Apple's Leopard a total pussy

Apple's new operating system has been mauled by security experts just days after its release.

The newest version of Apple's operating system, Leopard, has been mauled by security experts just days after its release.

Apple touted the operating system's new security features prior to the software release last Friday, boasting of several new security functions and tools.

But the reaction of security testers has been far from glowing. Heise Security savaged the new version of OS X in a posting on its website. "The Mac OS X Leopard firewall failed every test. It is not activated by default and, even when activated, it does not behave as expected," the company's Jürgen Schmidt wrote. "Although the problems and peculiarities described here are not security vulnerabilities in the sense that they can be exploited to break into a Mac, Apple would be well advised to sort them out pronto... Apple is showing here a casual attitude with regard to security questions which strongly recalls that of Microsoft four years ago."

Blogging for Matasano Chargen, security developer Thomas Ptacek was also less than glowing in his assessment of Leopard's new security features. "When you download a program with Safari and run it for the first time, you will get a (dialogue) box warning you that you downloaded the program and are running it for the first time," Ptacek wrote. "I give the average Leopard user approximately 6 hours before clicking 'OK' on this dialogue becomes a function of their autonomous nervous system."

Ptacek ridiculed Apple's code signing security feature, saying code signatures won't do anything to stop trojans taking hold of Macs, and derided the operating system's sandboxing feature. "The existing [sandbox] profiles suck," Ptacek blogged. "The Leopard 'Quick Look' feature is billed as a test case for sandboxing, because it automatically opens and parses content in your download folder. But all Quick Look sandboxing does is restrict network access. Who cares? A 'Quick Look' exploit is just going to install a Trojan somewhere else, and that Trojan won't be governed by sandboxes."

The blog post containing Ptacek's analysis can be found here.
