Feeds

Apple's Mountain Lion to offer automatic security updates

Crikey - now there's a thought

The Power of One eBook: Top reasons to choose HP BladeSystem

Apple is building in automatic update checking into the next version of Mac OS X – Mountain Lion.

OS X 10.8 Mountain Lion can be configured to automatically poll for security updates every day instead of waiting for users to check for them, which describes the current set-up, AppleInsider reports.

Alternatively, Mountain Lion can be set up to phone home for updates every time a computer is restarted. In either case, users can select to automatically apply available security updates.

"Of course, most days it is unlikely that Apple will have released a security update - but for those times when they have, this feature will hopefully reduce the window of opportunity for malicious hackers to exploit any vulnerabilities in OS X," notes Graham Cluley, senior technology consultant at net security firm Sophos.

The automatic update feature appeared alongside the latest build of Mountain Lion Developer Preview, where it is known as "OS X Security Update Test 1.0" and available through the Mac App Store.

In addition, the latest laptops from Apple will come with a "PowerNap" feature, allowing security updates to be downloaded while the rest of the computer is in sleep mode.

Both features will help ensure that more Macs are kept more up-to-date. Whether or not they remain secure will still depend on the timely publication of security updates from Apple, an issue highlighted by the infamous Flashback Trojan. Flashback exploited a Java vulnerability to infect 600,000 Macs worldwide. The malware exploited a cross-platform flaw in Java that was patched on Windows machines weeks before creating mayhem on Macs. But Apple took much longer to respond, eventually belatedly responding with Java updates and clean-up tools.

Chastened by the experience, Apple is reportedly making security improvements a key feature in Mountain Lion, which is due to debut in mid-July. Other changes in the pipeline may include mandating secure connection to Apple's update servers. Earlier this month it emerged that the Flame cyber-espionage tool had used a "man-in-the-middle" attack against the Windows update system. If Apple introduces security updates over SSL connections then it will move ahead of the game in thwarting this type of attack.

It's unclear to what extent Apple will retro-fit these various security improvements into previous versions of Mac OS X.

In a related moved, Apple recently removed assertions that the Mac "doesn't get PC viruses" in favour of the less strident statement that its computers are "built to be safe".

The increased popularity of Macs in business Apple will need to develop tools (or at least settings) to make patching more manageable in corporate environments.

"In business environments the concept of automatic, silent updates to the Mac operating system may be less popular," Cluley explained. "Often organisations prefer to test a security update before rolling it out across a large number of computers, in case there are bugs or conflicts.

"Furthermore, companies may not like the idea of lots of their Mac computers individually pulling down hefty security updates and gobbling up their internet bandwidth. Presumably Apple will provide mechanisms for businesses to handle these issues when OS X ships next month," he concluded. ®

Designing a Defense for Mobile Applications

More from The Register

next story
Mozilla fixes CRITICAL security holes in Firefox, urges v31 upgrade
Misc memory hazards 'could be exploited' - and guess what, one's a Javascript vuln
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
Four fake Google haxbots hit YOUR WEBSITE every day
Goog the perfect ruse to slip into SEO orfice
prev story

Whitepapers

Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Seven Steps to Software Security
Seven practical steps you can begin to take today to secure your applications and prevent the damages a successful cyber-attack can cause.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.