'Secure OS': The Latest IT Oxymoron

by Paul Rubens

The latest security research from Secunia shows security vulnerabilities among the major vendors increasing as much as fourfold in the past four years. Apple may think it stands apart, but its record is spotty, and with iPhone jailbreaks now 'legal,' its security woes may only be beginning.


Talk to an Apple fanboy or girl, and chances are they'll tell you the company's Mac software is "better" than Microsoft's -- or anyone else's for that matter. So there will be a few of them slinking around holding their heads in shame right now thanks to some research published recently by security company Secunia.

It turns out that of all the software vendors Secunia studied -- and it looked at all the big boys including Microsoft, Oracle, Adobe, Mozilla, Google, IBM and so on -- the vendor with the most vulnerabilities in all its products was ... you guessed it: Apple (NASDAQ: AAPL).

It's ironic, really, when earlier this year Apple's Steve Jobs refused to allow Adobe's Flash on the iPhone or iPad, justifying the decision by calling Adobe lazy and saying: "Apple does not support Flash because it is so buggy." The words "pot," "kettle" and "black" spring to mind.

Of course it's true to say that bugs and vulnerabilities are not the same thing, and also that the raw number of vulnerabilities doesn't give a precise indication of the relative overall security of a given vendor's offerings. What we can say is that no one is perfect. Apple may be the least perfect of them all -- at least when it comes to writing vulnerability-free code.

The depressing thing for anyone concerned with security is that all the major vendors are actually getting worse. The vulnerability count for the majority of them has increased by between 136 percent and 440 percent in the past four years, according to Secunia -- despite increased attention to and investment in security by vendors. It's a sorry state of affairs, but one that perhaps reflects the mind-boggling complexity of today's OSes and applications, and the inevitability of bugs, vulnerabilities and other "unintended features."

When you put it like that, you can see why Apple appears to be rapidly losing interest in the conventional computer market: It involves selling server, desktop and laptop machines that provide root access to their owners, who are then free to run any software they like from any third party. Apple's server OS software -- and the rest of the code it peddles -- may be full of vulnerabilities, but often these don't present such severe security risks as applications built by third parties, such as Adobe.

Apple's interest these days is in selling closed systems: Devices like the iPhone and iPad that don't provide root access to their owners and that can run only software that Apple specifically approves (and, rather handily, takes a juicy financial cut of) via the AppStore and iTunes.

Apple's control over the software these devices can run means it can outlaw applications or vendors it believes present security risks. What's more, its control over software distribution means users can be notified of security patches for all their applications very easily, and they can download these updates from a single source. On the face of it, that's good for security, and it compares favorably with traditional enterprise OSes. For example, if you look at machines running Windows OSes like Windows Server 2008, Secunia says about 35 percent of vulnerability patches can be downloaded from Microsoft (NASDAQ: MSFT), but the remaining 65 percent must be downloaded using about 13 or more other update mechanisms from various third parties.

But the Library of Congress Monday dealt Apple's closed system strategy a body blow. It granted a number of exceptions to the Digital Millennium Copyright Act (DMCA), one of which is particularly significant. It exempts "computer programs that enable wireless telephone handsets to execute software applications, where circumvention (of DRM) is accomplished for the sole purpose of enabling interoperability of such applications, when they have been lawfully obtained, with computer programs on the telephone handset."

That sounds innocuous enough, but what it means is that it is quite legal for iPhone owners to jailbreak their devices by overcoming Apple's attempts to prevent them from doing so. And that, in turn, provides them with root access to their devices and enables them to install and run any software they like, from any source -- not just software approved by Apple and installed via iTunes. (Bizarrely, the position of folks wishing to jailbreak their iPads or iPod Touches -- which run the same OS -- is unclear as these devices are not "wireless telephone handsets.")

It's a humiliating defeat for Apple, which opposes jailbreaking vehemently and loves its closed system idea. But it's a victory for those who believe hardware wants to be free -- free for its owner to run whatever open source software they want, modified to whatever their needs might be.

And perhaps most importantly, it's not a defeat for those concerned with security because Apple's closed system strategy is not the only way. Open source OSes like Linux prove that you don't need to be closed to create a computing platform that can be made very secure indeed.

Paul Rubens is a journalist based in Marlow on Thames, England. He has been programming, tinkering and generally sitting in front of computer screens since his first encounter with a DEC PDP-11 in 1979.


This article was originally published on Tuesday Jul 27th 2010