Apple’s reputation for software security a 'myth': expert
Security experts call recent iOS software bug 'scary'
A "scary" software flaw that has put users of iPhones, iPads and Mac computers at risk of being hacked has dealt a blow to the reputation of Apple, the world’s most valuable brand, say security researchers.
Tech watchers say this bug — which Apple quietly announced on Friday — illustrates that the company’s reputation for strong security may be overstated.
"People in general feel, 'It's Apple, so it's secure'," says Brian Bourne, co-founder of Toronto's annual SecTor cybersecurity conference.
“Whereas the truth is that Apple operates within the same bounds as every other software provider, so they’re just as likely to have security vulnerabilities as anybody else.”
Johannes Ullrich, dean of research for the Internet Storm Center, which monitors online threats, goes even further: he calls Apple’s security reputation “a myth.”
Apple’s latest security flaw became public on Friday when it released iOS 7.0.6, explaining that the newest version of its mobile operating system had fixed a bug pertaining to safe browsing.
In explaining the flaw, Apple said that "an attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS."
SSL/TLS is an encryption standard that enables a web browser to talk to a web server to verify that a site is not a fake set up by hackers to steal personal information on your computer or hand-held device. It's used by banks, credit card companies and government agencies to keep transactions secure.
The iOS bug interfered with this process, making it difficult for applications such as Apple’s Safari browser to confirm that web sites were legitimate.
Popularity breeds vulnerability
In a blog post entitled “Why Apple's Recent Security Flaw Is So Scary,” Gizmodo managing editor Brian Barrett said the bug makes Apple users vulnerable to a so-called “man in the middle attack.”
That type of cryptographic attack involves an attacker eavesdropping on communications between your browser and a given website, including anything from private conversations to financial information.
As a result of this bug, “someone could trick you into connecting to a lookalike website and you wouldn’t be able to tell by looking at the SSL information coming back from that website,” says Ullrich.
SecTor's Bourne says that Apple’s reputation for security is largely due to the fact that its operating system is more restrictive in what it allows installed software programs to do.
But consumer fascination with mobile products such as the iPhone and the iPad has made Apple a more desirable target for hackers, says Urs Hengartner, an associate professor in the University of Waterloo's computer science department at the University of Waterloo.
“Many of the [hacking] exploits are deployed and developed by criminals who make money, so they go after the popular platforms,” he says.
When it comes to Apple products, “we haven’t seen that many security flaws, at least not public ones," says Hengartner. But he echoes the feeling of many in the software community, who say that when Apple does identify a problem in its code, it is slow to respond with an update.
A turning point?
Bourne estimated that this recent, problematic version of Apple’s iOS has been “on the street since October," when the company introduced a patch to fix problems with the launch of its new operating system.
With the latest release of iOS 7.0.6, Apple said it had fixed the bug on mobile devices. On Tuesday, Apple released OS X 10.9.2, which addresses the SSL encryption issue for the operating system on Mac desktop and laptop computers.
Bourne notes that Apple does not have a sterling reputation in the cybersecurity community, which congregates on websites and online forums to report bugs and share proposed fixes.
“I think most people who try to report [software] vulnerabilities to Apple have been frustrated,” says Bourne. “They don’t engage in the security community in the same way” as other companies, particularly Microsoft, which actively confers with the community to identify bugs and fix them quickly.
In terms of security, Microsoft has made great strides in the last decade, says Bourne. In the 1990s and early 2000s, Microsoft was issuing so many security patches to its operating systems that they gave it a name: “Patch Tuesdays,” which took place on the second Tuesday of every month.
Ulrich says that a key moment for Microsoft was the Blaster worm, a computer virus that infected machines running Windows XP and Windows 2000 in August 2003. The scope of the infection forced Microsoft to focus greater attention on the security of its operating systems, he says.
Hengartner thinks with the latest iOS security flaw, Apple may be reaching a similar point.
“They’re in the same situation that Microsoft was 10 to 15 years ago,” he says.