Apple is showing signs that the company is taking the security of OS X far more seriously than it has in the past. In addition to features like app sandboxing and Gatekeeper, OS X Mountain Lion will also apparently check for critical security updates more regularly by default and will install them automatically.
Documentation accompanying a software update sent out to registered developers running the beta version of Mountain Lion shows that Apple is testing a new feature designed to mitigate potential security disasters like the recent Flashback malware problem. While regular OS X updates will come from the Mac App Store, security updates will be available directly through a new OS X Security Update system.
OS X Security Update will check for "required" security updates every day. The software will make use of a secure connection to Apple servers meant to keep hackers from hijacking the connection to spread malware. Users will be able to configure their Mac to either install security updates automatically or during the next restart.
We believe most users will opt to use the automatic updates, since OS X's Auto Resume feature means that all of your apps and open documents will be right back where you left them before the update process kicked in. Furthermore, security updates could be downloaded and installed automatically whenever a recent-vintage Mac (with an Apple-approved SSD) is using Mountain Lion's Power Nap feature. (Power Nap lets an otherwise sleeping Mac download software updates, sync with iCloud, and perform Time Machine backups.) Combined, these features should make installing security updates relatively painless and should ensure that users keep their systems up to date and secure.
You don't need us to tell you that many users ignore Software Update's notifications, thereby allowing OS X to become out of date. (We all know people who have a bad habit of waiting for weeks before performing a mass Software Update install.) In doing so, however, users run the risk of leaving themselves vulnerable to well-known exploits that have long since been patched. Anything that reduces the friction of installing security patches is a major plus in our view.
Just as critical, however, is Apple's response to reports of vulnerabilities and known exploits. Earlier this year, the Flashback malware was able to spread because Apple had not updated Java for several months after patches for the specific vulnerabilities became available from Oracle. OS X's ability to check for security updates on a daily basis will be of little use if Apple isn't providing patches on a timely basis, though the company did recently release another critical update to Java for OS X on the same day as Oracle, indicating that it is beginning to take security more seriously. Perhaps separating OS X feature updates from critical security patches will allow Apple to respond to security issues more nimbly than it has in the past.
While the new OS X Security Update system should be immediately beneficial to individual users, it's not clear how well the new system will work for IT administrators. Automatic updates are not often welcomed in the enterprise, where system and third-party software updates are routinely evaluated for stability before being applied across all systems. Though security updates rarely affect performance, the possibility may worry some admins. Conversely, automated security patches might help head off network-wide infections that could spread while admins are occupied testing the latest patches.
One thing is for sure: it's reassuring that Apple is no longer trying to market Macs as immune to malware and appears to be putting more effort into making OS X more secure. Combining improved system-level features like kernel address space layout randomization and app sandboxing with Gatekeeper and automated security patches, OS X should no longer appear to be "ten years behind Microsoft" when it comes to security.
reader comments
90