Lion: What is new in Security

Published: 2011-07-21
Last Updated: 2011-07-22 01:33:05 UTC
by Johannes Ullrich (Version: 1)
1 comment(s)

Once you are over the online install experience, the upside down mouse gestures and all the other bling that comes as part of OS X Lion, it is time to look at what has changed from a security point of view. Apple doesn't exactly advertise security features, but Lion provides some significant security improvements.

Just an important note: Lion is just a day old now, so a lot of these features haven't exactly been tested yet by the large masses of users.

Address Space Layout Randomization (ASLR)

ASLR will make exploiting vulnerabilities significantly harder. In itself, it doesn't prevent any vulnerabilities. Snow Leopard introduced ASLR, but limited it to libraries. ASLR on Snow Leopard also missed randomizing the stack and the heap.

Automatic Security Updates

In Snow Leopard, like in most other operating systems, the user was told about updates, but had to manually approve / install them. In Lion, this is all going to happen behind the scenes. We will have to see how well this works as "automatic" or "unmanaged" updates may of course break incompatible applications


Sandboxing is supposed to limit how individual applications can affect each other, and the underlying system. In particular for Safari it will be interesting how well this works and if it prevents exploitation of some vulnerabilities. Safari itself is even split into different parts and javascript or plugins will run in its own sandbox.

Encrypted Backups

Time machine backups can now be encrypted.

Air Drop

Air drop sounds a bit dangerous, and we will have to revisit this protocol. It essentially allows setting up quick peer-to-peer networks to exchange files. However, the file transfer is TLS encrypted according to Apple and authenticated using the users Apple ID (which has always been available as a client certificate). It also appears to set up appropriate firewall rules. Looks like they did think about the important issues, but this is very much a topic that needs further testing.

File Vault 2

The original file vault feature in Snow Leopard only encrypted the users home directory. It was rather clunky and didn't interoperate well with time machine. File Vault 2 implements full disk encryption. In addition, a number of additional features are implements. For example, one can instantly "wipe" the disk by deleting the key. If a users is afraid of losing the key, the key can be escrowed with Apple. Initial performance test have been pretty good.

Update: After experimenting with File Vault 2, I found that it can only be used if the installer was able to create a recovery partition, which it didn't do in my case. Also, File Vault 2 is encrypting the partition, not the entire disk like other products (e.g. PGP).


Lion uses refined privacy preferences in particular limiting the access to location information

Apple ID for authentiation

Not sure Air Drop, but other authentication features leverage your Apple ID. As you sign up for an apple id, Apple will create a client certificate for you that you can now use to authenticate for file sharing, iChat and Screen Sharing. The certificate has existed in the past, and was used in iChat. But now it is used by other features of the OS.

Complete Feature List:

Johannes B. Ullrich, Ph.D.
SANS Technology Institute

Keywords: apple lion os x
1 comment(s)

Lion Released

Published: 2011-07-21
Last Updated: 2011-07-21 13:53:32 UTC
by Mark Hofman (Version: 1)
3 comment(s)

Those of you that are Apple users will no doubt have noticed a few updates to Safari, but more importantly an update to the Snow Leopard O/S.  Lion is out today. A few of us are Apple users and are in the process of installing/updating the product already.

Unlike previous upgrades this one is delivered digitally through the App store on the Mac. A 3.7GB update, so you will likely want to download it when connected to something cheaper than your 3G card.

No real major issues have been identified so far, but then it is early days.  One change is that Rosetta is no longer installed, so some older applications may no longer work.  In other words Lion is not fully backwards compatible with things that you might be running. 

Over the next few days if there is anything of significance to report one of the handlers we'll let you know. As always if you have anything to add feel free to comment or contacts us.


The install was pretty seamless and straight forward. Little snitch is one of my favourite apps and needed to be updated. The rest of the apps on the machine still seem to be working.  I guess I'll find out tomorrow when it has its first work day.  One thing that was a smidge irritating is the two finger swipe you use to scroll. It now defaults to "natural" which feels completely backwards as the reverse to what you were used to under snow leopard.  A quick trip to system preferences fixed that.  

The Release notes make mention of two main security features Address space Layout Randomisation (ASLR). Something that has been available in a number of operating systems for a while makes it way to the MAC.  By randomising the memory locations where key data is stored it should make it a little bit more difficult to do things like buffer overflows.  The second feature is probably a bit more useful which is application sandboxing. Applications are in a contained environment and are prevented from doing "evil" things.  How effective these two measures are I guess we will see in the weeks to come as more people have a play with the product.  The updates to Safari also mean that web pages and browser based applications are sandboxed.  

-- Mark --


Keywords: Apple lion OS upgrade
3 comment(s)

Down the FakeAV rabbit hole

Published: 2011-07-21
Last Updated: 2011-07-21 02:21:00 UTC
by Daniel Wesemann (Version: 1)
1 comment(s)


This one started with ISC reader Lorenzo spotting a suspicious EXE download in his proxy logs. Sorting and analyzing the logs further led him to the page that actually triggered the download... and from there, he discovered a slice of what is behind those poisoned Google Image Searches that we covered earlier.

In a nutshell, there are websites running PHP, and a vulnerable version of (what we believe so far) WordPress or Joomla.

Once hacked, the bad guys add some custom malicious PHP.

The custom PHP uses "Google Trends" and other web sites with trending statistics to find out what people currently are interested in. Out of this, the PHP generates lots of links for these topics, pointing to itself and other similarly infected pages. Politely enough, the current version of the PHP keeps a log file of sorts of its activity .. and this log file is accessible, looking something like this (defanged to keep your anti-virus from panicking :)

a href="http://domain-removed/js/ajax.php?p=social-security-checks">social security checks
a href="http://domain-removed/js/ajax.php?p=rebecca-nalepa">rebecca nalepa
a href="http://domain-removed/js/ajax.php?p=droid-bionic">droid bionic
a href="http://domain-removed/js/ajax.php?p=marilyn-monroe-statue">marilyn monroe statue
a href="http://domain-removed/js/ajax.php?p=murdoch">murdoch
a href="http://domain-removed/js/ajax.php?p=facebook">facebook
a href="http://domain-removed/js/ajax.php?p=iphone-5-release-date">iphone 5 release date
a href="http://domain-removed/js/ajax.php?p=men-of-a-certain-age">men of a certain age
a href="http://domain-removed/js/ajax.php?p=george-anthony">george anthony
a href="http://domain-removed/js/ajax.php?p=toshiba-thrive">toshiba thrive

One thing in common is the ?p=trendy-topic. If you search, for example, for

inurl:?p=casey-anthony inurl:php

in Google, chances are that a good bunch of the results are actually infected web sites. BEFORE YOU GO THERE: These search results are highly likely to return MALICIOUS content. As they say on TV: Don't try this at home, kids! As I say off TV: If you brick your PC or blackout your company, don't blame ME!

One of the search results, for example, is blog.

In this case, you would go to blog.

... and lookie what you find: A long list of trending topics and other infected domains.

After trying a handful of these domains manually, Lorenzo wrote a script that recursively requested the "log" files, parsed them, and requested the log files of the domains mentioned within the log, etc...  The result are currently about 100 domains that are hacked, and used to poison the search results.

Our investigation is still ongoing, if we find any further clues, we'll update this diary. If you have been analyzing the same thing in the past days, please share what you found so far.




Keywords: fakeav fave AV
1 comment(s)


Diary Archives