Is Apple Feeling the Security Pinch?

As my colleague Michael Hickins noted, among other things, Apple has long encouraged a mythological image of perfection by presenting products as self-contained black boxes that should be, as much as possible, wholly a product of Apple. But the image has been cracking of late, and the company’s own actions show tacit, if not explicit, acknowledgment.

When it comes to security, Apple certainly has its defenders who largely argue for the company’s effectiveness by pointing to what hasn’t happened. For example, I recently had an email exchange with a technology journalist who has never had a security problem with Macs. However, up to that point, he had also never used antivirus software on his system. Nothing showed up when he finally did, but I saw this as an example of selective attention. That feature is a big one among a class of Apple loyalists (and I’m not putting said unnamed journalist into this camp) that I call Defenders of the One True Technology, or DOTTies — a term hardly limited to Apple-devotees..

But even if the Appe DOTTies are reluctant to look at external evidence, they might pay attention to Apple’s recent activities. A big one earlier this week was Apple Patch Day, which included 67 Mac OS X and Safari vulnerabilities:

The OS X update covers flaws in 31 different components, including several known (and dated) issues in open-source packages used by Apple. These include vulnerabilities in Apache, BIND, CUPS, OpenSSL, PHP and Kerberos.

The update also fixes what Apple describes as “arbitrary code execution” vulnerabilities in ATS, CFNetwork, CoreGraphics, Cscope, Disk Images and Spotlight.

Apple’s list of security updates is here, and you can check the Apple Patch Day link for the Safari problems. Note that Apple does periodically come out with substantial security updates, suggesting that perhaps the Mac wouldn’t be quite as secure as DOTTies would like to think should hackers decide to spend any attention on the machines:

• “Macs are as easy to hack as they are to use,” says researcher Charles Muller, who, for the last two years running, has won CanSecWest’s PWN2OWN contest, .trick the iPhone into running shellcode, letting someone remotely view text messages or call history.
• Miller has also claimed to have found a way to
• Also at CanWest, a University of Oldenburg master’s candidate was just as able to hack Safari as IE 8 and Firefox.
• Because there was so much hacking of iPhones, last year Apple was looking to hire a security expert to “validate the security architecture for the iPhone.”
• Apparently there has been a new piece of software to crack iPhone app security so people can share them without permission or payment.
• Earlier this year, someone hacked into Selma Hayek’s Apple MobileMe account with “a few keystrokes.”

But enough with lists. Apple recognizes its own security weaknesses, even if the DOTTies don’t. The company has hired Ivan Krstic, a big name in security who developed the Bitfrost system at age 21. Under Bitfrost, applications get their own virtual operating systems, isolating a virus from everything else — a feature that Apple has already effectively claimed to have via running apps in sandboxes.

Apple knows it needs more attention to security as it gains market share in various areas, even if it won’t say so — not that I can blame them, because what company wants to say, “We’re a security hack waiting to happen?” But at least one analyst is predicting that within the next 18 months, Apple will be recommending that Mac users install security software.

However, I disagree. Apple will just buy some company or product, incorporate it, and pretend that it was there all the time. As an old deodorant commercial said, “Never let them see you sweat.”