Print 52 comment(s) - last by themaster08.. on Feb 28 at 5:44 AM

Vincenzo Iozzo  (Source: Black Hat DC)
Claims he can overwrite other programs’ code in memory without leaving a trace

Vincenzo Iozzo, a student security researcher at Politchnico di Milano University in Italy, unveiled a startling new attack against Mac OS X computers that allows hackers to inject malicious code into another program’s memory space – and then vanishes as soon as the computer is switched off.

Speaking at the Black Hat DC cybersecurity conference in Washington, DC, Iozzo said his technique relies on injecting arbitrary code into a program’s executable memory while it is running, guided by the memory locations described in the actual program binary, which is stored in a file format called Mach-O. The injected code runs when the code it originally overwrote is called upon by its host.

Attacks of this kind are nothing new, however, and the secret behind Iozzo’s memory injection attack is that it runs completely from RAM, leaving no trace on the host machine’s hard drive; other techniques have generally required, at least minimally, some form of temporary storage.

The main weakness of his attack is that it relies on an unspecified means of executing arbitrary code on the computer in the first place: according to Iozzo’s presentation (PDF), an attacker must have knowledge of remote code execution “in his pocket” in order to convince his mark’s computer run a bootstrapper that initiates the attack.

While it is unclear as to whether or not Iozzo’s technique allows hackers to tamper with code running at System-level privileges – Iozzo describes the attack as limited to “userland”, or regular desktop applications – it does allow an attacker to modify a program like Safari to do something malicious like monitoring passwords and keystrokes.

Iozzo’s technique most closely resembles Firewire-port memory injection attacks that previously felled Windows, Mac OS X, and Linux: both make use of some transient medium to arbitrarily inject code into the program section of a computer’s memory, which is normally heavily protected from attack. Once the malicious code is in, an attacker can make a computer do pretty much the OS would allow the original host program to do – all without setting off security software.

Comments     Threshold

This article is over a month old, voting and posting comments is disabled

This is only the start
By Makaveli on 2/20/2009 7:47:19 AM , Rating: 5
lol great news on a friday morning, now all those apple fan boys can stfu.

RE: This is only the start
By BZDTemp on 2/20/09, Rating: -1
RE: This is only the start
By tastyratz on 2/20/2009 8:33:10 AM , Rating: 5
Well that's the case with a majority of attacks - It is far more common to need to execute something before malicious code can do something. Just go into an apple chatroom, say your 18/f, and say your webcam software made a slideshow of you getting dressed this morning. You will have 100 lemmings line up to run your special "slideshow"

Apple has a significant security flaw that cant be corrected - lemming users with a god complex. They think they are invincible to attacks and Virii because Apple doesn't acknowledge most security problems, so they don't think twice before opening things.

RE: This is only the start
By zaxxon on 2/20/2009 10:03:55 AM , Rating: 1
And why would this be limited to an Apple chatroom?

Why should stupidity and acne-faced lemmingness be confined to a specific architecture/software-design?

RE: This is only the start
By Master Kenobi on 2/20/2009 10:04:48 AM , Rating: 5
Users are always the biggest threat to Security, This is why Apple is screwed ^2 compared to other vendors.

RE: This is only the start
By psychobriggsy on 2/20/2009 10:27:01 AM , Rating: 5
I think this is why Windows keeps on getting screwed over.

Face it, 95% of people using computers should be forced to take the computer equivalent of a driving test.

RE: This is only the start
By zaxxon on 2/20/09, Rating: 0
RE: This is only the start
By djc208 on 2/20/2009 12:05:06 PM , Rating: 5
80 years ago we're talking about cars most of us would recognize, post model T even. They were much simpler to work on and deal with than today. While they required more "normal maintenance" (grease joints, points, dwell, brake adjustments), they were far from hard to work on. A basic set of tools and one or two specialy items and you were set.

Driving them was no more complex than today, outside of the fact that many fewer were automatics, and you had to have some muscle since power steering and brakes were luxury items.

