
Ten years ago, Apple ran a series of television commercials, “Get a Mac”, that extolled the benefits of a Mac over a Windows PC. One of the key messages was that the Mac was more secure than a Windows PC. Fast forward to the present day, and the situation with the Mac is very different.
Back then, Mac computers saw far less malware of any sort. In fact, malware on the Mac was quite uncommon. One reason was simply that the Mac was less popular: there were far fewer users, and thus less interest in scrutinising it for security vulnerabilities. A would-be attacker stood to gain more by focusing on Windows vulnerabilities, because Windows exploits got far more mileage. It’s simple economics.
The fact that macOS is built on a Unix operating system was often cited as evidence of its superior security architecture. However, Windows was not worse because it lacked similar security mechanisms in its operating system. The problem with Windows was that it was just too complicated, with operating-system-level components doing too many things that should have been done in user-land, without special administrative privileges.
Today, Apple cannot claim the Mac to be more secure than a Windows PC. As its products get more popular, there will be more interest in finding security vulnerabilities. No software is ever bug-free, and we should expect that someone will always find a bug to exploit for malicious purposes.
The question, though, is what kind of bugs are surfacing.
Apple’s infamous “goto fail” bug back in 2014 was shocking. Officially identified as CVE-2014-1266, this bug caused macOS and iOS to not actually validate SSL/TLS certificates, accepting invalid certificates as valid. This enabled man-in-the-middle attacks on encrypted connections that you thought were secure.
This was a huge vulnerability that stemmed from a fundamental programming error. Furthermore, the error should never have happened, because it was the result of poor programming practices. That Apple could even accept such a programming style was surprising.
That incident got me worried about Apple. I hoped it was going to be just a one-off case of such a horrible bug escaping Apple’s attention.
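To make the “fundamental programming error” concrete, here is an added illustrative example, not Apple’s code and not from the original post. It reconstructs the shape of the bug: a duplicated `goto fail;` line sits after an `if` without braces, so C executes it unconditionally; control jumps to the `fail` label while `err` still holds its success value, and the signature verification step that follows is never run. The helper names and the `Handshake` struct are assumptions standing in for the real hashing and signature-check calls; the real function in Apple’s Secure Transport was `SSLVerifySignedServerKeyExchange`. The hardened form braces every conditional and defaults `err` to failure so the function fails closed.

```c
#include <stdio.h>

/* Constructed stand-in for the handshake state. Each field says whether
 * the corresponding verification step should succeed (1) or fail (0). */
typedef struct {
    int step1_ok;
    int step2_ok;
    int signature_ok;
} Handshake;

/* Hypothetical helpers; each returns 0 on success, non-zero on failure,
 * mirroring the OSStatus convention used by the original code. */
static int hash_update_1(const Handshake *h) { return h->step1_ok ? 0 : -1; }
static int hash_update_2(const Handshake *h) { return h->step2_ok ? 0 : -1; }
static int verify_signature(const Handshake *h) { return h->signature_ok ? 0 : -1; }

/* Vulnerable pattern. The second, indented `goto fail;` is NOT attached
 * to the preceding `if` (indentation is meaningless to C), so it always
 * runs. When the first two steps succeed, err is 0 at that point, the
 * signature check is skipped, and the caller is told "accepted". */
int verify_vulnerable(const Handshake *h)
{
    int err = 0;
    if ((err = hash_update_1(h)) != 0)
        goto fail;
    if ((err = hash_update_2(h)) != 0)
        goto fail;
        goto fail;              /* the duplicated line */
    if ((err = verify_signature(h)) != 0)
        goto fail;
fail:
    return err;                 /* 0 means "certificate accepted" */
}

/* Hardened form: braces on every conditional so a stray line cannot
 * silently change control flow, and err starts as failure so that any
 * future edit that jumps to `fail` early still rejects the handshake. */
int verify_fixed(const Handshake *h)
{
    int err = -1;               /* fail closed by default */
    if ((err = hash_update_1(h)) != 0) { goto fail; }
    if ((err = hash_update_2(h)) != 0) { goto fail; }
    if ((err = verify_signature(h)) != 0) { goto fail; }
    err = 0;                    /* only reached when every step passed */
fail:
    return err;
}

int main(void)
{
    /* Constructed case: hashing succeeds but the signature is bad. */
    Handshake bad_signature = { 1, 1, 0 };
    printf("vulnerable: %d (0 = accepted)\n", verify_vulnerable(&bad_signature));
    printf("fixed:      %d (0 = accepted)\n", verify_fixed(&bad_signature));
    return 0;
}
```

Run it and the vulnerable path reports 0 for a handshake whose signature should have failed, while the fixed path reports failure. Two cheap checks would have caught the original: `gcc -Wmisleading-indentation` flags exactly this indented-statement-after-`if` pattern, and `clang -Wunreachable-code` reports the dead `if` that follows the second `goto`. Both are worth turning on (with `-Werror`) in any code that gates a security decision.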
However, another horrible bug surfaced in 2017: macOS High Sierra allows full admin access without a password. If the root user has no password, which is the default, macOS High Sierra allows you to gain administrative privileges by entering a blank password. Anyone can even do so from the login screen.
If goto fail wasn’t worrying enough, this 2017 one should be, because it may reflect the kind of testing and quality control, or the lack thereof, that goes on at Apple. This root password bug was terrible on a whole new level, so bad that Apple had to issue an apology to customers.
There have been other nasty security and privacy related bugs involving Apple software. A recent one, just last month, involved Group FaceTime allowing callers to listen to, and sometimes even see, the called party before the latter had answered the call.
We can all appreciate that some bugs happen because of a very obscure condition that was not properly tested. The bugs here, however, aren’t obscure. The FaceTime bug, for example, requires only that you make a FaceTime call, which is presumably not uncommon for iOS users. I wonder whether perhaps no one at Apple actually uses FaceTime, and hence this bug went unnoticed?
Then, this month, Linus Henze demonstrated an exploit on macOS Mojave that allowed him to see all passwords saved in macOS’ Keychain without requiring administrative privileges. Unfortunately, Apple is unlikely to fix this bug soon, because Henze isn’t sharing the exploit details with them in protest at their bug bounty program. Apparently, Apple doesn’t pay out for bugs on macOS, although it does so for iOS.
Is Apple too complacent about macOS to think that a bug bounty isn’t needed?
It doesn’t help that macOS lacks a full-blown anti-malware capability like Windows Defender in Windows 10. I am aware that macOS has XProtect, but it seems to be a somewhat watered-down protection system. Worse, many Mac users don’t install a third-party anti-malware application.
On the one hand, the vulnerability that Henze discovered needs to be fixed, and the right thing would be for him to share the details so Apple can address the issue. However, he is also making a good point that the lack of a bug bounty seems to hint at Apple’s disinterest in macOS security problems.
Meanwhile, Henze has created a problem that Mac users need to worry about. There is an exploit that can reveal all the passwords in your Keychain without needing any administrative password. We don’t have the details of the conditions or circumstances that enable this exploit to work, and Apple doesn’t have the details it needs to know how to stop it.
