back to article Major overhaul makes OS X Lion king of security

With Wednesday's release of Mac OS X Lion, Apple has definitively leapfrogged its rivals by offering an operating system with state-of-the-art security protections that make it more resistant to malware exploits and other hack attacks, two researchers say. Unlike the introduction of Snow Leopard in 2009, which offered mostly …

COMMENTS

This topic is closed for new posts.

Lets see at Pwn2Own shall we

Lets see what happens at Pwn2Own at CanWest. I'm betting that someone walks away with a shiny new MacBook Pro far before anyone walks away with a Linux or a Windows box.

9
3

@Blarkon

OK, let's see. How much are you betting?

I'm not suggesting that Lion is the most secure operating system, but you are betting that it is the most vulnerable one. How much?

-dZ.

5
1

Maybe

The suggestion is that the Mac would be so clearly more desirable that the best efforts of the best people will be focussed there . . .

6
0
Boffin

Really leaps and bounds above the rest?

Wasn't IE 7 the first browser to have sandboxing in Vista?

Like the article says a good implementation of ASLR has been in Windows for a long time.

Full disk encryption on the boot volume already exists in Windows too.

That's not to say that these features aren't great - I'm a MAC user and welcome them, but to say OS X is far far ahead is probably a bit of a stretch.

7
1
Anonymous Coward

Sandboxing

Does IE7's sandboxing also work with all your office applications, all your video games, and all your multi-media applications? Just wondering since the article said that OS X's sandboxing was for all applications.

0
2
Silver badge

@AC: not quite that simple

OS X's sandboxing is exposed for use of all applications via a high-level API and is implemented across all applications that the OS comes with. So those are both huge steps, but the sand boxing doesn't apply to software that isn't written to use it. So your existing applications aren't sand boxed, at least in the sense that the term is being used here.

Apple have stated that applications must use the sand boxing to be accepted onto the App Store as of some date later in the year, so there is a carrot and stick aspect to it, but you can still download any old application you want from the Internet and it can still do whatever it wants (or, more relevantly, expose exploits that allow malicious agents to use it as an agent to do whatever they want).

1
0
Gimp

Sounds great

How do I get it on my Hackintosh?

6
0
jai
Silver badge

awesome

am uninstalling my antivirus software as i type....

6
3
Thumb Down

Typical Apple

Implement ideas that have been around for years.

Pretend you're being innovative and somehow superior.

Watch the fanboys lap it up without a second thought.

8
8
Coat

RE: Typical Apple

Then patent the concept, and claim everyone has copied it??

I'll get my coat

8
3
Trollface

Typical Norfolk 'n' Goode

Stringing together some more boilerplate nonsense and resort to name calling.

If you actually paid attention, you'll note that this isn't from an Apple press release. If you check Apple's website you'd notice that they aren't in fact pretending they're "being innovative and somehow superior." WRT security. It's a footnote if anything. YOU are the one doing that! Instead of lurking and trolling on every single Mac article, why don't you just stop reading them, they seem to upset you a great deal so it'd ultimately be better for your health.

6
6
Trollface

Sorry to spoil your fantasy

"YOU are the one doing that! Instead of lurking and trolling on every single Mac article, "

But I don't lurk and troll Apple threads, as much as your tiny deluded imagination may tell you otherwise.

Go ahead and read my comments , I dare you.

Oh you wont do that though, will you? As then you will realise what an lying arsehole you're being.

3
4
FAIL

RE: lying arsehole

OK, so not *every* Apple article, just a lot of them. Inaccurately too. You've got some foam on the side of your mouth. The reaction though, speaks volumes. Troll.

1
2
Joke

OK, I read them

I just read all your comments. You ONLY comment on Apple stories - you're the 'an lying arsehole'. Just because you can't see that they're all Apple articles doesn't mean Apple haven't already patented the method for publishing those articles! ;p

0
2
Anonymous Coward

To the lying arsehole.

By not every article you mean 2 in the last few months, including this one.

But don't let reality get in the way of your continued lies and blatant trolling.

You do know you're making a total idiot of yourself, right?

0
0

So Canonical are responsible for ASLR now?

I was under the impression that, rather than Ubuntu adding ASRL, Canonical just took advantage of something in the Kernel already* -- or did they code it up and use it before Debian, Red Hat, Mandriva, SuSe and the rest?

I think what you meant to say was Linux added much more robust implementations of ASLR years earlier.

*not that there's anything wrong with this.

7
0

Generally ...

“I generally tell Mac users that if they care about security, they should upgrade to Lion sooner rather than later, and the same goes for Windows users, too.”

What? You 'generally' recommend? How's that been working? Recommending a product before it is yet available. I bet his clients have been loving that.

11
0
Bronze badge

A new tree cabin or more firewood?

With all fanboys once fibbing that the 3GS was better than all the its more modern and advanced rivals, its nigh on impossible to tell the wood from the trees.

Even Isaac Newton would certainly needed an almight mutant Apple fall.

0
5
FAIL

We have these rules..

.. in english. They are designed to assist comprehension.