Today you need much more to work on the car, and technically more to drive it. However there's almost no "regular maintenace" outside of an oil change, air filters, and the occasional wiper blade. The car even tells you when the tires need air. But today cars have MP3 players, bluetooth, GPS, power adjustable everything, cruise control, etc.

Cars haven't gotten easier to use, just harder to use in different ways from their predecessors.

RE: This is only the start
By eman7613 on 2/21/2009 3:02:14 PM , Rating: 3
Actually, this type of attack can only run and effect the same things the original program had permission to attack. So actually, everything in /dev, /usr, and most all the directors (which means all the programs, since Applications directory requires root to edit) are safe. The most you could realy do is delete or download stuff to the user's home directory - and since apple allows you to send programs the kill signal, this is something that realy is not that huge a problem.

Also, it said that a bootstrap needed to be run first, and while that statement alone makes little sense (what are we bootstraping?), it does indicate that some other program needs to be run first. So im very doubtful as to how realist or practicle a threat this is.

RE: This is only the start
By Makaveli on 2/20/09, Rating: 0
RE: This is only the start
By Smilin on 2/20/2009 11:53:25 AM , Rating: 5
With physical access you could certainly cause more mischeif but this doesn't require it. It would just take the usual "trick someone into running an app" social engineering.

You couldn't do this on a Vista box.

First of all UAC is going to pop if you ran such an app. Even assuming the user is "UAC condiditoned" and hits yes it still wouldn't work. Userland apps can't reach each other's memory space without popping an Access Violation. You would have to break things in kernel mode to get around this. Good luck with that: Pool tagging, ASLR, DEP, etc..

RE: This is only the start
By FaceMaster on 2/20/2009 7:52:28 AM , Rating: 5
As much as I hate Apple you're just trolling.

RE: This is only the start
By Totally on 2/20/2009 6:33:14 PM , Rating: 4
well, you got to admit he's right. They apple user's can't keep plugging their ears and singing la-la-la-la-la every time something like this happens.

RE: This is only the start
By Alexvrb on 2/20/2009 9:34:52 PM , Rating: 1
Why can't they? It has worked so well for them for so many years, and I suspect it will continue to serve the Mac faithful in the future.

RE: This is only the start
By kelmon on 2/21/2009 11:26:49 AM , Rating: 1
Something like what happens, precisely? Someone makes a presentation? I don't want to belittle what is being discussed but there is no more threat today than there was yesterday and probably tomorrow too. As and when something hits "the wild" and can actually do damage, then we'll worry but in the meantime this remains as theoretical as all the other announcements. I find it rather sad that people actually welcome news like this.

Put another way, we don't need to plug our fingers in our ears because there is no sound to hear.

Bloody scaremongers...

RE: This is only the start
By Pirks on 2/21/09, Rating: 0
RE: This is only the start
By FaceMaster on 2/21/2009 5:05:36 PM , Rating: 5
Shame they're only virus free because they're not worth writing viruses for.

Oh, but there are viruses. And it's easier to make viruses for them than ones that work with Windows.

You are quite entertaining, but in a frustrating way. I know you'll find this bit of the post a compliment, but the simple fact is that you're too stupid to understand that you're wrong, which makes it look as if people are having long and timely debates with you when they're actually just giving you the same response time and time again because you're too stupid to answer it, much like a politician. ie,

'Not as many people use them because they're not as good'
'Um, not, MACs just aren't as good. The hardware is dated.'
'Yeah but compare todays hardware and you'll see that PCs are better.'
'Um, I give in. You clearly aren't sane.'

