Apple missed security boat with Snow Leopard, says researcher

Apple missed a golden opportunity to lock down Snow Leopard when it again failed to fully implement security technology that Microsoft perfected nearly three years ago in Windows Vista, a noted Mac researcher said today.

Dubbed ASLR, for address space layout randomization, the technology randomly assigns data to memory to make it tougher for attackers to determine the location of critical operating system functions, and thus make it harder for them to craft reliable exploits.

"Apple didn't change anything," said Charlie Miller, of Baltimore-based Independent Security Evaluators, the co-author of The Mac Hacker's Handbook, and winner of two consecutive "Pwn2own" hacker contests. "It's the exact same ASLR as in Leopard, which means it's not very good."

Two years ago, Miller and other researchers criticized Apple for releasing Mac OS X 10.5, aka Leopard, with half-baked ASLR that failed to randomize important components of the OS, including the heap, the stack and the dynamic linker, the part of Leopard that links multiple shared libraries for an executable.

Miller was disappointed that Apple didn't improve ASLR from Leopard to Snow Leopard. "I hoped Snow Leopard would do full ASLR, but it doesn't," said Miller. "I don't understand why they didn't. But Apple missed an opportunity with Snow Leopard."

Even so, Miller said, Apple made several moves that did improve Mac OS X 10.6's security. Two that stand out, he said, were its revamp of QuickTime and additions to DEP (data execution prevention), another security feature used in Windows Vista.

"Apple rewrote a bunch of QuickTime," said Miller, "which was really smart, since it's been the source of lots of bugs in the past." That's not surprising, since QuickTime supports scores of file formats, historically its weak link. Last week, in fact, Apple patched four critical QuickTime vulnerabilities in the program's parsing of various file formats.

How Apple's rewrite of QuickTime for Snow Leopard plays out, of course, is uncertain, but Miller was optimistic. An exploit of a vulnerability in Leopard's QuickTime that he had been saving doesn't work in the version included with Snow Leopard, Miller acknowledged.

"They've shaken out hundreds of bugs in QuickTime over the years, but it was still really smart of them to rewrite it," said Miller.

If it was up to him, though, Miller would do even more. "I'd reduce the number of file formats from 200 or so to 50, and reduce the attack surface. I don't think anyone would miss them."

Snow Leopard's other major security improvement was in DEP, which Miller said has been significantly enhanced. DEP is designed to stop some kinds of exploits - buffer overflow attacks, primarily - by blocking code from executing in memory that's supposed to contain only data. Microsoft introduced DEP in Windows XP Service Pack 2 (SP2), and expanded it for Vista and the upcoming Windows 7.

Put ASLR and DEP in an operating system, Miller argued, and it's much more difficult for hackers to create working attack code. "If you don't have either, or just one of the two [ASLR or DEP], you can still exploit bugs, but with both, it's much, much harder."

Because Snow Leopard lacks fully-functional ASLR, Macs are still easier to compromise than Windows Vista systems, Miller said. "Snow Leopard's more secure than Leopard, but it's not as secure as Vista or Windows 7," he said. "When Apple has both [in place], that's when I'll stop complaining about Apple's security."

In the end, though, hacker disinterest in Mac OS X has more to do with numbers, as in market share, than in what protective measure Apple adds to the OS. "It's harder to write exploits for Windows than the Mac," Miller said, "but all you see are Windows exploits. That's because if [the hacker] can hit 90% of the machines out there, that's all he's gonna do. It's not worth him nearly doubling his work just to get that last 10%."

Mac users have long relied on that "security-through-obscurity" model to evade attack, and it's still working. "I still think you're pretty safe [on a Mac]," Miller said. "I wouldn't recommend antivirus on the Mac."

But the missed opportunity continues to bother him. "ASLR and DEP are very important," Miller said. "I just don't understand why they didn't do ASLR right," especially, he added, since Apple touted Snow Leopard as a performance and reliability update to Leopard.

"If someone else is running your machine, it's more unreliable than if you're running it," Miller concluded.
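As an added illustration of the "partial ASLR" complaint above (this is not code from the article or from Miller), the script below spawns a few fresh processes and reports which of the stack, heap, dynamic linker and C library land at a different base on each run. It assumes a Linux system with /proc/self/maps; the two embedded maps samples are constructed to show the Leopard-style case where some regions move and others do not.

```python
import re, subprocess, sys

# Regions the article names: stack, heap and the dynamic linker; libc added for comparison.
REGION_PATTERNS = {
    "stack": re.compile(r"\[stack\]$"),
    "heap": re.compile(r"\[heap\]$"),
    "ld": re.compile(r"/ld-[^/]*\.so"),                  # ELF dynamic linker
    "libc": re.compile(r"/libc(\.so|-[0-9][^/]*\.so)"),  # glibc or musl C library
}

def region_bases(maps_text):
    """Map region name -> lowest start address seen in /proc/<pid>/maps text."""
    bases = {}
    for line in maps_text.splitlines():
        parts = line.split()
        if not parts:
            continue
        start = int(parts[0].split("-")[0], 16)
        path = parts[5] if len(parts) >= 6 else ""
        for name, pattern in REGION_PATTERNS.items():
            if pattern.search(path) and start < bases.get(name, start + 1):
                bases[name] = start
    return bases

def randomized_regions(map_samples):
    """True for a region whose base differed between at least two sampled runs."""
    runs = [region_bases(text) for text in map_samples]
    return {name: len({run.get(name) for run in runs}) > 1 for name in set().union(*runs)}

def sample_child_maps(count=5):
    """Spawn fresh interpreters and collect each one's own maps (Linux /proc only)."""
    child = "print(open('/proc/self/maps').read())"
    return [subprocess.run([sys.executable, "-c", child], capture_output=True,
                           text=True, check=True).stdout for _ in range(count)]

# Constructed sample of two runs: stack and libc move, heap and ld do not (partial ASLR).
SAMPLE_RUN_A = """
5641a2c00000-5641a2c21000 r--p 00000000 08:01 131  /usr/bin/python3
5641a3f00000-5641a3f21000 rw-p 00000000 00:00 0    [heap]
7f3a12000000-7f3a12028000 r--p 00000000 08:01 220  /usr/lib/x86_64-linux-gnu/libc.so.6
7f3a12200000-7f3a12202000 r--p 00000000 08:01 221  /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2
7ffd5e800000-7ffd5e821000 rw-p 00000000 00:00 0    [stack]
"""
SAMPLE_RUN_B = (SAMPLE_RUN_A.replace("7f3a12000000-7f3a12028000", "7f9c44000000-7f9c44028000")
                            .replace("7ffd5e800000-7ffd5e821000", "7ffe9a100000-7ffe9a121000"))

if __name__ == "__main__":
    # Live check: any region reported as "FIXED base" is one ASLR is not protecting.
    for name, moved in sorted(randomized_regions(sample_child_maps()).items()):
        print(f"{name:6s} {'randomized' if moved else 'FIXED base'}")
```

On a kernel or container that has randomization disabled every region will show a fixed base, which is the same signal Miller describes, just for all regions at once.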

iStockphoto guarantees its collection

Starting today, iStockphoto, the micropayment royalty-free image, video, and audio provider, will legally guarantee its entire collection from copyright, moral right, trademark, intellectual property, and rights of privacy disputes for up to $10,000. Additional coverage for an Extended Legal Guarantee totaling $250,000 is available for the purchase of 100 iStock credits.

The new iStock Legal Guarantee, delivered at no cost to customers, covers the company's entire 5 million-plus collection. Although common for traditional stock houses, such legal guarantees have not been standard in microstock because of the low prices. Recently however, Vivozoom, another microstock company, took a similar action to guarantee its collection.

"Our first line of defense has always been - and continues to be - our rigorous inspection process," said Kelly Thompson, chief operating officer of iStockphoto. "The Legal Guarantee is simply an added layer of protection for our customers, many of whom are using microstock more than ever before."

iStock says that files purchased and used in accordance with its license will not breach any trademark, copyright, or other intellectual property rights or rights of privacy. And, if a customer does get a claim, iStock will cover the customer's legal costs and direct damages up to a combined total of $10,000. iStock customers can increase their coverage for legal fees and direct damages up to a combined total of $250,000 by purchasing the Extended Legal Guarantee via the iStock credits (which costs between $95 and $138). iStock expects that this program will be popular with a very small percentage of sophisticated media buyers with very specific needs, and considers it to be a value-added service to customers rather than a major source of revenue.

You've got questions, Aardvark Mobile has answers

Aardvark has taken a different tack with search. The online service figures it's sometimes more productive to ask a question of an actual person - usually someone from within your social network - rather than brave the vagaries of a search engine and its sometimes irrelevant answers. And now the people behind Aardvark are bringing that same approach to the iPhone and iPod touch.

Aardvark Mobile actually arrived in the App Store nearly a week ago. But developer Vark.com waited until Tuesday to take the wraps off the mobile version of its social question-and-answer service.

Aardvark Mobile tackles the same problem as the Aardvark Web site - dealing with subjective searches where two people might type in the same keywords but be searching for two completely different things. "Search engines by design struggle with these types of queries," Aardvark CEO Max Ventilla said.

What Aardvark does is tap into your social networks and contacts on Facebook, Twitter, Gmail, and elsewhere to track down answers to questions that might otherwise flummox a search engine - things like "Where's a good place to eat in this neighborhood?" or "Where should I stay when I visit London?" With Aardvark's Web service, you'd send a message through your IM client to Aardvark; the service then figures out who in your network (and in their extended network) might be able to answer the question and asks them on your behalf. Ventilla says that 90 percent of the questions asked via Aardvark get answered. The majority of questions are answered in less than five minutes.

The iPhone version of Aardvark works much the same way. Instead of an IM, you type a message directly into the app, tag it with the appropriate categories, and send it off to Aardvark. The service pings people for an answer, and sends you a push notification when there's a reply. In previewing the app, I asked a question about affordable hotels in Central London - two responses came back within about three minutes from other Aardvark users.

If you shake your mobile device when you're on the Answer tab, Aardvark Mobile looks up any unanswered questions that you may be able to provide a response for (while also producing a very alarming aardvark-like noise).

In addition to push notifications, Aardvark Mobile also taps into the iPhone's built-in location features to automatically detect your location - a feature that can help when you're asking about local hotspots. "We think Aardvark is particularly well-suited to mobile, and especially the iPhone given how rich that platform is to develop for," Ventilla said.

The free Aardvark Mobile app lets you set up a profile on your iPhone or iPod touch; Facebook Connect integration helps you instantly build up a network of friends who are also using the service. You don't have to already be using Aardvark's online service to take advantage of the mobile app. Aardvark Mobile requires the iPhone OS 3.0.

DOJ expands review of planned Microsoft-Yahoo agreement

The U.S. Department of Justice has asked Microsoft Corp. and Yahoo Inc. to hand over more information regarding their proposed search partnership. A Microsoft spokesman confirmed in an e-mail to Computerworld today that the DOJ requested additional information, but added that it came as no surprise. "As expected, we received an additional request for information about the agreement earlier this week," wrote the spokesman, Jack Evans. "When the deal was announced, we said we anticipated a close review of the agreement given its scope, and we continue to be hopeful that it will close early next year." Evans declined to disclose exactly what information the DOJ is looking for.

Nina Blackwell, a spokeswoman for Yahoo, said both companies are cooperating with federal regulators. "[We] firmly believe that the information [we] will be providing will confirm that this deal is not only good for both companies, but it is also good for advertisers, good for publishers, and good for consumers," she added.

Microsoft and Yahoo announced late in July that they had finalized negotiations on a deal that will have Microsoft's Bing search engine powering Yahoo's sites, while Yahoo sells premium search advertising services for both companies. The partnership, which was a year-and-a-half in the making, is aimed at enabling the companies to take on search behemoth Google as a united force. Microsoft officials contend that the deal with Yahoo will improve competition in the search market.

Matthew Cantor, a partner at Constantine Cannon LLP in New York and an experienced antitrust litigator, disagrees. Cantor said last month that when Yahoo's own search tool disappears, only two major search engines will remain - Google and Microsoft's Bing. He argues that since Yahoo will cease being a competitor in the search market, the DOJ is likely to say the Microsoft/Yahoo partnership is anticompetitive.

In an interview today, Cantor applauded the DOJ's request for more information. "Most deals clear without a request for additional information. This is not run-of-the-mill," said Cantor. "The government believes there are potential antitrust concerns raised here. They would only request additional information if there was some kind of presumption that the deal will cause antitrust effects."

Cantor added that he thinks it could take months for Microsoft and Yahoo to pull this new information together, perhaps until the end of this year. Nonetheless, Blackwell told Computerworld that Yahoo is still hopeful the deal will close early next year.