Posted on 09/17/2009 7:59:21 AM PDT by BubbaBasher
Snow Leopard lacks security features that are built in to Windows XP, Windows Vista and Windows 7, a noted Mac researcher has said.
Dubbed ASLR, for address space layout randomisation, the technology randomly assigns data to memory to make it tougher for attackers to determine the location of critical operating system functions, and thus make it harder for them to craft reliable exploits.
"Apple didn't change anything," said Charlie Miller, of Baltimore-based Independent Security Evaluators, the co-author of The Mac Hacker's Handbook, and winner of two consecutive "Pwn2own" hacker contests. "It's the exact same ASLR as in Leopard, which means it's not very good."
Two years ago, Miller and other researchers criticised Apple for releasing Mac OS X 10.5, aka Leopard, with half-baked ASLR that failed to randomise important components of the OS, including the heap, the stack and the dynamic linker, the part of Leopard that links multiple shared libraries for an executable.
Miller was disappointed that Apple didn't improve ASLR from Leopard to Snow Leopard. "I hoped Snow Leopard would do full ASLR, but it doesn't," said Miller. "I don't understand why they didn't. But Apple missed an opportunity with Snow Leopard."
Even so, Miller said, Apple made several moves that did improve Mac OS X 10.6's security. Two that stand out, he said, were its revamp of QuickTime and additions to DEP (data execution prevention), another security feature used in Windows Vista.
"Apple rewrote a bunch of QuickTime," said Miller, "which was really smart, since it's been the source of lots of bugs in the past." That's not surprising, since QuickTime supports scores of file formats, historically its weak link. Last week, in fact, Apple patched four critical QuickTime vulnerabilities in the program's parsing of various file formats.
How Apple's rewrite of QuickTime for Snow Leopard plays out, of course, is uncertain, but Miller was optimistic. An exploit of a vulnerability in Leopard's QuickTime that he had been saving doesn't work in the version included with Snow Leopard, Miller acknowledged.
"They've shaken out hundreds of bugs in QuickTime over the years, but it was still really smart of them to rewrite it," said Miller. If it was up to him, though, Miller would do even more. "I'd reduce the number of file formats from 200 or so to 50, and reduce the attack surface. I don't think anyone would miss them."
Snow Leopard's other major security improvement was in DEP, which Miller said has been significantly enhanced. DEP is designed to stop some kinds of exploits - buffer overflow attacks, primarily - by blocking code from executing in memory that's supposed to contain only data. Microsoft introduced DEP in Windows XP Service Pack 2 (SP2), and expanded it for Vista and the upcoming Windows 7.
Put ASLR and DEP in an operating system, Miller argued, and it's much more difficult for hackers to create working attack code. "If you don't have either, or just one of the two [ASLR or DEP], you can still exploit bugs, but with both, it's much, much harder."
Because Snow Leopard lacks fully-functional ASLR, Macs are still easier to compromise than Windows Vista systems, Miller said. "Snow Leopard's more secure than Leopard, but it's not as secure as Vista or Windows 7," he said. "When Apple has both [in place], that's when I'll stop complaining about Apple's security."
In the end, though, hacker disinterest in Mac OS X has more to do with numbers, as in market share, than in what protective measure Apple adds to the OS. "It's harder to write exploits for Windows than the Mac," Miller said, "but all you see are Windows exploits. That's because if [the hacker] can hit 90% of the machines out there, that's all he's gonna do. It's not worth him nearly doubling his work just to get that last 10%."
Mac users have long relied on that "security-through-obscurity" model to evade attack, and it's still working. "I still think you're pretty safe [on a Mac]," Miller said. "I wouldn't recommend antivirus on the Mac."
But the missed opportunity continues to bother him. "ASLR and DEP are very important," Miller said. "I just don't understand why they didn't do ASLR right," especially, he added, since Apple touted Snow Leopard as a performance and reliability update to Leopard.
"If someone else is running your machine, it's more unreliable than if you're running it," Miller concluded.
Actually, no, there weren't. They did exist, but there were only a total of 113 total MacOS viruses, counting variations on a basic design.
Today, there are now almost 40,000,000 OSX Macs in use and the total number of viruses in the wild for OSX is ZERO. Viruses have been written for target population of fewer than 12,000 vulnerable computers (Witty Worm), and even for the few dozen iPods that had been converted to run LINUX, yet no one has succeeded in writing a virus to attack the 40M Macs in over eight years. There have been about seven "proof of concept" attempts to do so, but none of them have ever worked.
More like because back then Mac OS was pretty much one big gaping security hole. It was easy to hack, didn't even have protected memory.
bttt
It is misleading because the author and Charlie Miller choose to ignore the alternative methods of attaining similar levels of security that Apple IS implementing in preference to Miller's pet approach of Address Space Location Randomization which Apple does use for dynamic libraries and other system files but chooses to use a different approach for other files including heap and stack non-executability, etc.
So they have. They've been trumpeting "Just you wait! When there are enough Macs, Macs will have just as much or more malware than Windows!"
They've been saying the same tired old canard for eight years now. Tell me. What is the magic number of OSX Macs that will unleash the Dogs of Havoc? Since we've reached 40,000,000, that's not it. So what is the number that will suddenly make it easy to compromise Mac security?
Or as I like to say, why worry about a potential virus delivered over the Internet when the bigger problem is the uninvited houseguest sitting at your computer in your living room.
Hey, Swordmaker, I already gave Cold Heat a hard time over The Number back at #33 above. ;-)
He wouldn't let on... but I found it anyway! It was written on a folded-up piece of paper back in the alley behind Microsoft campus. Apparently they figured out how to compromise OS-X security! It said:
"Mac #51389207 is The One! It has the Mac GUI, but underneath, instead of BSD Unix, we've switched in a copy of Windows. When this baby hits the interweb, it'll be all over for the Mac! -- Steve"A Microsoft spokesman was unavailable for comment.
