A clear-eyed guide to Mac OS X's actual security risks

Apple's Mac computers and its OS X operating system have enjoyed a reputation of being relatively secure over the years. But in fact, experts say, the Apple OS has had security issues that might have been downplayed only because the vulnerabilities were not exploited.

As more enterprises deploy Macs, the state of OS X security is more likely to be a topic of discussion in IT strategy meetings. Indications are that Macs will continue to find their way into the workplace, as Gartner has noted. Apple's mobile iPhone and iPads are already well accepted by enterprise IT. While Mac laptops and desktops remain "not commonly accepted by IT," that will change as Apple continues to benefit from consumerization and adapt iOS technology into OS X, Gartner says.

[ Also on InfoWorld: A clear-eyed guide to Android security. | It's time to rethink security. Two former CIOs show you how to rethink your security strategy for today's world. Bonus: Available in PDF and e-book versions. ]

Apple security issues made headlines in late February when the company confirmed a major security flaw in the iPhone's and iPad's iOS and in the Mac's OS X. The flaw causes iOS's browser engine and many of Apple's Mac applications to skip a critical verification check that is supposed to occur when many Transport Layer Security (TLS) and Secure Sockets Layer (SSL) connections are being negotiated over unsecured Wi-Fi networks, which could allow man-in-the-middle attacks in public hotspots. The company quickly released a fix for mobile devices running iOS, but took several days to patch OS X.

Whether OS X is more or less secure than other operating systems today is difficult to say -- it's hard to compare the number of vulnerabilities in different operating systems.

For example, many vulnerabilities currently used to attack Windows aren't vulnerabilities in the core Windows OS, says Johannes Ullrich, chief research officer at the SANS Institute, a research and education organization for security professionals. Instead, many "Windows" vulnerabilities are actually in third-party software like Oracle Java, Microsoft Office macros, Adobe Reader, and Adobe Flash.

"At the same time, most malware seen for OS X does not use any [inherent OS] vulnerability at all, but instead tricks the user into installing the malicious application," Ullrich says.

As with Windows, user awareness and the need to train Mac users to not click on certain things is a necessary but difficult task, says Henry Henderson, senior penetration tester at Foreground Security, a security consulting firm. "Defense-in-depth only helps if you train your users and have the proper tools in place to detect the basic things," he says.

"I don't think either operating system today has a significant advantage when it comes to security, and the market share is still the most important issue when it comes to the prevalence of malware for either operating system," Ullrich says.

But some say the idea that Mac's comparatively low market share makes OS X not worth the trouble for cyber criminals should be put to rest. "Macs may not be used that broadly in the enterprise, but if you walk into any coffee shop you will see at least two to three people using them," Henderson says. "The consumer market for the average Internet bad guy who targets users for financial gain or to grow their botnet is already there." As the enterprise market share grows, the level of interest for targeting Macs will grow as well, he says.

OS X's security has improved in recent yearsHow secure is OS X today? In general, more secure than it has been in the past, although far from invulnerable, say security experts.

"OS X has improved considerably over the past few years, and is now nearly as inherently secure as the latest versions of Windows," says Rich Mogull, CEO at Securosis, an information security research and analysis firm. "It is also still attacked less, making it relatively safer than Windows."

The main OS X attack vectors are plug-ins such as Java and Flash applets in the browser, Mogull says.

OS X is more secure due to several improvements in its defenses in recent releases, experts say. These include:

• New memory-protection techniques
• Improved security defaults, such as automatic installation of system updates
• The addition of Gatekeeper, a feature introduced in OS X Lion 10.7.5 that builds on OS X's existing malware checks to help protect Macs from malware and problematic apps downloaded from the Internet
• FileVault2, an easy-to-use disk encryption system that allows for key escrow in corporate systems
• OS X's attempts to minimize the use of common attack vectors such as Java
• The use of the same APIs as in iOS 7 for system management and remote configuration, a process started in OS X Mountain Lion and greatly enhanced in OS X Mavericks

Apple's focus has been on blocking malwareThe Gatekeeper whitelist system provides a reasonable defense against current OS X malware, says SANS's Ullrich.

