Apple invites bug researchers to scrutinize Lion OS
But security experts who accept must keep findings secret
Computerworld - Apple is offering security experts a copy of the developer preview of Mac OS X 10.7, aka Lion, and asking them for feedback.
Several prominent Mac security researchers have reported that they received invitations to try out the Lion preview, which Apple issued Thursday.
"Apple has invited me to look at the Lion developer preview," said Dino Dai Zovi in a tweet yesterday. "I won't be able to comment on it until its release, but hooray for free access!"
Charlie Miller, an analyst with Baltimore-based consulting firm Independent Security Evaluators (ISE) and Dai Zovi's co-author, confirmed today that he had also received an invitation to try out Lion.
The preview comes with a non-disclosure agreement (NDA) that prevents Zovi, Miller and others from commenting publicly about what they find. But Apple has asked for feedback and provided researchers an e-mail address to report vulnerabilities or other issues, said Miller.
"They've never done this before," noted Miller in an interview today. "That they're thinking of reaching out [to researchers] is a good positive step, but whether it makes a difference, I'll believe it when I see it."
Miller has been critical of Apple's security practices in the past, saying in 2008 that Mac OS X was an easier target at the time than either Windows or Linux.
Miller has proven his point at the last three Pwn2Own hacking contests by walking away with cash prizes and laptops for exploiting vulnerabilities in Mac OS X and Safari, Apple's browser. Miller is slated to tackle Safari and Apple's iPhone on March 9 at this year's Pwn2Own.
Other researchers have heard the news, if not received an invitation to the preview, and given their two cents on expectation for security improvements.
"I doubt we'll see any real security innovation in Lion," opined Alexander Sotirov on Twitter. And in a later tweet aimed at Miller, Sotirov said, "I'm sure we'll see improvements in Lion, perhaps even full ASLR. But that doesn't count as 'innovation' in 2011."
Sotirov is an independent security researcher, who with Miller and Dai Zovi, launched a 2010 effort they dubbed "No Free Bugs" that proposed researchers should be paid for their work because vulnerabilities have value.
ASLR, or "address space layout randomization," is an anti-exploit technology that randomly assigns data to memory to make it tougher for attackers to determine the location of critical operating system functions, and thus make it harder for them to craft reliable exploits.
Windows, for example, leans on ASLR, but Apple's current operating system -- 2009's Snow Leopard -- relies on partial ASLR that doesn't randomize important components of the OS. Microsoft has included ASLR in Windows since Vista's late 2007 debut.
After Snow Leopard's August 2009 launch, Miller said Apple missed the security boat by not fully implementing ASLR.
Apple has not disclosed a ship date for Lion -- saying only that it will be available "this summer" -- or its price. Historically, the company has priced its operating system upgrades at $129 for a single license, $149 for a five-license package, although it departed from that practice with Snow Leopard when it priced Mac OS X 10.6 at $29 and $49, respectively.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is firstname.lastname@example.org.
- Apple hands stock worth $12.1M to top execs in retention deal
- Hands on: Apple's Mac Pro is the fastest Mac ever
- Apple CFO to retire in September after he cashes in $53M stock award
- Apple's CarPlay to spark mobile apps war in your car
- Apple retires Snow Leopard from support, leaves 1 in 5 Macs vulnerable to attacks
- Apple patches critical 'gotofail' bug with Mavericks update
- Why Apple needs a $700 MacBook Air
- Apple takes top spot in brand value computation
- Apple gets a patent for health-monitoring ear buds
- Apple shifts to hardware-first TV strategy with revamped set-top box
Read more about Security in Computerworld's Security Topic Center.
- Top 12 Laptop Bags for Mobile Pros
- Think Deleted Text Messages Are Gone Forever? Think Again
- 7 New Faces of the C-suite
- 5 Ways CIOs Can Rationalize Application Portfolios
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Alert Logic for PCI DSS Compliance To achieve PCI DSS compliance, you must identify and remediate all critical vulnerabilities detected during PCI scans. Threat Manager streamlines this process by...
- Cybersecurity Imperatives Reinvent Your Network Security With Palo Alto Networks The Rise of CyberSecurity
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts