Security features expected within Mac OS X Leopard

In advance of Friday's general release of Apple Mac OS X Leopard, Apple has posted a variety of preview pages, one of which details new security features. In Apple's preview, the Cupertino vendor cites 11 specific enhancements that should make Leopard more secure than Tiger.

Library randomization: This is huge. The technology behind this, address space layout randomization (ASLR), randomly arranges the positions of key data areas. This prevents malware authors from predicting the targeted memory addresses for buffer overflows and malware exploitation. Windows Vista includes ASLR.

Sandboxing: Sandboxing allows applets to run without interfering with the overall system, then terminate when the application shuts down. Apple says "many Leopard applications--such as Bonjour, Quick Look, and the Spotlight indexer--are sandboxed so hackers can't exploit them." Missing from the list, however, is the Apple Internet browser, Safari, which, of all the applications listed, needs sandboxing most of all.

Tagging downloads: Before Leopard executes a download, it will ask for your consent first by telling you when a file was downloaded, what application was used to download it, and, if applicable, what URL it came from. Hopefully no more drive-by downloads.

Application-based firewall: This will allow users to specify the behavior of individual applications.

Stronger encryption for Disk images: With 256-bit AES encryption, Disk Utility will provide stronger encryption for Mac OS disk images.

Sharing and collaboration configuration: Leopard will make it easier to share and control who has access to your folders over a network.

Signed applications: All applications designed for Leopard will be signed by either Apple or third-party developers.

Enhanced VPN client compatibility: Leopard will support Cisco Group Filtering as well as DHCP over PPP.

Multiple user certificates: Leopard provides a digital certificate for encrypting e-mail messages.

Enhanced smart card capabilities: According to Apple, "now you can use a smart card to unlock FileVault volumes and your keychain, and configure your Mac to lock the screen when a smart card is removed."

Windows SMB packet signing: According to Apple, "enjoy improved compatibility and security with Windows-based servers."

[mailbox001]

Doesn't Vista have all this already?

Now who's copying who?

[rcrusoe]

Vista has some of this

but it actually works in Leopard.

[Williame789]

you're right

i think that you're right vista have all this.

[pctec100]

Re: Doesn't Vista have all this already?

Yes, these features are found in Vista and some of them were in XP. <br /><br />I think this may signal that Apple is positioning themselves to take on Microsoft on MS's own playground, the corporate world.

[balkce]

That was quick...

Let's see, if we just consider MacOS and Windows (here we go <br />again)...<br /><br />Library randomization: First in Vista, but it's a standard, so get <br />off your high horse (it was first in OpenBSD).<br /><br />Sandboxing: First in Vista, application-wise (just IE, really, which <br />isn't a real sandbox, just "protected mode"). First in MacOS X <br />(Puma), user-wise (because of the UNIX implementations below <br />it). Frankly, I see this more as a higher level protection "just in <br />case".<br /><br />Tagging downloads: First in MacOS X (Leopard). Vista doesn't <br />have this, as far as I know. Yeah it tells you if that it's <br />downloading something and what type of file it is, but it doesn't <br />recall where you download it from and what application was <br />used to download it when you're opening it for the first time <br />afterwards... Another of those add-ons that are trying to protect <br />the user from itself: a user must be aware what is (s)he <br />downloading, Safari and IE 7 already are telling you if it's a <br />executable or not. Anyway, I guess it will save some people.<br /><br />Application-based firewall: First in Windows XP. However, I <br />hardly ever use it in Windows XP. I rather be protecting specific <br />ports than specific applications. Have you seen the huge list that <br />it produces? And when you uninstall a program, it's still on the <br />list!<br /><br />Stronger encryption for Disk images: First in MacOS X (Jaguar). <br />Disk images (dmg files) are Mac specific, and although they can <br />be converted into ISO files and opened in Windows, I doubt that <br />Microsoft put a 256-bit encription in them first in Vista.<br /><br />Sharing and collaboration configuration: First in... well... neither. <br />If we really want to be specific, the idea of permissions of a <br />folder of who can access it from the network has been done <br />before, so I don't know what they're saying here. Specifically, <br />though, although it may have appeared in Windows NT first (I'm <br />not too sure about it, though), MacOS X made it easy to handle <br />to the point that it was actually usable.<br /><br />Signed applications: First in Windows XP. However, it was more <br />of a patch and hasn't really worked. Every program that I've <br />downloaded in Windows hasn't ever been signed (even some <br />from very big third party developers like Adobe and Norton) so I <br />don't see how that's helping. In addition, this is another add-on <br />that's trying to protect the user from itself, when the user should <br />be really just be careful. But ok, ok, yeah Windows did it first; <br />crappy, but first, like everything it does.<br /><br />Enhanced VPN client compatibility: First in MacOS X (Leopard). <br />I'm pretty sure you have to download a client in Vista from <br />CISCO (like MacOS Tiger) to be able to connect to a CISCO VPN. <br />I've always been very annoyed of the CISCO incompatibility in <br />MacOS X and needing to download a third-party client; I'm glad <br />that they're taking care of it.<br /><br />Multiple user certificates: First in MacOS X (Leopard). Yes you <br />can add some encription measures onto Office (which is not <br />really a part of Vista), but you can add it on to Mail in MacOS X <br />as well. Apparently now it comes included, cool.<br /><br />Enhanced smart card capabilities: First in Windows XP. Yeah, I'll <br />give you that one.<br /><br />Windows SMB packet signing: First in Windows NT. Well, <br />obviously that's going to be in Windows first.<br /><br /><br />So 5 wins for Windows, 4 for MacOS, and 2 ties. <br /><br />Interestingly, 3 of the Windows wins were iffy (the firewall thing, <br />the sandboxing thing, and the signed applications thing), <br />meaning that "yeah, they're there, but not really there"; and <br />another win was 1 in which they started the trend (SMB); the only <br />thing that I can see that really came out first from Windows and <br />is worth while is the smart card thing.<br /><br />MacOS only had 1 trend to state (disk images thing), while <br />tagging downloads, enhanced CISCO vpn and multiple user <br />certificates (3) seem to have some use that won't be in the <br />Windows side. It's only left to see how well did Apple implement <br />the other measures into the OS, and how well do they stack up <br />against Windows.<br /><br />And, yes, I trolled like crazy here, sorry for that... reply away.

