Researchers give Leopard security low marks

Computerworld - Security features that Apple Inc. added to Leopard look great on paper, but in practice most are half-baked or useless, experts said today. And none of those features, good or bad, will make a whit of difference in how safe Mac users are when they hit the Internet.

"I do think that this is the most significant update in the OS X line when it comes to security," said Rich Mogull, a security consultant and former Gartner Inc. analyst. "But Apple didn't finish the job. There's a lot of room for improvement here."

Apple touts more than a dozen new security features and tools in Leopard, from anti-exploit memory randomization and an application defense dubbed sandboxing, to a guest account for shared machines and tighter control over input managers, long-abused operating system components that could be used by hackers to jack Macs. But with an exception here and maybe there, any crowing by users that Mac OS X 10.5 is more secure is premature.

For the most part, Mogull sees the new features as laying the groundwork for serious work down the road. He gave only a few -- such as the new restrictions on input managers -- rave reviews. "The changes in input manager are huge," said Mogull. "It shows that Apple is willing to reduce functionality to increase security. It's never done that before.

"Great, great move," he said.

Input managers, code originally intended to provide accessibility and internationalization functionality to Mac programs, have morphed into plug-ins created by scores of third-party developers. And they're a straight street to the operating system that hackers could drive as easily as legitimate programmers, said Thomas Ptacek, a researcher at Matasano.

"Almost all plug-ins abuse input managers," said Ptacek, who agreed with Mogull and tagged Leopard's lock-down as a smart move. "They've been used by the good guys, but they could also be a really bad way for attackers to backdoor a Mac. Fortunately, Leopard's made it a lot harder to install them."

Other moves by Apple on security, said Ptacek, include Leopard's new sandboxing, which let the company's developers restrict applications' actions, such as what network access they're allowed or what other programs they can communicate with. While applauding the effort -- "sandboxes are better in some ways than what Vista provides," he said -- Apple's follow-through was dismal. "Almost nothing you care about is sandboxed," Ptacek argued, pointing out that Safari, iChat and Mail, the three applications most often exposed to malware, or used as an attack vector, are not sandboxed.

Nor has Apple documented the feature. "You can't officially use this API to secure your own code [and] we can't read their code or specifications to test whether it's secure," Ptacek said.