Apple has a long-standing reputation for silence when it comes to security. Whether it’s OS X or iOS, details around vulnerabilities, security patches and malware attacks are often obscured. This has prompted leading researchers and security vendors to invoke the notorious idiom “security through obscurity” to describe Apple’s approach to threats. Whether this approach is effective is up for debate. What remains clear, as a consequence of this strategy, is that vast numbers of Apple-based systems remain vulnerable to attacks.
On Thursday, Italian researchers Roberto Paleari and Aristide Fattori released information on a vulnerability they recently discovered, which affects OS X versions 10.9.4 and 10.9.5 (“Mavericks”) and was silently patched in 10.10 (“Yosemite”). The vulnerability is located in the Bluetooth OS X driver, the IOBluetoothFamily KEXT. Successful exploitation can lead to root privileges. The researchers also disclosed that the Apple security team has admitted that Mavericks is still unpatched.
This discovery follows previous research by Google’s “Project Zero”, which disclosed several vulnerabilities, most of which were patched in Yosemite, but some of which were left open in Mavericks and earlier OS versions. Moreover, two weeks ago, a 0-day vulnerability in Yosemite was disclosed by Swedish researcher Emil Kvarnhammar from TruSec. Apple has yet to release a patch for this vulnerability. It would be interesting to see if backported security patches will be released for Mavericks and Mountain Lion.
Without a security patch, the best alternative to keep systems protected is for users to patch their systems themselves. Since this is not easily accomplished, we expect that the majority of systems will remain vulnerable. In trying to evaluate how many non-Yosemite systems are out there, we came across this page from Adium, a popular IM app for OS X, and this page from GoSquared, maker of real-time analytics software. According to these estimates, approximately 70% of Apple devices are running pre-Yosemite OSes. That is an awful lot.
It’s important to reiterate that a solution to these threats does exist: upgrade to Yosemite. Our main concern is the silence around these threats, leaving many users both vulnerable and unaware.
From a practical standpoint, what can you do?
Obviously, wherever possible, keep the OS up to date and apply security patches when they become available. Yosemite still has its issues, but updating to this version will minimize the risk.
In addition, consider next-gen endpoint protection that is able to protect against zero-day malware with or without security patches. Unfortunately, antivirus will not protect against these vulnerabilities.