Forgot your password?
typodupeerror
OS X Security Apple

A Closer Look At Apple Leopard Security 267

Posted by kdawson
from the changing-spots dept.
Last week we discussed some of the security features coming in Leopard. This article goes into more depth on OS X 10.5 security — probably as much technical detail as we're going to get until the folks who know come out from under their NDAs on Friday. The writer argues that Apple's new Time Machine automatic backup should be considered a security feature. "Overall, Mac OS X 10.5 Leopard is perhaps the most significant update in the history of Mac OS X — perhaps in the history of Apple — from a security standpoint. It marks a shift from basing Macintosh security on hard outside walls to building more resiliency and survivability into the core operating system."
This discussion has been archived. No new comments can be posted.

A Closer Look At Apple Leopard Security

Comments Filter:
  • Security (Score:3, Insightful)

    by jcicora (949398) on Tuesday October 23, 2007 @01:19PM (#21088513) Journal
    Why doesn't everyone (Apple, Microsoft, Linux/Unix people) work together on security? Its the one thing that everyone benefits from.
    • Re:Security (Score:5, Insightful)

      by jellomizer (103300) * on Tuesday October 23, 2007 @01:27PM (#21088657)
      Well Linux and Apple people like seeing Microsoft with security holes. How many articles about microsoft security problems are tagged "HAHA". Windows People like seeing Apple and Linux security holes because then they don't feel as bad about choosing Windows. Linux people are not normally to happy to see Apple Security holes because it usually means Linux has a simular problem and vice versa.

      It is basicly a case if one can say I am more secure then you then I win.
    • I guess it depends on what you mean by "work together". They sort of do work together. They're constantly borrowing ideas from each other. Sometimes the Linux/Mac/Unix people are even using the same code. But do any of them want to hold up their own security improvements while they try to persuade everyone else to adopt the same security practices?
    • Re: (Score:3, Insightful)

      by krunk7 (748055)

      Why doesn't everyone (Apple, Microsoft, Linux/Unix people) work together on security? Its the one thing that everyone benefits from.

      Microsoft is free to use any and every security feature ever developed by the open source community. This includes virtually 100% of Linux/bsd's development and lion's share of OSX's security features as well.

      The reason we can't say the same for a Microsoft->open source is because for a lot of security in windows...no one has access at all.

    • by Sloppy (14984)

      Why doesn't everyone (Apple, Microsoft, Linux/Unix people) work together on security?
      Why doesn't everyone (Apple, Krusty the Klown, Linux/Unix people) work together on security? Because they have conflicting values and goals, that's why.
  • Significance (Score:5, Insightful)

    by Mikey-San (582838) on Tuesday October 23, 2007 @01:19PM (#21088521) Homepage Journal
    "Overall, Mac OS X 10.5 Leopard is perhaps the most significant update in the history of Mac OS X -- perhaps in the history of Apple

    Maybe in the history of Mac OS X, but definitely not the history of Apple itself. I'd say that would be, oh, the shift to Unix.
    • Re: (Score:2, Funny)

      by rucs_hack (784150)
      Maybe in the history of Mac OS X, but definitely not the history of Apple itself. I'd say that would be, oh, the shift to Unix.

      Don't you mean iUnix?
    • Well a lot of people considered Moving from OS 9 to OS X a downgrade. It took until 10.2 for it to have features better then OS 9 before that there were a lot of internal things changed but it wasn't better it was just potentionally better. 10.5 may be the OS version with the most improvements to the system. Not the most changes to the code base.
      • Re:Significance (Score:5, Insightful)

        by noewun (591275) on Tuesday October 23, 2007 @01:55PM (#21089067) Journal

        Well a lot of people considered Moving from OS 9 to OS X a downgrade.

        It wasn't a lot of people. It was a vocal minority, the same minority which swore up and down that they'd never touch Apple again after the Intel switch and who spend hours debating the tiniest "flaws" in OS X's GUI. In other words, people for whom computers are an obsession or a fetish.

        The the rest of us--people for whom computers are tools used to make money--OS X, and the features it brought, were long overdue. The switch was entirely worth it if only for the addition of a modern memory susbsyetem to an Apple OS. No more preemptive multitasking and having to specify how much memory each application got.

        • Re:Significance (Score:5, Informative)

          by ChronoReverse (858838) on Tuesday October 23, 2007 @02:00PM (#21089135)
          I believe you mean no more cooperative multitasking. The modern desktop OS's are all preemptive IIRC.
        • Re: (Score:3, Interesting)

          by aftk2 (556992)
          Umm...not entirely. I really like the power OS X and am quite enthusiastic about the Intel switch. And yet, as an Apple fan from the mid 90s, I can completely recognize that 10.0 was pretty rough when moving from OS 9. Do you remember how slow that felt? OS 9 still feels faster to me than OS X, although I'd never, ever want to use it again.

          I mean really...you think the people who even know about the term "preemptive multitasking" wasn't outnumbered by those who groused about how the new Mac upgrade ran a
          • I can completely recognize that 10.0 was pretty rough when moving from OS 9.

            Old Macs had a flaw (yes, I said it) where holding down the mouse button would freeze the rest of the computer.

            Including the network stack.

            We noticed this because when the rest of the office would play MP3s from our graphics guy's Mac's shared folder, everyone's audio would randomly and simultaneously drop out. We eventually realized that it happened when he was holding Photoshop's menus open for a long time while he pondered which filter to apply to some image.

            People who found 10.0 to be rough wer

            • Re: (Score:3, Interesting)

              by Apotsy (84148)
              Talk about a false dichotomy! Do you really think the two are at all related?

              There were people who understood the flaws, but (correctly) thought that moving to OS X should not require giving up good performance (which took years to get back), or UI niceties like the way the classic Finder worked. As to the latter, unfortunately Steve apparently didn't like the old Finder and never allowed the OS X Finder to work the same way. Spatial mode is still broken to this day, the "Show Package Contents" feature is

              • Re:Significance (Score:4, Informative)

                by Just Some Guy (3352) <kirk+slashdot@strauser.com> on Tuesday October 23, 2007 @04:22PM (#21091585) Homepage Journal

                Talk about a false dichotomy! Do you really think the two are at all related?

                Definitely. The old OS model allowed certain shortcuts such as hacks that directly patched the code segments of other programs that were running to change their behavior. The new protected memory model flat-out makes that hackery impossible, so it was up to programs to add explicit support for message passing and other external control systems. There isn't a message passing system in the world that's as fast as just overwriting a destination application's buffers with new data.

                That's just one example of why some things are inherently slower if done right. Sometimes it's just not avoidable. That doesn't mean that the new way is inefficient or bad, just different.

                I was never into Macs back in the day so I can't comment on old vs. new Finder or spring loaded folders, etc., but I find it telling that the only people who seem to seriously dislike the new Finder are the ones who seriously loved the old one. To everyone else it's pretty spiffy and a reasonably good model of how such things are supposed to work. That is, I'm not at all convinced that the old Finder was actually superior; it's just that people liked it that way, darnit, and anything different is inferior by definition.

                None of that has anything to do with multitasking or event loop handling and you know it.

                You're right: it doesn't. I'm not sure why you even brought it up.

                • by Kadin2048 (468275) * <[slashdot.kadin] [at] [xoxy.net]> on Tuesday October 23, 2007 @07:54PM (#21094071) Homepage Journal

                  I was never into Macs back in the day so I can't comment on old vs. new Finder or spring loaded folders, etc., but I find it telling that the only people who seem to seriously dislike the new Finder are the ones who seriously loved the old one. To everyone else it's pretty spiffy and a reasonably good model of how such things are supposed to work. That is, I'm not at all convinced that the old Finder was actually superior; it's just that people liked it that way, darnit, and anything different is inferior by definition.
                  As someone who used the old (oops, "Classic") Mac OS from versions 6-9, while I do think there was a certain level of curmudgeonness among the people who swore they wouldn't switch, there were very legitimate concerns about the OS X Finder and GUI, which I'm not sure have really been resolved.

