
Apple exposing Mac OS X Lion to security experts for review

post #1 of 27
Thread Starter 
Apple is inviting security experts to examine its developer preview of Mac OS X 10.7 Lion, apparently the first time it has expanded beyond its core developers to expose its new software to community scrutiny.

"I wanted to let you know that I've requested that you be invited to the prerelease seed of Mac OS X Lion, and you should receive an invitation soon," Apple wrote to several security researchers, including such luminaries as Dino Dai Zovi, Stefan Esser and Charlie Miller.

"As you have reported Mac OS X security issues in the past, I thought that you might be interested in taking a look at this. It contains several improvements in the area of security countermeasures," the letter stated, according to a report by CNET.

The report cited Miller, who has demonstrated cracks in Apple's software, as saying, "as far as I know they have never reached out to security researchers in this way. Also, we won't have to pay for it like everybody else. It's not hiring us to do pen-tests of it, but at least it's not total isolation anymore, and at least security crosses their mind now."

Miller predicted Lion would incorporate full ASLR (Address Space Layout Randomization), a security technique that puts important data in unpredictable locations, making it harder to target known weaknesses. Snow Leopard currently limits ASLR protection to libraries, leaving the location of code, stack, and heap easier for crackers to aim their assaults at.

Apple's iOS 4.3 will reportedly add ASLR, making it more difficult to jailbreak devices via exploits of userland vulnerabilities. This suggests Lion will also adopt the same protections when it arrives this summer.

Dai Zovi, who has similarly demonstrated exploits for Apple's software before at events such as CanSecWest, tweeted, "Apple has invited me to look at the Lion developer preview. I won't be able to comment on it until its release, but hooray for free access," later adding, "This looks to be a step in the direction of opening up a bit and inviting more dialogue with external researchers."

Dai Zovi also mused, "Will Lion be the 'Vista' of Mac OS X? In the sense that they start taking security seriously, not the sense that nobody wants to use it."
post #2 of 27
Quote:
Originally Posted by AppleInsider

Dai Zovi also mused, "Will Lion be the 'Vista' of Mac OS X? In the sense that they start taking security seriously, not the sense that nobody wants to use it."



Allow / Deny pop-ups like Vista?

Life is too short to drink bad coffee.

post #3 of 27
It's actually really nice to see Apple doing this. It sure shows they want to deliver a safer OS.
Let's hope it helps OSX not being the first hacked OS every year at that hacker contest...

---
iMac Early '08- 20", 2.66 Ghz C2D, 320Gb HD, ATI 2600 Pro, 4Gb RAM 800 Mhz DDR2 SDRAM
MBP Mid '10 - 15", 2.4 Ghz i5, 320Gb HD, NVIDIA GeForce GT 330M, 4Gb RAM 1066 Mhz DDR3
4Gen. iPod Nano - 8Gb

post #4 of 27
Quote:
Originally Posted by mstone

Allow / Deny pop-ups like Vista?

It already does for administrative actions, a GUI wrapper around sudo. Every Linux and BSD distro has the same feature, and with a little work, Windows Vista/7 can be set up with the same security (by default, the popups are useless and just annoying).
post #5 of 27
Quote:
Originally Posted by FitzGerald

It's actually really nice to see Apple doing this. It sure shows they want to deliver a safer OS.
Let's hope it helps OSX not being the first hacked OS every year at that hacker contest...

The only reason OS X is hacked first is because people have incentive to win the Mac. Nobody wants the PC so they don't try so hard to hack it.
post #6 of 27
Quote:
Originally Posted by mstone

Allow / Deny pop-ups like Vista?

Oh the inhumanity!
post #7 of 27
Quote:
Originally Posted by FitzGerald

It's actually really nice to see Apple doing this. It sure shows they want to deliver a safer OS.
Let's hope it helps OSX not being the first hacked OS every year at that hacker contest...

