Apple exposing Mac OS X Lion to security experts for review

Posted:
in Mac Software edited January 2014
Apple is inviting security experts to examine its developer preview of Mac OS X 10.7 Lion, apparently the first time it has expanded beyond its core developers to expose its new software to community scrutiny.



"I wanted to let you know that I've requested that you be invited to the prerelease seed of Mac OS X Lion, and you should receive an invitation soon," Apple wrote to several security researchers, including such luminaries as Dino Dai Zovi, Stefan Esser and Charlie Miller.



"As you have reported Mac OS X security issues in the past, I thought that you might be interested in taking a look at this. It contains several improvements in the area of security countermeasures," the letter stated, according to a report by CNET.



The report cited Miller, who has demonstrated cracks in Apple's software, as saying, "as far as I know they have never reached out to security researchers in this way. Also, we won't have to pay for it like everybody else. It's not hiring us to do pen-tests of it, but at least it's not total isolation anymore, and at least security crosses their mind now."



Miller predicted Lion would incorporate full ASLR (Address Space Layout Randomization), a security technique that puts important data in unpredictable locations, making it harder to target known weaknesses. Snow Leopard currently limits ASLR protection to libraries, leaving the location of code, stack, and heap easier for crackers to aim their assaults.



Apple's iOS 4.3 will reportedly add ASLR, making it more difficult to jailbreak devices via exploits of userland vulnerabilities. This suggests Lion will also adopt the same protections when it arrives this summer.



Dai Zovi, who has similarly demonstrated exploits for Apple's software before at events such as CanSecWest, tweeted, "Apple has invited me to look at the Lion developer preview. I won't be able to comment on it until its release, but hooray for free access," later adding, "This looks to be a step in the direction of opening up a bit and inviting more dialogue with external researchers."



Dai Zovi also mused, "Will Lion be the 'Vista' of Mac OS X? In the sense that they start taking security seriously, not the sense that nobody wants to use it."
«1

Comments

  • Reply 1 of 27
    mstonemstone Posts: 11,510member
    Quote:
    Originally Posted by AppleInsider View Post


    Dai Zovi also mused, "Will Lion be the 'Vista' of Mac OS X? In the sense that they start taking security seriously, not the sense that nobody wants to use it."







    Allow / Deny pop-ups like Vista?
  • Reply 2 of 27
    It's actually really nice to see Apple doing this. It sure shows they want to deliver a safer OS.

    Let's hope it helps OSX not being the first hacked OS every year at that hacker contest...
  • Reply 3 of 27
    Quote:
    Originally Posted by mstone View Post


    Allow / Deny pop-ups like Vista?



    It already does for administrative actions, a GUI wrapper around sudo. Every Linux and BSD distro has the same feature, and with a little work, Windows Vista/7 can be set up with the same security (by default, the popups are useless and just annoying).
  • Reply 4 of 27
    Quote:
    Originally Posted by FitzGerald View Post


    It's actually really nice to see Apple doing this. It sure shows they want to deliver a safer OS.

    Let's hope it helps OSX not being the first hacked OS every year at that hacker contest...



    They only reason OS X is hacked first is because people have incentive to win the Mac. Nobody wants the PC so they don't try so hard to hack it.
  • Reply 5 of 27
    Quote:
    Originally Posted by mstone View Post


    Allow / Deny pop-ups like Vista?



    Oh the inhumanity!
  • Reply 6 of 27
    Quote:
    Originally Posted by FitzGerald View Post


    It's actually really nice to see Apple doing this. It sure shows they want to deliver a safer OS.

    Let's hope it helps OSX not being the first hacked OS every year at that hacker contest...



    Let's remember they all got hacked by the same person every year, who targets only the Macs, has his hack planned in detail which only works after lowering security twice
  • Reply 7 of 27
    Quote:
    Originally Posted by mstone View Post


    Allow / Deny pop-ups like Vista?



    Oh No. I would have to change my sig.
  • Reply 8 of 27
    Quote:
    Originally Posted by Lukeskymac View Post


    Let's remember they all got hacked by the same person every year, who targets only the Macs, has his hack planned in detail which only works after lowering security twice



    Oh totally forgot about that little detail And I guess macosxp has a good point too
  • Reply 9 of 27
    Quote:
    Originally Posted by Lukeskymac View Post


    Let's remember they all got hacked by the same person every year, who targets only the Macs, has his hack planned in detail which only works after lowering security twice



    Yes, but all the platforms are set up that way. Windows 7, 64-bit, has simply proven to be much harder to hack (not impossible, but harder).



