I have been saying this for quite some time now, last time at the Security Nightmares talk at the 22C3: Apple needs to put serious money into security. Just claiming OS X to be more secure because there is a open source Unix underneath is just bullshit.

First, there is no real open source anymore below the operating System.

Second, the history of OS X vulnerabilities begins to get devastating, despite the UNIX core. Old vulnerabilities that are long time fixed in other distributions stay unpatched for months. The latest Security Patch again contains vulnerabilities that are several months old, and even a PHP version that is seriously out of date despite the patched version being available for quite some time.

To put it mildly: it is only by sheer luck that Apple has escaped a major security disaster for so long. Without a immediate and substantial investment into security (hiring talented people, shell out money for external source audits and penetration tests) OS X will loose its reputation as a reasonably secure platform rather quickly and it will be very difficult to get it back.

Microsoft has understood this problem and invested accordingly, and the effects begin to show. The number and severity of Windows problems seems to be falling. In comparision: the kind of problems surfaced now in the latest rounds of Apple patches points to rather deep reaching problems in Apples security culture that need to be addressed urgently.

The list of rumors circling about undisclosed vulnerabilities and exploits is rather long, ranging from a method to attack the software update process by inserting a doctored update into the update download to problems in the nice and colorful sharing protocols of iTunes and iPhoto. 2006 will certainly not be a happy year for OS X users in terms of security. Be careful with your Mac…