OS X flaws draw hackers' eyes

With Unix at its core, Apple's new OS has started to draw the scrutiny of hackers and security experts. As a result, mailing lists are seeing the first reports of mild Mac OS X vulnerabilities.

Apple has never had much trouble grabbing attention for its Macintosh operating system. This time, however, it may be attracting the wrong kind.

The rising popularity of the current Mac OS X and the new operating system's foundation in the ubiquitous Unix operating system have started to draw the scrutiny of hackers and security experts. The result: Electronic mailing lists dedicated to security are seeing the first reports of Mac OS X vulnerabilities.

The vulnerabilities are considered mild, partly due to Apple's focus on desktop PCs and minimal presence in servers and other Internet infrastructure. But that could change as hackers get more ambitious and Apple tries to move into new markets.

"It's a pretty cool operating system, and it has a lot of exposure," said Dan Ingevaldson, technical product manager with network protection service provider Internet Security Systems. "Anytime anything new comes out, there's a lot of security research done on it."

In early April, a buffer overflow was found in a program known as "sudo," used by system administrators to allow users to run restricted applications. The flaw affected both the FreeBSD version of Unix, which forms the core components of Apple's operating system, and, by extension, Mac OS X.

And last week, several people reported that beta testers who upgraded Mac OS X to the latest version likely have improper access permissions set on their desktops, allowing any user to change the appearance of any other user's desktop.

As far as vulnerabilities go, the latest misstep is minor, said a hacker and security expert who uses the handle "shrdlu" and confirmed the problem last week.

"Beta users should be alert enough to notice these things anyway," he said in an email interview, adding that the flaw "is not a problem for the vast majority of users unless they are running (Mac OS X) as a server with multiple users."

While only a handful of security flaws have been found in OS X, it's clear that more attention is being paid to the operating system, said Robert Watson, research scientist at security software maker Network Associates. Watson also heads off security woes for FreeBSD in his volunteer role as a core team member of the FreeBSD project.

"As Apple relies on a more common code base, there will be increased scrutiny and increased interest by the less desirable members of the Internet security community," he said.

That attention will only increase if Apple can bootstrap its share of the server market from a fraction of a percent into a significant portion.

Apple seems to be aware of its potentially precarious situation. While the company's Web site doesn't have extensive security resources, the company has formed a team to combat security vulnerabilities.

"Apple always takes security seriously," said Bill Evans, spokesman for the Cupertino, Calif., company.

As evidence of Apple's security awareness, supporters note that while Microsoft and many Linux companies have only recently begun turning off unnecessary services--such as file transfer and the Web server--that could leave a computer vulnerable, Apple installs Mac OS X with such services turned off by default.

FreeBSD's Watson agrees. He and others in the FreeBSD core team have frequent conversations with Apple over security, he said. "At this point, they are still developing their whole approach to OS X," he said. "I think this is an area where they are still evolving their policy."

Don't expect an overnight plan of action, though, said ISS's Ingevaldson.

"Security is not going to push their product," he said. "Cost and functionality are the drivers for an OS."

"In the past Sun, IBM and HP didn't push security from the very beginning; it is something that evolved," Ingevaldson said. "I think (Apple) will follow the same model."