On July 20, Apple released Mac OS X Lion which, despite a million downloads in the first 24 hours, has been met with mixed reactions from early adopters. Despite the tepid enthusiasm, there are some important security enhancements to be gained in the upgrade.
- Improved ASLR – Address Space Layout Randomization (ASLR) is now fully implemented in Mac OS X Lion, making it more difficult for attackers to render buffer exploits such as heap sprays and stack based attacks.
- FileVault 2 – Encrypts the entire drive using 128-bit XTS-AES; recovery password can be stored with Apple if desired; Instant wipe immediately removes the encryption key (rendering the drive contents inaccessible), then wipes the entire drive. Additionally, File Vault 2 is now compatible with removable media and Time Machine backups.
- Safari – In Lion Safari, Webkit runs as a separate sandboxed process, further hardening against remote attacks.
- As an additional security boost – Apple’s Mac OS X Lion does not preinstall Java or Flash.
the security features have attracted a positive response from security experts. Dino Dai Zovi from consultancy trail of Bits told the Register: “It’s a significant improvement, and the best way that I’ve described the level of security in Lion is that it’s Windows 7, plus, plus. I generally tell Mac users that if they care about security, they should upgrade to Lion sooner rather than later, and the same goes for Windows users, too.”
From a security standpoint, none of these enhancements are enough to compel me to upgrade (for starters, I never use Safari and have already uninstalled Java and Flash) But if you’re planning to upgrade for other reasons, the Lion security enhancements are certainly nice bennies.