
Memory protections in Snow Leopard are still too weak, though it shows other improvements

Apple has been bragging about the security of its new operating system, OS X 10.6 "Snow Leopard".  Leaping from Leopard to Snow Leopard, Apple gives its users limited antivirus/anti-malware protection (the feature currently only detects two signatures out of a handful of known OS X malware signatures).

Still, security experts aren't so hot on Snow Leopard, criticizing the operating system's default firewall setting of "off", its lack of fully automatic updates, and weak anti-phishing efforts for Safari.  They also weren't impressed that Apple shipped with a vulnerable version of Flash, which downgrades users from the safer current version.

Now one prominent Mac hacker has pointed out a significant difference that makes Snow Leopard less secure than the upcoming Microsoft OS, Windows 7. 

Charlie Miller, of Baltimore-based Independent Security Evaluators, the co-author of The Mac Hacker's Handbook, and winner of two consecutive "Pwn2own" hacker contests, is about as experienced as OS X hackers come.  He recently criticized Snow Leopard, stating, "Apple didn't change anything.  It's the exact same ASLR as in Leopard, which means it's not very good."

ASLR is address space layout randomization, a security technology that randomizes where code and data are placed in memory, making it tougher for attackers to determine the location of critical operating system functions.  According to Mr. Miller, unlike Windows 7, which features robust ASLR, Snow Leopard's ASLR is half-baked. It does not properly randomize the heap, the stack and the dynamic linker, the part of Snow Leopard that links multiple shared libraries for an executable.  This means that it's much easier for hackers to attack Snow Leopard via memory injection than Windows 7.
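One way to check on a given system whether these regions move between runs, as an added example that is not from the article or from Mr. Miller: a small C program that records one stack, heap, shared-library and main-image address per run and reports how many address bits changed across runs. The names `sample_t`, `collect_sample`, `varied_mask` and `varied_bits` and the embedded addresses are constructed for illustration; the dynamic linker's own load address is not measured.

```c
/* Added example: which regions does ASLR actually move between runs?
 * Usage:  for i in 1 2 3 4 5 6 7 8; do ./aslrcheck sample; done | ./aslrcheck */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

enum { R_STACK, R_HEAP, R_LIBRARY, R_IMAGE, R_COUNT };
static const char *const region_name[R_COUNT] = {
    "stack", "heap", "shared library", "main image"};

typedef struct { uint64_t addr[R_COUNT]; } sample_t;

/* Constructed sample (not measured): three runs in which the stack, heap and
 * main image load at fixed addresses and only the shared library moves. */
static const sample_t constructed[3] = {
    {{0x7fff5fbff000ULL, 0x100100000ULL, 0x7fff81234000ULL, 0x100000f00ULL}},
    {{0x7fff5fbff000ULL, 0x100100000ULL, 0x7fff8a210000ULL, 0x100000f00ULL}},
    {{0x7fff5fbff000ULL, 0x100100000ULL, 0x7fff83c58000ULL, 0x100000f00ULL}},
};

/* Record one address from each region of the current process. */
static sample_t collect_sample(void) {
    sample_t s;
    int on_stack = 0;
    void *on_heap = malloc(64);
    s.addr[R_STACK]   = (uint64_t)(uintptr_t)&on_stack;
    s.addr[R_HEAP]    = (uint64_t)(uintptr_t)on_heap;
    /* stdout points at a FILE object that lives inside the C library. */
    s.addr[R_LIBRARY] = (uint64_t)(uintptr_t)stdout;
    s.addr[R_IMAGE]   = (uint64_t)(uintptr_t)&region_name;
    free(on_heap);
    return s;
}

/* Address bits that differed from the first run in at least one later run. */
static uint64_t varied_mask(const sample_t *s, size_t n, int region) {
    uint64_t mask = 0;
    for (size_t i = 1; i < n; i++)
        mask |= s[i].addr[region] ^ s[0].addr[region];
    return mask;
}

/* Number of bit positions seen to vary. Zero means the region never moved;
 * a small count is a rough indicator of weak randomization, not an entropy
 * measurement. */
static int varied_bits(const sample_t *s, size_t n, int region) {
    uint64_t v = varied_mask(s, n, region);
    int count = 0;
    while (v) { v &= v - 1; count++; }
    return count;
}

int main(int argc, char **argv) {
    sample_t runs[64];
    size_t n = 0;
    (void)argv;
    if (argc > 1) {                 /* any argument: print one sample line */
        sample_t s = collect_sample();
        printf("%" PRIx64 " %" PRIx64 " %" PRIx64 " %" PRIx64 "\n",
               s.addr[R_STACK], s.addr[R_HEAP], s.addr[R_LIBRARY], s.addr[R_IMAGE]);
        return 0;
    }
    /* No argument: read sample lines from stdin and compare them. */
    while (n < 64 && scanf("%" SCNx64 " %" SCNx64 " %" SCNx64 " %" SCNx64,
                           &runs[n].addr[R_STACK], &runs[n].addr[R_HEAP],
                           &runs[n].addr[R_LIBRARY], &runs[n].addr[R_IMAGE]) == R_COUNT)
        n++;
    const sample_t *data = runs;
    if (n < 2) {                    /* nothing usable piped in */
        puts("fewer than two samples on stdin; using constructed data");
        data = constructed;
        n = 3;
    }
    for (int r = 0; r < R_COUNT; r++) {
        int bits = varied_bits(data, n, r);
        printf("%-15s %2d bits varied%s\n", region_name[r], bits,
               bits ? "" : "  (not randomized)");
    }
    return 0;
}
```

A region that reports zero varied bits over many runs sits at a predictable address, which is the condition DEP alone does not compensate for.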

Still, Mr. Miller offered some praise for Apple.  They rewrote QuickTime X, their video player, largely from scratch, fixing many holes and insecurities in the process -- including an exploit Mr. Miller had been saving.  He states, "Apple rewrote a bunch of QuickTime, which was really smart, since it's been the source of lots of bugs in the past.  They've shaken out hundreds of bugs in QuickTime over the years, but it was still really smart of them to rewrite it.  [Still] I'd reduce the number of file formats from 200 or so to 50, and reduce the attack surface. I don't think anyone would miss them."

He also praises Apple's relatively effective implementation of DEP (data execution prevention), another memory protection scheme that Windows 7 also has.  DEP is also present in Windows XP Service Pack 2 (SP2) and Windows Vista.  Still, without ASLR, DEP is only so good, he says.  He states, "Snow Leopard's more secure than Leopard, but it's not as secure as Vista or Windows 7.  When Apple has both [in place], that's when I'll stop complaining about Apple's security."

So why aren't Macs being exploited left and right and why can Apple still air commercials claiming superior security?  Mr. Miller states, "It's harder to write exploits for Windows than the Mac, but all you see are Windows exploits. That's because if [the hacker] can hit 90% of the machines out there, that's all he's gonna do. It's not worth him nearly doubling his work just to get that last 10%."




Quoted for truth
By Motoman on 9/17/2009 12:14:24 PM , Rating: 5
quote:
That's because if [the hacker] can hit 90% of the machines out there, that's all he's gonna do. It's not worth him nearly doubling his work just to get that last 10%.


Apple: security by obscurity.

They should be actively dissuading people from buying more Macs, because if their marketshare increases, they'll just attract hackers to their shiny, pastel-colored fields.

...although one would tend to believe that ridiculously high prices and ridiculously limited software options would be all the dissuasion people would need.

Of course, there is some group of people who, apparently, can't manage to figure out how to use 2 buttons on a mouse...thankfully, holding the Apple key plus the Ctrl key on the keyboard while clicking the one-and-only button on the mouse is a lot easier than clicking the "other" button on your mouse by itself.




RE: Quoted for truth
By PhoenixKnight on 9/17/2009 12:41:01 PM , Rating: 3
In all fairness, Macs have included 2-button mice for a while now, since they started using Intel processors. Also, it's just Ctrl+Mouse button, not Apple+Ctrl+Mouse button. I have to use a single-button mouse at work, and it's a complete PITA.

Granted, I have still run into a few Mac users who can't quite grasp the concept of how to use the right button and scroll wheel.


RE: Quoted for truth
By headbox on 9/17/09, Rating: -1
RE: Quoted for truth
By omnicronx on 9/17/2009 2:50:54 PM , Rating: 5
quote:
The UI isn't designed for two buttons, but they added some right-click functionality just for the complainers.
The UI IS designed for two buttons, that's why people were whining. Macs have had context menus for years, long before OSX, that has always been the primary use of the right click on any OS.

And if you are a power user, you should have to press more than one button? The entire point of keyboard shortcuts is so you have to do less, not more.


RE: Quoted for truth
By DCstewieG on 9/17/09, Rating: -1
RE: Quoted for truth
By omnicronx on 9/17/2009 1:21:30 PM , Rating: 5
I'm sorry but it's still a pain in the ass on laptops. Using two fingers to do something that should take one click is counterintuitive, no 'seriously, the mouse argument' statement is going to change that. Gestures are also nice, but it's no replacement for something as simple as a right click. Now I would understand if the functionality was different, but it's not, context menus are exactly the same as unix and windows, so why not have a right click?
quote:
To get back on topic, no OS is perfect. But whether OS X doesn't get real world viruses because people don't try or because it's more secure, the outcome is the same: it doesn't get them.
Well why does OSX malware keep popping up then? A few years ago there were no OSX malware/viruses out in the wild, and while the recent ones may be childish compared to their Windows counterparts, they are still security threats. Furthermore many security analysts predict that malware creators actually pump out more malware as a result of the success of many security defenses. Now that Apple will bring security software by 2010 (which once again makes your claim even less credible, as why on earth would they do such a thing if 'they don't get viruses') it could easily act as a catalyst, in the usual cat and mouse game that happens on a day to day basis with PC's. Any way you put it, your claim is dead wrong, OSX does have security flaws and can and has had viruses.


RE: Quoted for truth
By DCstewieG on 9/17/09, Rating: -1
RE: Quoted for truth
By afkrotch on 9/18/2009 5:36:28 AM , Rating: 1
quote:
With a second physical button, you need to tuck your thumb over there.


Seriously? Did you just argue that point? Putting a 2nd finger on the touchpad is as much work as moving your thumb over to push a 2nd button.

quote:
The biggest real world malware on the Mac that I can think of has been the trojan in the warez copy of iWork, and there can never be perfect protection against those.


There's always a perfect protection, just not logical. Can't catch malware if you sledgehammer your computer.


RE: Quoted for truth
By PrinceGaz on 9/18/2009 12:53:34 PM , Rating: 2
Since when have people been using their thumb to press either of the two main mouse buttons?


RE: Quoted for truth
By afkrotch on 9/21/2009 5:15:22 AM , Rating: 2
We're talking about the touchpad on a laptop, where you can use a single button to hit either left or right click.

I don't use my thumb though. I just move my index finger down, after I finish mousing. My touchpad has scroll sliders along the bottom and sides, so I don't need to hold down my left/right click.


RE: Quoted for truth
By adiposity on 9/21/2009 5:02:58 PM , Rating: 2
quote:
Seriously? Did you just argue that point? Putting a 2nd finger on the touchpad is as much work as moving your thumb over to push a 2nd button.


Right click dragging sucks with the Macbook method, IMO. You shouldn't ever have to put two fingers on the pad in order to do a button click, because then you may move the mouse when you don't intend to. Just not a great solution, even if it is workable.

Obviously, this is not a huge issue for Mac users because the interface is very useable even without the context menus / right-click interface. Running windows on a Macbook, though, is annoying unless you plug in a real mouse.

Obviously, the real reason for not having a second mouse button is simplicity. Macs just look streamlined and straightforward. I know Mac users who actually prefer NOT to have a second button. When I point out all the wasted fingers on that hand, they just shrug, and point out that it's never been an issue for them.

Apple was in a unique position to force people into having both mouse buttons, but they deliberately didn't do it, most likely because the single button is part of their image. Users are used to it and the interface doesn't really require two buttons.

It's pretty difficult to argue that lack of a second button is really an improvement, but you could make the case that the second button doesn't do much for Mac users.

-Dan


RE: Quoted for truth
By dark matter on 9/17/2009 1:56:32 PM , Rating: 4
For the most exploits = virus.

It's like claiming Apple employees never get ill because they are immune to viruses.

Maybe, but they can still get ill from fungal (trojans) infections or bacteria (3rd party exploits)

Whilst you may not get a virus from clicking "Kenya West gets beat up" you can certainly get compromised.

Personally I think Apple are being totally irresponsible by continuing the misconception that Macs are immune from being exploited. It breeds complacency. And that is the last thing you need when it comes to the issue of security.


RE: Quoted for truth
By carrion on 9/17/2009 12:51:24 PM , Rating: 1
2-button USB mouse supported since 1998 (other formats supported prior to that), 2-button mouse shipped with all Macs since 2005. Update your rant - there're better reasons to gripe about Macs.


RE: Quoted for truth
By Icelight on 9/17/2009 9:13:49 PM , Rating: 5
So it can right click...

...but can it play Crysis?

;)


RE: Quoted for truth
By glennc on 9/18/2009 1:06:07 AM , Rating: 3
it doesn't want to


RE: Quoted for truth
By Boze on 9/18/2009 1:18:49 PM , Rating: 2
You mean it doesn't have time to, because it's too busy trying to get rid of the trojan it got from iWork, to do some iWork in the first place.

I've always maintained that Macs are used by three classes of people:

1. Those who don't know any better and were indoctrinated through schools (shame on the schools, since Windows machines would be cheaper to buy, administer, and purchase peripherals for).

2. Those who want to look 'cool' by looking like other people (Note for the stupid and shallow, 'cool' people are 'cool' because they're nothing like you or anyone else. James Dean was 'cool' because no one like him had come before him).

3. Those who actually think they 'need' their Mac to do whatever it is they do. Hint people, whatever your Mac can do, there's a Windows program that will do it either: easier, with more precision, with greater degree of control and flexibility, or faster. And usually some combination of those attributes.

The irony of all this is that I'm posting this from an iMac in the Computer Commons of the Mitchell Memorial Library on campus at Mississippi State University. Why you ask? Because there are over 100 Windows XP machines here and they're always taken. The iMacs, however, are always available...


RE: Quoted for truth
By ersts on 9/18/2009 2:34:44 PM , Rating: 1
quote:
1. Those who don't know any better and were indoctrinated through schools (shame on the schools, since Windows machines would be cheaper to buy, administer, and purchase peripherals for).


I don't know about that. Back when I was in school, there was Win9x and DOS, and in case you forgot, configuring IRQs, putting in entries in autoexec.bat to allocate ram for "expanded" and "extended" memory, and seeing that most apps couldn't use "expanded" and other fun stuff wasn't easy to do or administer.

The Macs in my high school's yearbook publishing room could auto-find and configure the Apple laser printers, had easy to use GUIs far more advanced than Win 3.1, and were already set for networking. We even had the original Mac from like 85 or so, and that had a 3.5inch floppy while the PC world still had 5.25 drives. What took Intel with ATX to bring soft power on computers, already was on the Mac computers from 1985.

Yep, they were expensive though. But for running PageMaker, it was necessary.


RE: Quoted for truth
By Lerianis on 9/18/2009 2:13:12 AM , Rating: 2
Then why does every Mac I see in Best Buy (which are not 4 years old) still have a freaking one button mouse? Explain that, bubu!

The fact is that Macs are STILL being shipped with only ONE BUTTON MOUSES, bottom line, no lies, no fabrications.


RE: Quoted for truth
By Baladen on 9/18/2009 3:14:46 AM , Rating: 2
You're seeing the mighty mouse, which has 4 buttons. Left, right, mouse ball, and squeeze the sides. It's just about the most unintuitive design I've ever seen on a computer peripheral, since all the buttons are 'hidden' with no indications on the mouse that they even exist.


RE: Quoted for truth
By afkrotch on 9/18/2009 5:39:51 AM , Rating: 2
No, it's more than 1 button. It's just a total piece of crap mouse. The right-click on the mighty mouse doesn't work correctly, until you train your hand to use it.

Apple wants to keep the look of a 1 button mouse, while having more buttons. That's fine and all, but every single Mac user I know, goes out and buys a good mouse.


RE: Quoted for truth
By ersts on 9/18/2009 2:37:04 PM , Rating: 2
Yep, the people on Amazon rate their mouse 2.5 out of 5. Their keyboards though, get 4.5 out of 5, that they do a good job with.


RE: Quoted for truth
By afkrotch on 9/21/2009 5:19:03 AM , Rating: 2
The older keyboard I liked, cept they were for Macs. Now the new chicklet ones, I don't like. Sony has those chicklet style ones on their laptops too.


RE: Quoted for truth
By tmouse on 9/17/2009 12:49:48 PM , Rating: 1
I agree to a certain degree. But it is not purely security by obscurity, to some degree it is the perceived persona of the company. For example even if Linux exceeded Apple in market share it would remain less of a target, since there is no corporate persona associated with it. Microsoft is double hit with a huge amount of market share and the persona of being the corporate goliath. Now if Apple keeps getting more and more negative press and their real draconian corporate persona overshadows the carefully crafted public image then even without an increase in market they will experience increased attack exposure.


RE: Quoted for truth
By anotherdude on 9/17/2009 1:07:51 PM , Rating: 3
I have wondered if MS hate might be the source of some malicious software but lately it seems that most of these attacks are trying to make money somehow, by getting you to buy fake security software or by stealing credit card info, for example. I assure you these criminals do not give 2 cents for Apple's bogus halo!

I suspect that virus/spyware writers are just doing what they know with methods developed over time specifically to attack Windows because it has about 93% of the market. Macs don't even have 10%, it's 5% or even less, worldwide, (according to net applications revised formula and according to sales figures). So why bother?


RE: Quoted for truth
By omnicronx on 9/17/2009 1:28:36 PM , Rating: 1
quote:
For example even if Linux exceeded Apple in market share it would remain less of a target, since there is no corporate persona associated with it. Microsoft is double hit with a huge amount of market share and the persona of being the corporate goliath.
Not a very good example, Linux/Unix has a huge presence in the server market, and they are targeted far more because of such.

It is security through obscurity, but there are many other factors. You are right, not being in a corporate environment does help Apple, but I think one of the big ones is you are far more likely to be networking with other PC's than you are to network from Apple to Apple. This is one of the main transportation methods for worms (especially) and many pieces of malware. Of course this also ties into security through obscurity, but as Macs become more prevalent in the home environment, this is likely to change.


RE: Quoted for truth
By RjBass on 9/18/2009 9:33:36 AM , Rating: 2
I was about to point out the same thing. In the server market Linux has a huge market share. Heck even in the little private school I teach at, we have 4 servers. Only one of them is a Windows server and the other three are running Ubuntu and Fedora.


RE: Quoted for truth
By tmouse on 10/5/2009 8:20:21 AM , Rating: 3
You missed my point completely. It has NOTHING to do with the systems being in a corporation environment per se. I'm talking about people's perception of Apple vs Microsoft. Microsoft is perceived as the big bad corporation, while Apple is perceived as being warm and fuzzy, hence it will remain less of a target. Real intrusion methods are not released on the net, they are for making money and the less that know about them the longer they last. The VAST majority of Microsoft's attacks are purely to throw a stone at Goliath and not necessarily to gain access. Now I agree most worms are used to create botnets for net attacks and here Windows preeminence makes it a target. My point was Linux has no "evil" corporate identity, Apple has some but Microsoft has a huge one. Even if Apple and Linux gain more market share they will remain less of a target.


RE: Quoted for truth
By gstrickler on 9/17/09, Rating: -1
RE: Quoted for truth
By sprockkets on 9/17/09, Rating: -1
RE: Quoted for truth
By zsejk on 9/18/2009 5:37:09 AM , Rating: 1
I wanted to vote you up but I'm apparently an idiot 'cause I can't. But good comment, I liked it.


RE: Quoted for truth
By sprockkets on 9/18/2009 3:01:58 PM , Rating: 2
People have been proclaiming doom and gloom for OSX since 2003. It hasn't happened, and I doubt OSX will be the new XP.

Other people who proclaim doom for OSX are usually hard core Windows pundits like Dvorak or Enderle, and people who make the most noise about OSX viruses are anti-virus makers wanting to make a buck off of Macs.

Here's another little tidbit: Most of my customers who get infected never see a dialog box or anything installing, but say it just happened. OSX doesn't have Windows silent background installation, so malware can't easily install without a user noticing.


RE: Quoted for truth
By afkrotch on 9/18/2009 6:04:06 AM , Rating: 1
quote:
Don't bother trying to explain it. Somehow these people think that since Microsoft left open unnecessary services in the background, ran those with system/root level permissions, auto executed attachments upon opening emails, left ActiveX unchecked, forced users to run as admins because running as users in XP didn't work, that Apple was stupid too and did the same mistakes.


I'm not sure what any of that has to do with where we are at today. As of right now, OSX is less secure than Vista/Win 7.

I don't see anyone saying that Apple was stupid in their security implementations, just that they should ramp up their security to match or exceed their competitors.


RE: Quoted for truth
By gstrickler on 9/18/2009 12:48:36 PM , Rating: 2
quote:
I'm not sure what any of that has to do with where we are at today. As of right now, OSX is less secure than Vista/Win 7.
No, it's not. The biggest security threat is the user, and Windows users are no more "secure" than Mac users. In fact, the default user security settings in Vista (haven't seen Win7 yet) are still not as secure as the default settings in Mac OS X. Win 7 might finally have sane and reasonably secure user defaults. I certainly hope it does.

The specific feature addressed in this article, ASLR, has nothing to do with being secure, it only affects the difficulty of developing a security hole into a working exploit. First you have to find a security hole, then you have to figure out a way to exploit it. Until you find a security hole, ASLR is a non issue.

The fact is that Mac OS X has ASLR, just not the best implementation of that feature. Hopefully, Apple will fix that with a service pack.


RE: Quoted for truth
By afkrotch on 9/21/2009 5:31:01 AM , Rating: 2
I think I'm going to believe the guy who hacks and is part of a Security Evaluator's company.

Apple's ASLR is weaker than Win7's ASLR. Bam, less secure. You don't need to find a security hole to be less secure.

One bank's vault has 5 ft thick steel walls, while another bank's vault has 3 ft thick steel walls. There's no security hole, but one is less secure than the other.

Also Apple doesn't do nice free service packs, like Windows. They do OS releases that cost you money and equate to little more than a service pack. Just like the minor move from Leopard to Snow Leopard.


RE: Quoted for truth
By gstrickler on 9/21/2009 9:15:12 PM , Rating: 2
quote:
Apple's ASLR is weaker than Win7's ASLR. Bam, less secure. You don't need to find a security hole to be less secure.

One bank's vault has 5 ft thick steel walls, while another bank's vault has 3 ft thick steel walls. There's no security hole, but one is less secure than the other.
It's more like, two banks, two similar vaults, both have safe deposit boxes in the vaults. One has safe deposit boxes with double key locks, the other has safe deposit boxes with single key locks. Either way, you have to get into the vault first, then you still have to get past at least one key lock.

quote:
Also Apple doesn't do nice free service packs, like Windows.
Yes, they do. There have been 11 service packs for Mac OS X 10.4.x, and 8 service packs for 10.5.x
quote:
They do OS releases that cost you money and equate to little more than a service pack. Just like the minor move from Leopard to Snow Leopard.
Snow Leopard is a "service pack" in exactly the same way that Win7 is "a service pack for Vista". They both consist of significant rewrites and streamlining of the infrastructure, include significant new developer focused features in the infrastructure, are notably smaller and faster than their predecessors, and include very few changes in the user interface or user features. You should learn something about Mac OS X before you misrepresent it.

Call it a "service pack" if you want, but compare the prices of these two "service packs" (neither one is a service pack):

Mac OS 10.6 = $29-$169. $49-$229 (MSRP) for a 5 computer Family pack. The $169 and $229 prices include new versions of all the iLife and iWork applications.

Win 7 = $99-$229. upgrade. $149 for a 3-computer Family Pack of Win 7 Home. Must buy a 32-bit or 64-bit version.


RE: Quoted for truth
By sprockkets on 9/18/2009 2:50:26 PM , Rating: 2
Well, like I posted, does Vista get infected like XP? No, because they fixed their glaring security problems.

OSX never had such wide open attack vectors. That's why both Vista and OSX will not have a blaster worm or Conficker. Just turning on the firewall blocked the blaster worm, something that OSX should have on by default.

Here is something else to consider: What happens after you remove the virus. I've seen Windows fail to load drivers, execute programs (when you open any program, it brings up the dialog box of "What program do you want to use to open it" since the virus put in the registry itself to shell execute when any program was opened), lose the internet, etc.

That takes a long time to fix. Reinstalling windows and all your programs is equally time consuming.

OSX is different. Even if OSX got infected, you can do an archive and install and OSX will be cleaned out with all your programs and settings still intact.

Not having a registry makes it easy to keep your programs without reinstalling.


RE: Quoted for truth
By afkrotch on 9/21/2009 5:31:55 AM , Rating: 2
System Restore. Bam, fixed.


RE: Quoted for truth
By afkrotch on 9/18/2009 6:00:03 AM , Rating: 1
OSX runs the Mach kernel, which is not BSD. It's a replacement for the BSD kernel.

quote:
Consider this: If Mac users are tens of millions of richer, clueless, users running an insecure OS, connected to the Internet, where are all the exploits that should invite? It sounds like a scammers dream come true. Tens of millions of "easy targets", yet the attacks and exploits are extremely rare. Why?


There's what? Like 50 million or less OSX/OS9/OS8 users in the world. There's over a billion PC users in the world.

Hmmm...hit the billion, then put the same amount of work to hit the other 50 million. Doesn't seem to make much sense.

Have to put more work in to hit the iPhone/iPod user crowd too. Again, doesn't make sense.

quote:
All security systems have vulnerabilities. If there is a human involved in its operation, that's a big vulnerability. The questions are and always have been:

1. Is there enough security to discourage or defeat the vast majority of attacks, or to cause the attackers to look elsewhere?

2. How can we mitigate the loss/damage caused by an attack?

And those questions always have to be considered in the context of the value of what the security system is protecting. If you're protecting Ft Knox, a large bank, military secrets, or a celebrity, you need a different level of security than a typical business or average person.


Over a billion users, under 50 million users. Which do you think should have a higher level of security?


RE: Quoted for truth
By gstrickler on 9/18/2009 12:33:05 PM , Rating: 2
quote:
OSX runs the Mach kernel, which is not BSD.
You should try checking your facts before posting. NextStep was originally based upon Mach, but they dropped the Mach microkernel many years ago due to performance problems.

From http://en.wikipedia.org/wiki/Mach_kernel
quote:
Today further experimental research on Mach appears ended, ... Neither Mac OS X nor FreeBSD maintain the microkernel structure pioneered in Mach

From http://en.wikipedia.org/wiki/Mac_OS_X
quote:
Certain parts from FreeBSD's and NetBSD's implementation of Unix were incorporated in Nextstep, the core of Mac OS X

Mac OS X is built on a hybrid BSD derived kernel. Parts of Mach were incorporated into BSD, and Mac OS X does retain some additional features from Mach, but it's inaccurate to portray it as based upon Mach since the primary feature of Mach was the microkernel, which has mostly ceased development and been replaced with a hybrid BSD kernel. Mac OS X is more BSD than Mach.

Interesting side note from the Mach_kernel link above (emphasis added):
quote:
The lead developer on the Mach project, Richard Rashid, has been working at Microsoft since 1991 in various top-level positions revolving around the Microsoft Research division. Another of the original Mach developers, Avie Tevanian, was formerly head of software at NeXT, then Chief Software Technology Officer at Apple Computer until March 2006.


RE: Quoted for truth
By afkrotch on 9/21/2009 5:38:31 AM , Rating: 2
From: http://en.wikipedia.org/wiki/XNU

quote:
XNU was a hybrid kernel combining version 2.5 of the Mach kernel developed at Carnegie Mellon University with components from 4.3BSD


Sorry, still Mach, with some BSD.


RE: Quoted for truth
By glennc on 9/18/2009 1:12:46 AM , Rating: 2
why do you care what other people spend THEIR money on? really none of your business or are you 12 years old and feel the need to jump on every mac article and say the same idiotic thing?

i bought a mac because i felt like a change from windows, nothing more nothing less. and guess what, i like it more. i hate the styling and the stigma that goes with it but not enough to sway my decision as i don't buy into any of the marketing BS.

