Member preview

An Apple today won’t keep vulnerabilities away

Increased Mac sales can only mean more flaws for hackers to exploit

A serious bug in Apple’s MacOS High Sierra , discovered by Turkish developer Lemi Orhan Ergin, makes it possible to gain entry to the machine without a password, which also allows access to powerful administrator rights.

Many have falsely believed that Macs are more secure than PCs, and despite several reports to the contrary, users have taken comfort in the assumed security of their Apple products.

After exploiting the flaw, an attacker could easily take over your system and install malware, ransomware, or even access files. As Apple worked to fix the flaw, Jesse Dean, senior director with TDI, questioned whether they could have been more proactive in their security.

“This is a clear example of Apple turning a blind eye towards a niche industry can have certain repercussions. This is bad,” Dean said. What’s most concerning about this flaw, said Dean, is that even if you took proactive steps to disable the root account in advance, you’re still not immune to this vulnerability.

Last year Apple sold approximately 36 percent more computers than it did in 2010. “Between this increase and greater adoption by DevOps teams to create and manage critical applications,” Dean said, “MacOS users should no longer feel they are safe hiding in plain sight.”

A gentle reminder

Referencing a report on the number of vulnerabilities by vendor in 2015 , Dean noted that Apple OS X had over twice as many vulnerabilities as compared to Microsoft Windows Server 12.

It’s certainly true that recent years have not been good for anyone relying on OS X for security. Craig Young, computer security researcher at Tripwire said, “Already in 2017, researchers revealed flaws allowing an attacker to extract passwords from the keychain (CVE-2017–7150), from APFS encrypted volumes (CVE-2017–7149), and from WiFi captive portals (CVE-2017–7143).”

According to Young, in 2016 researchers had demonstrated the ability to discover FileVault 2 encryption passwords through a crafted Thunderbolt device (CVE-2016–7585) as well as some other password mishandling bugs (CVE-2016–4670 and CVE-2016–1851, for example).

“The OS X kernel’s security model was also effectively broken last year when Google Project Zero researcher, Ian Beer, described a new class of OS X bug allowing dozens of vectors for privilege escalation,” Young said.

“Looking at the history of MacOS releases tells a pretty interesting story about the kind of quality coming out of Cupertino recently,” Young said.

Despite the fact that Apple releases an update for their operating system every September they have (in the past few years) had to follow-up the major release with a quick succession of fixes for issues detected after launch.

2017 is the third consecutive year that Apple will have had three versions of their OS released before the end of the year. “Some of these were because of buggy behavior, while others were due to gaping security holes like revealing the actual password in a password hint field,” Young said.

So what now?

Apple may want to re-evaluate how they perform quality assurance testing. Young said there is really no excuse for releasing macOS with some of these blatant security failings.

This announcement should be a wakeup call for anyone who still thinks a Mac offers superior security due to obscurity.

Up until now, Apple’s customer base hasn’t really demanded much of them, and secure coding has not seemed to be a priority for Apple. As the number of Macs have increased along with their prominence in the tech industry, Dean said Apple is slowly starting to understand that their customers need a more secure OS and not just a sexy design.