In an unexpected move, Apple has invited several security researchers to take a look at the upcoming Mac OS X Lion and provide feedback.
Apple has generally been tight-lipped about security vulnerabilities in Mac OS X while gleefully touting flaws in competitor platforms. Sophos security expert Graham Cluley has speculated in the past that Apple does not publicly announce anti-malware security updates for marketing reasons: “Shh! Don’t tell folks that we have to protect against malware on Mac OS X!” he said.
As hackers become more sophisticated, malware is increasingly becoming OS independent, so security researchers were pleased when Apple seemed to be taking steps to take security more seriously.
According to the Edible Apple blog, the company sent out the following note to an undisclosed number of security researchers on Feb. 24:
“I wanted to let you know that I’ve requested that you be invited to the prerelease seed of Mac OS X Lion, and you should receive an invitation soon. As you have reported Mac OS X security issues in the past, I thought that you might be interested in taking a look at this. It contains several improvements in the area of security countermeasures.”
With this, Apple is requiring participating researchers to sign a non-disclosure agreement that prevents them from publicly discussing any flaws or concerns they might find, according to several security researchers who said they’ve been asked to participate. The list includes Dai Zovi and Charlie Miller, co-authors of The Mac Hacker’s Handbook.
“This looks to be a step in the direction of opening up a bit and inviting more dialogue with external researchers,” Zovi wrote on Twitter.
In return, the researchers get a free copy of the beta version of the OS.
In Miller’s case, Apple is turning to someone unimpressed with Mac OS X and with a lot of experience breaking it. He has won prizes in the last three Pwn2Own hacking contests by exploiting security holes in the Safari Web browser, Mac OS X and the iPhone. His SMS exploit can enable attackers to launch attacks on other phones from a compromised iPhone.
“At least it’s not total isolation anymore, and at least security crosses their mind now,” Miller told CNET.
“I haven’t downloaded it yet,” Miller said, “but if I had, I couldn’t talk about it. Damn NDAs.”