The Story of a Simple and Dangerous OS X Kernel Bug

RazvanM writes "At the beginning of this month the Mac OS X 10.5.8 closed a kernel vulnerability that lasted more than 4 years, covering all the 10.4 and (almost all) 10.5 Mac OS X releases. This article presents some twitter-size programs that trigger the bug. The mechanics are so simple that can be easily explained to anybody possessing some minimal knowledge about how operating systems works. Beside being a good educational example this is also a scary proof that very mature code can still be vulnerable in rather unsophisticated ways."

Age is irrelevant, resistance is futile.

[girlintraining]

"Beside being a good educational example this is also a scary proof that very mature code can still be vulnerable in rather unsophisticated ways."

Since when did the age of code become a metric for evaluating its trustworthiness? Code should only be trusted after undergoing in-depth analysis by people with training and experience in information security. Code should also be written with security in mind from the beginning. The story of this kernel bug is simple and goes like this: "I was in a hurry."

Re:Age is irrelevant, resistance is futile.

[Secret+Rabbit]

Well, assuming that the code is actively (and properly) maintained, then that isn't a bad metric. Essentially, it's because any security flaw is the result of a bug. It's just a bug that can be exploited. So, if the code is maintained properly, then bug fixes will be continuous and as such, reduce the number of exploitable bugs.

Good metric, yes. Absolute metric, no.

"""... which is basically one of the tenets of OSS."""

And where did you hear that? Because, I never have and I've been around for a while.

Re:Age is irrelevant, resistance is futile.

[_Sprocket_]

While I'm not particularly sold on this notion myself, it does bear a lot of semblance to the idea that code can be proven "secure" if it stands after a multitude of random attacks, which is basically one of the tenets of OSS.

I'm pretty sure that's not a tenet of OSS. If someone is pushing that as a tenet, then they really need to pay closer attention to history. A history of resilience is a nice metric - but it's not "proof" that code is bug-free rather just that nobody has found a given bug or made it public. People who get caught up in vulnerability counts forget that the real metric is response to a given vulnerability.

One tenet you hear bandied about is "given enough eyeballs, all bugs are shallow." Criticism tends to revolve around whether enough eyeballs have been put to any particular piece of code. Although one could argue that it's not just the number of eyeballs - but whether said eyeballs have the training to look for particular kinds of bugs that might not show up in normal use of the given code. None of that has anything to do with the frequency of attack.

Re:Age is irrelevant, resistance is futile.

[johanatan]

Essentially, it's because any security flaw is the result of a bug. It's just a bug that can be exploited. So, if the code is maintained properly, then bug fixes will be continuous and as such, reduce the number of exploitable bugs.

It depends on your scope of consideration. Design flaws are not 'bugs' in the traditional sense of the word (i.e., implementation-related). However, if you expand your scope to include design specs then your statement is true. There do exist though exploits of perfectly-implemented but imperfectly-designed code.

Re:Age is irrelevant, resistance is futile.

[LO0G]

In my experience, a code's age/maturity is one of the better indicators of it's INsecurity.

We've learned a LOT about security (and more importantly about writing secure code) over the past 10 years.

10 years ago, nobody knew about arithmetic overflow vulnerabilities or heap overflow vulnerabilities. Now every coder needs to worry about them. And all that old code was written non knowing about those vulnerabilities so it's highly likely to contain issues.

I read

[Runaway1956]

Alright, I read TFA. I read the earlier slashdot article. I even googled around a little bit. What I find is, an obscure little bug, if exploited locally, enables a user to crash his machine. What I don't find is an exploit that makes use of this bug.

Am I missing something?

I suppose that I could accomplish something similar on my current Ubuntu installation. If I thought it made a difference, I could install a few other flavors of Linux and try doing something like that. But, why?

MS astroturfer's posts above are noted. And, I also note that MS bugs are routinely exploited, locally and remotely. The unwarranted superiority complex looks pretty pathetic, doesn't it?

