Apple announced that Leopard will be released October 26th. They also pumped out a feature list. The guys over at Securosis do a fine job running down the list of security features on tap for the new version so I won’t duplicate the fine effort shown over there. I wanted to take a look at the new features that make me feel a little leery: (to be clear I have not installed any version of Leopard so my comments below are guesses)
Dashboard Web Clip - Clip out any portion of a web page and turn it into a Dashboard widget. Let me see, grab random web content and have it execute in a local context, anyone see a problem with this? The widget is “live” and will update as its page of origin does. Even better! One day I download a nice little neat package, the next day the code changes and I have a big problem on my hands.
Finder Instant Screen Sharing from the Finder - Start an interactive screen sharing session with other Macs on your network. How soon before we have a virus that streams back live video sessions of a user’s desktop? Hopefully Apple has some decent controls in place around this.
Back to My Mac - Connect to any of your Mac computers at home from any Mac on the Internet. What if we rewrote that a bit: Connect to any of your Mac computers at the office from any Mac on the Internet. Yikes!
Time Machine Browse Other Time Machine Disks - Browse other Time Machine disks with your Mac. Just plug in the drive and your Mac will recognize the Time Machine backup volume, even if it has backed up a different Mac. Keep an eye on those backup disks! This is not a unique issue to Time Machine of course but knowing Apple they will make it super easy to read backup disks. They do mention preserving access rights so maybe I won’t be able to read all the data from your backup. Maybe they will let you encrypt it but I don’t see a mention of that.
Unix Wide Area Bonjour - I think this is probably the same as the “Back to my Mac” feature above but they do mention “Use this host name whether you’re behind a NAT gateway or hopping across DHCP servers,” so that is pretty troubling.
One feature Securosis didn’t mention that looks like it could be really helpful in tracking down malware is the Instruments feature. This allows you to analyze running processes and track what they are doing (when combined with DTrace).
I really hope Apple has thought these things through a bit from a security perspective. I think these are all really great features and Leopard is poised to be the best OS release ever from a features and usability standpoint. I have pre-ordered my copy and I hope to get a full review of the security implications of these features once I get it installed.
