Feeds

back to article Major overhaul makes OS X Lion king of security

With Wednesday's release of Mac OS X Lion, Apple has definitively leapfrogged its rivals by offering an operating system with state-of-the-art security protections that make it more resistant to malware exploits and other hack attacks, two researchers say. Unlike the introduction of Snow Leopard in 2009, which offered mostly …

COMMENTS

This topic is closed for new posts.

Page:

Silver badge

So how is software distribution solved?

I mean that is the major security problem, and apples previous attempts, anarchy and dictatorship, didn't exactly do a lot to help.

Forced Apstores cause people to jailbreak their devices or force them to run software they don't want. Anarchy causes people to just install malware right away.

2
6
Silver badge
FAIL

Correction

People who jailbreak without knowing exactly the risks they are taking deserve everything they get.

Further more they are idiots who have not considered the consequences of their actions.

Jailbreaking is like sex without a condom - liberating, and enjoyable but only to be attempted when you fully understand and ACCEPT the possible consequences.

Dont assume that because you dont like Apples restrictions as a techie that the ordinary run of the mill punter shares your views or motivations.

Anyhoo whats the current share jailbroken devices? 5%?

7
9
WTF?

OS X Lion king of security? Yeah, right.

It's more like Prince Valium who is always late to the party. Don't get me wrong, it's great that OS X finally gets a sensible implementation of ASLR, but that doesn't change the fact that it merely catches up with Windows and some Linux distros. The same is true for full disk encryption. BitLocker is available since November 2005 when Vista came out. It's great FDE is now available in Mac OS X but it only took them 6 years to catch up.

This is nothing new, though. Mac OS has mostly been last to the party in terms of major technology changes like implementing pre-emptive multitasking or moving to 64bit.

But then, what can you expect from the two authors of the "The Mac Hacker's Handbook"?

27
7
Gold badge

ASLR is pointless?

ASLR is largely pointless unless you reboot regularly. Most laptop owners (and laptops are one of the most common home computers now) just let their computer hibernate or sleep.

5
3
Ru
Meh

Its the leapfrogging bit I was looking for.

Everything else is old news, even in ubuntu/windows land and they're not exactly at the leading edge of the security world.

In fact, I'd be a lot more interested if Apple changed is corporate attitude to security issues, where it isn't exactly a paragon of the industry.

2
1
Silver badge

@Davidoff

Agree with most of your post but let's not kid ourselves about the 64-bit party attendance. Remind me who still ships a 32-bit variant of their OS and only in the latest version has really tried to get everyone to leave it behind? XP may have had 64-bit (and shit driver support) but they're the ones still shipping 32-bit variants and still doing it with 7 was a missed opportunity to lay it to rest.

Whilst I'm at it, bitlocker encryption is only available in the Ultimate and Enterprise versions of those OS versions - i.e. not the ones most users will have on account of it being £229.99 RRP (£166.41 on Amazon.co.uk).

I'm all for bagging some of the hubris in the OSX World but let's not pretend that MS is holier than thou.

11
4

Yes, let's focus on the important stuff

>This is nothing new, though. Mac OS has mostly been last to the party in terms of major

>technology changes like implementing pre-emptive multitasking or moving to 64bit.

Yeah, being first is the most important thing.

Presumably you drive an 1982 Daimler and your personal computer of choice would be the Berkeley Enterprises "Simon" that you built yourself from the original 1950/51 plans or maybe the Intel SIM4 if you prefer a microcomputer.

Or maybe first and last don't matter that much after all.

4
5

re Mark65's stupid post

You are trashing MS for continuing to still provide support for older systems??

Microsoft released a 32-bit Windows for a number of reasons including to cater to those people who are upgrading with small systems that cannot take advantage of the 64-bit supported >4GB memory. They are trying to pull the XP-32 people up onto Win7. A 64-bit OS requires more memory to run apps due to larger 64-bit pointers etc., and the thunking and WoW64 have additional overhead that can impact performance on older systems if running the 64-bit variant.

Anyone with a 2002-2005 P4 2GB will probably be better suited to run Win7-32.

It is almost impossible to find new PC desktop systems that are selling anything but 64-bit Win7 preinstalled.

At least with a 2004-6 PC system you can still run Windows 7, you can't say the same about Apple OSX since they dropped all PPC support (forcing me to have to sell my G5 and buy a new Pro for $2500-5000 if I want to run the 'Intel' OSX).

Most OS's are sold to anyone purchasing new kit, so that places the OWM Ultimate OEM (with BitLocker) at around $200 CDN retail (£130).

2
4
FAIL

One Problem....

Even these new security measures won't protect Joe User from himself when he clicks the fake antivirus message which prompts him to run a downloaded file which then in turn installs the virus with user-level permissions, which can then use <insert vuln here> to escalate priveledges (or simply be happy with user-level-priv keylogging) to install the "virus" (read: fakeAV or its ilk)

0
0
Silver badge

I think it's the sandboxing that makes the story

The story is quite clear, as you point out, that ASLR and full disk encryption are areas in which OS X has now caught up with Windows and Linux (or Ubuntu as it seems to call it). It then suggests that sand boxing processes and designing the applications (and daemons) that come with the system to isolate different logical parts into different processes within different sandboxes constituted a step in advance of any of the competing operating systems. So that's the leapfrog jump — the fact that the supplied browser, email app, PDF viewer, etc are all now aggressively using sand boxing, for which there is now high level API support.

Whether or not that's a valid assessment is one thing; just repeating what the article already says about areas where Apple have played catch up is quite another.

Re: pre-emptive multitasking, citing Apple's failure to transition to a modern OS until around 2000 feels a bit disingenuous as a comment on the OS they transitioned to.

Re: 64bit, that's been a feature since 2005. The difference in approaches has been that Apple have uncharacteristically gone for a gradual transition, though I think that's because the hardware has made a gradual transition.

1
0
Windows

RE: re Mark65's stupid post

Fuck me. Have the school holidays started already?

"You are trashing MS for continuing to still provide support for older systems??" Looks like it.

"Microsoft released a 32-bit Windows for a number of reasons including to cater to those people who are upgrading with small systems that cannot take advantage of the 64-bit supported >4GB memory. They are trying to pull the XP-32 people up onto Win7. A 64-bit OS requires more memory to run apps due to larger 64-bit pointers etc., and the thunking and WoW64 have additional overhead that can impact performance on older systems if running the 64-bit variant."

I'm going to let you into a little secret. Not may people buy upgrade. It's only really nerd like you and people the 'support'. Most people buy a new computer every 5-7 years. They don't need the shiniest OS for what amounts to email, Skype and fucking Facebook.

"It is almost impossible to find new PC desktop systems that are selling anything but 64-bit Win7 preinstalled." This is a good thing, but moot.

"At least with a 2004-6 PC system you can still run Windows 7, you can't say the same about Apple OSX since they dropped all PPC support (forcing me to have to sell my G5 and buy a new Pro for $2500-5000 if I want to run the 'Intel' OSX)." Windows 7 was released nearly 2 years ago. Sadly MSFT will release a 32bit version of Windows 8 which will be a mistake.

"forcing me to have to sell my G5 and buy a new Pro for $2500-5000 if I want to run the 'Intel' OSX" I can ally assume that you are talking about the SL upgrade as leopard fully supported G5 processors. If you felt 'forced' to buy new kit, perhaps that'd've been a good point to consider switching. Tit.

3
2

Sandboxing

Referring to Linux as Ubuntu isn't very fair as Enterprise Linux has had sandboxing for quite a while with it's Mandatory Access Control systems (SELinux). With EL6 you can now sandbox any application you want as well as sandboxing users. Ubuntu however has used AppArmor which technically is Mandatory Access Control it isn't as extensive as SELinux. As far as whole disk encryption that's been a part of Linux for a really long time. Ubuntu again uses home directory encryption and leaves the OS alone (because the OS on a Desktop computer doesn't change). ASLR is mostly implemented on Linux and you have the choice to forcing 100% ASLR but it's third party. If you pick up an older Linux Security book and try to install patches for ASLR you'll realize they're already there and have been for years.

