While Apple fans were counting the list of features in its announcements today of Lion, a new version of its operating system and its fourth-generation iCloud service, security professionals digging under the hood declared the new platforms more secure but with caveats.
For instance, for the first time Mac OS X users will be protected by Address Space Layout Randomisation, (ASLR) an anti-exploit system that obfuscates important system functions.
And they get Data Execution Prevention (DEP) for 64-bit and 32-bit processes; it was offered on only the 64-bit version of predecessor operating system, Snow Leopard.
Apple hacker Charlie Miller said the new platforms have improved security.
"Things like the Flash Plugin or Microsoft Office are only 32-bit and so it is easy for attackers to exploit these processes by just injecting shellcode and having it execute," said Dr Miller, who has won the Pwn2Own hacking competition of Mac systems four times.
"Lion says it will enforce DEP on all processes, 64-bit and 32-bit, both. This would be an improvement."
And if Apple implemented layout randomisation properly, it will make it more difficult-to-write exploits for the platform.
He said layout randomisation in Snow Leopard and the earlier Leopard operating systems were incomplete: "Lion says it has improved ASLR; we will see exactly what is improved".
The easiest way to exploit DEP is to reuse executable code in the process called return-oriented programming; layout randomisation scrambled the location of libraries but not the location of the binary, dynamic memory or dynamic linker.
Using DEP and ASLR together made such attacks impossible without another attack vector, Dr Miller said.
"I demonstrated how to build an exploit based only on knowing the position of the dynamic linker," he said. "If this location is randomised, it will be much harder to write exploits."
Vista has had layout randomisation since its Vista operating system.
Lion will also introduce sandboxes and privilege separation. Little is known about how extensively this was used, and those developers who have tested the operating system are under non-disclosure agreements.
Dr Miller said Snow Leopard had limited sandboxing for critical processes but not important applications such as Safari or Mail.
"Not many details about Lion have been revealed, but it would be cool if Safari was sandboxed," he said.
Apple introduced encryption into its MobileMe platform last year, and in May hired former National Security Agency vulnerability expert and US Navy cryptologic specialist David Rice as its chief security officer. The fourth-generation iCloud service is the successor to MobileMe, its third foray into cloud services after .Mac and iTools.
I came, I saw, iCloud: The SC takeaway
Enterprises should still consider implications of data sovereignty and trust with any cloud service and Apple's iCloud was no exception.
And chief information officers should consider how it affected security or their organisation's data.
The consumerisation of technology has a habit of permeating business and iCloud was sure to make it through the corporate gates, especially as users adopt it without the blessing of the IT shop.
Perhaps the most immediate danger of iCloud is it's seamless drag and drop interface that, while hiding complexity from the user, may also see staff flippantly sending corporate secrets to servers offshore and outside the ITdepartment's control.
That factor could be exaggerated as Apple CEO, Steve Jobs' stated ambition for iCloud is it will replicate data across the user's devices.
Copyright © SC Magazine, Australia
Issue: 322 | December 2013
Access CRN's extensive online resources including; email bulletins, community discussions and unique online news.
Processing registration... Please wait.
This process can take up to a minute to complete.
A confirmation email has been sent to your email address - SUPPLIED GOES EMAIL HERE. Please click on the link in the email to verify your email address. You need to verify your email before you can log on to the CRN website or start posting comments on articles.
If you do not receive your confirmation email within the next few minutes, it may be because the email has been captured by a junk mail filter. Please ensure you add the domain '@crn.com.au' to your white-listed senders.