Apple dealt double blow over Mac OS X security

Mac OS X has come under attack from hackers and security experts in recent days

Security experts in Canada and Europe have served up a double dose of bad news for Apple in the last few days - seemingly proving the haters right when it comes to Mac OS X security.

Over at CanSecWest in Vancouver, a competition to hack laptops running Mac OS X, Windows Vista and Linux saw the MacBook Air fall on the second day, with the successful hacker winning both the MacBook Air and a $10,000 (£5,000) prize. Windows Vista for its part didn't fold until the third day (and then via an Adobe Flash vulnerability), while the laptop running Linux remained unhacked by the competition's close.

Closer to home, two IBM researchers at a Black Hat conference in Amsterdam revealed that Mac OS X has a greater number of unpatched vulnerabilities than Windows Vista, and that Apple shows an unhealthy disregard for the security experts who notify the company of flaws.

Both stories point to apparent shortcomings in Mac OS X and in Apple's attitude, but are things really as simple as that?

Mac OS X security row

A row has already kicked off over the CanSecWest event between OSNews and Mac site Roughly Drafted.

Roughly Drafted contends that CanSecWest - which is sponsored by Microsoft among others - has a vested interest in finding fault with Mac OS X. Site owner Daniel Dilger also accuses the hacker, Charlie Miller, of bias against Mac OS X and of arriving at the event fully armed with an exploit he knew would work, rather than probing the operating system for vulnerabilities 'on the ground'.

OSNews counters that the flaw shows how vulnerable Apple and Mac OS X are becoming as Apple's hardware and software grow more popular.

However, some commenters at Ars Technica have also pointed out that the Mac OS X flaw was only revealed after the competition rules were relaxed, no-one having gained access to any of the machines on the first day. Existing, publicly known vulnerabilities were also excluded, so a day-one attacker had to bring or find a previously unpublished flaw - something that will have worked in favour of Internet Explorer.

The vulnerability reportedly lies in open source code used in Apple's Safari web browser. The exploit has not been made public and Apple is currently working on a patch.

Black Hat attack

The IBM researchers at Black Hat reinforce the critics' view, arguing that Apple tends to publish patches late and seems more concerned about negative PR coverage than about taking security seriously. Particularly worthy of note is this passage from the researchers' white paper [PDF link]:

"Comparing the number of unpatched vulnerabilities per vendor for the period since January 2002 we observe a striking difference between Microsoft and Apple.

"On average Microsoft succeeds in keeping the average number of unpatched vulnerabilities below 20 at a steady number.

"By contrast, Apple seems unable to stabilise the number of unpatched vulnerabilities in recent years. We observe a steady increase in recent years for Apple. It seems that Apple's security processes cannot cope with the side-effects of the increased popularity of their products."
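To make the metric in that passage concrete, here is an added example (not code from the article or from the researchers' white paper, and not their exact definition) of how a "number of unpatched vulnerabilities per vendor" time series can be computed from per-advisory disclosure and patch dates. The vendor names and the advisory records are constructed for illustration; an advisory counts as unpatched on a given day if it was public on that day and no patch was yet available.

```python
"""Added example: per-vendor count of publicly known but unpatched
vulnerabilities over time, from disclosure and patch dates.
Not the cited researchers' code; the records below are constructed."""
from datetime import date, timedelta

# Constructed sample records: (vendor, disclosed, patched or None if still open),
# all dates as ISO strings so the functions can be called with plain strings.
SAMPLE = [
    ("VendorA", "2008-01-03", "2008-01-10"),
    ("VendorA", "2008-01-08", "2008-02-05"),
    ("VendorA", "2008-01-20", None),          # no fix shipped yet
    ("VendorB", "2008-01-02", "2008-01-04"),
    ("VendorB", "2008-01-15", "2008-01-16"),
]


def _d(s):
    """Parse an ISO date string; None stays None."""
    return None if s is None else date.fromisoformat(s)


def unpatched_on(records, vendor, day):
    """Number of `vendor` advisories that are public on `day` with no fix.

    An advisory is unpatched on `day` if disclosed <= day and either no patch
    exists or the patch date is after `day`; a patch released on `day` itself
    is treated as closing the exposure window on that day.
    """
    day = _d(day)
    count = 0
    for v, disclosed, patched in records:
        if v != vendor:
            continue
        disclosed, patched = _d(disclosed), _d(patched)
        if disclosed <= day and (patched is None or patched > day):
            count += 1
    return count


def daily_series(records, vendor, start, end):
    """[(date, unpatched count)] for every day in the inclusive range."""
    cur, end = _d(start), _d(end)
    series = []
    while cur <= end:
        series.append((cur, unpatched_on(records, vendor, cur.isoformat())))
        cur += timedelta(days=1)
    return series


def average_unpatched(records, vendor, start, end):
    """Mean daily unpatched count over the period: the figure the quoted
    passage compares across vendors."""
    series = daily_series(records, vendor, start, end)
    return sum(n for _, n in series) / len(series)


def compare_vendors(records, start, end):
    """Average unpatched count per vendor, for a side-by-side comparison."""
    vendors = sorted({v for v, _, _ in records})
    return {v: average_unpatched(records, v, start, end) for v in vendors}


if __name__ == "__main__":
    for vendor, avg in compare_vendors(SAMPLE, "2008-01-01", "2008-01-31").items():
        print(f"{vendor}: average unpatched in January 2008 = {avg:.2f}")
```

The interesting design choice is the boundary rule: counting a patch as closing the window on its release day keeps the daily series and any "days of exposure" figure derived from it consistent, and it is exactly the kind of definition that needs to be fixed in advance before two vendors' numbers can be compared fairly.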

You could argue, of course, that none of this is as clear cut as it looks: the CanSecWest conference and its competition are held precisely so that security researchers can find vulnerabilities and report them to software makers, and the exploit Charlie Miller used, having been handed to Apple for patching rather than released, was never likely to reach Mac OS X users out in the wild.

More worrying is the IBM finding. It seems to show that Apple has a cavalier attitude to security, but that doesn't really square with the facts. Apple went to considerable lengths in Mac OS X 10.5 Leopard to improve security, from sandboxing to code signing for applications. It's also a fact that there are relatively few threats targeting Mac OS X and Linux compared with the tens of thousands on the Windows platform - though a small threat population says nothing about how quickly a vendor ships patches, which is what the IBM figures actually measure.

If anything, the news of the last few days should show that Mac users have no reason to be smug or complacent about security, and that they need to start taking measures to reduce their exposure. And that has to be a good thing for everyone.