Jul 21, 2011 17:03 GMT

The new version of Apple's Mac OS X, Lion, brings important security enhancements including a full ASLR implementation, sandboxing and privilege separation.

Security experts agree that it will be much harder to exploit vulnerabilities in Mac OS X Lion than on Snow Leopard or previous versions of the operating system.

The full address space layout randomization (ASLR) implementation is an important step forward and an anti-exploitation technology that Windows has had for a while.

ASLR randomizes the memory layout of a process, so an exploit that forces an application to crash cannot count on known addresses to execute malicious code.

Even though Apple fans never agreed, security researchers considered Windows 7 better than Mac OS X in terms of security because of additional protection technologies like ASLR.

However, Lion has now changed that, and reputable Mac security researcher Dino Dai Zovi told The Register that the new Mac OS X version is "Windows 7, plus, plus." He strongly encourages users to upgrade.

ASLR was actually introduced in Snow Leopard, but the implementation was inadequate and failed to prevent a large number of exploits. That's no longer the case, says Mac security superstar Charlie Miller, who notes that Lion is much harder to exploit.

The security of Safari has also been significantly improved by placing the rendering engine inside a sandbox. Hackers looking to exploit a flaw in Safari in order to execute code on the system, like Miller did many times before, will now have a very hard time because they will also need to break out of the sandbox.

This is not impossible, and with enough hard work hackers will find a way, but it will mostly be for demonstrative purposes and bragging rights rather than real attacks against users. Cyber criminals always go for the easiest approach and will prefer social engineering to investing in a complex exploit that will be blocked anyway.

Mac OS X Lion allows all app developers to sandbox their programs in much the same way Safari is sandboxed, thanks to new sandboxing technology built directly into the operating system. In addition, Lion offers the ability to break down apps into components and run them in separate processes that have different privileges. This is called privilege separation.