    I for one am thrilled that they're taking security seriously, if for nothing else but to help prevent the Mac from being a laughing stock at these contests. They have shown that the reason we don't have viruses is not because Mac and Linux is unhackable, but simply because malware programmers focus on Windows. If Apple continued to neglect this, it was going to be inevitable that viruses and malware would come to Mac.



    Some security features coming in Lion:



    - ALSR (makes it hard to predict memory locations. Also means that the Mac Kernel will be 64-bit by default, since 64-bit is required for ALSR to work effectively).



    - Safari - process isolation. A technique/concept borrowed from Google's Chrome browser.
  • Reply 10 of 27
    In my 7 years of using Macs, I've never had a security issue (that I'm aware of). Compare this with my dad whose 2 year old Toshiba got completely screwed up last December...



    But it's always better to be on the safe side. Built-in virus scanning would be nice, with definitions freely updated by Apple.
  • Reply 11 of 27
    Quote:
    Originally Posted by _Rick_V_ View Post


    - Safari - process isolation. A technique/concept borrowed from Google's Chrome browser.



    I think they may be using is Webkit 2, which would mean the implementation would be slightly different.
  • Reply 12 of 27
    foljsfoljs Posts: 390member
    Quote:
    Originally Posted by acslater017 View Post


    But it's always better to be on the safe side. Built-in virus scanning would be nice, with definitions freely updated by Apple.



    Yes, but unfortunately there are no viruses for OS X, and hence there can be no virus definitions...



    (The only thing that exists and is called "OS X virus" by lame tech writers are various kinds of lame Trojans and proof of concept crap).
  • Reply 13 of 27
    Given that many security "experts" like to diss Apple, I fear this is like Apple putting it's head in a Lion's mouth . . . .
  • Reply 14 of 27
    lkrupplkrupp Posts: 10,557member
    Quote:
    Originally Posted by FitzGerald View Post


    It's actually really nice to see Apple doing this. It sure shows they want to deliver a safer OS.

    Let's hope it helps OSX not being the first hacked OS every year at that hacker contest...



    So what if it is? In the real world Mac users don't have much to worry about. The researchers keep saying "any day now" OS X will be attacked like Windows. They've been saying it for a decade and it simply hasn't happened yet. Being the first OS to get hacked at some contest is about as meaningless as it gets.



    Yes, Apple should continue to make OS X as secure as it possibly can and yes, letting security researchers take a look is a good move. But to wring one's hands in fear is just not justified in the case of OS X.
  • Reply 15 of 27
    Quote:
    Originally Posted by columbus View Post


    I think they may be using is Webkit 2, which would mean the implementation would be slightly different.



    Ironically, once Apple provided a superior solution with WebKit 2, Google is dropping their solution for WebKit 2.
  • Reply 16 of 27
    cpsrocpsro Posts: 3,192member
    Snow Leopard is already supposed to have ASLR when the kernel is run in 64-bit mode.
  • Reply 17 of 27
    LOL, funny how the software is "released" to developers, but "exposed" to security experts ;-)
  • Reply 18 of 27
    Quote:
    Originally Posted by zenwaves View Post


    LOL, funny how the software is "released" to developers, but "exposed" to security experts ;-)



    That's because they are opening the kimono.
  • Reply 19 of 27
    Quote:
    Originally Posted by _Rick_V_ View Post


    They have shown that the reason we don't have viruses is not because Mac and Linux is unhackable, but simply because malware programmers focus on Windows.



    You also have to consider the fact that most Windows computers are still running XP, which is much much less secure than Vista and Windows 7.
  • Reply 20 of 27
    Quote:
    Originally Posted by macosxp View Post


    They only reason OS X is hacked first is because people have incentive to win the Mac. Nobody wants the PC so they don't try so hard to hack it.



    No, that's actually not the reason. I would explain some of the real reasons why it's hacked first but all it would do is start another flame war.

    Quote:
    Originally Posted by Mynameisjoe View Post


    You also have to consider the fact that most Windows computers are still running XP, which is much much less secure than Vista and Windows 7.



    This is true in the sense that most older operating systems are generally going to have more documented exploits making them less secure than newer ones. However, XP SP3 is a rather secure OS in its own right. But of course, if one can upgrade to Vista or 7, that is recommended.
Sign In or Register to comment.