Apple & Security; the Java debacle

While I have become more of a fan of Apple’s products in recent years, I have never been a fan of their security disclosure policy.  Apple has traditionally been very secretive, sometimes out of necessity.  Back when Steve Jobs retook the company, Apple was near death.  The company had run into a brick wall with it’s legacy operating system.  The latest version, OS8 had been so long in development that it was now technologically far behind it’s competitors.  When Jobs shook things up with OS X (10) he had a reason to be secretive.  Apple had been successful with their new products, but was still fragile.  If any of their competitors could peek inside what was going on, they might be able to stop Apple’s progress before the company could become healthy again.

Today, Jobs legacy is an Apple with a $98B war chest made largely on the success of the iPod, iPhone and iPad.  These are all benefactors of the technology Jobs brought over from NEXT that helped to form what we now know as OS X.  The problem is with all that success, Apple’s share of the desktop PC market has grown.  Apple is now big enough that’s it’s clearly visible on the radar of a lot of people including potential attackers.

To Apple’s credit, OS X was designed with security in mind from day one.  Most of the vulnerabilities that have effected the OS over the years have required a social engineering element to get users to unwittingly install malware.  For a long time, Apple’s policy, (of withholding details about security flaws until a patch is available) worked for them.  However, a recent vulnerability in Java managed to scratch a large unsightly gash in that previously pristine, brushed aluminum finish.

The component that most recently exposed this weakness in Apple’s approach is ironically a third party product, Oracle’s Java platform.  It’s a little more complicated in Apple’s case because the company repackages and builds their own custom version of Java. Because of this, it always takes longer to get Java on Macs because the software has to be separately modified, tested and blessed by Apple.  The people behind the Flashback trojan saw this opportunity and modified their malware to take advantage of the Java vulnerability.  In the 2 months it took for Apple to produce their version and publicly acknowledge the flaw over 600,000 Apple computers were infected.  The fact that most Apple customers think they’re immune to viruses didn’t help the problem either.

This should be a wake-up call to Tim Cook and the OS X security team.  Apple may not agree with full disclosure, but they can’t continue to put their collective heads in the sand and think nothing will happen.  Had even limited disclosure been made to Apple customers earlier, it would have been possible to mitigate much of the threat posed by this vulnerability.  Instead, Apple customers were exposed to this vulnerability for 2 months.