Major overhaul makes OS X Lion king of security

With Wednesday's release of Mac OS X Lion, Apple has definitively leapfrogged its rivals by offering an operating system with state-of-the-art security protections that make it more resistant to malware exploits and other hack attacks, two researchers say. Unlike the introduction of Snow Leopard in 2009, which offered mostly …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Boffin

    Really leaps and bounds above the rest?

    Wasn't IE 7 the first browser to have sandboxing in Vista?

    Like the article says a good implementation of ASLR has been in Windows for a long time.

    Full disk encryption on the boot volume already exists in Windows too.

    That's not to say that these features aren't great - I'm a Mac user and welcome them, but to say OS X is far, far ahead is probably a bit of a stretch.

    1. Anonymous Coward
      Anonymous Coward

      Sandboxing

      Does IE7's sandboxing also work with all your office applications, all your video games, and all your multi-media applications? Just wondering since the article said that OS X's sandboxing was for all applications.

      1. ThomH

        @AC: not quite that simple

        OS X's sandboxing is exposed for use by all applications via a high-level API and is implemented across all applications that the OS comes with. So those are both huge steps, but the sandboxing doesn't apply to software that isn't written to use it. So your existing applications aren't sandboxed, at least in the sense that the term is being used here.

        Apple have stated that applications must use the sandboxing to be accepted onto the App Store as of some date later in the year, so there is a carrot and stick aspect to it, but you can still download any old application you want from the Internet and it can still do whatever it wants (or, more relevantly, expose exploits that allow malicious agents to use it as an agent to do whatever they want).

  2. Anonymous Coward
    Devil

    Address Space Randomization

    Congratulations on achieving the same point where OpenBSD was 10 years ago.

    Watta(fan)boy!

  3. SteveBalmer
    FAIL

    What is this?

    Pay for a report for your new product week or something?

    First NSS Labs IE9 Bullshit and now this...

    Still, we all know how gullible Apple owners are (and the entire American general public); I'm sure they will lap this news up without even a shadow of doubt over its validity.

    1. Anonymous Coward
      Flame

      Re: "we all know how gullible Apple owners are"

      Yes, I'm so gullible I actually believed that I could genuinely install and live with Ubuntu as my main OS without needing to go tinkering in the Terminal. Sure learnt my lesson though (maybe lessons about how to achieve things through the Terminal)!

      Next time I'll ask you for your sagely advice instead, you're obviously much more informed than I could possibly be.

      I wonder if I'd have been so gullible about Linux if I'd been installing it on any one of my non-Apple machines instead of Windows? Probably not - we all know how only when you're using Apple kit do you become a sucker right?

  4. GoFasterStripes
    Gimp

    Sounds great

    How do I get it on my Hackintosh?

  5. jai

    awesome

    am uninstalling my antivirus software as I type....

  6. Anonymous Coward
    Thumb Down

    Typical Apple

    Implement ideas that have been around for years.

    Pretend you're being innovative and somehow superior.

    Watch the fanboys lap it up without a second thought.

    1. Anonymous Coward
      Coat

      RE: Typical Apple

      Then patent the concept, and claim everyone has copied it??

      I'll get my coat

    2. Anonymous Coward
      Trollface

      Typical Norfolk 'n' Goode

      Stringing together some more boilerplate nonsense and resorting to name calling.

      If you actually paid attention, you'd note that this isn't from an Apple press release. If you check Apple's website you'd notice that they aren't in fact pretending they're "being innovative and somehow superior" WRT security. It's a footnote if anything. YOU are the one doing that! Instead of lurking and trolling on every single Mac article, why don't you just stop reading them? They seem to upset you a great deal, so it'd ultimately be better for your health.

      1. Anonymous Coward
        Trollface

        Sorry to spoil your fantasy

        "YOU are the one doing that! Instead of lurking and trolling on every single Mac article, "

        But I don't lurk and troll Apple threads, as much as your tiny deluded imagination may tell you otherwise.

        Go ahead and read my comments, I dare you.

        Oh, you won't do that though, will you? As then you will realise what an lying arsehole you're being.

