With Wednesday's release of Mac OS X Lion, Apple has definitively leapfrogged its rivals by offering an operating system with state-of-the-art security protections that make it more resistant to malware exploits and other hack attacks, two researchers say. Unlike the introduction of Snow Leopard in 2009, which offered mostly …
Let's see at Pwn2Own shall we
Let's see what happens at Pwn2Own at CanWest. I'm betting that someone walks away with a shiny new MacBook Pro far before anyone walks away with a Linux or a Windows box.
OK, let's see. How much are you betting?
I'm not suggesting that Lion is the most secure operating system, but you are betting that it is the most vulnerable one. How much?
The suggestion is that the Mac would be so clearly more desirable that the best efforts of the best people will be focussed there . . .
Really leaps and bounds above the rest?
Wasn't IE 7 the first browser to have sandboxing in Vista?
Like the article says a good implementation of ASLR has been in Windows for a long time.
Full disk encryption on the boot volume already exists in Windows too.
That's not to say that these features aren't great - I'm a MAC user and welcome them, but to say OS X is far far ahead is probably a bit of a stretch.
Does IE7's sandboxing also work with all your office applications, all your video games, and all your multi-media applications? Just wondering since the article said that OS X's sandboxing was for all applications.
@AC: not quite that simple
OS X's sandboxing is exposed for use of all applications via a high-level API and is implemented across all applications that the OS comes with. So those are both huge steps, but the sand boxing doesn't apply to software that isn't written to use it. So your existing applications aren't sand boxed, at least in the sense that the term is being used here.
Apple have stated that applications must use the sand boxing to be accepted onto the App Store as of some date later in the year, so there is a carrot and stick aspect to it, but you can still download any old application you want from the Internet and it can still do whatever it wants (or, more relevantly, expose exploits that allow malicious agents to use it as an agent to do whatever they want).
How do I get it on my Hackintosh?
am uninstalling my antivirus software as i type....
Implement ideas that have been around for years.
Pretend you're being innovative and somehow superior.
Watch the fanboys lap it up without a second thought.
RE: Typical Apple
Then patent the concept, and claim everyone has copied it??
I'll get my coat
Typical Norfolk 'n' Goode
Stringing together some more boilerplate nonsense and resort to name calling.
If you actually paid attention, you'll note that this isn't from an Apple press release. If you check Apple's website you'd notice that they aren't in fact pretending they're "being innovative and somehow superior." WRT security. It's a footnote if anything. YOU are the one doing that! Instead of lurking and trolling on every single Mac article, why don't you just stop reading them, they seem to upset you a great deal so it'd ultimately be better for your health.
Sorry to spoil your fantasy
"YOU are the one doing that! Instead of lurking and trolling on every single Mac article, "
But I don't lurk and troll Apple threads, as much as your tiny deluded imagination may tell you otherwise.
Go ahead and read my comments, I dare you.
Oh you won't do that though, will you? As then you will realise what an lying arsehole you're being.
RE: lying arsehole
OK, so not *every* Apple article, just a lot of them. Inaccurately too. You've got some foam on the side of your mouth. The reaction though, speaks volumes. Troll.
OK, I read them
I just read all your comments. You ONLY comment on Apple stories - you're the 'an lying arsehole'. Just because you can't see that they're all Apple articles doesn't mean Apple haven't already patented the method for publishing those articles! ;p
To the lying arsehole.
By not every article you mean 2 in the last few months, including this one.
But don't let reality get in the way of your continued lies and blatant trolling.
You do know you're making a total idiot of yourself, right?
So Canonical are responsible for ASLR now?
I was under the impression that, rather than Ubuntu adding ASLR, Canonical just took advantage of something in the Kernel already* -- or did they code it up and use it before Debian, Red Hat, Mandriva, SuSe and the rest?
I think what you meant to say was Linux added much more robust implementations of ASLR years earlier.
*not that there's anything wrong with this.
“I generally tell Mac users that if they care about security, they should upgrade to Lion sooner rather than later, and the same goes for Windows users, too.”
What? You 'generally' recommend? How's that been working? Recommending a product before it is yet available. I bet his clients have been loving that.
A new tree cabin or more firewood?
With all fanboys once fibbing that the 3GS was better than all the its more modern and advanced rivals, its nigh on impossible to tell the wood from the trees.
Even Isaac Newton would certainly needed an almight mutant Apple fall.
We have these rules..
