On the eve of Sierra: macOS security is now central

Tomorrow, many of us will be engaged again in the upgrade dance, when Apple releases macOS 10.12.0 Sierra. Once we have installed our upgrades, and ironed out any glitches, we’ll turn to looking at what has changed. Hackles will rise – as they always do – when we discover changes thrust upon us for no good reason. We might even find a few of the bugs in 10.11.6 fixed; I hope that includes sporadic freezing and Bluetooth.

What we will probably not see, perhaps for some weeks, is whether Sierra addresses the single most important issue for Macs: improved security, without stopping us from doing our work.

Of Apple’s operating systems, iOS is the hot favourite for the discovery of vulnerabilities: not because they are wanted for regular malware, but because they are the most valuable when sold on the market. Those who trade in vulnerabilities, and the companies who exploit them for spyware, are happy to pay huge sums for a good zero-day in iOS. But with the vast majority of iOS devices kept inside Apple’s walled garden, regular malware is not such a good way to go. Yet.

The situation with OS X/macOS is different. With no such walled garden, getting malware onto macOS is far easier. Every few weeks someone emails me to admit to their folly in clicking a link in an email, or ending up on a malicious website. It nearly happened to me a couple of weeks ago.

Looking back at the security articles here over the last 18 months – which only cover OS X – we’ve had

  • MacKeeper
  • XcodeGhost
  • Transmission (twice)
  • Eleanor (backdoor)
  • Keydnap
  • FakeFileOpener
  • Mokes A.

Five of those eight have been reported in the last three months alone.

In addition, there have been many major vulnerabilities discovered – dylib hijacking, for example, is a large class on its own – some of which have been fixed, and some only partially so.

Apple has responded well and promptly, in the main. It has released security fixes in each of its six minor updates to El Capitan, and its additional Security Update 2016-001, and pushes out silent updates to Gatekeeper’s configuration data, its Malware Removal Tool, and XProtect’s configuration data quite frequently.

In the last three weeks, Apple has pushed no fewer than six sets of silent security updates, taking Gatekeeper configuration data, for example, from version 96 (of 23 August) to 102 (of 17 September).

We are used to reading worrying predictions from the vendors of security tools that the threat to OS X is increasing all the time. It is so tempting just to dismiss them with a “you’d hardly tell us otherwise, would you?” I have no connection, financial or otherwise, with any of that industry, and remain healthily sceptical of some of the claims and most of their products. But from where I’m reporting, we have entered a real boom in malware targeting OS X/macOS.

I used to check for silent updates every few days. Now I check several times each day, so that I can report those updates here, before the next is pushed out.
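The silent updates mentioned above can be checked locally. The following shell script is an added example, not code from the original post: it reads the version each protection bundle reports and compares two version strings, so a change such as Gatekeeper configuration data going from 96 to 102 is visible without waiting for a write-up. The bundle paths are assumed to be those used in the El Capitan and Sierra era.

```shell
#!/bin/sh
# Added example, not code from the original post. Reads the version each of
# Apple's silently updated protection bundles reports, so a change such as
# Gatekeeper configuration data going from 96 to 102 is visible locally.
# Bundle paths are assumed to be those of El Capitan / Sierra; adjust if a
# later release moves them.

# Print CFBundleShortVersionString from an XML Info.plist, or "not installed"
# if the file is absent. Plain text matching is used so it also runs where
# PlistBuddy is unavailable (for instance when testing on a non-Mac host).
plist_version() {
  plist="$1"
  [ -r "$plist" ] || { echo "not installed"; return 0; }
  awk '/<key>CFBundleShortVersionString<\/key>/ {
         if ($0 !~ /<string>/) getline      # value is usually on the next line
         sub(/.*<string>/, ""); sub(/<\/string>.*/, ""); print; exit
       }' "$plist"
}

# Compare two dotted numeric versions; prints "newer", "older" or "same" for
# $1 relative to $2, so a saved value can be checked against the current one.
compare_versions() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%.*}; y=${b%%.*}
    [ -n "$x" ] || x=0; [ -n "$y" ] || y=0
    [ "$x" -gt "$y" ] && { echo newer; return 0; }
    [ "$x" -lt "$y" ] && { echo older; return 0; }
    case $a in *.*) a=${a#*.};; *) a=;; esac
    case $b in *.*) b=${b#*.};; *) b=;; esac
  done
  echo same
}

# Report the three components the post mentions (assumed bundle paths).
report_protection_versions() {
  for entry in \
    "Gatekeeper config data|/private/var/db/gkopaque.bundle/Contents/Info.plist" \
    "XProtect config data|/System/Library/CoreServices/XProtect.bundle/Contents/Info.plist" \
    "Malware Removal Tool|/System/Library/CoreServices/MRT.app/Contents/Info.plist"
  do
    name=${entry%%|*}; path=${entry#*|}
    printf '%-24s %s\n' "$name" "$(plist_version "$path")"
  done
}

report_protection_versions
```

Saving the output after each run and feeding the old and new values to compare_versions shows whether a silent push has landed since the last check.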

Sierra does bring new security features; whether it will do anything to address this problem is as yet unclear. Apple may well end up pushing out updates to our protection every couple of days – a pace which I suspect their engineers will be pressed to keep up with. There is also the question of whether silent updates will continue for those who choose to stay with El Capitan for the time being, or whether those will peter out. Apple has always maintained the previous major release of OS X, particularly in security patches, but if those differ much from patches for Sierra, that could become too onerous a task.

But more than anything else, Apple needs to get ahead of the game again, rather than being pre-empted all the time. If it hasn’t built that into Sierra, we could all get to regret it.