Inside Mac OS X 10.7 Lion: Apple exposing beta to security experts for review
"I wanted to let you know that I've requested that you be invited to the prerelease seed of Mac OS X Lion, and you should receive an invitation soon," Apple wrote to several security researchers, including such luminaries as Dino Dai Zovi, Stefan Esser and Charlie Miller.
"As you have reported Mac OS X security issues in the past, I thought that you might be interested in taking a look at this. It contains several improvements in the area of security countermeasures," the letter stated, according to a report by CNET.
The report cited Miller, who has demonstrated cracks in Apple's software, as saying, "as far as I know they have never reached out to security researchers in this way. Also, we won't have to pay for it like everybody else. It's not hiring us to do pen-tests of it, but at least it's not total isolation anymore, and at least security crosses their mind now."
Miller predicted Lion would incorporate full ASLR (Address Space Layout Randomization), a security technique that puts important data in unpredictable locations, making it harder to target known weaknesses. Snow Leopard currently limits ASLR protection to libraries, leaving the location of code, stack, and heap easier for crackers to aim their assaults.
Apple's iOS 4.3 will reportedly add ASLR, making it more difficult to jailbreak devices via exploits of userland vulnerabilities. This suggests Lion will also adopt the same protections when it arrives this summer.
Dai Zovi, who has similarly demonstrated exploits for Apple's software before at events such as CanSecWest, tweeted, "Apple has invited me to look at the Lion developer preview. I won't be able to comment on it until its release, but hooray for free access," later adding, "This looks to be a step in the direction of opening up a bit and inviting more dialogue with external researchers."
Dai Zovi also mused, "Will Lion be the 'Vista' of Mac OS X? In the sense that they start taking security seriously, not the sense that nobody wants to use it."