Re:I read

[Thantik]

It's not the fact that it is local exploit code, it's the fact that local and remote exploits and the line between them are being blurred every day. TFA mentioned being able to write memory in 8-bit pieces, ANYWHERE in kernel memory. That's pretty dangerous if you ask me.

Re:I read

[Overunderrated]

So your argument is that even though the bug exists, it's okay because no one took the time to massively exploit it? you do realize that if OSX had anywhere near the market share of windows, this would've been exploited years ago, right? i accept that 'security through obscurity' is perfectly valid, but you need to recognize it for what it is.

Re:I read

[Runaway1956]

Yeah, I've read this "market share" argument used as a defense for shoddy MS code time and time again. That just doesn't cut it.

Mac has a presence in the business world. If it were as buggy as MS, crackers would be launching fishing expeditions for vulnerable Macs, so that they could gain access to company networks.

What I asked for were examples of exploits, or reasons why this bug were really dangerous. Posts before yours are attempting to put things into perspective. Please, no more lame defenses of from MS astroturfers - there are enough of those even before you arrive at my question.

Market share, indeed. Remind me that the next time I want a cheap padlock, I should purchase a no-name lock. Since it has no market share, burglars won't try to pick it or break it.

Re:I read

[nmb3000]

Mac has a relatively tiny presence in the business world.

Fixed that for you.

What I asked for were examples of exploits, or reasons why this bug were really dangerous.

And a bunch of people already pointed out that this bug gives you write-access to the kernel's memory. That's bad, privilege escalation bad.

Market share, indeed. Remind me that the next time I want a cheap padlock, I should purchase a no-name lock. Since it has no market share, burglars won't try to pick it or break it.

That's funny, because I recall seeing all sorts of instructions on how you can open MasterLock(TM)(R) and (ALL THAT) combination locks. They were so detailed, they would even specify which serial numbers of which models were vulnerable to which cracking techniques. And yet, I never saw any instructions for opening the Wal-Mart special RandomBrand of padlock.

Market share does matter when it comes to investing time and money into exploiting flaws in a product. To say it is the only factor in operating system security is false, but saying it doesn't matter at all is just as wrong.

Re:I read

[beuges]

The bug is really dangerous because it allows userspace to write anywhere to kernelspace. Yes, it's a local-only exploit, so the attack surface isn't that large. Or is it? How many pieces of software do you have running on your system right now that may contain vulnerabilities? It would be trivial for a skilled hacker to find an exploit in some arb application, with the payload being an exploit of this particular issue. So your local-only exploit has a remote entry-point from any other piece of software thats running on your system.

Local-only exploits are only less dangerous than remote exploits if your system has no contact with other systems. When you expose your system to others, all of your local exploits become remote exploits the moment any piece of software that you run has a remote exploit. Recently there have been a number of reports of vulnerabilities in common applications like Firefox, and Adobe doesn't have a particularly great security track record either. Ideally, a vulnerability in one of these applications would only be able to run code as the user, or attack the user's home directory. Except since you can now modify any address in kernel space, you can craft code that tells the kernel your userid actually has root permissions, in which case you now have complete control over the whole system.

Every kernel-level exploit is *really dangerous*. Marketing people will try to play it down by saying that since its local-only, it's not that bad, so that they can carry on making dumb 'im a pc, im a mac' adverts and patting themselves on the back. But all they're doing is lulling their userbase into a false sense of security.

Re:I read

[benjymouse]

Yeah, I've read this "market share" argument used as a defense for shoddy MS code time and time again. That just doesn't cut it.

So you think that an attacker thinks he must exploit each platform proportional to the market share?

Or do you believe that each attacker randomly chooses a platform to specialize in proportional to market share. Or do they keep a list with number of slots according to each OS's market share?

Consider this:

1. Imagine you were on a shooting range. You can shoot for two different targets, one labelled "OS X" and the other one "Windows"
2. One "OS X" target is 3 times larger than the other (OS X has 3 times the vulnerabilities compared to Windows) and is thus easier to hit.
3. Each time you hit "OS X" you get $10.
4. Each time you hit "Windows" you get $200.
5. You have 12 shots.

