Apple takes wraps off Leopard security guide

Apple has released a security guide for its Mac OS X 10.5 Leopard operating system, with more than 200 pages of details and a focus on advanced users or system administrators.

The guide, released on Monday, arrives at a time when OS X is coming to the attention of a wider user base. This in turn has spurred increased interest in the security aspects of the software, according to industry analysts.

The guide, available from Apple's Web site in PDF form, is aimed at advanced users familiar with the Terminal command-line interface, Apple warned, but also includes general security tips.

"Some instructions in this guide are complex, and deviation could cause serious adverse effects on the computer and its security," Apple said in the guide's introduction. "These instructions should only be used by experienced Mac OS X users, and should be followed by thorough testing."

Topics covered include securing the system administrator account, using Open Directory, using strong authentication, secure installation, services configuration, and security in a number of popular applications, as well as more esoteric topics such as Xgrid Sharing, library randomization, and the use of smart cards to protect encrypted storage devices.

According to Apple, Leopard includes a number of significant security improvements, including a feature that marks downloaded applications to protect against Trojan horses, stronger runtime security, simplified network security, and improved support for secure connections such as virtual private networks.

In the guide Apple also called attention to the fact that its approach to security alerts has taken exactly the opposite path to that of Windows Vista with its notorious User Account Control feature.

"Mac OS X v10.5 minimizes the number of security alerts that you see, so when you do see one, it gets your attention," Apple said in the guide.

Last week Apple released a large update including nearly 70 stability, compatibility, and security improvements and fixes. Apple also tucked eight fixes for iCal, its personal scheduling program, into the update, but did not patch the three security vulnerabilities disclosed a week ago by Core Security Technologies.

The three iCal bugs, which were reported to Apple in January 2008, were revealed last Wednesday by Core after it had repeatedly been asked by Apple to delay publishing its findings. Core decided to unveil the vulnerabilities after Apple again postponed its patches.

The large update and the increased attention from organizations such as Core shows that Apple has become a more significant presence in the PC market, in part because of its iPhone smartphone, which also runs Mac OS X.

"The fact that OS X is now on the radar of both the security vendors and the bad guys indicates that the OS has become a 'worthy' target," said Ovum analyst Mike Davis in a bulletin published this week.