Posted on 02/23/2009 6:47:54 PM PST by Swordmaker
Hacking Apple Mac OS X is no easy task. Just ask security researcher Vincenzo Iozzo.
Iozzo delivered a session on Mac OS X hacking at the Black Hat security conference, where he attempted to show how he had developed a new vulnerability that allows a hacker to execute arbitrary code on Apple's OS X.
But if anything, the effort demonstrated that Apple users don't have much to fear -- for now, at least.
"The attack can only work if you already have access to the machine," Iozzo said during his presentation. "The attack is not a magic [wand] that can own every machine in your network. You need to have an exploit to gain remote access. This is not for exploiting a new machine from the beginning."
Iozzo's finding hinges on injecting a malicious payload directly into OS X memory, bypassing some of Apple's security filters. According to the researcher, an attack by way of memory injection marks a potentially new and dangerous attack vector for the Mac, which thus far has been largely exempt from the threat of malware plaguing Windows systems.
While it's unclear whether Iozzo's discovery could be a harbinger of things to come for Apple users, the attack could have wide-reaching implications, since it may also potentially lead to exploitation of Apple's iPhone, which shares a similar structure and uses the Safari Web browser, Iozzo said.
Apple spokespeople did not return a request for comment on the presentation by press time.
Iozzo's presentation at Black Hat comes barely a week after Apple last patched Mac OS X in an update that one security researcher criticized as having taken too long to fix a particular Safari flaw.
Black Hat sessions on Mac security are somewhat of a recent tradition. Earlier this year in a Webcast, researchers discussed Apple Mac security and alleged that the best security feature of OS X is its market share -- or lack thereof. The Black Hat Las Vegas 2008 conference also included a pair of Mac security sessions where researchers released a Mac OS X rootkit called Irk. A year ago at Black Hat DC 2008, security researcher Tiller Beauchamp released a DTrace-based tool for offensive and defensive security operations on a Mac.
Iozzo's latest vulnerability findings involve encapsulating shellcode that he calls an autoloader, and injecting it into binary code. The next step is to execute the autoloader in the address space of the attacked process in order to deliver the payload.
In a detailed presentation, Iozzo explained how his new technique could exploit OS X memory. He noted that his autoloader impersonates the Mac OS X kernel, un-maps the old binary from an existing application process and then maps the new one on the victim's Mac.
Apple's Mac OS X uses a technique called Address Space Layout Randomization (ASLR) that could potentially thwart such attempts at memory infection by randomizing where code is loaded in memory. But an autoloader could get around ASLR, since not all libraries in memory are always randomized, he said.
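The "not everything is randomized" point is something a defender can inventory rather than guess at: a Mach-O image's header carries a flags word, and the MH_PIE bit (0x200000, from mach-o/loader.h) marks an executable whose load address the loader is allowed to randomize. The parser below is an added example, not code from the article or from Iozzo's presentation; it reads only the thin Mach-O header (fat binaries would need slicing first) and runs on two constructed header byte strings rather than real files.

```python
import struct

# Magic values from mach-o/loader.h; CIGAM forms are the byte-swapped ones.
MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF
MH_CIGAM, MH_CIGAM_64 = 0xCEFAEDFE, 0xCFFAEDFE
MH_PIE = 0x200000  # flags bit: load address may be randomized by the loader
FILETYPES = {0x2: "MH_EXECUTE", 0x6: "MH_DYLIB", 0x8: "MH_BUNDLE"}


def parse_mach_header(data):
    """Parse the first 28 bytes of a thin Mach-O image.

    Returns a dict with the file type, word size, raw flags and whether the
    image opts into address randomization (MH_PIE). Raises ValueError for
    anything that is not a thin Mach-O header.
    """
    if len(data) < 28:
        raise ValueError("too short for a Mach-O header")
    raw_magic = struct.unpack("<I", data[:4])[0]
    if raw_magic in (MH_MAGIC, MH_MAGIC_64):
        endian = "<"          # file is little-endian (Intel)
    elif raw_magic in (MH_CIGAM, MH_CIGAM_64):
        endian = ">"          # file is big-endian (PowerPC)
    else:
        raise ValueError("not a thin Mach-O image (fat binary or other data)")
    (_magic, cputype, _cpusub, filetype, _ncmds,
     _sizeofcmds, flags) = struct.unpack(endian + "7I", data[:28])
    return {
        "bits": 64 if raw_magic in (MH_MAGIC_64, MH_CIGAM_64) else 32,
        "cputype": cputype,
        "filetype": FILETYPES.get(filetype, "0x%x" % filetype),
        "flags": flags,
        "pie": bool(flags & MH_PIE),
    }


# Constructed sample headers (not taken from real binaries):
# an x86_64 executable with MH_PIE set, and a 32-bit PowerPC one without it.
SAMPLE_PIE_X86_64 = struct.pack("<7I", MH_MAGIC_64, 0x01000007, 0x80000003,
                                0x2, 0, 0, 0x85 | MH_PIE) + b"\0" * 4
SAMPLE_NOPIE_PPC = struct.pack(">7I", MH_MAGIC, 0x12, 0, 0x2, 0, 0, 0x85)


if __name__ == "__main__":
    for name, blob in (("x86_64", SAMPLE_PIE_X86_64), ("ppc", SAMPLE_NOPIE_PPC)):
        info = parse_mach_header(blob)
        print(name, info["filetype"], info["bits"], "PIE" if info["pie"] else "no PIE")
```

On a real system the same parser can be pointed at `open(path, "rb").read(32)` for each binary to list which executables lack the flag; `otool -hv` reports the same bit for a single file.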
Courtesy of InternetNews.
If you want on or off the Mac Ping List, Freepmail me.
I’ll have to stop letting complete strangers borrow my Mac and use my login /s
Don’t forget that FireWire hack too.
It will be good to get some balance between the Know-Nothings of the "Macs are invulnerable" sort, and the Know-Nothings of the "Macs are only safe because they're a niche" sort.
All computers are vulnerable. The Mac -- or rather the UNIX that is under the hood of OS-X -- is more secure than any other commercial operating system available to normal people, but of course nothing is without flaw.
How long before Mac's marketshare reaches a level where the argument about "not enough to bother writing viruses for" can finally be shot in the head for good? I think 10% is enough, but 20% would be even better.
Please put me on the ping list.
Thanks
Sounds like a very complicated privilege elevation. Sadly, it’s happened on probably all multi-user operating systems. Likely only a true microkernel OS has a chance of being immune to this by design.