In the same fashion that many Linux distributions aren’t targeted by viruses and malware, Apple’s proprietary Mac OS X platform was never much of a good target for hackers to begin with. The platform has only gained a lot of traction in the past four years and is a more recognised name globally, synonymous for some with extreme quality and ease of use. But for others, OS X has become a viable target for malware and information or identity theft.
Just last year, in August, Apple was alerted to a botnet building up among their customer’s computers, at its height claiming over five hundred thousand desktops under its control in under two months. By the third, another hundred thousand desktops and laptops were under hacker’s control and there wasn’t any word immediately from the Cupertino company about how they were going to fix it. Oracle’s Java was the source of the vulnerability and it was patched by the company four months later in February – but Apple never pushed out the update immediately, choosing o rather wait and teat it out before pushing to their servers last week.
Its this head-in-the-sand approach that makes me wonder how some companies still make their money. Apple hides in a corner and cries foul while vulnerabilities are exposed and slowly patched. Samsung releases mobile phones and only updates them once Google’s Android moves to the next version in the family. At least Google and Microsoft pay hackers for revealing exploits to the company to help beef up security. Android is still the most malware-riddled mobile OS today but at least something’s being done about it.
For any software company, when a major vulnerability is found the first thing they should do is alert their customers to the fault and how to avoid it. Microsoft issued an alert to all users who were infected by the “Popureb” trojan within weeks telling them to reformat their systems and deep-clean their hard drives (it was later found out that it was the more extreme approach) if they were significantly affected by the virus. Its not the company’s fault if someone found a clever hack into the operating system, its just their job to make sure it doesn’t happen again.
Likewise, Apple needs to be more proactive and start plugging holes that have been in their build of OS X for a long time. It makes no sense that the latest version of Mac OS X ships by default with the firewall turned off and its that kind of mentality, that they’re smaller and still Unix-based, that makes their approach to security all the more dangerous for users. Imagine if that botnet had reached servers running OS X? The incredibly long time it took for Apple to even address the issue would have been enough, for some people, to launch a lawsuit against the company.
Eugene Kaspersky quipped a few weeks ago that Apple has always been “ten years behind Microsoft” in terms of security measures implemented and the secure-by-default standard that servers are released to. Granted, no operating system is ever truly safe (goes for Linux as well) but its simple steps that help users avoid being infected that will go a long way to preventing another Conficker disaster (which is still a threat, by the way and still no-one knows exactly what it does).
After the Info Security 2012 conference where Kaspersky spoke to an audience, Apple invited the company to have a look at its code and help secure the operating system before more malware grabs hold of their customer’s computers. Is it possible that all Macs could ship with Kaspersky in future like McAffee and Norton do for Windows? I sure hope so.
Discuss this in the forums: Linky