Slashdot Mirror

← Back to Stories (view on slashdot.org)

Apple Asks Security Experts To Examine OS X Lion

Posted by samzenpus on from the kick-the-tires dept.

An anonymous reader writes "For as much as Mac OS X has a reputation for being safer than Windows, security researchers won't hesitate to point out that the opposite is, in fact, true. But Apple's looking to change that. This past Thursday, Apple doled out a beta of OS X Lion to developers. In conjunction with that, Apple is also reaching out to noted security experts and offering them free previews of OS X 10.7 so that they can take a look at Apple's new security measures and reach back to Apple with any thoughts and concerns they might have. Indeed, Apple is becoming a lot more security conscious these days, not only in terms of reaching out to security researchers but also in its personnel hires."

5 of 417 comments (clear)

  1. Re:Am I reading this correctly? by Colonel+Korn · · Score: 5, Informative

    as much as Mac OS X has a reputation for being safer than Windows, security researchers won't hesitate to point out that the opposite is, in fact, true.

    I'm sorry, what? Windows is "safer" than OS X? "In fact"?

    Every single year, OSX loses the Pwn2Own competition first. Windows and Linux always go down on the same day. No matter what version has been current, OSX has always been less secure than Windows when both are up to date on patches. If Apple changes its security culture, it could mean big things for Apple in corporate environments.

    --
    "I zero-index my hamsters" - Willtor (147206)
  2. Re:The opposite??? by speedingant · · Score: 5, Informative

    It's not bad actually... You need a MacMini server x2 to replicate each other, and push out the managed settings. You can authenticate machines via AD/OD/OpenLDAP. You can host the home folders off any NFS/AFP server. Netboot, netrestore etc makes deploying easy.. I'm looking after 150 Macs at the moment, as well as a host of PC's, and I don't have many issues. It' s just me.

  3. Re:Am I reading this correctly? by daver00 · · Score: 5, Informative

    http://www.wired.com/gadgetlab/2009/09/security-snow-leopard/

    http://www.tomshardware.com/news/hack-windows-security-snow-leopard,8704.html

  4. Re:Am I reading this correctly? by n0-0p · · Score: 5, Informative

    You're joking, right? Apple is historically months behind in patching publicly disclosed vulnerabilities in core libraries they share with other Unix-like systems (Samba and Java are two key examples). Overall code robustness is abysmal in any Apple product I've assessed--they fall over with trivial fuzzing or a few hours of analysis. They're an absolute pain in the ass to deal with when trying to resolve a responsibly reported vulnerability: they often don't seem to have qualified people triaging inbound reports, and when they do finally acknowledge the correct severity of a reported issue it can take years before they finally push out a fix. And to top it all off, their core security counter-measures (e.g. ASLR and NX) are useless as anything more than marketing fluff because they're not implemented consistently.

    Seriously, I've been in the security field for almost 15 years and dealt with reporting vulnerabilities to dozens of companies. Microsoft is a pain to deal with because of their compatibility matrices and long release cycles, but they're generally competent. Whereas Apple is just an absolute train-wreck. The only reason every Mac isn't infested with malware is that they're not a big enough chunk of the market for it to be worth the effort. If they ever cross the magic 15% threshold they're in for a very rude awakening.

  5. Actual Security Conversation by 99BottlesOfBeerInMyF · · Score: 5, Informative

    It is disappointing to see the comments thus far have not bothered to mention what potential security improvements are likely to be in the final version of Lion and how effective they might be. So far the ones I've heard mentioned include:

    • ASLR applied to more than just the libraries.
    • More ubiquitous use of the sandboxing framework, enough so that there are now bugs around applications being unable to save files if the file name changes in the Finder, while open in the app.
    • Dropping the custom java runtime, and making a deal with Oracle to maintain it alongside the Windows JVM.
    • A new full disk encryption system built in (branded the same as the old Filevault) with a rapid system wipe.
    • Webkit2 with a sandboxed thread model.

    I'm sure in more security oriented forums there will be some good analysis of these new features, how well implemented they are, and how effective they are likely to be. The Mac App Store offers some potential security improvements by standardizing application updates and pushing them out more quickly and widely and hopefully encouraging developers to make more use of security frameworks already present. Personally, I think the sandboxing combined with the Mac App Store could be a huge boon to security if Apple can get enough developers on board, but I'm not sure if Apple will go that route. Hopefully feedback from experts will help push them in that direction.