Apple's new Leopard operating system has some worrying security issues, according to researchers.
Leopard introduces a number of important security features to the Mac, but they are often incomplete, leaving users vulnerable to attack, said Thomas Ptacek, a researcher at Matasano Security, who has written a detailed assessment of Leopard's security.
"They've done a really good job of robbing Microsoft advocates of their talking points," he said. But, "I don't see anything that they've done out of the box, where it's really any more resistant to attack than Tiger was," he added, referring to the previous version of Mac OS X.
According to Ptacek, two of Apple's key security upgrades – Sandboxing and Library Randomisation – are great ideas that are imperfectly applied.
Library Randomisation is meant to blunt memory-corruption attacks such as buffer overflows, in which the attacker exploits a software bug to redirect execution to code whose location in memory can be predicted. Microsoft shipped a similar defence in Vista, called Address Space Layout Randomisation (ASLR). By loading libraries at unpredictable addresses, Library Randomisation makes it much harder, and ideally impossible, for the attacker to know where the code they need to reach lives, so the exploit fails rather than runs.
The problem, according to Ptacek, is that Apple did not randomise every part of the process that it should have. In particular, the dynamic linker (dyld), which is mapped into every process to load the other libraries, still sits at a fixed address, leaving the attacker one stable block of code to aim at.
Security researcher Dino Dai Zovi said he has relied on that unrandomised code in several of the Mac exploits he has written over the past few years. He agreed with Ptacek's assessment that the Leopard feature would simply make things a little more difficult for attackers.
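The gap Ptacek and Dai Zovi describe is easy to check for yourself: launch a process several times, record where a few regions land, and see which ones move. The script below is an added example written for this page, not code from the article or from Apple; it runs on any Unix-like system (it uses `ctypes` to resolve `malloc` from the C library and `Py_Initialize` from the Python runtime, which are assumed to be exported symbols), and it applies to current systems as well as to Leopard. A region that comes back at the same address on every launch is exactly the kind of fixed anchor an exploit can depend on.

```python
import subprocess
import sys

# Child-process snippet (constructed for this example). In a fresh process it
# prints the address of three regions, one per line:
#   libc    - a shared library (address of malloc)
#   runtime - the Python runtime's own code (address of Py_Initialize, which
#             lives in the interpreter binary or in libpython)
#   heap    - a freshly allocated object
CHILD = r"""
import ctypes, ctypes.util
libc = ctypes.CDLL(ctypes.util.find_library("c") or None)
print(ctypes.cast(libc.malloc, ctypes.c_void_p).value)
print(ctypes.cast(ctypes.pythonapi.Py_Initialize, ctypes.c_void_p).value)
print(id(object()))
"""

REGIONS = ("libc", "runtime", "heap")


def sample_addresses(runs=4):
    """Start a new interpreter `runs` times and collect each region's address.

    Every launch is a separate process, so with working randomisation the
    addresses should differ from run to run. A region that is reported at the
    same address each time is a fixed anchor an attacker can rely on.
    """
    samples = {region: [] for region in REGIONS}
    for _ in range(runs):
        out = subprocess.run([sys.executable, "-c", CHILD],
                             capture_output=True, text=True, check=True).stdout
        values = [int(line) for line in out.split()]
        for region, value in zip(REGIONS, values):
            samples[region].append(value)
    return samples


def is_randomised(addresses):
    """True if the same region was observed at more than one address."""
    return len(set(addresses)) > 1


def assess(samples):
    """Map each region name to whether its address moved between launches."""
    return {region: is_randomised(addrs) for region, addrs in samples.items()}


if __name__ == "__main__":
    samples = sample_addresses()
    for region, verdict in assess(samples).items():
        status = "randomised" if verdict else "FIXED (usable as an exploit anchor)"
        print(f"{region:8s} {status:36s} {[hex(a) for a in samples[region]]}")
```

A handful of launches is a smoke test, not a measure of entropy: it will catch a region that never moves, which is the Leopard-era failure described above, but it says nothing about how many bits of randomness a moving region actually has.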
The Sandboxing feature restricts software so that even if it's hacked it can't do things that it shouldn't, such as install new software. The problem is that Apple hasn't sandboxed many of the most commonly attacked applications such as the browser, mail client, or instant messaging software, Ptacek said.
And the programs that have been sandboxed have not been walled off as thoroughly as they should be, he added.
For example, the Quick Look file viewer has been sandboxed, but only to restrict network access. The software can still be misused to write malicious files where they will be automatically launched, Dai Zovi said. "Most of the things that were sandboxed were network services," he said. "Increasingly these days IM, email and web surfing are where most of the attacks are coming from, not directly on your network."
Independent consultant Rich Mogull said that his biggest problem is Leopard's firewall, which he said suffered from a confusing interface that made it very difficult to control access to individual services on the Mac. "It was very complicated and very hard to get the right settings," he said.
Worse, when he installed Leopard, he found himself suddenly without a firewall. "It turned off my firewall when I upgraded, despite that being a default setting," he said.
Like Ptacek and Dai Zovi, Mogull said he had been expecting more from Apple with the Leopard release, but he agreed that the new security features were a step in the right direction. "I think that Apple has started down the right path but they are not as far as they communicated they would be," he said. "The firewall is the big negative; they really messed that up."
Apple declined to comment in detail. Spokesman Anuj Nayar said via email that "Apple takes security very seriously and has a great track record of addressing potential vulnerabilities before they can affect users."
Ptacek said that it is great that Apple has begun adding these security features even when the Mac has not been the target of a widespread worm or virus outbreak. "I'm impressed that when they didn't have to do it they went after low-level features that no-one will understand," he said. "I like the direction they're headed. I'm just saying that they've got a long way to go to catch up with Microsoft."