Snow Leopard Missed a Security Opportunity

Posted by kdawson
from the where-did-you-put-it-what-you-know-where-do-you-think-oh dept.
CWmike writes "Apple missed a golden opportunity to lock down Snow Leopard when it again failed to implement fully a security technology that Microsoft perfected nearly three years ago in Windows Vista, noted Mac researcher Charlie Miller said today. Dubbed ASLR, for address space layout randomization, the technology randomly assigns data to memory to make it tougher for attackers to determine the location of critical operating system functions, and thus makes it harder for them to craft reliable exploits. 'Apple didn't change anything,' said Miller, of Independent Security Evaluators, the co-author of The Mac Hacker's Handbook, and winner of two consecutive 'Pwn2own' hacker contests. 'It's the exact same ASLR as in Leopard, which means it's not very good.'"
  • This article sucks (Score:2, Interesting)

    by datapharmer (1099455) on Wednesday September 16, 2009 @08:32AM (#29438481) Homepage
    This article reads like a PR release for Vista a couple years late:

    Even so, Miller said, Apple made several moves that did improve Mac OS X 10.6's security. Two that stand out, he said, were its revamp of QuickTime and additions to DEP (data execution prevention), another security feature used in Windows Vista.

    DEP has been around for a long time and has been in XP since at least SP2.

    "[the quicktime rewrite] was really smart, since it's been the source of lots of bugs in the past."

    bugs != security failure (although they can cause one... the bad math issues in Excel 2007 aren't particularly exploitable, just annoying)

  • Again and again ... (Score:1, Interesting)

    by Anonymous Coward on Wednesday September 16, 2009 @08:34AM (#29438491)

    Could it be all these 'experts' are just a tiny little bit self serving? Anyway, every time I read a headline about an OSX exploit it turns out to be either a trojan or local (which is bad but not *that* bad afaik). Are there even any known remote ones? Not trying to troll here, maybe I'm just uninformed. Please enlighten me.

  • by rqqrtnb (753156) on Wednesday September 16, 2009 @08:35AM (#29438509)

    They make it sound like freakin' M$ invented the technology... it was in Linux long before, and other systems even before that! M$ is just using other people's ideas, as usual.

    See wiki:Address space layout randomization [wikipedia.org].

  • by MikeRT (947531) on Wednesday September 16, 2009 @08:47AM (#29438621) Homepage

    Security researchers and various crackers have been saying for a few years now that OS X hasn't implemented a lot of security features that even Windows has. Each release, OS X gets a little better, but they are relying mainly on people wanting to break Windows more than OS X.

    With Snow Leopard, they had the perfect opportunity to make a release that focused on performance and security over bells and whistles. It's modestly faster on my MacBook Pro, and I think most users would have gladly paid under $30 for an upgrade that just focuses on the internals to get more out of their system. Since most Macs cost at least $1100, $30 is nothing for an average Mac user.

  • Re:Here they come... (Score:2, Interesting)

    by Chrisq (894406) on Wednesday September 16, 2009 @08:50AM (#29438643)

    I don't even use a Mac, I just don't understand how you can exploit known addresses if the only writable addresses you see are private to your process. Of course you are going to explain the "big gaping security hole" to me.

  • Mod parent up (Score:4, Interesting)

    by shis-ka-bob (595298) on Wednesday September 16, 2009 @09:05AM (#29438767)

    The parent post's reference to OpenBSD seems spot on to me. See OpenBSD Security Features [wikipedia.org]. This uses a BSD license and is written for a BSD 4.4 derivative (just like OS X). Why doesn't Apple just adopt the OpenBSD mmap and just close this hole?

  • by elrous0 (869638) * on Wednesday September 16, 2009 @09:06AM (#29438777)

    Shouldn't you be flattered that MS recognized how useful this was and incorporated it into their own OS? The whole point of open source is that anyone is free to adopt its innovations, after all.

    And seriously, "M$"? Is anyone still using that in 2009?

  • by dkf (304284) <donal.k.fellows@manchester.ac.uk> on Wednesday September 16, 2009 @09:22AM (#29438981) Homepage

    As a long-time Mac user, I completely agree with you. I have long thought Apple did not take security seriously, or at least did not devote the resources they should on security matters. Worse, I absolutely do not want to go through a decade of painful and annoying security problems (like the Windows users went through) before Apple begins to put real effort into security.

    To be fair, Apple have focused much more on the user-facing side of the security problem. There's just much less likelihood of a user installing something bad by accident. Deliberate badness is a problem (always) but by reducing the problem with accidents, real on-the-ground disasters are lessened. (It helps that Mac applications are really directories, and so aren't quite as simple to start from some website by accident, and their filesystem-level metadata that marks downloaded things with where they came from also makes a difference.) Which isn't to say that the other techniques are a bad idea; defense-in-depth is the watchword. But true high-quality security solutions need to address many levels of problems, including both system-level ones and user-facing ones.

    Oh... one last thing: Wasn't OpenBSD doing this long before Windows?

    I believe so. It sounds like the sort of thing they'd do...

  • by vistapwns (1103935) on Wednesday September 16, 2009 @09:24AM (#29439005)

    That exploit took advantage of code MS left in the beta version of IE8 that opted out of DEP and ASLR, the RTM IE8 disables that code on the internet zone, and it can be disabled on the intranet zone as well, so it's not much of an issue in the RTM IE8.

  • by viralMeme (1461143) on Wednesday September 16, 2009 @09:36AM (#29439171)

    "That exploit took advantage of code MS left in the beta version of IE8 that opted out of DEP and ASLR, the RTM IE8 disables that code on the internet zone, and it can be disabled on the intranet zone as well, so it's not much of an issue in the RTM IE8"

    An interesting hypothesis. Why would they put opted-out non-DEP and non-ASLR code in IE8? And do you have any verifiable third-party citations for the above? Wouldn't a more likely explanation be that MS fixed the vulnerability after the fact?

  • by antifoidulus (807088) on Wednesday September 16, 2009 @09:39AM (#29439217) Homepage Journal

    The biggest security problems with Windows still remain, namely that:

    a: compared to its Unix brethren, Windows still requires administrative privileges for a LOT of common things

    b: Microsoft's reliance on proprietary protocols, many of which have a lot of known and probably even more unknown vulnerabilities.

    c: security policy on Windows has about 0 coherency, making it really hard to properly secure Windows and really easy to accidentally miss something/screw something up. Windows security policies are all over the place: in the registry editor, in the Windows Security Center, in the user/computer policy app (which at least as of XP wasn't searchable, so if you were looking for something and you didn't know EXACTLY where to find it you end up having to look through every single freaking policy). What's worse is that Windows freely mixes client and server policies, even when the machine isn't a server! Most users get so frustrated and just leave everything open.

    I recently tried to secure a Windows XP box after coming from a background of Unix (including OS X) and Linux, and I just could not believe how insanely obfuscated Microsoft made everything. What is insanely simple to do in the Unix world takes massive effort to even attempt in the Windows world, if it will even work at all.

    I swear Microsoft makes a lot of this stuff pointlessly complicated just so they can persuade more people to take the MCSE exams.
  • by AnalPerfume (1356177) on Wednesday September 16, 2009 @09:46AM (#29439311)

    Actually no, they're not. Every Mac has a set list of apps, with a set list of libraries etc. It's a monoculture. Not to mention the fact that Apple are insane about secrecy, so Mac users often don't know if there's a vulnerability even reported to Apple, let alone if Apple are doing anything about it, or when it's due if they are. Notice the common theme of "being subservient to Apple's whims". With Linux anyone can submit the fix, which will then be adopted as needed by all the different distros, and within a couple of days at most it's fixed. Also, because Linux is so varied, an exploit or vulnerability found on one distro often may not affect another, or may not affect a different DE or WM.

    Let's assume the Mac share is around the same as Linux, both close to 10%, which I think ain't too far off. An attacker can plan an attack on something they're guaranteed exists because it comes out of the factory that way on every model, identical, with a slow-acting vendor so the window stays open for a while... or they can plan an attack on a fast-moving target that may only affect 30% of machines, where the window of opportunity will be gone within a day of it being noticed.

    Both Mac and Linux users tend not to run any protection software like Windows users NEED just to have their system stay alive till lunchtime, so any infection, if successful, will likely go unnoticed. Both Mac and Linux users often feel their systems are immune. In the case of Mac users, the people who can afford Macs have money (or at least HAD money before they bought their Mac), so combined with a blind spot for self-protection they should be a ripe, juicy target. Yet, apart from the odd story like this one, which is self-inflicted by Apple, it's still rare.

    OS X is UNIX, which is a HUGE advantage over Windows, but the closed Apple monoculture prevents it from being used to its fullest.
  • by gad_zuki! (70830) on Wednesday September 16, 2009 @10:14AM (#29439745)

    >compared to its Unix brethren, Windows still requires administrative privileges for a LOT of common things

    I'd say this is the one part of Windows MS has been improving. Running as a limited user, runas, etc. in Vista (especially SP2) and 7 is light years ahead of what it was in XP or 2000. Developers are pretty much being told to write software correctly or it just won't run in Vista/7. This is a sea change in how things are done in the Windows world, and even today a lot of users without legacy cruft to support run without much hassle from the UAC. Eventually those old pieces of software causing these issues (let's write to c:\temp, why not?) will be retired in favor of compliant newer versions.

  • by BlackSnake112 (912158) on Wednesday September 16, 2009 @11:16AM (#29440583)

    If you are trying to get as much money as possible, which would you do:

    A) Write a program to get control of 90%+ of computers in the world

    B) Write a program to get control of 3-5% of the computers in the world

    Why would people trying to make money even go after the smaller number of computers? Plus a lot of people hate Microsoft. Any company that is against Microsoft they will leave alone.

    By the way, if OS X is so secure, why am I rebuilding OS X machines at work since those machines are actively attacking other machines on the network? The user is not a hacker or programmer. OS X has exploits. The easiest way to get them installed is to prompt the OS X user to enter their password. Which is exactly how these OS X machines got hacked. The user just went to a website, the prompt popped up to enter their OS X password. The users just entered their password since "OS X has no viruses, OS X is safe". That way of thinking has to stop.

  • by lordholm (649770) on Wednesday September 16, 2009 @11:37AM (#29440883) Homepage

    Executing code on the stack is prevented by the NX bit, it has nothing to do with address space layout. What it does prevent would be something like return to libc attacks and other nice things.
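The two comments above (Chrisq's question about why known addresses matter, and lordholm's point that NX stops stack execution while ASLR is what frustrates return-to-libc) can be checked empirically. The following C program is an added example, not code from the thread: it re-executes itself a few times, samples one address each from the stack, heap, executable image and shared libc, and counts how many address bits actually change between runs. The `--child` flag and the function names are this example's own; a region that reports 0 varying bits is loaded at a fixed address and gives an attacker nothing to guess.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Count address bits that differ between runs: OR each sample's XOR against
 * the first, then count set bits. 0 means the region was never randomized. */
int varying_bits(const uintptr_t *samples, size_t n) {
    uintptr_t diff = 0;
    for (size_t i = 1; i < n; i++)
        diff |= samples[i] ^ samples[0];
    int bits = 0;
    for (; diff; diff >>= 1)
        bits += (int)(diff & 1);
    return bits;
}

/* Child mode: print one representative address per region, then exit. */
static void print_regions(void) {
    int stack_var;                       /* lives on the main thread's stack */
    void *heap_obj = malloc(16);         /* lives on the heap */
    printf("%lx %lx %lx %lx\n",
           (unsigned long)(uintptr_t)&stack_var,
           (unsigned long)(uintptr_t)heap_obj,
           (unsigned long)(uintptr_t)&print_regions,  /* executable image */
           (unsigned long)(uintptr_t)&printf);        /* shared C library */
    free(heap_obj);
}

int main(int argc, char **argv) {
    enum { RUNS = 8, REGIONS = 4 };
    static const char *names[REGIONS] = { "stack", "heap", "text", "libc" };
    if (argc > 1 && strcmp(argv[1], "--child") == 0) { print_regions(); return 0; }
    uintptr_t samples[REGIONS][RUNS];
    char cmd[512];
    snprintf(cmd, sizeof cmd, "\"%s\" --child", argv[0]);
    /* popen() exec()s a fresh process each time, so the kernel lays it out anew;
     * a plain fork() would inherit the parent's layout and show nothing. */
    for (int r = 0; r < RUNS; r++) {
        FILE *p = popen(cmd, "r");
        unsigned long a, b, c, d;
        if (!p || fscanf(p, "%lx %lx %lx %lx", &a, &b, &c, &d) != 4) return 1;
        pclose(p);
        samples[0][r] = a; samples[1][r] = b; samples[2][r] = c; samples[3][r] = d;
    }
    for (int i = 0; i < REGIONS; i++) {
        int bits = varying_bits(samples[i], RUNS);
        printf("%-5s: %2d address bits vary over %d runs%s\n", names[i], bits, RUNS,
               bits ? "" : "  <- fixed address, not randomized");
    }
    return 0;
}
```

Run it with a path in argv[0] (for example `./aslrcheck`) so the shell spawned by popen() can find the binary; build the text region as a position-independent executable if you want to see the executable image itself move.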

  • by Trillan (597339) on Wednesday September 16, 2009 @08:17PM (#29448575) Homepage Journal

    There are a few significant differences in the "modern" runtime library introduced with Mac OS X 10.5. I believe they've put some effort into making applications running against the modern runtime more resistant to runtime changes.

    But there's a catch: The modern runtime is not binary compatible with applications built to the old runtime. That's no problem for 64-bit apps, where there was nothing compiled against the classic runtime. (10.4 didn't support any 64-bit processes at all, and even the limited hybrid 64-bit processes available built for 10.5 linked to the new runtime.) Apple could have provided the modern runtime to 32-bit apps built specifically to it, a fifth flavor of universal app. But Apple chose to provide the classic runtime to 32-bit apps, and the modern one to 64-bit apps.

    I suspect as long as Mac OS X has to run apps linked to the old runtime, Apple is limited in what they can do under the application. 10.7 will probably drop Rosetta and not be supported on systems with 32-bit processors. But I suspect it will still offer *optional* 32-bit Intel compatibility, which means supporting that classic runtime somehow. 10.8 will finally drop 32-bit Intel, leaving the Mac with only the modern runtime. That's when we'll see interesting stuff start being added.

    That's probably 4-5 years away, though.

    Apple's used the 64-bit transition as an excuse for other things, too. For instance, the 64-bit System Preferences runs preference pane plugins in a garbage-collected environment.

    So I don't think Apple wants developers to stop shipping fat binaries as much as they want developers to start making their code use the new runtime features. I think Mac OS X is going to get very interesting when the need to run apps linked against the classic runtime goes away.