It's nice to see Apple catching up to Linux though, it's better for everyone if ALL OS's are secure. Ubuntu on the other hand needs to spend more time thinking about security. They need to finally dump AppArmour, adopt Redhats SELinux build, apply all security patches, finish policykit and finally get rid of sudo.

1
0

@AC 20:32... a real coward

Wow, I'd really like to know what color the skies are in your world. :p

"Have the school holidays started already?"

I have probably been working in the computer industry since you were in diapers.

"Looks like it."

And if MS decided to kill support for anything but the latest hardware and software, you would bitch about that as well I'm sure.

"This is a good thing, but moot."

Not moot at all. The OP was regarding the OS should be 64-bit, and that's what is sold on new hardware, so it is totally relevant. Another "Fail" for you.

"leopard fully supported G5 processors"

OSX has not supported the G5 PPC models for ~4 years. Anyone who wants the new OSX features is forced to purchase a complete new computer.

Windows 7 will still run on hardware from 4+ years ago.

"perhaps that'd've been a good point to consider switching. Tit."

I own a software development company, I have numerous Wintel systems, Mac, and Linux. No switching is required. And I like tits, especially when they are attached to pretty women.

2
1
Anonymous Coward

Someones testy...

"I have probably been working in the computer industry since you were in diapers." I seriously doubt that.

"And if MS decided to kill support for anything but the latest hardware and software, you would bitch about that as well I'm sure." No. That is what you are doing. I'd personally applaud it as a bold move on Microsofts part. I have little interest in the Windows platform myself.

"Not moot at all. The OP was regarding the OS should be 64-bit, and that's what is sold on new hardware, so it is totally relevant." No, it's moot. The problem lies within software houses. Adobe are a good example of this and an example for both platforms that they support too boot.

"Another "Fail" for you." Well this is awkward. Moving swiftly on...

"OSX has not supported the G5 PPC models for ~4 years. Anyone who wants the new OSX features is forced to purchase a complete new computer." Funny that. Apple introduced the Intel based Mac ~5 years ago. They we very transparent about the future of the PPC from the outset, which is unusual for Apple. They were unequivocally clear that within 5 years PPC would not be supported. And lo, so it was. Leopard (OS X 10.5) was released 4 years ago. That was the last version of OS X to support PPC (http://goo.gl/FcRSg). Snow Leopard was released 2 years ago to much wailing about how it didn't support PPC. This is not new.

"I own a software development company, I have numerous Wintel systems, Mac, and Linux." So if you are developing software for those platforms, then why haven't you got up-to-date hardware? I'm not talking the latest and greatest bling, I mean up-to-date? You Mac Pro has to be at the very least 6 years old FFS. No, it because you talking shit. Jackass.

1
1

Maybe late, but always seems to be better

Mac OS X may have been late to the 'party' for 64-bit, but in good Apple fashion, it was done right. Windows 7 supports up to 198GB memory. Why the artificial limitation? If it is truely 64-bit great as you think, it should be like Apple's Snow Leopard. which supported 16TB memory. Now we have Lion, with better security to finish off what is truely the worlds most advanced OS.

1
1

erm..

I know plenty of people running the 32-bit edition of Win 7. The main reason being that their craptops are 32-bit only. At the end of the day, Microsoft are out to make money - and they do that by making Win7 as compatible with as many devices as possible.

As for bitlocker - for the home users etc, they should not really need it - however if they do need full encryption, truecrypt is freely available and does a stellar job!

0
1

Would like more info on this...

"If iDevices, which contain security protections that go well beyond those found in OS X, can succumb to drive-by downloads, there's no reason Macs aren't also vulnerable."

