Apple Asks Security Experts To Examine OS X Lion

An anonymous reader writes "For as much as Mac OS X has a reputation for being safer than Windows, security researchers won't hesitate to point out that the opposite is, in fact, true. But Apple's looking to change that. This past Thursday, Apple doled out a beta of OS X Lion to developers. In conjunction with that, Apple is also reaching out to noted security experts and offering them free previews of OS X 10.7 so that they can take a look at Apple's new security measures and reach back to Apple with any thoughts and concerns they might have. Indeed, Apple is becoming a lot more security conscious these days, not only in terms of reaching out to security researchers but also in its personnel hires."

Re:Am I reading this correctly?

[Anonymous Coward]

Every single year, OSX loses the Pwn2Own competition first.

Could just be that the hackers want the mac the most ;-)

Re:Am I reading this correctly?

[node 3]

You mean, once the contest enters the phase where you can run a program remotely, people attack the Mac first, because they want to win the Mac, and Windows and Linux are successfully attacked minutes later.

Re:The opposite???

[node 3]

No it isn't FUD, do some research online, Just about every hacking contest sees OS X go down in a ball of flames in minutes

Yes, minutes... After the contest enters the phase where you can load files remotely. And minutes later, Windows and Linux go down (everyone attacks the Mac first, because pwn2own means you get to keep the computer you pwn, and everyone wants the Mac).

Just about every patch cycle from apple sees more security vulnerabilities patches than are found in all MS products combined in a year.

Not remotely true. However it is true that in pure numbers, Apple patches more vulnerabilities than MS. These are primarily in Open Source products included with Mac OS X, and is seen as a strength, not a weakness. Also, Mac OS X patches tend to be local vulnerabilities, while Windows patches are far more often remote vulnerabilities, which are significantly more critical.

Many security researchers have been pointing out Apples Lax Security practises for a long time

Yet somehow the sky has never fallen. It's possible that Mac OS X is theoretically less secure than Windows, but it's absolutely certain that Mac OS X is, in actual real world usage, significantly more secure than Windows. Hands down, no-contest.

Pwn2own and "patches per year" are interesting metrics, but the only thing that matters is whether a user has to worry about their computer being compromised, and Mac users don't, Windows users do. It's as simple as that. Everything else is academic and hand-waving side-stepping of the actual issue.

seems they might finally be getting the message now that there share of the pie is significant enough to warrant it being an issue.

Apple has had sufficient market share since the beginning of consumer viruses and malware. There were plenty of Mac viruses back when their market share was far lower than it is now. It's absurd to claim that there are essentially zero malware for Macs because of market share, when their market share is large enough for thriving third-party software and hardware. Market share plays a role, but is not *the* primary reason.

What this indicates is that Apple is being proactive in making sure Macs remain as secure as they are today, and not resting on their laurels.

Re:Am I reading this correctly?

[Cronock]

I've had a Mac OS X Server machine open to the world for 2 years now, partially to just see what people would try to do. I watch the system very closely hoping I will see something happen so I can learn a little about it. Services running are SMB, AFP, Apache, Cal/CardDAV, Email for a few domains, MySQL, Software Update Server, AFP, VNC, and ARD. This server is setup as mostly default with only basic security precautions taken: Disabling clear text authentication mechanisms and using overly-strong passwords to rule out brute force attacks. The firewall has only recently been turned on, all ports open, to utilize the brute-force attempt throttling mechanism that requires it. This server hosts a few of my personal pet project domains, any information that would be considered valuable to intruders is actually kept in AES-encrypted sparse images. I'm overly paranoid about backups, so any vandalism-type attacks are quickly recovered from. So far I've only seen a good share of brute force attacks from IPs in Poland and China agaist SSH, FTP, and VNC. There have also been a whole crapload of spam registrations to the hosted WordPress site, but that's not an OS X issue.

Re:Am I reading this correctly?

[hairyfeet]

Uhhh...you DO know none of the problems you listed apply to Windows since Vista, yes? Let us be consistent here, I mean it isn't like we are comparing Win 7 to system 7 either, so at least compare like to like.

And if Mac is so secure, why does it consistently fall first in "pwn to own"? To me pwn to own seems like the fairer test, since you A.-have an equal reason to pwn all three machines (because you get to keep it and they are nice machines) and B.-have the same bog standard software like flash that a good 90%+ of the public is likely to have.

The simple fact is ALL OSes are seriously complex pieces of code now, and with complexity comes vulnerability. The main weakness in Windows (running as admin) was removed with Vista and now with 7 you simply never run as admin (even the admin account in 7 has less rights than the old XP admin, and like *NIX and OSX is almost never needed) and with DEP, ASLR, and file and registry virtualization Windows has gotten pretty damned secure. Sadly though all the security in the world doesn't stop social engineering and working PC repair I can tell you nearly every infected PC that crosses my desk was infected by the user via social engineering tactics.