Let's remember they all got hacked by the same person every year, who targets only the Macs, has his hack planned in detail which only works after lowering security twice

iPhone 4S 64GB, Black, soon to be sold in favor of a Nokia Lumia 920
Early 2010 MacBook Pro 2.4GHz, soon to be replaced with a Retina MacBook Pro, or an Asus U500

post #8 of 27
Quote:
Originally Posted by mstone

Allow / Deny pop-ups like Vista?

Oh No. I would have to change my sig.
Crying? No, I am not crying. I am sweating through my eyes.
post #9 of 27
Quote:
Originally Posted by Lukeskymac

Let's remember they all got hacked by the same person every year, who targets only the Macs, has his hack planned in detail which only works after lowering security twice

Oh, totally forgot about that little detail. And I guess macosxp has a good point too.

---
iMac Early '08- 20", 2.66 Ghz C2D, 320Gb HD, ATI 2600 Pro, 4Gb RAM 800 Mhz DDR2 SDRAM
MBP Mid '10 - 15", 2.4 Ghz i5, 320Gb HD, NVIDIA GeForce GT 330M, 4Gb RAM 1066 Mhz DDR3
4Gen. iPod Nano - 8Gb

post #10 of 27
Quote:
Originally Posted by Lukeskymac

Let's remember they all got hacked by the same person every year, who targets only the Macs, has his hack planned in detail which only works after lowering security twice

Yes, but all the platforms are set up that way. Windows 7, 64-bit, has simply proven to be much harder to hack (not impossible, but harder).

I for one am thrilled that they're taking security seriously, if for nothing else but to help prevent the Mac from being a laughing stock at these contests. They have shown that the reason we don't have viruses is not because Mac and Linux are unhackable, but simply because malware programmers focus on Windows. If Apple continued to neglect this, it was going to be inevitable that viruses and malware would come to Mac.

Some security features coming in Lion:

- ASLR (makes it hard to predict memory locations. Also means that the Mac Kernel will be 64-bit by default, since 64-bit is required for ASLR to work effectively).

- Safari - process isolation. A technique/concept borrowed from Google's Chrome browser.
post #11 of 27
In my 7 years of using Macs, I've never had a security issue (that I'm aware of). Compare this with my dad whose 2 year old Toshiba got completely screwed up last December...

But it's always better to be on the safe side. Built-in virus scanning would be nice, with definitions freely updated by Apple.
post #12 of 27
Quote:
Originally Posted by _Rick_V_

- Safari - process isolation. A technique/concept borrowed from Google's Chrome browser.

I think they may be using WebKit 2, which would mean the implementation would be slightly different.
post #13 of 27
Quote:
Originally Posted by acslater017

But it's always better to be on the safe side. Built-in virus scanning would be nice, with definitions freely updated by Apple.

Yes, but unfortunately there are no viruses for OS X, and hence there can be no virus definitions...

(The only thing that exists and is called "OS X virus" by lame tech writers are various kinds of lame Trojans and proof of concept crap).
post #14 of 27
Given that many security "experts" like to diss Apple, I fear this is like Apple putting its head in a Lion's mouth . . . .
post #15 of 27
Quote:
Originally Posted by FitzGerald

It's actually really nice to see Apple doing this. It sure shows they want to deliver a safer OS.
Let's hope it helps OSX not being the first hacked OS every year at that hacker contest...

So what if it is? In the real world Mac users don't have much to worry about. The researchers keep saying "any day now" OS X will be attacked like Windows. They've been saying it for a decade and it simply hasn't happened yet. Being the first OS to get hacked at some contest is about as meaningless as it gets.

Yes, Apple should continue to make OS X as secure as it possibly can and yes, letting security researchers take a look is a good move. But to wring one's hands in fear is just not justified in the case of OS X.
post #16 of 27
Quote:
Originally Posted by columbus

I think they may be using WebKit 2, which would mean the implementation would be slightly different.