Now, if the targets were 10 ft in front of you and both easily hit, how would you spend your 12 shots? Would you aim 3 shots that the smaller target and 9 shots at the larger target because that seems the fair thing to do? Or would you just shoot all 12 shots at the smaller target and go home with $2400? I know what the typical person would do.

Only when you move both targets so far back that both of them gets pretty hard to hit would any sane person consider spending any rounds on "OS X".

Attackers chose target platform based this simple economics. As long as Windows has 15 - 20 times (worldwide) the market share of OSX and as long as the limiting factor of attacks is time (the actual creation of an exploit), the attackers are going to target Windows each and every time. Only if they cannot find any exploitable vulnerabilities in Windows will they invest in another platform.

Oh, and what about Apache you say? Apache has 2 times the market share of IIS (roughly). Why isn't Apache attacked exclusively for the same reason. The difference here is that these targets are pretty distant; both Apache and IIS are pretty tight. Neither Apache nor IIS5, 6 and 7 has seen successful widespread attacks directly at the server. Neither Linux nor Windows are vulnerable at the network level anymore, especially not when behind a firewall as *all* webservers are nowadays.

The shooters have simply given up (for the time being) and went to another shooting range with better odds. BothApache and IIS has seen widespread attacks against vulnerable applications running on top of the servers. Here you could certainly argue that attackers has a preference for PHP and ASP.Ancient.

Re:I read

[node+3]

Market share does matter when it comes to investing time and money into exploiting flaws in a product. To say it is the only factor in operating system security is false, but saying it doesn't matter at all is just as wrong.

No one is saying that it's not a factor. On the other hand, there are countless people who make the reverse mistake and state that Macs don't have exploits solely due to market share.

This is easily debunked by:

1. IIS exploits.
2. Linux exploits (Linux market share is to Macs as Mac market share is to Windows)
3. Mac apps. People still write apps for the Mac, why not viruses?
4. There are plenty of viruses for the classic Mac OS.
5. There are tens of millions of Mac users. Even though Windows has hundreds of millions, tens of millions is still a large and lucrative group to attack.

The key isn't that Mac OS X is flawless or too low of a market share, it's that Windows is so easy to exploit. Design decisions made decades ago are still impacting Windows today. If you look at the typical Mac OS X bug and the typical Windows bug, you'll see that the Mac bugs tend to be very Unix-like in nature, that they are some part of the system can be tricked into crashing by being passed data in a specific way. Many a Windows bug is not due to getting something to crash, but by using some feature in a way that tricks it to allow unwanted things to happen.

Re:I read

[LurkerXXX]

Some problems with your arguments.

#1 IIS is a web server. That is a juicy target. It's much jucier than a lot more home OSX machines.

#2 Linux is used very often as a server. Once again, a much much jucier target than some OSX desktop.

#3 They do, just much less of them, as with apps. Less written, less looking, less discovered.

#5 Modern *nixes have pretty much all implemented this feature which OSX has neglected to implement. What else haven't they done right as the other *nixes have?

Re:I read

[Simetrical]

2. Linux exploits (Linux market share is to Macs as Mac market share is to Windows)

What are some examples of widely-exploited Linux bugs? (Of course there are isolated exploits, but the same is true for Mac. And of course there are very severe security vulnerabilities all the time, but that doesn't mean they're exploited in practice. And of course Linux machines are compromised on a regular basis, but that might be due to weak passwords and such.)

3. Mac apps. People still write apps for the Mac, why not viruses?

Apps have to compete with each other. If a particular niche is filled on Windows but not Mac, then a new Windows-only app will have to compete with the existing apps. A new Mac app won't, so it will get a much larger slice of a smaller pie. On the other hand, twenty different viruses can recruit your computer into twenty different botnets with no problem, as any Windows user should be able to attest. (How often does a virus scan on an infested computer turn up only one virus?)

Besides, the number of apps for Mac is tiny compared to Windows.