Does anyone know any more about this? Does iOS contain far more security precautions than OS X? If so, what extra steps in particular does it take to protect itself?

0
0

@Tony Chandler

I think he was referring to the so-called "wall garden" and other lock-down measures of controlling access. If you restrict the ability of the outside world to interact with the internal system, you severely curtail the attack surface.

-dZ.

0
1
Headmaster

@DZ-Jay

WallED garden.

LockED-down.

2
4
FAIL

@Your Retarded

You'RE retarded!

Ahem, I thank you.

7
4
Silver badge

iOS is behind on some of the features listed

For example, jailbreakme.com uses a PDF exploit — a buffer overrun or some other flaw that allows a maliciously crafted PDF to perform arbitrary code execution. The cat and mouse with Apple from that specific method of jailbreaking has surrounded finding exploitable flaws in the PDF renderer and fixing them.

In Lion, PDF parsing and rendering is devolved to one or more separate, sand boxed processes that don't have the ability to read or write to files or otherwise communicate very widely with the outside world. So Lion takes a big step forward in trying to secure against that type of exploit.

Of course there are likely to be further flaws and exploits, but Lion is a step up from iOS in terms of overall security. Since iOS and OS X use the same kernel and share many of the system APIs (though the user interface stuff is deliberately very different), the general rule is that whichever was released most recently has Apple's most up-to-date security. I expect the new OS X stuff will migrate to iOS in the near future.

2
0
Boffin

That's why people Jailbreak their iPhones/iPods...for complete access!

The iPhone's interfacing with software, such as iTunes, is run in a chrooted environment, where no user or desktop application—even iTunes—can see into the operating system; this is commonly known in the Unix world as a chroot jail. This jail (and the fact that you can't simply yank out the hard drive) is the only thing standing in the way of the iPhone functioning as a complete, portable Mac OS X computer.

With Lion Apple is doing the same thing with apps submitted to the App store so this is a big deal and a big change in security even though most people still don't understand it at this point!

2
1
Thumb Down

No, that is not my name

If I was trying to insult you I would write as such.

0
0
Bronze badge
Meh

Win 7

You say Windows 7 would do well to emulate this new security but never went on to describe the features Windows 7 doesn't have that Lion does. Everything in the article has been in there for years...

12
2
Anonymous Coward

Didn't you read the article?

This is 'windows 7 plus plus'. That's all we need to know!

Also, when did ubuntu become some sort of security yardstick?

6
3

The most important one the mentioned.

Must have missed the part about application sandboxing.

1
0
Joke

Re: application sandboxing

I already sandbox the entire OS inside a VM running on a different OS. How about all of these companies follow my lead on this? I'm like Tiger++ me!

2
1
Thumb Down

Holy crap, will you stop with the blatant advertisement already.

What are the sources of your statement that Lion's superior than Win 7 and Ubuntu in terms of security? ONE security consultant for the former, and yourself for the latter? Address space randomization and sandboxing are nothing new. The fact that the last section of the article is cautionary doesn't change the fact that over the last couple of days, it looks like the Reg got a hefty contribution from a certain company.

Would you consider doing what news publications usually do, i.e. aggregating and coordinating the publishing of information on a subject into a single article, instead of planting a trough for Apple's marketing team's PR diarrhea to wash over your readers?

PS. Sorry for any mistakes, I don't have a spellchecker handy and English is not my first language. And this criticism applies to all the recent authors, it's just that Dan's article was the last straw.

22
4
Thumb Up

You said it better

Well said, I didnt have the energy to pick apart this obvious piece of terd of an article but it looks like the reg is getting like Gizmodo and just publishing paid fluff pieces.

The register is starting to lick the hand that feeds instead of bite it.

Next thing you know we will be drowning in mac loving technical fact devoid fluff pieces.

Although Brooke Curuthers over at cnet news is the lead disciple of mac distortion these days, is giving gizmodo a run for its money, the only difference is in gizmodo you can literally buy the commentary directly.