"Even Isaac Newton would certainly needed an almight mutant Apple fall."

I guess you never covered this at school.

5
0
FAIL

Eh?

"With all fanboys once fibbing that the 3GS was better than all the its more modern and advanced rivals"

Well, it's not disputed that the 3GS was definitely better than the 4. So what's your point?

0
0
WTF?

Can you point me to the Canonical commits....

.... that implemented ASLR in the kernel (or in userspace)? I wonder of those "Canonical commits" came from people with @redhat.com email addresses.... that would be weird if they did, wouldn't it.?

As a disclaimer, I have no idea who actually did implement ASLR in the kernel, just that I strongly suspect it wasn't Canonical.... their record of kernel contributions are shockingly low generally (David Henningsson's and other Canonical folk's recent sound related fixes in the kernel have been very much welcomed tho' :))

1
2
Thumb Up

Full HD encryption

One has to say that enabling this in Lion is a piece of cake. Click a button and that's it, after a reboot the data is encrypted in the background, no setup woes, nothing. Compared to the burning hoops you have to jump through to enable this on other systems (although it is nothing new and entirely possible since ages) this really makes a difference.

Say what you want, Apple is good at making things easy enough to have common people actually use it instead of just nerds bragging about things being "possible". I know only very few people actually encrypting their laptop drives on Windows or Linux, even if most know that they could and should do it. Come on, do *you* encrypt your drives?

7
2

easy in Ubuntu

was trivial in Ubuntu. Most people I know don't know they are using it of course, but it is trivial.

0
1

"Trivial" in Ubuntu...

http://www.linuxbsdos.com/2011/05/10/how-to-install-ubuntu-11-04-on-an-encrypted-lvm-file-system/

versus

http://static.arstechnica.net/2011/07/04/lion/file-vault.png

1
0
Anonymous Coward

Seems fair

I always knew OSX magically installed partitions *sigh*

I wouldn't be that surprised if it did actually, not that I've seen it on my Snow Leopard VM at home, I mean giving users control over how they want to partition their disk is going to be deemed be a step to far one day, surely!!

0
0
Linux

Does Linux have to catch up?

I *thought* that this ASLR was done by doing a prelink -afmR and there was also some kernel option ticked which did some similar stuff?

2
0
Boffin

The only Security Apple cares about

Is that related to maintaining it's control & monopoly over its users.

3
5
WTF?

Monopoly isn't what you think it is.

Hmmm, let's see. Monopoly and control would suggest Apple users have no choice of OS, yet I can install either OS X, Windows or Linux on my hardware and even triple-boot. So that's obviously not a monopolistic position. They're also not controlling (as of yet and for the foreseeable future) my choice or ability to do this.

Also, your choice of the words 'monopoly and control' would suggest I don't have the ability to choose which software I run even when inside Apple's 'controlling' and 'monopolistic' OS. Yet, for some reason when I surf the web I can use Firefox, or Chrome, or Opera. When I send emails I can use Thunderbird or Opera. When I retouch photos I can use GIMP or Photoshop. When I write music I can use Cubase, or ProTools, or Reason, or Ableton, or Reaper. When I edit videos I use Premiere. When I listen to music I can use Audion. When chatting to friends online I can use Skype or Google+ or MSN, or AIM.

And the list goes on... None of those pieces of software are Apple's offerings, despite Apple writing software which performs each of those tasks (Safari, Mail, Aperture, Garageband/Logic, iMovie/Final Cut Pro, iTunes/Quicktime Player) so at which point am I controlled and monopolised even if I make the free choice not to run one of their competitors' operating systems on hardware I chose to buy in the first place?

0
0

"randomization and sandboxing"

Has Apple patented this yet?

4
5
Anonymous Coward

As well as.....

'Lion'. No doubt they'll attempt to patent this.

4
2
Happy

You know when...

...a company is getting big. Because all the gripers are the first to post comments. OS X has now surpassed windows, in one area. Now its the windows fanboys who lay in to Apple rather than the other way around.

8
3
Bronze badge

SEL?

Echoing earlier Ubuntu comments. RHEL has had excellent SELinux support for several iterations. Look up Mandatory Access Control.

0
0
Silver badge
Unhappy

For a moment I thought that I had logged on to the Graun's tech website....

.......after all they regularly do this type of puff piece for The Man From Cuppertino, bit of a shock when I realised it was dear old El Reg - what happened?

1
1

sandboxed

All very well and good that Safari is sandboxed in Lion but most OS X users I know use either Chrome or Firefox. What's the desktop Safari's market share, less than 3%?

0
2
Megaphone

Rhubarb!

Rhubarb! Rhubarb! Toilet paper! Toilet paper in our time!

Oh I'm sorry I thought this was the forum thread to spout any old tosh you wish about your most favourite thing, that others seem to be " dissin' "!

5
0
Meh

Wheres the fat?

Apple finally finishing implementing some basic security measures that were half written in Snow Leopard, golly! The only vaguely interesting bit is that it can now encrypt the entire boot disk (unlike I believe bitlocker, not that I've seen it, a fabled object that only exists on the fanboi and enterprise edition of windows). I use macs, I'm happy with the price and will probably upgrade 'cause of that and not because of this gushing advert

0
2
WTF?

