Slashdot Mirror

← Back to Stories (view on slashdot.org)

Snow Leopard Missed a Security Opportunity

Posted by kdawson on from the where-did-you-put-it-what-you-know-where-do-you-think-oh dept.

CWmike writes "Apple missed a golden opportunity to lock down Snow Leopard when it again failed to implement fully a security technology that Microsoft perfected nearly three years ago in Windows Vista, noted Mac researcher Charlie Miller said today. Dubbed ASLR, for address space layout randomization, the technology randomly assigns data to memory to make it tougher for attackers to determine the location of critical operating system functions, and thus makes it harder for them to craft reliable exploits. 'Apple didn't change anything,' said Miller, of Independent Security Evaluators, the co-author of The Mac Hacker's Handbook, and winner of two consecutive 'Pwn2own' hacker contests. 'It's the exact same ASLR as in Leopard, which means it's not very good.'"

18 of 304 comments (clear)

  1. It doesnt matter... by Ontheotherhand · · Score: 4, Funny

    Yeah, but it doesnt matter. everyone knows that apples are immume to viruses and malware. and they look better than ordinary Pcs.

    1. Re:It doesnt matter... by AnalPerfume · · Score: 4, Interesting

      Actually no, they're not. Every Mac has a set list of apps, with a set list of libraries etc. It's a mono culture. Not to mention the fact that Apple are insane about secrecy, so Mac users often don't know if there's a vulnerability even reported to Apple, let alone if Apple are doing anything about it, or when it's due if they are. Notice the common theme of "being subservient to Apple's whims". With Linux anyone can submit the fix, which will then be adopted as needed by all the different distros, and within a couple of days at most it's fixed. Also the fact that Linux is so varied, often an exploit or vulnerability found on one distro may not affect another, or not affect a different DE or WM.

      Let's assume the Mac share is around the same as Linux, both close to 10% which I think ain't too far off. An attacker can plan an attack on something they're guaranteed exists because it comes out the factory that way on every model, identical, with a slow acting vendor so the windows stays open for a while.....or they can plan an attack on a fast moving target that may only affect 30% of machines, and the window of opportunity will be gone within a day of it being noticed.

      Both Mac and Linux users tend not to run any protection software like Windows users NEED just to have their system stay alive till lunchtime, so any infection if successful will likely go unnoticed. Both Mac and Linux users often feel their systems are immune. In the case of Mac users, the people who can afford Macs have money (or at least HAD money before they bought their Mac) so combined with a blind spot for self protection they should be a ripe juicy target. Yet, apart from the odd story like this one which is self inflicted by Apple, it's still rare.

      OSX is UNIX, which is a HUGE advantage over Windows, but the closed Apple mono culture prevents it from being used to it's fullest.

    2. Re:It doesnt matter... by cerberusss · · Score: 4, Insightful

      A big post full of ifs and coulds. But I guess because of the size, it's modded up.

      So when there is a glitch there is a bunch of finger pointing as there is no mono-culture who is interested in making the overall product better but just one piece of it.

      RedHat, Canonical, SuSe, Debian, et cetera have not written all software that make up that distribution, however, their core reason for existing is that they take responsibility for the overall picture.

      So often the security fix doesn't fix the core issue just a stop gap somewhere in the line.

      Care to give examples?

      And if that module was replaced with an other then it could happen all over again.

      Just like other platforms.

      You'll have to do a lot better than that.

      --
      8 of 13 people found this answer helpful. Did you?
  2. Surely this is only of any use to a hacker if ... by Chrisq · · Score: 4, Insightful

    Surely this is only of any use to a hacker if they manage to run in "ring zero" anyway. Otherwise wouldn't normal page protection stop them. Am I missing something?

  3. Two week old "news" by Anonymous Coward · · Score: 5, Informative

    The summary alleges Miller said it "today". Except he didn't.

    The article linked to is dated September 14, which means he allegedly said it 2 days ago. Except he didn't.

    He actually said it *two weeks ago* on August 29th.

    Wake up, editors!

  4. He'll stop complaining when... by necro81 · · Score: 4, Insightful
    FTFA:

    Miller said. "Snow Leopard's more secure than Leopard, but it's not as secure as Vista or Windows 7," he said. "When Apple has both [in place], that's when I'll stop complaining about Apple's security."

    Call me a cynic, but I somehow think he, and everyone else that looks at OS security, will still find things to complain about. The tech blog and journalism industry depends on it!

