Kaspersky: Apple '10 years behind Microsoft in terms of security'

Kaspersky: Apple '10 years behind Microsoft in terms of security' | ZDNet

He made some spot on points about Microsoft being exposed to the reality of malware and other methods for 10+ years. Now that Apple is gaining some market share they are getting the proverbial bullseye on their back. I guess reason 1,000,001 to stick with Windows in an enterprise environment.

Find more posts tagged with

Free for TechExams community: Cybersecurity salary guide

Compare cert salaries and plan your next career move

Button

Comments

RobertKaucher

Just to set the record on the entire FlashBack thing... Yes, that was a Java exploit but Oracle had patched the hole in all other versions of Java. Apple decided a number of years ago that they would handle the Mac version of Java and they missed this by waiting too long to fix it. This was not an Oracle problem - it was 100% Apple. No software ever is going to be bug/exploit free. The challenge is timely recognition and patching.

the_Grinch

Was just about to post this. Fair enough, Apple dropped the ball a bit, but honestly, is this headline correct? Apple 10 years behind Microsoft? Come on. Their patch schedule is pretty decent (besides this snafu) and honestly, we did not have one infection at our company. This was no drive by download, you had to download the thing, put in your password, and install it. In all the years I have worked with Macs, I have yet to have one get infected by anything. This is with 1st grades and moron end users who the minute they get onto a pc download some piece malware.

ptilsen

Here's more what I think the article was getting at:
For a decade or so longer, Microsoft has been targeted for all sorts of remote vulnerabilities. The expectation has always been that Microsoft does its best to design and patch software such that the vulnerabilities are gone before they are exploited. This means Microsoft has more experience and therefore better developed processes and policies in testing for, patching, and preventing exploitation of vulnerabilities. Because much of Microsoft's software products take form of public-facing servers, this means the need for these policies extends way beyond web and end-user exploit prevention and correction.

As a result of Macs not being widely used for desktops and almost never used for public-facing servers, Apple has less experience in preventing and responding to threats. Mac market share is still just barely in the stages at which Macs are frequent targets -- it's really iOS that is cause for concern. As a result, yes, I would expect Microsoft to have better processes in place for the security of both its mobile and desktop operating systems.

the_Grinch

While I can respect that statement, I feel the article negates the inherent security features found in OS X. So while yes, Apple does not have 10 years of "experience" in patching security flaws, that doesn't mean they are somehow behind Microsoft in the Security realm. It could really be like saying Ford is 10 years ahead in safety (compared to Chevy) because their popular model sold more so it is in more accidents. This while ignoring the inherent safety features found in the less popular model of a Chevy vehicle (I use this point only for illustration, not based on actual fact). Your operating system doesn't need to be attacked more in order for you to make it more secure.

Everyone

Obscurity isn't an "inherent security feature".

ptilsen

the_Grinch wrote: »

While I can respect that statement, I feel the article negates the inherent security features found in OS X. So while yes, Apple does not have 10 years of "experience" in patching security flaws, that doesn't mean they are somehow behind Microsoft in the Security realm. It could really be like saying Ford is 10 years ahead in safety (compared to Chevy) because their popular model sold more so it is in more accidents. This while ignoring the inherent safety features found in the less popular model of a Chevy vehicle (I use this point only for illustration, not based on actual fact). Your operating system doesn't need to be attacked more in order for you to make it more secure.

I disagree with the premise of your analogy. All cars are subject to safety testing because all cars have significant potential to be in an accident. The safety testing procedures are the relatively similar regardless of the time the manufacturer has been in the market or the market penetration of the product, and procedures do not vary between manufacturers greatly -- testing is performed by multiple disinterested third parties.

Software products are very different. The vendor needs to develop procedures to test their software specifically, and those procedures are greatly shaped by the time the product is in the market. A software security tester can guess at common attack vectors, but ultimately time in the wild is what will show those attack vectors.

So, in fact, yes, I would contend your operating system or other software product does need to be attacked more if effective procedures for secure development and patching are to be developed.

the_Grinch

I don't think we can say it's security through obscurity (though I would argue that it can be considered a "layer" of your security posture, such as running your webserver on a non-standard port). But can we honestly say that Microsoft's operating system is any more open then Apple's (if that was you point, if not disregard my state).

As far as needing to be attacked more to be more secure I truly cannot agree 100% with that point. That's not to say there isn't some validity to your point, only that there are a number of things to be considered. I just feel that blanket headlines like these provide a disservice to the companies behind the Operating System.

onesaint

Everyone wrote: »

Obscurity isn't an "inherent security feature".

Agreed. But, I think the Grinch was referring to OS X features like application sandboxing, address space randomization, etc.

Mac has security flaws and their going to get exposed, eventually. However, I would venture to say (in agreement with the Grinch) that because MS has been working on patching it's software for the last 10 years doesn't mean it's somehow got an edge on Apple's OS other than having a large division of Dev's who patch Window's specific flaws.

"It's an entirely different kind of flying. Altogether." -Airplane!

