Apple in security hot water
I had a debate some time ago with some Apple people about the security of Apple machines. As they have built their whole marketing campaign around the hype that their system is more secure, they were quite angry and resistant to the idea that their 'security thinking' is already totally old-fashioned and no longer of this time.
Attacks today don't care about the OS of a machine. They want to know what the security state of the browser is. They want to use the mistakes in the drivers, applications and files that are on the machine, whatever the OS. Okay, there are still thousands of viruses around, but the real malware is moving online - this is why Google is investing in the anti-online-malware business and is overhauling its own security thinking, just as Microsoft did some years ago. Apple is still moving very slowly. To be a Titanic or not.
Apple doesn't educate its users about online security. Apple doesn't publish security alerts on its website. Apple doesn't offer several methods for updating its applications - how do you update QuickTime in an enterprise with 100 people, download the update 100 times?
That something has been changing since the Month of Apple Bugs is clear. Apple has launched security pack after security pack. They seem to have understood that it is better to be safe than sorry. But it seems to be becoming a rat race between the hackers (who can now use powerful machines, software and fuzzing techniques to analyse whatever code against whatever exploit method) and Apple. And as Apple has always preached that its systems were not attacked, not hacked and so didn't need a robust security policy from the moment you design a piece of software, an OS or a functionality, it now finds itself in the state of Microsoft with NT: so much faulty, untested code (by 2007 standards), so many users, and no central update or alert system. How long before the real exploit, the real virus, the real attack? Or will Apple be faster with a security package, a security OS update and a security infrastructure?
This seems to be the real story behind the Samba on Apple exploit (workable), for which there is no patch (unless you are a coding expert) and to which Apple doesn't seem to know how to respond.
Knowing Jobs, I wouldn't be surprised if he surprises the security community the way he surprised the computer industry, the music industry and finally (?) the telephone industry. I hope he does - for the Apple users who bought his machines because they were safer in 2006, but who feel they are losing that advantage in 2007 and may think in 2008 that their security is worse than that of Windows.