.. in English. They are designed to assist comprehension.
"Even Isaac Newton would certainly needed an almight mutant Apple fall."
I guess you never covered this at school.
"With all fanboys once fibbing that the 3GS was better than all the its more modern and advanced rivals"
Well, it's not disputed that the 3GS was definitely better than the 4. So what's your point?
Can you point me to the Canonical commits....
.... that implemented ASLR in the kernel (or in userspace)? I wonder if those "Canonical commits" came from people with @redhat.com email addresses.... that would be weird if they did, wouldn't it?
As a disclaimer, I have no idea who actually did implement ASLR in the kernel, just that I strongly suspect it wasn't Canonical.... their record of kernel contributions is shockingly low generally (David Henningsson's and other Canonical folk's recent sound related fixes in the kernel have been very much welcomed tho' :))
Full HD encryption
One has to say that enabling this in Lion is a piece of cake. Click a button and that's it, after a reboot the data is encrypted in the background, no setup woes, nothing. Compared to the burning hoops you have to jump through to enable this on other systems (although it is nothing new and entirely possible since ages) this really makes a difference.
Say what you want, Apple is good at making things easy enough to have common people actually use it instead of just nerds bragging about things being "possible". I know only very few people actually encrypting their laptop drives on Windows or Linux, even if most know that they could and should do it. Come on, do *you* encrypt your drives?
easy in Ubuntu
was trivial in Ubuntu. Most people I know don't know they are using it of course, but it is trivial.
"Trivial" in Ubuntu...
I always knew OSX magically installed partitions *sigh*
I wouldn't be that surprised if it did actually, not that I've seen it on my Snow Leopard VM at home, I mean giving users control over how they want to partition their disk is going to be deemed to be a step too far one day, surely!!
Does Linux have to catch up?
I *thought* that this ASLR was done by doing a prelink -afmR and there was also some kernel option ticked which did some similar stuff?
The only Security Apple cares about
Is that related to maintaining its control & monopoly over its users.
Monopoly isn't what you think it is.
Hmmm, let's see. Monopoly and control would suggest Apple users have no choice of OS, yet I can install either OS X, Windows or Linux on my hardware and even triple-boot. So that's obviously not a monopolistic position. They're also not controlling (as of yet and for the foreseeable future) my choice or ability to do this.
Also, your choice of the words 'monopoly and control' would suggest I don't have the ability to choose which software I run even when inside Apple's 'controlling' and 'monopolistic' OS. Yet, for some reason when I surf the web I can use Firefox, or Chrome, or Opera. When I send emails I can use Thunderbird or Opera. When I retouch photos I can use GIMP or Photoshop. When I write music I can use Cubase, or ProTools, or Reason, or Ableton, or Reaper. When I edit videos I use Premiere. When I listen to music I can use Audion. When chatting to friends online I can use Skype or Google+ or MSN, or AIM.
And the list goes on... None of those pieces of software are Apple's offerings, despite Apple writing software which performs each of those tasks (Safari, Mail, Aperture, Garageband/Logic, iMovie/Final Cut Pro, iTunes/Quicktime Player) so at which point am I controlled and monopolised even if I make the free choice not to run one of their competitors' operating systems on hardware I chose to buy in the first place?
"randomization and sandboxing"
Has Apple patented this yet?
As well as.....
'Lion'. No doubt they'll attempt to patent this.
You know when...
...a company is getting big. Because all the gripers are the first to post comments. OS X has now surpassed Windows, in one area. Now it's the Windows fanboys who lay in to Apple rather than the other way around.
Echoing earlier Ubuntu comments. RHEL has had excellent SELinux support for several iterations. Look up Mandatory Access Control.
For a moment I thought that I had logged on to the Graun's tech website....
.......after all they regularly do this type of puff piece for The Man From Cupertino, bit of a shock when I realised it was dear old El Reg - what happened?
All very well and good that Safari is sandboxed in Lion but most OS X users I know use either Chrome or Firefox. What's the desktop Safari's market share, less than 3%?
Rhubarb! Rhubarb! Toilet paper! Toilet paper in our time!
Oh I'm sorry I thought this was the forum thread to spout any old tosh you wish about your most favourite thing, that others seem to be " dissin' "!
Where's the fat?
