HEAT Security Blog

What the Security Features of Apple’s Mountain Lion Mean for the Enterprise

The 2012 Apple World Wide Developers’ Conference saw the release of many new Apple products, including a sneak peek of the long-anticipated OS, Mountain Lion. The new release shows that Apple has taken one step forward in what will be a long security road. While it’s a good start, they are still miles behind Microsoft when it comes to the security needs of an enterprise.

Here’s a breakdown of the security features for enterprise IT teams.

Gatekeeper
Apple is moving the successful whitelisting capability of iOS to the new Mountain Lion operating system. This is very good news. If you look at the security issues reported on Android over the last year and compare them to the vulnerabilities reported on the iPhone, you’ll see how the whitelisting capability has clearly been the differentiator in smartphones. Within Mountain Lion, the whitelisting feature is called Gatekeeper, and it gives users three security options for downloading and installing apps:

  1. Download and install applications that have been fully vetted by Apple in the Mac App Store
  2. Download and install applications from identified and perhaps trusted providers
  3. Download and install applications from anywhere

Browser vendors such as Mozilla are already preparing the code signing required by Mountain Lion. Enterprise deployments of Mountain Lion can achieve maximum security by permitting the downloading and installing of applications and their updates only from the Apple App Store. But this leads me to wonder about the many third-party applications not provided in the Apple App Store. Obviously, users are left on their own when determining what level of trust to apply. While the whitelisting capability in Mountain Lion is a welcome addition to Apple’s offering, current-generation whitelisting solutions offer numerous additional features that are simply missing from Apple’s Gatekeeper.

Bottom Line: Gatekeeper is a great start, but it lacks the level of automation and the complete trust model that can be found in current-generation solutions.

FIPS 140-2 certification
Apple has indicated that FIPS 140-2 certification is in progress. While this may go a long way toward raising the FISMA score of government organizations, the reality is that users are still reeling from the debug-switch mistake Apple made in OS X 10.7.3, which for more than 3 months exposed FileVault passwords in the clear in log files. Again, the FIPS 140-2 certification is welcome, but Apple needs to take flaws in its products more seriously and clean up bugs on a timetable acceptable to the enterprise – not simply ignore reported issues and release a patch with little fanfare when they get “around to it.”

Kernel ASLR
Kernel ASLR has been available in both the Windows and Linux operating systems. It is a welcome addition to Apple’s Mountain Lion, but clearly, as shown by other vendors’ implementations in Windows and Linux, it is far from the Holy Grail. It remains to be seen how effective Apple’s kernel ASLR implementation will be.

Management tools for FileVault
New management capabilities using the fdesetup command-line tool for FileVault will expand the third-party offerings that can perhaps put the technology to good use. Recent FileVault issues still cast a shadow of doubt on Apple’s FileVault implementation.
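An enterprise posture check covering the Gatekeeper tiers described above and the FileVault state exposed by fdesetup, written here as an added example (not code from the original post or from Apple). It assumes the output strings printed by spctl --status, spctl --assess and fdesetup status on Mountain Lion; the classifiers take captured output so they can be exercised off-box with constructed samples.

```shell
#!/bin/sh
# Added example: endpoint posture check for a Mountain Lion fleet.
# Parsing is separated from command execution so the classifiers can be
# exercised with captured output on any system; spctl and fdesetup are
# macOS tools and are only invoked in posture_report.

# Classify `spctl --status` output: "assessments enabled" means Gatekeeper
# is enforcing (options 1 or 2); "disabled" means option 3, "anywhere".
gatekeeper_state() {
  case "$1" in
    *"assessments enabled"*)  echo enforcing ;;
    *"assessments disabled"*) echo anywhere ;;
    *)                        echo unknown ;;
  esac
}

# Classify `fdesetup status` output ("FileVault is On." / "FileVault is Off.").
filevault_state() {
  case "$1" in
    *"FileVault is On"*)  echo on ;;
    *"FileVault is Off"*) echo off ;;
    *)                    echo unknown ;;
  esac
}

# Classify `spctl --assess --type execute --verbose <app>` output.
# The "source=" line reports which Gatekeeper tier admitted the binary;
# a rejection is checked first because rejected output also carries a source.
assess_app() {
  case "$1" in
    *"rejected"*)              echo rejected ;;
    *"source=Mac App Store"*)  echo app-store ;;
    *"source=Developer ID"*)   echo developer-id ;;
    *"accepted"*)              echo accepted-other ;;
    *)                         echo unknown ;;
  esac
}

# Constructed sample outputs (not captured from a real machine).
SAMPLE_SPCTL_STATUS="assessments enabled"
SAMPLE_FDESETUP="FileVault is Off."
SAMPLE_ASSESS="/Applications/Example.app: accepted
source=Developer ID"

# Live run on a Mac: returns success only when Gatekeeper enforces and
# FileVault is on, so it can gate an MDM or compliance script.
posture_report() {
  gk=$(gatekeeper_state "$(spctl --status 2>&1)")
  fv=$(filevault_state "$(fdesetup status 2>&1)")
  printf 'gatekeeper=%s filevault=%s\n' "$gk" "$fv"
  [ "$gk" = enforcing ] && [ "$fv" = on ]
}
```

Run posture_report on the endpoint itself; the classifiers alone can be fed saved output from a fleet inventory.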

Sandboxed apps
Apple mandated that all iOS application submissions utilize its sandbox capabilities by March 2012, then pushed that date back to June. The expansion of Apple’s sandboxing capability in Mountain Lion will now include FaceTime, Mail, Reminders, Notes, Game Center, and Safari. Apple has not had an easy road to travel in its sandbox implementation. Reportedly, one bug in the Apple sandbox existed for well over 3 years without a patch or resolution from Apple. Because of the legacy issues in the Apple sandbox and the seemingly low priority Apple has given to patching them, the robustness of the current offering and the benefits of Apple’s sandbox implementation in Mountain Lion remain to be seen.

Check for updates daily
While Mountain Lion will now check for new updates every day, perhaps Apple could really add value for its users by adopting Microsoft’s level of disclosure regarding product vulnerabilities. Apple’s long history of releasing patches in the shadow of Microsoft’s Patch Tuesday, with little if any of the information IT pros need to make informed decisions, is simply inexcusable for an enterprise-ready product.

Safari safe HTML handling
A new, welcome capability in Safari displays only local information and does not access remote resources or send data to a remote server when you open an HTML file saved from the web. However, is the Safari browser from Apple really a suitable browser for the enterprise? While Apple has really improved the user experience with the speed of Safari, the security issues associated with Safari relegate it to a last choice for many within the enterprise. Many of the security pros I see use Apple laptops, but most opt to use Mozilla or Chrome as their browser.