4. There are plenty of viruses for the classic Mac OS.

Such as? I'm not doubting you, but I've never heard that claimed before.

5. There are tens of millions of Mac users. Even though Windows has hundreds of millions, tens of millions is still a large and lucrative group to attack.

It's a matter of cost and benefit. If it's three times the effort to write Windows exploits and you get twenty times the victims, there's just no reason to write viruses for Macs. Hackers are usually motivated by money, pure and simple.

Anyway, I don't have any credentials in hacking. So I'll rely on Charlie Miller, who's a professional hacker (security expert). He demonstrated that he knows something about Mac exploits by cracking a Mac in two minutes flat a while back and winning pwn2own. In an interview, he said (emphasis added):

Between Mac and PC, I'd say that Macs are less secure for the reasons we've discussed here (lack of anti-exploitation technologies) but are more safe because there simply isn't much malware out there. For now, I'd still recommend Macs for typical users as the odds of something targeting them are so low that they might go years without seeing any malware, even though if an attacker cared to target them it would be easier for them.

He's far from a Microsoft shill; he works for a security consulting firm and uses a Mac himself.

Re:I read

[Simetrical]

"... lack of anti-exploitation technologies..."

Uh, you mean like firewalls? Sandboxing? Library Randomization? Protected memory and Execute Disable? Encrypted virtual memory? System heap library checksums? The ability to actually run user accounts as non-admins? FileVault? Disabling root by default? Download screening? Antiphishing technology? Browser page isolation? Minimal outward facing ports and services? Parental Controls?

Those anti-exploitation technologies?

If you read the interview, you would see that he specifically refers to ASLR and the NX bit, at least. OS X apparently only has a very limited version of those, at least compared to Vista (and some Linux builds). Quote:

For the record, Leopard has neither of these features, at least implemented effectively. In the exploit I won Pwn2Own with, I knew right where my shellcode was located and I knew it would execute on the heap for me.

But hey, if you want to believe lists of features rather than the opinion of a professional security expert who was demonstrably able to hack an OS X machine in two minutes and win a high-profile hacking contest, then go ahead.

"...he works for a security consulting firm and uses a Mac himself."

And not Windows and not Linux. Guess that says it all.

Yes, it does, because he said Mac was safer. Less secure — much easier to hack — but safer, because nobody bothers to hack it. Which is exactly my point. I was responding to the great-grandparent, who claimed Windows is easier to hack than Mac, and that obscurity isn't the major reason Macs are safer. The security expert I cited believes exactly the opposite to be the case, that Macs are easier to hack and obscurity is the major reason they're safer. No one disputes that they're safer.

Mature code?

[Casandro]

I'm sorry, but what has MacOSX to do with mature code? Code is mature when it has lasted for _decades_ and no significant bug has been found. MacOSX is just your average kernel. OK, there are _much_ worse around, but that doesn't make OSX any better.

What _really_ is a shame that it took them 4 years to fix it.

Re:Mature code?

[Casandro]

Yes precisely, there is very little mature code. That's why you still have buffer overruns and other security critical bugs.

New features don't have to mean that old code will be changed or made more insecure. There are many attempts at making computer systems modular so adding one piece of code will add a lot of new features to unchanged programmes. The oldest concept incorporating it is the UNIX concept where you have lots of small single-purpose programs which you can connect via pipes to serve any more complex purpose. Each of those programs can easily be made mature. So you reduce the problem to a bit of managable code to string those programs together.

Other concepts are found on object oriented operating systems (even in MacOSX) where Applications typically are just connections between stock objects. If those stock objects are made out of mature code, you get stable software.

Make summaries more informative

[Bromskloss]

The mechanics are so simple that can be easily explained to anybody possessing some minimal knowledge about how operating systems works.

So then do so in the summary!

Re:But it's not Windows!

[Daniel+Dvorkin]

You know, at this point there are probably about a thousand times as many people whining about this supposed attitude on the part of Mac users than there are Mac users actually displaying it.

Re:But it's not Windows!

[e2d2]

They're an easy target because they stress this in their advertising thus bringing it on themselves. Why have pity for them? Their ads are smarmy so getting a little in return is all in good fun. It's ridiculous to think that any computer is perfect, that's why we point and laugh.

Re:But it's not Windows!

[characterZer0]

With Windows, there are two groups of people looking for bugs: Microsoft employees who do not want to admit to the bug and who will hide the fix in a service pack who knows how many months later, and those looking to exploit.

In Linux, in addition to those being paid to work on it such as RedHat employees and those hoping to exploit it, you have volunteer kernel hackers and users as well, to whom it is beneficial to release a patch immediately.

Love the editing

[Pedrito]

or lack thereof:

"The mechanics are so simple that can be easily explained to anybody possessing some minimal knowledge about how operating systems works."

"...so simple that it can be easily..."

The choice of "some minimal" is a bit questionable too. "some" or "minimal" alone would have been sufficient to convey the meaning. Together, it sounds almost redundant.

"Beside being a good educational example this is also a scary proof that very mature code can still be vulnerable in rather unsophisticated ways."

"Beside" means "next to". "Besides" means "other than".

Not that it really matters. The mainstream news sites can't seem to compose articulate sentences either. Grammar has really gone to crap and it really bugs me that English based news providers can't be bothered to produce fluent English stories.

Re:Less vulnerabilities? Yeah, right!

[walt-sjc]

All studies analyzing security vulnerability reports or released patch sets as a measure of OS security simply prove that the researcher is a fucking idiot. It's IMPOSSIBLE to measure security in this way because you are comparing lawn tractors to jet skis. The reasons are basic: everyone that releases an OS has their own way of dealing with reports and patches. The raw data is MEANINGLESS.

It doesn't matter what anti-exploit technology is in the OS because it has been proven time and time again that no matter WHAT the warning, Users hit OK anyway. In fact, studies have shown that even when presented with a dialog that says something like "If you click OK, your computer will be infected by a virus," users STILL click OK 50% of the time. Windows is particularly bad in this regard because it is CONSTANTLY asking permission to do this, that, or the other thing. A typical work day for me I get 100-1000 requests for permission. It's no wonder users click OK all the time.

Due to "OS conditioned" user behavior, NONE of the anti-malware software out there is actually effective at preventing infection. Most can clean it up after the fact (with the drive pulled and scanned from another machine.)

Users also continue to use stupid passwords like "password", "1234", etc. no matter how much training given. Forcing complex passwords just ensures that there will be a postit on the monitor with the password, and a 100x increase in calls to the help desk to reset passwords.

The ONLY measure we REALLY have is subjective, and based on my experience, the reality is that windows users are probably 1000 times more likely to have malware on their systems.

I don't have any good solutions to this problem other than to suggest that we need security technology that actually analyzes a program's behavior, possibly simulating it by running in a mini-secure sandbox before talking to the user about it. Maybe apps could be be checked against a reputation database... Known good could be passed with no prompting thus reducing the amount of warning dialogs to the user. The current situation has proven dire however.

Re:I'm a Mac

[ceoyoyo]

OMG! A Google search for two words shows up some hits! Most of which appear to say that there are one or two bits of malware for the Mac.

If you watch Apple's ads carefully, they don't claim there is no malware for the Mac. They only imply that it doesn't affect your user experience the same way it does on Windows. I think one of the actual statements goes something like "there aren't hundreds of thousands of viruses." Which is absolutely true.

You may find the commercials annoying (don't you find all commercials annoying?), and they are arguably misleading on other points, but that's not one of them.

Re:Less vulnerabilities? Yeah, right!

[stewbacca]

Yes, the severity of the exploits is what matters. I didn't read TFA, but a lot of people keep bringing this up in this thread. If the IBM study doesn't properly address the "magnitude of effect" (i.e. the seriousness of any differences between means or other comparative or inferential statistics), then it is ripe for biased-respresentation. People can pick and choose what they want to say without an accurate discussion of the findings. Raw numbers don't mean crap.