Snow Leopard less secure than Windows, says hacker

Wasted opportunity to lock down OS, says Mac security guru


Snow Leopard lacks security features that are built in to Windows XP, Windows Vista and Windows 7, a noted Mac researcher has said.

Dubbed ASLR, for address space layout randomisation, the technology randomly assigns data to memory to make it tougher for attackers to determine the location of critical operating system functions, and thus make it harder for them to craft reliable exploits.

"Apple didn't change anything," said Charlie Miller, of Baltimore-based Independent Security Evaluators, the co-author of The Mac Hacker's Handbook, and winner of two consecutive "Pwn2own" hacker contests. "It's the exact same ASLR as in Leopard, which means it's not very good."


Two years ago, Miller and other researchers criticised Apple for releasing Mac OS X 10.5, aka Leopard, with half-baked ASLR that failed to randomise important components of the OS, including the heap, the stack and the dynamic linker, the part of Leopard that links multiple shared libraries for an executable.

Miller was disappointed that Apple didn't improve ASLR from Leopard to Snow Leopard. "I hoped Snow Leopard would do full ASLR, but it doesn't," said Miller. "I don't understand why they didn't. But Apple missed an opportunity with Snow Leopard."

Even so, Miller said, Apple made several moves that did improve Mac OS X 10.6's security. Two that stand out, he said, were its revamp of QuickTime and additions to DEP (data execution prevention), another security feature used in Windows Vista.

"Apple rewrote a bunch of QuickTime," said Miller, "which was really smart, since it's been the source of lots of bugs in the past." That's not surprising, since QuickTime supports scores of file formats, historically its weak link. Last week, in fact, Apple patched four critical QuickTime vulnerabilities in the program's parsing of various file formats.

How Apple's rewrite of QuickTime for Snow Leopard plays out, of course, is uncertain, but Miller was optimistic. An exploit of a vulnerability in Leopard's QuickTime that he had been saving doesn't work in the version included with Snow Leopard, Miller acknowledged.

"They've shaken out hundreds of bugs in QuickTime over the years, but it was still really smart of them to rewrite it," said Miller. If it was up to him, though, Miller would do even more. "I'd reduce the number of file formats from 200 or so to 50, and reduce the attack surface. I don't think anyone would miss them."

Snow Leopard's other major security improvement was in DEP, which Miller said has been significantly enhanced. DEP is designed to stop some kinds of exploits - buffer overflow attacks, primarily - by blocking code from executing in memory that's supposed to contain only data. Microsoft introduced DEP in Windows XP Service Pack 2 (SP2), and expanded it for Vista and the upcoming Windows 7.

Put ASLR and DEP in an operating system, Miller argued, and it's much more difficult for hackers to create working attack code. "If you don't have either, or just one of the two [ASLR or DEP], you can still exploit bugs, but with both, it's much, much harder."



Comments

ebocious | Published: 19:16 GMT, 05 February 2010

@Louis Wheeler: Miller clearly said that OS X has both ASLR and DEP. Problem is, their implementation of ASLR doesn't work. Do you really expect Apple to tell you that their security measures don't work? I've got a bridge to sell you... really cheap!

ebocious | Published: 19:09 GMT, 05 February 2010

@anarionist: You're a bald-faced liar. Charlie Miller is a professional security researcher, and one of the best hackers in the world. Do you know how long it takes people like him to code an exploit? Two to four weeks, generally speaking. If you could code malware for any platform in 5-6 minutes, then your time would be better spent keying out PoCs for the big bucks, rather than keying out hogwash here, making it plain that you know the truth doesn't support your agenda. Ridiculous!

anarionist | Published: 06:04 GMT, 04 February 2010

Really it would only take me about 5 or 6 minutes to code a virus for mac or windows or linux for that matter, my point is nobody is an @$$hat on mac or linux. So there is no point coding a virus for either os (as mac would be the easier prey and linux would have more bite) windows is the only viable option as what does a majority of the world run? that's right windows the catch that take a little effort to infect. sorry but mac and linux are superior. windows=games,mac=media,linux=both :).

Daniel | Published: 10:43 GMT, 06 January 2010

Zeke, that's not true. Viruses do exist for macs, but most coders do not bother creating them. Saying they don't exist is explicitly not true.

Louis Wheeler | Published: 02:04 GMT, 28 October 2009

There is one thing wrong with this article: Apple has both ASLR and DEP in the 64 bit kernel. You can see this by visiting Apple's Snow Leopard security page. http://www.apple.com/macosx/security/ Apple, temporarily, is not booting into the 64 bit kernel, by default, until enough applications have been converted to make it worth the user's trouble. Hence, what Mr Miller says is true, but irrelevant for another six to nine months. Big deal, it's not as though we are under attack, Windows is.

Marcinkus | Published: 09:10 GMT, 23 September 2009

Very well: sometimes a stupid choice is the clever one :-)

Manfry | Published: 08:44 GMT, 23 September 2009

No one is so stupid to code a virus for an OS that covers around 2% of the market. :-)

Marcinkus | Published: 08:37 GMT, 23 September 2009

Hi Guys, I think there is a little misunderstanding: Miller is talking about hackers' attacks, which cannot be considered as a single user/final user problem. By this point of view, anyone knows that Apple OS is not affected by any viruses problem (which instead is the major problem with Microsoft OS). Hacker is a server/web server problem, but honestly I see no reasons to use Apple OS (or Microsoft OS) for a server, instead of Unix/Linux

Jimbo | Published: 14:29 GMT, 20 September 2009

Zeke, your analogy would make sense IF the 2004 Corolla was OS X and the M1 Abrams was Windows. The Abrams operates in a war zone and is a target for the enemy, whereas the Corolla operates on city streets where very few bullets fly (depending on the neighborhood, of course) and attracts little attention.

Zeke | Published: 21:11 GMT, 18 September 2009

There are no viruses in the wild for OS X. How is OS X less secure than ANY Windows OS with their millions of live viruses in the wild? Miller's argument that Windows 7 is more secure than OS X because it has ASLR is ludicrous. It's like saying a 2004 Toyota Corolla is more secure than an Abrams M1 tank because the Corolla has a car alarm and the Abrams doesn't. It's just silly.
