back to article Major overhaul makes OS X Lion king of security

With Wednesday's release of Mac OS X Lion, Apple has definitively leapfrogged its rivals by offering an operating system with state-of-the-art security protections that make it more resistant to malware exploits and other hack attacks, two researchers say. Unlike the introduction of Snow Leopard in 2009, which offered mostly …

COMMENTS

This topic is closed for new posts.
  1. Christian Berger

    So how is software distribution solved?

    I mean that is the major security problem, and apples previous attempts, anarchy and dictatorship, didn't exactly do a lot to help.

    Forced Apstores cause people to jailbreak their devices or force them to run software they don't want. Anarchy causes people to just install malware right away.

    1. Gordon 10
      FAIL

      Correction

      People who jailbreak without knowing exactly the risks they are taking deserve everything they get.

      Further more they are idiots who have not considered the consequences of their actions.

      Jailbreaking is like sex without a condom - liberating, and enjoyable but only to be attempted when you fully understand and ACCEPT the possible consequences.

      Dont assume that because you dont like Apples restrictions as a techie that the ordinary run of the mill punter shares your views or motivations.

      Anyhoo whats the current share jailbroken devices? 5%?

  2. Anonymous Coward
    Thumb Down

    Holy crap, will you stop with the blatant advertisement already.

    What are the sources of your statement that Lion's superior than Win 7 and Ubuntu in terms of security? ONE security consultant for the former, and yourself for the latter? Address space randomization and sandboxing are nothing new. The fact that the last section of the article is cautionary doesn't change the fact that over the last couple of days, it looks like the Reg got a hefty contribution from a certain company.

    Would you consider doing what news publications usually do, i.e. aggregating and coordinating the publishing of information on a subject into a single article, instead of planting a trough for Apple's marketing team's PR diarrhea to wash over your readers?

    PS. Sorry for any mistakes, I don't have a spellchecker handy and English is not my first language. And this criticism applies to all the recent authors, it's just that Dan's article was the last straw.

    1. Xtreame96
      Thumb Up

      You said it better

      Well said, I didnt have the energy to pick apart this obvious piece of terd of an article but it looks like the reg is getting like Gizmodo and just publishing paid fluff pieces.

      The register is starting to lick the hand that feeds instead of bite it.

      Next thing you know we will be drowning in mac loving technical fact devoid fluff pieces.

      Although Brooke Curuthers over at cnet news is the lead disciple of mac distortion these days, is giving gizmodo a run for its money, the only difference is in gizmodo you can literally buy the commentary directly.

      Its why I don't bother with tech blogs any more, they are handy only for pictures, so called tech journalists are just paid whores who have no BSC or relevant understanding of tech they just roll on their back open their legs and write positive fluff about lame tech.

    2. YetAnotherBob
      Holmes

      Good Points

      Most if not all of these 'Security Fixes' have been available in Linux for over 10 years, if the user wanted them. They have been available in Windows at least since Win7. Even the BSD versions that Apple uses under the hood have had all of these measures available since long before Apple ripped off the BSD core for Darwin. How does any of this put Apple first? All of these measures were available in the source since long before OSX. Apple is just doing what they should have done with the first edition of OSX.

      For a true leapfrogging, Apple should have integrated something like SE Linux. Or perhaps something actually new. But, Apple is still the last to implement any security.

      Microsoft seems to do it right. They watch Linux development carefully, and copy what works. Linux is where the real experimentation happens. SE Linux is the best security currently available, but is difficult to use. App Armor is easier to use, and provides a 'reasonable' level of security. Microsoft has effectively included the most important features of App Armor into Win7. Over time, they will probably do the rest. Apple is still the last to the party.

      Apple is still dedicated to the triumph of style over substance.

  3. Lusty
    Meh

    Win 7

    You say Windows 7 would do well to emulate this new security but never went on to describe the features Windows 7 doesn't have that Lion does. Everything in the article has been in there for years...

    1. Anonymous Coward
      Anonymous Coward

      Didn't you read the article?

      This is 'windows 7 plus plus'. That's all we need to know!

      Also, when did ubuntu become some sort of security yardstick?

    2. Galidron

      The most important one the mentioned.

      Must have missed the part about application sandboxing.

      1. Anonymous Coward
        Joke

        Re: application sandboxing

        I already sandbox the entire OS inside a VM running on a different OS. How about all of these companies follow my lead on this? I'm like Tiger++ me!

  4. Xtreame96
    Thumb Down

    Fluff piece mostly fiction.

    Paid fluff piece perhaps, the ASLR by any other name is nothing new.

    More over OSX was the worst security offender in the world with 1500 vulns as per securnia.

    And MS has had dep/aslr for over half a decade already, if you dont know the tech dont write about the tech. Go back to the PR agency that spawned you evil fan boi.

    1. ThomH

      A fluff piece, but too much hyperbole on your part

      "OSX was the worst security offender in the world with 1500 vulns as per securnia"

      Secunia issue advisories. Each advisory may mention multiple related vulnerabilities.

      They lists 1555 vulnerabilities for all versions of Mac OS X between 2003 and 2011 combined. In terms of advisories, they are aware of 8 unpatched advisories from a total of 155 in the full 8 years they've been tracking the OS. The most severe unpatched advisory is rated by them as "Moderately critical".

      Compare to Windows, which is broken down by release. Like all versions of OS X added together, Windows Vista has 8 unpatched advisories, from pretty much the same all-time total (157 versus 155, but whatever). The most severe unpatched advisory is rated as "Highly critical".