  5. Justified praise by Chrisq · · Score: 4, Informative
    From Address space layout randomization:

    Microsoft's Windows Vista and Windows Server 2008 have ASLR enabled by default, although only for those executables and dynamic link libraries specifically linked to be ASLR-enabled.[citation needed] This did not include Internet Explorer 7 on Windows Vista prior to Service Pack 1; ASLR and DEP are both disabled for application compatibility purposes. Newer versions, including Internet Explorer 8, enable these protections. A registry setting is available to forcibly enable or disable ASLR for all executables and libraries. The locations of the heap, stack, Process Environment Block, and Thread Environment Block are also randomized. A security whitepaper from Symantec noted that ASLR in 32-bit Windows Vista may not be as robust as expected, and Microsoft has acknowledged a weakness in its implementation.

    It appears that only OpenBDD and some hardened Linuxes (not mainstream distributions) have a complete implementation.

  6. Re:Surely this is only of any use to a hacker if . by Anonymous Coward · · Score: 5, Informative

    ASLR makes executing code on the stack quite a bit more difficult, regardless of what privileges the program being exploited may have. Also makes calling libaray functions and pretty much anything in RAM far more difficult for a hacker. Page protection doesn't protect against these attacks per se.

  7. Re:Here they come... by Anonymous Coward · · Score: 5, Funny

    I don't even use a MAC

    Then how does your network card work?

  8. Re:Here they come... by Anonymous Coward · · Score: 5, Informative

    1. You identify a system API that has a local escalation vulnerability. These aren't that uncommon and because they cannot be directly exploited remotely they're not generally as high of a priority.

    2. You identify a vulnerability in a service or other application that permits execution of arbitrary code remotely.

    3. You exploit the remotely exploitable vulnerability with a payload that calls into the known mapped address of the system API with a second payload in order to escalate to root and then execute a third payload with those increased privileges to outright p0wn the machine.

  9. Re:Microsoft technology? Really? by drinkypoo · · Score: 4, Informative

    Linux's implementation of ASLR is substantially inferior to Windows Vista/7's, which was covered the FIRST time this guy won the pwn2own contest. However, it is far superior to OSX's, which appears to not really do anything useful, and which appears to have not even changed since it was discovered that OSX ASLR is useless. Please try to keep up, or don't comment. Thank you.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  10. Re:Surely this is only of any use to a hacker if . by oyenstikker · · Score: 4, Insightful

    It does not make it obscure, it makes it unpredictable.

    You may figure out the location of something once, but it will be somewhere else on a different computer, or even on the same computer after a reboot.

    --
    The masses are the crack whores of religion.
  11. Not at All "Perfected" by Doc+Ruby · · Score: 5, Informative

    technology that Microsoft perfected nearly three years ago

    If there's a phrase that should trigger skepticism, that's it. ASLR isn't "perfect", and has been reported (and confirmed) exploited as recently as 7 months ago:

    March 24, 2009 -

            quote:Internet Explorer 8 "critical" flaw in final version

            Microsoft confirmed that the vulnerability exists in the official release, said Terri Forslof, a researcher at TippingPoint, which sponsored the Pwn2Own contest that challenged competitors to find bugs in either web browsers or mobile devices

            "This is a single-click-and-you're-owned exploit," she told SCMagazineUS.com on Tuesday. "You click a link in an email or simply browse to a website, and your machine is compromised. This meets Microsoft's 'critical' bar [in its vulnerabilities and rating system]."

            The exploit apparently defies Microsoft's DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization) technologies -- two features added to IE8 to prevent memory corruption vulnerabilities.

            "Once the browser was compromised, we handed over the exploit to Microsoft immediately, on site," Forslof said. "They went back and reproduced it and called to verify that the vulnerability was present. We retested again on the released version of IE8 that went live on the following morning and verified that the vulnerability was in it as well."

    --

    --
    make install -not war

    1. Re:Not at All "Perfected" by vistapwns · · Score: 4, Interesting

      That exploit took advantage of code MS left in the beta version of IE8 that opted out of DEP and ASLR, the RTM IE8 disables that code on the internet zone, and it can be disabled on the intranet zone as well, so it's not much of an issue in the RTM IE8.

      --
      "...I think the Microsoft hatred is a disease." - Linus Torvalds
  12. Re:It will cost them at some point by dkf · · Score: 4, Interesting

    As a long time Mac user, I completely agree with you. I have long thought Apple did not take security seriously or at least did not devote the resources they should on security matters. Worse, I absolutely do not want to go through a decade of painful and annoying security problems (like the windows users went through) before Apple begins to put real effort into security.

    To be fair, Apple have focused much more on the user-facing side of the security problem. There's just much less likelihood of a user installing something bad by accident. Deliberate badness is a problem (always) but by reducing the problem with accidents, real on-the-ground disasters are lessened. (It helps that Mac applications are really directories, and so aren't quite as simple to start from some website by accident, and their filesystem-level metadata that marks downloaded things with where they came from also makes a difference.) Which isn't to say that the other techniques are a bad idea; defense-in-depth is the watchword. But true high-quality security solutions need to address many levels of problems, including both system-level ones and user-facing ones.

