MAC OS

Apple invites bug researchers to scrutinize Lion OS

Feb 25, 2011 04:18 pm | Computerworld
But security experts who accept must keep findings secret

by Gregg Keizer

. What's this?

Apple is offering security experts a copy of the developer preview of Mac OS X 10.7, aka Lion, and asking them for feedback.

Several prominent Mac security researchers have reported that they received invitations to try out the Lion preview, which Apple issued Thursday .

"Apple has invited me to look at the Lion developer preview," said Dino Dai Zovi in a tweet yesterday. "I won't be able to comment on it until its release, but hooray for free access!"

Dai Zovi is the co-author of The Mac Hacker's Handbook .

Charlie Miller, an analyst with Baltimore-based consulting firm Independent Security Evaluators (ISE) and Dai Zovi's co-author, confirmed today that he had also received an invitation to try out Lion.

The preview comes with a non-disclosure agreement (NDA) that prevents Zovi, Miller and others from commenting publicly about what they find. But Apple has asked for feedback and provided researchers an e-mail address to report vulnerabilities or other issues, said Miller.

"They've never done this before," noted Miller in an interview today. "That they're thinking of reaching out [to researchers] is a good positive step, but whether it makes a difference, I'll believe it when I see it."

Miller has been critical of Apple's security practices in the past, saying in 2008 that Mac OS X was an easier target at the time than either Windows or Linux.

Miller has proven his point at the last three Pwn2Own hacking contests by walking away with cash prizes and laptops for exploiting vulnerabilities in Mac OS X and Safari, Apple's browser. Miller is slated to tackle Safari and Apple's iPhone on March 9 at this year's Pwn2Own .

Other researchers have heard the news, if not received an invitation to the preview, and given their two cents on expectation for security improvements.

"I doubt we'll see any real security innovation in Lion," opined Alexander Sotirov on Twitter. And in a later tweet aimed at Miller, Sotirov said, "I'm sure we'll see improvements in Lion, perhaps even full ASLR. But that doesn't count as 'innovation' in 2011."

Sotirov is an independent security researcher, who with Miller and Dai Zovi, launched a 2010 effort they dubbed "No Free Bugs" that proposed researchers should be paid for their work because vulnerabilities have value.

What is Tech Briefcase?
TechBriefcase is a new, free service where IT Professionals can Search, Store and Share IT white papers and content like this. Learn more
Bookmark content
Speed up your research efforts with content across the web.
Search and Store
Find the white papers you need. Create folders for any topic.
View Anywhere
Open your briefcase on your iPhone, tablet or desktop. Share with colleagues.
Don't have an account yet?