      Windows 7 has only 5 unpatched advisories of 76 to date but the most severe is again "Highly critical".

      Linux is broken down by distribution, which makes it hard to compare. But that's not just a statistical tabulation difference, it's a real on-the-ground difference so fair enough. For the record, Ubuntu 10.10 has been the subject of 133 advisories to date but all have been patched. So kudos to the Linux crowd.

      But to go from that to "OSX was the worst security offender in the world" feels like overreaching. It requires you to compare eight years of Apple's problems with two years of Microsoft's, to ignore the advice Secunia are actually giving as to the seriousness of the problems and to conflate problems that were solved with ones that remain an issue.

  5. Davidoff
    WTF?

    OS X Lion king of security? Yeah, right.

    It's more like Prince Valium who is always late to the party. Don't get me wrong, it's great that OS X finally gets a sensible implementation of ASLR, but that doesn't change the fact that it merely catches up with Windows and some Linux distros. The same is true for full disk encryption. BitLocker is available since November 2005 when Vista came out. It's great FDE is now available in Mac OS X but it only took them 6 years to catch up.

    This is nothing new, though. Mac OS has mostly been last to the party in terms of major technology changes like implementing pre-emptive multitasking or moving to 64bit.

    But then, what can you expect from the two authors of the "The Mac Hacker's Handbook"?

    1. Giles Jones Gold badge

      ASLR is pointless?

      ASLR is largely pointless unless you reboot regularly. Most laptop owners (and laptops are one of the most common home computers now) just let their computer hibernate or sleep.

    2. Ru
      Meh

      Its the leapfrogging bit I was looking for.

      Everything else is old news, even in ubuntu/windows land and they're not exactly at the leading edge of the security world.

      In fact, I'd be a lot more interested if Apple changed is corporate attitude to security issues, where it isn't exactly a paragon of the industry.

    3. Mark 65

      @Davidoff

      Agree with most of your post but let's not kid ourselves about the 64-bit party attendance. Remind me who still ships a 32-bit variant of their OS and only in the latest version has really tried to get everyone to leave it behind? XP may have had 64-bit (and shit driver support) but they're the ones still shipping 32-bit variants and still doing it with 7 was a missed opportunity to lay it to rest.

      Whilst I'm at it, bitlocker encryption is only available in the Ultimate and Enterprise versions of those OS versions - i.e. not the ones most users will have on account of it being £229.99 RRP (£166.41 on Amazon.co.uk).

      I'm all for bagging some of the hubris in the OSX World but let's not pretend that MS is holier than thou.

      1. deegee

        re Mark65's stupid post

        You are trashing MS for continuing to still provide support for older systems??

        Microsoft released a 32-bit Windows for a number of reasons including to cater to those people who are upgrading with small systems that cannot take advantage of the 64-bit supported >4GB memory. They are trying to pull the XP-32 people up onto Win7. A 64-bit OS requires more memory to run apps due to larger 64-bit pointers etc., and the thunking and WoW64 have additional overhead that can impact performance on older systems if running the 64-bit variant.

        Anyone with a 2002-2005 P4 2GB will probably be better suited to run Win7-32.

        It is almost impossible to find new PC desktop systems that are selling anything but 64-bit Win7 preinstalled.

        At least with a 2004-6 PC system you can still run Windows 7, you can't say the same about Apple OSX since they dropped all PPC support (forcing me to have to sell my G5 and buy a new Pro for $2500-5000 if I want to run the 'Intel' OSX).

        Most OS's are sold to anyone purchasing new kit, so that places the OWM Ultimate OEM (with BitLocker) at around $200 CDN retail (£130).

        1. Anonymous Coward
          Windows

          RE: re Mark65's stupid post

          Fuck me. Have the school holidays started already?

          "You are trashing MS for continuing to still provide support for older systems??" Looks like it.

          "Microsoft released a 32-bit Windows for a number of reasons including to cater to those people who are upgrading with small systems that cannot take advantage of the 64-bit supported >4GB memory. They are trying to pull the XP-32 people up onto Win7. A 64-bit OS requires more memory to run apps due to larger 64-bit pointers etc., and the thunking and WoW64 have additional overhead that can impact performance on older systems if running the 64-bit variant."

          I'm going to let you into a little secret. Not may people buy upgrade. It's only really nerd like you and people the 'support'. Most people buy a new computer every 5-7 years. They don't need the shiniest OS for what amounts to email, Skype and fucking Facebook.

          "It is almost impossible to find new PC desktop systems that are selling anything but 64-bit Win7 preinstalled." This is a good thing, but moot.

          "At least with a 2004-6 PC system you can still run Windows 7, you can't say the same about Apple OSX since they dropped all PPC support (forcing me to have to sell my G5 and buy a new Pro for $2500-5000 if I want to run the 'Intel' OSX)." Windows 7 was released nearly 2 years ago. Sadly MSFT will release a 32bit version of Windows 8 which will be a mistake.

          "forcing me to have to sell my G5 and buy a new Pro for $2500-5000 if I want to run the 'Intel' OSX" I can ally assume that you are talking about the SL upgrade as leopard fully supported G5 processors. If you felt 'forced' to buy new kit, perhaps that'd've been a good point to consider switching. Tit.

          1. deegee

            @AC 20:32... a real coward

            Wow, I'd really like to know what color the skies are in your world. :p

            "Have the school holidays started already?"

            I have probably been working in the computer industry since you were in diapers.

            "Looks like it."

            And if MS decided to kill support for anything but the latest hardware and software, you would bitch about that as well I'm sure.

            "This is a good thing, but moot."

            Not moot at all. The OP was regarding the OS should be 64-bit, and that's what is sold on new hardware, so it is totally relevant. Another "Fail" for you.

            "leopard fully supported G5 processors"

            OSX has not supported the G5 PPC models for ~4 years. Anyone who wants the new OSX features is forced to purchase a complete new computer.

            Windows 7 will still run on hardware from 4+ years ago.

            "perhaps that'd've been a good point to consider switching. Tit."

            I own a software development company, I have numerous Wintel systems, Mac, and Linux. No switching is required. And I like tits, especially when they are attached to pretty women.

            1. Anonymous Coward
              Anonymous Coward

              Someones testy...

              "I have probably been working in the computer industry since you were in diapers." I seriously doubt that.

              "And if MS decided to kill support for anything but the latest hardware and software, you would bitch about that as well I'm sure." No. That is what you are doing. I'd personally applaud it as a bold move on Microsofts part. I have little interest in the Windows platform myself.

              "Not moot at all. The OP was regarding the OS should be 64-bit, and that's what is sold on new hardware, so it is totally relevant." No, it's moot. The problem lies within software houses. Adobe are a good example of this and an example for both platforms that they support too boot.

              "Another "Fail" for you." Well this is awkward. Moving swiftly on...

              "OSX has not supported the G5 PPC models for ~4 years. Anyone who wants the new OSX features is forced to purchase a complete new computer." Funny that. Apple introduced the Intel based Mac ~5 years ago. They we very transparent about the future of the PPC from the outset, which is unusual for Apple. They were unequivocally clear that within 5 years PPC would not be supported. And lo, so it was. Leopard (OS X 10.5) was released 4 years ago. That was the last version of OS X to support PPC (http://goo.gl/FcRSg). Snow Leopard was released 2 years ago to much wailing about how it didn't support PPC. This is not new.

              "I own a software development company, I have numerous Wintel systems, Mac, and Linux." So if you are developing software for those platforms, then why haven't you got up-to-date hardware? I'm not talking the latest and greatest bling, I mean up-to-date? You Mac Pro has to be at the very least 6 years old FFS. No, it because you talking shit. Jackass.

      2. Rabbit80

        erm..

        I know plenty of people running the 32-bit edition of Win 7. The main reason being that their craptops are 32-bit only. At the end of the day, Microsoft are out to make money - and they do that by making Win7 as compatible with as many devices as possible.

        As for bitlocker - for the home users etc, they should not really need it - however if they do need full encryption, truecrypt is freely available and does a stellar job!

    4. chr0m4t1c

      Yes, let's focus on the important stuff

      >This is nothing new, though. Mac OS has mostly been last to the party in terms of major

      >technology changes like implementing pre-emptive multitasking or moving to 64bit.

      Yeah, being first is the most important thing.

      Presumably you drive an 1982 Daimler and your personal computer of choice would be the Berkeley Enterprises "Simon" that you built yourself from the original 1950/51 plans or maybe the Intel SIM4 if you prefer a microcomputer.

      Or maybe first and last don't matter that much after all.

    5. Ammaross Danan
      FAIL

      One Problem....

      Even these new security measures won't protect Joe User from himself when he clicks the fake antivirus message which prompts him to run a downloaded file which then in turn installs the virus with user-level permissions, which can then use <insert vuln here> to escalate priveledges (or simply be happy with user-level-priv keylogging) to install the "virus" (read: fakeAV or its ilk)

    6. ThomH

      I think it's the sandboxing that makes the story

      The story is quite clear, as you point out, that ASLR and full disk encryption are areas in which OS X has now caught up with Windows and Linux (or Ubuntu as it seems to call it). It then suggests that sand boxing processes and designing the applications (and daemons) that come with the system to isolate different logical parts into different processes within different sandboxes constituted a step in advance of any of the competing operating systems. So that's the leapfrog jump — the fact that the supplied browser, email app, PDF viewer, etc are all now aggressively using sand boxing, for which there is now high level API support.

      Whether or not that's a valid assessment is one thing; just repeating what the article already says about areas where Apple have played catch up is quite another.

      Re: pre-emptive multitasking, citing Apple's failure to transition to a modern OS until around 2000 feels a bit disingenuous as a comment on the OS they transitioned to.

      Re: 64bit, that's been a feature since 2005. The difference in approaches has been that Apple have uncharacteristically gone for a gradual transition, though I think that's because the hardware has made a gradual transition.

      1. grantmasterflash

        Sandboxing

        Referring to Linux as Ubuntu isn't very fair as Enterprise Linux has had sandboxing for quite a while with it's Mandatory Access Control systems (SELinux). With EL6 you can now sandbox any application you want as well as sandboxing users. Ubuntu however has used AppArmor which technically is Mandatory Access Control it isn't as extensive as SELinux. As far as whole disk encryption that's been a part of Linux for a really long time. Ubuntu again uses home directory encryption and leaves the OS alone (because the OS on a Desktop computer doesn't change). ASLR is mostly implemented on Linux and you have the choice to forcing 100% ASLR but it's third party. If you pick up an older Linux Security book and try to install patches for ASLR you'll realize they're already there and have been for years.

        It's nice to see Apple catching up to Linux though, it's better for everyone if ALL OS's are secure. Ubuntu on the other hand needs to spend more time thinking about security. They need to finally dump AppArmour, adopt Redhats SELinux build, apply all security patches, finish policykit and finally get rid of sudo.

