Spot-On Security Tips for Mac OS X Leopard
Mac OS X is generally unappealing to malicious hackers. But since its popularity is bound to attract notice from the bad guys, the new version of Apple's operating system sports several security features that users and IT departments should know about.
Upgraded OS, Updated Features
Apple appears to have heeded warnings that hackers may be taking a second look at Mac OS X; Leopard boasts a number of security enhancements and new technologies. Whitehouse notes two in particular that have caught his eye: Seatbelt, a new sandboxing technology, and Address Space Layout Randomization (ASLR), a technique that randomly moves the location of key data to make it difficult for attackers to predict where to find it.
"[Seatbelt] limits what an application can do in terms of interacting with the operating system and file system," Whitehouse says. "This is a good proactive technology against applications which may be compromised at a point in the future, but limits the impact on the operating system. However, it's clear that it is not as widely used as it could be; if Apple expands the usage to cover a majority of common applications, then it will become a valuable mitigation technology.
"The [ASLR] version in Leopard is currently minimal and provides limited protection at this point. However, it's an important step as Apple improves the implementation. One hope is it will reach the level of effectiveness of Microsoft's implementation of Windows Vista," says Whitehouse.
Cross-Platform Infection on the Horizon
Noticeably missing from Leopard's security buffet is a method of protecting the system from cross-platform infection when running virtualized environments with its native application, Boot Camp. No matter how secure your Mac is, once you fire up a virtual machine running Windows, you leave your system open for invasions through the back door.
Whitehouse notes that although there have been no documented instances of a cross-platform infection, it's simply a matter of time before one occurs. Fortunately, there are a number of precautions IT departments can take to minimize the risks. He suggests using full-disk encryption on at least one of the operating systems so whichever OS is at rest will be inaccessible to the other. Whitehouse also recommends that CrossOver Mac users develop and implement their own sandbox policies and run Windows within those environments. That way, any security compromises won't affect the host system. Finally, he says, be sure to run consistently updated security systems on both OSs at all times.
According to Selby, strict virtualization policies are a company's best defense against cross-platform contamination, especially when users are permitted to self-provision their own machines. "Best practices dictate that you make sure Windows is always firewalled, patched and updated," he says. "Make it a corporate policy." Selby expects that as more companies trend toward virtualization, vendors will develop virtual machine monitors that will automate the process. But in the meantime, he urges IT departments to make every effort to ensure virtual Windows machines are as buttoned-up as possible.



