- Gene Steinberg's Tech Night Owl - https://www.technightowl.live/blog -

The Apple Security Report: Is OS X Really Ten Years Behind?

So there are widely published reports this week claiming that Apple has teamed up with Kaspersky Labs, publisher of antivirus software, to receive advice on bolstering OS X security. How do we know that? Because Kaspersky’s chief technology officer, Nikolai Grebennikov, said so, according to an interview published in Computing [1]. Since we’re talking about a heavy-hitter in the security software business, the quote is being taken as accurate.

But that doesn’t mean it’s necessarily true, because there are some other questionable statements from Grebennikov, particularly the one claiming that “Mac OS is really vulnerable,” and that Apple may be ten years behind Microsoft when it comes to shoring up OS security. More to the point, other than this single comment in a published interview, how do we know that Apple actually reached out to Kaspersky or any other security company for help?

So far, Apple hasn’t responded to our requests for comment, nor to those from Ars Technica, perhaps one of the few media outlets that attempted to confirm this report.

In the meantime, I asked security expert Rich Mogull [2], who has sharp ears when it comes to security issues, what he knew. His response? “I have no knowledge of Kaspersky working with Apple so I can’t comment on that. But it seems weird that Apple would allow a security partner to discuss the relationship in the press.”

What’s more, for reasons revealed later in this article, the original Computing story will probably be updated by the time you read it to correct the questionable claim about a partnership with Apple.

It’s also true that third-party companies are generally admonished not to announce anything about an Apple partnership without approval from the mother ship. Consider a recent story quoting a Foxconn executive that Apple is gearing up to produce that rumored smart TV. Turns out that this quote was buried in a single story, and could have been the result of an incorrect translation, since other media outlets present when this statement was allegedly made never confirmed it. Again, you have to believe that Foxconn respects the trade secrets and marketing plans of their clients and wouldn’t betray them in such a clumsy fashion, or at all. In fact, Foxconn has since denied the report.

When it comes to the state of OS X security, Mogull had some very pointed comments to make that sharply contradict those of the Kaspersky executive: “OS X is now very close to the latest versions of Windows in terms of security. This gap will close even more with Mountain Lion. That 10 year line shows a lack of understanding of the current operating system fundamentals.”

The largest security issue Apple faces, according to Mogull, is not necessarily the result of Apple’s own OS components: “Overall OS X security has improved dramatically in the past few years, especially with Lion. Apple still struggles due to extensive use of third party software, like Java or the many Open Source components included in the OS, which is out of its direct control. Their biggest current security issue is closing the gap of time between when one of those components is patched, and when Apple updates the OS with their version of the patch.”

A key example of that gap is Apple’s failure to inoculate Mac users against the Flashback virus in a timely fashion. Although Oracle patched Java to remove the vulnerability in February, it took weeks for Apple to get around to releasing a series of OS X patches to address the issue. And not before an estimated 600,000 Mac users were affected. Certainly Apple ought to explain what happened, and promise to do better.

It may well be that there was a communications problem between Apple and Java’s developer, Oracle. Maybe Oracle was late in delivering the patched source code to Apple from which to build an OS X updater. Maybe the efforts to build that updater were stalled because the fix generated other problems. Modern software is too complex to just release something without thorough testing. Even then, fixes can, themselves, introduce unexpected problems.

When Apple did release a new version of Java, they followed with two more in rapid-fire fashion, both of which removed the Flashback malware if it was present on a Mac, and, in the final release, disabled Java if it hadn’t been used lately. Apple also released a standalone Flashback remover and, later, Safari 5.1.7, which disables older versions of Flash. Indeed, the original Flashback malware exploited a Flash vulnerability before it was modified to target Java.

As Mogull states, Apple has taken positive steps towards enhancing OS X security. The new Mac App Store will soon insist that posted apps be sandboxed, meaning they will be walled off from the OS and other apps, so malware or other instabilities can’t impact your Mac. Mountain Lion’s Gatekeeper feature will help reduce the possibility of a Mac user launching a potentially malware-ridden app.

As to Kaspersky, after the original story came out, they walked it back, claiming the original quote was taken out of “context.” As quoted by Engadget, Kaspersky reportedly announced, “Apple did not invite or solicit Kaspersky Lab’s assistance in analyzing the Mac OS X platform. Kaspersky Lab has contacted computing.co.uk to correct its article.” Or maybe Apple simply told them it was time to stop boasting about an alliance that didn’t really exist, but that’s just a casual assumption.

Meantime, I suppose it’s still possible that the keynote at the forthcoming Apple WWDC will mention enhanced OS X security, and how Apple is working with key industry players to make the Mac user experience safer.

But I’m more concerned that far too many members of the media believed Kaspersky without reaching out to a second source to confirm or deny that story, and I mean Apple.