RobertKaucher

the_Grinch wrote: »

....
As far as needing to be attacked more to be more secure I truly cannot agree 100% with that point. That's not to say there isn't some validity to your point, only that there are a number of things to be considered. I just feel that blanket headlines like these provide a disservice to the companies behind the Operating System.

Come on, you don't think the ZDNet (AKA FUD Central) and Kaspersky have good reason to pitch the idea that there is a potential iOS malware storm on the horizon?

Kaspersky was not arguing that the technology in the OS is 10 years behind, but that the company in its culture and knowledgebase in how to deal with malware is.

the_Grinch

Oh no you are for sure correct that they had a good reason to pitch the idea.

ptilsen

onesaint wrote: »

Mac has security flaws and their going to get exposed, eventually. However, I would venture to say (in agreement with the Grinch) that because MS has been working on patching it's software for the last 10 years doesn't mean it's somehow got an edge on Apple's OS other than having a large division of Dev's who patch Window's specific flaws.

So it doesn't have an advantage other than that enormous advantage you just pointed out?

But really, that's my point. MS has devoted a large amount of extremely experienced resources to securing Windows and Windows-based products. Securing Mac OSX and Mac OSX-based products is largely a new field. Apply will need time to develop the resources and procedures necessary to match what MS is doing.

I definitely don't think in terms of technology Mac OS X is ten years behind Windows. Apple as an organization and Mac and iOS as platforms are not as mature in this specific topic, and that is the point I am making, and hopefully that the article's author is making. Given some more time with significant market presence, I think Apple will catch up quickly -- ten years behind doesn't mean that Apple needs ten years to catch up.

Edit: RobertKaucher really summarized by point very concisely. "Kaspersky was not arguing that the technology in the OS is 10 years behind, but that the company in its culture and knowledgebase in how to deal with malware is."

it_consultant

Half of Windows security is convincing people to use the tools built into the operating system properly. People who adopt the Mac platform, in my experience, are more apt to follow Apple's directions and are less likely to make their own systems more vulnerable.

the_Grinch

Are we making the assumption that Apple does not have a security team/resources devoted to the security of their operating systems? While perhaps not as large as what Microsoft has, I don't think anyone (other then someone within the company) can make an educated guess to the size/budget of their security resources. I think that fact that this malware only infect a couple hundred thousand machines compared to the millions of Macs out there speaks volumes about the inherent security within the operating system.

Usage share of operating systems - Wikipedia, the free encyclopedia

10% of the US - thus 35 million
# infected by flashback - 650,000

Flashback infections not waning after all; 650,000 Macs still hijacked

ptilsen

the_Grinch wrote: »

Are we making the assumption that Apple does not have a security team/resources devoted to the security of their operating systems? While perhaps not as large as what Microsoft has, I don't think anyone (other then someone within the company) can make an educated guess to the size/budget of their security resources.

I would make an educated assumption that it is much, much smaller than Microsoft's. Keep in mind, Apple is actually a "larger" company in terms of market cap at this point, but here's the key difference. The vast majority of MS' business is software. Outside of the Xbox, pretty much everything is Windows and Windows-based products. Once again, many, possibly most of these products are server-side and have the potential to face the public Internet or otherwise insecure networks. Microsoft has a much, much larger array of products to secure that are at a much higher risk. Given these facts, I think it is very safe and quite logical to assume Microsoft's security development resources are much greater than Apple's. We are comparing a company that is 90% software to a company that is 90% hardware. Obviously given similar size organizations, which is the case, the former is going to a have a larger set of security resources simply on the basis that it has much more work to do. Additionally, we have already established that these resources will be much more experienced than Apple's due to the lack of a need for this team for many years at Apple.

I don't think this one anecdote says much of anything about the inherent security of either OS. It's not even a good anecdote because there is no comparison to a similar Windows infection, which would have to infect tens of millions to be the same relative percentage of targets. Anyway, the specifics of any given infection are not really the point. The article is about inherent flaws in any operating system, not is that what I'm talking about. Inherently, it's all software. Barring some fundamental, un-fixable flaw in its base design, it is all equally insecure. There are no flaws of this form present in the BSD or Windows kernels of which I am aware, so at the end of the day they're just software products. What's relevant is the processes and resources their developers have in place to ensure those products are developed and maintained. What is relevant about this one infection is that Apple's security processes ultimately could have prevented it from occurring at all, given the details.

Again, given all of the facts about Microsoft's business model and history vs. Apple's, it is not unreasonable to think Microsoft has a stronger, more experienced set of resources and processes in place for software security than Apple.

SteveLord

In soviet Russia...computers hack YOU!

the_Grinch

ptilsen wrote: »

I would make an educated assumption that it is much, much smaller than Microsoft's. Keep in mind, Apple is actually a "larger" company in terms of market cap at this point, but here's the key difference. The vast majority of MS' business is software. Outside of the Xbox, pretty much everything is Windows and Windows-based products. Once again, many, possibly most of these products are server-side and have the potential to face the public Internet or otherwise insecure networks. Microsoft has a much, much larger array of products to secure that are at a much higher risk. Given these facts, I think it is very safe and quite logical to assume Microsoft's security development resources are much greater than Apple's. We are comparing a company that is 90% software to a company that is 90% hardware. Obviously given similar size organizations, which is the case, the former is going to a have a larger set of security resources simply on the basis that it has much more work to do. Additionally, we have already established that these resources will be much more experienced than Apple's due to the lack of a need for this team for many years at Apple.

