Tim Cook Challenge: Fix Apple’s Security Mentality

With spring break and the Easter holiday upon us, there hasn’t much technical news debris worth posting. Instead, I’d like to address an important Apple issue.

_________________

Apple’s CEO, Tim Cook, has been about the business of fine tuning Apple, making some needed changes and taking decisive action. His moves related to the China workers were bold. Now, it would be nice to see heightened attention to Apple’s OS security methodology added to the list.

As we know, for a long time Apple touted the superiority of OS X security. Of course, there were some obscure holes that could be exploited by experts like Charlie Miller at the annual DEF CON Conference. By and large, however OS X has been pretty good in the past, compared to Windows XP because of the open source nature of Darwin, the UNIX core of OS X.

Battleship in crosshairsAlong the way, however, things have changed. Microsoft put an enormous amount of work into Windows 7 security, hired security experts and in some technical areas, surpassed OS X in security in the process. For example, Address Space Layout Randomization (ASLR) wasn’t as robust in Snow Leopard as it was even in Vista. These days, one hardly hears about laughably frequent and embarrassing major security holes in Windows 7.

Another area where Apple has been a bit of a doofus is in certificate management and OCSP and CRL options. That needs to be fixed as well.

So while Mozilla, the Linux community, Microsoft and the rest if the technical family energetically work together, come together at conferences, and work as a team to fight the bad guys, Apple pulls back and seems to go it alone for the sake of marketing image and message control. That is, the message is that all’s well with the Mac while everyone else has to scramble to keep up with Apple’s superior product. It’s time to mothball that conceit.

Things are different now, thanks to Apple’s enormous success.  Apple products are incredibly popular, and the bad guys continue to get more clever as they work together to target ever more popular Macs. Apple sells boatloads of everything, so it’s no longer required to tout the technical superiority of a boutique UNIX product for the sake of gaining acceptance.

Of course, I am not overlooking the technical work Apple has done to improve security. Sandboxing and Apple signed digital certificates for Mac apps are significant measures. Even so, when marketing agenda gets in the way of good technology, it creates problems.

Apple has arrived in a big way. So now, it’s time for Apple to reset and put that old philosophy behind them. After all, the origin of the approach was the result of being a runner up, a niche player, politicking for more respect. Now, Apple should, in my opinion, step up and act like the giant, responsible company it is.

The result of Apple’s now discredited philosophy, a marketing instead of technical approach, is that an estimated 600,000 Macs have been infected with the Flashback Trojan. It was a combination of ignorant bliss by customers who had been led to believe that nothing could go wrong and Apple’s tardiness and stubbornness. Oracle knew about this Java vulnerability in February, but Apple didn’t act in time.

To make matters worse, Apple published a fix on Thursday and then, mysteriously, on Friday, published a second fix. That makes Apple look bad. Finally, Apple didn’t take any explicit action that I know of to inform customers how to detect and remove the trojan. As a result, I suspect, many customers who don’t have good technical knowledge may have believed that (if they had been infected) after they applied the two fixes, their problem would be solved.

That’s not so. Applying the preventive Java fixes don’t eradicate the trojan if the Mac has already been infected. To do that, read Jeff Gamet’s article.

While it may have been okay to hold Apple’s hand on these matters in the past when the company was beleaguered, it’s not appropriate anymore when Apple is a half trillion dollar company with nearly a hundred billion dollars in cash and other assets.

I’m hoping the new captain of the Apple ship, Tim Cook, will take decisive action, as he has already shown a tendency to do.

General Quarters has been sounded.

_____________

Image credit: Shutterstock.