                  Don't get me wrong, I still think OS X is better overall, because of its underlying architecture and a functional CLI, but the Classic Mac GUI had been honed incrementally over almost two decades before Steve just decided to bin the whole thing and reinvent the wheel. It was that interface which made the crappiness of OS 9 worth dealing with, despite the fact that you could hang the whole system by holding down the mouse button, and had to manually allocate memory, and everything else. It was the Mac's saving grace -- perhaps its only saving grace -- throughout the 'lean years' of the platform. And that's why a lot of users just never got over its elimination; it was, for many people, the only reason why they'd stuck around for so long.

                  There was no real reason to change it when the old codebase was dropped for NeXT's: even if none of the code needed to be kept, the interface guidelines that had evolved as best practices, arrived at by painstaking trial-and-error by generations of Mac programmers, could have been retained. What I think happened is that Steve Jobs wanted more eye candy, and wanted to make the entire desktop reflect the OS's "newness." It was a sales tactic, and although I don't think there's any debate that it worked, it was a pretty huge cost.

                  OS 9 was an operating system with a great GUI and a terrible backend; OS X had a great backend, but a GUI that was almost unusable at first, and which has only very recently come back on par with the Classic OS circa System 7.5 or so. (They just recently snuck the option-click-to-close-all-Finder-windows trick back in, which I believe originated on the IIgs, and was definitely missing for a while in early OS X versions...)

                  (Incidentally, the interface scizophrenia isn't limited just to the Mac OS; you also see this behavior in some of the major Apple apps [e.g. iTunes] -- every time there's a whole-number version increase, some part of the interface gets changed, apparently for the sake of changing it. It's as if they realize that some people won't believe that anything is different unless the widgets change, so they scramble everything around periodically, just to keep everyone on their toes.)
        • by soupdevil (587476)
          OSX was worthless to me (as an audio engineer/sound designer) until they added Core Audio, which made professional audio tools possible. But it took too long. By then, all the cool kids had given up on ProTools and MOTU, and were using SONAR, Gigastudio, and Nuendo on Windows.
        • A nearly non-existent minority actually thought that MacOS 9 was better than Mac OS X at first. This minority survived until the release of Mac OS X 10.2.

          A large majority of MacOS 9 users migrating to Mac OS X thought that, while pretty, the Aqua UI was slow, bloated, and annoyingly shiny. They also gave most of the organizational features of the Finder a complete fail as well. Gone were spring-loaded folders, pop-up-tray tabs on the desktop, hierarchic menus, the app-switcher menu, and a host of other thin
        • The switch was entirely worth it if only for the addition of a modern memory susbsyetem to an Apple OS. No more preemptive multitasking and having to specify how much memory each application got.

          Yeah, that and security-- including real multi-user stuff. There were always some users who got stuck on the OS9 crap. They'd get their knickers in a twist because there was some missing feature like the color "labels". And then there were the OS9 power-users who had figured out how to do all the insane old Mac

        • by soft_guy (534437) *
          Bullshit. If you had to spend a year using 10.0.x or 9.0.x which would you pick? I'd pick 9.0.4 every time. And I like OS X. I evaluated every version of it from Developer Preview 1 up until 10.2. I switched to OS X for daily use when 10.2 shipped. Because for day in/day out use of an operating system I have to get work done, not just admire its microkernel or crash protection.
      • OS 9 was more responsive, yes. But, due to cooperative multitasking, if any program crashed, your entire computer did as well. I did some fairly memory intensive Photoshop work for a newspaper on an OS 9 Mac that was packed to the gills with RAM, and I'd have an average of two reboots a day. This can be maddening to the point where you'll want to throw the Mac out the window if you just lost an hour's painstaking work to the fucking bomb.