        1. Anonymous Coward
          FAIL

          RE: lying arsehole

          OK, so not *every* Apple article, just a lot of them. Inaccurately too. You've got some foam on the side of your mouth. The reaction though, speaks volumes. Troll.

          1. Anonymous Coward
            Anonymous Coward

            To the lying arsehole.

            By not every article you mean 2 in the last few months, including this one.

            But don't let reality get in the way of your continued lies and blatant trolling.

            You do know you're making a total idiot of yourself, right?

        2. Anonymous Coward
          Joke

          OK, I read them

          I just read all your comments. You ONLY comment on Apple stories - you're the 'an lying arsehole'. Just because you can't see that they're all Apple articles doesn't mean Apple haven't already patented the method for publishing those articles! ;p

  7. Cameron Colley

    So Canonical are responsible for ASLR now?

    I was under the impression that, rather than Ubuntu adding ASLR, Canonical just took advantage of something in the kernel already* -- or did they code it up and use it before Debian, Red Hat, Mandriva, SuSE and the rest?

    I think what you meant to say was Linux added much more robust implementations of ASLR years earlier.

    *not that there's anything wrong with this.

  8. Demosthenese

    Generally ...

    “I generally tell Mac users that if they care about security, they should upgrade to Lion sooner rather than later, and the same goes for Windows users, too.”

    What? You 'generally' recommend? How's that been working? Recommending a product before it is yet available. I bet his clients have been loving that.

  9. Alan Denman

    A new tree cabin or more firewood?

    With all fanboys once fibbing that the 3GS was better than all the its more modern and advanced rivals, its nigh on impossible to tell the wood from the trees.

    Even Isaac Newton would certainly needed an almight mutant Apple fall.

    1. amanfromearth
      FAIL

      We have these rules..

      .. in english. They are designed to assist comprehension.

      "Even Isaac Newton would certainly needed an almight mutant Apple fall."

      I guess you never covered this at school.

    2. Anonymous Coward
      FAIL

      Eh?

      "With all fanboys once fibbing that the 3GS was better than all the its more modern and advanced rivals"

      Well, it's not disputed that the 3GS was definitely better than the 4. So what's your point?

  10. Colin Guthrie
    WTF?

    Can you point me to the Canonical commits....

    .... that implemented ASLR in the kernel (or in userspace)? I wonder if those "Canonical commits" came from people with @redhat.com email addresses.... that would be weird if they did, wouldn't it?

    As a disclaimer, I have no idea who actually did implement ASLR in the kernel, just that I strongly suspect it wasn't Canonical.... their record of kernel contributions is shockingly low generally (David Henningsson's and other Canonical folk's recent sound-related fixes in the kernel have been very much welcomed tho' :))

  11. G C M Roberts
    Linux

    Does Linux have to catch up?

    I *thought* that this ASLR was done by doing a prelink -afmR and there was also some kernel option ticked which did some similar stuff?

  12. uhuznaa
    Thumb Up

    Full HD encryption

    One has to say that enabling this in Lion is a piece of cake. Click a button and that's it, after a reboot the data is encrypted in the background, no setup woes, nothing. Compared to the burning hoops you have to jump through to enable this on other systems (although it is nothing new and entirely possible since ages) this really makes a difference.

    Say what you want, Apple is good at making things easy enough to have common people actually use it instead of just nerds bragging about things being "possible". I know only very few people actually encrypting their laptop drives on Windows or Linux, even if most know that they could and should do it. Come on, do *you* encrypt your drives?

    1. David Ward 1

      easy in Ubuntu

      was trivial in Ubuntu. Most people I know don't know they are using it of course, but it is trivial.

      1. uhuznaa

        "Trivial" in Ubuntu...

        http://www.linuxbsdos.com/2011/05/10/how-to-install-ubuntu-11-04-on-an-encrypted-lvm-file-system/

        versus

        http://static.arstechnica.net/2011/07/04/lion/file-vault.png

        1. Anonymous Coward
          Anonymous Coward

          Seems fair

          I always knew OSX magically installed partitions *sigh*

          I wouldn't be that surprised if it did actually, not that I've seen it on my Snow Leopard VM at home. I mean, giving users control over how they want to partition their disk is going to be deemed to be a step too far one day, surely!!

