Editorial - Does the Mac Really Have Enterprise Security Issues?

by , 5:15 PM EDT, July 15th, 2008

On Tuesday, Computerworld published a story about so-called security flaws in Mac OS X that affect the enterprise. The six arguments actually amount to a collection of shibboleths.

Security Flaw #1: Apple Updates. The argument is that security updates pop up unannounced and insufficient information is provided to make a decision as to whether to roll out the update.

Reality: Experienced IT administrators who maintain Macs have access to information that helps them better understand the updates. With Apple Remote Desktop, they can lock down their clients and prevent individual users from installing updates while they evaluate the update themselves. Then they can roll it out when ready. The CW argument above draws from the experience of the desktop user, not the Mac IT administrator.

Security Flaw #2: Serious Flaws are slow to be fixed. "While the project running the software often patches such vulnerabilities in hours or days, Apple often lags in releasing such updates," the author noted.

Reality: I suspect, based on my experience, that Apple evaluates the impact of the vulnerability in the light of the system architecture. If there are no known exploits in the wild, as the author admitted, then Apple can take a wholistic approach that's better for system stability. Also, they have to take into account that the FreeBSD subsystem is open source maintained by committers. In contrast, Microsoft can roll out emergency patches that simply cause trickle down effects and result in the need for new patches on patches and reduce system stability.

Security Flaw #3: Administrator Mode. The argument here is somewhat incoherent and suggests that the distinction between administrator mode and an unprivileged user is a problem in the business world. The argument fails to take note of the tools Mac IT administrators have.

Reality: Corporate users of Mac OS X do not generally have Administrator privileges and IT Administrators lock down the Mac and dictate what can be done. Entire disk images ("spins") can be rolled out or specific updates installed. See Item #1 above. The CW article goes over the top when it suggests that Mac users with Admin privileges can all too easily access dangerous functions, which is not true in a managed corporate environment. "It's hard to enable those things on Windows," said a consultant who noted that "even when such settings are available in Windows, the settings are typically obscure or complicated enough to deter average users. By contrast, a single click might be enough in Mac OS X." The obscurity argument is hardly comforting and fails to take into account the fact that enterprise Mac users can be denied access to the the terminal or other configuration options.

Security Flaw #4: Naive Use of Back to My Mac. "Mac OS X includes one special service that sounds alarming at first glance -- and it can be a real security hole in unmanaged environments," according to the author.

Reality: Enterprise installations of Macs are managed environments. Back to My Mac is a toy for individuals who assume the entire risk. The article goes on to basically admit that.

Security Flaw #5: Complacency over Malware. The author goes on to say, "The fact is that the Mac has not been a malware target, and it is safer than Windows from such threats." The argument is then that that may not be true in the future.

Reality: The author negated his own headline and then added some speculation.

Security Flaw #6: Apple's security is half-baked. "Nothing in Leopard is completely implemented," according to a consultant cited by the author. "They finished enough to get their marketing bullet point, but not a real strong level of defense," was ascribed to another consultant. The solution suggested was to wait for Snow Leopard for serious Mac deployments when the users will "know precisely what security improvements Apple commits to for that release."

Reality: Quoting consultants who have an opinion doesn't make for quantitative truth. Any OS is an evolving ecosphere. No OS will ever be perfect, and suggesting that the entire security posture of Leopard won't be complete until Snow Leopard is like suggesting that 90 percent of corporate America completely delay the deployment of Vista until Windows 7 comes out. It's a pipe dream.

In my opinion, the article isn't really about security flaws in Mac OS X that affect the enterprise. It's really just a collection of quotes and differing opinions regarding Apple's business practices and technical approach.