X we can expect to see hackers migrate there as well. The engineers over at McAfee’s AVERT Labs identified a rise in crimeware on OS X, showing that the bad guys see profit in targeting this new playground. This was further demonstrated in November when the Net was abuzz with the news of a trojan horse aimed at Mac users. Then again, November is a rather slow news month.

Sadly, 2008 may be a dangerous year for iPhone users with many researchers flagging it as a prime target. Given how little problem Apple supporters have with handing over the platform to the enemy by identifying and exploiting vulnerabilities, I’m not surprised.

Keeping Safe For The Holidays

‘Tis the season to demonstrate our wanton consumption and many happy individuals will be recipients of a brand new Mac later this month. While the out-of-the-box Mac experience is still a fairly secure one there are some things you can do to ensure that it stays that way.

Even though new boxes will be shipping with Leopard, the Tiger Security Configuration Guide – approved by our friends at the NSA & Apple – provides a good starting point for boosting the security profile of your desktop. If you’re really the adventurous type, you can even make your Leopard firewall experience a bit more secure.

The advent of real malware on the Mac means that you should also definitely consider using anti-virus/anti-malware software. Thankfully, there are many to choose from. McAfee VirusScan 8.6 was the first Leopard-compatible anti-virus product, with MacScan (more spyware-focused) and Sophos Endpoint Security & Control coming in shortly thereafter. Norton seems to be lagging behind, but it’s in good company with the freely available ClamXav.

For all those Airport Extreme recipients, you should definitely check out Glenn Fleishman’s Take Control of Your 802.11n AirPort Extreme Network to ensure you’ve configured your network as securely as possible.

And To All A Good Night

Overall, my take is that 2007 was a good year for Apple in terms of security. The Cupertino crew smacked down bugs as quickly as they arose and managed to build products with new features that have laid the foundation for even more secure applications and operating systems in the coming years. Despite the news that Macs are in the sights of more malicious malcontents, it remains the most secure and productive computing platform available today.

  1. I think that you have an error here, where you state that McAfee had their Leopard anti-malware solution out first. This is incorrect, as Sophos had a fully supported version on the day prior to the release of Leopard.

  2. I’ve looked at both the McAfee and Sophos products and there appears to be no home edition for either vendor. McAfee has a license for 3 or more computers and Sophos starts at 5 computers. Symantec/Norton does have a home edition that now supports 10.5, but I’ve used Norton in the past on my Macs and it was very invasive/buggy.

    Please correct me if I am mistaken on the above, but I can’t find single user versions on their sites.

    ClamXAV, as far as I can tell does not support Leopard as of yet.

  3. Here at Sophos we are definitely seeing a rise in financially-motivated malware for Mac OS X, although obviously it’s tiny in comparison to the Windows problem.

    Scott is right that Sophos announced its Mac OS X anti-virus product before McAfee.

    LARick – yes, Sophos focuses on protecting businesses rather than home users, although we do run just fine on a single Mac (like I’m using right now!)

    Cheers
    Graham, Sophos

  4. Graham,

    How do I buy it then? I sent an inquiry via your website and got the following back from Jackin Harper when I asked for single user pricing:

    “As for pricing, unfortunately because we do not cater to home/single users
    we have a 5 licence minimum for our products. If you are interested in
    getting a quote for 5 user licences please let me know and send me your
    full contact details, including zip code. You may want to look at these
    third party websites to find an alternative security vendor:”

    What is the correct way of going about buying a home license?

  5. Sorry LARick, I wasn’t clear at all in my reply to you.

    We *do* run fine on a single PC or Mac, but as we focus on protecting businesses you would need to purchase a minimum of a 5 user license. Sorry for not being clearer in my post.

    It just isn’t economical for us to supply the high level of tech support that we believe is important with a security product at a competitive single user price. Of course, many of our business licenses include a waiver to allow workers to use our software at home too.. so that’s another route.

    Cheers, and sorry about the confusion.

    Graham Cluley, Sophos

  6. Keep your computer running like new.
    Have you been searching for a great antispyware to keep your computer running like new? If so, you will be happy to know that there are some great options out there. I have tried many different types of antispyware only to find that the majority of them find the exact same types of bugs. The biggest difference that you will find between all the different types of antispyware offered is the price. Orbasoft Antispyware is an excellent choice that can be purchased at a lower price than many of the other options available. If you are interested in discovering the benefits offered from antispyware solution from Orbasoft visit http://www.orbasoft.com to learn more.

  7. hi buddy!
    enjoy your holidays with your Apple devices like iPhone, iPod. But if you are using iPhone then you also think about its data security. Today numerous chances of data loss so if you have no any backup of your data then you suffer from data loss problems. backup is very necessary for iPhone users. I would suggest you to try iPhone backup for mac application because it is powerful and provide you complete backup to your data.
