Besides the stupidity of disabling the firewall by default and not updating included software, Apple’s Leopard upgrade even has holes in its security measures — an ironic concept by any other name. For example, the “Library Randomization” feature (similar to Windows Vista’s Address Space Layout Randomization) is supposed to keep code from predictably loading at the same memory addresses, making buffer overflow attacks much more difficult, but some parts of the operating system that should have been randomized are still in predictable locations, most notably the Dynamic Link Library. One of the security researchers putting Leopard through its paces notes that he’s used that component in many exploits he’s written before.
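One way to audit the gap described above is to record where each image loads on several separate observations and flag anything that never moves. This is an added example, not code from the researchers or from Apple; the snapshot format, paths, and addresses are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data: "<base address> <image path>" lines from three
# separate observations of the same program. All values are made up.
SNAPSHOTS = [
    "0x10000000 /example/linker\n0x2a410000 /example/libA.dylib\n0x35c10000 /example/libB.dylib",
    "0x10000000 /example/linker\n0x2f1e0000 /example/libA.dylib\n0x31220000 /example/libB.dylib",
    "0x10000000 /example/linker\n0x24c70000 /example/libA.dylib\n0x31220000 /example/libB.dylib\n",
]

def parse_snapshot(text):
    """Return {image path: base address} for one snapshot; skips bad lines."""
    images = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        try:
            images[parts[1].strip()] = int(parts[0], 16)
        except ValueError:
            continue
    return images

def audit_randomization(snapshots):
    """Classify each image by how many distinct bases it was seen at."""
    seen = defaultdict(list)
    for text in snapshots:
        for path, base in parse_snapshot(text).items():
            seen[path].append(base)
    report = {}
    for path, bases in seen.items():
        if len(bases) < 2:
            report[path] = "insufficient data"   # one sighting proves nothing
        elif len(set(bases)) == 1:
            report[path] = "fixed"               # same base every time
        elif len(set(bases)) < len(bases):
            report[path] = "partly repeated"     # weak or coarse randomization
        else:
            report[path] = "varies"
    return report

def fixed_images(snapshots):
    """Images that loaded at the same base in every snapshot."""
    return sorted(p for p, s in audit_randomization(snapshots).items() if s == "fixed")

if __name__ == "__main__":
    for path, status in sorted(audit_randomization(SNAPSHOTS).items()):
        print(f"{status:18} {path}")
```

An image reported as "fixed" is the kind of component the paragraph warns about: its address is known in advance regardless of how well everything else is randomized.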
Sandboxing, the other major security feature, is also incompletely implemented, with the normal attack targets (such as browsers, IM clients, and email programs) not being run in sandboxes. Sandboxing is supposed to keep hacked applications from writing malicious files to disk and from installing programs. Since the usual targets are not sandboxed, however, these vulnerabilities are still quite present. Most of the applications sandboxed were network services, but most attacks come through email, IM, or the Web, not from the local network.