        The OS X came about. Systemwide crashes are a rarity, and in my exper
    • by Tom (822)
      Then you're back at Leopard as well, because only Leopord is really "Unix" and not "*nix". :-)
    • by neoform (551705)
      Uhm, not to be nitpicking, but 10.5 is the first actual UNIX distribution of OSX..
    • Re:Significance (Score:5, Interesting)

      by uncleFester (29998) on Tuesday October 23, 2007 @05:32PM (#21092507) Homepage Journal
      Maybe in the history of Mac OS X, but definitely not the history of Apple itself. I'd say that would be, oh, the shift to Unix.

      myself, i would consider the shift in architechure a greater historical shakeup. it's still amazing to me apple has shifted their core processor/architechure setup twice, including an emulation layer (each time) to ease transition. i had (and still own) a Motorola Mac (SE/30, Moto 68030 CPU) and remember the titanic shift it was migrating to the PowerPC. And, more recently, shifting from the Power/RISC platform to Intel. I think Apple's continued demonstrated ability to shift its underpinnings with damn near nary a disruption is scary impressive. :)

      -r
  • by jellomizer (103300) * on Tuesday October 23, 2007 @01:20PM (#21088543)
    Reading this made me wonder. What would happen if you had an important file you temprarly drop it in a public location then move it out. once the person downloaded it. Then someone goes and runs time machine on the public directory and picks up the file that you deleted.... Also will time machiene pick up different permissions set on a file at different time. You made it and tested it as 777 then after you assure it physically works you bring it down to 755 will it allow you to go back in time and get the permission 777 of the file...

    While I do agree having good backups is important part of security... Perhaps just perhaps because it is so easy there is a security problem with it.
    • by 99BottlesOfBeerInMyF (813746) on Tuesday October 23, 2007 @01:30PM (#21088701)

      What would happen if you had an important file you temprarly drop it in a public location then move it out. once the person downloaded it.

      If it is an important file, why would you drop it in a public location in the first place, instead of just transferring it directly to that user or putting it in a password protected location or them? The scenario you envision is already a security problem because you're posting private data in public temporarily. I'd argue the right solution, is not to do that at all.

      • Sure you can argue the correct solution but, my way is the easier solution... Given most people they will go with the easy solution. Put it on a public location turn on file sharing tell them to go to this address, then turn it off after they got the file, delete the file from that dir and you are all set. For most cases it will take a while for a hacker or whatever to find the file and get it, durring the 10 minutes it is public. Of course there are more secure ways of doing this but the point it how far
        • by jimicus (737525)
          You're assuming that time machine works over a shared network folder.

          I very much doubt this will be the case. To my mind, Time Machine looks an awful lot like a pretty wrapper around a snapshot function, similar to that found in modern logical volume managers and SAN products. Sun's ZFS has such a function, and Apple have licensed ZFS for inclusion in Leopard [news.com].

          Such a system generally works at the block level (with LVM), though with the filesystem integration ZFS gives it could probably operate more efficie
        • Sure you can argue the correct solution but, my way is the easier solution... Given most people they will go with the easy solution. Put it on a public location turn on file sharing tell them to go to this address, then turn it off after they got the file, delete the file from that dir and you are all set.

          Or easier yet you can include it in an IM chat or e-mail, which is what most people do these days and which is no less secure than what you describe.

          For most cases it will take a while for a hacker or whatever to find the file and get it, durring the 10 minutes it is public.

          Sure, but you're advocating lousy security instead of real security. Do tell, how is your method "easier" than e-mail or chat file transfers?

      • If it is an important file, why would you drop it in a public location in the first place ...

        GUIs are prone to errors, just like consoles. All that has changed is how the error manifests. When your finger slips at the console you get a typo. When your finger slips during a drag you may inadvertantly issue a mouse up and drop the file being moved prematurely, in the wrong folder. It can be a PITA when you were dragging over a bunch of subfolders in a list view.
    • by photon317 (208409)

      On the "777" issue, I don't think the backup snapshots are writable in the general sense, so it wouldn't much matter if your backup of a file had writable perms. What you're probably more interested is a file you initially created as 755 and later changed to 700 (which is basically the same issue as your "accidental publication" concern). The answer is that Time Machine allows you to explicitly ask it to delete all historical copies of a given file, for precisely these kinds of reasons.
    • by MSG (12810)
      Then someone goes and runs time machine on the public directory and picks up the file that you deleted.

