Apple Asks Security Experts To Examine OS X Lion

Posted by samzenpus
from the kick-the-tires dept.
An anonymous reader writes "For as much as Mac OS X has a reputation for being safer than Windows, security researchers won't hesitate to point out that the opposite is, in fact, true. But Apple's looking to change that. This past Thursday, Apple doled out a beta of OS X Lion to developers. In conjunction with that, Apple is also reaching out to noted security experts and offering them free previews of OS X 10.7 so that they can take a look at Apple's new security measures and reach back to Apple with any thoughts and concerns they might have. Indeed, Apple is becoming a lot more security conscious these days, not only in terms of reaching out to security researchers but also in its personnel hires."
  • Re:The opposite??? (Score:0, Informative)

    by Anonymous Coward on Sunday February 27, 2011 @03:54PM (#35332742)

    You ever heard about Pwn2Own? OSX got cracked in about 2 minutes in one of the more recent contests. It was the first OS to be taken down. Win7 took a while longer, since they already have experience in dealing with security issues (~90% market share tends to get you targeted a hell of a lot more).

  • Re:The opposite??? (Score:4, Informative)

    by Shikaku (1129753) on Sunday February 27, 2011 @03:58PM (#35332754)

    http://en.wikipedia.org/wiki/Pwn2Own [wikipedia.org]

    Pwn2Own contests regularly have Safari/Mac software as a valid winning target.

    Is it good data? Maybe not. But the point is that Macs aren't targeted much because the Windows desktop share is much larger (some figures say 90%). So while they can get viruses, it's not a valuable target for botnets.

    Still waiting for the first Mac OS X virus in the wild...

    http://www.symantec.com/security_response/threatexplorer/azlisting.jsp?azid=O [symantec.com]

    OSX.* near the bottom of the list. There are 13 on that list.

  • by Colonel Korn (1258968) on Sunday February 27, 2011 @03:59PM (#35332762)

    as much as Mac OS X has a reputation for being safer than Windows, security researchers won't hesitate to point out that the opposite is, in fact, true.

    I'm sorry, what? Windows is "safer" than OS X? "In fact"?

    Every single year, OSX loses the Pwn2Own competition first. Windows and Linux always go down on the same day. No matter what version has been current, OSX has always been less secure than Windows when both are up to date on patches. If Apple changes its security culture, it could mean big things for Apple in corporate environments.

  • Re:The opposite??? (Score:5, Informative)

    by speedingant (1121329) on Sunday February 27, 2011 @04:13PM (#35332820)
    It's not bad actually... You need a Mac Mini server x2 to replicate each other, and push out the managed settings. You can authenticate machines via AD/OD/OpenLDAP. You can host the home folders off any NFS/AFP server. NetBoot, NetRestore etc. make deploying easy.. I'm looking after 150 Macs at the moment, as well as a host of PCs, and I don't have many issues. It's just me.
  • by polaris20 (893532) on Sunday February 27, 2011 @04:17PM (#35332848)
    The wording is indeed poor. Charlie Miller (made famous by Pwn2Own, hacking OS X and iOS) has stated several times that OS X is not more secure than Windows, it is safer. Safer != Secure. He goes on to say he prefers OS X, and still recommends it over Windows. Would you rather be the guy wearing a bulletproof vest running into gunfire, or the guy wearing just a T-shirt, but not even in the same county? Until OS X reaches a level of market penetration that Windows has, it'll continue to be less attractive to hackers for profit. Sorry OS X users (myself included): our OS isn't the most secure out there. Security by obscurity isn't security.
  • by n0-0p (325773) on Sunday February 27, 2011 @04:29PM (#35332936)

    You're joking, right? Apple is historically months behind in patching publicly disclosed vulnerabilities in core libraries they share with other Unix-like systems (Samba and Java are two key examples). Overall code robustness is abysmal in any Apple product I've assessed--they fall over with trivial fuzzing or a few hours of analysis. They're an absolute pain in the ass to deal with when trying to resolve a responsibly reported vulnerability: they often don't seem to have qualified people triaging inbound reports, and when they do finally acknowledge the correct severity of a reported issue it can take years before they finally push out a fix. And to top it all off, their core security counter-measures (e.g. ASLR and NX) are useless as anything more than marketing fluff because they're not implemented consistently.

    Seriously, I've been in the security field for almost 15 years and dealt with reporting vulnerabilities to dozens of companies. Microsoft is a pain to deal with because of their compatibility matrices and long release cycles, but they're generally competent. Whereas Apple is just an absolute train-wreck. The only reason every Mac isn't infested with malware is that they're not a big enough chunk of the market for it to be worth the effort. If they ever cross the magic 15% threshold they're in for a very rude awakening.

  • by lseltzer (311306) on Sunday February 27, 2011 @04:40PM (#35333014)
    IIRC, this is the version in which they will no longer deliver a Java VM. This alone will drop the vulnerability and patch count significantly. Can anyone with the preview confirm that it is/is not included?
  • by Kitkoan (1719118) on Sunday February 27, 2011 @04:47PM (#35333052)

    You mean, once the contest enters the phase where you can run a program remotely, people attack the Mac first, because they want to win the Mac, and Windows and Linux are successfully attacked minutes later.

    No, he means exactly what he said. OSX is less secure than Windows. Charlie Miller (the guy who takes down the Macs first) has mentioned this in an interview here [threatpost.com]. While Apple has improved their security, they are still behind Windows.

    Many pundits have made a lot of the fact that the Mac was the first to be exploited in the Pwn2Own contest. Was the choice of the Mac as the first target because the hardware/operating system combo was more desirable as a prize than the commodity Windows laptops of the other competitors? Or was it just because Macintosh exploits occur with much less frequency than Windows exploits and would therefore be more newsworthy?

    So until this year, applications on Apple were way easier to exploit than Windows. This is because Apple had weak ASLR and no DEP while Windows had full ASLR and DEP. This year, Snow Leopard has DEP, so it's no longer trivial to exploit. In fact, I have lots of bugs in Safari that I easily could have exploited on Leopard but will be very difficult on Snow Leopard. So it used to be that it was much worse, but now it's mostly comparable (although still slightly behind).

  • by 99BottlesOfBeerInMyF (813746) on Sunday February 27, 2011 @04:49PM (#35333058)

    It is disappointing to see the comments thus far have not bothered to mention what potential security improvements are likely to be in the final version of Lion and how effective they might be. So far the ones I've heard mentioned include:

    • ASLR applied to more than just the libraries.
    • More ubiquitous use of the sandboxing framework, enough so that there are now bugs around applications being unable to save files if the file name changes in the Finder, while open in the app.
    • Dropping the custom Java runtime, and making a deal with Oracle to maintain it alongside the Windows JVM.
    • A new full disk encryption system built in (branded the same as the old Filevault) with a rapid system wipe.
    • Webkit2 with a sandboxed thread model.

    I'm sure in more security oriented forums there will be some good analysis of these new features, how well implemented they are, and how effective they are likely to be. The Mac App Store offers some potential security improvements by standardizing application updates and pushing them out more quickly and widely and hopefully encouraging developers to make more use of security frameworks already present. Personally, I think the sandboxing combined with the Mac App Store could be a huge boon to security if Apple can get enough developers on board, but I'm not sure if Apple will go that route. Hopefully feedback from experts will help push them in that direction.

  • by ZeissIcon (67281) on Sunday February 27, 2011 @05:01PM (#35333128)

    From the Charlie Miller interview mentioned elsewhere in this thread...

    Another question from the Twittersphere: What OS/browser pairing do you use? Do you do anything special (beyond default settings) to secure yourself while browsing?

    You're not trying to pwn me are you??? Have you ever heard the saying about the cobbler's kids not having shoes? That's me, I'm afraid. I use Safari on OSX with no special settings. This isn't the most secure combination, by any stretch of the imagination, but I like it. It's designed by Apple engineers to be easy to use and 'just work' and it does. The risk of malware is low, and hey, I'm a security expert right :) The risk of a targeted attack is real, except I don't think I'm important enough to be targeted! So I rely on security by obscurity, I guess.