Its why I don't bother with tech blogs any more, they are handy only for pictures, so called tech journalists are just paid whores who have no BSC or relevant understanding of tech they just roll on their back open their legs and write positive fluff about lame tech.

4
2
Holmes

Good Points

Most if not all of these 'Security Fixes' have been available in Linux for over 10 years, if the user wanted them. They have been available in Windows at least since Win7. Even the BSD versions that Apple uses under the hood have had all of these measures available since long before Apple ripped off the BSD core for Darwin. How does any of this put Apple first? All of these measures were available in the source since long before OSX. Apple is just doing what they should have done with the first edition of OSX.

For a true leapfrogging, Apple should have integrated something like SE Linux. Or perhaps something actually new. But, Apple is still the last to implement any security.

Microsoft seems to do it right. They watch Linux development carefully, and copy what works. Linux is where the real experimentation happens. SE Linux is the best security currently available, but is difficult to use. App Armor is easier to use, and provides a 'reasonable' level of security. Microsoft has effectively included the most important features of App Armor into Win7. Over time, they will probably do the rest. Apple is still the last to the party.

Apple is still dedicated to the triumph of style over substance.

0
2
Thumb Down

Fluff piece mostly fiction.

Paid fluff piece perhaps, the ASLR by any other name is nothing new.

More over OSX was the worst security offender in the world with 1500 vulns as per securnia.

And MS has had dep/aslr for over half a decade already, if you dont know the tech dont write about the tech. Go back to the PR agency that spawned you evil fan boi.

15
6
Silver badge

A fluff piece, but too much hyperbole on your part

"OSX was the worst security offender in the world with 1500 vulns as per securnia"

Secunia issue advisories. Each advisory may mention multiple related vulnerabilities.

They lists 1555 vulnerabilities for all versions of Mac OS X between 2003 and 2011 combined. In terms of advisories, they are aware of 8 unpatched advisories from a total of 155 in the full 8 years they've been tracking the OS. The most severe unpatched advisory is rated by them as "Moderately critical".

Compare to Windows, which is broken down by release. Like all versions of OS X added together, Windows Vista has 8 unpatched advisories, from pretty much the same all-time total (157 versus 155, but whatever). The most severe unpatched advisory is rated as "Highly critical".

Windows 7 has only 5 unpatched advisories of 76 to date but the most severe is again "Highly critical".

Linux is broken down by distribution, which makes it hard to compare. But that's not just a statistical tabulation difference, it's a real on-the-ground difference so fair enough. For the record, Ubuntu 10.10 has been the subject of 133 advisories to date but all have been patched. So kudos to the Linux crowd.

But to go from that to "OSX was the worst security offender in the world" feels like overreaching. It requires you to compare eight years of Apple's problems with two years of Microsoft's, to ignore the advice Secunia are actually giving as to the seriousness of the problems and to conflate problems that were solved with ones that remain an issue.

7
0
Happy

BSD?

“Those guys are seriously raising the bar..."

If I remember correctly, OpenBSD was pretty-much the first generally available OS to implement ASLR. And it implements a raft of other anti-exploit stuff. And I'm pretty sure the other BSDs (which OS-X is a derivative, of course) also implemented this stuff years ago - long before MS, Apple, or Linux.

So when looking at who is raising the bar on security, as is often the case, one has to look at the BSDs.

2
1
Silver badge

Re:BSD?

Is Windows XP a BSD derivative? Blue Screen of Death, that is.

2
3
Silver badge

Bah!

I've seen precisely 3 blue screens since I bought XP in 2001. One because a disc controller failed (so we can put that one down to the hardware manufacturer rather than MS) and the other two I ascribe to a certain AV company's nagware since once I disabled it the problem went away.

I've never seen a Blue Screen on any of my at-work XP workstations in the 10 years I've been using them.

For me, mentioning the Blue Screen immediately devalues whatever the other guy has to say because, well, it shows they are out of touch. Years out of touch.

