By Ryan Russell
The latest version of Mac OS X is out, and among its new features are a few security additions.
While Apple continues to make fun of problems experienced by Windows users, the Cupertino company is just now catching up to some protective features Windows has had for a while.
Leopard features that are already in Windows
Even as a kid, I used to play the “my computer is better than yours” game. Anyone who has ever watched the “I’m a Mac, I’m a PC” commercials knows that Apple likes to play too.
Funny, as a teenage Apple II owner, I used to be more on Apple’s side. But this is not OS X Secrets, so let me point out to you the security features that you already have as a user of Windows Vista or XP SP2.
First off, let me give you a link to Apple’s official listing of its new security features. I would never begrudge someone better security, so it’s nice to see Apple catching up.
- Tagging downloaded applications. This has been in Windows since at least Internet Explorer 6.
- Signed applications. Authenticode 2.0 was introduced with IE 4.
- Application-based firewall. Introduced with XP SP2. (Apple’s implementation in Leopard has already come under criticism, as evidenced in articles at Heise Security on Oct. 29 and Nov. 11.)
- Stronger encryption for disk images. Windows EFS has supported 256-bit AES for several years.
- Enhanced VPN client compatibility. This looks more like a behind-the-scenes feature than a user feature, so I can’t tell exactly what the Windows equivalent is. Of course, Windows is typically the first target for any VPN client, so it might be a moot point.
- Sharing and collaboration configuration. Sounds just like Active Directory share permissions.
- Sandboxing. Here we have a feature that I don’t see a built-in Windows equivalent for. Sure, there are things like the Java VM and .NET managed code, but this is a little different. Score one for Apple, if it works well.
- Multiple user certificates. You can certainly do multiple certificates in Thunderbird, my e-mail client of choice. I believe Outlook can, too, but I’d have to do some experiments to verify that.
- Enhanced smartcard capabilities. Windows has had good smartcard integration since at least Windows 2000.
- Library randomization. This was added to Visual Studio 2005 SP1 only a year or so ago, according to Microsoft developer Michael Howard, so Apple’s not too far behind on this one.
- Windows SMB packet signing. Of course, if Windows didn’t have this in the first place, then OS X wouldn’t need it at all. (The technique digitally signs packets, so an eavesdropper on the network can’t read and/or use the data, as explained in an article by Microsoft security architect Jesper Johansson.)
Shatter attacks not ‘fixed’ until Vista
All of the above is not to imply that Microsoft is perfect, of course. I don’t let anyone off the hook.
In a PDF presentation at the 2003 Black Hat Briefings, Chris Paget gave the name “shatter attack” to a class of Windows vulnerabilities. In brief, just about any Windows process can send “messages” to any other, possibly allowing security bypass.