Flashback malware exposes big gaps in Apple security response

<-- Previous page

2. Apple offers no automatic update option

Even when updates are available, they’re only effective if they're applied. And every security researcher knows that a nontrivial percentage of users simply ignore updates.

As Mac expert Glenn Fleishman noted the other day (via Twitter), “Legions of children manage updates for parents and grandparents.” That's because they know that, left to their own devices, many unsophisticated users will simply postpone those updates by clicking the “Not Now” or "Install Later" button. They see updates as an annoyance that will mean they can’t use their Mac for 10 minutes to a half-hour.

So how bad is the problem? Based on data collected by Dr. Web, roughly 1 out of every 4 Snow Leopard users are at least six months behind in terms of applying major software updates. Nearly 15% are more than a year behind, meaning they have skipped at least two major OS X updates and are easy prey for any exploit that targets security holes that were fixed in those updates.

User education only goes so far. When you go home for the holidays, you can configure Software Update so that it downloads new updates automatically. But you can’t set up OS X to install those updates automatically, as you can with Windows.

Automatic updates would not, of course, bring the percentage of up-to-date installations anywhere near 100%. But it could make a difference for a few percent. And in a user base of 70 million (and growing), even a 3% improvement means 2 million Macs that are better protected than they are today.

3. Apple is too quick to abandon its customers

Although Apple has never said so publicly, it’s common knowledge among Mac experts that Apple provides updates (security and otherwise) only for the current OS X version and the most recent.

That means Macs that are between three and five years old are left unprotected unless their owners pay for an upgrade to a new version of OS X. (Apple charges $29 to upgrade from Leopard to Snow Leopard and another $30 to upgrade from Snow Leopard to Lion.)

According to Dr. Web’s data, 25% of all Flashback-infected Macs are running Mac OS X 10.5 Leopard. Net Market Share statistics suggest that at least 17% of all Macs in use today are running Leopard (or an earlier version of OS X).

Leopard shipped August 25, 2007. It was sold on new Macs for two full years. Customers purchased 5.7 million computers with Leopard installed in the first half of 2009. Those computers are all roughly three years old today, and most can expect to have at least two or three more years of useful life. Apple does not provide updates to these computers unless the customer purchases and installs a new version of OS X.

Snow Leopard (Mac OS X 10.6) shipped August 28, 2009, and was on sale for almost two years, until Lion shipped on July 20, 2011. It is still the most popular version of OS X today, according to these March 2012 Net Market Share figures:

If Apple maintains its current policy, then as soon as OS X Mountain Lion goes on sale, probably in July or August, Apple will drop support for the Macs it sold with Snow Leopard installed. Every one of those unsupported Macs will be three years old or less.

Or, to put it another way:

Apple sold about 27 million Macs in 2009 and 2010. By the end of this summer, in September 2012, every one of those Macs will be unsupported in its original, as-purchased configuration.

Microsoft has a support lifecycle of 10 years for each version of Windows. While that may be too much to expect of Apple, it’s clear that there’s a radical disconnect between the useful life of Apple hardware and the company’s support for the combination of hardware and software that it sells.

Users have many reasons besides cost to avoid the headaches of upgrades. I’ve yet to read an enthusiastic review of OS X Lion, and I’ve heard many people compare Lion to Windows Vista.

But the point is, Apple offers its customers the choice of whether to upgrade to a new OS. The company shouldn’t be allowed to refuse to deliver essential security updates to Macs that are three to five years old. That’s gross negligence.

4. Apple doesn’t communicate well

Apple’s first public statement that mentioned the Flashback malware outbreak came on April 14, with a support bulletin titled “About Flashback malware.” That was more than a week after security researchers and news sites like ZDNet had sounded the alarm. In its Java updates on April 3, Apple did not communicate any sense of urgency, even though they had to have known by that time that exploits were in the wild and wreaking havoc on Mac owners.

Apple doesn’t communicate well with security researchers, either. Boris Sharov, chief executive of the Moscow-based security firm Dr. Web, told Andy Greenberg of Forbes that his researchers were ignored when they tried to contact Apple with their findings: “We’ve given them all the data we have. We’ve heard nothing from them…” The only contact from Apple, in fact, was a demand to take down the “sinkhole” domain that Dr. Web researchers were using to study the distribution and behavior of the Flashback botnet.

To this day, in fact, Apple has not issued any statement aimed at the general public or the mainstream news media. Apple’s dilemma is a painful one here: If they talk to the press in an effort to reach owners of Macs who aren’t aware they’ve been infected, they risk puncturing the “Macs don’t get viruses” image they’ve cultivated through the years. So the company has chosen to remain silent, which is shameful.

Apple’s legendary secrecy is an asset when it comes to product development and launch-day hype. Somehow, the company has to overcome that desire for secrecy when it comes to security.

For its customers' sake, it desperately needs to think different.