


Macintosh OS X has joined Windows and other Unix systems in an inauspicious top 20 list – the SANS TOP 20 Vulnerabilities. OS X was added not because of any particular hack or vulnerability, but because “MacOS includes software that has critical vulnerabilities and Apple has a patch policy, described below, that do not allow us to be more specific in identifying the elements of MacOS that contain the critical vulnerabilities.”

SANS Details:

Description

Mac OS X was released by Apple in 2001 as a solid UNIX-based Operating System. Although Mac OS X has security features implemented out of the box, such as a built-in personal firewall, unnecessary services turned off by default and easy ways to increase the OS security, the user still faces many vulnerabilities.

Mac OS X also includes the Safari web browser. Multiple vulnerabilities have been found in this browser and in certain cases exploit code has also been posted publicly.

Apple frequently issues Mac OS X cumulative security updates that tend to include fixes for a large number of vulnerabilities with risk ratings ranging from critical to low. This complicates the tracking of vulnerabilities for this OS, and the best way to ensure security is to apply the latest cumulative patch.

How to Determine If You Are Vulnerable

Any default or unpatched Mac OS X installations should be presumed to be vulnerable.

The following procedure will check if there are new packages available. If you do not see any important package patches available, you may be safe:

  1. Choose System Preferences from the Apple Menu.
  2. Choose Software Update from the View menu.
  3. Click Update Now.
  4. Check the items available.

To aid in the process of vulnerability assessment, you can leverage any vulnerability scanner.

How to Protect against Mac OS X Vulnerabilities

  • Be sure to stay current and have all security updates for Apple products applied by turning on the Software Update System to automatically check for software updates released by Apple. Although different schedules are possible, we recommend that you configure it to check for updates on a weekly basis at least. For more information about how to check and run the Software Update System, see the Apple Software Updates webpage – http://www.apple.com/macosx/upgrade/softwareupdates.html
  • To avoid unauthorized access to your machine, turn on the built-in personal firewall. If you have authorized services running in your machine that need external access, be sure to explicitly permit them.
  • There are many excellent guides available for hardening Mac OS X. The CIS Benchmark for Mac OS X enumerates security configurations useful for hardening the Operating System. The actions suggested by the Level-1 benchmark documents are unlikely to cause any interruption of service or applications and are highly recommended to be applied on the system. Also, the Securing Mac OS X 10.4 Tiger white paper examines security features and hardening of Mac OS X.

Source: SANS
