
Snow Leopard Missed a Security Opportunity

Posted by kdawson
from the where-did-you-put-it-what-you-know-where-do-you-think-oh dept.
CWmike writes "Apple missed a golden opportunity to lock down Snow Leopard when it again failed to implement fully a security technology that Microsoft perfected nearly three years ago in Windows Vista, noted Mac researcher Charlie Miller said today. Dubbed ASLR, for address space layout randomization, the technology randomly assigns data to memory to make it tougher for attackers to determine the location of critical operating system functions, and thus makes it harder for them to craft reliable exploits. 'Apple didn't change anything,' said Miller, of Independent Security Evaluators, the co-author of The Mac Hacker's Handbook, and winner of two consecutive 'Pwn2own' hacker contests. 'It's the exact same ASLR as in Leopard, which means it's not very good.'"
  • by Ontheotherhand (796949) on Wednesday September 16, 2009 @08:31AM (#29438459)
    Yeah, but it doesn't matter. Everyone knows that Apples are immune to viruses and malware. And they look better than ordinary PCs.
    • They're just as immune as Linux is.

      • by AnalPerfume (1356177) on Wednesday September 16, 2009 @09:46AM (#29439311)
        Actually no, they're not. Every Mac has a set list of apps, with a set list of libraries etc. It's a monoculture. Not to mention the fact that Apple are insane about secrecy, so Mac users often don't know if there's a vulnerability even reported to Apple, let alone if Apple are doing anything about it, or when it's due if they are. Notice the common theme of "being subservient to Apple's whims". With Linux anyone can submit the fix, which will then be adopted as needed by all the different distros, and within a couple of days at most it's fixed. Also, because Linux is so varied, an exploit or vulnerability found on one distro often may not affect another, or may not affect a different DE or WM.

        Let's assume the Mac share is around the same as Linux, both close to 10% which I think ain't too far off. An attacker can plan an attack on something they're guaranteed exists because it comes out of the factory that way on every model, identical, with a slow-acting vendor so the window stays open for a while... or they can plan an attack on a fast moving target that may only affect 30% of machines, and the window of opportunity will be gone within a day of it being noticed.

        Both Mac and Linux users tend not to run any protection software like Windows users NEED just to have their system stay alive till lunchtime, so any infection if successful will likely go unnoticed. Both Mac and Linux users often feel their systems are immune. In the case of Mac users, the people who can afford Macs have money (or at least HAD money before they bought their Mac) so combined with a blind spot for self protection they should be a ripe juicy target. Yet, apart from the odd story like this one which is self inflicted by Apple, it's still rare.

        OSX is UNIX, which is a HUGE advantage over Windows, but the closed Apple monoculture prevents it from being used to its fullest.
        • Re: (Score:2, Insightful)

          by jellomizer (103300)

          Most Linux distributions seem to run a good set of Core Applications that are relatively common across the distributions, and many ways a lot of tiny security holes that are not always designed for full security and expecting the security to happen the next level up but they don't necessarily know who that is and what exactly it does as in theory it could be different. So when there is a glitch there is a bunch of finger pointing as there is no mono-culture who is interested in making the overall product b

          • I blame the admins there. If they aren't paying attention to vulnerabilities in their server packages, they're shitty admins. Windows servers are the same way. No admin worth the title runs AU on a production server, and they take just as long to patch their servers.

            Not an OS problem, but a shitty admin problem.

          • by cerberusss (660701) on Wednesday September 16, 2009 @11:38AM (#29440905) Homepage Journal

            A big post full of ifs and coulds. But I guess because of the size, it's modded up.

            So when there is a glitch there is a bunch of finger pointing as there is no mono-culture who is interested in making the overall product better but just one piece of it.

            RedHat, Canonical, SuSe, Debian, et cetera have not written all software that make up that distribution, however, their core reason for existing is that they take responsibility for the overall picture.

            So often the security fix doesn't fix the core issue just a stop gap somewhere in the line.

            Care to give examples?

            And if that module was replaced with another then it could happen all over again.

            Just like other platforms.

            You'll have to do a lot better than that.

  • by Chrisq (894406) on Wednesday September 16, 2009 @08:31AM (#29438463)
    Surely this is only of any use to a hacker if they manage to run in "ring zero" anyway. Otherwise wouldn't normal page protection stop them? Am I missing something?
    • by Anonymous Coward on Wednesday September 16, 2009 @08:48AM (#29438629)

      ASLR makes executing code on the stack quite a bit more difficult, regardless of what privileges the program being exploited may have. It also makes calling library functions and pretty much anything in RAM far more difficult for a hacker. Page protection doesn't protect against these attacks per se.

  • This article sucks (Score:2, Interesting)

    by datapharmer (1099455)
    This article reads like a PR release for Vista a couple years late:

    Even so, Miller said, Apple made several moves that did improve Mac OS X 10.6's security. Two that stand out, he said, were its revamp of QuickTime and additions to DEP (data execution prevention), another security feature used in Windows Vista.

    DEP has been around for a long time and has been in XP since at least SP2.

    "[the quicktime rewrite] was really smart, since it's been the source of lots of bugs in the past."

    bugs != security failure (although they can cause one... the bad math issues in excel 2007 aren't particularly exploitable, just annoying)

    • by T Murphy (1054674) on Wednesday September 16, 2009 @09:00AM (#29438721) Journal
      To be most objective they have to compare to the newest commercially available Windows version, so they just refer to what Vista has without implying whether it started in Vista or not. If anything, adding "Windows had this feature since XP" would sound more of a MS bias than "Vista has this feature".
    • by drinkypoo (153816)

      DEP has been around for a long time and has been in XP since at least SP2.

      DEP was recently improved, which is shown by the text you C&P. Fail.

      It is a simple fact that Vista/Windows 7 has the best implementation of ASLR in the desktop market today. Linux's is not as good, and OSX's isn't even close. The other lesson you can take away from this is that OSX really does get attacked less than Windows due to market share, because OSX is easy to own! Oh wait, there's one more: Apple either doesn't think it is a problem, or requires more than two years to address an important securi

      • It is a simple fact that Vista/Windows 7 has the best implementation of ASLR in the desktop market today. Linux's is not as good

        The default ASLR is not as good, but with the Linux kernel you can add PaX or Exec Shield. Neither Windows nor OSX has such expandability.

        http://en.wikipedia.org/wiki/Address_space_layout_randomization#History [wikipedia.org]

  • Two week old "news" (Score:5, Informative)

    by Anonymous Coward on Wednesday September 16, 2009 @08:34AM (#29438489)

    The summary alleges Miller said it "today". Except he didn't.

    The article linked to is dated September 14, which means he allegedly said it 2 days ago. Except he didn't.

    He actually said it *two weeks ago* on August 29th. [theregister.co.uk]

    Wake up, editors!

  • by necro81 (917438) on Wednesday September 16, 2009 @08:35AM (#29438495) Journal
    FTFA:

    Miller said. "Snow Leopard's more secure than Leopard, but it's not as secure as Vista or Windows 7," he said. "When Apple has both [in place], that's when I'll stop complaining about Apple's security."

    Call me a cynic, but I somehow think he, and everyone else that looks at OS security, will still find things to complain about. The tech blog and journalism industry depends on it!

    • by Animaether (411575) on Wednesday September 16, 2009 @09:39AM (#29439221) Journal

      Call me a cynic, but I somehow think he, and everyone else that looks at OS security, will still find things to complain about.

      Isn't that human nature? Well, some humans' nature, anyway?

      Such as...
      >> Gates foundation to donate $2.5B to cancer research
      > BOO! HISS! HE'S JUST USING IT AS A TAX WRITE-OFF AND AS INDIRECT GOOD-WILL FORMING PR FOR M$!!!!!

      *shrug*

      If, in the end, it makes OS X an even better operating system, then I say to the tech blog and journalism industry: complain on.

  • Security researchers and various crackers have been saying for a few years now that OS X hasn't implemented a lot of security features that even Windows has. Each release, OS X gets a little better, but they are relying mainly on people wanting to break Windows more than OS X.

    With snow leopard, they had the perfect opportunity to make a release that focused on performance and security over bells and whistles. It's modestly faster on my MacBook Pro, and I think most users would have gladly paid under $30 for

    • by bhima (46039) * <Bhima.PandavaNO@SPAMgmail.com> on Wednesday September 16, 2009 @09:01AM (#29438733) Journal

      As a long time Mac user, I completely agree with you. I have long thought Apple did not take security seriously or at least did not devote the resources they should on security matters. Worse, I absolutely do not want to go through a decade of painful and annoying security problems (like the Windows users went through) before Apple begins to put real effort into security.

      On Snow Leopard, I've told everyone in my family to ignore Snow Leopard until some convenient time after Christmas or so. There's not much in it for regular users and I am not aware of a single application that really leverages the new technology found in Snow Leopard... so there's no rush upgrading.

      Oh... one last thing: Wasn't OpenBSD doing this long before windows?

      • by dkf (304284) <donal.k.fellows@manchester.ac.uk> on Wednesday September 16, 2009 @09:22AM (#29438981) Homepage

        As a long time Mac user, I completely agree with you. I have long thought Apple did not take security seriously or at least did not devote the resources they should on security matters. Worse, I absolutely do not want to go through a decade of painful and annoying security problems (like the Windows users went through) before Apple begins to put real effort into security.

        To be fair, Apple have focused much more on the user-facing side of the security problem. There's just much less likelihood of a user installing something bad by accident. Deliberate badness is a problem (always) but by reducing the problem with accidents, real on-the-ground disasters are lessened. (It helps that Mac applications are really directories, and so aren't quite as simple to start from some website by accident, and their filesystem-level metadata that marks downloaded things with where they came from also makes a difference.) Which isn't to say that the other techniques are a bad idea; defense-in-depth is the watchword. But true high-quality security solutions need to address many levels of problems, including both system-level ones and user-facing ones.

        Oh... one last thing: Wasn't OpenBSD doing this long before windows?

        I believe so. It sounds like the sort of thing they'd do...

      • Re: (Score:3, Insightful)

        I have long thought Apple did not take security seriously or at least did not devote the resources they should on security matters.

        There are several parts to this that are interesting. Is Apple slacking off on implementing new security, or are users like you just not learning about the security improvements Apple has made? Do you remember hearing about when Apple's sandboxing made them just about the only vendor to not be vulnerable to a local service exploit a few years back? Have you ever seen a mainstream article mentioning Apple uses sandboxing?

        That said, at least some of Apple obviously pays no attention to security, but that's no

    • Re: (Score:3, Insightful)

      by Tom (822)

      Security researchers and various crackers have been saying for a few years now that OS X hasn't implemented a lot of security features that even Windows has.

      I largely tend to think of it as "security buzzwords that even Windows has".

      There's a lot of them in the newer releases. But the overall question we have to ask is whether or not it makes the system more secure. When your machine gets owned, you couldn't care less for the checklist of buzzwordy "security" features that just got bypassed. Your security was compromised, end of story.

      OS X has less of them. Check.
      OS X also doesn't have many of what I'd call necessary things (MAC, RBAC to name just a few. MLS if

    • Well that depends on whether the average mac user is richer and buying a proportionally more expensive machine, or starts out the same as your average PC user and just ends up poorer after the transaction...

  • The article asks why they didn't do ASLR, especially since Snow Leopard is touted as a "performance and reliability" update...
    Since when does ASLR improve performance or reliability? If anything, it would decrease performance and could cause compatibility issues with some badly written code (and exploits) and thus decrease reliability too...

    Also, the article talks about Windows but doesn't mention that Linux had DEP and ASLR long before Windows did, and still has a far more complete implementation.

  • by Doc Ruby (173196) on Wednesday September 16, 2009 @09:07AM (#29438795) Homepage Journal

    technology that Microsoft perfected nearly three years ago

    If there's a phrase that should trigger skepticism, that's it. ASLR isn't "perfect", and has been reported (and confirmed) exploited [dslreports.com] as recently as 7 months ago:

    March 24, 2009 -

            Internet Explorer 8 "critical" flaw in final version

            Microsoft confirmed that the vulnerability exists in the official release, said Terri Forslof, a researcher at TippingPoint, which sponsored the Pwn2Own contest that challenged competitors to find bugs in either web browsers or mobile devices

            "This is a single-click-and-you're-owned exploit," she told SCMagazineUS.com on Tuesday. "You click a link in an email or simply browse to a website, and your machine is compromised. This meets Microsoft's 'critical' bar [in its vulnerabilities and rating system]."

            The exploit apparently defies Microsoft's DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization) technologies -- two features added to IE8 to prevent memory corruption vulnerabilities.

            "Once the browser was compromised, we handed over the exploit to Microsoft immediately, on site," Forslof said. "They went back and reproduced it and called to verify that the vulnerability was present. We retested again on the released version of IE8 that went live on the following morning and verified that the vulnerability was in it as well."

    • by vistapwns (1103935) on Wednesday September 16, 2009 @09:24AM (#29439005)
      That exploit took advantage of code MS left in the beta version of IE8 that opted out of DEP and ASLR, the RTM IE8 disables that code on the internet zone, and it can be disabled on the intranet zone as well, so it's not much of an issue in the RTM IE8.
      • "That exploit took advantage of code MS left in the beta version of IE8 that opted out of DEP and ASLR, the RTM IE8 disables that code on the internet zone, and it can be disabled on the intranet zone as well, so it's not much of an issue in the RTM IE8"

        An interesting hypothesis. Why would they put opted-out non-DEP and non-ASLR code in IE8? And do you have any verifiable third party citations for the above? Wouldn't a more likely explanation be that MS fixed the vulnerability after the fact?
        • Why would they put opted-out non-DEP and non-ASLR code in IE8?

          If the "Internet" zone uses DEP and ASLR but the "Local intranet" zone opts out, that's probably designed to keep ActiveX-based intranet sites working.

  • by jellomizer (103300) on Wednesday September 16, 2009 @09:10AM (#29438829)

    address space layout randomization
    I thought this was a feature in OS X 10.5? Was it not implemented, or just not implemented as well as other OSes'?
    I remember hearing about it as a feature for 10.5.

    • Re: (Score:2, Informative)

      by FelxH (1416581)

      address space layout randomization I thought this was a feature in OS X 10.5? Was it not implemented, or just not implemented as well as other OSes'? I remember hearing about it as a feature for 10.5.

      From TFA:

      Two years ago, Miller and other researchers criticized Apple for releasing Mac OS X 10.5, aka Leopard, with half-baked ASLR that failed to randomize important components of the OS, including the heap, the stack and the dynamic linker, the part of Leopard that links multiple shared libraries for an executable.
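
The quoted passage says Leopard's ASLR left the heap, stack and dynamic linker at fixed addresses. What follows is an added example, not code from this thread, from Apple, or from Miller's paper: a small Python check that compares a process's memory map across several launches and reports which region kinds actually move and how many address bits were seen to vary. It parses the Linux /proc/<pid>/maps format (on a Mac you would feed it vmmap output, which needs a different parser); where that file exists it launches a fresh interpreter a few times to measure the live system, otherwise it falls back to constructed snapshots that mirror the Leopard situation. The region names, the `/dyld` path test and the SAMPLE_SNAPSHOTS data are assumptions of this example.

```python
"""Check which memory regions actually move between process launches.

Added example; not code from the Slashdot thread, from Apple, or from
Charlie Miller's paper. It parses Linux /proc/<pid>/maps lines (macOS vmmap
output has a different layout) and reports, for each region kind the thread
argues about, whether its base address changed across runs and how many
address bits were seen to vary. The sample snapshots are constructed to
mirror the Leopard situation: shared libraries move, but the heap, stack
and dynamic linker come up at the same addresses every time.
"""
import os
import re
import subprocess
import sys
from collections import defaultdict

# address range, perms, offset, dev, inode, optional pathname
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>\S+)\s+\S+\s+\S+\s+\S+\s*(?P<path>.*)$"
)


def classify(path):
    """Map a maps pathname onto the region kinds discussed in the thread."""
    if path == "[heap]":
        return "heap"
    if path.startswith("[stack"):
        return "stack"
    if "/ld-" in path or "/dyld" in path:   # glibc ld.so; "/dyld" is an assumed Mac-style name
        return "dynamic linker"
    if path.endswith(".so") or ".so." in path or path.endswith(".dylib"):
        return "library"
    if path.startswith("/"):                # any other file-backed mapping (the executable here)
        return "binary"
    return None                             # anonymous, [vdso], [vvar], ...


def parse_maps(text):
    """Return {kind: lowest start address} for one process snapshot."""
    bases = {}
    for line in text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if not m:
            continue
        kind = classify(m.group("path").strip())
        if kind is None:
            continue
        start = int(m.group("start"), 16)
        bases[kind] = min(bases.get(kind, start), start)
    return bases


def assess(snapshots):
    """Compare snapshots; return {kind: (randomized, distinct_bases, varying_bits)}.

    varying_bits counts bit positions that were not constant across the runs,
    an observed lower bound on the entropy of that region's base address.
    """
    seen = defaultdict(set)
    for snap in snapshots:
        for kind, base in parse_maps(snap).items():
            seen[kind].add(base)
    report = {}
    for kind, bases in seen.items():
        first = next(iter(bases))
        mask = 0
        for b in bases:
            mask |= b ^ first               # a set bit means that bit differed in some run
        report[kind] = (len(bases) > 1, len(bases), bin(mask).count("1"))
    return report


def collect_live(runs=5):
    """Launch a fresh interpreter `runs` times and read each one's own maps (Linux only)."""
    snaps = []
    for _ in range(runs):
        proc = subprocess.run(
            [sys.executable, "-c", "print(open('/proc/self/maps').read())"],
            capture_output=True, text=True, check=True,
        )
        snaps.append(proc.stdout)
    return snaps


# Constructed snapshots: only the library base changes between launches.
SAMPLE_SNAPSHOTS = [
    """\
00001000-00002000 r-xp 00000000 08:01 1234 /usr/local/bin/example
00100000-00121000 rw-p 00000000 00:00 0 [heap]
{lib}-{libend} r-xp 00000000 08:01 5678 /lib/libc.so.6
7f0000000000-7f0000020000 r-xp 00000000 08:01 9101 /lib/ld-linux.so.2
7ffff0000000-7ffff0021000 rw-p 00000000 00:00 0 [stack]
""".format(lib=lib, libend=libend)
    for lib, libend in [("7f3a10000000", "7f3a10200000"),
                        ("7f9c40000000", "7f9c40200000"),
                        ("7fd100000000", "7fd100200000")]
]

if __name__ == "__main__":
    snaps = collect_live() if os.path.exists("/proc/self/maps") else SAMPLE_SNAPSHOTS
    for kind, (randomized, n, bits) in sorted(assess(snaps).items()):
        print(f"{kind:15} randomized={randomized!s:5} distinct={n} varying_bits={bits}")
```

On the constructed data only the library line reports randomized=True; a heap, stack or dynamic linker that reports a single distinct base across every launch is exactly the gap the quoted passage describes, and a region that moves but shows only a handful of varying bits is one an attacker could still guess.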

  • So they're at least using some ASLR, which they can patch for later, and they got Snow Leopard out the door earlier rather than later.

    If you're running your business on OSX Server, you didn't immediately go upgrade anyways, so where's the harm, other than early adopters claiming their ASLR isn't as cool as it could be?

  • Snow Leopard does actually improve on Leopard's security. I can't even get processes that run as admin to save files to world-writeable locations anymore.

    Sandboxd reports a "deny file-write*".

    Fecked if I can get it to work.

  • Silly ASLR (Score:3, Informative)

    by Ancient_Hacker (751168) on Wednesday September 16, 2009 @09:38AM (#29439203)

    ASLR is sorta like moving the location of the barn door, while keeping it wide open.

        Hint: The cows can still get out.

    Perhaps the guys at Apple realize this and give ASLR a low priority for implementation.

    Even so, adding ASLR to the Apple OS is something they could do with relative ease -- change the kernel and user-space malloc()s to be less predictable, munge the call stacks to be less predictable, etc., etc. -- mostly stuff that can be done with 50 lines of code here and there and not too many other places.

    But again, it would be much more efficient to put that effort into closing any open barn doors, rather than painting the open gateways in random colors. Every five seconds.

    • Even so, adding ASLR to the Apple OS is something they could do with relative ease...

      ...And is something they did years ago. The issue being discussed here is Apple did not use ASLR to randomize the dynamic loader, which is a significant and juicy target. Applying it to the dynamic loader, however, is a nontrivial task.

    • Re: (Score:3, Informative)

      ASLR is sorta like moving the location of the barn door, while keeping it wide open.

      Yes, which is why you keep the door closed. The point of ASLR is to provide some extra degree of protection in case someone accidentally forgets to close the door. Since it happens every now and then anyway (and, yes, in OS X too), it makes sense to have some additional protection.

      Also, you rather underestimate the effect of ASLR. It makes reusable fire-and-forget exploits of buffer overruns (which are the single most common source of security issues) extremely difficult to write.

      • Re: (Score:3, Insightful)

        by weicco (645927)

        And another thing. To my understanding, one purpose of ASLR is that when there's an exploitable buffer overrun and it is exploited to call some system function, the process goes KAB0000M! Now if you have a couple of hundred of these kabooms in your log files you probably start to suspect that something fishy is going on.

        Without ASLR your box gets exploited and you get nothing in the log file.
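
An added example, not code from weicco or anyone else in the thread, of the detection the comment above points at: a Python scan over syslog-style Linux kernel segfault lines that alerts when one program faults repeatedly inside a short window, and notes whether the faulting instruction pointer varies between crashes (repeated attempts against a randomized layout tend to die at a different address each time; an ordinary bug usually dies at the same one). The log lines, host and program names, and the thresholds are constructed for this example; a macOS CrashReporter log would need a different parser.

```python
"""Turn the crash pattern ASLR produces into a detection.

Added example; not code from the thread's posters. When an exploit's guessed
addresses are wrong, the victim process dies instead of running attacker
code and the kernel logs a segfault. This scans syslog-style Linux kernel
segfault lines (constructed below) and alerts when one program faults
repeatedly inside a short window, recording whether the faulting
instruction pointer changed between crashes.
"""
import re
from collections import defaultdict
from datetime import datetime

SEGFAULT = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: "
    r"(?:\[\s*[\d.]+\] )?(?P<prog>[\w.+-]+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>\d+)"
)


def parse_segfaults(lines):
    """Return (timestamp, program, pid, instruction pointer) for every segfault line."""
    events = []
    for line in lines:
        m = SEGFAULT.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")   # syslog carries no year
        events.append((ts, m.group("prog"), int(m.group("pid")), int(m.group("ip"), 16)))
    return events


def find_crash_bursts(lines, threshold=5, window_seconds=300):
    """One alert per program that segfaulted `threshold` or more times within `window_seconds`."""
    by_prog = defaultdict(list)
    for ts, prog, pid, ip in parse_segfaults(lines):
        by_prog[prog].append((ts, pid, ip))
    alerts = []
    for prog, evs in sorted(by_prog.items()):
        evs.sort()
        best, j = None, 0
        for i in range(len(evs)):                      # sliding window over sorted crash times
            while j < len(evs) and (evs[j][0] - evs[i][0]).total_seconds() <= window_seconds:
                j += 1
            window = evs[i:j]
            if len(window) >= threshold and (best is None or len(window) > len(best)):
                best = window
        if best is None:
            continue
        ips = {e[2] for e in best}
        alerts.append({
            "program": prog,
            "crashes": len(best),
            "distinct_pids": len({e[1] for e in best}),
            "distinct_ips": len(ips),
            "first": best[0][0].strftime("%b %d %H:%M:%S"),
            "last": best[-1][0].strftime("%b %d %H:%M:%S"),
            # varying fault addresses fit probing of a randomized layout; one fixed address fits a plain bug
            "pattern": "varying fault addresses" if len(ips) > 1 else "same fault address",
        })
    return alerts


# Constructed log: six httpd workers die at different addresses in 40 seconds, plus noise.
SAMPLE_LOG = """\
Sep 16 09:38:01 web01 kernel: [ 8123.441] httpd[4101]: segfault at 7f3a10c01b2c ip 00007f3a10c01b2c sp 00007fff2a10e1d0 error 4 in libc.so.6[7f3a10b00000+16a000]
Sep 16 09:38:09 web01 kernel: [ 8131.902] httpd[4102]: segfault at 7f9c40d01b2c ip 00007f9c40d01b2c sp 00007fff2a10e1d0 error 4 in libc.so.6[7f9c40c00000+16a000]
Sep 16 09:38:17 web01 kernel: [ 8139.318] httpd[4103]: segfault at 7fd100e01b2c ip 00007fd100e01b2c sp 00007fff2a10e1d0 error 4 in libc.so.6[7fd100d00000+16a000]
Sep 16 09:38:26 web01 kernel: [ 8148.077] httpd[4104]: segfault at 7f1b22f01b2c ip 00007f1b22f01b2c sp 00007fff2a10e1d0 error 4 in libc.so.6[7f1b22e00000+16a000]
Sep 16 09:38:34 web01 kernel: [ 8156.540] httpd[4105]: segfault at 7fe07a001b2c ip 00007fe07a001b2c sp 00007fff2a10e1d0 error 4 in libc.so.6[7fe079f00000+16a000]
Sep 16 09:38:41 web01 kernel: [ 8163.115] httpd[4106]: segfault at 7f55c1101b2c ip 00007f55c1101b2c sp 00007fff2a10e1d0 error 4 in libc.so.6[7f55c1000000+16a000]
Sep 16 09:39:00 web01 sshd[1000]: Accepted publickey for deploy from 10.0.0.5 port 51234 ssh2
Sep 16 11:02:13 web01 kernel: [13175.660] gedit[2210]: segfault at 0 ip 0000000000401234 sp 00007ffc11223344 error 6 in gedit[400000+1000]
"""

if __name__ == "__main__":
    for alert in find_crash_bursts(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the sample the single gedit crash stays below the threshold while httpd produces one alert covering six crashes with six distinct fault addresses, the kabooms the comment describes; without ASLR the same attempts would have landed on the first try and left no such trail.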

  • by viralMeme (1461143) on Wednesday September 16, 2009 @09:42AM (#29439269)
    "Apple .. failed to implement fully a security technology that Microsoft perfected nearly three years ago in Windows Vista"

    Address space layout randomization is a technique to randomize memory addresses of the base of the code, stack, heap, and libraries. First used by PaX and OpenBSD [laconicsecurity.com]
    • The parent's article goes into more detail and even points out other features. This seems to be the source of the other article, and it also looks like the other article cherry picked the results: rather than mentioning the four sections of software improvements, the Computerworld article focused on the one area of disappointment. Oh well, what is journalism without a little baiting to improve ratings?
  • by 99BottlesOfBeerInMyF (813746) on Wednesday September 16, 2009 @10:06AM (#29439623)

    I always find articles about OS X security, especially in discussion, painful. First you either have a security expert writing and being translated by a fairly clueless reporter, or you have a clueless reporter writing. In the former case what makes a good article and gets press is usually a security person pointing out weaknesses or flaws in OS X. After all, saying OS X still doesn't have much risk of malware for the average user is like reporting that most GM cars still use gas. It's old info and not news. The other type of article that gets picked up are soft articles about how cool OS X is and how it can't get malware, written for the 90% of the populace that has never used it, but from an uninformed perspective.

    Inevitably when either kind of story goes up on Slashdot we see tons of people who know little or nothing about what security is actually implemented in OS X, spouting off one way or the other, usually emotionally defending their favorite OS.

    So in this case we have a fairly knowledgeable security expert talking about security in OS X. His sentence about ASLR begins, "One major disappointment in the midst of all these security enhancements..." Based upon what reporters have made of his paper, do any of you know what those security enhancements are? Contrast the expert's conclusion:

    While the only true test of security is how effective it is in the real world, on paper it looks like life is now at least a little harder for any potential Mac attackers.

    With the title of the article linked to:

    Apple missed security boat with Snow Leopard, says researcher

    That's not to say the article is a filthy lie. It is completely true. Apple did miss the opportunity to improve ASLR for the heap. That's very true and important and disappointing. It's also the only OS X security news most people will hear and that, is misleading. It's not the writer's fault either, they're just writing what's interesting and "news". Writing an article on how Apple's security got moderately better in a number of ways and Macs are still unlikely to have many serious or widespread malware problems going forward for a few years, is not news.

    And Apple is not blameless about what press reaches the public either. Apple is pretty quiet about security features in OS X because they don't like to bring up the topic for the general public, except in very generic ways. Their plan seems to be "tell users the security is cool and good and make sure they know they're unlikely to get viruses, but don't confuse them with details. Experts can read the whitepapers." This leaves out the whole middle portion of the spectrum, not security experts but not completely clueless either.

    It would be nice to have meaningful discussion on some of the OS X security features, but that might be too much to hope for. What do people think about the sandboxing approach, and has anyone noticed any particularly surprising sandboxed services in Leopard? The mixed 32-64 bit thing seems like an interesting choice, with 64 bit application development now motivated by artificially restricting access to some new APIs. Since a lot of the security improvements are tied to 64 bit applications and/or 64 bit processors, do people feel this was an attempt to direct developers for security reasons or just to speed the transition for other reasons? What do people think of the other heap protection checksums and protections for 64 bit kernels? Will we transition to 64 bit fast enough so that they will be useful? How about the application signing being tied to the application level firewall? It seems like Apple could have made that a default and really motivated developers to use it, but decided to go in baby steps instead. And why in the world has Apple not created a proper application and update manager that extends to third parties? That seems like a no-brainer from a security and usability perspective.

  • I read somewhere that OSX had ASLR, but only for the PowerPC, not for x86. I can't remember if it was part of the PPC architecture or Apple just being lazy in porting ASLR. Can somebody point me to an article more about this (or explain more about what is so special about PPC)?

    • I read somewhere that OSX had ASLR, but only for the PowerPC

      This is incorrect. OS X uses ASLR on all chips. Some other security features dealing with memory only work using a 64 bit processor, kernel, or application or combination thereof.
