Apple's 'good enough' security response: why it’s not going to change, isn’t fair, but doesn’t matter anyway
Apple’s handling of the recent "goto fail" vulnerability has brought about another round of the usual criticisms that we’ve heard from the security research community for years. In this most recent episode, Apple’s decision to provide security updates for iOS devices while leaving the vulnerability unpatched on Mac OS X for four days and giving no clear sign of the company's intentions has revived the oft-repeated criticisms that Apple isn’t transparent in its security response, isn’t timely, and doesn’t engage with the researcher community positively. Often the criticism will point to Microsoft as an example of what Apple doesn’t do and should.
I’m a ten year veteran of the Microsoft Security Response Center (MSRC), and I and my colleagues have said much the same things about Apple’s security response. In fact, one of my colleagues, Stephen Toulouse, made news in 2006 by calling on Apple to implement some of the many programs that Microsoft had put together. For us, it was always particularly frustrating to see Apple essentially get a pass on behavior that would lead to huge outcries if Microsoft did it. Think of the outcry if there was an SSL/TLS vulnerability that enables man-in-the-middle attacks affecting Microsoft Windows and Internet Explorer that’s unpatched for four days with no information from Microsoft. Now, compare that with what we saw with Apple. Forgive the pun but its Apples to oranges, really and Apple gets off easy every time.
While it’s good and justified that the security research community continues to criticize Apple and encourage change, it’s my professional opinion now that it’s just not going to happen. It is patently unfair: Apple is being held by its customers and the community to a lesser standard than Microsoft, Adobe or Oracle. But it’s also my opinion that Apple not making changes increasingly doesn’t matter.
Let me explain first why Apple isn’t going to change. I’ve worked with my colleagues at Apple on communications around joint security issues and can attest that its approach is very old school: it wants to keep the issues off the front page. And who can blame it? Microsoft never wanted to be as public as it is (Jim Allchin once famously accusing us of "trying to kill his product" when publicizing the first critical, potentially wormable vulnerability affecting Windows XP MS02-006). What drove Microsoft to change and isn’t driving Apple are customers. Bill Gates’ Trustworthy Computing Memo was driven chiefly by large customers making clear they were ready to dump everything with the word "Microsoft" if things didn’t change. When we look at Apple, as the saying goes, where’s the outrage? It’s only to be found in the security research community. Apple has correctly calculated that it can do the bare minimum and its customers won’t penalize it. If Apple hasn’t followed Microsoft’s lead around security response by now, there’s no reason to expect it to in the future. No, it’s not fair. But that’s just what it is.
Why It Doesn't Matter
Which brings me to my second point: increasingly it doesn’t matter if Apple builds a Microsoft-like security response process. The world in which we built the "Patch Tuesday" process is ten years gone now. A regular update process like that made sense for desktops and servers. But is an ancient artifact when we talk about cloud and devices. Expectations around handling vulnerabilities in the cloud and device world are simpler and lower. Basically, security response for cloud and devices is send an update from the cloud to the device (or app on the device) or fix it on the back end as soon as possible. You don’t need to publicize it since the auto-update mechanisms cover that for you on the devices. From the point of view of cloud and device security response, all the major players are on an equal footing and no one really excels. I’ve said there are ways in which the best of the old server and desktop security response and cloud and device security response should be synthesized but no one is doing that right now and again, there’s not much call for it beyond the research community and again, there’s not much call for it beyond the research community. The big security response processes that companies like Microsoft have are losing their relevance much like desktops and servers are. They exist increasingly to fill a necessary but legacy function.
In fact, when we talk about cloud and device security we also have to give Apple credit for decisions it made that keeps the iOS ecosystem relatively free of malware and high risk apps. Compare what Apple has done with what Google has done and you can see the good work by Apple. My company, Trend Micro, has catalogued 1.4 million malicious and high risk apps on Android with 1 million of those coming out in 2013 alone. To set context, it took Microsoft Windows 15 years to reach the one million pieces of malware mark. And when we’re talking addressing vulnerabilities on mobile platforms, Apple has a much better and stronger story than Google, due most of all to the fragmentation and poor ongoing support of Android on the part of the carriers and handset makers. In fact, Google’s Android head Sundar Pichai was just quoted as saying "We cannot guarantee that Android is designed to be safe… If I had a company dedicated to malware, I would also be addressing my attacks on Android". Unlike desktops and servers, this space is the space of the future and in this space I would argue Apple HAS made security a priority and leads its peers.
But Apple isn’t just about iOS, it still has Mac OS X and will for some time. And we are seeing attacks against the Mac platform finally, like the Flashback Trojan. Don’t these mean that Apple’s lackluster security response process for the Mac matters? I argue that it doesn’t. The truth is that attacks against the Mac are still very rare: targeted attacks are more common than broad ones. All trends show that the money and interest for attackers is moving towards mobile, while keeping a healthy legacy Windows business going as well: like the Mac itself, Mac attacks are a niche business. And where there have been security issues Apple has at least gotten fixes out and issued cleaning tools at least enough to prevent a Microsoft-style PR disaster (and that’s Apple’s goal with security). Taken all together, what I’m saying is that at this point, Apple’s security response for its legacy Mac OS X is just good enough and it doesn’t matter if it never gets any better. The company has done better work where it matters: on iOS.
Is it fair? No. Is it putting customer security first? No, certainly not on Mac OS X. But is it going to change? No. And as the years pass it’s going to matter less and less.
It does mean, however, that people who run Mac OS X should understand this reality and take steps to increase their protections by running a security package on their Mac OS X systems.
In the end, the nature of Apple’s security response process reflects Apple’s culture (closed and authoritarian) and its customer base (loyal to a fault, focused on it "just going", and not asking for much). These are things that are unique to Apple in the industry. And that gives Apple a unique pass when it comes to security response. There is no other company that could maintain this approach to security. But there’s also no other company that could have pioneered digital music by standing up to the record companies or dictated terms to wireless carriers either. Some companies (like people) do seem to live a charmed life.
Christopher Budd is a communications manager at Trend Micro. He is a 10-year veteran of Microsoft, where he oversaw and managed communications around online security and privacy incidents. He left the company in December 2010. Today uses his experience in the areas of threats to online security and privacy, crisis communications, and social media to help people better protect themselves.