Feeds

Apple's Mountain Lion to offer automatic security updates

Crikey - now there's a thought

Intelligent flash storage arrays

Apple is building in automatic update checking into the next version of Mac OS X – Mountain Lion.

OS X 10.8 Mountain Lion can be configured to automatically poll for security updates every day instead of waiting for users to check for them, which describes the current set-up, AppleInsider reports.

Alternatively, Mountain Lion can be set up to phone home for updates every time a computer is restarted. In either case, users can select to automatically apply available security updates.

"Of course, most days it is unlikely that Apple will have released a security update - but for those times when they have, this feature will hopefully reduce the window of opportunity for malicious hackers to exploit any vulnerabilities in OS X," notes Graham Cluley, senior technology consultant at net security firm Sophos.

The automatic update feature appeared alongside the latest build of Mountain Lion Developer Preview, where it is known as "OS X Security Update Test 1.0" and available through the Mac App Store.

In addition, the latest laptops from Apple will come with a "PowerNap" feature, allowing security updates to be downloaded while the rest of the computer is in sleep mode.

Both features will help ensure that more Macs are kept more up-to-date. Whether or not they remain secure will still depend on the timely publication of security updates from Apple, an issue highlighted by the infamous Flashback Trojan. Flashback exploited a Java vulnerability to infect 600,000 Macs worldwide. The malware exploited a cross-platform flaw in Java that was patched on Windows machines weeks before creating mayhem on Macs. But Apple took much longer to respond, eventually belatedly responding with Java updates and clean-up tools.

Chastened by the experience, Apple is reportedly making security improvements a key feature in Mountain Lion, which is due to debut in mid-July. Other changes in the pipeline may include mandating secure connection to Apple's update servers. Earlier this month it emerged that the Flame cyber-espionage tool had used a "man-in-the-middle" attack against the Windows update system. If Apple introduces security updates over SSL connections then it will move ahead of the game in thwarting this type of attack.

It's unclear to what extent Apple will retro-fit these various security improvements into previous versions of Mac OS X.

In a related moved, Apple recently removed assertions that the Mac "doesn't get PC viruses" in favour of the less strident statement that its computers are "built to be safe".

The increased popularity of Macs in business Apple will need to develop tools (or at least settings) to make patching more manageable in corporate environments.

"In business environments the concept of automatic, silent updates to the Mac operating system may be less popular," Cluley explained. "Often organisations prefer to test a security update before rolling it out across a large number of computers, in case there are bugs or conflicts.

"Furthermore, companies may not like the idea of lots of their Mac computers individually pulling down hefty security updates and gobbling up their internet bandwidth. Presumably Apple will provide mechanisms for businesses to handle these issues when OS X ships next month," he concluded. ®

Top 5 reasons to deploy VMware with Tegile

More from The Register

next story
Regin: The super-spyware the security industry has been silent about
NSA fingered as likely source of complex malware family
Why did it take antivirus giants YEARS to drill into super-scary Regin? Symantec responds...
FYI this isn't just going to target Windows, Linux and OS X fans
Privacy bods offer GOV SPY VICTIMS a FREE SPYWARE SNIFFER
Looks for gov malware that evades most antivirus
Home Office: Fancy flogging us some SECRET SPY GEAR?
If you do, tell NOBODY what it's for or how it works
HACKERS can DELETE SURVEILLANCE DVRS remotely – report
Hikvision devices wide open to hacking, claim securobods
'Regin': The 'New Stuxnet' spook-grade SOFTWARE WEAPON described
'A degree of technical competence rarely seen'
Syrian Electronic Army in news site 'hack' POP-UP MAYHEM
Gigya redirect exploit blamed for pop-rageous ploy
Astro-boffins start opening universe simulation data
Got a supercomputer? Want to simulate a universe? Here you go
prev story

Whitepapers

Driving business with continuous operational intelligence
Introducing an innovative approach offered by ExtraHop for producing continuous operational intelligence.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
How to determine if cloud backup is right for your servers
Two key factors, technical feasibility and TCO economics, that backup and IT operations managers should consider when assessing cloud backup.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Internet Security Threat Report 2014
An overview and analysis of the year in global threat activity: identify, analyze, and provide commentary on emerging trends in the dynamic threat landscape.