I don't think this one anecdote says much of anything about the inherent security of either OS. It's not even a good anecdote because there is no comparison to a similar Windows infection, which would have to infect tens of millions to be the same relative percentage of targets. Anyway, the specifics of any given infection are not really the point. The article is about inherent flaws in any operating system, not is that what I'm talking about. Inherently, it's all software. Barring some fundamental, un-fixable flaw in its base design, it is all equally insecure. There are no flaws of this form present in the BSD or Windows kernels of which I am aware, so at the end of the day they're just software products. What's relevant is the processes and resources their developers have in place to ensure those products are developed and maintained. What is relevant about this one infection is that Apple's security processes ultimately could have prevented it from occurring at all, given the details.

Again, given all of the facts about Microsoft's business model and history vs. Apple's, it is not unreasonable to think Microsoft has a stronger, more experienced set of resources and processes in place for software security than Apple.

Fair enough. I guess I took it as if people are say Apple has no security department. You are bound to be correct that yes Microsoft would definitely have a larger and more experienced team. I wouldn't attempt to argue that point

onesaint

ptilsen wrote: »

So it doesn't have an advantage other than that enormous advantage you just pointed out?

But really, that's my point. MS has devoted a large amount of extremely experienced resources to securing Windows and Windows-based products. Securing Mac OSX and Mac OSX-based products is largely a new field. Apply will need time to develop the resources and procedures necessary to match what MS is doing.

I definitely don't think in terms of technology Mac OS X is ten years behind Windows. Apple as an organization and Mac and iOS as platforms are not as mature in this specific topic, and that is the point I am making, and hopefully that the article's author is making. Given some more time with significant market presence, I think Apple will catch up quickly -- ten years behind doesn't mean that Apple needs ten years to catch up.

Edit: RobertKaucher really summarized by point very concisely. "Kaspersky was not arguing that the technology in the OS is 10 years behind, but that the company in its culture and knowledgebase in how to deal with malware is."

So really what you're saying is that in 10 years OS X will have as many deployments as MS.

I guess to me, it's not an advantage per se. It's just relational to the size of both company's market share. Which I suppose is the point.

tpatt100

While Apple is 10 years behind due to Windows computers being targetted more due to user base. I wonder if Microsoft learned it's lesson going forward with mobile devices since Apple got a head start with a large user base with tablets and phones? The mobile market is what really worries me looking forward.

GAngel

Of the hundreds of engineers I've worked with in my career from all the major companies the best by far as a group have been the MS guys then Cisco. Google, Apple, fb, ibm meh. This is at a level 4 arch support

RobertKaucher

I'm going to make a statement here that I think will be unpopular on this forum... While I believe that we all need to evaluate things for ourselves and be skeptical of potentially hyperbolic statements I also believe that when an industry insider like Kasperky himself says something like this it is worth considering. He certainly has first hand knowledge of working with very high level people in both companies that none of us would ever even dream of having access to. So while I think he may be hyping his opinions a little to make a point, I also believe he probably knows much, much more about this than any of us.

onesaint

RobertKaucher wrote: »

I'm going to make a statement here that I think will be unpopular on this forum... While I believe that we all need to evaluate things for ourselves and be skeptical of potentially hyperbolic statements I also believe that when an industry insider like Kasperky himself says something like this it is worth considering. He certainly has first hand knowledge of working with very high level people in both companies that none of us would ever even dream of having access to. So while I think he may be hyping his opinions a little to make a point, I also believe he probably knows much, much more about this than any of us.

What good is a user forum if not for speculating on things far beyond our knowledge base?

On the point taking Kaspersky's position into account, the last paragraph of the article addresses this very nicely.

That being said, Kaspersky, both the man and his company, of course would benefit from a malware epidemic on the Mac. That’s important to keep in mind, while acknowledging that the numbers are indeed growing and the Mac security situation is getting worse. Just how bad it’s getting, and will get, is a matter of perspective.

the_Grinch

RobertKaucher wrote: »

I'm going to make a statement here that I think will be unpopular on this forum... While I believe that we all need to evaluate things for ourselves and be skeptical of potentially hyperbolic statements I also believe that when an industry insider like Kasperky himself says something like this it is worth considering. He certainly has first hand knowledge of working with very high level people in both companies that none of us would ever even dream of having access to. So while I think he may be hyping his opinions a little to make a point, I also believe he probably knows much, much more about this than any of us.

You make a fair point. All things being said though, it's pretty well known that most Mac users do no install antivirus and so when 10% of the market sure is tap able you are going to try. I was never a fan of their product so I am bias.

tpatt100

I had Symantec on my wife's mac a few years ago but it kept crashing all the time so I got rid of it. I might put something on eventually once the market matures enough but she hardly uses it, she does everything on the iPad or iPhone.