Ironically, once Apple provided a superior solution with WebKit 2, Google is dropping their solution for WebKit 2.
post #17 of 27
Snow Leopard is already supposed to have ASLR when the kernel is run in 64-bit mode.
post #18 of 27
LOL, funny how the software is "released" to developers, but "exposed" to security experts ;-)
post #19 of 27
Quote:
Originally Posted by zenwaves

LOL, funny how the software is "released" to developers, but "exposed" to security experts ;-)

That's because they are opening the kimono.
post #20 of 27
Quote:
Originally Posted by _Rick_V_

They have shown that the reason we don't have viruses is not because Mac and Linux are unhackable, but simply because malware programmers focus on Windows.

You also have to consider the fact that most Windows computers are still running XP, which is much much less secure than Vista and Windows 7.
post #21 of 27
Quote:
Originally Posted by macosxp

The only reason OS X is hacked first is because people have incentive to win the Mac. Nobody wants the PC so they don't try so hard to hack it.

No, that's actually not the reason. I would explain some of the real reasons why it's hacked first but all it would do is start another flame war.
Quote:
Originally Posted by Mynameisjoe

You also have to consider the fact that most Windows computers are still running XP, which is much much less secure than Vista and Windows 7.

This is true in the sense that most older operating systems are generally going to have more documented exploits making them less secure than newer ones. However, XP SP3 is a rather secure OS in its own right. But of course, if one can upgrade to Vista or 7, that is recommended.
post #22 of 27
Quote:
Originally Posted by Lukeskymac

Let's remember they all got hacked by the same person every year, who targets only the Macs, has his hack planned in detail which only works after lowering security twice

Yeah, like after giving him root access!

Quote:
Originally Posted by acslater017

In my 7 years of using Macs, I've never had a security issue (that I'm aware of).

Same here. Except I've been using Macs since 1984.

Quote:
Originally Posted by AppleInsider

Dai Zovi also mused, "Will Lion be the 'Vista' of Mac OS X? In the sense that they start taking security seriously, not the sense that nobody wants to use it."

Oh pleeeeeeze! Using Windoze analogies for Macs is bass-ackward, upside down, and depraved. It's like comparing a 1930’s VW Beetle to a 2011 Ferrari.
post #23 of 27
Quote:
Originally Posted by _Hawkeye_

Yeah, like after giving him root access!



Same here. Except I've been using Macs since 1984.



Oh pleeeeeeze! Using Windoze analogies for Macs is bass-ackward, upside down, and depraved. It's like comparing a 1930s VW Beetle to a 2011 Ferrari.

Why, is using "Windoze analogies" going to burst your little iBubble? It's not the analogy I would have used but I understand what they meant by it.
post #24 of 27
Quote:
Originally Posted by AppleInsider

The report cited Miller, who has demonstrated cracks in Apple's software, as saying, "It's not hiring us to do pen-tests of it, but at least it's not total isolation anymore, and at least security crosses their mind now."

Dai Zovi also mused, "Will Lion be the 'Vista' of Mac OS X? In the sense that they start taking security seriously, not the sense that nobody wants to use it."

It is quite stretching it to say that Apple only now starts taking security seriously or that it crosses their mind, just because they themselves are invited to have a go at the system.

These people act as if they are full of self-importance. Apple knows it is a good idea to get these into the act early, but given these kinds of personalities, they must be doing it while pinching their nose shut.
post #25 of 27
Quote:
Originally Posted by AppleInsider

Dai Zovi also mused, "Will Lion be the 'Vista' of Mac OS X? In the sense that they start taking security seriously, not the sense that nobody wants to use it."

Um... right... don't let that 30% market share hit you on your way out of ignorance, Dai. OS X is a fundamentally better design thanks to its kernel and layered scoping.
post #26 of 27
Where are all of these viruses that were supposed to be targeting/infecting Macs?
I have never come across one, have you?
Surely now that Macs have 10% plus of the market share in the US, you would think someone NOW would try and infect them. Remember the old argument, not enough market share so nobody bothers.

Comparing OSX to that steaming pile of SHIT called Vista or any other windoze is the ultimate insult.
post #27 of 27
There is no "Daniel" in this thread. ^This appears to be a mechanically-copied post from elsewhere on the forum by a SPAMmer in order to run-up his post count. Please do not respond.