“I think [Apple] are ten years behind Microsoft in terms of security,” Kaspersky told CBR. “For many years I’ve been saying that from a security point of view there is no big difference between Mac and Windows. It’s always been possible to develop Mac malware, but this one was a bit different. For example it was asking questions about being installed on the system and, using vulnerabilities, it was able to get to the user mode without any alarms.”
It is true that OS X benefits enormously from obscurity relative to Windows’ ubiquity by presenting less opportunity to criminals. But what’s driven me to expend the energy to write this blog posting is Kaspersky’s apparent ignorance of Apple’s protracted efforts to redefine the operating system contract in a dramatic way–with security no doubt as one of the foremost motives (and if not, certainly a material by-product).
This game-changer is (as anyone paying attention knows) the introduction of the app sandbox in Snow Leopard and Lion via the Mac App Store, and identified developers aka Gatekeeper, coming in Mountain Lion. If you’re in the consumer software business, I’m not sure how you’d miss these developments, but ignorance of them is even less excusable in the light of the success of iOS, which has pioneered OS X’s sandbox architecture on the world’s most popular smartphone. It’s done a pretty good job, given the complete absence of malware on iOS combined with the world’s largest app ecosystem (by at least one order of magnitude).
It is somewhat valid to point out that Gatekeeper hasn’t shipped yet and the app sandbox on OS X is opt-in and partial, but these are clearly initial, concrete steps towards migrating OS X from Unix openness to a consumer-grade, iOS-ish platform (that will presumably always let the power users opt back out into the wild west).
So yeah, Apple may not have setup a robust mechanism to respond to vulnerabilities in third-party code they modify and distribute (i.e., Java) as fast as we would like, and they may not have something as high-profile as Microsoft’s SDL to market security-consciousness to the world, but given how squeaky clean the platform has been traditionally, this seems rather forgivable (and solvable).
But it should be noted that while Microsoft has simply reacted tactically to insecurity for nearly a decade, causing untold misery and chaos for their users, Apple is taking steps to change the game. It seems that’s how they roll.
A decade behind? Hardly. But then, it’s not to hard to see how self-interest may have colored genuine perspective in this case. After all, the expert in question now has the opportunity to create a new market for their wares in a world where Windows’ dominance is finally on the wane.
UPDATE: Friday, April 27, 8:30 am
In the comments, Dan “dfabulich” writes:
I was right with you up until this point: “Microsoft has simply reacted tactically to insecurity for nearly a decade”
Vista was a huge step forward for platform security. ASLR, NX/DEP, Mandatory Integrity Control, and IE Protected Mode were huge at the time.
The problem is that Vista was late, and so buggy that nobody upgraded. Windows 7 security may be better than OSX Lion, but lots of people are still on Windows XP; their only real upgrade path is to buy a new computer.
I agree with Dan; I shouldn’t have written what I did about Microsoft. Whether Microsoft has reacted appropriately to the massive sea change in internet safety and security that occurred at some point in the 90’s / 2000’s is a separate issue and one I would have been wise to avoid.
But since I did step in it, let me expand on what was going on in my head when I wrote that:
While Microsoft is great at creating security patches and has introduced various technologies to make new versions of Windows more secure, they haven’t been at all effective at incentivizing people to upgrade to these versions of Windows nor at incentivizing software providers to require newer versions of Windows. It would seem that this latter point–putting secure software in users’ hands–is at least as important as introducing the new security features to begin with.
Regarding the Microsoft windows XP situation, this is where apple is now too. OSX 10.5 already ignored albeit still used by quite a few people (e.g. Some in our company) and I don’t think gatekeeper or whatever “magic” apple builds will be backported to even 10.6 or 10.7.
Consider that Windows XP was released in 2001; its Apple peer was OS X 10.0. 10.5 was released in 2007; that makes it contemporary was Windows Vista. Take a look at the relative marketshare between the two; Apple has done a fantastic job of migrating their users forward by any measure, certainly relative to Microsoft.
Is this because Apple users are fanatics under the thrall of a charismatic salesman? Maybe, but there’s a lot more to the Apple upgrade cycle than that. Consider all that Apple does in this regard:
- regularly introduce innovative operating system features that incentivize users to upgrade
- block developers from supporting older operating system releases without going out of their way (by regularly updating their developer tools and gradually removing older OS libraries and docs)
- dropping support for older hardware in OS releases
- aggressively pricing OS releases, making them extremely affordable relative to Microsoft
- rapidly refreshing the hardware line, which takes older hardware out of the system and brings an OS upgrade along for the ride
In my view, Microsoft is not as effective or aggressive as Apple in these points (though obviously the last one doesn’t apply to them directly at all, though given their leverage and influence with OEMs, they cannot be completely exonerated from the last point).
But is it really fair to hold Microsoft accountable for today’s massive Windows XP install base or claim that they aren’t viewing the problem strategically?
That’s a different point and not one I had intended to explore with this post. I’ll just leave it where I should have and say that I don’t think it’s at all accurate to characterize Apple’s position as ten years behind Microsoft.
Thanks Dan for calling that out.