Researcher thinks Mac OS X is easy to exploit
Charles Miller is no stranger to Apple and its products.
In July, Miller and his colleagues at Independent Security Evaluators discovered the first known vulnerability within the Apple iPhone. They then worked with the Cupertino vendor to release a patch for the iPhone the day before the start of the annual Black Hat Briefings in Las Vegas earlier this month. But all that goodwill didn't stop Miller from talking about pending problems lurking deep within the Mac OS. "Macs," he said, "are as easy to hack as they are to use."
During a 20-minute talk at the conference, "Hacking Leopard: Tools and techniques for attacking the newest Mac OS X," Miller said that, for some reason, the Mac OS ships with more than 50 suid root programs. Suid stands for "set user ID": a suid root program runs with root's privileges no matter which user launches it, so that an ordinary user can temporarily perform a specific privileged task. As examples, Miller cited Locum, NetCfgTool and TimeZoneSettingTool. Because these tools run as root, a flaw in any of them provides at least one vector for attack.
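The defender's counterpart to Miller's observation is an inventory: knowing exactly which setuid binaries are present, who owns them, and whether that list changes after a software update. The script below is an added example written for this page, not Miller's code or Apple's: it walks a directory tree, reports every regular file with the setuid bit set (optionally only those owned by root), and demonstrates itself on a constructed temporary directory. The directory roots you would pass on a real Mac (for instance /usr/bin or /usr/libexec) are assumptions, and the fixture files it creates are constructed stand-ins, not the Locum, NetCfgTool or TimeZoneSettingTool binaries named in the article.

```python
import os
import stat
import tempfile


def find_setuid_files(root, owner_uid=None):
    """Walk `root` and return (path, uid, mode) for every regular file with the
    setuid bit set. Pass owner_uid=0 to keep only suid *root* files, the class
    of program the article is concerned with."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)      # lstat: report the entry itself, never follow symlinks
            except OSError:
                continue                 # unreadable or vanished entry; skip it
            if not stat.S_ISREG(st.st_mode):
                continue                 # symlinks, sockets, devices cannot be suid binaries
            if not st.st_mode & stat.S_ISUID:
                continue                 # setuid bit not set
            if owner_uid is not None and st.st_uid != owner_uid:
                continue                 # owned by someone other than the uid we care about
            hits.append((path, st.st_uid, stat.filemode(st.st_mode)))
    return sorted(hits)


def build_fixture():
    """Constructed demo tree (not real macOS files): one setuid file, one
    setgid-only file and one plain executable. Returns the temp directory."""
    d = tempfile.mkdtemp(prefix="suid_audit_")
    for name, mode in (("elevated_tool", 0o4755),   # setuid: should be reported
                       ("group_tool", 0o2755),      # setgid only: not reported
                       ("plain_tool", 0o755)):      # ordinary executable: not reported
        p = os.path.join(d, name)
        with open(p, "w") as f:
            f.write("#!/bin/sh\nexit 0\n")
        os.chmod(p, mode)
    return d


def audit_fixture(owner_uid=None):
    """Run the audit over the constructed tree; return the base names found."""
    d = build_fixture()
    return [os.path.basename(p) for p, _uid, _mode in find_setuid_files(d, owner_uid)]


if __name__ == "__main__":
    # On a real host you would pass system directories and owner_uid=0 and
    # diff the output against a baseline taken before the last update.
    for path, uid, mode in find_setuid_files(build_fixture()):
        print(f"{mode} uid={uid} {path}")
```

Saving the output as a baseline and diffing it after each Software Update is the cheap way to notice a new or unexpectedly writable setuid program; `lstat` rather than `stat` matters, because a symlink pointing at a setuid binary is not itself an elevation surface and should not inflate the count.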
Another vector is Safari, the browser from Apple. Safari, when opened, also opens several applications, including Address Book, Finder, iChat, Script Editor, iTunes, Dictionary, Help Viewer, iCal, Keynote, Mail, iPhoto, QuickTime Player, Sherlock, Terminal, BOMArchiveHelper, Preview and DiskImageMounter. A flaw in any one of these could be easily exploited over the Web. That's because Apple's operating system doesn't randomize the location of the stack, the heap, the binary image or the dynamic libraries, meaning an attacker would know where in memory these applications are loaded on almost every machine running Mac OS X.
Open source is yet another vector for new attacks on Apple Macs. Miller said that on July 31 Apple did update its version of Samba--but for the first time in two and a half years, and the updated version still fell short of the current open-source release. To prove his point, he presented a slide comparing the versions shipped in Mac OS X 10.4.10 with the latest open-source version of each program.
| Component | Mac OS X | Open Source |
|---|---|---|
| OpenSSH | 4.5p1 | 4.6p1 |
| OpenSSL | 0.9.8d | 0.9.8e |
| Apache | 1.3.33 | 1.3.37 |
| Samba | 3.0.10 | 3.0.25b |
| Cups | 1.1.23 | 1.2.11 |
Miller said his formula for finding a zero-day flaw on a Mac is this: "Find an open-source package that they use that's out of date--there's, like I said, plenty of those." He then suggested reading through the change log for the current version of any of the above open-source software to find a usable bug that has been fixed in the newer version but to which Mac OS X users are still exposed. Miller said by doing this, "you won't have to worry about static analysis or fuzzing or any of that stuff."
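The same version gap that Miller reads as an attacker's shortcut is, for a defender, a patch-lag metric: if you can compare what the OS ships against what upstream has released, you know which components carry publicly documented fixes you do not have. The following is an added example, not code from the article, from Miller or from Apple. It parses the mixed version formats in the table above (OpenSSH's `4.5p1` portable suffix, OpenSSL's `0.9.8d` letter releases, Samba's `3.0.25b`, plain dotted numbers) into a tuple that sorts correctly, reports the lagging components, and shows how a version can be lifted from a banner string. The table data is the article's; the `ssh -V` banner is a constructed sample, not output captured from a real host.

```python
import re

# Versions as printed in the article's table (Mac OS X 10.4.10 vs. upstream, August 2007).
MAC_OS_X_10_4_10 = {
    "OpenSSH": "4.5p1", "OpenSSL": "0.9.8d", "Apache": "1.3.33",
    "Samba": "3.0.10", "Cups": "1.1.23",
}
UPSTREAM_AUG_2007 = {
    "OpenSSH": "4.6p1", "OpenSSL": "0.9.8e", "Apache": "1.3.37",
    "Samba": "3.0.25b", "Cups": "1.2.11",
}


def parse_version(text):
    """Turn '4.5p1', '0.9.8d', '3.0.25b' or '1.2.11' into a tuple that sorts
    correctly: the dotted numeric part as ints, then the suffix letters, then
    any trailing number (OpenSSH's 'p1'). A bare '0.9.8' sorts below '0.9.8a'."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)([A-Za-z]*)(\d*)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    numbers, letters, digits = m.groups()
    return (tuple(int(n) for n in numbers.split(".")), letters, int(digits) if digits else 0)


def lagging_components(installed, upstream):
    """Return [(name, installed, upstream)] for every component whose installed
    version sorts below the upstream release. A component with no upstream
    entry is skipped rather than guessed at."""
    lagging = []
    for name, have in installed.items():
        want = upstream.get(name)
        if want is None:
            continue
        if parse_version(have) < parse_version(want):
            lagging.append((name, have, want))
    return lagging


# Constructed sample of the one-line banner `ssh -V` prints; not captured from a real machine.
SAMPLE_SSH_BANNER = "OpenSSH_4.5p1, OpenSSL 0.9.8d 28 Sep 2006"


def versions_from_ssh_banner(banner):
    """Extract the OpenSSH and OpenSSL versions from an `ssh -V` style banner,
    so an installed-version map can be built from the host rather than typed in."""
    m = re.search(r"OpenSSH_(\S+?),\s+OpenSSL\s+(\S+)", banner)
    if not m:
        raise ValueError("banner not in the expected 'OpenSSH_x, OpenSSL y' form")
    return {"OpenSSH": m.group(1), "OpenSSL": m.group(2)}


if __name__ == "__main__":
    for name, have, want in lagging_components(MAC_OS_X_10_4_10, UPSTREAM_AUG_2007):
        print(f"{name:8} installed {have:8} upstream {want}")
    print(lagging_components(versions_from_ssh_banner(SAMPLE_SSH_BANNER), UPSTREAM_AUG_2007))
```

Sorting versions as tuples rather than strings is the point of the parser: a string compare would rank `3.0.9` above `3.0.25b`. The report only says a component is behind; whether the gap contains a security fix still has to be read off the upstream release notes, and the commenters below are right that a lagging package that is not enabled as a service is a smaller exposure than one that is.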
Several attempts to contact Apple for comment on this story went unanswered.
As CNET's resident security expert, Robert Vamosi has been interviewed on the BBC, CNN, MSNBC, and other outlets to share his knowledge about the latest online threats and to offer advice on personal and corporate security. Listen to his podcast at securitybites.cnet.com or e-mail Robert with your questions and comments. 
I know Apple does very deep regression testing before deploying the latest versions of these tools, hence the lag, and it may be that there aren't issues in the diff between the versions, but it is a very visible issue that could lead to potential exploits.
source component was released, I would have to download an update. Nothing would ever get done because I would be busy downloading updates all the time, and then I may as well be running Windows.
Additionally, I wonder if (as mentioned before) the vulnerabilities that exist in the open source components don't pose a hazard in the OS X environment.
I'm not one to believe that OS X has zero security holes, but I would think that if it is as easy to hack OS X as this guy is saying, it would have been done by now on a scale larger than somebody with physical access to the machine and their own non-admin account. The wireless hole was a potential problem, but once again, if you are surfing around on untrusted Wi-Fi points, you'll get what you deserve.
I think the best advice for any computer user is to use discretion in your activities.
software better.
No OS designed by man will ever be perfect. But when it comes to security I'm happy to take my chances running Mac OS X vs. my chances running MS whatever.
OS X *CAN* be hacked, just like every single other OS on the planet. Anyone who thinks that it's completely secure and they can ignore common security practices because they "aren't running Windows" has rocks in their head, but unfortunately that seems to be how about 90% of Mac users think. With all those SUID root programs, it should be relatively easy for an experienced malicious hacker to find a privilege escalation exploit. Combine that with a remote code execution exploit (harder to find but several have surfaced for OS X over the past few years) and the system can be totally pwned.
It's by no means trivial, but it's no harder than hacking Windows Vista or Linux.
think Macs are virus proof, which is not true. You should not group all of us with you there (rocks in your head). If you want percentages, 90% of Windows machines are still not protected or are poorly protected. SUID programs are very much in Windows as well.
This has been shown over and over again as the only way to "break into" a Mac.
A worm is impossible because of the clever way Apple separated User and Root.
Give up the dream hackers, it cannot be done unless it's an inside job.
like you use Windows so why would you think any other way. You just do what you're told to. I would never wish for someone's computer to get a worm or a virus or malware just because they used a different system than me and were proud of their computer.
It's a shame that, intentionally or unintentionally, Windows is exploited the way it is. Microsoft could be a very innovative company again if they didn't constantly have to deal with exploits in their software. Apple, OS X and Mac users don't have to worry about it as much and that's tremendously special.
Maybe one day we will have to worry about virus protection and I think that's why most Mac users have the attitude of go ahead. If you think it's so easy to exploit OS X then do it. I'll buy virus software, think it's a shame and move on.
Either way, I would never think that it's "the best thing" that could happen to a user and their computer, just because I'm ignorant, force fed and biased.
you were to get one, and really study these issues, you would join the 90% of Mac users. Mac users are not ignorant people.
Yes it could happen. But it hasn't and it's been decades. Anti-virus programs on Macs are a waste of money, and the fastest way to trash a Mac is to put Norton Utilities on it. I mean the definitions in the antivirus program protect against known Windows viruses; what are the Mac viruses? If a new virus comes up, you are vulnerable until the definitions are updated. (I've found that they tend to say they got it fixed prior to actually doing it.) I don't see the point of buying a product that protects against something that does not exist yet, that needs an update to protect against it. I mean I can buy it faster than they can update it.
I know I sound like I'm on a high horse, but I'm a bit saddle sore from riding so long. I mean this is the same discussion I heard when OS 9 was out and there were real Mac viruses (and of all of them, only the AutoStart worm caused issues, which was deleting random files; the rest were more like pranks).
My impression is you need to manage security when you use Windows because someone did not do their job. I've yet to see any adware, spyware, viruses, or trojans that are not a joke. I mean I can make a shell script that deletes critical files on any operating system; is this a real exploit, or a symptom of being able to control my machine via a written program?
Phishing, DNS exploits, social engineering and other attacks that work on all operating systems are a lot more prevalent than trojans and suid root programs.
Also Mac users tend to run autoupdate whenever it comes up; we tend to trust Apple. I really don't know any Mac users that don't keep their systems up to date. It's nice because it only reboots at the most once, even with multiple updates at the same time.
exploit Mac OS X.
Every time I read about exploiting Macs, Windows users always say that we are arrogant pricks. But the truth is it is schmucks like you who are acting arrogant.
None of those open-source packages are either running or exposed beyond a firewall. What's his point?
Off the top of my head, OpenSSH, OpenSSL, Apache's httpd server, and Samba are all NOT enabled by default. So... it's like what's the deal?
If I'm going to run Apache as a web server on my machine, I'm going to download or compile Apache's web server personally. They also do a decent job of showing users how to enable only what they need to enable in terms of exposing themselves on a network.
I'm not the "no stranger to Apple and its products" person, but I don't see what all the alarms are about if the stuff isn't running core stuff or even enabled.
I think the media is still all up in arms about macs having some hidden security flaw.
Of course they can't keep up with stuff; what are you going to do, run Gentoo-Mac OS X to get the latest of every project or something? Is he always running the latest of every single package? I suspect not. I would suspect someone might fuzz his machine and find *something* that was out of date *somewhere*. I'm not trying to downplay his results or him personally, but just to put the findings in perspective.
....so do it already.
happens. If I didn't have any XP machines I would never have to work overtime.
No OS is totally secure, but OS X has been out for 5 or 6 years and the only problems my Macs have caused are with my Windows users. They all want to upgrade to iMacs.
security researcher thinks everything is full of holes or he is not very good--and every time anyone says OS X is as bad as Windows, even mere speculation that it is not.
This just seems like total nonsense that makes a good sound bite. Is that what the intention is? Is someone's opinion news? I mean, how can a person with his job duties not think that? A doctor at CDC is concerned about epidemics. A police captain thinks there is a danger from crime. I mean I would assume that is true without reading it.
This is based on speculation. From what I've seen a good hacker can find something tangible very quickly; in fact they have. So hire one.
Yet I still use my laptop with total disregard for security. I've yet to install an anti-virus program. I have the firewall turned off. I've got a webserver running. I'm doing everything wrong, and yet somehow I am still using it. Why?
On the flipside, I dealt with Nimda, I dealt with Code Red. I've seen these things bypass all the best products, and I really can't see how to really secure Windows from the casual script kiddy. It's better, Microsoft is working on it, but they've got a ways to go and I still stop what I'm doing on a daily basis to deal with something like this.
My impression is that if someone can hack OS X, it should first of all be a way that matters. This means a remote attack that allows them to install what they like on my system, steal my money, or get my info. I am sure that the opposing marketing camps have a vested interest in Mac being shown to be mortal; both Microsoft and the anti-virus companies will make a lot more money if this is the case. I mean even the security guys are out to make a buck by making the Mac users afraid.
It also should be assumed I TURNED OFF automatically opening files in Safari. Just like it is assumed I've got an anti-virus and spyware detection program on my Windows system. A good article should state this is recommended next to the lines that say that Safari opens many things.
There are bugs of course, but they are the issues that Linux folks deal with. I don't think I have anti-virus on my Linux boxes either. They are also ones I just hit auto-update and they are gone, because very rarely does updating cause an issue. Updating also is much easier; the Windows methods seem almost like they want me to know they are taking care of things.
I can say for a fact that any computer can be remotely broken into by someone with enough talent, resources, and time. I would not take any laptop to a hacker convention and expect not to find someone else as root. However this does not mean OS X is easy to exploit, it just means it's possible.
If it is easy to exploit he should show exploits. And I really think you should say that he is speculating with no facts to support him. The truth is any exploits found will be quickly patched and distributed to all the OS X systems, and the more that are found, the harder it will be to exploit OS X.
I would really appreciate your trying to balance things a little better, and get a little bit more meat in your articles. A statement is made about someone's opinion. How accurate is that? Did you ask someone else? How does this compare to Windows, Linux, Unix? How important is the threat if it is true? Does it require someone at my keyboard, or does it need an internet connection?
Is there a Mac virus out there, or a trojan I should worry about? Is there a Linux virus for that matter? I assume there are, but I really have never heard of one. And if so, are they actually common?
could use to exploit, but the article does a poor job making clear the risk. First, it's true that there are too many SUID root tools, but he doesn't claim that they have flaws. It's true what he says about randomization of the heap, etc., but that makes a lot of presumptions about being able to inject code into an already compromised app. And, while the F/OSS software is slightly lagging, there are no known security issues in the versions used and none of them are enabled services by default.
The highest risk vector for malware exposure on the Mac remains at the console. An individual installing an application, granting authority to install as root, is the single greatest threat. It's the only one that has the ability to completely own the system.
to exploit. Can't you see that with the threats out in the wild today?
There is no question that M$ pays for articles like this for them to point to and claim that winblows is a secure OS. Problem is we're not all that dumb.
vulnerable to the same security threats that plague Windows, but the problem is that there simply are no viruses, worms or whatever ravaging Macs out in the wild.
It is intellectually dishonest to claim that Macs cannot be hacked and that OS X is perfect. And I don't think any reasonable person is making that claim. Sure, the hackers can dream up a way to get into a Mac on a local network, but it hasn't happened to you or me when we connect to the internet like it does to Windows users.
And what about all the lame "exploits" we hear about in the tech media? It's always something idiotic like give-me-your-password crap that anyone with a lick of sense wouldn't do. Then CNET screams its head off about how Macs are NOW just as vulnerable as PCs.
But they're not. The exploits we are so warned about just don't happen. It's all a crock of press releases designed to generate web traffic (the legendary wi-fi card exploit is a good example).
Despite what you read or hear, Macs are the best security over the internet as we are going to get. And it hasn't changed yet - no matter how many lies are repeated on the web (this site especially!).
Here we go again... (sigh)
by buffer_overflow August 14, 2007 1:41 PM PDT
I don't work for Apple. However I am a certified tech. I went ahead and followed the same steps to hack a Mac. I really doubt the validity of this; I really need to see a video demonstration.
One flaw in the comment is this: "He then suggested reading through the change log for the current version of any of the above open-source software to find a useable bug that's been fixed in the newer version but still vulnerable to Mac OS X users".
I digress, I challenge the author for hard core proof. I wonder about the timing of all this from CNet and these people that are trying to figure out how to hack OS X.
Vista and XP are far, far worse in security, and the fact that Apple is making strides and creeping up on the folks from M$ makes me suspicious about all of this.