Support for application sandboxing has made it easier for developers to write applications that, if compromised, have limited access to the system, Ullrich says. "The antimalware detection capability is very limited, but it has been used with success to limit some OS X malware like the Flashback bot," he says. "However, updates to the signatures have been rather slow."

Apple has made OS X security a higher priority, Mogull says, and is taking the lessons of iOS and applying them to OS X. The two are still based on the same code base, which is commonly forgotten, he says.

The company has focused heavily on the methods of malware propagation, so it uses tools such as Gatekeeper to make it extremely difficult to create widespread infections, Mogull says. "It isn't that such infections aren't possible, but users are building different habits on OS X that make it much harder for attackers to succeed at scale, even when they discover a vulnerability," he says. He doesn't anticipate that a rise in market share for OS X in the enterprise will correspond to a significant decline in safety.

"Apple is targeting the economics of malware, which is an excellent way to prevent any widespread attacks," Mogull says. Of course, even as Apple continues to harden the operating system, OS X will still be subject to targeted attacks. "But Macs today are safer in the enterprise than Windows, assuming you can get the manageability you want," he says.

Others aren't as keen on Macs' security level when it comes to malware. Despite the Flashback incident and recent Java attacks that could affect Macs just like Windows PCs, "most OS X users are still under the illusion that they are safe. They are far from safe," says Foreground Security's Henderson. Henderson laments that OS X users typically do not install antimalware software and vendors don't aggressively market their tools.

Of course, as any Mac user will tell you, it's extremely rare for a Mac to be infected by a virus -- most users have never had an infection, even over a decade's use. The Flashback incident in 2012 was the exception to that quiet. By contrast, Windows users are routinely infected both at home and at work, and there's a major new infection several times a year.

OS X users have to worry less about viruses due to the smart way that Apple has engineered security into its operating system, says Dan Guido, CTO of Trail of Bits, a company that provides security research and services.

"Features like Gatekeeper and the availability of the App Store on the Mac desktop do far more to keep users safe than installing antivirus software," Guido says. Apple also forbids use of Java 6 and earlier due to their security holes, and discourages use of Java 7. "We explored this phenomenon in our analysis of mobile malware ... and found that Apple knows these are hard obstacles for hackers to overcome."

The OS X weaknesses you should knowTo be sure, even with the security improvements Apple has made, IT needs to be aware of other issues, Ullrich says:

• OS X often does not integrate well with commonly used configuration tools. Although OS X now integrates with an increasing number of mobile management tools, due to the security and management APIs shared with iOS, that's not yet a common management approach in the enterprise.
• Apple does not furnish long-term support for its operating systems, typically providing patches only for the current and previous version, requiring relatively fast updates. Apple has extended some security updates as far as back as 2009's OS X Snow Leopard, but usually after delay.
• Apple's built-in firewall configuration graphical interface is basic, though it can be improved with command-line or third-party tools.
• OS X tends to rely on Apple-provided, cloud-based services for backups, remote management, and password storage, which can be hard to control for corporate systems.
• Apple does not provide a security configuration guide for any recent version of OS X.
• Apple has been slow to release updates for OS X's open source components.

Third-party software for the Mac has and always will be an issue, says Foreground Security's Henderson. "The biggest flaw with any system is always third-party software," he says. "Even with sandboxing and software/hardware protection techniques, major exploit kits still heavily target browsers, and the last few big exploits have been via third-party applications."

Ironically, those vulnerabilities tend to exist in the same applications that provide a conduit for malware in Windows: Oracle Java, Adobe Flash, and Adobe Reader. Office macro vulnerabilities are not an issue in OS X only because Office for Mac doesn't support them and thus can't run them.

Allowing Java access across the enterprise is a bad idea, Henderson maintains, "yet I continue to access networks using these attacks. The landscape is changing, as Apple recently decided to stop supporting Java. But users can still install the Oracle version, which will still make Java-based attacks viable."

Ironically, some Mac antivirus software such as Symantec's requires the use of Java to operate, forcing enterprises to enable the risky Java to gain antivirus protection. Likewise, Flash is required by some Web-based online meeting services, for YouTube, and for many companies' marketing websites.