  13. Anonymous Coward
    Boffin

    The only Security Apple cares about

    Is that related to maintaining its control & monopoly over its users.

    1. Anonymous Coward
      WTF?

      Monopoly isn't what you think it is.

      Hmmm, let's see. Monopoly and control would suggest Apple users have no choice of OS, yet I can install either OS X, Windows or Linux on my hardware and even triple-boot. So that's obviously not a monopolistic position. They're also not controlling (as of yet and for the foreseeable future) my choice or ability to do this.

      Also, your choice of the words 'monopoly and control' would suggest I don't have the ability to choose which software I run even when inside Apple's 'controlling' and 'monopolistic' OS. Yet, for some reason when I surf the web I can use Firefox, or Chrome, or Opera. When I send emails I can use Thunderbird or Opera. When I retouch photos I can use GIMP or Photoshop. When I write music I can use Cubase, or ProTools, or Reason, or Ableton, or Reaper. When I edit videos I use Premiere. When I listen to music I can use Audion. When chatting to friends online I can use Skype or Google+ or MSN, or AIM.

      And the list goes on... None of those pieces of software are Apple's offerings, despite Apple writing software which performs each of those tasks (Safari, Mail, Aperture, Garageband/Logic, iMovie/Final Cut Pro, iTunes/Quicktime Player) so at which point am I controlled and monopolised even if I make the free choice not to run one of their competitors' operating systems on hardware I chose to buy in the first place?

  14. Wang N Staines

    "randomization and sandboxing"

    Has Apple patented this yet?

    1. Anonymous Coward
      Anonymous Coward

      As well as.....

      'Lion'. No doubt they'll attempt to patent this.

  15. Cyberspice
    Happy

    You know when...

    ...a company is getting big. Because all the gripers are the first to post comments. OS X has now surpassed Windows, in one area. Now it's the Windows fanboys who lay into Apple rather than the other way around.

  16. foo_bar_baz

    SEL?

    Echoing earlier Ubuntu comments. RHEL has had excellent SELinux support for several iterations. Look up Mandatory Access Control.

  17. Arctic fox
    Unhappy

    For a moment I thought that I had logged on to the Graun's tech website....

    .......after all they regularly do this type of puff piece for The Man From Cupertino, bit of a shock when I realised it was dear old El Reg - what happened?

  18. magnetik

    sandboxed

    All very well and good that Safari is sandboxed in Lion but most OS X users I know use either Chrome or Firefox. What's the desktop Safari's market share, less than 3%?

  19. Anonymous Coward
    Megaphone

    Rhubarb!

    Rhubarb! Rhubarb! Toilet paper! Toilet paper in our time!

    Oh I'm sorry I thought this was the forum thread to spout any old tosh you wish about your most favourite thing, that others seem to be " dissin' "!

  20. frood
    Meh

    Where's the fat?

    Apple finally finishes implementing some basic security measures that were half written in Snow Leopard, golly! The only vaguely interesting bit is that it can now encrypt the entire boot disk (unlike, I believe, BitLocker, not that I've seen it, a fabled object that only exists on the fanboi and enterprise editions of Windows). I use Macs, I'm happy with the price and will probably upgrade 'cause of that and not because of this gushing advert.

  21. Anonymous Coward
    WTF?

    Fine. Let's try it then

    okay

  22. Anonymous Coward
    Stop

    So Windows has had ASLR for years

    True, it has. Except that most of the core has not been compiled with it for a while, and even the bits that had - OTHER apps weren't. You have to specifically enable it when developing rather than it being enabled by default (which, IIRC is still true in W7) - Apple turning it on by default is not a bad thing and I could be wrong but I think it does put it ahead of Windows...

  23. doperative
    Linux

    What ASLR is for?

    While I applaud such efforts, what I would be interested in hearing is why nobody seems to be able to design and implement a Memory Management Unit that can prevent one function from accessing another function's address space and do the same for the heap and the stack. In this context `function' means independently running processes. The same applies to sandboxing: why plant a sandbox on top of the OS, why not fix the OS? Such protections should be done in the hardware if they are to be effective. Don't tell us how it can't be done or I don't understand the technical issues; the so-called security professionals don't seem to either.