    7. Tony Martin

      Maybe late, but always seems to be better

      Mac OS X may have been late to the 'party' for 64-bit, but in good Apple fashion, it was done right. Windows 7 supports up to 198GB memory. Why the artificial limitation? If it is truely 64-bit great as you think, it should be like Apple's Snow Leopard. which supported 16TB memory. Now we have Lion, with better security to finish off what is truely the worlds most advanced OS.

  6. Anonymous Coward
    Anonymous Coward

    Would like more info on this...

    "If iDevices, which contain security protections that go well beyond those found in OS X, can succumb to drive-by downloads, there's no reason Macs aren't also vulnerable."

    Does anyone know any more about this? Does iOS contain far more security precautions than OS X? If so, what extra steps in particular does it take to protect itself?

    1. DZ-Jay

      @Tony Chandler

      I think he was referring to the so-called "wall garden" and other lock-down measures of controlling access. If you restrict the ability of the outside world to interact with the internal system, you severely curtail the attack surface.

      -dZ.

      1. Anonymous Coward
        Headmaster

        @DZ-Jay

        WallED garden.

        LockED-down.

        1. Anonymous Coward
          FAIL

          @Your Retarded

          You'RE retarded!

          Ahem, I thank you.

          1. Anonymous Coward
            Thumb Down

            No, that is not my name

            If I was trying to insult you I would write as such.

    2. ThomH

      iOS is behind on some of the features listed

      For example, jailbreakme.com uses a PDF exploit — a buffer overrun or some other flaw that allows a maliciously crafted PDF to perform arbitrary code execution. The cat and mouse with Apple from that specific method of jailbreaking has surrounded finding exploitable flaws in the PDF renderer and fixing them.

      In Lion, PDF parsing and rendering is devolved to one or more separate, sand boxed processes that don't have the ability to read or write to files or otherwise communicate very widely with the outside world. So Lion takes a big step forward in trying to secure against that type of exploit.

      Of course there are likely to be further flaws and exploits, but Lion is a step up from iOS in terms of overall security. Since iOS and OS X use the same kernel and share many of the system APIs (though the user interface stuff is deliberately very different), the general rule is that whichever was released most recently has Apple's most up-to-date security. I expect the new OS X stuff will migrate to iOS in the near future.

    3. jaime
      Boffin

      That's why people Jailbreak their iPhones/iPods...for complete access!

      The iPhone's interfacing with software, such as iTunes, is run in a chrooted environment, where no user or desktop application—even iTunes—can see into the operating system; this is commonly known in the Unix world as a chroot jail. This jail (and the fact that you can't simply yank out the hard drive) is the only thing standing in the way of the iPhone functioning as a complete, portable Mac OS X computer.

      With Lion Apple is doing the same thing with apps submitted to the App store so this is a big deal and a big change in security even though most people still don't understand it at this point!

  7. Anonymous Coward
    Happy

    BSD?

    “Those guys are seriously raising the bar..."

    If I remember correctly, OpenBSD was pretty-much the first generally available OS to implement ASLR. And it implements a raft of other anti-exploit stuff. And I'm pretty sure the other BSDs (which OS-X is a derivative, of course) also implemented this stuff years ago - long before MS, Apple, or Linux.

    So when looking at who is raising the bar on security, as is often the case, one has to look at the BSDs.

    1. Mark 65

      Re:BSD?

      Is Windows XP a BSD derivative? Blue Screen of Death, that is.

      1. Stevie

        Bah!

        I've seen precisely 3 blue screens since I bought XP in 2001. One because a disc controller failed (so we can put that one down to the hardware manufacturer rather than MS) and the other two I ascribe to a certain AV company's nagware since once I disabled it the problem went away.

        I've never seen a Blue Screen on any of my at-work XP workstations in the 10 years I've been using them.

        For me, mentioning the Blue Screen immediately devalues whatever the other guy has to say because, well, it shows they are out of touch. Years out of touch.

        Kudos to Apple for the address jiggery-pokery. It is irrelevant who did it first. Apple have done it *now* and deserve an Attaboy.

        1. Anonymous Coward
          Thumb Up

          Re: Mark65!

          Haha, and let that be a lesson 'Mark65'. Remember to use the Joke Alert icon to express how firmly your tongue is in your cheek or you WILL be slapped down by other users on El Reg.

  8. Filippo Silver badge

    okay, it's good, but...

    ...this seems more like catch-up than leapfrogging. The article itself mentions that Windows has had address space randomization for years. And the same is true of full-disk encryption. The only feature I see that's not been present on other OSes for years is that browser thing, which is nice but I don't know if it alone justifies the enthusiastic tones.

    1. DZ-Jay

      @Filippo

      It's not "that browser thing," it's the compartmentalization of processes across all application space. Safari was mentioned as one example because it is usually the most prominent attack vector.

      -dZ.

      1. Anonymous Coward
        Anonymous Coward

        This is also available on Linux

        SELinux and AppArmor for linux-based systems both enforce granular and context-specific privilege management for processes. It looks like this is another implementation of the same kind of thing.

  9. Tchou
    WTF?

    "...said the researchers,

    ...who spent the past few months analyzing the OS"

    Since OSX is closed source, chances are that Apple paid this research to whitewash its recent troubles with malware.

    Standard industry procedure.

    1. Anonymous Coward
      Stop

      Re: Whitewash

      ...or perhaps they were in the Beta testing programme, so have had their mitts on it for a while to see if they can poke any shitty sticks through the security.

      Also a standard industry procedure.

