For as much as Mac OS X has a reputation for being safer than Windows, security researchers won’t hesitate to point out that the opposite is, in fact, true. Indeed, the primary reason the Mac has been relatively immune to the security threats commonly found on Windows is that its comparatively small market share makes it an unattractive target for malicious hackers. Put differently, when it comes to code quality as it pertains to security, the Mac is not the safe haven many assume it is.
But with Apple selling record numbers of Macs quarter after quarter, Apple’s PC market share is slowly but surely increasing. Moreover, as hackers become more sophisticated, malware is increasingly becoming OS independent. As a result, Apple needs to devote a lot more attention to system security, and recent moves over the past few months indicate that Apple is up for the challenge.
This past Thursday, Apple doled out a beta of OS X Lion to developers. In conjunction with that, Apple is also reaching out to noted security experts and offering them free previews of OS X 10.7 so that they can take a look at Apple’s new security measures and presumably reach back to Apple with any thoughts, observations, and concerns they might have.
Apple reportedly sent out the following letter to an undisclosed number of security researchers.
“I wanted to let you know that I’ve requested that you be invited to the prerelease seed of Mac OS X Lion, and you should receive an invitation soon,” the letter reads. “As you have reported Mac OS X security issues in the past, I thought that you might be interested in taking a look at this. It contains several improvements in the area of security countermeasures.”
MacBook hacker and security consultant Dino Dai Zovi was one such individual who received one of Apple’s invites to give OS X 10.7 a test drive. In a few tweets sent out on Thursday, Dai Zovi wrote:
“Apple has invited me to look at the Lion developer preview. I won’t be able to comment on it until its release, but hooray for free access!
“This looks to be a step in the direction of opening up a bit and inviting more dialogue with external researchers.”
Also on the guest list, so to speak, is famed OS X hacker and former NSA employee Charlie Miller, who has made a habit of finding OS X exploits with breathtaking regularity. In 2009, Miller cracked Apple’s Safari browser in just 9 seconds at the CanSecWest security conference. Miller, along with fellow researcher Collin Mulliner, also made headlines during the summer of 2009 when he demonstrated, at the Black Hat computer security conference in Las Vegas, how to remotely take over any iPhone with a text message consisting of just a single character. Apple was subsequently forced to issue an iOS update to fix the security risk once Miller made the exploit public. Note, though, that Miller only took the exploit public after, he claimed, Apple failed to respond to him and Mulliner once the two had first informed Apple of the vulnerability.
In any event, CNET contacted Miller about the importance of Apple’s security invitation.
Miller opined, “As far as I know they have never reached out to security researchers in this way. Also, we won’t have to pay for it like everybody else. It’s not hiring us to do pen-tests of it, but at least it’s not total isolation anymore, and at least security crosses their mind now.”
“I haven’t downloaded it yet,” Miller concluded, “but if I had, I couldn’t talk about it. Damn NDAs.”
Damn NDAs, indeed. But it is reassuring to see Apple becoming a lot more security conscious these days, not only in terms of reaching out to security researchers but also in its personnel hires.
Back in May of 2009, Apple hired noted security expert Ivan Krstić, who formerly served as the director of security architecture for the One Laptop per Child (OLPC) initiative. In May of 2010, Apple hired former Mozilla security chief Window Snyder as a senior security product manager. Previously, Snyder worked at Microsoft as the security lead on a number of OS releases. Another noteworthy security hire at Apple is PGP co-founder Jon Callas, who was hired nearly a year ago to work on OS security. Callas is highly regarded for his cryptography acumen.
More recently, in January, Apple hired former NSA analyst David Rice to head up operations as Apple’s director of global security.