We have some guests in town so it will be a couple more days until I’m back to the regular blogging schedule, but I did manage to install Leopard this weekend.
As an OS, so far it looks great. The upgrade went without a hitch and everything seems to be working well. I still need to dig into my Unix tools and the less-frequently used applications, but the day to day stuff is all working fine.
The security updates are a bit of a mixed bag. Tom at Matasano posted a really good technical summary of how Apple implemented some key new security features. I’ve also talked to a couple other researchers who have dug in.
The summary is that Apple is dipping their toes, but needs to fully implement the features if we’re to see the security benefits. Library Randomization seems to be only a partial implementation. Check out Tom’s details, but I validated this through another source and it’s unlikely this will offer the buffer overflow protection we’re looking for. As Tom describes, it’s more of a speed bump than a wall.
The firewall may be better, but we’ll never know. The user interface is so simple as to be nearly useless and despite the simplicity is more confusing. It’s all or nothing (block all incoming connections, or allow all incoming connections, or select applications to secure).
Later this week or next weekend I’ll have time to play with it more, but the firewall changes don’t look good and may place more people at risk.
There are a bunch of other implementation problems. I’d say, right now, my earlier statements that this is the most significant security improvement in the OS X line are premature. The components are there, but the execution is off. It’s nothing they can’t easily fix in some regular updates, and we (the customers) need to stay on Apple to finish the job.