      Time machine isn't a feature that "someone" can run against your network drives. Time machine allows you, the operator, to use a second hard drive to maintain snapshots of the drives that you're using. Since the snapshots are on a separate drive, there's no risk that someone accessing your system remotely will have access to files that you've removed, or whose permissions you've changed.
  • The much-needed focus on availability is a real breath of fresh air. If one can recover a previous state (i.e. if it is available), it's a great deal easier to restore integrity. Confidentiality improvements are always welcome, of course, but they'll never be complete, and availability allows us to recover after the fact.

    Also, Time Machine is a great forensic tool.

    Overall, of course, I'm lauding the article more than 10.5, since I'm unaware of any of these features being truly new to the IT world.
  • Evil bit? (Score:5, Funny)

    by grassy_knoll (412409) on Tuesday October 23, 2007 @01:23PM (#21088599) Homepage
    From tfa:

    While Apple can't prevent people from downloading dangerous stuff, Leopard has a new feature to tag downloaded applications as coming off the Internet.


    Wait... don't tell me they implemented RFC 3514 [wikipedia.org] . ;-)
    • by jkabbe (631234)
      What would be really cool is if, before you run a program with the evil bit set, it would run Time Machine to make sure your backup is up to date:

      Double-click program downloaded from the internet
      Time machine begins to backup your computer
      Floyd says, "oh boy, are we going to do something dangerous now?"
  • Backups as Security? (Score:2, Interesting)

    by rueger (210566)
    "With Time Machine making it easier to back up for all users, especially individuals not already protected by some corporate backup system, Apple is doing more to improve security than any upgrades to firewalls or Safari ever could."

    Although I am a fan of backups, this is really silly. Even if we assume that users have Time Machine turned on, that they have external media on which to back up, that they manage to actually have everything turned on and hooked up to do the automated backup, there's still o
  • "Code randomization" is a terrible idea. Virus writers will write something that searches around for the right place to patch. Developers will think buffer overflows are now OK, and write worse code. Worst of all, bugs become nonrepeatable and harder to debug. (Great for tech support. Much harder to pin blame on the vendor now.)

    • by Potatomasher (798018) on Tuesday October 23, 2007 @02:03PM (#21089197)
      "Virus writers will write something that searches around for the right place to patch"

      No, they won't be able to do that. At that point, they haven't gained execution yet.
      Buffer overflows require you to jump to code which is in a known place in memory (usually libraries), which in turn slingshots you back to the exploit code stored on the stack (or other). Without knowing where to jump to, your malicious code will just sit there in memory, not doing anything.
    • by bucky0 (229117) on Tuesday October 23, 2007 @02:04PM (#21089221)
      ASLR works using the dynamic linker. For the vast majority of programs (I can't think of any counter examples off the top of my head), the dynamic linker works transparently to match up in-program function calls with their proper library addresses. If ASLR adds bugs to the implementation, it must be because of a faulty linker, which can be debugged out.

      Virus writers will write something that searches around for the right place to patch
      It's not quite that simple. Virus writers have a practical limit of how much code they can squish into a buffer overflow (which reduces the effectiveness of a NOP slide) Not only that, protected memory operating systems will bomb out if you start randomly poking at memory addresses. Since the addresses are randomized, you don't really know where to start looking which means it becomes a probability game of how many valid addresses the code your looking for could be at compared to the total address space.

      Developers will think buffer overflows are now OK, and write worse code.
      Developers have known about buffer overflows for years, and people still use sprintf over snprintf. I doubt anyone who is doing any serious coding will look at ASLR and say, "Hurray! We can forget about string validation!"
      • Developers have known about buffer overflows for years, and people still use sprintf over snprintf.
        snprintf just trades off potentially writing past the end of the buffer with potentially reading past the end of the buffer. People should be resizing their buffers as needed - when is it ever OK to truncate data - and stop misusing the 'n' functions.
        • by bucky0 (229117)
          I'll be honest and say that I'm pretty naive about good coding practices, but I use snprintf for things like: (terrible example)

          char buf[1024];
          snprintf(buf, "Logging started, argv[0] is %s", 1024, argv[0]);

          and then later, I'll output it to a file or something. It's a bad example, but doesn't using the 'n' version of sprintf keep people from filling buf outside its bounds?
      • What's to keep the virus from just using the underlying trap instruction for its system calls? This is a UNIX system, friends, you don't need to call printf(), you can call write().
    • Re: (Score:3, Informative)

      by Lally Singh (3427)
      - Which class of bugs depends upon the memory layout of your libraries? E.g. what kinds of bugs happen or don't happen depending on that layout?

