Apple: Taking OS X security seriously--finally

Apple hasn't had a great record when it comes to keeping users informed about security vulnerabilities or supplying timely fixes. But the company now seems to be actually trying to improve its rep.

COMMENTARY--During the days of Mac OS 9, Apple didn't need to pay much attention to security. Attacks on Mac OS boxes were extremely rare, successful ones well-nigh unheard-of. But Mac OS 9's excellent security record does not automatically transfer to OS X just because both OSes originate in Cupertino.

Thanks to Mac OS X's Unix plumbing, any vulnerabilities in Unix software can instantly become vulnerabilities in OS X. Unix vendors as a rule have always been quick to issue both security alerts and fixes for discovered holes. Which means that Apple now has a pretty high standard to live up to.

If you're a Windows user, you've grown accustomed to the never-ending stream of vulnerability announcements, interminable waits for fixes, and, most recently, unilateral changes of your end-user licensing agreement that grant Redmond remote admin privileges on your system. Trustworthy computing, indeed.

But this is a new ballgame for Apple. And its initial responses to security flaws in OS X weren't anything to crow about. Apple would keep completely quiet until it had a fix ready. When those fixes were finally released, it was usually long after other Unix vendors had delivered theirs.

I'M PLEASED TO REPORT that Apple appears to be changing its approach to security announcements, that it's taking the crescendoing din of security-related criticism to heart.

Last week, for example, a high-profile vulnerability in OpenSSH--a system for securely transferring data to and from a remote machine--was announced; Apple released a security update for OS X two days after the fix became available. That two-day response time was a welcome surprise; I hope it sets a precedent. While most other commercial Unix vendors have been quicker than Apple in the past, of the big names only Red Hat was a day faster than Apple in this specific case.

More recently, Apple announced this past Monday morning that OS X wasn't susceptible to a recently discovered widespread domain name resolver (DNR) vulnerability.

THIS IS NOT TO SAY Apple has become perfect. Its OpenSSH update also included two other, less timely security fixes. One was for an Apache vulnerability whose fix was available from other vendors on June 18--a 10-day lag from Apple. The second fix was for the mod_ssl Apache module, which allows Apache to provide secure Web connections. Unfortunately, this latter fix was already obsolete when Apple released it; a new vulnerability had been discovered in the interim, and mod_ssl's developers had already issued another update for it.

Apple needs to not only stake out, but also maintain an unshakable hold on the moral high ground when it comes to its security policies. This matters for the growing number of Mac OS X users, and it matters even more if Apple wants to entice existing Windows users. It's especially important if Apple wants to succeed with Xserve in the server market.

Proof that Apple understands this last facet of OS security came over the security-announce list on Monday. Apple announced it was hiring SAIC's Common Criteria Testing Lab to give Mac OS X and Mac OS X Server a going-over.

SAIC will test OS X and its Server sibling to something called the Common Criteria Evaluation Assurance Level 3. This evaluation will determine whether Apple has followed specific secure practices during development and has actively looked for potential vulnerabilities. OS X will then be tested against a set of standardized criteria to make sure nothing obvious was overlooked.

IT SEEMS UNLIKELY that Apple would submit its OSes to such scrutiny if it weren't confident that OS X will pass. But the announcement was also a bit cagey: Apple didn't say which version of OS X will be scrutinized--I assume it will be Jaguar rather than 10.1.

While such certification might at first glance smack of marketing and buzzword compliance, the Common Criteria are not without substance. Given their status as an ISO standard, certification is a requirement for government purchase in many countries.

The debate about the relative security of open source was recently revived. While the jury is still out on whether closed or open source yields more secure software, it's clear that open source produces faster analysis of vulnerabilities and speedier fixes. While Apple's speedy turnaround with the OpenSSH fix and the DNR announcement are laudable indeed, two data points do not a trend plot. Apple's ongoing behavior in this realm is the key to building and then maintaining confidence among Mac OS X users, recommenders, and buyers.

What do you think? Will Apple learn to be a good Unix citizen? Or is it too mired in its what-me-worry past? TalkBack to me!