Apple Revamps Security in OS X Lion

Apple has released the newest version of its OS X operating system, dubbed Lion, and it includes a batch of new security protections that bring it up to the level of Windows and Internet Explorer. The most significant additions, experts say, is the full implementation of ASLR and a sandbox that make it much more difficult for attackers to exploit browser bugs via a drive-by download to install malware on a victim’s machine.

Lion securityApple has released the newest version of its OS X operating system, dubbed Lion, and it includes a batch of new security protections that bring it up to the level of Windows and Internet Explorer. The most significant additions, experts say, is the full implementation of ASLR and a sandbox that make it much more difficult for attackers to exploit browser bugs via a drive-by download to install malware on a victim’s machine.

Drive-by download attacks have been a popular and effective attack vector for a wide variety of phishing crews, cybercrime gangs and others for several years. As most Web users spend their online lives in the browser, it can be the most effective way to compromise a large number of people if you have an exploit for a bug in a popular browser. The major browser vendors have been adding exploit mitigations and other protections in recent versions, but researchers have said that Safari, in particular, has not been up to the levels of security provided by IE, Firefox and Chrome.

Apple is attempting to fix that in Lion by finally putting in a full version of ASLR (address space layout randomization), which makes it harder for attackers to run code on a machine by placing objects in random spots in memory.

“OS X has always had this goofy ASLR implementation where the randomized the libraries but not anything else, and you could still play the games and reuse code as long as there was one thing that wasn’t randomized,” said Charlie Miller, principal research consultant at Accuvant, who does a lot of OS X security research. “In Lion it seems like everything is randomized and no code is loaded at a predictable address. They made it much harder to exploit things. You probably need two bugs now, one for code execution and one for information disclosure.”

Miller added that it’s also more difficult to find information disclosure bugs because they can’t be found with a fuzzer. In addition to the improved ASLR implementation, Lion also includes a sandbox that prevents applications from being able to make changes to a machine or take other actions they shouldn’t be able to take. In the case of Safari, Apple has taken the step of putting Webkit in a separate process.

“Webkit lives in a second process, so what will happen is if you get one bug and exploit that gets around ASLR, you end up in that second process,” Miller said. “That process is sandboxed, so you can only read and write in certain places. You can’t do the things you want to do, like install malware. You need two to three bugs now where before you only needed one. To get from malicious site to installing malware is way, way harder.”

Apple also has added a couple of more obvious security and privacy features to OS X Lion, most notably FileVault 2, which now encrypts the entire disk using 128-bit AES. The tool also can encrypt USB and FireWire drives and has a feature called Instant Wipe that will immediately erase the encryption key from the hard drive and then erase the entire drive.

One other significant change is that Lion does not install Adobe Flash or Java by default.

Overall, Miller said, with Lion, Apple has raised its security game to the point where OS X is no longer the 98-pound weakling on the beach.

“It’s always been the easiest to exploit and now it’s to the point that it’s not that easy anymore,” he said. “OS X has always been way behind on security, but now it’s more or less comparable [to Windows]. Once you have ASLR and DEP and some sandboxing, that’s all anyone has.”

Suggested articles

Discussion

  • Del Miller on

    There is one more thing that Apple is doing that actually puts OS X security far ahead of other platforms. That is the push toward the Mac App Store as the primary source for application downloads. I strongly suspect that the Mac App Store will become the go-to place for Apple software and, as a result, OS X users will be downloading their software from a trusted vendor that actually tests the programs for malware before they are distributed.

    The model has been tested with iOS, which is the ONLY way to load software on the iPhone, iPod Touch and iPad, and there have been no reports of malware on that platform that I am aware of. So it seems to work, so far.

    I think this is huge.

  • Ardra on

    Controlling the distribution channel can help enhance security, sure, but Macs can still download from the web and unverified sources.    For now, at least.  Give it iTime.

    It's bloody refreshing to read an article like this that is realistic and not saturated with Apple hype and the usual cult-like responses.    My Snow Leopard disc installs an operating system where the firewall is off by default - long after the setup routine has 'helped' you get on the web.   That's inexcusable.   In the world of OS security, there are lies, damn lies, and Apple commercials.

    The multi-touch enhancements in Lion were meaningless to me.  I upgraded for patches and bugfixes really, glad to see some discussion of a good non-pop-culture-social-media-feature of Lion that strengthens my machine from attacks.

  • Anonymous on

    Miller is full of it.    He is in the pockets of MSFT.   All the supposed 'exploits' have had confederates at the keyboard, etc…

    Now that Apple is far larger than even MSFT, can we finally put the 'obscurity' non-sense to rest?    Fact is, Mac OS X is FAR harder to exploit.   Apple didn't put all the services on by default, they don't make it their #1 priority to make everything as easy as possible for the programmer (user be damned) which is the way Windows works, not Mac.

    Mac OS X has had FAR more security than Windows, prior to AND after Win7.     But yeah, Lion is an improvement, none the less.   

  • nancy on

    Not sure where you get the statement that Apple is "far larger" than MSFT; their market capitalization is higher, their cash reserves are higher, but their market penetration is still less than 50%, and in the enterprise it's even farther behind. That's not a slam on Apple, it's real numbers.

    Microsoft would go a long way in security if they just did one thing that Apple and *nix have always done: require a password for all installations.

  • Angelina on

    security flaws at Lo is an issue of crusial importance: http://www.totalapps.net/mac/security-flaws-in-the-mac-os-x-lion/

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.