By David Worthington | Friday, August 28, 2009 at 5:54 pm
While Apple still has significant security work ahead of it, its Snow Leopard operating system makes prudent progress toward securing Mac OS X. But a security expert says that Apple is still playing catch-up to Windows.
That is the opinion of Charlie Miller, a leading Mac security researcher. Miller is co-author of The Mac Hacker’s Handbook, and is also known for discovering critical vulnerabilities in the OS. He told CNET today that Snow Leopard “made some improvements,” but has not implemented some of the security features that Microsoft built into Windows Vista in 2007.
After being slammed with a series of major security incidents at the start of the decade, Microsoft made security a part of its development lifecycle. Products cannot ship from Microsoft unless they have gone through a review process, and consequently, the number of security vulnerabilities in its products has dropped markedly. It was tough, expensive work, and required a strong commitment from management.
Microsoft is now making its Security Development Lifecycle (SDL), as well as some of its internal security tools, available to developers in an effort to secure Windows applications as well as the OS itself. Apple has not taken similar steps.
To the best of my knowledge, Apple is still lacking an SDL-like approach to software development. That might be why I’ve had to download several massive security rollups to patch my Mac over the past two months. As much as I love my iMac, the experience reminds me of Microsoft just a few years back.
However, Snow Leopard demonstrates that Apple, like Microsoft, has made security a higher priority. To thwart attacks, Snow Leopard introduces limited malware protection, along with other protections including improved Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP). It also sandboxes applications, which is made possible by the mandatory access control that was introduced in Leopard.
I have made no bones about my opinion that Apple has done a lackluster job at security, but it deserves credit for moving in the right direction.