Apple finally finishing implementing some basic security measures that were half written in Snow Leopard, golly! The only vaguely interesting bit is that it can now encrypt the entire boot disk (unlike I believe bitlocker, not that I've seen it, a fabled object that only exists on the fanboi and enterprise edition of windows). I use macs, I'm happy with the price and will probably upgrade 'cause of that and not because of this gushing advert
Fine. Let's try it then
So Windows has had ASLR for years
True, it has. Except that most of the core has not been compiled with it for a while, and even the bits that had - OTHER apps weren't. You have to specifically enable it when developing rather than it being enabled by default (which, IIRC is still true in W7) - Apple turning it on by default is not a bad thing and I could be wrong but I think it does put it ahead of Windows...
Modern day fox hunting
I love how much Apple stuff makes so many (although I must stress, not all) IT dept types foam at the mouth. It's such a perversely satisfying side benefit of using their kit. This kind of comments thread is my own little humane version of watching a dogfight. Smug, I know, but I can't help it. Apple User Smugness makes them so much more apoplectic, it's just irresistible.
What ASLR is for?
While I applaud such efforts, what I would be interested in hearing is why nobody seems to be able to design and implement a Memory Management Unit that can prevent one function from accessing another function's address space and do the same for the heap and the stack. In this context `function' means independently running processes. The same applies to sandboxing, why plant a sandbox on top of the OS, why not fix the OS? Such protections should be done in the hardware if they are to be effective. Don't tell us how it can't be done or I don't understand the technical issues, the so called security professionals don't seem to either.
"No doubt, Apple deserves kudos for setting a new standard in OS security that Microsoft and Linux distributors would do well to emulate"
Now you've done it, don't ever mention Redmond in the same breath as Linux. Here's my solution, run your OS off a read-only device, the running system loads to memory and gets flushed at shutdown.
Is there any risk of brain damage?
Well, technically speaking, the operation is brain damage, but it's on a par with a night of heavy drinking. Nothing you'll miss.
Exploits don't necessarily need to access other processes' memory if they can overwrite and execute their own memory space.
Sandboxing is part of fixing the OS. It restricts the things applications can do, so that if the application behaves badly it reduces or eliminates the possible damages.
re: What ASLR is for?
"Lightweight Portable Security (LPS), created by USA's Department of Defence, is a small Linux live CD focusing on privacy and security, for this reason, it boots from a CD and executes from RAM, providing a web browser, a file manager and some interesting tools. LPS-Public turns an untrusted system into a trusted network client"
Dino you fanboy
"Dino Dai Zovi, principal of security consultancy Trail of Bits and the coauthor of The Mac Hacker's Handbook. “I generally tell Mac users that if they care about security, they should upgrade to Lion sooner rather than later, and the same goes for Windows users, too.”
Yeah and what will I do if I want to play games and run my business ?
what will I do if I want to play games
@Alan Bourke: Dino you fanboy
> Yeah and what will I do if I want to play games and run my business ?
Get a games console ...
@ AC 14:10
I think you're missing Alan's point...
Since almost all Windows business software functionality can be duplicated on a Mac (and, in fact, Windows can be run as a VM on a Mac, ANY Windows software can be run), his business is most likely a Windows service shop. If enough people take Dino's advice he may actually have to learn about Macs in order to stay in business. (And -- let's face it -- frothing at the mouth while working on electronic gear is probably a dangerous practice, so he might be at risk as a Mac tech!)
Deliberately missing the point?
How exactly does running Windows on a Mac constitute 'upgrading' to Lion?
Besides, as you say MOST business software can be run on a Mac (by which I take it you mean OS X) - not all, though.
I also note you've omitted the games part of his question, too. - No, a console requires buying separate hardware to do what one PC already does better.
I worry about Mac viruses daily, just like I worry about getting hit by a crashing airplane, or getting struck down by lightning. It's happened before, people! Better worry than... erm... not, right?
Theoretical vs Actual Risks.
Theoretically, a quick review of the history of the Pwn2Own contest will convince most that researchers are always able to find and exploit vulnerabilities, no matter what OS you use.
On a practical level, I've disinfected hundreds of Windows Computers, I have yet to see a virus infected Mac.
I fully expect things to change if OSX's market share continues to rise, at which point I just start doing my online shopping and banking using Linux.
Until Linux's market share rises...
...and malware authors start targeting Linux with privilege escalations and other nasty bits we already see in Windows. It's only then when you realize that nowhere is safe and that you're dead either way. Hell, even physical banks aren't foolproof (two words: bank heist).
Anyone else read 1st paragraph...
.... & think wonder if author is trolling?