
Vincenzo Iozzo  (Source: Black Hat DC)
Claims he can overwrite other programs’ code in memory without leaving a trace

Vincenzo Iozzo, a student security researcher at Politecnico di Milano University in Italy, unveiled a startling new attack against Mac OS X computers that allows hackers to inject malicious code into another program’s memory space – and then vanishes as soon as the computer is switched off.

Speaking at the Black Hat DC cybersecurity conference in Washington, DC, Iozzo said his technique relies on injecting arbitrary code into a program’s executable memory while it is running, guided by the memory locations described in the actual program binary, which is stored in a file format called Mach-O. The injected code runs when the code it originally overwrote is called upon by its host.

Attacks of this kind are nothing new, however, and the secret behind Iozzo’s memory injection attack is that it runs completely from RAM, leaving no trace on the host machine’s hard drive; other techniques have generally required, at least minimally, some form of temporary storage.

The main weakness of his attack is that it relies on an unspecified means of executing arbitrary code on the computer in the first place: according to Iozzo’s presentation (PDF), an attacker must have knowledge of remote code execution “in his pocket” in order to convince his mark’s computer to run a bootstrapper that initiates the attack.

While it is unclear as to whether or not Iozzo’s technique allows hackers to tamper with code running at System-level privileges – Iozzo describes the attack as limited to “userland”, or regular desktop applications – it does allow an attacker to modify a program like Safari to do something malicious like monitoring passwords and keystrokes.

Iozzo’s technique most closely resembles Firewire-port memory injection attacks that previously felled Windows, Mac OS X, and Linux: both make use of some transient medium to arbitrarily inject code into the program section of a computer’s memory, which is normally heavily protected from attack. Once the malicious code is in, an attacker can make a computer do pretty much anything the OS would allow the original host program to do – all without setting off security software.
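
The memory layout the article refers to is declared in the Mach-O load commands, and a defender can audit it. The following is an added example, not code from the article or from Iozzo's presentation: it lists each segment's address and protections and flags code segments that are writable or can be made writable. It assumes a thin, little-endian Mach-O image; the sample bytes are constructed for the example.

```python
import struct

MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF   # thin 32-/64-bit images
LC_SEGMENT, LC_SEGMENT_64 = 0x1, 0x19
VM_PROT_WRITE, VM_PROT_EXECUTE = 0x2, 0x4
SEG32, SEG64 = "<16s4I2i2I", "<16s4Q2i2I"        # segment_command bodies

def list_segments(data):
    """Return (name, vmaddr, vmsize, initprot, maxprot) per segment."""
    if len(data) < 28:
        raise ValueError("truncated Mach-O header")
    magic, _, _, _, ncmds, sizeofcmds, _ = struct.unpack_from("<7I", data, 0)
    if magic == MH_MAGIC_64:
        off, seg_cmd, fmt = 32, LC_SEGMENT_64, SEG64
    elif magic == MH_MAGIC:
        off, seg_cmd, fmt = 28, LC_SEGMENT, SEG32
    else:
        raise ValueError("not a thin little-endian Mach-O image")
    end = off + sizeofcmds
    if end > len(data):
        raise ValueError("load commands run past end of file")
    segments = []
    for _ in range(ncmds):
        if off + 8 > end:
            raise ValueError("truncated load command")
        cmd, cmdsize = struct.unpack_from("<2I", data, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("load command size out of bounds")
        if cmd == seg_cmd:
            if cmdsize < 8 + struct.calcsize(fmt):
                raise ValueError("segment command too short")
            (name, vmaddr, vmsize, _, _,
             maxprot, initprot, _, _) = struct.unpack_from(fmt, data, off + 8)
            name = name.rstrip(b"\0").decode("ascii", "replace")
            segments.append((name, vmaddr, vmsize, initprot, maxprot))
        off += cmdsize
    return segments

def audit(segments):
    """Flag segments whose code pages are, or can become, writable."""
    findings = []
    for name, _, _, initprot, maxprot in segments:
        if not initprot & VM_PROT_EXECUTE:
            continue
        if initprot & VM_PROT_WRITE:
            findings.append((name, "W+X"))
        elif maxprot & VM_PROT_WRITE:
            findings.append((name, "X, writable via maxprot"))
    return findings

def _seg64(name, vmaddr, vmsize, initprot, maxprot):
    body = struct.pack(SEG64, name, vmaddr, vmsize, 0, 0, maxprot, initprot, 0, 0)
    return struct.pack("<2I", LC_SEGMENT_64, 8 + len(body)) + body

def constructed_sample():
    """Constructed header-only image: __TEXT r-x (max rwx), __DATA rw-."""
    cmds = (_seg64(b"__TEXT", 0x100000000, 0x1000, 5, 7) +
            _seg64(b"__DATA", 0x100001000, 0x1000, 3, 3))
    return struct.pack("<8I", MH_MAGIC_64, 0x01000007, 3, 2, 2, len(cmds), 0, 0) + cmds

if __name__ == "__main__":
    for seg in list_segments(constructed_sample()):
        print("%-8s vmaddr=%#x size=%#x init=%d max=%d" % seg)
    print(audit(list_segments(constructed_sample())))
```

A segment flagged here is one whose executable pages the OS would permit a process to rewrite, which is the condition an in-memory integrity monitor has to watch for.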

Comments

This is only the start
By Makaveli on 2/20/2009 7:47:19 AM , Rating: 5
lol great news on a friday morning, now all those apple fan boys can stfu.

RE: This is only the start
By BZDTemp on 2/20/09, Rating: -1
RE: This is only the start
By tastyratz on 2/20/2009 8:33:10 AM , Rating: 5
Well that's the case with a majority of attacks - It is far more common to need to execute something before malicious code can do something. Just go into an apple chatroom, say you're 18/f, and say your webcam software made a slideshow of you getting dressed this morning. You will have 100 lemmings line up to run your special "slideshow"

Apple has a significant security flaw that can't be corrected - lemming users with a god complex. They think they are invincible to attacks and Virii because Apple doesn't acknowledge most security problems, so they don't think twice before opening things.

RE: This is only the start
By zaxxon on 2/20/2009 10:03:55 AM , Rating: 1
And why would this be limited to an Apple chatroom?

Why should stupidity and acne-faced lemmingness be confined to a specific architecture/software-design?

RE: This is only the start
By Master Kenobi on 2/20/2009 10:04:48 AM , Rating: 5
Users are always the biggest threat to Security, This is why Apple is screwed ^2 compared to other vendors.

RE: This is only the start
By psychobriggsy on 2/20/2009 10:27:01 AM , Rating: 5
I think this is why Windows keeps on getting screwed over.

Face it, 95% of people using computers should be forced to take the computer equivalent of a driving test.

RE: This is only the start
By zaxxon on 2/20/09, Rating: 0
RE: This is only the start
By djc208 on 2/20/2009 12:05:06 PM , Rating: 5
80 years ago we're talking about cars most of us would recognize, post model T even. They were much simpler to work on and deal with than today. While they required more "normal maintenance" (grease joints, points, dwell, brake adjustments), they were far from hard to work on. A basic set of tools and one or two specialty items and you were set.

Driving them was no more complex than today, outside of the fact that many fewer were automatics, and you had to have some muscle since power steering and brakes were luxury items.

Today you need much more to work on the car, and technically more to drive it. However there's almost no "regular maintenance" outside of an oil change, air filters, and the occasional wiper blade. The car even tells you when the tires need air. But today cars have MP3 players, bluetooth, GPS, power adjustable everything, cruise control, etc.

Cars haven't gotten easier to use, just harder to use in different ways from their predecessors.

RE: This is only the start
By eman7613 on 2/21/2009 3:02:14 PM , Rating: 3
Actually, this type of attack can only run and affect the same things the original program had permission to attack. So actually, everything in /dev, /usr, and most all the directories (which means all the programs, since Applications directory requires root to edit) are safe. The most you could really do is delete or download stuff to the user's home directory - and since apple allows you to send programs the kill signal, this is something that really is not that huge a problem.

Also, it said that a bootstrap needed to be run first, and while that statement alone makes little sense (what are we bootstrapping?), it does indicate that some other program needs to be run first. So I'm very doubtful as to how realistic or practical a threat this is.

RE: This is only the start
By Makaveli on 2/20/09, Rating: 0
RE: This is only the start
By Smilin on 2/20/2009 11:53:25 AM , Rating: 5
With physical access you could certainly cause more mischief but this doesn't require it. It would just take the usual "trick someone into running an app" social engineering.

You couldn't do this on a Vista box.

First of all UAC is going to pop if you ran such an app. Even assuming the user is "UAC conditioned" and hits yes it still wouldn't work. Userland apps can't reach each other's memory space without popping an Access Violation. You would have to break things in kernel mode to get around this. Good luck with that: Pool tagging, ASLR, DEP, etc..

RE: This is only the start
By FaceMaster on 2/20/2009 7:52:28 AM , Rating: 5
As much as I hate Apple you're just trolling.

RE: This is only the start
By Totally on 2/20/2009 6:33:14 PM , Rating: 4
well, you got to admit he's right. The apple users can't keep plugging their ears and singing la-la-la-la-la every time something like this happens.

RE: This is only the start
By Alexvrb on 2/20/2009 9:34:52 PM , Rating: 1
Why can't they? It has worked so well for them for so many years, and I suspect it will continue to serve the Mac faithful in the future.

RE: This is only the start
By kelmon on 2/21/2009 11:26:49 AM , Rating: 1
Something like what happens, precisely? Someone makes a presentation? I don't want to belittle what is being discussed but there is no more threat today than there was yesterday and probably tomorrow too. As and when something hits "the wild" and can actually do damage, then we'll worry but in the meantime this remains as theoretical as all the other announcements. I find it rather sad that people actually welcome news like this.

Put another way, we don't need to plug our fingers in our ears because there is no sound to hear.

Bloody scaremongers...

RE: This is only the start
By Pirks on 2/21/09, Rating: 0
RE: This is only the start
By FaceMaster on 2/21/2009 5:05:36 PM , Rating: 5
Shame they're only virus free because they're not worth writing viruses for.

Oh, but there are viruses. And it's easier to make viruses for them than ones that work with Windows.

You are quite entertaining, but in a frustrating way. I know you'll find this bit of the post a compliment, but the simple fact is that you're too stupid to understand that you're wrong, which makes it look as if people are having long and timely debates with you when they're actually just giving you the same response time and time again because you're too stupid to answer it, much like a politician. ie,

'Not as many people use them because they're not as good'
'Um, not, MACs just aren't as good. The hardware is dated.'
'Yeah but compare todays hardware and you'll see that PCs are better.'
'Um, I give in. You clearly aren't sane.'

RE: This is only the start
By waffle911 on 2/22/2009 12:58:57 PM , Rating: 2
I can say honestly I've run in to more PC zealots doing that than Mac zealots when both sides get into an argument like that. It really ends up as being as senseless as American bipartisan politics. "Dem vs GOP LOLOLOL". Seriously.

oh... and before anyone says something about Mac users being ignorant about their vulnerability... consider how many PC's don't run any protection software, how many people who use PC's don't know what is or is not risky behavior on the internet, and how many headaches I get from dealing with idiots who clearly have no business operating a computer. A lot of headaches I wouldn't have if half the people I help out on a regular basis would just switch to Macs and leave Windows to the people who actually understand how to use it (like me). To make computers safe, you have to make them stupidproof. Macs are as stupidproof as I've seen. The average consumer could care less about Apple's inferior hardware, the point is that it's good enough now and for the future. Considering the average new PC bought at a big box store houses 1-2 (or even 3) year old technology, I'd say Mac's aren't in any sort of trouble of being terribly outdated for the people that buy them. Given, of course, that we're talking about the Macs that people actually buy, like the iMac and the MacBook. The Mac Mini and Mac Pro are irrevocably outdated, but Apple hasn't seen enough sales in the Mini to justify updating it yet, and the Mac Pro is limited by VGA card makers' efforts to support the system, plus the fact that a lot of professionals who used to buy Mac Pros find themselves buying iMacs as a good-enough and cost-effective platform.

That said, I'm planning my i7/GTX285 gaming rig right now. But I get all my work done on a Mac, because it's basically Linux Premium, with added software support and less effort involved in day-to-day use. Plus Mac laptops, while not the most powerful for the price, are still a far cry from inferior machines, especially compared to HP/Dell/Sony/Gateway. Bring Lenovo, MSI, Acer, and Asus to the fight, then you've got something to talk about. But I still prefer the MacBook Pro.

RE: This is only the start
By FaceMaster on 2/22/2009 1:32:49 PM , Rating: 2
My rant stretched far beyond MAC fanboys. I was talking about fanboys in general- trollers who don't seem to realise that they're not being clever or persuasive, but just plain RETARDED.

RE: This is only the start
By themaster08 on 2/28/2009 5:44:46 AM , Rating: 2
can say honestly I've run in to more PC zealots doing that than Mac zealots when both sides get into an argument like that

Probably due to the fact that there are many more PC users than Mac users, but looking at percentile, about 99% of Mac users are zealots who need to prove themselves as the inferior users, whereas about 25% of PC users probably don't even know what a Mac is, let alone argue against one.

I think all Mac zealots should take a good look at this:-

RE: This is only the start
By theapparition on 2/20/2009 9:43:54 PM , Rating: 2
As much as I hate Apple you're just trolling.

Said the troll whose most relevant responses include something on the order of "I just trolled your mum".

RE: This is only the start
By FaceMaster on 2/21/2009 12:44:31 PM , Rating: 3
Said the troll whose most relevant responses include something on the order of "I just trolled your mum".

STOP JUDGING ME. All posts should be assessed separately as due to the Civil Protection City 17 act, 'previous cases should not be known about' as it leads to prejudice. Imagine, for example, the makers of FRIENDS finally making a good episode. So many people would dismiss it as rubbish because of the quality of the previous ones, even if it was actually funny.

RE: This is only the start
By theapparition on 2/23/2009 8:41:32 AM , Rating: 2
You got me. Your response was pretty good.

RE: This is only the start
By Desslok on 2/20/09, Rating: -1
By SavagePotato on 2/20/2009 9:58:16 AM , Rating: 5
It is getting more and more gratifying by the day as more and more osx infections and exploits come about.

Reality usually sucks but seeing comeuppance for people that smugly walk about with their nose in the air touting how their mac is invulnerable to any infection, is just so very enjoyable.

Security through obscurity, its time is ending with each tick of apple market share growth.

RE: Gratifying
By ltcommanderdata on 2/20/09, Rating: -1
RE: Gratifying
By PhoenixKnight on 2/20/2009 2:17:05 PM , Rating: 5
Apple doesn't exactly have a good record when it comes to fixing security flaws. Their usual course of action is usually to either completely ignore it or denounce it as being a slanderous lie.

RE: Gratifying
By gstrickler on 2/20/09, Rating: -1
RE: Gratifying
By Pirks on 2/21/2009 5:37:07 AM , Rating: 1
Ever heard of the Darwin project?
I bet SavagePotato would use his nine iron on Darwin's teeth if he could :)))

RE: Gratifying
By zaxxon on 2/20/2009 11:26:07 AM , Rating: 2
What's better than walking around with your nose high, pointing out that another OS finally 'has been hacked'....

RE: Gratifying
By Totally on 2/20/2009 6:38:45 PM , Rating: 3
...pointing out that another OS finally [become worthwhile to be] hacked'...


RE: Gratifying
By kelmon on 2/21/2009 11:37:08 AM , Rating: 2
Really? And which exploits should we be worried about today? Please direct me to one that will attack my computer today.

I find it very entertaining that we occasionally get comments from people saying that Apple's "[s]ecurity through obscurity" is ending. Is this like the "Year of the Linux Desktop" I keep reading about?

Seriously, if you find news like this "gratifying" then I can only suggest that you need to find yourself something more interesting to do. I don't care what type of computer you or anyone else uses, so why do you?

RE: Gratifying
By Pirks on 2/21/2009 1:09:10 PM , Rating: 2
I don't care what type of computer you or anyone else uses, so why do you?
Because he's a genetically bred mindless Apple-bashing troll. If you read SavagePotato's Apple-related posts here, you wouldn't even consider talking to him. Talking to a piece of wood would be more productive. Trust me on that, kelmon, I know this guy for a loong time ;-)

By wwwebsurfer on 2/20/2009 7:49:58 AM , Rating: 5
Apple comments aside, these attacks just suck. Security software will find a way to stop this cold, and it's probably going to use up a truckload of my system resources.... I'm not sure who to hate more.

RE: a
By Master Kenobi on 2/20/2009 8:32:13 AM , Rating: 2
Host Intrusion Protection/Prevention Systems are going to be more commonplace in the future to combat this style of attack.

RE: a
By Dreifort on 2/20/2009 9:32:15 AM , Rating: 5
too bad there will be only 1 choice for Apple/Mac Intrusion protection. and it will cost about $40 more than the same software for the PC.

RE: a
By Noya on 2/20/2009 9:49:51 AM , Rating: 2
lmao, true

Show of hands: ...Bueller? ...Spicoli?
By Smokey48 on 2/21/2009 9:56:59 PM , Rating: 2
Can I have a show of hands from any of the millions of Mac users who have ever been hacked? Or got a virus? A worm? A trojan?

Anybody? ...Bueller? ...Anyone?

By Ichinisan on 2/23/2009 6:31:03 PM , Rating: 2
They question is, would they know or recognize that they have been compromised?

By Ichinisan on 2/23/2009 6:33:12 PM , Rating: 2
The question is, would they know or recognize that they have been compromised?

This is Old News
By hiscross on 2/20/2009 9:53:13 AM , Rating: 1
This has been known for some time. Just because it finally has been posted on this blog doesn't make it news. Let's see over time if this issue becomes threatening, or just an issue with little or no impact. There are known security issues on mainframes that will never be fixed and those same mainframes store the world's financial data.

RE: This is Old News
By psychobriggsy on 2/20/2009 10:25:45 AM , Rating: 3
I thought Mac OS X utilised both the NX bit (i.e., protecting executable code in memory from being overwritten) and address space randomisation.

Either these are implemented incorrectly or not at all, or this code also works around NX and might also work on other platforms.

By Wightout on 2/20/2009 1:22:37 PM , Rating: 1
The anti-mac guys really come out of the woodwork when apple has a flaw pointed out...

I love my machine... you love your machine... stick with what you like.

You guys (both sides here) are about as bad as jehovah's witnesses. Like it makes that much of a difference...

Use what you like

RE: Wow
By Makaveli on 2/20/2009 3:06:30 PM , Rating: 2
lol and for the record I'm not anti mac. It's just amusing sometimes watching you guys jump up and down over silly comments.

I don't really care if you own a mac, sleep with it or are married to it, that is your business.

Some of the people on these internet forums need to get outside a bit more and live a little.

If I cared that much about it, I would be trying to convert every nerd with an apple machine at the local starbucks!

RE: Wow
By sprockkets on 2/20/2009 9:16:51 PM , Rating: 1
You guys (both sides here) are about as bad as jehovah's witnesses.


Go figure, people designed OSX !
By articbliss on 2/20/2009 12:23:13 PM , Rating: 2
I don't know why everyone is so surprised when people find security flaws in a major OS. Really I would be surprised when there weren't any flaws. The good news is that at least we're being proactive about security threats instead of reactive (which leads to our credit card information being stolen). No surprise that OSX has some exploits. Plus as more people begin to use OSX on their desktops there will be more resources put aside to both secure the OS and to infiltrate it. Call it the economics of digital security. There wouldn't be many safe crackers in the world if people didn't put "important" things inside them.

Bad conclusion
By CZroe on 2/20/2009 4:43:38 PM , Rating: 2
"Attacks of this kind are nothing new, however, and the secret behind Iozzo’s memory injection attack is that it runs completely from RAM, leaving no trace on the host machine’s hard drive; other techniques have generally required, at least minimally, some form of temporary storage."

This is ridiculous. Any buffer overflow attack puts code in memory (exactly what NX bit is supposed to reduce) and it's up to the code to decide what to do from there (nasty memory-resident payload or bootstrap a payload stored somewhere else). Basically, he half-baked it and said it was something more than any other buffer overflow. The only thing significant here is that the executable format shows what parts of memory contain executable code so that it can be cleanly executed without writing instructions in memory space marked as data, so it effectively gets around the NX bit issues except for finding a way to cause a buffer overflow to go there in the first place. The Firewire DMA trick means that a buffer overflow isn't even necessary to write a payload into this memory, but obviously someone or something would already need to be in control of the PC to.

Mac viruses are a real threat
By BailoutBenny on 2/23/2009 2:19:28 AM , Rating: 2

Here is a link to the first ever discovered OS X virus being discussed by Sophos in 2006. Key quote:

"Some owners of Mac computers have held the belief that Mac OS X is incapable of harboring computer viruses, but Leap-A will leave them shellshocked, as it shows that the malware threat on Mac OS X is real," said Graham Cluley, senior technology consultant for Sophos. "Mac users shouldn't think it's okay to lie back and not worry about viruses."
"This is the first real virus for the Mac OS X platform," continued Cluley. "Apple Mac users need to be just as careful running unknown or unsolicited code on their computers as their friends and colleagues running Windows."

Where is That loser Pirks when u need him ?
By chick0n on 2/20/09, Rating: -1
RE: Where is That loser Pirks when u need him ?
By Makaveli on 2/20/2009 1:19:04 PM , Rating: 1
do you mean the playstation 3 guy?

By FaceMaster on 2/20/2009 1:35:24 PM , Rating: 2
There's more than one abusive account on this site. I should know.


Copyright 2016 DailyTech LLC.