The conception that Apple, Inc. computers
running OS X are magically
more secure than Windows computers was dealt another setback this week.
Using a flaw in Apple's pre-installed first-party Safari browser, it took
French security pro Chaouki Bekrar merely 5 seconds to hijack the unwitting
MacBook at the CanSecWest Conference's pwn2own
contest in Vancouver, British Columbia.
On the most basic level the attack exploited Apple's
weak memory protections in OS X Snow Leopard. Microsoft's Windows, more popular and
more commonly attacked, includes two critical types of memory protection --
data execution prevention (DEP) and robust
address space layout randomization (ASLR) -- both of which attempt to
prevent memory injection attacks. By contrast, Snow Leopard only supports
ASLR, and the implementation is badly
botched, according to hackers.
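
On OS X, a binary records in its Mach-O header flags whether its main executable is loaded at a randomized address and whether its stack or heap may be executable. The following Python audit of those flags is an added example, not part of the original article; the flag values are those defined in Apple's `<mach-o/loader.h>`, and `sample_header` builds constructed test input rather than a real binary.

```python
import struct

# Flag and magic values as defined in Apple's <mach-o/loader.h>.
MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF
MH_EXECUTE = 0x2
MH_ALLOW_STACK_EXECUTION = 0x20000   # all stacks in the task are executable
MH_PIE = 0x200000                    # main executable loaded at a random address
MH_NO_HEAP_EXECUTION = 0x1000000     # heap is non-executable even on i386


def audit_macho_header(data):
    """Return the memory-protection flags of a thin (non-fat) Mach-O image."""
    if len(data) < 28:
        raise ValueError("too short for a Mach-O header")
    for endian in ("<", ">"):
        (magic,) = struct.unpack_from(endian + "I", data, 0)
        if magic in (MH_MAGIC, MH_MAGIC_64):
            break
    else:
        raise ValueError("not a thin Mach-O image")
    # mach_header: magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags
    filetype, _, _, flags = struct.unpack_from(endian + "4I", data, 12)
    return {
        "is_64bit": magic == MH_MAGIC_64,
        "is_executable": filetype == MH_EXECUTE,
        "pie": bool(flags & MH_PIE),
        "exec_stack": bool(flags & MH_ALLOW_STACK_EXECUTION),
        "noexec_heap": bool(flags & MH_NO_HEAP_EXECUTION),
    }


def findings(report):
    """List the weaknesses an auditor would raise for a main executable."""
    out = []
    if report["is_executable"] and not report["pie"]:
        out.append("no MH_PIE: main executable loads at a fixed address")
    if report["exec_stack"]:
        out.append("MH_ALLOW_STACK_EXECUTION: stack is executable")
    if not report["is_64bit"] and not report["noexec_heap"]:
        out.append("32-bit without MH_NO_HEAP_EXECUTION: heap may be executable")
    return out


def sample_header(flags, magic=MH_MAGIC_64):
    """Constructed test input: an x86 Mach-O header with the given flags."""
    cputype = 0x01000007 if magic == MH_MAGIC_64 else 7
    hdr = struct.pack("<7I", magic, cputype, 3, MH_EXECUTE, 0, 0, flags)
    return hdr + (b"\0" * 4 if magic == MH_MAGIC_64 else b"")
```

To audit a real file, pass its first 32 bytes to `audit_macho_header`; universal (fat) binaries are rejected and need to be split per architecture first.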
The attack also exploited poor coding in Apple's
branch of WebKit, which features many bugs and security
flaws. While Apple's WebKit branch, which powers its Safari browser,
shares a certain amount of code with Google's WebKit browser Chrome, Google has
added much more robust security layers and is less buggy.
So if Apple computers are less secure than Windows
machines, why are Windows machines attacked so much more frequently?
Generally, the answer boils down to two things: there are far fewer Macs, and
hackers often have misgivings about mass attacks on Unix-like operating systems
(Linux, OS X) as they view it as "attacking their own." Ultimately
these two factors combine into a greater barrier -- lack of information.
Since not many hackers target OS X, those that do
have to tread entirely new ground. Take Mr. Bekrar and his team at French
security firm VUPEN. He says that the exploit was "relatively difficult"
due to lack of documentation in the security/hacking community on OS X.
He states in a ZDNet interview,
"We had to do everything from scratch. We had to create a debugging tool,
create the shellcode and create the ROP (return oriented programming)
technique. The main difficulty was doing this on our own, without the
help of any documentation."
Another difficulty was in finding a
"reliable" vulnerability. All modern browsers have
vulnerabilities, but not all vulnerabilities are created equal.
Identifying the "best" vulnerabilities takes a lot of time and
dedication -- time that has been invested in attacking Windows machines, but
not so much with OS X.
Describes Mr. Bekrar, "There are many WebKit
vulnerabilities. You can run a fuzzer and get lots of good results. But it’s
much more difficult to exploit it on x64 and to make your exploit very reliable."
But the results show that when somebody puts in
the work to enter that undiscovered country, Macs prove as hackable as
Windows computers or more so.
Luring the user to a suspect site in Safari, the
VUPEN researcher remotely launched OS X's calculator app and wrote a file to
the disk -- essentially paving the way for a full hijack of the machine.
This was all done without the browser crashing or showing any
He describes, "The victim visits a web page,
he gets owned. No other interaction is needed."
The victim would likely think they merely clicked
on a bad URL.
Mr. Bekrar and his VUPEN teammates will
next try to hack a Windows machine using similar flaws found in Internet
Explorer 8 on 64-bit Windows 7 (SP1).
For his success against OS X, Mr. Bekrar scores a
13-inch Apple MacBook Air running Mac OS X Snow Leopard and $15,000 USD in
In past years the contest has been dominated
by OS X hacking/security pro Charlie Miller. So it was nice to see a
fresh face for a change, though the MacBook was still the first to fall -- as
usual. Mr. Miller sums up OS X security the best, with his famous remark,
"Mac OS X is like living in a farmhouse in the country with no locks, and Windows
is living in a house with bars on the windows in the bad part of town."
quote: A good firewall
quote: a good watchdog service
quote: they don't have those types of security measures available
quote: I'm still going to choose Windows over Apple-OS
quote: sure, for tech illiterate guys like you who know jack about os x security/firewalls/watchdogs windows is not too shabby
quote: Before Pirks jumps in with his predictable apples-oranges finger pointing... I know OS X != iOS. I posted in the BlackHole Rat article about specific hacks we've explored on OS X machines here at work.
quote: Microsoft takes a proactive approach and is more transparent about the flaws that are found than Apple is
quote: I see this little technicality made you really happy. Good for you.
quote: Did this somehow protect IE8 on Win 7 from being pwned right after Safari on OS X? :P
quote: Took the Windows guy about 3x as long.
quote: it took French security pro Chaouki Bekrar merely 5 seconds to hijack the unwitting MacBook
quote: Three-man team of researchers spent about two weeks to find the vulnerability (using fuzzers) and writing a reliable exploit.
quote: I'd like to think that you just fail at reading and comprehension, or that maybe you're just lazy or stupid
quote: in another few years, will Apple still have MacOS X while Windows has many newer and better features that make the Mac look old and outdated as a platform?
quote: Windows 7 is THE most unsecure OS. Period.
quote: "Software DEP" is unrelated to the NX bit, and is what Microsoft calls their enforcement of Safe Structured Exception Handling. Software DEP/SafeSEH checks when an exception is thrown to make sure that the exception is registered in a function table for the application, and requires the program to be built with it.
quote: half DEP then
quote: Took the Mac guy 1-2 weeks to do all of the work to make the exploit. Took the Windows guy like 5-6 weeks.
quote: Still took 3 exploits to 1 though
quote: I'll take the 3 obviously small exploits over your one huge one any day
quote: How long do you think it will take from the time a true malware author comes up with a way to infect a Mac to the time 50+ percent of the Macs in the world are infected?
quote: 1 guy 6 weeks Windows == 3 guys 2 weeks OS X
quote: This is just a bunch of meaningless numbers unless you've got a method to measure relative skill and speed amongst these 4 coders
quote: The same will happen again next year, and the year after that, and the year after that. OS X is THE most unsecure OS. Period.
quote: And in the real world, 9 out of every 10 people using a computer are running Windows. If 9 out of 10 people used Macs, you would be using Windows and happy that no one was writing malware for it because of its low market share.
quote: Choose another and those problems vanish
quote: So according to your logic one in ten malware attacks should be on Macs - except that is not what happens.
quote: The most *recent* Windows is always *more* secure than the most recent MacOS
quote: You're using [the browser] wrong.
quote: I cannot say the same thing about the PC I use at work, or the gaming PC I built for home.
quote: I could write a browser hook that would launch internet explorer inside a wrapper, navigate to a website of my choice, and manipulate the DOM and other system components as however I like all without the user seeing.
quote: But why would you need to do that on the Mac?