Apple has a problem. For years, the message that many Apple users heard was that Macs don’t need anti-virus because the OS was invulnerable. In the late 90s and early 2000s, Windows suffered from dozens of vulnerabilities that were massively exploited, partly because, suddenly, everyone was plugging their poorly managed PCs into always-on broadband connections. Cue crowing from the (comparatively) small number of Apple aficionados: their view was that their age-old nemesis was getting what it deserved.
The problem was, and to some extent still is, that this perception of invulnerability was grounded in an uncomfortable fact: Apple’s share of the PC market was tiny, so Macs were simply not worth an attacker’s time. In 2001 that share was around 3%. By 2011, it was nearly 10% (not including phones and tablets). Bearing in mind the explosion in computer ownership over the same period, that amounts to a very large increase in the absolute number of Macs.
What all this means is that Macs are now economical to exploit: the payoff from writing Mac malware has crossed the threshold where it is worth the effort.
Microsoft recognised that they had a problem in the early 2000s, and the result was a huge engineering effort to reduce the number of bugs in their code. The crux of this strategy was to weed vulnerabilities out early using their Security Development Lifecycle (SDL), since the earlier you find a bug, the cheaper it is to fix. Sun (as it then was) and Oracle adopted a similar approach.
In addition, there was a real push to engage with security researchers: Microsoft promoted responsible disclosure by giving credit where it was due to those who discovered flaws, and improved their patching processes. All in all, the process has become much more transparent.
The results of these efforts are clear: while Microsoft OSs are still the most targeted, most malware no longer goes after the OS itself; third-party applications have become the target of choice. A good example of this is the recently discovered “Sweet Orange” exploit kit, which goes for vulnerable browser plugins.
(Mozilla provides a free browser plugin checker that works for most common browsers, so you can see which plugins on your system are out of date.)
Apple have taken a different approach:
- Seemingly punishing people for notifying them of vulnerabilities
- Repeatedly failing to fix well known vulnerabilities in OS X in a timely manner
- For years, they have promoted the idea that Macs were inherently more secure than PCs
Now, we are hearing of increasing numbers of infected Macs, of a user base that is confused because it has been told it doesn’t need anti-virus, and of seemingly poor software QA (take the recent example of FileVault, where an OS X update left users’ login passwords sitting unencrypted in a log file).
Eugene Kaspersky has said what many people in the information security world have been thinking: Apple are now ten years behind Microsoft when it comes to security. Interestingly, Apple has restated that it is “open to collaboration” with Kaspersky on improving its security.
So, if anyone from Apple reads this, I strongly urge you to swallow your pride and take a look at how other people, including Microsoft, approach security. This means changing the way software is developed and how it’s patched. Transparency and collaboration are important: people who fear that they will be treated badly when they try to help will quickly stop trying to help.
There is still vastly more malware for Windows but the tide is turning. Apple is running out of time to stop repeating Microsoft’s mistakes.