      - Do you have any idea how less vulnerable you are to an attack when the attacker can't get you in 1 hit? A networked-based attack would essentially have to flood you to get the right address, and bandwidth limitations could prevent them from ever doing it (searching through a multi-gigabyte address range a few dozen bytes at a time takes a *long* while when you'r
    • by Sloppy (14984)

      "Code randomization" is a terrible idea. Virus writers will write something that searches around for the right place to patch.

      Brilliant solution. All they have to do, in order to run the code that "searches around," is run some code that searches around for the right place to patch. But to run that, they first have to run some code that searches around for the right place to patch. But in order to run that, they have to--
      STACK OVERFLOW! User Sloppy DoSed.
      Oops, I guess it worked, after all.

  • I am wondering if some even more basic holes have been filled here.

    I have been given to understand that one of the problems with OSX is that in order to make some legacy software work such as applescript, apple had to make a few file settings more open than they should be.

    The big example is the one which allows a USB drive with a correc tly set up copy of OSX on it to automatically become the boot drive with full root access to all drives on a restart. IIRC there's even a company that sells these things pr
    • by SuperKendall (25149) on Tuesday October 23, 2007 @02:37PM (#21089935)
      Trying to protect non-encrypted data from an attacker with physical access is a fools errand.
    • The USB thing can be fixed via an Open Firmware password (G5 and below, though I'm sure there's an equivalent for intel). If you have one in place, holding down the option key on boot will present you with a password screen before the Boot Manager.

      The only other ways to boot from an external disk if there is an Open Firmware is to use the Startup Disk pane of System Preferences (requires admin password) or to use the bless command in the terminal (requires sudo / root access).

      Oh, and for those of you that
      • This is why I said "default settings". There are several more things like this. It's stuff that can be fixed by folks who know what they are doing. The whole point behind macs though is they should not require that level of system knowledge to make them work.

        This is or has been a known problem on a few Linux distros as well. Still IMHO it should be fixed. There's a big difference between surreptitiously slipping a flash drive into a slot for a minute or two and taking the lid off a machine. Especially
    • by JPRelph (519032)
      It is possible to boot a Mac from an external drive (USB or Firewire on Intel Macs, and Firewire drives on PPC Macs) but it is pretty easy to stop that from becoming a problem. Apple have a utility that stops people changing firmware settings including booting from a different drive http://docs.info.apple.com/article.html?artnum=106482 [apple.com]
  • Application signing, warning dialogs for downloaded files, and the like... these have been Microsoft's first line of defense against cross-zone exploits for a decade now and they have systematically failed. Now Microsoft is using Sandboxing, and that will also fail.

    I wish that Apple would decide to photocopy good ideas from Microsoft rather than bad ones. The single set of application bindings for helper applications and URL handlers? That comes from Windows. The idea of giving users the opportunity to open potentially hostile files directly from mail and browser software? That comes from Windows. Open Safe Files? That comes from Windows. Popping up dialogs before automatically doing stupid things, instead of not automatically doing stupid things? That comes from Windows.

    The last straw for me was when Safari on OSX warned me that I was downloading an EXE file because it's executable. Not that I was running it. Just that I was downloading it. Holy Mother of Turing!

    *sigh*

    At least they don't have anything like ActiveX yet.
  • From article submission: http://yro.slashdot.org/article.pl?sid=06/07/31/0044201 [slashdot.org]

    Re: Vista Previous Versions (Also in 2003 Server)
    Some users will find the feature objectionable because it could give the bossman a new way to check up on employees, or perhaps it could be exploited in some nefarious way by some nefarious person. Previous versions of Windows were still susceptible to undelete utilities, of course, but this new functionality makes browsing quite, quite simple.

    From today's article:
    The writer argu

Save gas, don't use the shell.

Working...