Computerworld reports that security pro Charlie Miller of Independent Security Evaluators, co-author of the Mac Hacker's Handbook and winner of two consecutive "Pwn2own" hacking contests, claims that "Snow Leopard's more secure than Leopard, but it's not as secure as Vista or Windows 7."
Computerworld reports that Miller claims that
Apple missed a golden opportunity to lock down Snow Leopard when it again failed to fully implement security technology that Microsoft perfected nearly three years ago in Windows Vista.
The security hole that Miller says Apple ignored, according to Computerworld, is address space layout randomization (ASLR), which "randomly assigns data to memory to make it tougher for attackers to determine the location of critical operating system functions, and thus make it harder for them to craft reliable exploits."
Miller complains that Apple didn't bother to address the issue in Snow Leopard, saying
"Apple didn't change anything. It's the exact same ASLR as in Leopard, which means it's not very good."
This isn't the first time that Miller has taken Apple to task for its lack of interest in security. Two years ago, he and several other researchers criticized Apple's release of Leopard because it also didn't do anything about ASLR. He said, according to Computerworld:
"I hoped Snow Leopard would do full ASLR, but it doesn't. I don't understand why they didn't. But Apple missed an opportunity with Snow Leopard."
He does say, though, that Apple did plug some other security holes with Snow Leopard, including some in QuickTime. And he is pleased that Apple revamped DEP (data execution prevention), which is a security technology used in Vista.
Miller adds that for now, a Mac user is much less liable to get attacked than a Windows user, but that's not because Snow Leopard is more secure than Windows. In fact, he says, it's less secure than either Vista or Windows 7. There simply aren't enough Mac users to make it worth hackers' efforts to attack Macs, he says. Computerworld quotes him as saying:
"It's harder to write exploits for Windows than the Mac, but all you see are Windows exploits. That's because if [the hacker] can hit 90% of the machines out there, that's all he's gonna do. It's not worth him nearly doubling his work just to get that last 10%."
As I've said before, it's time for Apple to finally get serious about security. It's willing to spend millions for ads touting what it claims is the Mac's superior security to Windows machines --- but not willing to actually do the work to make sure that's really the case.