Slashdot Mirror

← Back to Stories (view on slashdot.org)

Snow Leopard Missed a Security Opportunity

Posted by kdawson on from the where-did-you-put-it-what-you-know-where-do-you-think-oh dept.

CWmike writes "Apple missed a golden opportunity to lock down Snow Leopard when it again failed to implement fully a security technology that Microsoft perfected nearly three years ago in Windows Vista, noted Mac researcher Charlie Miller said today. Dubbed ASLR, for address space layout randomization, the technology randomly assigns data to memory to make it tougher for attackers to determine the location of critical operating system functions, and thus makes it harder for them to craft reliable exploits. 'Apple didn't change anything,' said Miller, of Independent Security Evaluators, the co-author of The Mac Hacker's Handbook, and winner of two consecutive 'Pwn2own' hacker contests. 'It's the exact same ASLR as in Leopard, which means it's not very good.'"

7 of 304 comments (clear)

  1. Mod parent up by shis-ka-bob · · Score: 3, Interesting

    The parent post's reference to OpenBSD seem spot on to me. See OpenBSD Security Features. This uses a BSD license and is written for a BSD 4.4 derivative (just like OS/X). Why doesn't Apple just adopt the OpenBSD mmap and just close this hole?

    --
    Think global, act loco
  2. Re:Microsoft technology? Really? by elrous0 · · Score: 3, Interesting

    Shouldn't you be flattered that MS recognized how useful this was and incorporated it into their own OS? The whole point of open source is that anyone is free to adopt its innovations, after all.

    And seriously, "M$"? Is anyone still using that in 2009?

    --
    SJW: Someone who has run out of real oppression, and has to fake it.
  3. Re:It will cost them at some point by dkf · · Score: 4, Interesting

    As a long time Mac user, I completely agree with you. I have long thought Apple did not take security seriously or at least did not devote the resources they should on security matters. Worse, I absolutely do not want to go through a decade of painful and annoying security problems (like the windows users went through) before Apple begins to put real effort into security.

    To be fair, Apple have focused much more on the user-facing side of the security problem. There's just much less likelihood of a user installing something bad by accident. Deliberate badness is a problem (always) but by reducing the problem with accidents, real on-the-ground disasters are lessened. (It helps that Mac applications are really directories, and so aren't quite as simple to start from some website by accident, and their filesystem-level metadata that marks downloaded things with where they came from also makes a difference.) Which isn't to say that the other techniques are a bad idea; defense-in-depth is the watchword. But true high-quality security solutions need to address many levels of problems, including both system-level ones and user-facing ones.

    Oh... one last thing: Wasn't OpenBSD doing this long before windows?

    I believe so. It sounds like the sort of thing they'd do...

    --
    "Little does he know, but there is no 'I' in 'Idiot'!"
  4. Re:Not at All "Perfected" by vistapwns · · Score: 4, Interesting

    That exploit took advantage of code MS left in the beta version of IE8 that opted out of DEP and ASLR, the RTM IE8 disables that code on the internet zone, and it can be disabled on the intranet zone as well, so it's not much of an issue in the RTM IE8.

    --
    "...I think the Microsoft hatred is a disease." - Linus Torvalds
  5. Re:Let's not let facts get in our way by antifoidulus · · Score: 4, Interesting

    The biggest security problems with Windows still remain, namely that:
    a: compared to it's unix bretheren, Windows still requires administrative privileges for a LOT of common things

    b: Microsoft's reliance on proprietary protocols, many of which have a lot of known and probably even more unknown vulnerabilities.
    c: security policy on Windows has about 0 coherency, making it really hard to properly secure windows and really easy to accidentally miss something/screw something up. Windows security polices are all over the place, in the registry editor, in the windows security center, in the user/computer policy app(which at least as of xp wasn't searchable, so if you were looking for something and you didn't know EXACTLY where to find it you end up having to look through every single freaking policy. Whats worse is that Windows freely mixes client and server policies, even when the machine isn't a server! Most users get so frustrated and just leave everything open.

    I tried to recently secure a Windows XP box after coming from a background of unix(including OS X) and Linux, and I just could not believe how insanely obfuscated Microsoft made everything. What is insanely simple to do in the Unix world takes massive effort to even attempt in the Windows world, if it will even work at all.

    I swear Microsoft makes a lot of this stuff pointlessly complicated just so they can persuade more people to take the MCSE exams.

    --
    Monstar L
  6. Re:It doesnt matter... by AnalPerfume · · Score: 4, Interesting

    Actually no, they're not. Every Mac has a set list of apps, with a set list of libraries etc. It's a mono culture. Not to mention the fact that Apple are insane about secrecy, so Mac users often don't know if there's a vulnerability even reported to Apple, let alone if Apple are doing anything about it, or when it's due if they are. Notice the common theme of "being subservient to Apple's whims". With Linux anyone can submit the fix, which will then be adopted as needed by all the different distros, and within a couple of days at most it's fixed. Also the fact that Linux is so varied, often an exploit or vulnerability found on one distro may not affect another, or not affect a different DE or WM.

    Let's assume the Mac share is around the same as Linux, both close to 10% which I think ain't too far off. An attacker can plan an attack on something they're guaranteed exists because it comes out the factory that way on every model, identical, with a slow acting vendor so the windows stays open for a while.....or they can plan an attack on a fast moving target that may only affect 30% of machines, and the window of opportunity will be gone within a day of it being noticed.

    Both Mac and Linux users tend not to run any protection software like Windows users NEED just to have their system stay alive till lunchtime, so any infection if successful will likely go unnoticed. Both Mac and Linux users often feel their systems are immune. In the case of Mac users, the people who can afford Macs have money (or at least HAD money before they bought their Mac) so combined with a blind spot for self protection they should be a ripe juicy target. Yet, apart from the odd story like this one which is self inflicted by Apple, it's still rare.

    OSX is UNIX, which is a HUGE advantage over Windows, but the closed Apple mono culture prevents it from being used to it's fullest.

  7. Re:Let's not let facts get in our way by gad_zuki! · · Score: 3, Interesting

    >compared to it's unix bretheren, Windows still requires administrative privileges for a LOT of common things

    Id say this is the one part of Windows MS has been improving. Running as limited user, runas, etc in Vista (especially SP2) and 7 is lightyears ahead of what it was in XP or 2000. Developers are pretty much being told to write software correctly or it just wont run in Vista/7. This is a sea change in how things are done in the Windows world and even today a lot of users without legacy cruft to support run without much hassle from the UAC. Eventually those old pieces of software causing these issues (lets write to c:\temp why not?) will be retired in favor of compliant newer versions.