The Mac hardware weaknesses you should knowApple uses much of the same core hardware as Windows PCs: Intel processors, USB ports, SATA hard drives, and so on. Its hardware risks are similar for those components, says Henderson.

"There is debate about whether CPU attacks are real, but nonetheless, CPU, BIOS, and motherboards still remain a viable target for Tempest-like attacks," he says, which spy agencies like the NSA use. (They put monitoring radios and other spy gear inside the computer itself.)

Apple's management APIs don't provide a way to lock down USB or other ports. Monitoring external media connections through a host-based intrusion prevention system is a good first step for companies that do not want the inconvenience of disabling USB and similar ports, Henderson advises.

Apple does not support the Trusted Platform Module that Microsoft will require all PC makers to support starting next year, to make encryption keys much harder to hack.

Also, one of the Mac's conveniences -- its ability to be booted from any attached disk with OS X installed -- could be used to bypass OS X's password requirements, giving a thief access to the Mac's contents and time to try to break any encryption. Ironically, Macs support firmware passwords, a feature that can lock a Mac to a specific startup device, but few people know about it, Henderson notes. (You can access it only by booting from the recovery partition and running the OS X utilities there.)

The more integrated "all in one" hardware Apple provides in its thin laptops -- the Retina MacBook and MacBook Air -- and in its iMacs make tampering more difficult, Ullrich says. For example, it's not easy to remove an internal hard drive or flash drive to copy data from the drive.

Is iCloud a security risk?OS X's reliance on iCloud to store online documents in apps such as the iWork suite or Omni Outliner could be a risk if those documents contain sensitive corporate information. If another Mac or iOS device uses the same iCloud account and isn't protected through encryption or a password, a thief could use that other device to access the files.

"If an employee has very confidential company data and is putting it on their iCloud and on their iPhone, the [need for] data management is expanded," creating a new exposure point, says James Robinson, director of information security at Accuvant, a provider of security services. (This risk is similar to the use of any cloud-storage service, such as Box, Dropbox, Google Drive, or Microsoft OneDrive.)

Exchange ActiveSync policies can enforce the use of encryption and passwords on a Mac or iOS device, and third-party management tools can use an Apple API to disable iCloud on iOS devices. But if a device is not under IT management, those protections can't be enabled or enforced.

The new iCloud Keychain feature in iOS 7 and OS X Mavericks allows Safari to sync passwords and credit card numbers across Macs and iOS devices. Although it uses two-factor authentication, there's a possible risk in using this feature.

As is true with other cloud services, such as Google accounts and Microsoft accounts, a hacker can use a combination of social engineering techniques and spoofing attacks to hijack an iCloud account, gaining access to the users' iCloud data. Many iCloud users share their credentials with iTunes and the Apple Store, so a hijacked iCloud username and password could also be used to purchase items from iTunes and the Apple Store online.

Apple plays it quiet in the security cat-and-mouse gameWith security in general, it's often a cat-and-mouse game, where vendors release the latest patches or anti-whatever tools, and researchers figure out a way to bypass them, Foreground Security's Henderson says. Vendors engage with security researchers and white-hat hackers to identify and close off vulnerabilities in an awkward but useful dance -- not Apple, though.

"Apple should take the 'help us help you' approach and publicize the fact that it is willing to work with independent security researchers," Henderson advises. "If we look at the increased security features that Microsoft has started to include in its products over the past decade or so, you will see that most of these features are a result of working with security researchers and the general public."

Apple is much less transparent about its security policies than other vendors, says Mike Silver, a distinguished analyst at Gartner. (Apple declined to comment to InfoWorld on Mac security issues.) Plus, "Apple doesn't have specific timelines on how long it will support an OS for, which makes it difficult for organizations that have to certify security."

Should you worry? Yes, but not a lot.

This story, "A clear-eyed guide to Mac OS X's actual security risks," was originally published at InfoWorld.com. Follow the latest developments in mobile technology and security at InfoWorld.com. For the latest developments in business technology news, follow InfoWorld.com on Twitter.

Read more about security in InfoWorld's Security Channel.