Do automatic OS X security updates signal a sea change at Apple?

By Taylor Armerding, CSO |  Security, Apple, OS X

Based on breaking news about Apple's newest OS X, Mountain Lion, and other recent events, the answer seems to be a qualified "yes." MacRumors reported Monday that the new system will have significant security improvements that follow Microsoft's lead: It will check for security updates daily instead of weekly, and will install them automatically.

Gregg Keizer reported at Computerworld: "Apple also said it beefed up the security of the connections between customers' Macs and its update servers, hinting at the same kind of improvement in encryption that Microsoft made this month after Flame, an advanced super-spy kit, was found to fake Windows Update downloads."

But, of course, that still leaves millions of Mac users -- the ones who will not be running Mountain Lion -- to install updates themselves, after they're notified.

Edy Almer, vice president at security software vendor Wave Systems, said he thinks the debate over PC vs. Mac security "misses the larger point: There are many security actions from both sides that have greatly improved the security posture of their respective [OSes.]"

Almer cites Apple's tight control of iTunes applications and adds: "The introduction of an app store proved immensely helpful in mitigating the risk of infection from malware. Microsoft mimicked this with its Win8RT model -- a much stricter lockdown of what can be installed and controlled through the app store."

And he notes that Apple has followed Microsoft's lead in the past as well: "The native FDE offering of BitLocker was later imitated with the introduction of FileVault2 in OS X Lion," he said, but adds that those improvements simply make the need for independent security software more obvious.

On another front, Brian Krebs, a former Washington Post reporter and author of the blog Krebs on Security, has criticized Apple for years for taking far too long to fix known security holes. In a 2009 blog at the Post, he reported, "I have reviewed the last three Java updates that Apple shipped during the past 18 months, and found that Apple patched Java flaws on average about 166 days after Sun (Microsystems) had shipped its own patch to fix the same vulnerabilities."

But in a post earlier this month, Krebs was more complimentary, noting that Apple had shipped a software update for Java on the same day as Oracle, the official producer of Java -- a vast improvement from "consistently [lagging] months behind Oracle in fixing security bugs."

"It seems that Apple learned a thing or two from that [the Flashback] incident," Krebs wrote.


Originally published on CSO.