Leopard security flaws emerge
Apple may have just sold a record 2 million copies of its latest OS over the weekend, but that doesn't mean that all is well in the land of iPods and magical elves. Just about the same time that you started digging into the latest from Cupertino, so did the security analysts, and what they've turned up is a tad disconcerting.
According to Jürgen Schmidt, editor in chief at Heise Security, Leopard's firewall is a little less than totally secure. If the firewall is enabled (it's turned off by default) and set to "block all incoming connections," certain system services are still allowed access to the Internet. That's a bit misleading, though it's hard to say whether or not it's really a security "flaw" per se.
Meanwhile, Thomas Ptacek of Matasano Security found that two of Leopard's security features--sandboxing and library randomization--were not quite as robust as he was led to believe. While sandboxing--placing specific applications in individual, secure environments to keep a contaminated application from infecting the entire operating system--can be effective in certain scenarios, Ptacek found that the most commonly targeted applications, like Safari, iChat and Mail, were not run in a sandbox. Furthermore, he felt that the sandboxes were not quite as walled off as they should be. With regard to library randomization--which was designed to protect the user from system library exploits like buffer overflows--Apple again failed to implement the feature in all of the places where it's needed, like in the Dynamic Link Library.
While worthy of concern, all of these security flaws are somewhat minor points and won't be seen as critical vulnerabilities until they are exploited. The real test for Apple, however, is in how they deal with these flaws. If they're really intent on proving that they're different from Microsoft, now is their chance.
For more on the security concerns:
- see this MacWorld article
- and this article from CNET
© 2008 FierceMarkets, Inc. All rights reserved.