Slashdot Mirror


Mac OS X Security Criticisms Countered

Paradox writes "In response to the recent PC Magazine story criticizing Mac OS X security, technologist/author Richard Forno has written a rebuttal criticizing the author and raising some good points about the fundamental differences between Windows and Mac OS X. Considering Lance Ulanoff's tone during his article, a rebuttal from the Mac OS X community was inevitable." Forno's conclusion: "Trustworthy computing must be more than a catchy marketing phrase. Ironically, despite a few hiccups along the way, it's becoming clear that Mac OS, not Windows, epitomizes Microsoft's new mantra of 'secure by design, default, and deployment'."

20 of 464 comments

  1. Slow site by Anonymous Coward · · Score: 5, Informative
    article text, reprinted as permitted by author. Enjoyez-vous.

    Muckraking, the PC Way
    Richard Forno
    12 Dec 03
    Copyright (c) 2003 by Author. Permission granted to reproduce in entirety with credit given.


    Richard Forno is a security technologist, author, and the former Chief Security Officer at Network Solutions.


    Since Apple released Mac OS X, even the PC industry trade publications have raved about its quality, design, and features. PC Magazine even gave Mac OS X "Panther" a 5-star rating in October 2003. Perhaps it was because Macs could now seamlessly fit into the Windows-dominated marketplace and satisfy Mac users refusing to relinquish their trusty systems and corporate IT staffs wanting to cut down on tech support calls. Whatever the reason, Mac OS X has proven itself as a worthy operating system for both consumers and business alike.

    Of course, as with all operating systems, Mac OS X has had its share of technical problems and even a few major security vulnerabilities. Nearly all were quickly resolved by Apple via a downloaded patch or OS update. But in general, Mac OS X is solid, secure, and perhaps the most trustworthy mainstream computing environment available today. As a result, Mac users are generally immune to the incessant security problems plaguing their Windows counterparts, and that somehow bothers PC Magazine columnist Lance Ulanoff.

    In a December 11 column [1] that epitomizes the concept of yellow journalism, he's "happy" that Mac OS X is vulnerable to a new and quite significant security vulnerability. The article was based on a security advisory by researcher Bill Carrel regarding a DHCP vulnerability in Mac OS X. Carrel reported the vulnerability to Apple in mid-October and, through responsible disclosure practices, waited for a prolonged period before releasing the exploit information publicly since Apple was slow in responding to Carrel's report (a common problem with all big software vendors.) Accordingly, Lance took this as a green light to launch into a snide tirade about how "Mac OS is just as vulnerable as Microsoft Windows" while penning paragraph after paragraph saying "I told you so" and calling anyone who disagrees with him a "Mac zealot."

    In other words, you're either with him or with the "zealots." Where have we seen this narrow-minded extremist view before?

    More to the point, his article is replete with factual errors. Had he done his homework instead of rushing to smear the Mac security community and fuel his Windows-based envy, he'd have known that not only did Apple tell Carrel on November 19 that a technical fix for the problem would be released in its December Mac OS X update, but that Apple released easy-to-read guidance (complete with screenshots) for users to mitigate this problem on November 26. Somehow he missed that.

    Since he's obviously neither a technologist (despite writing for a technology magazine) nor a security expert, let's examine a few differences between Mac and Windows to see why Macintosh systems are, despite his crowing, whining, and wishing, inherently more secure than Windows systems.

    The real security wisdom of Mac OS lies in its internal architecture and how the operating system works and interacts with applications. It's also something Microsoft unfortunately can't accomplish without a complete re-write of the Windows software -- starting with ripping out the bug-riddled Internet Explorer that serves as the Windows version of "Finder." (That alone would seriously improve Windows security, methinks.)

    At the very least, from the all-important network perspective, unlike Windows, Mac OS X ships with nearly all internet services turned off by default. Place an out-of-the-box Mac OS X installation on a network, and an attacker doesn't have much to target in trying to compromise your system. A default installation of Windows, on the other hand, shows up like a big red bulls-eye on a network with numerous network services enabled and running. And, unlike Win

  2. Interesting Article by voodoo_bluesman · · Score: 2, Informative

    That is a great article, but for some reason it feels like he didn't really do that much research. For instance, his reference to DLL Hell is outdated - Windows XP doesn't suffer from that issue.

    Saying that, I have to make the statement that I am an OS X user, and I love it. The simple fact that it asks for my username and password when I try to install applications is a wonder in itself.

    1. Re:Interesting Article by voodoo_bluesman · · Score: 2, Informative

      Take a look here for a brief overview. I'm not saying that this is perfect, but being able to run multiple versions in memory does help alleviate the potential for DLL conflicts.

    2. Re:Interesting Article by umofomia · · Score: 2, Informative
      Umm... no. The problem of DLL hell is because programs (including Windows) all throw their DLLs into the winnt\system folder. New versions of DLLs overwrite old versions, files get left behind during uninstalls, etc. All this contributes to the long-standing problem of "DLL hell". Simply allowing multiple/separate copies in memory is something that all OSes (including Windows) have been able to do for many, many, many years.
      Umm... no. If you had done your own research, you would have found out that Windows XP does not allow random programs to overwrite DLL files in the system folder using System File Protection (SFP). Instead it will write the file to another location and keep track of the separate DLL through what is known as a manifest. When the application requests that specific version of the DLL, the manifest will provide it for the application.

      For more info, see:

    3. Re:Interesting Article by bovinewasteproduct · · Score: 4, Informative

      Windows XP doesn't suffer from that issue

      Considering that only about 8% of the windows users are running XP (95, 98 and 2000 are the majority), then his comments still stand. The recent spate of articles on MS dropping support for Win98 has posted the ratios quite clearly.

      BWP

  3. Curious.. by Metallic+Matty · · Score: 4, Informative

    You could have found a fairly accurate rebuttal right here at . as well.

    Minus the trolls and such.

  4. Re:Don't always assume a smear campaign by NaugaHunter · · Score: 5, Informative

    From the original article:
    How cocky are you feeling now, Mac elite?

    While the original article's criticism may not have come from "zealous hate", it certainly didn't come from impartial journalism. This and other statements like it definitely tinted it from simple reporting to an apparent attack, complete with the subliminal childish prat-calls.

    --
    R: That voice. Where have I heard that voice before? B: In about 365 other episodes. But I don't know who it is either.
  5. Re:Don't always assume a smear campaign by antiMStroll · · Score: 3, Informative
    There's an easy way to confirm or dispute the contention. Read the damn article. But since that's too troublesome for the moderators, enjoy some choice cut'n'paste:

    I know this is wrong, but in one respect I was happy to learn earlier this month about the discovery of a significant security hole in the Jaguar and Panther...

    I was tired of the "We use Macs because they don't get attacked by viruses and hackers" refrain from Mac nuts.

    I generally counter with what is apparently a secret carefully hidden from Mac zealots:...

    But the mindlessly superior retort is always the same....

    Given this recent development, my question is, "Will you be stuffing that superior attitude in your crow or eating it separately, sir?"

    Those quotes alone comprise half the first few paragraphs. See, that wasn't too hard, was it?

  6. Re:trust by telbij · · Score: 3, Informative

    So you're saying there's no middle ground... either you need security and run Gentoo or you need to do some real work and then take your pick?

    In the real world where a person may need to run various applications and perform unforeseen tasks, security is still a consideration. I myself run OS X because (among other reasons) I don't like having system performance degrade over time, or worry about opening emails. Is having my system hacked the end of the world? No, but I'll take the better odds any day.

  7. Yeah yeah. by mindstrm · · Score: 5, Informative

    My summary of the situation:

    - Nothing is totally secure, if it's at all useful.

    - Windows is demonstrably NOT secure. It's been riddled with nasty bugs for years.. and for Joe Average, WHY doesn't matter.

    - OS X is without question far more secure than Windows, and less buggy. That is not to say it's immune, or that it can't be hurt ever, but several factors both in low-level design, and in user interface design, specifically how easily users can turn on and off certain services, make it less prone to exploits.

    - Yes, it has a smaller market share, and hence, less attention is focused on it, and that certainly IS a factor.. but it doesn't change the fact that Mac users don't have to worry about viruses on a daily basis at the moment. It also isn't the only factor, and hardly means "Oh it's just as insecure as Windows"

    The #1 insecurities in windows are related to bad design... and a narrow interpretation of how the computer will be used in a network environment. Having all these services listening by default is bad. Having them difficult to shut off is even worse.

  8. Re:stubborn institutional pride/hubris, etc... by zgwortz962 · · Score: 5, Informative

    Honestly, Microsoft trying to put a Windows GUI on top of BSD is probably a bad move for them. The problem, as is always the issue with new OSes, is drivers.

    Apple was able to get away with Mac OS X on top of BSD, using their own modern driver architecture (IOKit) because they had a relatively small hardware subset that they had to support (and you'll note they didn't even *try* and support a whole bunch of their older machines...). And it still took them 4 years to get the first version out the door.

    For Microsoft to do the same thing would be tons more complicated, given the ungodly amount of hardware they have to support.

    (Drivers are the long term bane of Linux and BSD as well -- The Linux driver model is, IMHO, a horribly antiquated mess needing a complete tear out and replacement. It's not going to get that anytime soon for the same reasons outlined above - too many new drivers to support. I'm not familiar with the BSD model, but if it's anything like the over 20 year old UNIX device model, I'm *very* glad Apple chose to use IOKit instead...)

    IMHO, if Microsoft wants to produce a truly stable OS, they need to tear their kernel development away from the rest of the OS, and put everything else (especially IE) in a nice isolated sandbox. I would say the vast majority of Windows security holes are there because MS tries to integrate way too much high level functionality into the core OS.

    Of course, if they do that, then they risk people adding their own sandboxes on top of their core OS (like Java...) and losing control of the application developers who currently are slaved to that highly integrated high level functionality...

  9. So blown out of proportion ... by Zwoop · · Score: 5, Informative
    I still don't understand why this security "hole" got so much attention... Are people struggling to find problems with MacOSX? First of all, attacks like this are nothing new, just remember the old YP/NIS problems with broadcasting for the server, to mention just one example.

    Secondly, when we wrote the DHCP LDAP option specs way back when, we explicitly documented this problem in the security section:

    5. Security considerations

    Security considerations discussed in [3], particularly with respect to the
    provision of authentication information, are directly applicable here.
    Additionally, it should be noted that providing LDAP server information by
    a broadcast protocol such as DHCP may allow unauthorized clients to learn
    the location of and authentication information for LDAP servers and hence
    pose as valid clients. This presents a security problem when sensitive
    information, such as user passwords, is published via LDAP servers.

    The DHCP protocol provides no mechanisms for the client to verify the
    validity and correctness of the received information. The security
    considerations in [1] discuss several weaknesses, particularly the problem
    with unauthorized DHCP servers.


    This was written in 1997, note the last paragraph above. These issues have been discussed and documented in several RFCs, many years ago...

    -- Leif
  10. Re:The weird thing... by Graff · · Score: 2, Informative
    Mac OS 9 was completely safe to the outside world. AFAIK there were no remote holes - now it did crash every ten to fifteen minutes on me, but I've never seen remote vulnerability.

    The classic Mac OS's did have vulnerabilities, but they were not well-documented and sporadic. In certain places bad coding produced code that was vulnerable to buffer overflow exploits. However, those are difficult to use under the best of circumstances.

    Because Mac OS did not run on x86 hardware it had a different stack structure. Not only that but the processors used have always been big-endian. In order to exploit the buffer overflow vulnerabilities you would need to code in PowerPC assembler, using big-endian, and in a manner able to exploit the stack structure of Mac OS. This is a tall order because it is uncommon enough that there are not many resources out there on how to do it. Script kiddies thrive on these exploits in the x86 world because there is a ton of info on how to do it.

    Not only that but Apple's development is pretty tight and planned and they did nip a lot of these vulnerabilities in the bud before they became common knowledge. So no Mac OS, classic or modern, has ever been completely bulletproof but it has been a very hard target to hit for exploiters. So hard, in fact, that almost no attempts have been made
  11. Re:The weird thing... by Trurl's+Machine · · Score: 5, Informative

    is that Mac OS 9 was completely safe to the outside world. AFAIK there were no remote holes - now it did crash every ten to fifteen minutes on me, but I've never seen remote vulnerability.

    You can see one anytime you want by just checking this test site. It works in a similar way as the infamous autostart worm that plagued MacOS Classic machines. The vulnerability works as follows:

    1. You click on a link on a website like the above. It starts to download a stuffit-packed disk image to your desktop [without asking; that's the default configuration]
    2. Stuffit unpacks and mounts the image [without asking; that's the default configuration]
    3. Classic QuickTime sees a newly mounted image and initiates Autostart procedure [DEFAULT CONFIGURATION!]
    4. Bingo - you allowed a remote source to execute arbitrary code on your system; and even under MacOS X, it started as a Classic layer process so it runs actually as root

    The test site "attacks" you only with a very simple AppleScript applet that only opens your trashcan and that's it. But just think of the possibilities for a really malicious use. It was a very severe vulnerability for all vanilla-configured MacOS 9 (and earlier) machines; but unfortunately, also MacOS X machines with their Classic layer configured as the vanilla MacOS 9 were affected. THIS INCLUDES the MacOS X 10.3 "Panther". In fact, Classic layer always was and still is the biggest security hole in MacOS X, but that's another story. Anyway, Apple was crazy to provide Autostart option in QuickTime (who needs it, anyway?) but it was even more crazy to provide it as the DEFAULT configuration.

  12. Re:Interesting by Wumpus · · Score: 2, Informative

    While I agree that the author is poorly informed and mostly goes on one tangent after the other in this article, there are some problems with Windows that aren't easily fixed. This page, mentioned previously on /., is one example:

    http://security.tombom.co.uk/shatter.html

    There is a followup to this paper that discusses Microsoft's response to it. The author isn't happy with the response.

    The root of this issue is the Win32 API, and its origins as a real mode compatible API with no security, and no memory protection between processes. Much of the transition to Win32 seems to have been handled as a massive search and replace operation on the Windows headers, with backwards compatibility being considered more important than security.

  13. Re:Don't always assume a smear campaign by all+your+mwbassguy+a · · Score: 3, Informative

    Macs CAN get viruses
    which viruses would these be? there are still no virii that attack mac os x.

  14. Re:OSX is weak - here is some homework. by jceaser · · Score: 2, Informative

    So what if root is readable by admins. The /System folder is much more secure as is /private which is much more important.

    ls -ld /System
    drwxr-xr-x 4 root wheel 136 12 Sep 16:41 /System

    ls -ld /private/
    drwxr-xr-x 5 root wheel 170 14 Dec 13:31 /private

    /private, as you know, is where apple keeps etc, tmp, and var.

    Also, the standard GUI installer forces a su password from the user before writing to /System or /Library which seems very reasonable to me.

    Oh, and if you were worried that someone could swap your commands with another:

    ls -ld /usr/bin
    drwxr-xr-x 652 root wheel 22168 14 Dec 13:24 /usr/bin

    ls -ld /sbin
    drwxr-xr-x 61 root wheel 2074 14 Dec 13:12 /sbin

    ls -ld /usr/sbin
    drwxr-xr-x 201 root wheel 6834 14 Dec 13:20 /usr/sbin

    Only root belongs to wheel.

    So as I hope you can see, it really does not matter what root is, so long as the important directories have the correct settings.

  15. Re:Interesting by Wumpus · · Score: 2, Informative
    Have you read the followup? The author claims to have exploited similar weaknesses in MS software. You're right that Norton shouldn't have architected their application the way they did, but other people make the same mistake, Microsoft included.
    As for the issue of memory protection between processes, what are you referring to?

    I was referring to the old 16 bit Windows API, which the Win32 API is based on. My original post was phrased rather poorly - sorry.

    Win32's roots in the 16 bit Windows API are the reason why the class of problems described in the paper I mentioned exist - applications used to be able to pass pointers around like cookies (Microsoft's words - not mine), and that includes pointers to timer callbacks. You can still get an application to map your data (potentially, exploit code) into its virtual memory space by sending it a WM_COPYDATA message. This was done, I assume, to make it easier to port applications that relied on the lack of memory protection to the new Win32 API.
  16. Re:OSX is weak - here is some homework. by pHDNgell · · Score: 4, Informative

    The original point was about / being writable. The problem is that if / is writable (but not sticky), then it'd be possible to do this:

    cp -r etc myetc; mv etc etc.old ; mv myetc etc

    And then you control etc.

    However, due to the sticky bit:

    dustin2wti:/tmp/test 520% ls -ld . etc
    drwxrwxr-t 3 root admin 102 15 Dec 14:10 ./
    drwxr-xr-x 2 root wheel 68 15 Dec 14:10 etc/
    dustin2wti:/tmp/test 521% mv etc newetc
    mv: rename etc to newetc: Operation not permitted

    (because of the sticky bit and my lack of ownership over etc)

    Remember, renames are *directory* modifications, not file modifications. The sticky bit fills in the difference.

    --
    -- The world is watching America, and America is watching TV.
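
The directory-mode reasoning in the two "OSX is weak" replies above (the `ls -ld` listings and the sticky-bit rename test), as an added example that is not part of either post: a shell function, under the hypothetical name `rename_exposure`, that reads the same `ls -ld` mode string and reports whether a directory's entries can be renamed or replaced by someone other than their owner. The demo directories are constructed in a temporary location.

```shell
#!/bin/sh
# Added example (not from the thread); rename_exposure is a hypothetical name.
# Renaming or replacing an entry is a write to the *containing directory*, so
# the directory's mode decides who could swap etc/ for a copy.
# Only the classic mode bits are read; ACLs and root's override are ignored.

# rename_exposure DIR prints one of:
#   owner-only        no group or other write access to DIR
#   sticky-protected  group/others can add entries, but can rename or delete
#                     only entries they own
#   swappable         group/others with write access can rename any entry
#   not-a-directory   DIR is missing or is not a directory
rename_exposure() {
    mode=$(ls -ld -- "$1" 2>/dev/null | cut -c1-10)
    case "$mode" in
        d?????????) ;;
        *) echo "not-a-directory"; return 0 ;;
    esac
    group_w=$(printf '%s' "$mode" | cut -c6)    # e.g. the 'w' in drwxrwxr-t
    other_w=$(printf '%s' "$mode" | cut -c9)
    sticky=$(printf '%s' "$mode" | cut -c10)    # 't' or 'T' when sticky is set
    if [ "$group_w" != "w" ] && [ "$other_w" != "w" ]; then
        echo "owner-only"
    elif [ "$sticky" = "t" ] || [ "$sticky" = "T" ]; then
        echo "sticky-protected"
    else
        echo "swappable"
    fi
}

# Constructed demo: three directories with the modes discussed in the thread.
demo_constructed_dirs() {
    work=$(mktemp -d) || return 1
    mkdir "$work/group-writable" "$work/sticky" "$work/root-style"
    chmod 0775 "$work/group-writable"   # writable by group, no sticky bit
    chmod 1775 "$work/sticky"           # drwxrwxr-t, like the listing above
    chmod 0755 "$work/root-style"       # drwxr-xr-x, like /System or /usr/bin
    for d in group-writable sticky root-style; do
        printf '%s  %-16s %s\n' \
            "$(ls -ld "$work/$d" | cut -c1-10)" \
            "$(rename_exposure "$work/$d")" "$d"
    done
    rm -rf "$work"
}

demo_constructed_dirs
```
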
  17. Re:Factual Error by norkakn · · Score: 2, Informative

    Did you do a clean install?

    I think it uses your jaguar network settings when you do an upgrade or archive and install.