updated 12:00 am EDT, Sat July 23, 2011
Leapfrogs Windows 7, Linux, but still not perfect
Consultants with several computer security firms say that Wednesday's release of Mac OS X Lion makes it "king of the jungle" in terms of mainstream operating system security, surging ahead of rivals such as Windows 7 and Ubuntu Linux with very signifiant security overhauls throughout the OS, reports The Register, including a robust implementation of ALSR, sandboxing of vulnerable processes, and locking down web interactions.
Charlie Miller of Accuvant, well-known in the Mac hacking community for his exploitations of various Mac vulnerabilities, is particularly pleased to see significant changes in Safari (he has been known to use weaknesses in Safari as part of his techniques). The latest version (v5.1) separates the internal processes into two camps: the user interface, and the Webkit engine that handles the parsing of web content. The change was made to limit the damage that could be done, and effectively sandboxes each of the two "sides" to prevent any error in one affecting the other.
Apple has also -- finally -- fully implemented address space layout randomization (ASLR), a technique that protects the contents in RAM from being easily manipulated. The technique has been partially present in OS X for some time (since the release of Leopard), but was never implemented system-wide until Lion. Windows has been using the technique since Vista, and Ubuntu also adopted the protection some time ago.
These changes alone make much of Miller's previous techniques for exploiting vulnerabilities moot, though he has still had some success finding other issues to exploit -- a reminder that security is an ongoing and never-finished job for operating systems that offer any amount of open interaction with the internet or other computers. Apple's iOS devices, which are rated even higher than the Mac in terms of security, still have known exploits, which makes it likely that there are still undiscovered or little-noticed loopholes and flaws in the code for Lion.
Apple has also offered a revamped and overhauled Filevault 2 encryption system to protect user data in the event of theft or physical manipulation of a Mac. The new version works on a block level rather than file level, encrypts the entire hard drive rather than just the user folder, and has significantly less impact on performance and doesn't interfere with OS functions. It also now works fully with the company's Time Machine backup software and other improvements.
Both Miller and his co-author in the book The Mac Hacker's Handbook, Dino Dai Zovi of Trail of Bits said that from a security perspective, Snow Leopard was little better on Leopard, but that Lion is a "significant improvement." Zovi describes the level of security in Lion as "Windows 7 plus plus." Apple hired the inventor of the BitFrost security system for OLPC, Ivan Krstic, two years ago in an effort to beef up core OS security. Krstic's methods in BitFrost mirror closely what has now been implemented in Lion.
“I generally tell Mac users that if they care about security, they should upgrade to Lion sooner rather than later," Dai Zovi said, "and the same goes for Windows users, too.” [via The Register]