Today, Apple’s macOS 10.12.4 update includes security fixes for several open source vulnerabilities. The update includes a vulnerability fix that enSilo’s researcher, Omer Medan, disclosed to Apple whereas the vulnerability allows an attacker to change file system permissions on arbitrary files (CVE-2017-2390). The vulnerability affects all Apple products that rely on macOS, from Apple’s desktop computers, iPads and iPhones, to Apple TV and Apple Watch. We applaud Apple for its effort.
Enterprise adoption of Apple product has risen sharply in recent years. A survey by Jamf found that “91 percent of enterprise organizations are now using Mac.” According to StatCounter, Apple’s market share based on operating system footprint represents nearly 13% globally.
More Vulnerabilities, More Fixes
This vulnerability fix is part of a wider disclosure that enSilo’s researcher provided Apple throughout the past several months. Following one of the disclosures, discovered in late October, Apple released a fix for its Apple Watch. In this case, the vulnerability allowed a malicious archive to overwrite arbitrary file. Canalys estimates that Apple cumulatively shipped 11.9 million Watches in 2016, holding market share of around 50% globally for the year.
The Common Theme: Open Source
It’s important to see all these vulnerabilities in greater context as they all have a common theme: open source.
Apple’s operating system contains various open source and close source packages. If the kernel (xnu) for instance, is an open source project, the graphical interface of Apple is a closed source. Apple picked various important packages from other UNIX-based operating systems like libarchive, bzip, tcpdump, gzip, and others. These packages are included in almost all BSD operating system flavors (FreeBSD, OpenBSD, etc.), Linux flavors (Ubuntu, Centos, Arch, etc.) and other less-known open source operating systems.
The open source community continues to fix and update their core modules. While the public code base is updated by the wider, vocal and visible open source community, Apple’s proprietary operating system developers overlooked the updates.
The Adoption of Open Source within the Enterprise
A common dilemma that is often posed in cyber-security is what is more secure – open source or closed software. The opponents of open source security claim that what has more eyes, becomes more secure. Those on the other side of the fence typically call out security by obscurity, and the fact that open source has some nasty vulnerabilities such as Heartbleed.
That discussion digresses from what is really important. Open source vs closed code is not the issue. De facto open source exists within the enterprise, from the operating system that contains open source modules to applications developed in-house and rely on open-source modules. At the end of the day, threat actors couldn’t care less if an exploit is closed or open source.
Apple has become a major force in the enterprise landscape. Even as far back as 2012, Forrester reported, “21% of information workers are using one or more Apple products for work.” The same survey found that managers and execs were twice as likely to use Macs. In other words, starting at least five years ago, Mac’s footprint in the enterprise affected some of the most important employees in the workforce. What does this mean for security teams? The days of “security by obscurity” are truly gone. Since many corporate VIPs are Apple users, protecting Apple endpoints is an urgent priority.