    2. Brian Tabone
      Go

      OS X kernel sources

      You can get them here

      http://www.opensource.apple.com/source/xnu/xnu-1699.22.73/

      1. Tchou
        FAIL

        It is not Apple source

        but the *free* part they are obligated to republish by the very *free* licenses they build their closed source on.

        But i didn't knew this site, thanks.

  10. Alex F.
    Thumb Down

    What?

    So Apple introduces features that Windows Vista (ASLR) and IE7 (Protected Mode - aka separate low priority process) had back in 2006 and we somehow supposed to admire that?

    1. Giles Jones Gold badge

      Yes but..

      That's on top of a Unix security model that is fairly tried and tested.

      Where as Windows tries to offer backward compatibility which weakens security.

      1. Spearchucker Jones
        WTF?

        Actually...

        ...you'll find that many of Vista's problems (primarily pre-Vista apps and drivers, and ignoring the UX issues, which were serious) were because Micosoft did not offer backward compatibility, for the sake of security.

        1. Anonymous Coward
          Anonymous Coward

          Yes

          I said at the time, and still stand by it, that MS should have dumped actual 'backwards compatibility' in Vista/7 and instead followed Apple's earlier model of switching from OS 9 to OS X with a VM environment running an older system to handle legacy apps. It made the transition much smoother and they repeated this successfully with Rosetta when transitioning from PPC to Intel architecture.

          The system worked very well for the majority of users and was much less painful than having to upgrade EVERYTHING in one go, but also signalled that it was time to consider renewing software within a reasonable timeframe to take it native onto the new platform.

          Anyone refusing to update after about 5 years will just have to live with an unsupported system from then on in. I'd say that's a pretty fair deal.

  11. Blarkon

    Lets see at Pwn2Own shall we

    Lets see what happens at Pwn2Own at CanWest. I'm betting that someone walks away with a shiny new MacBook Pro far before anyone walks away with a Linux or a Windows box.

    1. DZ-Jay

      @Blarkon

      OK, let's see. How much are you betting?

      I'm not suggesting that Lion is the most secure operating system, but you are betting that it is the most vulnerable one. How much?

      -dZ.

      1. Jolyon

        Maybe

        The suggestion is that the Mac would be so clearly more desirable that the best efforts of the best people will be focussed there . . .

  12. Anonymous Coward
    Boffin

    Really leaps and bounds above the rest?

    Wasn't IE 7 the first browser to have sandboxing in Vista?

    Like the article says a good implementation of ASLR has been in Windows for a long time.

    Full disk encryption on the boot volume already exists in Windows too.

    That's not to say that these features aren't great - I'm a MAC user and welcome them, but to say OS X is far far ahead is probably a bit of a stretch.

    1. Anonymous Coward
      Anonymous Coward

      Sandboxing

      Does IE7's sandboxing also work with all your office applications, all your video games, and all your multi-media applications? Just wondering since the article said that OS X's sandboxing was for all applications.

      1. ThomH

        @AC: not quite that simple

        OS X's sandboxing is exposed for use of all applications via a high-level API and is implemented across all applications that the OS comes with. So those are both huge steps, but the sand boxing doesn't apply to software that isn't written to use it. So your existing applications aren't sand boxed, at least in the sense that the term is being used here.

        Apple have stated that applications must use the sand boxing to be accepted onto the App Store as of some date later in the year, so there is a carrot and stick aspect to it, but you can still download any old application you want from the Internet and it can still do whatever it wants (or, more relevantly, expose exploits that allow malicious agents to use it as an agent to do whatever they want).

  13. Anonymous Coward
    Devil

    Address Space Randomization

    Congratulations on achieving the same point where OpenBSD was 10 years ago.

    Watta(fan)boy!

  14. SteveBalmer
    FAIL

    What is this?

    Pay for a report for your new product week or something?

    First NSS Labs IE9 Bullshit and now this...

    Still we all know how gullible Apple owners are (and the entire American general public), i'm sure they will lap this news up without even a shadow of doubt over it's validity.

    1. Anonymous Coward
      Flame

      Re: "we all know how gullible Apple owners are"

      Yes, I'm so gullible I actually believed that I could genuinely install and live with Ubuntu as my main OS without needing to go tinkering in the Terminal. Sure learnt my lesson though (maybe lessons about how to achieve things through the Terminal)!

      Next time I'll ask you for your sagely advice instead, you're obviously much more informed than I could possibly be.

      I wonder if I'd have been so gullible about Linux if I'd been installing it on any one of my non-Apple machines instead of Windows? Probably not - we all know how only when you're using Apple kit do you become a sucker right?

  15. GoFasterStripes
    Gimp

    Sounds great

    How do I get it on my Hackintosh?

  16. jai

    awesome

    am uninstalling my antivirus software as i type....

  17. Anonymous Coward
    Thumb Down

    Typical Apple

    Implement ideas that have been around for years.

    Pretend you're being innovative and somehow superior.

    Watch the fanboys lap it up without a second thought.

    1. Anonymous Coward
      Coat

      RE: Typical Apple

      Then patent the concept, and claim everyone has copied it??

      I'll get my coat

    2. Anonymous Coward
      Trollface

      Typical Norfolk 'n' Goode

      Stringing together some more boilerplate nonsense and resort to name calling.

      If you actually paid attention, you'll note that this isn't from an Apple press release. If you check Apple's website you'd notice that they aren't in fact pretending they're "being innovative and somehow superior." WRT security. It's a footnote if anything. YOU are the one doing that! Instead of lurking and trolling on every single Mac article, why don't you just stop reading them, they seem to upset you a great deal so it'd ultimately be better for your health.

