Web developers concerned about security vulnerabilities in the web pages and applications they create and in the software they use got surprising news this weekend when a renowned hacker said that Apple, Adobe, and web applications were behind Microsoft in terms of software security and code patches.
The comments came from Marc Maiffret, chief security architect for FireEye, who famously hacked the U.S. government when he was 17. Maiffret's claim that Apple and Adobe have not been taking software security seriously came during an exclusive interview with CNET.

Adobe, Apple Treat Security Like a Marketing Problem, Not a Technical One
"Adobe, and even Apple, is a good example" of companies that should follow Microsoft's security example, Maiffret said. "They are starting to get black eyes with people saying Adobe is a bigger worry than Microsoft is at the moment, which I agree with. As those things are happening, Adobe and Apple and other companies are starting to pay attention and care more. But a year ago, it was still very much a marketing thing. People from both companies treated it as a marketing problem. They didn't have good technical structures behind the scenes."
Both Apple and Adobe were contacted for comment. After 24 hours neither company had responded.
Apple Should Follow Microsoft's Good Example
"It's even a little scarier with [Apple]," Maiffret said in response to a question about whether or not Apple was taking software security seriously, "because they try to market themselves as more secure than the PC, that you don't have to worry about viruses, etc. Anytime there's been a hacking contest, within a few hours someone's found a new Apple vulnerability. If they were taking it seriously, they wouldn't claim to be more secure than Microsoft because they are very much not. And the Apple community is pretty ignorant to the risks that are out there as it relates to Apple. The reason we don't see more attacks out there compared to Microsoft is because their market share isn't near what Microsoft's is."
Web Applications Could Be New Target
Maiffret also said that Microsoft does a better job than Apple of auditing its code, and added that online applications like Facebook were becoming increasingly complex and vulnerable to attack.
"The web-based applications are also big targets: companies putting web apps online and weird uses of Facebook. Facebook is becoming its own complex platform with all these different apps integrated," Maiffret said.
"A few years ago, the types of attacks were e-mails that appeared to come from your bank. You could just log into your bank and see if there was a notice for customers. It was old-style phishing. It's easier to look for that and avoid those things. Nowadays, when attacks are increasingly being leveraged from legitimate web sites, it's harder," said Maiffret. "For instance, where the CFO of a company was targeted because he was on CFO.com and some guys in Ukraine paid to have a flash-based advertisement taken out on financial sites. That's the scariest shift to me.
"I don't even know of a way right now, with the various types of attacks, how to explain to my mom what not to click on and what not to do because just through the normal browsing attacks are going to be coming at her. It's so low-level and behind the scenes. You just happen to click on a news link and a flash link off to the side that you're not even interacting with compromises you. The potential of educating users is going away quickly. It means we have to be better as technology people and security companies at preventing these things."
Preventing Hacks in Your Code
Maiffret's comments raise two questions for web developers: (1) how to protect their own systems, since almost no other group of users is exposed to a greater array of sites and software downloads (consider the number of jQuery plugins you downloaded just last month), and (2) how to prevent malicious hackers from hijacking their websites and web applications.
Unfortunately, the answers to those questions are not as simple as one might expect. If Apple's OS is indeed the most vulnerable, should you move to Windows 7, which is notably the safest? Should you stop using Adobe's powerful Dreamweaver tool set? Certainly not. You should not abandon products that are generally secure and often necessary for the development task.
The bottom line is that web developers should (1) continue to use all reasonable caution when interacting on the web and when downloading software, plugins, and extensions; (2) write code that is not vulnerable to SQL injection, man-in-the-middle attacks, or other site hijacking techniques; and, as much as possible, (3) use attack and malware monitoring tools and code signing from reputable certifying agencies such as VeriSign or McAfee.
