For many years, there was a widely-held notion that Apple Mac users were more secure than their Windows counterparts. In recent years, however, that notion has been challenged.
In 2012, Mac OS X users were specifically targeted for exploitation by way of a Java vulnerability (the Flashback malware spread through a Java flaw that Apple had not yet patched). Apple has since made multiple moves to improve its handling of Java. Yet according to Carl Livitt, managing security associate at security firm Bishop Fox, simply updating Java and keeping Mac OS X up-to-date are no longer enough to keep the browser secure.
“The browser presents such a huge attack surface,” Livitt told eSecurity Planet. “It’s not just things like Java and Flash; there are also problems in the browser itself.”
Livitt recently published a brief guide on how to secure Mac OS X browsers and is also a contributing author of the book, Web Hacking Exposed.
A key challenge with Mac OS X browser security is that the browser runs with the same permissions as the user who launched it: whatever files and network access that user has, a compromised browser has as well.
“If you run under the assumption that someone will hack your browser eventually, you then have to limit the things that you yourself can do with a browser in order to limit the things that an attacker can do,” Livitt suggested.
Securing Mac OS X
Use multiple browsers. At the top of Livitt’s list of suggestions for Mac OS X browser security is for users to run multiple browsers rather than only the default Apple Safari. There are a number of reasons why running multiple browsers is a good idea, limiting risk chief among them. Take a Web-based email system like Google’s Gmail: many users stay logged into Gmail all day. If the browser is hacked, the attacker inherits that logged-in session and everything the account can do. Livitt recommended that users either run Gmail in its own browser that is used for nothing but email, or simply not stay logged into Gmail all day.
Consider sandboxing the browser. Going a step further, those who are even more risk averse might want to sandbox the browser to limit its access to operating system components. One of the multiple ways of sandboxing on Mac OS X is with the Ironfox application shell script wrapper for Firefox.
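To make the sandboxing idea concrete, here is an added example of the mechanism IronFox-style wrappers build on: a profile for the sandbox-exec facility that ships with Mac OS X, written for a Firefox instance dedicated to Web mail. This is illustration added to the article, not IronFox’s own profile and not from Livitt’s guide. The application path, the “mail” Firefox profile name, the writable directories and the list of allowed ports are all assumptions; a real profile needs further rules for GUI services (window server, pasteboard, fonts) that are discovered by watching the denial log.

```scheme
;; Illustrative sandbox-exec profile for a dedicated "mail" Firefox instance.
;; Added example, not IronFox's profile. Paths and the allow list are
;; assumptions; tune them by launching with (debug deny) and reading the
;; denials in system.log / Console.app.
;;
;; Launch (assumed paths). -P mail selects a separate Firefox profile
;; (created once with: firefox -CreateProfile mail); -no-remote keeps it
;; from attaching to an already running Firefox:
;;
;;   sandbox-exec -f firefox-mail.sb -D HOME="$HOME" \
;;     /Applications/Firefox.app/Contents/MacOS/firefox -no-remote -P mail

(version 1)
(deny default)        ; everything not explicitly listed below is refused
(debug deny)          ; log each denial so the profile can be tuned

;; The browser binary and its bundled libraries: read and execute only.
(allow process-exec (subpath "/Applications/Firefox.app"))
(allow process-fork)  ; plugin-container and helper processes
(allow file-read*    (subpath "/Applications/Firefox.app"))

;; Shared system libraries and frameworks, read only.
(allow file-read* (subpath "/System/Library")
                  (subpath "/usr/lib")
                  (subpath "/usr/share"))
(allow file-read-metadata)
(allow sysctl-read)

;; The ONLY writable locations: this instance's profile directory and its
;; cache. The rest of $HOME (Documents, ssh keys, other browsers' cookie
;; stores) stays off limits even if this browser is compromised.
(allow file-read* file-write*
       (subpath (string-append (param "HOME") "/Library/Application Support/Firefox"))
       (subpath (string-append (param "HOME") "/Library/Caches/Firefox")))

;; Network: outbound HTTP and HTTPS only. No inbound listeners, so a
;; compromised browser cannot be turned into a listening shell.
(allow network-outbound (remote tcp "*:80")
                        (remote tcp "*:443"))
(deny  network-inbound)

;; Name resolution on OS X goes through mDNSResponder's unix socket.
(allow network-outbound
       (remote unix-socket (path-literal "/private/var/run/mDNSResponder")))
```

The point of the profile is the first two rules: with `(deny default)` the browser starts with nothing, and every capability it gets back is listed where a reviewer can see it. Denying `network-inbound` and confining writes to the profile directory are what limit an attacker who does get code execution in the browser, which is exactly the assumption Livitt says to plan for.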
Protect cache/cookie information. Cookies and cache stores, which can include session and authentication information, are among the most valuable sources of information in a user’s browser. One way to help ensure that cookie information does not persist beyond a given session is a plugin called BetterPrivacy. It goes beyond the typical browser cookie clearing to make sure that cookies set by Flash (local shared objects) or other add-ons are also removed, on a timed basis or on browser exit.
Supplement native firewall capabilities. Mac OS X has its own built-in firewall and anti-malware capabilities, which provide a degree of protection for users. To supplement the built-in capabilities, Livitt suggests a program called Little Snitch, an application-level firewall that tracks, per application, the incoming and outgoing connections a machine makes.
It also provides a pop-up window each time a program tries to connect to something, requesting users to explicitly grant permission. “After a while, you train Little Snitch to allow or block things,” Livitt said.
If a Mac OS X browser is somehow breached and the attacker tries to open a connection to a server in China that the user knows nothing about, for example, Little Snitch will alert the user before the connection is made. “Little Snitch is a pretty great addition to the crappy OS X firewall,” Livitt added.
Impacting OS X Usability
A primary tenet of Mac OS X is usability. Adding layers of browser security could cost some of that usability, at least initially.
As you add more protection, you have to jump through more hoops, Livitt noted. That said, the additional measures typically involve only a bit more up-front work by the user until they get used to them, he said.
“Like most things in life, a little hard work up front pays dividends in the end,” he said.
Sean Michael Kerner is a senior editor at eSecurity Planet and InternetNews.com. Follow him on Twitter @TechJournalist.