A week or so ago the founder and CEO of Kaspersky Labs said Apple is 10 years behind Microsoft in security. By that Eugene Kaspersky meant Apple needs to be as skittish and responsive as Microsoft was a decade ago, after being hammered for the previous decade over the many vulnerabilities in Windows and the very little Microsoft did to fix any of them.
Now the company's CTO is weighing in, with more criticism, this time of Mac OS X specifically, not just Apple in general.
"Mac OS is really vulnerable," Kaspersky CTO Nikolay Grebennikov said in press interviews. "Our first investigations show Apple doesn’t pay enough attention to security."
That analysis concluded, as Grebennikov's boss Eugene Kaspersky said, that Apple is not ready to respond quickly enough on its own to counter security threats. Worse, it hinders other companies from doing so as well.
"Apple blocked Oracle from updating Java on Mac OS, and they perform all the udpates themselves. They only released the patch a few weeks ago – two or three months after the Oracle patch. That's far too long," Grebennikov said.
The Java update became an issue after it was discovered that the Flashback Trojan, which had infected enough Macs to build a botnet of more than 600,000 machines, used flaws in Apple's Java implementation to take over those machines.
Apple is still struggling to get the botnet under control, while another Trojan aimed at Macs, SabPab, continues to expand its own settlement in the once-utopian fields of Macintosh.
And, late last week, security researchers announced a programming error created a flaw in the most recent update to the security of Mac OS X 10.7.3 Lion that exposed user passwords in clear text.
No malware has been discovered in the wild that has been written specifically to target iOS, which runs iPads and iPhones. If malware producers are true to their usual response times, however, the first bits of bespoke iOS malware will begin threatening Apple phones and tablets as well as Mac OS X machines, Grebennikov said.
Two top execs, two public slams of Apple. Why?
Aside from the oddity of having the CEO and CTO of a major security company publicly and harshly criticize a systems vendor by name in different venues at different times, Kaspersky's tandem slam contributed one additional bit of confusion: When he was originally quoted in IT publications, Grebennikov seemed to have said Kaspersky was analyzing MacOS vulnerabilities at Apple's request and under contract to Apple.
Kaspersky has since retracted that, saying Grebennikov's statement was misconstrued to mean Apple hired Kaspersky to help improve its security.
In fact, according to the clarification, Kaspersky was working on its analysis independently in response to increasing demand for third-party security products for the Mac.
In addition to paying far more attention to the Mac OS, Kaspersky is ramping up its efforts to sell its security services by subscription from the cloud as an addition or alternative to having customers install and maintain on-premise antivirus products.
Kaspersky is late to that market – two to three years behind competitors such as Trend Micro, according to reseller-channel blog MSPMentor.
Kaspersky had planned to launch a SaaS version of its security service in 2010, so it's late to the party even compared to itself.
It plans to sell the service aggressively both to the MSPs who provide it and to resellers who can offer it to end users, according to an interview reseller channel chief Nancy Reynolds gave to TheVarGuy, another reseller pub owned by the same company as MSPMentor.
Two years ago competitors saw Kaspersky as "noise," Reynolds said. Now Kaspersky is not only a contender, it is a contender that believes the SaaS security market is "ripe for a leader and we intend to take control."
Is bad news for Apple users good news for anti-virus vendors willing to slam Apple while securing Macs?
Even if a big Apple security scandal is an irresistible opportunity to gain a little visibility at Apple's expense, having two top executives from the same company slam Apple publicly, in harsh terms, for poor security is overkill.
Given the one-two from Kaspersky and Grebennikov, it's not surprising some in the press were confused about why Kaspersky was being quite this energetically vocal about Apple's malware problem.
Kaspersky does get credit for identifying the SabPub Trojan, so it's not exactly struggling to find something to accomplish on the Mac to gain some notoriety.
More likely they're both just excited about the masses of potential customers the Mac OS X installed base represents.
Half of all the Macs whose owners checked in to Kaspersky's online Flashback-vulnerability checker turned out to be running older versions of Java that were still vulnerable to the Trojan.
That's a huge percentage for a plugin that should get updates routinely and automatically, without the user even having to know about them.
Kaspersky execs may see gold in the lax attitude most Mac users seem to take to security, an attitude for which Apple has to take much of the blame, after reassuring customers for years that the Mac was far less vulnerable than Windows machines.
Apple didn't mention the ego-deflating reality that Macs were less vulnerable because there were so few of them that malware writers didn't bother with Macs.
Now that iPhones and iPads rule the cool-computing universe and even Mac OS X machines are gaining market share, malware writers are interested, Mac users are unprepared, and Kaspersky execs are ready to slam Apple publicly as often and as hard as necessary to let Mac users know there's a security company out there willing to deal not only with their insecurities, but their irritating smugness as well.
Read more of Kevin Fogarty's CoreIT blog and follow the latest IT news at ITworld.