Slashdot Mirror

← Back to Stories (view on slashdot.org)

Snow Leopard Missed a Security Opportunity

Posted by kdawson on from the where-did-you-put-it-what-you-know-where-do-you-think-oh dept.

CWmike writes "Apple missed a golden opportunity to lock down Snow Leopard when it again failed to implement fully a security technology that Microsoft perfected nearly three years ago in Windows Vista, noted Mac researcher Charlie Miller said today. Dubbed ASLR, for address space layout randomization, the technology randomly assigns data to memory to make it tougher for attackers to determine the location of critical operating system functions, and thus makes it harder for them to craft reliable exploits. 'Apple didn't change anything,' said Miller, of Independent Security Evaluators, the co-author of The Mac Hacker's Handbook, and winner of two consecutive 'Pwn2own' hacker contests. 'It's the exact same ASLR as in Leopard, which means it's not very good.'"

4 of 304 comments (clear)

  1. Two week old "news" by Anonymous Coward · · Score: 5, Informative

    The summary alleges Miller said it "today". Except he didn't.

    The article linked to is dated September 14, which means he allegedly said it 2 days ago. Except he didn't.

    He actually said it *two weeks ago* on August 29th.

    Wake up, editors!

  2. Re:Surely this is only of any use to a hacker if . by Anonymous Coward · · Score: 5, Informative

    ASLR makes executing code on the stack quite a bit more difficult, regardless of what privileges the program being exploited may have. Also makes calling libaray functions and pretty much anything in RAM far more difficult for a hacker. Page protection doesn't protect against these attacks per se.

  3. Re:Here they come... by Anonymous Coward · · Score: 5, Informative

    1. You identify a system API that has a local escalation vulnerability. These aren't that uncommon and because they cannot be directly exploited remotely they're not generally as high of a priority.

    2. You identify a vulnerability in a service or other application that permits execution of arbitrary code remotely.

    3. You exploit the remotely exploitable vulnerability with a payload that calls into the known mapped address of the system API with a second payload in order to escalate to root and then execute a third payload with those increased privileges to outright p0wn the machine.

  4. Not at All "Perfected" by Doc+Ruby · · Score: 5, Informative

    technology that Microsoft perfected nearly three years ago

    If there's a phrase that should trigger skepticism, that's it. ASLR isn't "perfect", and has been reported (and confirmed) exploited as recently as 7 months ago:

    March 24, 2009 -

            quote:Internet Explorer 8 "critical" flaw in final version

            Microsoft confirmed that the vulnerability exists in the official release, said Terri Forslof, a researcher at TippingPoint, which sponsored the Pwn2Own contest that challenged competitors to find bugs in either web browsers or mobile devices

            "This is a single-click-and-you're-owned exploit," she told SCMagazineUS.com on Tuesday. "You click a link in an email or simply browse to a website, and your machine is compromised. This meets Microsoft's 'critical' bar [in its vulnerabilities and rating system]."

            The exploit apparently defies Microsoft's DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization) technologies -- two features added to IE8 to prevent memory corruption vulnerabilities.

            "Once the browser was compromised, we handed over the exploit to Microsoft immediately, on site," Forslof said. "They went back and reproduced it and called to verify that the vulnerability was present. We retested again on the released version of IE8 that went live on the following morning and verified that the vulnerability was in it as well."

    --

    --
    make install -not war