      1. Anonymous Coward
        Trollface

        Sorry to spoil your fantasy

        "YOU are the one doing that! Instead of lurking and trolling on every single Mac article, "

        But I don't lurk and troll Apple threads, as much as your tiny deluded imagination may tell you otherwise.

        Go ahead and read my comments , I dare you.

        Oh you wont do that though, will you? As then you will realise what an lying arsehole you're being.

        1. Anonymous Coward
          FAIL

          RE: lying arsehole

          OK, so not *every* Apple article, just a lot of them. Inaccurately too. You've got some foam on the side of your mouth. The reaction though, speaks volumes. Troll.

          1. Anonymous Coward
            Anonymous Coward

            To the lying arsehole.

            By not every article you mean 2 in the last few months, including this one.

            But don't let reality get in the way of your continued lies and blatant trolling.

            You do know you're making a total idiot of yourself, right?

        2. Anonymous Coward
          Joke

          OK, I read them

          I just read all your comments. You ONLY comment on Apple stories - you're the 'an lying arsehole'. Just because you can't see that they're all Apple articles doesn't mean Apple haven't already patented the method for publishing those articles! ;p

  18. Cameron Colley

    So Canonical are responsible for ASLR now?

    I was under the impression that, rather than Ubuntu adding ASRL, Canonical just took advantage of something in the Kernel already* -- or did they code it up and use it before Debian, Red Hat, Mandriva, SuSe and the rest?

    I think what you meant to say was Linux added much more robust implementations of ASLR years earlier.

    *not that there's anything wrong with this.

  19. Demosthenese

    Generally ...

    “I generally tell Mac users that if they care about security, they should upgrade to Lion sooner rather than later, and the same goes for Windows users, too.”

    What? You 'generally' recommend? How's that been working? Recommending a product before it is yet available. I bet his clients have been loving that.

  20. Alan Denman

    A new tree cabin or more firewood?

    With all fanboys once fibbing that the 3GS was better than all the its more modern and advanced rivals, its nigh on impossible to tell the wood from the trees.

    Even Isaac Newton would certainly needed an almight mutant Apple fall.

    1. amanfromearth
      FAIL

      We have these rules..

      .. in english. They are designed to assist comprehension.

      "Even Isaac Newton would certainly needed an almight mutant Apple fall."

      I guess you never covered this at school.

    2. Anonymous Coward
      FAIL

      Eh?

      "With all fanboys once fibbing that the 3GS was better than all the its more modern and advanced rivals"

      Well, it's not disputed that the 3GS was definitely better than the 4. So what's your point?

  21. Colin Guthrie
    WTF?

    Can you point me to the Canonical commits....

    .... that implemented ASLR in the kernel (or in userspace)? I wonder of those "Canonical commits" came from people with @redhat.com email addresses.... that would be weird if they did, wouldn't it.?

    As a disclaimer, I have no idea who actually did implement ASLR in the kernel, just that I strongly suspect it wasn't Canonical.... their record of kernel contributions are shockingly low generally (David Henningsson's and other Canonical folk's recent sound related fixes in the kernel have been very much welcomed tho' :))

  22. G C M Roberts
    Linux

    Does Linux have to catch up?

    I *thought* that this ASLR was done by doing a prelink -afmR and there was also some kernel option ticked which did some similar stuff?

  23. uhuznaa
    Thumb Up

    Full HD encryption

    One has to say that enabling this in Lion is a piece of cake. Click a button and that's it, after a reboot the data is encrypted in the background, no setup woes, nothing. Compared to the burning hoops you have to jump through to enable this on other systems (although it is nothing new and entirely possible since ages) this really makes a difference.

    Say what you want, Apple is good at making things easy enough to have common people actually use it instead of just nerds bragging about things being "possible". I know only very few people actually encrypting their laptop drives on Windows or Linux, even if most know that they could and should do it. Come on, do *you* encrypt your drives?

    1. David Ward 1

      easy in Ubuntu

      was trivial in Ubuntu. Most people I know don't know they are using it of course, but it is trivial.

      1. uhuznaa

        "Trivial" in Ubuntu...

        http://www.linuxbsdos.com/2011/05/10/how-to-install-ubuntu-11-04-on-an-encrypted-lvm-file-system/

        versus

        http://static.arstechnica.net/2011/07/04/lion/file-vault.png

        1. Anonymous Coward
          Anonymous Coward

          Seems fair

          I always knew OSX magically installed partitions *sigh*

          I wouldn't be that surprised if it did actually, not that I've seen it on my Snow Leopard VM at home, I mean giving users control over how they want to partition their disk is going to be deemed be a step to far one day, surely!!

  24. Anonymous Coward
    Boffin

    The only Security Apple cares about

    Is that related to maintaining it's control & monopoly over its users.

    1. Anonymous Coward
      WTF?

      Monopoly isn't what you think it is.

      Hmmm, let's see. Monopoly and control would suggest Apple users have no choice of OS, yet I can install either OS X, Windows or Linux on my hardware and even triple-boot. So that's obviously not a monopolistic position. They're also not controlling (as of yet and for the foreseeable future) my choice or ability to do this.

      Also, your choice of the words 'monopoly and control' would suggest I don't have the ability to choose which software I run even when inside Apple's 'controlling' and 'monopolistic' OS. Yet, for some reason when I surf the web I can use Firefox, or Chrome, or Opera. When I send emails I can use Thunderbird or Opera. When I retouch photos I can use GIMP or Photoshop. When I write music I can use Cubase, or ProTools, or Reason, or Ableton, or Reaper. When I edit videos I use Premiere. When I listen to music I can use Audion. When chatting to friends online I can use Skype or Google+ or MSN, or AIM.

