"I wanted to let you know that I've requested that you be invited to the prerelease seed of Mac OS X Lion, and you should receive an invitation soon," Apple wrote to several security researchers, including such luminaries as Dino Dai Zovi, Stefan Esser and Charlie Miller.
"As you have reported Mac OS X security issues in the past, I thought that you might be interested in taking a look at this. It contains several improvements in the area of security countermeasures," the letter stated, according to a report by CNET.
The report cited Miller, who has demonstrated cracks in Apple's software, as saying, "as far as I know they have never reached out to security researchers in this way. Also, we won't have to pay for it like everybody else. It's not hiring us to do pen-tests of it, but at least it's not total isolation anymore, and at least security crosses their mind now."
Miller predicted Lion would incorporate full ASLR (Address Space Layout Randomization), a security technique that loads code and data at unpredictable addresses so that an exploit for a known weakness cannot rely on where things sit in memory. Snow Leopard currently limits ASLR protection to libraries, leaving the executable's code, stack, and heap at predictable locations that are easier for attackers to target.
Apple's iOS 4.3 will reportedly add ASLR, making it more difficult to jailbreak devices via exploits of userland vulnerabilities. This suggests Lion will also adopt the same protections when it arrives this summer.
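The distinction between library-only and full ASLR described above can be checked directly: record the address of something in each region (executable code, stack, heap, shared library), run the program twice, and see which addresses moved. The program below is an added example written for this page, not code from Apple or from any of the researchers quoted; it assumes a position-independent build on a modern Linux or macOS system, and the names `take_snapshot`, `randomized_regions`, `parse_snapshot` and `describe` are the example's own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <string.h>

/* One address from each region whose randomization we want to observe.
 * Under full ASLR every field changes between runs; under library-only
 * ASLR (the Snow Leopard situation) only `lib` changes. */
typedef struct {
    uintptr_t code;   /* address of a function in the main executable */
    uintptr_t stack;  /* address of a local variable */
    uintptr_t heap;   /* address returned by malloc */
    uintptr_t lib;    /* address of a shared-library function (printf) */
} aslr_snapshot;

enum { RAND_CODE = 1, RAND_STACK = 2, RAND_HEAP = 4, RAND_LIB = 8 };

/* A function whose address stands in for "the executable's code". */
static void marker(void) {}

aslr_snapshot take_snapshot(void) {
    aslr_snapshot s;
    int local = 0;
    void *p = malloc(16);
    s.code  = (uintptr_t)&marker;
    s.stack = (uintptr_t)&local;
    s.heap  = (uintptr_t)p;
    s.lib   = (uintptr_t)&printf;
    free(p);
    return s;
}

/* Compare snapshots from two separate process runs and return a bitmask
 * of the regions whose address moved. */
int randomized_regions(const aslr_snapshot *a, const aslr_snapshot *b) {
    int mask = 0;
    if (a->code  != b->code)  mask |= RAND_CODE;
    if (a->stack != b->stack) mask |= RAND_STACK;
    if (a->heap  != b->heap)  mask |= RAND_HEAP;
    if (a->lib   != b->lib)   mask |= RAND_LIB;
    return mask;
}

/* Turn the bitmask into the verdict a reader cares about. */
const char *describe(int mask) {
    if (mask == (RAND_CODE | RAND_STACK | RAND_HEAP | RAND_LIB)) return "full ASLR";
    if (mask == RAND_LIB) return "library-only ASLR";
    if (mask == 0) return "no ASLR";
    return "partial ASLR";
}

/* Parse the line that main() prints, so a previous run's output can be
 * handed back in as argv[1].  Returns 1 on success, 0 on a malformed line. */
int parse_snapshot(const char *line, aslr_snapshot *out) {
    unsigned long long c, s, h, l;
    if (sscanf(line, "code=%llx stack=%llx heap=%llx lib=%llx", &c, &s, &h, &l) != 4)
        return 0;
    out->code = (uintptr_t)c; out->stack = (uintptr_t)s;
    out->heap = (uintptr_t)h; out->lib   = (uintptr_t)l;
    return 1;
}

int main(int argc, char **argv) {
    aslr_snapshot now = take_snapshot();
    printf("code=%llx stack=%llx heap=%llx lib=%llx\n",
           (unsigned long long)now.code, (unsigned long long)now.stack,
           (unsigned long long)now.heap, (unsigned long long)now.lib);
    /* Second run: compare against the first run's printed line. */
    if (argc > 1) {
        aslr_snapshot prev;
        if (parse_snapshot(argv[1], &prev))
            printf("%s\n", describe(randomized_regions(&prev, &now)));
        else
            fprintf(stderr, "could not parse previous snapshot\n");
    }
    return 0;
}
```

Build it as a position-independent executable (for example `cc -fPIE -pie aslr_check.c -o aslr_check`), run `./aslr_check` once, then `./aslr_check "$(./aslr_check)"`: the second invocation prints the verdict. Comparing across separate processes matters; a fork() child inherits the parent's layout and would report "no ASLR" regardless of the system's protection.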
Dai Zovi, who has similarly demonstrated exploits for Apple's software before at events such as CanSecWest, tweeted, "Apple has invited me to look at the Lion developer preview. I won't be able to comment on it until its release, but hooray for free access," later adding, "This looks to be a step in the direction of opening up a bit and inviting more dialogue with external researchers."
Dai Zovi also mused, "Will Lion be the 'Vista' of Mac OS X? In the sense that they start taking security seriously, not the sense that nobody wants to use it."
27 Comments
Dai Zovi also mused, "Will Lion be the 'Vista' of Mac OS X? In the sense that they start taking security seriously, not the sense that nobody wants to use it."
Allow / Deny pop-ups like Vista?
It's actually really nice to see Apple doing this. It sure shows they want to deliver a safer OS.
Let's hope it helps OS X not be the first OS hacked every year at that hacker contest...
Allow / Deny pop-ups like Vista?
It already does for administrative actions, a GUI wrapper around sudo. Every Linux and BSD distro has the same feature, and with a little work, Windows Vista/7 can be set up with the same security (by default, the popups are useless and just annoying).
It's actually really nice to see Apple doing this. It sure shows they want to deliver a safer OS.
Let's hope it helps OS X not be the first OS hacked every year at that hacker contest...
The only reason OS X is hacked first is because people have an incentive to win the Mac. Nobody wants the PC, so they don't try so hard to hack it.
Allow / Deny pop-ups like Vista?
Oh the inhumanity!