    Oh... one last thing: Wasn't OpenBSD doing this long before windows?

    I believe so. It sounds like the sort of thing they'd do...

    --
    "Little does he know, but there is no 'I' in 'Idiot'!"
  13. Re:Let's not let facts get in our way by antifoidulus · · Score: 4, Interesting

    The biggest security problems with Windows still remain, namely that:
    a: compared to it's unix bretheren, Windows still requires administrative privileges for a LOT of common things

    b: Microsoft's reliance on proprietary protocols, many of which have a lot of known and probably even more unknown vulnerabilities.
    c: security policy on Windows has about 0 coherency, making it really hard to properly secure windows and really easy to accidentally miss something/screw something up. Windows security polices are all over the place, in the registry editor, in the windows security center, in the user/computer policy app(which at least as of xp wasn't searchable, so if you were looking for something and you didn't know EXACTLY where to find it you end up having to look through every single freaking policy. Whats worse is that Windows freely mixes client and server policies, even when the machine isn't a server! Most users get so frustrated and just leave everything open.

    I tried to recently secure a Windows XP box after coming from a background of unix(including OS X) and Linux, and I just could not believe how insanely obfuscated Microsoft made everything. What is insanely simple to do in the Unix world takes massive effort to even attempt in the Windows world, if it will even work at all.

    I swear Microsoft makes a lot of this stuff pointlessly complicated just so they can persuade more people to take the MCSE exams.

    --
    Monstar L
  14. Microsoft perfected ASLR ? by viralMeme · · Score: 4, Informative

    "Apple .. failed to implement fully a security technology that Microsoft perfected nearly three years ago in Windows Vista"

    Address space layout randomization is a technique to randomize memory addresses of the base of the code, stack, heap, and libraries. First used by PaX and OpenBSD

  15. OS X Security Reporting by 99BottlesOfBeerInMyF · · Score: 5, Insightful

    I always find articles about OS X security, especially in discussion, painful. First you either have a security expert writing and being translated by a fairly clueless reporter, or you have a clueless reporter writing. In the former case what makes a good article and gets press is usually a security person pointing out weaknesses or flaws in OS X. After all, saying OS X still doesn't have much risk of malware for the average user is like reporting that most GM cars still use gas. It's old info and not news. The other type of article that gets picked up are soft articles about how cool OS X is and how it can't get malware, written for the 90% of the populace that has never used it, but from an uniformed perspective.

    Inevitably when either kind of story goes up on Slashdot we see tons of people who know little or nothing about what security is actually implemented in OS X, spouting off one way or the other, usually emotionally defending their favorite OS.

    So in this case we have a fairly knowledgeable security expert talking about security in OS X. His sentence about ASLR begins, "One major disappointment in the midst of all these security enhancements..." Based upon what reporters have made of his paper, do any of you know what those security enhancements are? Contrast the expert's conclusion:

    While the only true test of security is how effective it is in the real world, on paper it looks like life is now at least a little harder for any potential Mac attackers.

    With the title of article linked to:

    Apple missed security boat with Snow Leopard, says researcher

    That's not to say the article is a filthy lie. It is completely true. Apple did miss the opportunity to improve ASLR for the heap. That's very true and important and disappointing. It's also the only OS X security news most people will hear and that, is misleading. It's not the writer's fault either, they're just writing what's interesting and "news". Writing an article on how Apple's security got moderately better in a number of ways and Macs are still unlikely to have many serious or widespread malware problems going forward for a few years, is not news.

    And Apple is not blameless about what press reaches the public either. Apple is pretty quiet about security features in OS X because they don't like to bring up the topic for the general public, except in very generic ways. Their plan seems to be "tell users the security is cool and good and make sure they know they're unlikely to get viruses, but don't confuse them with details. Experts can read the whitepapers." This leaves out the whole middle portion of the spectrum, not security experts but not completely clueless either.

    It would be nice to have meaningful discussion on some of the OS X security features, but that might be too much to hope for. What do people think about the sandboxing approach and has anyone noticed any particularly surprising sandboxed services in Leopard? The mixed 32-64 bit thing seems like an interesting choice, with 64 bit application development now motivated by artificially restricting access to some new APIs. Since a lot of the security improvements are tied to 64 bit applications and/or 64 bit processors, do people feel this was an attempt to direct developers for security reasons or just to speed the transition for other reasons? What do people think the other heap protection checksums and protections for 64 bit kernels. Will we transition to 64 bit fast enough so that they will be useful? How about the application signing being tied to the application level firewall? It seems like Apple could have made that a default and really motivated developers to use it, but decided to go in baby steps instead. And why in the world has Apple not created a proper application and update manager that extends to third parties? That seems like a no-brainer from a security and usability perspective.