      And the list goes on... None of those pieces of software are Apple's offerings, despite Apple writing software which performs each of those tasks (Safari, Mail, Aperture, Garageband/Logic, iMovie/Final Cut Pro, iTunes/Quicktime Player) so at which point am I controlled and monopolised even if I make the free choice not to run one of their competitors' operating systems on hardware I chose to buy in the first place?

  25. Wang N Staines

    "randomization and sandboxing"

    Has Apple patented this yet?

    1. Anonymous Coward
      Anonymous Coward

      As well as.....

      'Lion'. No doubt they'll attempt to patent this.

  26. Cyberspice
    Happy

    You know when...

    ...a company is getting big. Because all the gripers are the first to post comments. OS X has now surpassed windows, in one area. Now its the windows fanboys who lay in to Apple rather than the other way around.

  27. foo_bar_baz

    SEL?

    Echoing earlier Ubuntu comments. RHEL has had excellent SELinux support for several iterations. Look up Mandatory Access Control.

  28. Arctic fox
    Unhappy

    For a moment I thought that I had logged on to the Graun's tech website....

    .......after all they regularly do this type of puff piece for The Man From Cuppertino, bit of a shock when I realised it was dear old El Reg - what happened?

  29. magnetik

    sandboxed

    All very well and good that Safari is sandboxed in Lion but most OS X users I know use either Chrome or Firefox. What's the desktop Safari's market share, less than 3%?

  30. Anonymous Coward
    Megaphone

    Rhubarb!

    Rhubarb! Rhubarb! Toilet paper! Toilet paper in our time!

    Oh I'm sorry I thought this was the forum thread to spout any old tosh you wish about your most favourite thing, that others seem to be " dissin' "!

  31. frood
    Meh

    Wheres the fat?

    Apple finally finishing implementing some basic security measures that were half written in Snow Leopard, golly! The only vaguely interesting bit is that it can now encrypt the entire boot disk (unlike I believe bitlocker, not that I've seen it, a fabled object that only exists on the fanboi and enterprise edition of windows). I use macs, I'm happy with the price and will probably upgrade 'cause of that and not because of this gushing advert

  32. Anonymous Coward
    WTF?

    Fine. Let's try it then

    okay

  33. Anonymous Coward
    Stop

    So Windows has had ASLR for years

    True, it has. Except that most of the core has not been compiled with it for a while, and even the bits that had - OTHER apps weren't. You have to specifically enable it when developing rather than it being enabled by default (which, IIRC is still true in W7) - Apple turning it on by default is not a bad thing and I could be wrong but I think it does put it ahead of Windows...

  34. doperative
    Linux

    What ASLR is for?

    While I applaud such efforts, I would be interested in hearing is why nobody seems to be able to design and implement a Memory Management Unit that can prevent one function from accessing another functions' address space and do the same for the heap and the stack. In this context `function' means independently running processes. The same applies to sandboxing, why plant a sandbox on top of the OS, why not fix the OS? Such protections should be done in the hardware if they are to be effective. Don't tell us how it can't be done or I don't understand the technical issues, the so called security professionals don't seem to either.

    "No doubt, Apple deserves kudos for setting a new standard in OS security that Microsoft and Linux distributors would do well to emulate"

    Now you've done it, don't ever mention Redmond in the same breath as Linux. Here's my solution, run your OS off a read-only device, the running system loads to memory and gets flushed at shutdown.

    \http://en.wikipedia.org/wiki/Ubuntu_Live_USB_creator

    -------

    Is there any risk of brain damage?

    Well, technically speaking, the operation is brain damage, but it's on a par with a night of heavy drinking. Nothing you'll miss.

    1. Galidron

      Process memory

      Exploits don't necessarily need to access other processes' memory if they can over wright and execute their own memory space.

      Sandboxing is part of fixing the OS. It restricts the things applications can do, so that if the application behaves badly it reduces or eliminates the possible damages.

    2. doperative
      Linux

      re: What ASLR is for?

      "Lightweight Portable Security (LPS), created by USA's Department of Defence, is a small Linux live CD focusing on privacy and security, for this reason, it boots from a CD and executes from RAM, providing a web browser, a file manager and some interesing tools. LPS-Public turns an untrusted system into a trusted network client"

      http://www.unixmen.com/software/1832-lightweight-portable-security-lps-a-linux-disto-from-the-us-department-of-defense

  35. Anonymous Coward
    Trollface

    Modern day fox hunting

    I love how much Apple stuff makes so many (although I must stress, not all) IT dept types foam at the mouth. It's such a perversely satisfying side benefit of using their kit. This kind of comments thread is my own little humane version of watching a dogfight. Smug, I know, but I can't help it. Apple User Smugness makes them so much more apoplectic, it's just irresistible.

  36. Alan Bourke
    FAIL

    Dino you fanboy

    "Dino Dai Zovi, principal of security consultancy Trail of Bits and the coauthor of The Mac Hacker's Handbook. “I generally tell Mac users that if they care about security, they should upgrade to Lion sooner rather than later, and the same goes for Windows users, too.”

    Yeah and what will I do if I want to play games and run my business ?

    Knob.

    1. Anonymous Coward
      Trollface

      what will I do if I want to play games

      @Alan Bourke: Dino you fanboy #

      > Yeah and what will I do if I want to play games and run my business ?

      Get a games console ...

