Flaws found in underlying system of Mac's OS X

Security firm Immunity has reported several vulnerabilities in Darwin, the Unix implementation which Apple calls the "rock-solid foundation" of Mac OS X. The vulnerabilities affect all recent versions of OS X, Immunity said in an advisory published on Wednesday.

While they won't be serious for most users, the bugs are the latest blow to OS X's reputation as being free from the security problems that plague Windows. Some security researchers have argued that reputation is unwarranted, saying Windows bugs simply get more publicity and cause more mayhem because the operating system is so widespread.

Immunity discovered several kernel-level flaws during an audit of Darwin's kernel xnu-517.7.7 last summer, and says versions of OS X at least up to 10.3.4 are affected. At the time, only members of an Immunity vulnerability discussion group were informed; on Monday Immunity discussed the flaws at a company event in New York City and released the advisory publicy the following day. Apple Computer wasn't informed ahead of public disclosure.

The flaws are in user-to-kernel memory copy operations, along with a kernel memory allocation issue. They are mainly relevant to OS X systems used as servers rather than the desktop Macs that make up most of the OS X user base, the company said.

Immunity founder and chief executive Dave Aitel said the problems wouldn't be very serious for most users, because OS X isn't widely used as a server operating system. He said security experts have never considered the operating system particularly invulnerable. "Apple's never been that secure from a local perspective," he told Techworld. The company doesn't inform vendors ahead of time as a matter of policy, Aitel said.

Apple confirmed to Techworld that it hadn't been informed of the bugs ahead of disclosure, and said it is now investigating the flaws.

The flaws affect the searchfs() system call, found only in Mac OS X and the semop() system call. Immunity found several "heap" overflows that were left over from BSD, the version of Unix on which Darwin is based. The fourth bug is in the setuid binary /usr/bin/at, and could allow non-privileged users to read any file on the filesystem, Immunity said.

The company said it is currently producing reliable exploits for the vulnerabilities. Immunity sells a penetration-testing tool called Canvas that allows system administrators to test exploits on their own systems.

Darwin, a version of Unix variant BSD, is the core of OS X and supports both Mac and Unix file systems. It uses an open source licence developed by Apple and encourages the participation of the developer community; for example, community developers are porting Darwin from the Mac's PowerPC platform to Intel-compatible systems. Darwin doesn't support OS X's higher-level features, meaning, for instance, that Carbon and Cocoa development kits aren't compatible with it.

In an analysis last year, security firm Secunia found that OS X doesn't stand out as particularly more secure than the competition. The operating system had a similar proportion of critical bugs to competitors such as Windows XP Professional, Red Hat Advanced Server and Suse Linux Enterprise Server, Secunia said.