It’s been the better part of a decade now since Microsoft got religion about the security of its products, following the release of Bill Gates’s famous Trustworthy Computing memo. In that time, the reliability, security and resiliency of the company’s products has improved greatly, as has Microsoft’s standing in the security community.
In that same time period, Apple has taken almost no public stance on security and has fallen farther and farther behind Microsoft, Mozilla and other software suppliers on application protections. And yet the company’s market share, popularity and brand image continue to climb.
So the question that many customers, security researchers and other observers are asking is: What will it take for Apple to pay attention to security?
The short answer is that there is really no pressing reason for Apple to take security more seriously. The main driver behind Microsoft’s huge shift was demand from its enterprise customers. When Fortune 500 customers are complaining loudly and publicly about the security of your products, that tends to get some attention, and usually at the highest levels. That’s what drove the creation of Service Pack 2 for Windows XP, put a hold on the development process for some major releases while security training took priority and spurred the hiring of a number of top security minds in Redmond.
And Apple doesn’t have any of that pressure. The company’s share of the enterprise IT market is minuscule. It is far more concerned with the consumer business, especially the youth segment that sees Apple products such as iPhones, MacBooks and iPods as fashion accessories. That customer base wants more colors, more storage capacity and more games. It is not screaming about the absence of memory protections in OS X and Safari.
But security researchers are, and the hits are starting to pile up for Apple. At the SOURCE Boston and CanSecWest conferences this month, Dino Dai Zovi gave presentations that demonstrated the relative ease with which attackers could compromise Macs, thanks to the lack of security mechanisms in OS X. Dai Zovi likened the security model in Apple applications to that of software from 1999, lacking memory protections such as ASLR, DEP and others.
Also at CanSecWest, Charlie Miller (above) of Independent Security Evaluators was able to compromise a fully patched MacBook Air in less than a minute through the use of a Safari exploit that he’d had in hand for more than a year. When he was asked by my colleague Ryan Naraine why he went after Safari to win Pwn2Own instead of Internet Explorer 8, Firefox or Chrome, Miller had an easy answer.
“It’s really simple. Safari on the Mac is easier to exploit. The things that Windows do to make it harder (for an exploit to work), Macs don’t do. Hacking into Macs is so much easier. You don’t have to jump through hoops and deal with all the anti-exploit mitigations you’d find in Windows,” Miller told Naraine. “It’s more about the operating system than the (target) program. Firefox on Mac is pretty easy too. The underlying OS doesn’t have anti-exploit stuff built into it.”
Those are the kinds of things we used to hear from researchers about Windows and IE five or six years ago. And Microsoft ignored security in favor of features and functionality for a long time, until it became untenable for them to do so. Apple is in the same position right now, but without the pressure from customers, it’s hard to see a motivation for them to change.
* Photo credit: Garrett Gee’s Flickr photostream (Creative Commons).