The conception that Apple, Inc. computers
running OS X are magically
more secure than Windows computers was dealt another setback this week.
Using a flaw in Apple's pre-installed first-party Safari browser, it took
French security pro Chaouki Bekrar merely 5 seconds to hijack the unwitting
MacBook at the CanSecWest Conference's pwn2own
contest in Vancouver, British Columbia.
On a most basic level the attack exploited Apple's
weak memory protections in OS X Snow Leopard. Microsoft, more popular and
more commonly attacked, includes two critical types of memory protection --
data execution prevention and robust
address space layout optimization (ASLR) -- both of which attempt to
prevent memory injection attacks. By contrast, Snow Leopard only supports
ASLR and the implementation is badly
botched according to hackers.
The attack also exploited poor coding in Apple's
branch of WebKit, which features many bugs and security
flaws. While Apple's WebKit branch, which powers its Safari browser,
shares a certain amount of code with Google's WebKit browser Chrome, Google has
added much more robust security layers and is less buggy.
So if Apple computers are less secure than Windows
machines, why are Windows machines attacked so much more frequently?
Generally, the answer boils down to that there's far fewer Macs and that
hackers often have misgivings about mass attacks Unix-like operating systems
(Linux, OS X) as they view it as "attacking their own." Ultimately
these two factors combine into a greater barrier -- lack of information.
Since not many hackers target OS X, those that do
have to tread entirely new ground. Take Mr. Bekrar and his team at French
security firm VUPEN. He says that the exploit was "relatively difficult"
due to lack of documentation in the security/hacking community on OS X.
He states in a ZDNet interview,
"We had to do everything from scratch. We had to create a debugging tool,
create the shellcode and create the ROP (return oriented programming)
technique. The main difficulty was doing this on our own, without the
help of any documentation."
Another difficulty was in finding a
"reliable" vulnerability. All modern browsers have
vulnerabilities, but not all vulnerabilities are created equal.
Identifying the "best" vulnerabilities takes a lot of time and
dedication -- time that has been invested in attacking Windows machines, but
not so much with OS X.
Describes Mr. Bekrar, "There are many WebKit
vulnerabilities. You can run a fuzzer and get lots of good results. But it’s
much more difficult to exploit it on x64 and to make your exploit very reliable."
But the results show that when somebody puts in
the work to enter that undiscovered country, that Macs prove as hackable as
Windows computers or more so.
Luring the user to a suspect site in Safari, the
VUPEN researcher remotely launched OS X's calculator app and wrote a file to
the disc -- essentially paving the way for a full hijack of the machine.
This was all done without the browser crashing or showing any
He describes, "The victim visits a web page,
he gets owned. No other interaction is needed."
The victim would likely think they merely clicked
on a bad URL.
Mr. Bekrar and his VUPEN teammates are going to
next try to hack a Windows machine using similar flaws found in Internet
Explorer 8 on 64-bit Windows 7 (SP1).
For his success against OS X, Mr. Bekrar scores a
13-inch Apple MacBook Air running Mac OS X Snow Leopard and $15,000 USD in
In past years the contest has been dominated
by OS X hacking/security pro Charlie Miller. So it was nice to see a
fresh face for a change, though the MacBook was still the first to fall -- as
usual. Mr. Miller sums up OS X security the best, with his famous remark,
"Mac OS X is like living in a farmhouse in the country with no locks, and Windows
is living in a house with bars on the windows in the bad part of town."