Researchers give Leopard security low marks

01.11.2007
Security features that Apple Inc. added to Leopard look great on paper, but in practice most are half-baked or useless, experts said Wednesday. And none of those features, good or bad, will make a whit of difference in how safe Mac users are when they hit the Internet.

"I do think that this is the most significant update in the OS X line when it comes to security," said Rich Mogull, a security consultant and former Gartner Inc. analyst. "But Apple didn't finish the job. There's a lot of room for improvement here."

Apple touts more than a dozen new security features and tools in Leopard, from anti-exploit memory randomization and an application defense dubbed sandboxing, to a guest account for shared machines and tighter control over input managers, long-abused operating system components that could be used by hackers to jack Macs. But with an exception here and maybe there, any crowing by users that Mac OS X 10.5 is more secure is premature.

For the most part, Mogull sees the new features as laying the groundwork for serious work down the road. He gave only a few -- such as the new restrictions on input managers -- rave reviews. "The changes in input manager are huge," said Mogull. "It shows that Apple is willing to reduce functionality to increase security. It's never done that before.

"Great, great move," he said.

Input managers, code originally intended to provide accessibility and internationalization functionality to Mac programs, have morphed into plug-ins created by scores of third-party developers. And they're a straight street to the operating system that hackers could drive as easily as legitimate programmers, said Thomas Ptacek, a researcher at Matasano.

"Almost all plug-ins abuse input managers," said Ptacek, who agreed with Mogull and tagged Leopard's lock-down as a smart move. "They've been used by the good guys, but they could also be a really bad way for attackers to backdoor a Mac. Fortunately, Leopard's made it a lot harder to install them."

Other moves by Apple on security, said Ptacek, include Leopard's new sandboxing, which let the company's developers restrict applications' actions, such as what network access they're allowed or what other programs they can communicate with. While applauding the effort -- "sandboxes are better in some ways than what Vista provides," he said -- Apple's follow-through was dismal. "Almost nothing you care about is sandboxed," Ptacek argued, pointing out that Safari, iChat and Mail, the three applications most often exposed to malware, or used as an attack vector, are not sandboxed.

Nor has Apple documented the feature. "You can't officially use this API to secure your own code [and] we can't read their code or specifications to test whether it's secure," Ptacek said.

Mogull, meanwhile, pegged an application not even on Leopard's list as the best thing in the new operating system for security. "The most material to security is Time Machine," he said, talking about Leopard's new automated backup and restore software. "IT security always talks about confidentiality, integrity and availability [of data]. Time Machines really makes backup, the availability part of that, accessible to any user, even my mom."

But those few bright spots are overwhelmed by features Mogull and Ptacek called "a mess" or "easily breakable."

Start with the memory randomization feature Apple dubs Library Randomization, both said. Although in theory it can block or at least hinder many of the current exploits -- because hackers need to know exactly where to inject their code to corrupt memory or get their exploit to run -- Apple's implementation is weak at best. Ptacek tagged it as the Leopard security feature that's most hype and least helpful. "This first incarnation is easily breakable," he said. "It might as well not even be there. But it let Apple tick off the feature when it's compared to Vista."

Mogull dismissed Leopard's memory randomization as well, but saved his best shot for the new operating system's firewall. "It's a mess," he said, rattling off a slew of problems. By default, Leopard installs with the firewall disabled, a practice that leaves users unprotected. It's also a step back from Tiger's firewall, he said, because it's both less flexible and more confusing. And after some preliminary testing, Mogull remains unconvinced it even works like it's supposed to.

"I set up file sharing but selected 'deny all' in the firewall, but my other Mac still saw the computer sharing over Bonjour -- even though it should have been denying everything," said Mogull.

For all Leopard's lousy security tools, in the end they just don't matter, said Ptacek. That's because the Mac's single most important security feature remains intact: its small market share.

"None of these additions [to Leopard] will make a difference. The best security feature is that the Mac's too small of a target for attackers," Ptacek said. In fact, if Apple had done nothing to beef up Leopard's security, it wouldn't have mattered. "Security people sometimes get irritated that Apple has had a huge free ride [on security] in the last five years, and that they haven't done anything to earn that free ride. And that free ride will continue as long as the Mac has a smaller share."

In effect, any progress by Apple is gravy, said Ptacek, a bonus. "I'm happy that they're starting to pay some attention to security, and they're heading in the right direction: they're laying the groundwork.

"But as a Mac user, I have to admit I feel safer on Vista. Microsoft spends millions [on security] because they had to. They got the crap kicked out of them years ago and got religion. Really high-end security researchers have taken their best shots [at Windows].

"If security was the deciding factor, I wouldn't be using my MacBook. But it's not [the deciding factor]. The MacBook, and the tools on it, that's what is."