Sophos Cloud Optix
The new version of Mac OS X, Mountain Lion, is just around the corner and contains a feature which should go down well with security-minded end users.
AppleInsider reports that one of the new features included in OS X 10.8 Mountain Lion is automatic security updates.
That means that you will be able to configure any Macs you have that are running Mountain Lion to automatically check Apple’s update servers on a daily basis (or when the computer is restarted) to see if a security update is available, and apply it without user interaction.
Of course, most days it is unlikely that Apple will have released a security update – but for those times when they have, this feature will hopefully reduce the window of opportunity for malicious hackers to exploit any vulnerabilities in OS X.
At its recent WWDC event, Apple revealed that its newest range of laptops are coming with a “PowerNap” feature, allowing security updates to be downloaded while the rest of the computer is in sleep mode.
This, alongside the removal of requiring the user to give permission for a security patch to be installed, should ensure that more Macs are kept more up-to-date.
Anything which makes that attack window smaller has to be good news for Mac users. So, well done Apple.
One thing that is interesting is that Apple claims to also be introducing a more secure connection to its update servers with Mountain Lion. Earlier this month it was revealed that the Flame malware had used a “man-in-the-middle” attack against the Windows update system.
Of course, in business environments the concept of automatic, silent updates to the Mac operating system may be less popular. Often organisations prefer to test a security update before rolling it out across a large number of computers, in case there are bugs or conflicts.
Furthermore, companies may not like the idea of lots of their Mac computers individually pulling down hefty security updates and gobbling up their internet bandwidth.
Presumably Apple will provide mechanisms for businesses to handle these issues when OS X ships next month.
Image credit: AppleInsider
It's not clear that these updates will generally be "hefty". Remains to be seen.
Historically, security updates have often been pretty hefty (especially when multipled by the number of Macs in your organisation). Let's hope that moving forward update sizes are kept to a minimum, and that proper systems are in place for enterprises to manage the roll out of updates appropriately.
The phrase that worries me, as with Microsoft Automatic Updates is “apply it without user interaction”. If I had allowed that on my Windows PC, I would have had installed several unwanted ‘updates’ that were not required at all and added nothing to the system securoty but were ‘forced’ on Microsoft by EU rulings and others.
Further, automatic application in this form can be used/hijacked to install malware, trojans and other dangerous ‘software’ that users may not want but will be largely unaware of by the automatic installation. Some may say you can choose not to install but if the system is available you can guarantee some nasty people will try to use it for their own purposes that afre not beneficial to the system owner and user.
The real danger is that someone will succeed in spoofing the update mechanism to introduce malware into the Apple machine base.
As Graham Cluley posted above, there will need to be a mechanism for corporate IT departments to manage the rollout of updates (including testing the updates before rollout, to make sure they don't break anything).
You kind of have to wonder how much of this new security stuff has David Rice’s name on it?
Mac OS X Server has a software update feature that allows the server to act as a local cache of updates from Apple for an organizations machines, as well as whitelisting which updates get published for attached clients. Any organization with more than a handful of Macs probably already has a Mac OS X Server onsite. If not, the "app" to enable it on 10.8 will only cost $20; make any computer in the organization a "server".