Fine. Let's try it then

okay

0
1
Stop

So Windows has had ASLR for years

True, it has. Except that most of the core has not been compiled with it for a while, and even the bits that had - OTHER apps weren't. You have to specifically enable it when developing rather than it being enabled by default (which, IIRC is still true in W7) - Apple turning it on by default is not a bad thing and I could be wrong but I think it does put it ahead of Windows...

3
2
Trollface

Modern day fox hunting

I love how much Apple stuff makes so many (although I must stress, not all) IT dept types foam at the mouth. It's such a perversely satisfying side benefit of using their kit. This kind of comments thread is my own little humane version of watching a dogfight. Smug, I know, but I can't help it. Apple User Smugness makes them so much more apoplectic, it's just irresistible.

4
2
Linux

What ASLR is for?

While I applaud such efforts, I would be interested in hearing is why nobody seems to be able to design and implement a Memory Management Unit that can prevent one function from accessing another functions' address space and do the same for the heap and the stack. In this context `function' means independently running processes. The same applies to sandboxing, why plant a sandbox on top of the OS, why not fix the OS? Such protections should be done in the hardware if they are to be effective. Don't tell us how it can't be done or I don't understand the technical issues, the so called security professionals don't seem to either.

"No doubt, Apple deserves kudos for setting a new standard in OS security that Microsoft and Linux distributors would do well to emulate"

Now you've done it, don't ever mention Redmond in the same breath as Linux. Here's my solution, run your OS off a read-only device, the running system loads to memory and gets flushed at shutdown.

\http://en.wikipedia.org/wiki/Ubuntu_Live_USB_creator

-------

Is there any risk of brain damage?

Well, technically speaking, the operation is brain damage, but it's on a par with a night of heavy drinking. Nothing you'll miss.

0
1

Process memory

Exploits don't necessarily need to access other processes' memory if they can over wright and execute their own memory space.

Sandboxing is part of fixing the OS. It restricts the things applications can do, so that if the application behaves badly it reduces or eliminates the possible damages.

2
0
Linux

re: What ASLR is for?

"Lightweight Portable Security (LPS), created by USA's Department of Defence, is a small Linux live CD focusing on privacy and security, for this reason, it boots from a CD and executes from RAM, providing a web browser, a file manager and some interesing tools. LPS-Public turns an untrusted system into a trusted network client"

http://www.unixmen.com/software/1832-lightweight-portable-security-lps-a-linux-disto-from-the-us-department-of-defense

0
0
FAIL

Dino you fanboy

"Dino Dai Zovi, principal of security consultancy Trail of Bits and the coauthor of The Mac Hacker's Handbook. “I generally tell Mac users that if they care about security, they should upgrade to Lion sooner rather than later, and the same goes for Windows users, too.”

Yeah and what will I do if I want to play games and run my business ?

Knob.

1
1
Trollface

what will I do if I want to play games

@Alan Bourke: Dino you fanboy #

> Yeah and what will I do if I want to play games and run my business ?

Get a games console ...

1
3
Bronze badge
Trollface

@ AC 14:10

I think you're missing Alan's point...

Since almost all Windows business software functionality can be duplicated on a Mac (and, in fact, Windows can be run as a VM on a Mac, ANY Windows software can be run), his business is most likely a a Windows service shop. If enough people take Dino's advice he may actually have to learn about Macs in order to stay in business. (And -- let's face it -- frothing at the mouth while working on electronic gear is probably a dangerous practice, so he might be at risk as a Mac tech!)

2
4
Facepalm

Delibrately mssing the point?

How exactly does running Windows on a Mac constitute 'upgrading' to Lion?

Besides, as you say MOST business software can be run on a Mac (by which I take it you mean OS X) - not all, though.

I also note you've omitted the games part of his question, too. - No, a console requires buying separate hardware to do what one PC already does better.

0
0

Fanbois Beware!

I worry about Mac viruses daily, just like I worry about getting hit by a crashing airplane, or getting struck down by lightning. It's happened before, people! Better worry than... erm... not, right?

2
0
Unhappy

Theoretical vs Actual Risks.

Theoretically, a quick review of the history of the Pwn2Own contest will convince most that researches are always to find and exploit vulnerabilities, no matter what OS you use.

On a practical level, I've disinfected hundreds of Windows Computers, I've have yet to see a virus infected Mac.

I fully expect things to change if OSX's market share continues to rise, at which point I just start doing my online shopping and banking using Linux.

1
0
Silver badge

Until Linux's market share rises...

...and malware authors start targeting Linux with privilege escalations and other nasty bits we already see in Windows. It's only then when you realize that nowhere is safe and that you're dead either way. Hell, even physical banks aren't foolproof (two words: bank heist).

0
0
Gimp

Anyone else read 1st paragraph...

.... & think wonder if author is trolling?

0
0
This topic is closed for new posts.

Forums