Apple asks security experts to examine OS X Lion

Sat, Feb 26, 2011


For as much as Mac OS X has a reputation for being safer than Windows, security researchers won’t hesitate to point out that the opposite is, in fact, true. Indeed, the primary reason why the Mac has been relatively immune from security threats often found on Windows is because the Mac’s relatively paltry market share makes it an unattractive target for malicious hackers. Put differently, when it comes to code quality as it pertains to security, the Mac is not the safe-haven many assume it is.

But with Apple selling record numbers of Macs quarter after quarter, Apple’s PC market share is slowly but surely increasing. Moreover, as hackers become more sophisticated, malware is increasingly becoming OS independent. As a result, Apple needs to devote a lot more attention to system security, and recent moves over the past few months indicate that Apple is up for the challenge.

This past Thursday, Apple doled out a beta of OS X Lion to developers. In conjunction with that, Apple is also reaching out to noted security experts and offering them free previews of OS X 10.7 so that they can take a look at Apple’s new security measures and presumably reach back to Apple with any thoughts, observations, and concerns they might have.

Apple reportedly sent out the following letter to an undisclosed number of security researchers.

“I wanted to let you know that I’ve requested that you be invited to the prerelease seed of Mac OS X Lion, and you should receive an invitation soon,” the letter reads. “As you have reported Mac OS X security issues in the past, I thought that you might be interested in taking a look at this. It contains several improvements in the area of security countermeasures.”

MacBook hacker and security consultant Dino Dai Zovi was one such individual who received one of Apple’s invites to give OS X 10.7 a test drive. In a few tweets sent out on Thursday, Dai Zovi wrote:

“Apple has invited me to look at the Lion developer preview. I won’t be able to comment on it until its release, but hooray for free access!

“This looks to be a step in the direction of opening up a bit and inviting more dialogue with external researchers.”

Also on the guest list, so to speak, is famed OS X hacker and former NSA employee Charlie Miller, who has made a habit of finding OS X exploits with breathtaking regularity. In 2009 Miller cracked Apple’s Safari browser in just 9 seconds at the CanSecWest security conference. Miller, along with fellow researcher Collin Mulliner, also made headlines during the summer of 2009 when he demonstrated, at the Black Hat computer security conference in Las Vegas, how to remotely take over any iPhone with a text message comprised of just a single character. Apple was subsequently forced to issue an iOS update to fix the security risk once Miller made the exploit public. Note, though, that Miller only took the exploit public after he claimed Apple failed to respond to him and Mulliner after the two first informed Apple of the vulnerability.

In any event, CNET contacted Miller about the importance of Apple’s security invitation.

Miller opined, “As far as I know they have never reached out to security researchers in this way. Also, we won’t have to pay for it like everybody else. It’s not hiring us to do pen-tests of it, but at least it’s not total isolation anymore, and at least security crosses their mind now.”

“I haven’t downloaded it yet,” Miller concluded, “but if I had, I couldn’t talk about it. Damn NDAs.”

Damn NDAs, indeed. But it is reassuring to see Apple becoming a lot more security conscious these days, not only in terms of reaching out to security researchers but also in its personnel hires.

Back in May of 2009, Apple hired noted security expert Ivan Krstić, who formerly served as the director of security architecture for the One Laptop per Child (OLPC) initiative. In May of 2010, Apple hired former Mozilla security chief Window Snyder as a senior security product manager. Previously, Snyder worked at Microsoft as the security lead on a number of OS releases. Another noteworthy security hire at Apple is PGP co-founder Jon Callas, who was hired nearly a year ago to work on OS security. Callas is highly regarded for his cryptography acumen.

More recently, Apple in January hired former NSA analyst David Rice to head up operations as Apple’s director of global security.


12 Comments For This Post

  1. john Says:

    “For as much as Mac OS X has a reputation for being safer than Windows, security researchers won’t hesitate to point out that the opposite is, in fact, true.”

    Citations, please?

  2. flerchjj Says:

    I would be happy if it played better with smartcard authentication again. It hasn’t been working well for me for quite some time.

  3. mal Says:

    @john – It is fairly true, for out of the box osx. Safari is a nightmare. However, in the hands of a security expert… it is BSD.

  4. macsyrinx Says:

    @mal “It is fairly true, for out of the box osx” – is not a citation.

  5. JimK Says:

    Go google Charlie Miller. This isn’t really news. OSX and Safari have been the most easily compromised combo for years at the Pwn2Own competition. The most secure was win7 with IE8 or Chrome and NO flash installed. This is actually a good move by Apple.

  6. Alex Says:

    Degree of Secure != Risk to user

  7. Kevin Says:

    LOL In REAL WORLD USAGE OS X IS more secure than Windows.

    The “Only 10% use it so it’s not valuable for virus writers” is BULLCRAP!

    I knew MANY people that wrote viruses. They TRIED and TRIED to get one to work and spread with OS X. WHY? The first person that does it will be famous, and probably have a lucrative career.

    There are people CONSTANTLY trying to get viruses to spread on OS X. Unless you have a DIRECT CONNECTION to the computer, it’s next to impossible.

  8. wryMac Says:

    “Indeed, the primary reason why the Mac has been relatively immune from security threats often found on Windows is because the Mac’s relatively paltry market share makes it an unattractive target for malicious hackers.”

    This is the most baseless argument I’ve heard. Yes, Macs have a smaller market share. Digital thievery and malfeasance isn’t a zero sum game. There is *more* to be gained by targeting two platforms than one, hence, small market share isn’t a reason not to attack a Mac.

    To use a real world analogy (let’s use cars): Fords have proprietary security mechanisms. BMWs have proprietary security mechanisms. Fords have a lot more market share than BMWs. To use your argument: If I’m a thief, why would I ever bother to ever try and steal a BMW? My answer: Because I can, and because it’s potentially far more valuable than a Ford.

  9. Chuck Says:

    How can osx be less secure and have less malware?

    1) actual viruses are much more difficult to code.

    2) Malware uses virus tricks to stealth itself.

    While osx is easier to hack, it’s harder to hide evidence. Malware thrives on remaining undetected.

  10. Joe Klein Says:

    Wait, are you telling me that Apple is asking help to secure their product in exchange for a $120 operating system?

  11. keyboard Says:

    flame on children!

  12. Ralifin Says:

    LOL…Look at all the iSheeple trying to make excuses for their lame insecure OS. Pwn2Own. Check it out. Every year mac gets hacked by far the easiest. Ms has been dealing with malware for years now, they know what’s up…Crapple is many years behind. Deal with it…and you will..just keep buying those macs and you will…