      1. Mike Moyle
        Trollface

        @ AC 14:10

        I think you're missing Alan's point...

        Since almost all Windows business software functionality can be duplicated on a Mac (and, in fact, Windows can be run as a VM on a Mac, ANY Windows software can be run), his business is most likely a a Windows service shop. If enough people take Dino's advice he may actually have to learn about Macs in order to stay in business. (And -- let's face it -- frothing at the mouth while working on electronic gear is probably a dangerous practice, so he might be at risk as a Mac tech!)

        1. Greemble
          Facepalm

          Delibrately mssing the point?

          How exactly does running Windows on a Mac constitute 'upgrading' to Lion?

          Besides, as you say MOST business software can be run on a Mac (by which I take it you mean OS X) - not all, though.

          I also note you've omitted the games part of his question, too. - No, a console requires buying separate hardware to do what one PC already does better.

  37. Nikolaus Heger

    Fanbois Beware!

    I worry about Mac viruses daily, just like I worry about getting hit by a crashing airplane, or getting struck down by lightning. It's happened before, people! Better worry than... erm... not, right?

  38. ZenCoder
    Unhappy

    Theoretical vs Actual Risks.

    Theoretically, a quick review of the history of the Pwn2Own contest will convince most that researches are always to find and exploit vulnerabilities, no matter what OS you use.

    On a practical level, I've disinfected hundreds of Windows Computers, I've have yet to see a virus infected Mac.

    I fully expect things to change if OSX's market share continues to rise, at which point I just start doing my online shopping and banking using Linux.

    1. Charles 9

      Until Linux's market share rises...

      ...and malware authors start targeting Linux with privilege escalations and other nasty bits we already see in Windows. It's only then when you realize that nowhere is safe and that you're dead either way. Hell, even physical banks aren't foolproof (two words: bank heist).

  39. Lord Lien
    Gimp

    Anyone else read 1st paragraph...

    .... & think wonder if author is trolling?

  40. Keith Crooks
    Stop

    But..

    My dad is bigger than your dad!

    Yeah but my dad is harder than your dad!

    Well my dad is a black belt in kung fu!

    So is mine! But my dad was a black belt before your dad so my dad is better!

    Yeah well ... your dad is a big stupid stinky poo!

  41. aThingOrTwo

    Research

    Many of the comments sound like people are happy to be uninformed/ignorant.

    People should be FORCED to read the are article** explaining how things like the XPC Services framework before adding all the “Windows has had that for years” comments.

    So many people seem to have seized the ASLR and run with it. That isn't the security story in Lion at all.

    ** http://arstechnica.com/apple/reviews/2011/07/mac-os-x-10-7.ars/9#powerbox

  42. Henry Wertz 1 Gold badge

    No leapfrog but good progress

    @Mark 65, dropping support for systems is not a feature. Especially since Apple sold 32-bit-only Intel boxes less than 5 years ago (THAT was the mistake IMHO -- they should have gone straight to the 64-bit capable Intel chips.) Windows is a joke, but continuing to provide a 32-bit version isn't a reason for it being a joke; there's no reason for Ubuntu to stop providing a 32-bit version either.

    So, obviously adding features that Ubuntu and even Windows to a lesser extend have had for years is only leapfrogging to a fanboi. But, still, nice that they have full ASLR and such.

    @Giles Jones, not true at all, ASLR isn't useless if you don't reboot. Applications should be randomized every time they are quit and reloaded. The kernel of course won't keep getting rearranged without reboots, but it still will be rearranged once, which is already enough to stop kernel exploits that can involve modifying and jumping into the kernel, i.e. "This is OSX 10.7.1, so I'll make the code at byte 75338 naughty then jump into it" won't work.

  43. Henry Wertz 1 Gold badge

    MMUs and security

    @doperative, the MMU of course has enforced memory protection between processes at least since IBM started using them in the 1960s. ASLR prevents situations where someone subverts existing code *within* the application.. usually either overwriting a portion of the program, or jumping to a piece of code in the program, where it does something different when called "naughtily" than it was intended to do. Since the locations are randomized these become much more difficult.

    @Charles 9, no. Popularity doesn't help, but Linux doesn't have so few viruses just because of that. Frankly, Unix *used* to have pretty poor security. But, the Unix community had their "Nimda"/"Code Red" moments back in the late 1980s with Morris worm and the like! So they've been improving security for over 20 years, instead of the few years Microsoft has been taking it seriously. People do look through source code for security problems; Linux distros have much more frequent updates than Windows (no waiting til "patch Thursday", a.k.a. giving exploits 30 days free reign.) They don't include massive mounds of "legacy code" (stuff dating all the way back to Windows 3.1 or even older) the way Windows does. The security systems in Linux are *actually used*, whereas Windows has plenty of access controls that are not even used, resulting in plenty of apparent security that is actually implemented by the shell rather than kernel level. An important one, Linux (as with any UNIX) has an executable bit, so you can't just download some crap into a file and expect it to execute. Windows doesn't. Finally, a nice one, if Windows (or probably OSX for that matter) got a virus, how do you know if your system files are clean? You really don't. Linux distros have a proper package manager, so comparing the checksums between what is there and what is in the packages is easy, and in fact it's entirely possible (in fact easy) to just reinstall all packages instead of "wipe, reformat, reinstall".

  44. buff_butler

    huh?

    This ASLR thing has existed for so long on other OS's. This was like how Apple "revolutionalized" their iPhone development kit with step through remote debugging... in 2009.

This topic is closed for new posts.

Other stories you might like