[Penguinisto]

Much of this has existed long, long before Vista.

Seriously - a huge chunk of it translates very readily:<br /><br />* chroot jails have been around for (literally) decades as disk sandboxes, and proecss sandboxing was the major premise for Java (y'all remember Java, right - it sort of predates Vista by well over a decade...)<br /><br />* download warnings have been a part of Firefox since the day it was first released.<br /><br />* Application-based firewalls? Get off my f%*@!ng lawn you damned kids! We've had inetd (later, xinetd) in *nix since MS-DOS was Microsoft's flagship product, let alone Vista - and by the by, even OSX 10.3 has it (open a Terminal already). The big thing about 10.5 is that they expose it (or something like it) to the UI.<br /><br />* Encrypted disks have existed for a very long time before Vista was even coded for... and 256-bit AES first began implementation in *nix. Incidentally, AES isn't near the strongest method out there.<br /><br />* "network folder control"? Pffft! Ancient History. For newer stuff, even in OSX 10.3, I can implement it by simple dint of NFS, chmod, and chown. Just like any other *nix.<br /><br />* Signed Applications - too fuzzy of a term, and can mean too many things. md5 checksums from trusted sources have predated this usage by relative eons in either case.<br /><br />It is very easy to go on with this... point is, Vista certainly did not invent any of these features either.<br /><br />So in answer to your question? Everybody, with MSFT being the most egregious copier of all.<br /><br />/P

[tropical11]

Vista is junk

I am not a Mac fanboy (although I may turn into one), but vista is the worst O/S I have used in years. It doesnt even run Microsofts own programs without running into errors. As for sercuity, Vista goes overboard asking me 100 times if I want to run a program, etc. Do yourself a favor and buy a Mac. Or if you want a vista machine i will sell you mine.

[Gunady]

Apple Arrogant..

With advertisement like "Vista 2.0" or "Microsoft Photocopy machine" or "I am MAC, I am PC", apple want to prove that they are company with most innovative product, than Microsoft. That's why, when their new product comes with features that Windows already has, people will cry and scream. Haha.. lol. This is proven that no company really has the original idea, but who can implement and can be used worldwide matters.

[jltnol]

Ok ok

Alright already!<br /><br />I'll be MORE than happy to admit that Apple may have <br />"borrowed" some technology from Microsoft, but YOU have to <br />admit that Redmond has "borrowed" stuff from Apple as well.<br /><br />So if we even, then it comes down to who did it or implemented <br />it, or made easy for everyone to use.<br /><br />Why Apple, of course!

[jmdunys]

Apple arrogant?

or journalists ignorant?<br /><br />Security HAS existed, and exists on OS X. It's nothing new. Countless reviews, white paper, and articles have been published about it. The record speak for itself.<br /><br />The mentioned features are mainly for the benefit of the enterprise world "requirement list". Some boxes have to be ticked, just to be considered for specific bids and tenders. Even if there is no great need.<br /><br />As for the little chicken and egg discussion going on about who brought features first, I would ask our writers to cut it out.<br />The ONLY item in your discussion that Microsoft invented was SMB. It is a de-facto standard because of NT and its descendants' place in the enterprise. None of the other 'security features' are either Microsoft's or Apple's.<br /><br />Finally, I have Vista, XP, and uBuntu 7.10, all running on my Acer laptop, and I have Tiger running on my Media iMac. <br />Performance-wise, Vista is much faster than XP on networking, disk access, shutdown/restart. It is faster than uBuntu for shutdown/restart, but not for disk access where ReiserFS just leaves everyone in the dust.<br />But why oh why does one need to 'accept' so many things so many times a day, on Vista? In most cases it does not even make sense, because the system does not ask me for authentication (like uBuntu or OS X do).<br /><br />At this point in time, Vista is not stable enough yet and is a no-go in our setup, where uBuntu seems to have done enough for the user to be a near 'natural' upgrade. Perhaps SP1 will change this perception?

[balkce]

Thank you.

No, really, thanks. I've been approached far too many times from <br />both sides of which OS' "better". It's a matter of tastes, really.<br /><br />I work better in OS X; some friends seem to have it pretty well <br />figured out using Windows; and others, in some distribution of <br />Linux, like, apparently, you have. Good for you for trying out all <br />of these system to come to a resolution that works for you; with <br />the force informed are you now, mmm? =)<br /><br />We all like our own environments and the beauty of ALL of them <br />is that they can, pretty much, work together in the same global <br />environment if networking needs to be done. I don't see the <br />issue in pulling a "my OS' bigger than yours" or a "I did it first" <br />everytime one of these articles comes about.<br /><br />My last post was trying to challenge the idea that all of those <br />features were done first in Windows, and some of them haven't, <br />some of them have; which was in contrast to some stating that <br />"ALL of them were done in Windows first" without really knowing <br />about it.<br /><br />So, now, who wins? And if there's an answer to that question, <br />why do we care? If a someone uses their computer, I'm fine if <br />they brag about it, but I hate it when they compare it to others'... <br />it's like they want to know they have the best system, when, in <br />reality, there's no such thing. And both companies, Apple and <br />Microsoft, have done a hideous job in promoting this sentiment.