
Snow Leopard less secure than Windows, says hacker

Wasted opportunity to lock down OS, says Mac security guru


Snow Leopard lacks a fully implemented version of a security feature that has been built into Windows since Vista and is carried forward in Windows 7, a noted Mac researcher has said.

Dubbed ASLR, for address space layout randomisation, the technology randomises the addresses at which a process's stack, heap, shared libraries and other regions are placed each time it runs, so an attacker cannot know in advance where critical code and data sit. That makes it much harder to craft an exploit that works reliably rather than crashing the target.

"Apple didn't change anything," said Charlie Miller, of Baltimore-based Independent Security Evaluators, the co-author of The Mac Hacker's Handbook, and winner of two consecutive "Pwn2own" hacker contests. "It's the exact same ASLR as in Leopard, which means it's not very good."

Two years ago, Miller and other researchers criticised Apple for releasing Mac OS X 10.5, aka Leopard, with half-baked ASLR that failed to randomise important components of the OS, including the heap, the stack and the dynamic linker, the part of Leopard that links multiple shared libraries for an executable.
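The regions Miller lists are exactly the ones a practitioner would probe when checking whether a host's ASLR is "full". The script below is an added example, not code from the article or from Miller: it launches a small child interpreter several times and records where the heap, libc, the interpreter image (or libpython) and the stack ended up in each run; a region whose address never changes is not being randomised. It assumes a POSIX host with a working `ctypes`; the stack figure is read from Linux's `/proc/self/maps` and is simply omitted on other systems.

```python
"""Probe ASLR: does each memory region land somewhere different on every run?

Added example, not code from the article or from Charlie Miller. Assumes a
POSIX host with ctypes; the stack figure needs Linux's /proc/self/maps and is
left out elsewhere.
"""
import json
import subprocess
import sys

# Runs in a fresh interpreter each time; prints a JSON map of region -> address.
PROBE = r'''
import ctypes, ctypes.util, json
libc = ctypes.CDLL(ctypes.util.find_library("c") or None)
libc.malloc.restype = ctypes.c_void_p
addrs = {
    "heap": libc.malloc(64),                                   # a small malloc() chunk
    "libc": ctypes.cast(libc.printf, ctypes.c_void_p).value,   # moves with libc's load base
    "python": ctypes.cast(ctypes.pythonapi.Py_Initialize,      # moves only if the interpreter
                          ctypes.c_void_p).value,              # image is position-independent
}
try:
    for line in open("/proc/self/maps"):
        if line.rstrip().endswith("[stack]"):
            addrs["stack"] = int(line.split("-")[0], 16)       # start of the main stack
except OSError:
    pass  # not Linux: no stack figure
print(json.dumps(addrs))
'''


def probe_once():
    """Spawn one child interpreter and return its region -> address map."""
    out = subprocess.run([sys.executable, "-c", PROBE],
                         check=True, capture_output=True, text=True).stdout
    return json.loads(out)


def check_aslr(runs=4):
    """Return {region: randomised?}. A region counts as randomised when the
    addresses seen across `runs` fresh processes are not all identical."""
    samples = [probe_once() for _ in range(runs)]
    regions = sorted(set().union(*samples))   # union of the keys seen in any run
    return {r: len({s.get(r) for s in samples}) > 1 for r in regions}


if __name__ == "__main__":
    for region, moved in check_aslr().items():
        print(f"{region:7s} {'randomised' if moved else 'FIXED'}")
```

A "FIXED" line for `python` on an otherwise randomised system usually means the interpreter binary was not built as a position-independent executable, the same class of gap Miller is describing for Leopard's dynamic linker: everything else moves, but one known-address image is enough to build an exploit around.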

Miller was disappointed that Apple didn't improve ASLR from Leopard to Snow Leopard. "I hoped Snow Leopard would do full ASLR, but it doesn't," said Miller. "I don't understand why they didn't. But Apple missed an opportunity with Snow Leopard."

Even so, Miller said, Apple made several moves that did improve Mac OS X 10.6's security. Two that stand out, he said, were its revamp of QuickTime and its broader use of DEP (data execution prevention), a feature Windows has had since XP Service Pack 2.

"Apple rewrote a bunch of QuickTime," said Miller, "which was really smart, since it's been the source of lots of bugs in the past." That's not surprising, since QuickTime supports scores of file formats, historically its weak link. Last week, in fact, Apple patched four critical QuickTime vulnerabilities in the program's parsing of various file formats.

How Apple's rewrite of QuickTime for Snow Leopard plays out, of course, is uncertain, but Miller was optimistic. An exploit of a vulnerability in Leopard's QuickTime that he had been saving doesn't work in the version included with Snow Leopard, Miller acknowledged.

"They've shaken out hundreds of bugs in QuickTime over the years, but it was still really smart of them to rewrite it," said Miller. If it was up to him, though, Miller would do even more. "I'd reduce the number of file formats from 200 or so to 50, and reduce the attack surface. I don't think anyone would miss them."

Snow Leopard's other major security improvement was in DEP, which Miller said has been significantly enhanced. DEP is designed to stop a common class of exploit, the buffer overflow that smuggles machine code into a process as data, by refusing to execute code from memory that is supposed to hold only data, such as the stack and the heap. On its own it can be sidestepped by reusing code that is already mapped as executable, such as library functions, which is why it pays off most when paired with ASLR. Microsoft introduced DEP in Windows XP Service Pack 2 (SP2), and expanded it for Vista and the upcoming Windows 7.

Put ASLR and DEP in an operating system, Miller argued, and it's much more difficult for hackers to create working attack code. "If you don't have either, or just one of the two [ASLR or DEP], you can still exploit bugs, but with both, it's much, much harder."
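The DEP behaviour described above, and the reason it only bites in combination with ASLR, can be seen directly. The script below is an added example, not code from the article or from Miller: a child interpreter maps an anonymous data page, writes a single `ret` instruction into it as ordinary bytes and then calls it. With DEP enforced the call faults and the child is killed by SIGSEGV (SIGBUS on macOS); after `mprotect()` has flipped the same page to read+execute, the same bytes run and the child exits cleanly. That second half is the attacker's point: DEP stops injected bytes from running, but any page that is already executable, or can be made executable by calling `mprotect` from existing code, is fair game, and finding that existing code is what ASLR is meant to frustrate. It assumes x86-64 or AArch64 on a POSIX host with `ctypes`; Apple silicon refuses writable+executable pages without `MAP_JIT`, which this example does not use.

```python
"""Probe DEP/NX: can a process jump into a page it filled as data?

Added example, not code from the article or from Charlie Miller. Assumes
x86-64 or AArch64 on a POSIX host with ctypes.
"""
import signal
import subprocess
import sys

# Executed in a fresh interpreter; argv[1] selects the experiment ("rw" or "rx").
CHILD = r'''
import ctypes, ctypes.util, mmap, platform, sys
RET = {"x86_64": b"\xc3", "AMD64": b"\xc3",                            # x86-64: ret
       "aarch64": bytes.fromhex("c0035fd6"), "arm64": bytes.fromhex("c0035fd6")}  # AArch64: ret
code = RET[platform.machine()]
page = mmap.mmap(-1, mmap.PAGESIZE, flags=mmap.MAP_PRIVATE | mmap.MAP_ANONYMOUS,
                 prot=mmap.PROT_READ | mmap.PROT_WRITE)               # an ordinary data page
page.write(code)
addr = ctypes.addressof(ctypes.c_char.from_buffer(page))
if sys.argv[1] == "rx":
    libc = ctypes.CDLL(ctypes.util.find_library("c") or None)
    libc.mprotect.argtypes = [ctypes.c_void_p, ctypes.c_size_t, ctypes.c_int]
    # W^X flip: write is dropped, execute is granted (the kernel syncs the
    # instruction cache on AArch64 when a page becomes executable).
    if libc.mprotect(addr, mmap.PAGESIZE, mmap.PROT_READ | mmap.PROT_EXEC) != 0:
        sys.exit(2)
ctypes.CFUNCTYPE(None)(addr)()   # jump into the page: faults under DEP unless it is now R+X
sys.exit(0)
'''


def dep_trial(make_executable):
    """Run the child once; return 'blocked', 'executed' or an error string."""
    r = subprocess.run([sys.executable, "-c", CHILD, "rx" if make_executable else "rw"],
                       capture_output=True)
    if r.returncode == 0:
        return "executed"
    if r.returncode in (-signal.SIGSEGV, -signal.SIGBUS):   # killed by the fault
        return "blocked"
    return "error: " + r.stderr.decode(errors="replace").strip()[-200:]


def check_dep():
    """Both halves of the experiment: the data page as-is, then after mprotect(R+X)."""
    return {"data_page": dep_trial(False), "after_mprotect_rx": dep_trial(True)}


if __name__ == "__main__":
    for what, outcome in check_dep().items():
        print(f"{what:18s} {outcome}")
```

On a host with DEP enforced the first trial reports `blocked` and the second `executed`. A host where the first trial also reports `executed` is running with NX disabled for that process, which is the situation Miller has in mind when he says that lacking either mitigation leaves bugs exploitable.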


Comments

ebocious said: BTW, are you thinking you can send assembly commands through TCP/IP without a parent program to receive them? Remember that you don't have local access yet; you're attacking the corner office through a mail chute. Assembly programming is all well and good once you have a foothold, but you have to get a foothold first. Until then, best think about how to compromise a system via Internet-facing protocols.

ebocious said: Intense emotion or slow equipment?

ebocious said: anarionist: Your four reasons are correct, but probably not for the underlying reason you have in mind. You're right that Unix/Linux servers are attacked more often than Windows PCs, but there are two things you're not taking into consideration, or at least not mentioning here. 1) Servers are rarely attacked for the purpose of botnet activity, keylogging or identity theft. With the exception of data mining, crackers are interested in personal computers because there are 7 billion people out there, many of whom use search engines and online banking, not because the server cannot be compromised. httpwwweweekcomcaSecur 2) The reason servers are attacked is for ROI. You can compromise one Web site that receives a heavy flow of traffic and then sit back as the hits come in.

ebocious said: anarionist: Again, you're a bald-faced liar. If you know more about computer security than a former NSA employee and 3-time Pwn2Own champion, then feel free to set the record straight. Meanwhile, we're reading frothy messages from you instead of reading about you. Just FYI, there's a big difference between coding a virus, which requires user intervention, and an exploit, which does not; this is NOT a 5-6 minute job. And if it were so easy to remotely inject code on the stack, as you say, then criminal hackers would have the upper hand and could pwn us at will. NOT the case. BTW, I suggest you read up more on hacking vs. cracking. I am well aware of the ongoing debate and side with the white hats who say they deserve the term "hacker" and that "cracker" should be reserved for black hats. My terminology is sharper than yours, methinks.

ebocious said: Louis Wheeler: Miller clearly said that OS X has both ASLR and DEP. Problem is, their implementation of ASLR doesn't work. Do you really expect Apple to tell you that their security measures don't work? I've got a bridge to sell you, really cheap.

ebocious said: anarionist: You're a bald-faced liar. Charlie Miller is a professional security researcher and one of the best hackers in the world. Do you know how long it takes people like him to code an exploit? Two to four weeks, generally speaking. If you could code malware for any platform in 5-6 minutes, then your time would be better spent keying out PoCs for the big bucks rather than keying out hogwash here, making it plain that you know the truth doesn't support your agenda. Ridiculous.

anarionist said: Really, it would only take me about 5 or 6 minutes to code a virus for Mac, or Windows, or Linux for that matter. My point is nobody is an hat on Mac or Linux, so there is no point coding a virus for either OS, as Mac would be the easier prey and Linux would have more bite. Windows is the only viable option, as what does a majority of the world run? That's right, Windows. The catch: that takes a little effort to infect. Sorry, but Mac and Linux are superior. Windows: games; Mac: media; Linux: both.

Daniel said: Zeke, that's not true. Viruses do exist for Macs, but most coders do not bother creating them. Saying they don't exist is explicitly not true.

Louis Wheeler said: There is one thing wrong with this article. Apple has both ASLR and DEP in the 64-bit kernel. You can see this by visiting Apple's Snow Leopard security page: httpwwwapplecommacosxse. Apple temporarily is not booting into the 64-bit kernel by default until enough applications have been converted to make it worth the user's trouble. Hence, what Mr Miller says is true but irrelevant for another six to nine months. Big deal. It's not as though we are under attack. Windows is.

Zeke said: There are no viruses in the wild for OS X. How is OS X less secure than ANY Windows OS, with their millions of live viruses in the wild? Miller's argument that Windows 7 is more secure than OS X because it has ASLR is ludicrous. It's like saying a 2004 Toyota Corolla is more secure than an Abrams M1 tank because the Corolla has a car alarm and the Abrams doesn't. It's just silly.

AerAps said: DanTe: They would have to provide this service because they have no choice. Windows has no specific stores; the whole world uses Windows, so you would find many services for that kind of thing. Plus, Windows is more open than Apple, so most users would know their way around re-installing Windows, even without formatting it.

AerAps said: It is sad to see that Apple is charging its users for a Service Pack. Microsoft does that for free.

DanTe said: Well, what did you expect? Apple is a DESIGN store, not an IT vendor. People pay for the design. And when they get full of viruses, they just take their beautifully designed Apple to the Apple store, and the employees there will happily reformat the hard drive for you for FREE. Yes, FREE. I laughed my arse off when a group of Mactards told me of this wonderful service of theirs that Windows doesn't have.