Kudos to Apple for the address jiggery-pokery. It is irrelevant who did it first. Apple have done it *now* and deserve an Attaboy.

6
4
Thumb Up

Re: Mark65!

Haha, and let that be a lesson 'Mark65'. Remember to use the Joke Alert icon to express how firmly your tongue is in your cheek or you WILL be slapped down by other users on El Reg.

0
0

okay, it's good, but...

...this seems more like catch-up than leapfrogging. The article itself mentions that Windows has had address space randomization for years. And the same is true of full-disk encryption. The only feature I see that's not been present on other OSes for years is that browser thing, which is nice but I don't know if it alone justifies the enthusiastic tones.

2
1

@Filippo

It's not "that browser thing," it's the compartmentalization of processes across all application space. Safari was mentioned as one example because it is usually the most prominent attack vector.

-dZ.

5
0
Anonymous Coward

This is also available on Linux

SELinux and AppArmor for linux-based systems both enforce granular and context-specific privilege management for processes. It looks like this is another implementation of the same kind of thing.

1
0
WTF?

"...said the researchers,

...who spent the past few months analyzing the OS"

Since OSX is closed source, chances are that Apple paid this research to whitewash its recent troubles with malware.

Standard industry procedure.

9
1
Stop

Re: Whitewash

...or perhaps they were in the Beta testing programme, so have had their mitts on it for a while to see if they can poke any shitty sticks through the security.

Also a standard industry procedure.

2
1
Go

OS X kernel sources

You can get them here

http://www.opensource.apple.com/source/xnu/xnu-1699.22.73/

1
0
FAIL

It is not Apple source

but the *free* part they are obligated to republish by the very *free* licenses they build their closed source on.

But i didn't knew this site, thanks.

0
1
Thumb Down

What?

So Apple introduces features that Windows Vista (ASLR) and IE7 (Protected Mode - aka separate low priority process) had back in 2006 and we somehow supposed to admire that?

10
1
Gold badge

Yes but..

That's on top of a Unix security model that is fairly tried and tested.

Where as Windows tries to offer backward compatibility which weakens security.

0
0
WTF?

Actually...

...you'll find that many of Vista's problems (primarily pre-Vista apps and drivers, and ignoring the UX issues, which were serious) were because Micosoft did not offer backward compatibility, for the sake of security.

1
0
Anonymous Coward

Yes

I said at the time, and still stand by it, that MS should have dumped actual 'backwards compatibility' in Vista/7 and instead followed Apple's earlier model of switching from OS 9 to OS X with a VM environment running an older system to handle legacy apps. It made the transition much smoother and they repeated this successfully with Rosetta when transitioning from PPC to Intel architecture.

The system worked very well for the majority of users and was much less painful than having to upgrade EVERYTHING in one go, but also signalled that it was time to consider renewing software within a reasonable timeframe to take it native onto the new platform.

Anyone refusing to update after about 5 years will just have to live with an unsupported system from then on in. I'd say that's a pretty fair deal.

2
1
FAIL

What is this?

Pay for a report for your new product week or something?

First NSS Labs IE9 Bullshit and now this...

Still we all know how gullible Apple owners are (and the entire American general public), i'm sure they will lap this news up without even a shadow of doubt over it's validity.

5
7
Flame

Re: "we all know how gullible Apple owners are"

Yes, I'm so gullible I actually believed that I could genuinely install and live with Ubuntu as my main OS without needing to go tinkering in the Terminal. Sure learnt my lesson though (maybe lessons about how to achieve things through the Terminal)!

Next time I'll ask you for your sagely advice instead, you're obviously much more informed than I could possibly be.

I wonder if I'd have been so gullible about Linux if I'd been installing it on any one of my non-Apple machines instead of Windows? Probably not - we all know how only when you're using Apple kit do you become a sucker right?

2
1
Devil

Address Space Randomization

Congratulations on achieving the same point where OpenBSD was 10 years ago.

Watta(fan)boy!

6
2

Page:

This topic is closed for new posts.