
2012 was a “refreshing” year for OS X security - at least for professionals and researchers. Several events during the year managed to fray everyone's nerves. But although some of them embarrassed Apple itself, the company took the matter seriously when the safety of its users was at stake.
This article introduces the views of several figures in the field of computer security who closely followed events in the OS X world over the year.
Back to Flashback
Remember Flashback? This malware first appeared on the Mac in 2011, but it was not very common and hardly threatened all users before this year. Suddenly, Apple ran into the first truly worthy “virus” for OS X, and just at the time when Apple appeared more often than ever on the pages of the press.
The incident sparked a discussion about the end of the “security through obscurity” era for Apple. Researchers and scientists then unanimously declared that Apple’s growing popularity would lead to an increase in attacks on OS X and iOS security systems. Of course, it’s hard to deny that malicious attacks on Mac users are becoming more frequent, and Apple itself made an annoying mistake, leaving a hole in its Java for two whole months after it was fixed by a patch from Oracle.
Uninstall Java
And yet, despite Apple's delay, the Flashback fiasco was the impetus for one of the most important decisions regarding the security of OS X.
“Flashback led to both Apple initiatives: removing Java from the standard system delivery and creating a separate program to clean the system,” says Hagen, a computer security specialist (and senior computer security engineer at Obama for America). "When the manufacturer of an OS releases a special utility for cleaning the system, it means only one thing - things are going lousy."
Hagen points out that the need for Apple to release its own program to clean the system of Flashback indicates that the Mac App Store and users are “not ripe for that.” But a much more significant decision was to reduce the role of Java in the lives of OS X users as far as possible - that is, down to something the user must download and install themselves.
“Removing Java is a very interesting solution, and de facto this is a statement from Apple. Java on user systems has certain ways to open it; new, removed vulnerabilities have been found more than once and not just this year,” says Hagen. "Removing Java simplifies Apple’s life and makes it easier and safer for users to live."
Charlie Miller, widely known in narrow circles (the “hacker” of iOS and OS X), agrees with this statement, adding that perhaps this is the most significant decision that Apple made in 2012.
“Now the amount of effort required to write an exploit for OS X is about the same as writing a similar one for Windows. The thing is that there are more users on Windows than on OS X - therefore, on OS X, an exploit is not so easy to find. But this condition is valid only if we exclude Java exploits from the list,” Miller says. "For Java applets"
Miller also claims that Java is actually the only reason we see Mac exploits. “So, any attempt by Apple to reduce the number of installed Java packages on OS X is a plus to the security of the entire system, a real benefit for the real life of users,” he says.
Moving to signed applications
But even with Flashback beaten back and Java itself gone, Apple was already in the process of making several other important changes in the way users interact with applications on the Mac. A new feature in Mountain Lion, released in the summer of 2012, limits (by default) the installation of third-party applications on the system, thus protecting the user from installing applications from unknown sources - including malicious ones.
This feature, called Gatekeeper, required developers in the Apple ecosystem either to sign their applications with a registered certificate - still leaving them solely responsible if something went wrong - or to sell their applications through the Mac App Store and give Apple 30 percent of their profits. The reaction from developers turned out to be surprisingly calm; most reported that they are optimistic about the control given to users, and that this will not hinder the distribution of really worthwhile applications.
When we went back to Mac developers a few months later, they were still very positive about the effect Gatekeeper had on the entire ecosystem. “It seems to me that Gatekeeper is only a plus for the user. It is quite effective against disguised attacks, and they are very popular among malware developers,” Fel from Delicious Monster told us in September. Craig Hockenberry agreed with him: “Definitely, it seems to me that Gatekeeper helps users. Now, even if I accidentally click on the application and see a message about the fact that it is not signed, I can think a hundred times before installing it.”
In fact, the Gatekeeper experience turned out to be much more positive than we expected. And security experts are optimistic about how far this idea has led them. “From a security point of view, Apple continues to move to the AppStore on OS X and the addition of strictly verifiable certificates for applications makes a significant change in the ecosystem,” says Hagen. “The quality control that occurs in the App Store is a way to significantly improve the quality of software for users. And at the same time, you can get rid of the possibility of infection with viruses.”
Successful hack at a good time
What we have talked about so far was not the only topic of discussion for Mac users in terms of computer security in 2012. The August hack of Wired editor Mat Honan made loud headlines for a reason - all data on Honan's iPhone, iPad and Mac was deleted in a remote attack, and he had failed to make a backup. But what is surprising in this case is something else - which technologies were used for this. In general, these are Apple technologies - the ones that are usually associated with the latest version of the iCloud cloud service.
It was not just an iCloud error. Amazon was also involved, and the attacker had enough social engineering skills to use on both Amazon and Apple - they got access to everything they needed to destroy Honan’s digital life.
So what does Apple have to do with it? The company was not directly involved in erasing Honan's data, but, as Hagen points out, this case became so noticeable this year because “it highlighted the human factor flaws in several systems with online accounts and used Apple's iCloud as a means of deception”.
After Honan's iCloud account was compromised, his devices became open to a full-wipe attack. “Users have not yet encountered such a problem; the inability to protect their online accounts makes their devices useless,” says Hagen. “This attack emphasized the need for Apple to start protecting accounts from social attacks and reminded everyone that they should treat their accounts with Apple with particular trepidation and attention.”
In fact, Honan’s post-mortem caused many of us to change our passwords, enable two-step authentication, and make sure that backups always have a place in our lives. Both Amazon and Apple drew their conclusions and changed the terms of the agreements, so now this type of attack will be much more difficult to carry out. This story does not have a happy ending, but Honan's loss turned into good news for us.
Forecast for 2013
It turned out that 2012 was a year of vulnerabilities for Apple and OS X security, but in the end, "It seems to me that Apple is in pretty decent shape," says Miller.
But it is not for nothing that they say there is no limit to perfection. What would users and experts like to see in OS X in 2013?
Miller wants to get more transparency from Apple itself. “I would like to get an opportunity for more “transparency” and interaction with the information security community. Their performance at BlackHat, where they couldn’t ask any questions, was more like a farce,” says Miller. "I would like to see more details about their testing methodology, learn about the review process in the AppStore and finally hear the answers to the questions about the security of their system."
We all know that the words “transparency” and “Apple” are rarely found together in the same sentence, but it is noticeable that Tim Cook, as CEO, is slowly (and very carefully) beginning to change how open Apple is to the rest of the world. But what Hagen would like to see goes far beyond their present behavior - he would like the community to be able to take care of its own safety.
“It seems to me that antivirus and antispyware software for OSX will have to quickly gain power in case of the next possible threats. Microsoft’s approach to creating its own software of this kind has proven itself, so it will be great if Apple follows suit,” says Hagen. "Combining the App Store and system updates makes things much easier, and OSX users just need to get used to regular updates."