Security Quest #7 – New Leopard Security Features

Now’s a good time to review the new security features Apple is adding to Leopard. Besides, between the site upgrade and Leopard prep I didn’t have time to put together another security topic.

Apple has 11 new security features listed on their “300+ New Features” page. Some of the non-security features seem to be padding for the list, such as an “empty trash button”. How lame are the security features and which ones are padding?

The 11 from Apple’s list are:

1. Tagging Downloaded Applications:It all depends upon implementation but this sounds like a really good feature that contributes to security. When an application is downloaded to the Mac it is tagged as a downloaded app. Before it runs for the first time your prompted for your consent and are told it was downloaded, what application downloaded it and if possible what URL it came from. This one is definitely a useful feature.

2. Signed Applications: All apps shipped with Leopard are digitally signed and third-party developers can sign their applications. This one is probably more beneficial to sysadmins and all small segment of users, but most users probably won’t care. I’d still put this in the useful feature category.

3. Application-Based Firewall: In addition to port blocking you can also configure individual applications to allow or block incoming connections. OK, this is new for Leopard, but an evolutionary improvement that’s already in the Windows XP firewall and most third-party firewalls.

4. Stronger Encryption for Disk Images:OK, stronger is better, but this is borderline “new button” territory. It’s 256-bit AES instead of 128-bit AES. 128 bit is still an option. It’s an improvement, not a new feature and I suspect one most Mac users don’t care about. Governments and enterprises will probably welcome it.

5. Enhanced VPN Connection Compatibility: Like encryption, this is an improvement. A welcome improvement for people who need VPN. This could include people forced to use a public Wi-Fi network and wanting VPN for extra security.

6. Sharing and Collaboration Configuration: You can now share any folder on your Mac the same as Windows. I can see sysadmins cringe now. I’m not sure I’d call this a security improvement since users are often the weak link in security. It all depends upon implementation but it’s easier to share a directory to everyone rather than have to manage access and it’s easier to share an entire drive than folders. (I speak from experience.) I guess I’d agree this is new to OS X but I don’t think I’d put it in the security category unless it’s really well implemented.

7. Sandboxing: This one really depends upon the implementation but it’s a new feature and has the potential to significantly improve security. Applications can have their file access, network access, and ability to launch other apps limited. Apple has sandboxed Bonjour, Quick Look and the Spotlight indexer. A good security improvement but it depends upon the application and developers. This does deserve the “new feature” designation.

8. Multipe User Certificates: Allows you to maintain different digital certificates for different email addresses. Keychain can be used to associate certificates with email addresses. Signing email is becoming more common and anything that helps implement it is welcome. Another one that deserves the new feature moniker.

9. Enhanced Smart Card Capabilities: This is a welcome improvement targeted towards government and business.

10. Library Randomization: This loads system libraries to randomly assigned addresses which makes it harder for hackers. Vista has this too but it’s new to OS X and welcome.

11. Windows SMB packet Signing: Even the description makes this sound like something thrown in to pump up the numbers: “Enjoy improved compatibility and security with Windows-based servers.” So improved security is a good thing but it should hardly be on a new features list.

There’s one they put under the Network category that could help with security: New Airport Menu, now we’ll be able to identify secure WiFi networks. Sounds like they took it from Windows, but no shame in taking something that works.

Leopard Security Enhancement Summary

It’s actually not too bad. Only two shouldn’t be on the new feature list (6 and 11) and three are more along the lines of small enhancements (3, 4, 5) but the other six are worth identifying as new.

It’s nice to see Apple continue to address and improve security despite their reputation as a secure OS. I’d have to agree they aren’t paying lip service to security and made significant improvements.

Security Vulnerabilities

Real has released updates to several Windows versions of RealPlayer to address a security vulnerability. Mac and Linux versions are not affected.

Firefox 2.0.0.8 was released to address eight security vulnerabilities and add Leopard support.

WordPress 2.3 has a vulnerability that allows a blogroll to be spammed. This thread describes the vulnerability and has a link to download an updated link.php file to plug it.

Security Software

AVG Anti-Virus Free Edition has been update to version 7.5.503 has been released.

Links & News

ArsTechnica.com: Comcast’s law enforcement handbook leaked, could teach telecoms a thing or two – Comcast document leaked. Makes them look good compared to telcos.

Macworld.com: I will behave cautiously online – Some tips for safe browsing. Even Mac users are vulnerable in this area since the operating system is irrelevant.

Macworld.com: I will keep my Mac safe from other users – Some tips on securing a Mac. Can’t say I do all these things

Macworld.com: I will use good passwords – Some tips for using passwords