Snow Leopard Missed a Security Opportunity
CWmike writes "Apple missed a golden opportunity to lock down Snow Leopard when it again failed to implement fully a security technology that Microsoft perfected nearly three years ago in Windows Vista, noted Mac researcher Charlie Miller said today. Dubbed ASLR, for address space layout randomization, the technology randomly assigns data to memory to make it tougher for attackers to determine the location of critical operating system functions, and thus makes it harder for them to craft reliable exploits. 'Apple didn't change anything,' said Miller, of Independent Security Evaluators, the co-author of The Mac Hacker's Handbook, and winner of two consecutive 'Pwn2own' hacker contests. 'It's the exact same ASLR as in Leopard, which means it's not very good.'"
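The summary's point about ASLR that is not fully implemented can be checked by logging where each memory region lands over several launches and seeing which addresses never move. The sketch below is an added example, not code from the article or from Miller; the sample addresses are constructed to mimic a system where only shared libraries are randomized, and all names in it are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#define RUNS 3
struct region { const char *name; uint64_t addr[RUNS]; };
/* Constructed samples, not measured on any real system: four addresses as
   they might be logged over three launches when only libraries move. */
static const struct region SAMPLE[] = {
    {"executable", {0x100000000ULL, 0x100000000ULL, 0x100000000ULL}},
    {"heap",       {0x100100000ULL, 0x100100000ULL, 0x100100000ULL}},
    {"stack",      {0x7fff5fbff8a0ULL, 0x7fff5fbff8a0ULL, 0x7fff5fbff8a0ULL}},
    {"library",    {0x7fff8a3c1000ULL, 0x7fff91e05000ULL, 0x7fff86b7a000ULL}},
};
#define NREGIONS (sizeof SAMPLE / sizeof SAMPLE[0])

/* Mask of address bits that changed between launches; 0 means fixed. */
uint64_t varying_bits(const uint64_t *addr, size_t n) {
    uint64_t mask = 0;
    for (size_t i = 1; i < n; i++) mask |= addr[0] ^ addr[i];
    return mask;
}

int bit_count(uint64_t m) {
    int c = 0;
    for (; m; m &= m - 1) c++;   /* clears the lowest set bit each pass */
    return c;
}

/* Regions whose address never moved: each one is a predictable location. */
int fixed_regions(void) {
    int fixed = 0;
    for (size_t i = 0; i < NREGIONS; i++)
        if (varying_bits(SAMPLE[i].addr, RUNS) == 0) fixed++;
    return fixed;
}

int main(void) {
    int local = 0;
    void *heap = malloc(16);
    /* Live values: run the binary several times and compare these lines. */
    printf("live: stack=%p heap=%p\n", (void *)&local, heap);
    free(heap);
    for (size_t i = 0; i < NREGIONS; i++)
        printf("%-10s changed bits: %d\n", SAMPLE[i].name,
               bit_count(varying_bits(SAMPLE[i].addr, RUNS)));
    printf("%d of %zu regions fixed\n", fixed_regions(), NREGIONS);
    return 0;
}
```

On the constructed data three of the four regions are fixed, which is what a partial implementation looks like from an auditor's side.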
This article sucks (Score:2, Interesting)
Even so, Miller said, Apple made several moves that did improve Mac OS X 10.6's security. Two that stand out, he said, were its revamp of QuickTime and additions to DEP (data execution prevention), another security feature used in Windows Vista.
DEP has been around for a long time and has been in XP since at least SP2.
"[the quicktime rewrite] was really smart, since it's been the source of lots of bugs in the past."
bugs != security failure (although they can cause one... the bad math issues in Excel 2007 aren't particularly exploitable, just annoying)
Again and again ... (Score:1, Interesting)
Could it be all these 'experts' are just a tiny little bit self-serving? Anyway, every time I read a headline about an OSX exploit it turns out to be either a trojan or local (which is bad but not *that* bad afaik). Are there even any known remote ones? Not trying to troll here, maybe I'm just uninformed. Please enlighten me.
Microsoft technology? Really? (Score:1, Interesting)
They make it sound like freakin' M$ invented the technology... it was in Linux long before and other systems even before that! M$ is just using other people's ideas, as usual.
See wiki:Address space layout randomization [wikipedia.org].
Re:Here they come... (Score:2, Interesting)
Mod parent up (Score:4, Interesting)
Re:Microsoft technology? Really? (Score:4, Interesting)
Shouldn't you be flattered that MS recognized how useful this was and incorporated it into their own OS? The whole point of open source is that anyone is free to adopt its innovations, after all.
And seriously, "M$"? Is anyone still using that in 2009?
Re:It will cost them at some point (Score:5, Interesting)
As a longtime Mac user, I completely agree with you. I have long thought Apple did not take security seriously or at least did not devote the resources they should on security matters. Worse, I absolutely do not want to go through a decade of painful and annoying security problems (like the Windows users went through) before Apple begins to put real effort into security.
To be fair, Apple have focused much more on the user-facing side of the security problem. There's just much less likelihood of a user installing something bad by accident. Deliberate badness is a problem (always) but by reducing the problem with accidents, real on-the-ground disasters are lessened. (It helps that Mac applications are really directories, and so aren't quite as simple to start from some website by accident, and their filesystem-level metadata that marks downloaded things with where they came from also makes a difference.) Which isn't to say that the other techniques are a bad idea; defense-in-depth is the watchword. But true high-quality security solutions need to address many levels of problems, including both system-level ones and user-facing ones.
Oh... one last thing: Wasn't OpenBSD doing this long before windows?
I believe so. It sounds like the sort of thing they'd do...
Re:Not at All "Perfected" (Score:4, Interesting)
opted out non ASLR code .. :o (Score:3, Interesting)
An interesting hypothesis. Why would they put opted-out non-DEP and non-ASLR code in IE8? And do you have any verifiable third-party citations for the above? Wouldn't a more likely explanation be that MS fixed the vulnerability after the fact?
Re:Let's not let facts get in our way (Score:4, Interesting)
a: compared to its Unix brethren, Windows still requires administrative privileges for a LOT of common things
b: Microsoft's reliance on proprietary protocols, many of which have a lot of known and probably even more unknown vulnerabilities.
c: security policy on Windows has about 0 coherency, making it really hard to properly secure Windows and really easy to accidentally miss something/screw something up. Windows security policies are all over the place, in the registry editor, in the Windows Security Center, in the user/computer policy app (which at least as of XP wasn't searchable, so if you were looking for something and you didn't know EXACTLY where to find it you end up having to look through every single freaking policy). What's worse is that Windows freely mixes client and server policies, even when the machine isn't a server! Most users get so frustrated and just leave everything open.
I tried to recently secure a Windows XP box after coming from a background of Unix (including OS X) and Linux, and I just could not believe how insanely obfuscated Microsoft made everything. What is insanely simple to do in the Unix world takes massive effort to even attempt in the Windows world, if it will even work at all.
I swear Microsoft makes a lot of this stuff pointlessly complicated just so they can persuade more people to take the MCSE exams.
Re:It doesnt matter... (Score:5, Interesting)
Let's assume the Mac share is around the same as Linux, both close to 10% which I think ain't too far off. An attacker can plan an attack on something they're guaranteed exists because it comes out the factory that way on every model, identical, with a slow acting vendor so the window stays open for a while.....or they can plan an attack on a fast moving target that may only affect 30% of machines, and the window of opportunity will be gone within a day of it being noticed.
Both Mac and Linux users tend not to run any protection software like Windows users NEED just to have their system stay alive till lunchtime, so any infection if successful will likely go unnoticed. Both Mac and Linux users often feel their systems are immune. In the case of Mac users, the people who can afford Macs have money (or at least HAD money before they bought their Mac) so combined with a blind spot for self protection they should be a ripe juicy target. Yet, apart from the odd story like this one which is self inflicted by Apple, it's still rare.
OSX is UNIX, which is a HUGE advantage over Windows, but the closed Apple monoculture prevents it from being used to its fullest.
Re:Let's not let facts get in our way (Score:4, Interesting)
> compared to its Unix brethren, Windows still requires administrative privileges for a LOT of common things
I'd say this is the one part of Windows MS has been improving. Running as limited user, runas, etc. in Vista (especially SP2) and 7 is light-years ahead of what it was in XP or 2000. Developers are pretty much being told to write software correctly or it just won't run in Vista/7. This is a sea change in how things are done in the Windows world and even today a lot of users without legacy cruft to support run without much hassle from the UAC. Eventually those old pieces of software causing these issues (let's write to c:\temp why not?) will be retired in favor of compliant newer versions.
Re:This article sucks (Score:3, Interesting)
If you are trying to get as much money as possible which would you do:
A) Write a program to get control of 90%+ of computers in the world
B) Write a program to get control of 3-5% of the computers in the world
Why would people trying to make money even go after the smaller amount of computers? Plus a lot of people hate Microsoft. Any company that is against Microsoft they will leave alone.
By the way, if OSX is so secure why am I rebuilding OSX machines at work since those machines are actively attacking other machines in the network? The user is not a hacker or programmer. OSX has exploits. The easiest way to get them installed is to prompt the OSX user to enter in their password. Which is exactly how these OSX machines got hacked. The user just went to a website, the prompt popped up to enter in their OSX password. The users just entered in their password since "OSX has no viruses, OSX is safe". That way of thinking has to stop.
Re:Surely this is only of any use to a hacker if . (Score:2, Interesting)
Executing code on the stack is prevented by the NX bit, it has nothing to do with address space layout. What it does prevent would be something like return to libc attacks and other nice things.
Re:OS X Security Reporting (Score:3, Interesting)
There are a few significant differences in the "modern" runtime library introduced with Mac OS X 10.5. I believe they've put some effort into making applications running against the modern runtime more resistant to runtime changes.
But there's a catch: The modern runtime is not binary compatible with applications built to the old runtime. That's no problem for 64-bit apps, where there was nothing compiled against the classic runtime. (10.4 didn't support any 64-bit processes at all, and even the limited hybrid 64-bit processes available built for 10.5 linked to the new runtime.) Apple could have provided the modern runtime to 32-bit apps built specifically to it, a fifth flavor of universal app. But Apple chose to provide the classic runtime to 32-bit apps, and the modern one to 64-bit apps.
I suspect as long as Mac OS X has to run apps linked to the old runtime, Apple is limited in what they can do under the application. 10.7 will probably drop Rosetta and not be supported on systems with 32-bit processors. But I suspect it will still offer *optional* 32-bit Intel compatibility, which means supporting that classic runtime somehow. 10.8 will finally drop 32-bit Intel, leaving the Mac with only the modern runtime. That's when we'll see interesting stuff start being added.
That's probably 4-5 years away, though.
Apple's used the 64-bit transition as an excuse for other things, too. For instance, the 64-bit System Preferences runs preference panel plugins in a garbage collected environment.
So I don't think Apple wants developers to stop shipping fat binaries as much as they want developers to start making their code use the new runtime features. I think Mac OS X is going to get very interesting when the need to run apps linked against the classic runtime goes away.