RE: This is only the start
By waffle911 on 2/22/2009 12:58:57 PM , Rating: 2
I can say honestly I've run in to more PC zealots doing that than Mac zealots when both sides get into an argument like that. It really ends up as being as senseless as American bipartisan politics. "Dem vs GOP LOLOLOL". Seriously.

oh... and before anyone says something about Mac users being ignorant about their vulnerability... consider how many PC's don't run any protection software, how many people who use PC's don't know what is or is not risky behavior on the internet, and how many headaches I get from dealing with idiots who clearly have no business operating a computer. A lot of headaches I wouldn't have if half the people I help out on a regular basis would just switch to Macs and leave Windows to the people who actually understand how to use it (like me). To make computers safe, you have to make them stupidproof. Macs are as stupidproof as I've seen. The average consumer could care less about Apple's inferior hardware, the point is that it's good enough now and for the future. Considering the average new PC bought at a big box store houses 1-2 (or even 3) year old technology, I'd say Mac's aren't in any sort of trouble of being terribly outdated for the people that buy them. Given, of course, that we're talking about the Macs that people actually buy, like the iMac and the MacBook. The Mac Mini and Mac Pro are irrevocably outdated, but Apple hasn't seen enough sales in the Mini to justify updating it yet, and the Mac Pro is limited by VGA card makers' efforts to support the system, plus the fact that a lot of professionals who used to buy Mac Pros find themselves buying iMacs as a good-enough and cost-effective platform.

That said, I'm planning my i7/GTX285 gaming rig right now. But I get all my work done on a Mac, because it's basically Linux Premium, with added software support and less effort involved in day-to-day use. Plus Mac laptops, while not the most powerful for the price, are still a far cry from inferior machines, especially compared to HP/Dell/Sony/Gateway. Bring Lenovo, MSI, Acer, and Asus to the fight, then you've got something to talk about. But I still prefer the MacBook Pro.

RE: This is only the start
By FaceMaster on 2/22/2009 1:32:49 PM , Rating: 2
My rant stretched far beyond MAC fanboys. I was talking about fanboys in general- trollers who don't seem to realise that they're not being clever or persuasive, but just plain RETARDED.

RE: This is only the start
By themaster08 on 2/28/2009 5:44:46 AM , Rating: 2
can say honestly I've run in to more PC zealots doing that than Mac zealots when both sides get into an argument like that

Probably due to the fact that there are many more PC users than Mac users, but looking at percentile, abut 99% of Mac users are zealots who need to prove themselves as the inferior users, whereas about 25% of PC users probably don't even know what a Mac is, let alone argue against one.

I think all Mac zealots should take a good look at this:-

RE: This is only the start
By theapparition on 2/20/2009 9:43:54 PM , Rating: 2
As much as I hate Apple you're just trolling.

Said the troll who's most relevant responses include something on the order of "I just trolled your mum".

RE: This is only the start
By FaceMaster on 2/21/2009 12:44:31 PM , Rating: 3
Said the troll who's most relevant responses include something on the order of "I just trolled your mum".

STOP JUDGING ME. All posts should be assessed separately as due to the Civil Protection City 17 act, 'previous cases should not be known about' as it leads to prejudice. Imagine, for example, the makers of FRIENDS finally making a good episode. So many people would dismiss it as rubbish because of the quality of the previous ones, even if it was actually funny.

RE: This is only the start
By theapparition on 2/23/2009 8:41:32 AM , Rating: 2
You got me. Your response was pretty good.

RE: This is only the start
By Desslok on 2/20/09, Rating: -1
"If they're going to pirate somebody, we want it to be us rather than somebody else." -- Microsoft Business Group President Jeff Raikes
Related Articles

Most Popular ArticlesAre you ready for this ? HyperDrive Aircraft
September 24, 2016, 9:29 AM
Leaked – Samsung S8 is a Dream and a Dream 2
September 25, 2016, 8:00 AM
Inspiron Laptops & 2-in-1 PCs
September 25, 2016, 9:00 AM
Snapchat’s New Sunglasses are a Spectacle – No Pun Intended
September 24, 2016, 9:02 AM
Walmart may get "Robot Shopping Carts?"
September 17, 2016, 6:01 AM

Copyright 2016 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki