Mac OS X Lion makes the security grade

Apple's newest operating system gets its usual parcel of flashy features -- but also some major security upgrades

For Mac OS X users worried about security, the latest upgrade to Apple's operating system should be enticing. 

Unlike the last update, Mac OS X 10.6 Snow Leopard, Lion brings a number of key missing security features to the platform. Mac OS X 10.7 includes a complete implementation of the anti-exploitation feature known as Address Space Layout Randomization (ASLR), better sandboxing of applications, and full disk encryption.

"They have been playing catch-up to Microsoft, but they more or less have everything that is standard now," says Charlie Miller, a security consultant at Accuvant and co-author of "The Mac Hacker's Handbook."

Miller started looking into the security of Mac OS X in 2007 because it was much easier to find flaws in that operating system than in Microsoft's then-current platform, Windows Vista. With the release of Mac OS X Lion, which fixes a number of shortcomings, that's no longer true, he says.

In previous versions of the Mac operating system, for example, 32-bit applications were not protected by a full implementation of Address Space Layout Randomization, a technique that makes it hard for attackers to guess where specific code may be in a computer's memory and thus makes it difficult to exploit systems. With Lion, both 32-bit and 64-bit applications compiled on the system get the full benefits of ASLR.

Apple has also made its file encryption feature, FileVault, much better. FileVault now encrypts at the block level, allowing full disk encryption, Miller says.

Finally, the company has implemented sandboxing throughout many parts of the operating system and will require it of third-party vendors. Sandboxing restricts how a program can affect other data on the system. With its move to online sales of software through the App Store, Apple may be able to enforce better security on third-party programs as well, says Dino Dai Zovi, an independent security consultant and the other co-author of "The Mac Hacker's Handbook." Starting in November, Apple will be requiring all programs sold through the App Store to make use of sandboxing.

"They're kind of pushing the Mac App Store as a model, like what is on iOS," Dai Zovi says. "On iOS, you can't opt out of the sandbox, so they are going to push that for the Mac App Store as well."

This story, "Mac OS X Lion makes the security grade," was originally published at InfoWorld.

Copyright © 2011 IDG Communications, Inc.