  • by 99BottlesOfBeerInMyF (813746) on Sunday February 27, 2011 @09:11PM (#35334626)

    They want the benefits of open source mentality without having to give back.

    Umm, almost all of their security frameworks are open source. The MAC framework was based on the TrustedBSD variant of the same, and although not required by the license, Apple has continued to keep their fork open source. They are giving back the source to tons of code. They are, in fact, a huge OSS contributor. For example, WebKit2, incorporating protected memory threads into WebKit directly, is open source and written by Apple. Google wrote similar software, but kept it out of WebKit so that other WebKit-based browsers did not automatically gain the same security/stability benefits as Chrome. It is a serious security improvement, Apple wrote it, and contributed it, and the OSS community is incorporating it to the benefit of all.

  • No it won't (Score:5, Informative)

    by Sycraft-fu (314770) on Sunday February 27, 2011 @09:47PM (#35334824)

    Apple's problem in corporate environments is their complete and utter lack of understanding and support of a real enterprise. They want to play make-believe at enterprise support but they don't take it seriously. It is a disaster and only getting worse. We've been looking at integrating Macs into a lab (and we are going to) but will need 3rd party software to make it work well.

    Some big noteworthy things they've done recently are discontinue servers and screw over virtualization. So you can't buy a blade server, the most popular kind of server, for Macs anymore. You can buy a Mac mini, an overpriced tiny little desktop thing ($1000 for a Core 2 Duo server box) and use that, or you can buy a Mac Pro tower. That's it. No rack servers. Yeah, that is real enterprise support.

    In terms of virtualization, VMware fully supports OS-X server, client tools and all... However Apple won't license it to run on anything but Mac hardware. So if you want Mac VM servers you have to buy a Mac Pro tower and find a place to put that, then get VMware Fusion on it, which is a desktop solution, not a server one, then virtualize OS-X server on that. That big rack of high availability, bare-metal ESXi servers that you run Windows, Linux, etc. on? Nope, fuck, you can't run OS-X on it because Apple says so.

    Apple will never get big in corporate environments until they get real with enterprise support. Not half-assed solutions, real support.

  • Mod parent (Score:4, Informative)

    by Billly Gates (198444) on Monday February 28, 2011 @03:17AM (#35335986) Journal

    True.

    IIS and SQL Server injections were on the rise when Solaris was still king of the internet server market a decade ago. Windows Server back then was not the dominant player yet had most of the backdoors. The reason Windows has more viruses and trojans is due to ActiveX and shoddy design for IE and Windows. Not because it was the dominant client operating system.

    I would mod you up if I had points. I have been refuting this until I am blue in the face.

    It has nothing to do with popularity. Fact is, in 1999 all you had to do was write a few lines of code in C++ to delete a partition and put it in an OCX container for ActiveX and voilà! Anyone visiting your site lost their hard drive! Yes, security was that bad in the 1990s with Windows.

  • by John Betonschaar (178617) on Monday February 28, 2011 @09:06AM (#35337344)

    Charlie Miller is the kind of fireman who doesn't mind screaming FIRE! in a theater every now and then, just so he can make a point to stress his own relevance extinguishing fires. Every time anything is published on OS X security, this guy is quoted along with some title of some books he wrote. He might know a lot about OS X security and the way you could theoretically exploit it, but that's hardly a measure of how secure OS X is compared to other operating systems.

    Every time I read an article that brings up the 'small market share' that makes OS X 'less attractive to malware writers' I know I can safely disregard anything in it. People have been saying this for decades, meanwhile OS X market share has almost quadrupled, many Mac users are the kind of people with disposable income and credit cards, yet *no* viruses *whatsoever* have *ever* managed to successfully exploit Macs. Not a *single* one. No matter how much bigger the Windows market share is, you'd expect at least one or two prolific malware writers to give it a shot, just to make a point, or to make a market out of the 10% of Macs already out there.

    Both articles linked are just like that. A summary of security features OS X doesn't have, and/or a list of 'critical security flaws' and how fast they are solved, and a concluding remark that 'OS X users do not have to worry _yet_, because OS X market share is still not high enough for it to be interesting'. We'll talk yet another decade from now and see how many OS X viruses have surfaced in the meantime...