At least it's user friendly.
Oh, don't worry, I'm no Machead. I'm a Unixhead who currently is using mostly Apple hardware platforms because it's reliable. I've got Windows, OS-X, Linux, and BSD all running RIGHT NOW in front of me on mostly Apple hardware, just to do my job.
> At least it's user friendly.
Actually, truth be known, I don't like the OS-X Finder/GUI as much as the Windows XP Win-Explorer/GUI, and my dream machine would have Win-Explorer over Unix instead of Finder over Unix.
But in any case, I live on a commandline in xterms and SSh. I don't give a rat's ass for the modern user friendly. Far as I care, any system with "man" pages is user friendly enough for me. Seriously.
But I appreciate the stirring. About $600 for the Minis and about $1200 for the Macbooks. ;-)
Hi! Please add me back on to the Mac ping list.. I was focusing my attention on other things but now miss my technology fix! :-)
Sorry to be of trouble...
Thanks,
Dave
I think the proliferation is not of viruses but of Apple created FUD. Honestly, you know most of the claims in the Apple attack ads were false. They were pure FUD. This article is by a Mac guy not Microsoft.
No trouble. I’ll add you back tonite.
Actually, there were. And they were a pain in the ass since few people really paid any attention to them. 113 is more than enough especially when minor variations render the prior fix useless.
At the time we were using Macs (SE30, IICx) as secretarial workstations replacing our Wang word processing system - a dumba$$ decision to be sure but we did it. The machines were heavily used and networked.
The few DOS machines we had were unmolested. In part because they were relatively unused and mostly standalone machines.
Comparatively though if there are 40M Macs using OSX how many PCs are there running WindowsXP/2000? Must be a much larger target. Much easier to gain access to the technology from a developer POV.
It’s one thing to write a virus for a small population as a challenge - which is what the early viruses were really all about. I’d argue for the most part that isn’t the case today.
But even if machines were equally tough or equally vulnerable, why target the smaller population? Especially since statistically it is liable to be engaged in less valuable activity?
If we were to reverse the statistics so that Macs were the dominant machine - which they were at one time - would we expect people to continue focusing their efforts on the smaller Windows target?
Smaller overall population makes it less attractive. Harder to write may discourage the casual ‘challenge’ programmer. With limited time and resources one would be better of focusing on Linux rather than MacOS.
And they were available especially to a population that would be interested in taking up the challenge.
As I wrote to Swordmaker, if we reversed the number now so that Macs were again the dominant machines, would we expect people to continue targeting the smaller Windows footprint. I wouldn't think so. Especially as the availability of the Windows technology decreased.
No, security by obscurity is largely a risky strategy.
If the small number of iPods running Linux were controlling nuclear weapons or managing all funds transfer through existing clearing houses then I'd expect them to be prime targets.
I can understand people writing for a small platform as a challenge - or if that platform is engaged in doing valuable work.
But in the case of the Mac you've got a machine statistically liable to be doing less valuable work and it's harder to write for. That was not the case when were deploying them early on. They were the dominant machine and the technology was easily available to a population that would be interested in the challenge.
I disagree. 113 is the number of ALL MacOS from 1 to 9.2 viruses over the period of 1984 through 2001. At any one period of time there might have been a maximum of 10 or so active in the wild. The vast majority of those were transmitted purely on floppies. A far greater problem was corrupted fonts. In 1998 the US Army switched their website to run on MacOS 8.6 because it was far more secure than Windows. They migrated to OSX and are still there today.
However, that's still 113 more than there are for OSX.
Here is an honest to God truth. I have a rack of NT servers. There are seven in this rack. They are all Compaq Proliant servers. They are all fault tolerant, dual power supply, hot swappable drives that are mirrored through a hardware array. These are absolutely unbelievably solid pieces of hardware, Compaq Proliant’s were by far the best servers made in the Windows world.
That being said, NT was a nightmare. We had to bump these machines regularly. One server was a dedicated virus server running the full Trend Antivirus suite. This was needed to combat the 24/7 battle with all of the security flaws in the servers and clients we were running.
All the while, I had a dual G4 running OS 9 and then OS X. We added a dual G5 OS X server, and then added an Intel dual quad core server running OS X. I still have the rack of Proliants, and one is still performing a function (legacy crap). The Apple machines have never been rebooted on purpose, the NT’s were regularly done so. The G4, G5 are still running flawlessly, never rebuilt.
The Intel OS X server is the only thing I have ever seen that made me think my Proliants were inferior. I was and still am a huge proponent of the Proliant, it was the absolute best of the best in the Windows world (and I guess UNIX too). Hewlett Packard destroyed the Proliant and I will never forgive them, I think it added to their demise as well.
Apple’s systems are unbelievably good, they may or may not be more expensive than competitors, but just like my old Proliants, which were the absolute best at the time ( which were unbelievably expensive, about $8,000 per unit) they are the absolute best today and nothing can touch them. Say what you will, but OS X and the machines it runs on as opposed to a garage sale computer running a souped up version of DOS/Windows is like flying on Delta Air LInes versus Aeroflot.
ah, no. Macs have never been dominent. When Apple had the largest share of the personal computer market, their computer was the Apple II.
Also, Macs are not "hard" to software write for. It's not even hard to write malicious software for the Mac, but it will be very limited in the damage it can do on an OSX default install. They ARE hard to write self duplicating, self transmitting, self installing malware for. The only successful Mac malware have been Trojans.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.