What are the actual security risks of OS X for businesses?

Introduction and attack surface

Many people have, over the years, bought an Apple Mac believing not just that they are a thing of beauty, but also much more secure than a Windows PC. But has the security of OS X been overplayed?

Take, for example, the recent FREAK vulnerability – it hit OS X just as badly as it hit Windows PCs, leading Apple to roll out a security update to machines running OS X (and iOS and Apple TV devices as well).

In IT security firm Secunia’s Vulnerability Review 2015, Apple’s Mac OS X placed 13th with 147 vulnerabilities, with Microsoft’s Windows 8 in 20th place (on 105).

More and more organisations are deploying Macs and so OS X has increasingly come into the sights of criminals looking for a way into an enterprise’s infrastructure. And that’s why it’s wise for businesses to consider and discuss the risks of Apple’s operating system.

Attack surface

OS X has not represented a large enough ‘attack surface’ to warrant the attention of professional hackers, though this is changing, as we have seen the last 18-24 months.

“There have been a number of high-profile examples including Flashback, Wirelurker, and more recently, Thunderstrike,” says Jeff Erwin, chief ececutive of Intego. “Therefore businesses should consider not only protecting their OS X installations from malware, but also pay close attention to the other aspects of IT security.”

He says that features such as Gatekeeper and OS X’s stricter application controls are helpful, but they only protect against threats that affect a local machine.

Operating under the radar

“Any non-Windows system which isn’t being actively managed is a risk, but Macs are more likely to be implemented just under the radar, and in departments that don’t have an acute sense of security,” says Ken Munro, senior partner at ethical hacking firm Pen Test Partners.

He says that part of the issue in managing Macs is one of a clash of cultures. “Macs occupy a strange position, technology-wise, between UNIX box and Windows box, and that makes them difficult to understand from the perspective of Windows or UNIX sysadmins.”

Munro says there’s a ‘them and us’ mentality, which sees many pro-PC IT teams view Macs with suspicion at best and downright disdain at worst. “But in reality, there are some parallels between Windows and Mac OS X in that attack vectors are roughly similar,” he adds.

Browser-based attacks are the most common but others include Flash, Adobe Reader, and Java, yet there are few Mac-friendly information security tools that work on OS X. Some Data Loss Prevention (DLP) for example only covers USB device control, which is a tiny piece of what some companies uses DLP for.

Munro says that despite the common ground, the Mac community still tends to operate in isolation.

“We’ve seen this manifested in very limited local lockdown of Macs, and excessive privileges being given to them. The problem tends to be compounded when there are just a handful of Macs being used in a broadly Windows environment – usually in marketing departments where they’re used by design and dev creative types,” says Munro.

In these scenarios there is often a separate sys admin for the OS X assets, who doesn’t sit under the Head of IT, and who also has very little interest (or knowledge) in information security. Munro says that centrally managing OS X assets in this kind of set-up isn’t easy.

“Even if the IT Sec team do manage to persuade the OS X sys admin to do the bare minimum and install antivirus on all Mac devices, it then isn’t centrally managed, and alerts don’t report back to a management console. There was no way to report on it, nor know if they were up to date,” he adds.

Yosemite and password problems

Security lagging behind

Another issue is endpoint security and David Flower, EMEA managing director of Bit9 + Carbon Black, says in the enterprise this is lagging behind Windows.

“Despite the fact that Mac OS X is becoming increasingly popular for enterprises, there are still significantly fewer security solutions available to protect it. The built-in security mechanisms for Macs are as good as those for Windows, but to combat today’s advanced threats, the ecosystem needs to be stronger,” he says.

Flower adds that most security solutions in the Mac ecosystem are signature-based, which just isn’t sufficient for dealing with advanced threats. “Signature-based defence works well against known, documented threats, but just can’t handle today’s Advanced Persistent Threats (APTs),” he says.

He says that it is crucial that companies bear in mind that hackers are deliberately targeting them. “They’ll be looking for any vulnerabilities or weak links in the security chain. Despite being less familiar with Mac endpoints than they are with Windows, they may well target them because there just isn’t as much security to bypass,” says Flowers.


Is Yosemite safer?

Munro says that updating OS X to the latest version, Yosemite, is crucial to avoid some vulnerabilities. Also, knowing which version a Mac is running would be helpful too.

“If you have no idea what OS X version a Mac device is running, and how well updated it is, it could well be vulnerable to the Firewire/Thunderbolt encryption bypass attack, enabled by the Inception tool. Recent OS X and FileVault versions are okay, but older versions (Lion 10.7.2 or previous) are open to this abuse. So updating is crucial,” he says.

Password problems hit Active Directory

Munro says that with Macs something as straight forward as a password refresh can cause real headaches.

“One corporate environment I was in recently had a Mac/Windows base that used Active Directory (AD) for managing users,” he says. “They had a large amount of problems getting Macs to change passwords on password expiration. This meant that all of their Mac users ended up with static passwords, of which most of them were the default set by the helpdesk. This lead to half the users in AD with a password of ‘Password1’. So, there will be issues with integration between different technologies – make sure this is worked out before it goes live.”

Protecting your organisation’s Macs from threats

What an organisation does to protect its Macs from secuirty risks depends on how many there are in the network, according to Munro.

“If there are only a smattering of devices then you should audit them by hand. Review OS versions, check patch freshness, review apps etc. and draw up a simple policy for maintenance and use,” he says.

Munro adds that if there are more than a handful of Macs then an enterprise really should have the policies and software in place to diminish the risk.

“In our experience it is the organisations with huge numbers of Windows boxes and just a few Macs that suffer the biggest problems in this respect. If I wanted to target such an organisation the least supported/most neglected desktop OS would be my favoured vector,” he observed.