Researchers at Kaspersky Lab recently concluded that Apple is an entire decade behind Microsoft at malware protection, pointing to the spate of Flashback attacks and Apple’s slow response. Kaspersky predicts a coming wave of malware as OSX viruses, once rare, grow to be as common as those aimed at Windows. Microsoft, by contrast, has been struggling with malware since its inception and has developed a system of responses and initiatives known as Trustworthy Computing, which, not coincidentally, celebrated its ten-year anniversary earlier this January.
In January 2002, Bill Gates sent an email to all full-time Microsoft employees with grand ambitions for computing, envisioning a future with a pervasive internet, continued growth in personal computers, and a wider range of connected devices, a vision that turned out to be accurate. In a world where so many people are connected to the Internet in so many ways that affect their lives, Gates saw that information technology must be “as available, reliable and secure as standard services such as electricity, water services and telephony.” To achieve these immense goals he announced Trustworthy Computing, a drive to improve security, privacy and reliability for all of Microsoft’s offerings.
Over the years, Trustworthy Computing’s most notable contribution was the Security Development Lifecycle, a series of 16 practices to ensure that security is incorporated into every part of the software development process rather than added as an afterthought. Every engineer at Microsoft gets some security training each time they begin a new project, and everyone in the enterprise is expected to know something about security. Tools, software, and personnel are continuously tested or audited for security, privacy, and reliability and, in case anything slips by, compensating controls are built in to correct flaws elsewhere. Microsoft also brought in Windows Error Reporting, which drastically reduced crashes, and was among the first to publish privacy standards for developers or offer users layered privacy notices.
While Microsoft has come a long way, there is plenty of work left before we can fully trust our computers. Part of the problem, however, comes from the user. One big hurdle in Trustworthy Computing has been users not updating their old software as new and improved solutions become available. For example, Microsoft’s Internet Explorer 9 is much more secure than Internet Explorer 6, but IE6, ten years after its launch, has only just fallen under 1% of the American market despite Microsoft’s best efforts. Another obstacle is that, as Microsoft’s operating system has become hardened, attackers are finding new ways to breach a computer, and now 75% of all attacks are aimed at applications. While compensating controls mitigate some of the risk, the ever-growing IT ecosystem means that Microsoft can’t make computing trustworthy on its own. Still, over the last decade, Microsoft has come a long way and has plenty to celebrate.
Just as Bill Gates said ten years ago about Microsoft, users are connecting a wide array of Apple products, from computers to phones, tablets, and accessories, to the internet and expect privacy, reliability, and security. If versions of Flashback as well as novel malware for Apple operating systems continue to proliferate, Apple will need to implement its own version of the Trustworthy Computing drive. For the sake of anyone with a Macintosh or an iPhone, let’s hope it doesn’t take them ten years to get it right.
What’s the argument for Apple OSX’s security given that it is based on the Unix OS open source platform? Even if Apple OSX were behind, the world-wide open source community moves very fast. Faster than any organization possibly could. CAVEAT: I am not an expert in this area by any means. Hopefully someone can enlighten me. Needless to say, Microsoft OS security is world-class. It’s pretty remarkable really that they have been able to create such a secure platform when the entire universe is trying to exploit vulnerabilities.