    "No doubt, Apple deserves kudos for setting a new standard in OS security that Microsoft and Linux distributors would do well to emulate"

    Now you've done it, don't ever mention Redmond in the same breath as Linux. Here's my solution, run your OS off a read-only device, the running system loads to memory and gets flushed at shutdown.

    http://en.wikipedia.org/wiki/Ubuntu_Live_USB_creator

    -------

    Is there any risk of brain damage?

    Well, technically speaking, the operation is brain damage, but it's on a par with a night of heavy drinking. Nothing you'll miss.

    1. Galidron

      Process memory

      Exploits don't necessarily need to access other processes' memory if they can overwrite and execute their own memory space.

      Sandboxing is part of fixing the OS. It restricts the things applications can do, so that if the application behaves badly it reduces or eliminates the possible damages.

    2. doperative
      Linux

      re: What ASLR is for?

      "Lightweight Portable Security (LPS), created by USA's Department of Defence, is a small Linux live CD focusing on privacy and security, for this reason, it boots from a CD and executes from RAM, providing a web browser, a file manager and some interesting tools. LPS-Public turns an untrusted system into a trusted network client"

      http://www.unixmen.com/software/1832-lightweight-portable-security-lps-a-linux-disto-from-the-us-department-of-defense

  24. Anonymous Coward
    Trollface

    Modern day fox hunting

    I love how much Apple stuff makes so many (although I must stress, not all) IT dept types foam at the mouth. It's such a perversely satisfying side benefit of using their kit. This kind of comments thread is my own little humane version of watching a dogfight. Smug, I know, but I can't help it. Apple User Smugness makes them so much more apoplectic, it's just irresistible.

  25. Alan Bourke
    FAIL

    Dino you fanboy

    "Dino Dai Zovi, principal of security consultancy Trail of Bits and the coauthor of The Mac Hacker's Handbook. “I generally tell Mac users that if they care about security, they should upgrade to Lion sooner rather than later, and the same goes for Windows users, too.”

    Yeah and what will I do if I want to play games and run my business ?

    Knob.

    1. Anonymous Coward
      Trollface

      what will I do if I want to play games

      @Alan Bourke: Dino you fanboy

      > Yeah and what will I do if I want to play games and run my business ?

      Get a games console ...

      1. Mike Moyle
        Trollface

        @ AC 14:10

        I think you're missing Alan's point...

        Since almost all Windows business software functionality can be duplicated on a Mac (and, in fact, Windows can be run as a VM on a Mac, so ANY Windows software can be run), his business is most likely a Windows service shop. If enough people take Dino's advice he may actually have to learn about Macs in order to stay in business. (And -- let's face it -- frothing at the mouth while working on electronic gear is probably a dangerous practice, so he might be at risk as a Mac tech!)

        1. Greemble
          Facepalm

          Deliberately missing the point?

          How exactly does running Windows on a Mac constitute 'upgrading' to Lion?

          Besides, as you say MOST business software can be run on a Mac (by which I take it you mean OS X) - not all, though.

          I also note you've omitted the games part of his question, too. - No, a console requires buying separate hardware to do what one PC already does better.

  26. Nikolaus Heger

    Fanbois Beware!

    I worry about Mac viruses daily, just like I worry about getting hit by a crashing airplane, or getting struck down by lightning. It's happened before, people! Better worry than... erm... not, right?

  27. ZenCoder
    Unhappy

    Theoretical vs Actual Risks.

    Theoretically, a quick review of the history of the Pwn2Own contest will convince most that researchers are always able to find and exploit vulnerabilities, no matter what OS you use.

    On a practical level, I've disinfected hundreds of Windows computers; I have yet to see a virus-infected Mac.

    I fully expect things to change if OSX's market share continues to rise, at which point I just start doing my online shopping and banking using Linux.

    1. Charles 9

      Until Linux's market share rises...

      ...and malware authors start targeting Linux with privilege escalations and other nasty bits we already see in Windows. It's only then when you realize that nowhere is safe and that you're dead either way. Hell, even physical banks aren't foolproof (two words: bank heist).

  28. Lord Lien
    Gimp

    Anyone else read 1st paragraph...

    .... & wonder if the author is trolling?
