Apple exposing Mac OS X Lion to security experts for review
Apple is inviting security experts to examine its developer preview of Mac OS X 10.7 Lion, apparently the first time it has expanded beyond its core developers to expose its new software to community scrutiny.
"I wanted to let you know that I've requested that you be invited to the prerelease seed of Mac OS X Lion, and you should receive an invitation soon," Apple wrote to several security researchers, including such luminaries as Dino Dai Zovi, Stefan Esser and Charlie Miller.
"As you have reported Mac OS X security issues in the past, I thought that you might be interested in taking a look at this. It contains several improvements in the area of security countermeasures," the letter stated, according to a report by CNET.
The report cited Miller, who has demonstrated cracks in Apple's software, as saying, "as far as I know they have never reached out to security researchers in this way. Also, we won't have to pay for it like everybody else. It's not hiring us to do pen-tests of it, but at least it's not total isolation anymore, and at least security crosses their mind now."
Miller predicted Lion would incorporate full ASLR (Address Space Layout Randomization), a security technique that places important data at unpredictable locations, making known weaknesses harder to target. Snow Leopard currently limits ASLR protection to libraries, leaving code, stack, and heap at predictable locations that attackers can aim at.
Apple's iOS 4.3 will reportedly add ASLR, making it more difficult to jailbreak devices via exploits of userland vulnerabilities. This suggests Lion will also adopt the same protections when it arrives this summer.
Dai Zovi, who has similarly demonstrated exploits for Apple's software before at events such as CanSecWest, tweeted, "Apple has invited me to look at the Lion developer preview. I won't be able to comment on it until its release, but hooray for free access," later adding, "This looks to be a step in the direction of opening up a bit and inviting more dialogue with external researchers."
Dai Zovi also mused, "Will Lion be the 'Vista' of Mac OS X? In the sense that they start taking security seriously, not the sense that nobody wants to use it."
Comments
Dai Zovi also mused, "Will Lion be the 'Vista' of Mac OS X? In the sense that they start taking security seriously, not the sense that nobody wants to use it."
Allow / Deny pop-ups like Vista?
Let's hope it helps OSX not being the first hacked OS every year at that hacker contest...
Allow / Deny pop-ups like Vista?
It already does for administrative actions, a GUI wrapper around sudo. Every Linux and BSD distro has the same feature, and with a little work, Windows Vista/7 can be set up with the same security (by default, the popups are useless and just annoying).
It's actually really nice to see Apple doing this. It sure shows they want to deliver a safer OS.
Let's hope it helps OSX not being the first hacked OS every year at that hacker contest...
The only reason OS X is hacked first is because people have incentive to win the Mac. Nobody wants the PC so they don't try so hard to hack it.
Allow / Deny pop-ups like Vista?
Oh the inhumanity!
It's actually really nice to see Apple doing this. It sure shows they want to deliver a safer OS.
Let's hope it helps OSX not being the first hacked OS every year at that hacker contest...
Let's remember they all got hacked by the same person every year, who targets only the Macs, has his hack planned in detail which only works after lowering security twice.
Allow / Deny pop-ups like Vista?
Oh No. I would have to change my sig.
Let's remember they all got hacked by the same person every year, who targets only the Macs, has his hack planned in detail which only works after lowering security twice.
Oh, totally forgot about that little detail. And I guess macosxp has a good point too.
Let's remember they all got hacked by the same person every year, who targets only the Macs, has his hack planned in detail which only works after lowering security twice.
Yes, but all the platforms are set up that way. Windows 7, 64-bit, has simply proven to be much harder to hack (not impossible, but harder).
I for one am thrilled that they're taking security seriously, if for nothing else but to help prevent the Mac from being a laughing stock at these contests. They have shown that the reason we don't have viruses is not because Mac and Linux is unhackable, but simply because malware programmers focus on Windows. If Apple continued to neglect this, it was going to be inevitable that viruses and malware would come to Mac.
Some security features coming in Lion:
- ASLR (makes it hard to predict memory locations. Also means that the Mac Kernel will be 64-bit by default, since 64-bit is required for ASLR to work effectively).
- Safari - process isolation. A technique/concept borrowed from Google's Chrome browser.
But it's always better to be on the safe side. Built-in virus scanning would be nice, with definitions freely updated by Apple.
- Safari - process isolation. A technique/concept borrowed from Google's Chrome browser.
I think they may be using WebKit 2, which would mean the implementation would be slightly different.
But it's always better to be on the safe side. Built-in virus scanning would be nice, with definitions freely updated by Apple.
Yes, but unfortunately there are no viruses for OS X, and hence there can be no virus definitions...
(The only thing that exists and is called "OS X virus" by lame tech writers are various kinds of lame Trojans and proof of concept crap).
It's actually really nice to see Apple doing this. It sure shows they want to deliver a safer OS.
Let's hope it helps OSX not being the first hacked OS every year at that hacker contest...
So what if it is? In the real world Mac users don't have much to worry about. The researchers keep saying "any day now" OS X will be attacked like Windows. They've been saying it for a decade and it simply hasn't happened yet. Being the first OS to get hacked at some contest is about as meaningless as it gets.
Yes, Apple should continue to make OS X as secure as it possibly can and yes, letting security researchers take a look is a good move. But to wring one's hands in fear is just not justified in the case of OS X.
I think they may be using WebKit 2, which would mean the implementation would be slightly different.
Ironically, once Apple provided a superior solution with WebKit 2, Google is dropping their solution for WebKit 2.
LOL, funny how the software is "released" to developers, but "exposed" to security experts ;-)
That's because they are opening the kimono.
They have shown that the reason we don't have viruses is not because Mac and Linux is unhackable, but simply because malware programmers focus on Windows.
You also have to consider the fact that most Windows computers are still running XP, which is much, much less secure than Vista and Windows 7.
They only reason OS X is hacked first is because people have incentive to win the Mac. Nobody wants the PC so they don't try so hard to hack it.
No, that's actually not the reason. I would explain some of the real reasons why it's hacked first but all it would do is start another flame war.
You also have to consider the fact that most Windows computers are still running XP, which is much, much less secure than Vista and Windows 7.
This is true in the sense that most older operating systems are generally going to have more documented exploits making them less secure than newer ones. However, XP SP3 is a rather secure OS in its own right. But of course, if one can upgrade to Vista or 7, that is recommended.