
Snow Leopard less secure than Windows, says hacker

Wasted opportunity to lock down OS, says Mac security guru

Snow Leopard lacks security features that are built in to Windows XP, Windows Vista and Windows 7, a noted Mac researcher has said.

The technology in question, dubbed ASLR for address space layout randomisation, randomises where code and data are placed in memory to make it tougher for attackers to determine the location of critical operating system functions, and thus make it harder for them to craft reliable exploits.

"Apple didn't change anything," said Charlie Miller, of Baltimore-based Independent Security Evaluators, the co-author of The Mac Hacker's Handbook, and winner of two consecutive "Pwn2own" hacker contests. "It's the exact same ASLR as in Leopard, which means it's not very good."

Two years ago, Miller and other researchers criticised Apple for releasing Mac OS X 10.5, aka Leopard, with half-baked ASLR that failed to randomise important components of the OS, including the heap, the stack and the dynamic linker, the part of Leopard that links multiple shared libraries for an executable.
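The criticism above turns on which memory regions actually move between runs. As an added example (not code from the article or from Miller), this C program samples one address from the stack, the heap, a C-library object and the executable's own code in four fresh processes and reports any region that never changes. It assumes a POSIX system with `popen`, and that the `stdout` FILE object lives in the C library; all names are illustrative.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum { STACK, HEAP, LIBRARY, IMAGE, NREGIONS };
static const char *region_name[NREGIONS] = {"stack", "heap", "library", "executable"};

/* Record one representative address from each region of this process. */
void sample_layout(uintptr_t out[NREGIONS]) {
    int local = 0;
    void *block = malloc(64);
    out[STACK] = (uintptr_t)&local;
    out[HEAP] = (uintptr_t)block;
    out[LIBRARY] = (uintptr_t)stdout;        /* assumption: FILE object is in the C library */
    out[IMAGE] = (uintptr_t)&sample_layout;  /* code in the main executable */
    free(block);
}

/* Bitmask of regions whose address was identical in every run, i.e. not randomised. */
unsigned fixed_regions(uintptr_t runs[][NREGIONS], int nruns) {
    unsigned mask = 0;
    for (int r = 0; r < NREGIONS; r++) {
        int i = 1;
        while (i < nruns && runs[i][r] == runs[0][r]) i++;
        if (i >= nruns) mask |= 1u << r;     /* never differed from the first run */
    }
    return mask;
}

int main(int argc, char **argv) {
    uintptr_t runs[4][NREGIONS];
    if (argc > 1 && strcmp(argv[1], "--child") == 0) {  /* child: print own layout */
        sample_layout(runs[0]);
        for (int r = 0; r < NREGIONS; r++) printf("%llx ", (unsigned long long)runs[0][r]);
        return 0;
    }
    char cmd[512];
    snprintf(cmd, sizeof cmd, "\"%s\" --child", argv[0]);
    for (int i = 0; i < 4; i++) {                       /* parent: four fresh processes */
        FILE *p = popen(cmd, "r");
        unsigned long long v[NREGIONS];
        if (!p || fscanf(p, "%llx %llx %llx %llx", &v[0], &v[1], &v[2], &v[3]) != NREGIONS) return 1;
        pclose(p);
        for (int r = 0; r < NREGIONS; r++) runs[i][r] = (uintptr_t)v[r];
    }
    unsigned mask = fixed_regions(runs, 4);
    for (int r = 0; r < NREGIONS; r++)
        printf("%-10s %s\n", region_name[r], (mask >> r) & 1 ? "same address every run" : "randomised");
    return 0;
}
```

A region reported as "same address every run" is one an attacker can locate in advance; the result depends on the operating system and on how the binary was built.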

Miller was disappointed that Apple didn't improve ASLR from Leopard to Snow Leopard. "I hoped Snow Leopard would do full ASLR, but it doesn't," said Miller. "I don't understand why they didn't. But Apple missed an opportunity with Snow Leopard."

Even so, Miller said, Apple made several moves that did improve Mac OS X 10.6's security. Two that stand out, he said, were its revamp of QuickTime and additions to DEP (data execution prevention), another security feature used in Windows Vista.

"Apple rewrote a bunch of QuickTime," said Miller, "which was really smart, since it's been the source of lots of bugs in the past." That's not surprising, since QuickTime supports scores of file formats, historically its weak link. Last week, in fact, Apple patched four critical QuickTime vulnerabilities in the program's parsing of various file formats.

How Apple's rewrite of QuickTime for Snow Leopard plays out, of course, is uncertain, but Miller was optimistic. An exploit of a vulnerability in Leopard's QuickTime that he had been saving doesn't work in the version included with Snow Leopard, Miller acknowledged.

"They've shaken out hundreds of bugs in QuickTime over the years, but it was still really smart of them to rewrite it," said Miller. If it was up to him, though, Miller would do even more. "I'd reduce the number of file formats from 200 or so to 50, and reduce the attack surface. I don't think anyone would miss them."

Snow Leopard's other major security improvement was in DEP, which Miller said has been significantly enhanced. DEP is designed to stop some kinds of exploits - buffer overflow attacks, primarily - by blocking code from executing in memory that's supposed to contain only data. Microsoft introduced DEP in Windows XP Service Pack 2 (SP2), and expanded it for Vista and the upcoming Windows 7.

Put ASLR and DEP in an operating system, Miller argued, and it's much more difficult for hackers to create working attack code. "If you don't have either, or just one of the two [ASLR or DEP], you can still exploit bugs, but with both, it's much, much harder."




Comments

ebocious said: Louis Wheeler, Miller clearly said that OS X has both ASLR and DEP. Problem is, their implementation of ASLR doesn't work. Do you really expect Apple to tell you that their security measures don't work? I've got a bridge to sell you, really cheap.

ebocious said: anarionist, you're a bald-faced liar. Charlie Miller is a professional security researcher and one of the best hackers in the world. Do you know how long it takes people like him to code an exploit? Two to four weeks, generally speaking. If you could code malware for any platform in 5-6 minutes, then your time would be better spent keying out PoCs for the big bucks rather than keying out hogwash here, making it plain that you know the truth doesn't support your agenda. Ridiculous.

anarionist said: Really, it would only take me about 5 or 6 minutes to code a virus for mac or windows, or linux for that matter. My point is nobody is an hat on mac or linux. So there is no point coding a virus for either os, as mac would be the easier prey and linux would have more bite. Windows is the only viable option, as what does a majority of the world run? That's right, windows. the catch that take a little effort to infect sorry but mac and linux are superior windowsgamesmacmedialinuxboth

Daniel said: Zeke, that's not true. Viruses do exist for macs, but most coders do not bother creating them. Saying they don't exist is explicitly not true.

Louis Wheeler said: There is one thing wrong with this article. Apple has both ASLR and DEP in the 64 bit kernel. You can see this by visiting Apple's Snow Leopard security page httpwwwapplecommacosxse Apple temporarily is not booting into the 64 bit kernel by default until enough applications have been converted to make it worth the user's trouble. Hence, what Mr Miller says is true but irrelevant for another six to nine months. Big deal. It's not as though we are under attack. Windows is.

Zeke said: There are no viruses in the wild for OS X. How is OS X less secure than ANY Windows OS, with their millions of live viruses in the wild? Miller's argument that Windows 7 is more secure than OS X because it has ASLR is ludicrous. It's like saying a 2004 Toyota Corolla is more secure than an Abrams M1 tank because the Corolla has a car alarm and the Abrams doesn't. It's just silly.

AerAps said: DanTe, they would have to provide this service because they have no choice. Windows have no specific stores; the whole world uses windows, so you would find many services for that kind of thing. Plus windows is more open than apple, so most users would know their way around re-installing windows, even without formatting it.

AerAps said: It is sad to see that apple is charging its users for a Service Pack. Microsoft does that for free.

DanTe said: Well, what did you expect? Apple is a DESIGN store, not an IT vendor. People pay for the design. And when they get full of virus they just take their beautifully designed Apple to the Apple store and the employees there will happily reformat the harddrive for you for FREE. Yes, FREE. I laughed my arse off when a group of Mactards told me of this wonderful service of theirs that Windows don't have.


