2007 Apple Year in Review: Security

With the year rapidly coming to a close, it’s time for all those year-end retrospectives to pop up across the internets (and traditional media). 2007 was an especially busy year for Apple, which introduced a plethora of revolutionary new hardware and software that has given fodder for post-upon-post to blogs old and new.

When not contributing to TAB (or spying on the Caldari for the Amarr in EVE Online) my focus is on all things related to information security (i.e. my day job). With that in mind, I thought it would be interesting to do a “security year in review” as it relates to our favorite OS & hardware vendor to see where we’ve been and where we’re headed, tossing in a bit of advice to help keep your holiday computing secure.

Back To Where We Started From

January kicked off with The Month of Apple Bugs (“official” web site), a project whose sole intent was to show the world that even Apple has a chink in its dragon-scale armor. While daily flaws were revealed, none were earth-shattering, and interest in the releases died down substantially soon after the project began.

The founders showed their lack of professional integrity when they admitted they weren’t notifying vendors before releasing the exploits. If the project’s integrity wasn’t in question from the start, a contingent of vocal users argued that various bugs had no security impact whatsoever, and it became painfully obvious that the project had to go fishing for issues in many cases since some of the bugs weren’t even for Apple-released products.

Number Crunching

According to the National Vulnerability Database, there were 79 Common Vulnerabilities and Exposures entries (CVEs) for “Mac OS X” and 45 for “Mac OS X Server”. The same numbers for 2006 were 106 and 55, but these are difficult statistics to trend since the 2005 data shows 96 & 72 respectively. Overall, it does appear that the operating systems get harder to break through as Apple matures.

Apple officially released 32 product and OS security updates, each fixing one or more vulnerabilities (with their latest one for Tiger [10.4] in November 2007 fixing over 40). Unfortunately, Leopard even had a few vulnerabilities as the 10.5.1 update fixed three security issues with the new firewall.

New! Improved! Insecure!

Two of the product highlights of the year were the release of the iPhone and Apple’s answer to Microsoft Vista – Leopard [OS X 10.5]. The iPhone had detractors from the start, and some of them went off to find a way to make it do what they wanted it to do on their schedule. These hacks have been beaten to death in the blogs and there’s even a central repository for them. Unfortunately, many of them require exposing and exploiting security vulnerabilities on the device in order to “free” them from Apple’s iron grip. Apple has not been as quick as some would like to patch the device, but they have addressed the security issues as they come up and have done a better job issuing fixes and features than other smartphones (and I’ve had smartphones from other vendors). There were reports of broken phones after updates due to using these hacks and it’s my firm belief that you get what you deserve when you decide to exploit security holes in order to gain functionality. Patience will have paid off for those users who decided to wait for Apple to do the right thing and release an API letting developers go beyond pretty iPhone-tailored web pages.

While the iPhone stole the show for the year, Leopard was not without relevance since it may have been the most anticipated operating system release ever (well, perhaps Vista beat it slightly due to the constantly sliding schedule). How successful this release was is a topic for another post, but it was not without many new security features, including application sandboxing, code-signing, library randomization and a new firewall configuration (there was a slew of changes under-the-hood as well). These features were heavily scrutinized, with the new firewall taking an especially hard beating and becoming the subject of the aforementioned end-of-year 10.5.1 patch.

Expect The Unexpected

The Mac platform gained even further popularity in 2007, but this visibility came at a price. As more users flock to OS X we can expect to see hackers migrate there as well. The engineers over at McAfee’s AVERT Labs identified a rise in crimeware on OS X, showing that the bad guys see profit in targeting this new playground. This was further demonstrated in November when the Net was abuzz with the news of a trojan horse aimed at Mac users. Then again, November is a rather slow news month.

Sadly, 2008 may be a dangerous year for iPhone users with many researchers flagging it as a prime target. Given how little problem Apple supporters have with handing over the platform to the enemy by identifying and exploiting vulnerabilities, I’m not surprised.

Keeping Safe For The Holidays

‘Tis the season to demonstrate our wanton consumption and many happy individuals will be recipients of a brand new Mac later this month. While the out-of-the-box Mac experience is still a fairly secure one, there are some things you can do to ensure that it stays that way.

Even though new boxes will be shipping with Leopard, the Tiger Security Configuration Guide – approved by our friends at the NSA & Apple – provides a good starting point for boosting the security profile of your desktop. If you’re really the adventurous type, you can even make your Leopard firewall experience a bit more secure.

The advent of real malware on the Mac means that you should also definitely consider using anti-virus/anti-malware software. Thankfully, there are many to choose from. McAfee VirusScan 8.6 was the first Leopard-compatible anti-virus product, with MacScan (more spyware-focused) and Sophos Endpoint Security & Control coming in shortly thereafter. Norton seems to be lagging behind, but it’s in good company with the freely available ClamXav.

For all those AirPort Extreme recipients, you should definitely check out Glenn Fleishman’s Take Control of Your 802.11n AirPort Extreme Network to ensure you’ve configured your network as securely as possible.

And To All A Good Night

Overall, my take is that 2007 was a good year for Apple in terms of security. The Cupertino crew smacked down bugs as quickly as they arose and managed to build products with new features that have laid the foundation for even more secure applications and operating systems in the coming years. Despite the news that Macs are in the sights of more malicious malcontents, the Mac remains the most secure and productive computing platform available today.