Apple invites bug researchers to scrutinize Lion OS

But security experts who accept must keep findings secret

Apple is offering security experts a copy of the developer preview of Mac OS X 10.7, aka Lion, and asking them for feedback.

Several prominent Mac security researchers have reported that they received invitations to try out the Lion preview, which Apple issued Thursday.

"Apple has invited me to look at the Lion developer preview," said Dino Dai Zovi in a tweet yesterday. "I won't be able to comment on it until its release, but hooray for free access!"

Dai Zovi is the co-author of The Mac Hacker's Handbook.

Charlie Miller, an analyst with Baltimore-based consulting firm Independent Security Evaluators (ISE) and Dai Zovi's co-author, confirmed today that he had also received an invitation to try out Lion.

The preview comes with a non-disclosure agreement (NDA) that prevents Zovi, Miller and others from commenting publicly about what they find. But Apple has asked for feedback and provided researchers an e-mail address to report vulnerabilities or other issues, said Miller.

"They've never done this before," noted Miller in an interview today. "That they're thinking of reaching out [to researchers] is a good positive step, but whether it makes a difference, I'll believe it when I see it."

Miller has been critical of Apple's security practices in the past, saying in 2008 that Mac OS X was an easier target at the time than either Windows or Linux.

Miller has proven his point at the last three Pwn2Own hacking contests by walking away with cash prizes and laptops for exploiting vulnerabilities in Mac OS X and Safari, Apple's browser. Miller is slated to tackle Safari and Apple's iPhone on March 9 at this year's Pwn2Own.

Other researchers have heard the news, if not received an invitation to the preview, and given their two cents on expectation for security improvements.

"I doubt we'll see any real security innovation in Lion," opined Alexander Sotirov on Twitter. And in a later tweet aimed at Miller, Sotirov said, "I'm sure we'll see improvements in Lion, perhaps even full ASLR. But that doesn't count as 'innovation' in 2011."

Sotirov is an independent security researcher, who with Miller and Dai Zovi, launched a 2010 effort they dubbed "No Free Bugs" that proposed researchers should be paid for their work because vulnerabilities have value.

ASLR, or "address space layout randomization," is an anti-exploit technology that randomly assigns data to memory to make it tougher for attackers to determine the location of critical operating system functions, and thus make it harder for them to craft reliable exploits.

Windows, for example, leans on ASLR, but Apple's current operating system -- 2009's Snow Leopard -- relies on partial ASLR that doesn't randomize important components of the OS. Microsoft has included ASLR in Windows since Vista's late 2007 debut.

After Snow Leopard's August 2009 launch, Miller said Apple missed the security boat by not fully implementing ASLR.

Apple has not disclosed a ship date for Lion -- saying only that it will be available "this summer" -- or its price. Historically, the company has priced its operating system upgrades at $129 for a single license, $149 for a five-license package, although it departed from that practice with Snow Leopard when it priced Mac OS X 10.6 at $29 and $49, respectively.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is

Read more about security in Computerworld's Security Topic Center.

Join the CSO newsletter!

Error: Please check your email address.

Tags AppleMac OSsecuritysoftwareMalware and Vulnerabilitiesoperating systems

More about AppleBaltimoreLinuxMicrosoft

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Gregg Keizer

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts