Security

Read all 'Charlie Miller' posts in Security
August 27, 2009 4:00 AM PDT

Snow Leopard could level security playing field

by Elinor Mills

Share of the Mac operating system is growing, and with it the number of malware threats targeting the platform.

(Credit: Net Applications)

The new version of the Mac OS, dubbed Snow Leopard, could include some security features that would make it more secure, or at least push it closer to the level of security that Vista and Windows 7 have, experts said this week.

Contrary to popular Mac fanboy belief, Macintosh is not more secure from a software standpoint than modern Windows; it's merely safer to use because malware writers prefer to target the platform with the biggest install base, according to Charlie Miller and Dino Dai Zovi, co-authors of The Mac Hacker's Handbook, which came out this spring.

"Apple hasn't implemented all the security features that Vista has," Miller said. "They made some improvements in Leopard, but they are still behind."

If there is any truth to rumors circulating about Snow Leopard, the operating system security playing field could become more level as of this weekend and Mac users will really have something to brag about.

First off, a screen shot published on the Mac Security Blog of Intego on Tuesday appears to show a security feature supposedly in Snow Leopard that looks like it is detecting a Trojan in a disk image being downloaded via Safari. The post cites unnamed reports about an anti-malware feature being added.

"If it's true, it will mark a fundamental change in that Apple will be admitting that their operating system is as susceptible to malware as other operating systems," Miller said.

CNET's review of Snow Leopard posted late on Wednesday says that File Quarantine, first introduced in Mac OS X 10.4 Tiger, has been refined in Snow Leopard. File Quarantine checks for known malware signatures and displays an alert dialog if it finds a known offender and will be automatically updated via Mac OS X's software update as new malware signatures are found in the wild, the review says.

It's unclear whether rumors are true that Snow Leopard includes internal features, designed to prevent attacks, that Vista and Windows 7 already have, known on that platform as Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP).

By randomizing the location of key pieces of a process's memory, ASLR makes it much more difficult for attackers to predict where data and code are going to be, which they need to know in order to execute their own code or reuse the code already resident in the process. For exploit code that gets past the ASLR barrier, DEP will try to block it from running, recognizing that it is data and not legitimate code.
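As an added example (not code from the article or from Apple), here is a small Python check of the header flags a Mac OS X executable uses to opt into the two mitigations just described: MH_PIE for randomizing the main image's load address and MH_NO_HEAP_EXECUTION for a non-executable heap, as defined in Apple's public <mach-o/loader.h>. The sample headers are constructed inside the script; whether the running OS actually honors the flags is the separate question the article is asking, which a header check alone cannot answer.

```python
import struct

# Constants from <mach-o/loader.h> (Apple's public Mach-O definitions).
MH_MAGIC, MH_CIGAM = 0xFEEDFACE, 0xCEFAEDFE        # 32-bit: native / byte-swapped magic
MH_MAGIC_64, MH_CIGAM_64 = 0xFEEDFACF, 0xCFFAEDFE  # 64-bit: native / byte-swapped magic
MH_EXECUTE = 0x2                                    # filetype: main executable
MH_ALLOW_STACK_EXECUTION = 0x00020000               # stack is allowed to be executable
MH_PIE = 0x00200000                                 # load main executable at a random address
MH_NO_HEAP_EXECUTION = 0x01000000                   # run with a non-executable heap

def parse_mach_header(data):
    """Parse the fixed header of a thin Mach-O image (fat/universal wrappers not handled)."""
    if len(data) < 28:
        raise ValueError("too short for a Mach-O header")
    magic_le, = struct.unpack("<I", data[:4])
    if magic_le in (MH_MAGIC, MH_MAGIC_64):
        order = "<"
    elif magic_le in (MH_CIGAM, MH_CIGAM_64):
        order = ">"                                 # e.g. a PowerPC image read on x86
    else:
        raise ValueError("not a thin Mach-O image: magic 0x%08x" % magic_le)
    magic, = struct.unpack(order + "I", data[:4])
    fields = ("magic", "cputype", "cpusubtype", "filetype", "ncmds", "sizeofcmds", "flags")
    hdr = dict(zip(fields, struct.unpack(order + "IiiIIII", data[:28])))
    hdr["is64"] = magic == MH_MAGIC_64              # 64-bit headers carry one extra reserved word
    return hdr

def mitigation_report(hdr):
    """Which header-level exploit mitigations does this executable opt into?"""
    if hdr["filetype"] != MH_EXECUTE:
        raise ValueError("MH_PIE / MH_NO_HEAP_EXECUTION are only meaningful for MH_EXECUTE images")
    flags = hdr["flags"]
    return {
        "aslr_pie": bool(flags & MH_PIE),
        "heap_nx": bool(flags & MH_NO_HEAP_EXECUTION),
        "stack_executable": bool(flags & MH_ALLOW_STACK_EXECUTION),
    }

def make_header(flags, is64=True, big_endian=False):
    """Constructed sample header (not taken from a real binary) for demonstration only."""
    order = ">" if big_endian else "<"
    magic = MH_MAGIC_64 if is64 else MH_MAGIC
    cputype = 0x01000007 if is64 else 0x12          # CPU_TYPE_X86_64 / CPU_TYPE_POWERPC
    hdr = struct.pack(order + "IiiIIII", magic, cputype, 3, MH_EXECUTE, 0, 0, flags)
    return hdr + (struct.pack(order + "I", 0) if is64 else b"")

# Constructed samples: a hardened x86_64 executable and a legacy big-endian PowerPC one.
COMMON = 0x1 | 0x4 | 0x80                           # MH_NOUNDEFS | MH_DYLDLINK | MH_TWOLEVEL
HARDENED = make_header(COMMON | MH_PIE | MH_NO_HEAP_EXECUTION)
LEGACY_PPC = make_header(COMMON, is64=False, big_endian=True)

if __name__ == "__main__":
    for name, blob in (("hardened x86_64", HARDENED), ("legacy ppc", LEGACY_PPC)):
        print(name, mitigation_report(parse_mach_header(blob)))
```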

"If you have both, it's hard for an exploit to get around it. Leopard has some ASLR but everything is not randomized and Leopard has no DEP," Miller said. "Things could change significantly for the Mac if they do a good job...That was my main gripe with it."

In June, Dai Zovi reported on a new local privilege escalation vulnerability researchers had discovered that gives local root access on Mac OS X Tiger and Leopard. He offered up a wish list for Snow Leopard that included: "real" ASLR; "full use of hardware-enforced Non-eXecutable memory (NX);" default 64-bit native execution for security-sensitive processes; sandbox policies for Safari, Mail.app, and third-party applications (akin to what Chrome has); and mandatory code signing for kernel extensions.

Apple's Mac OS X security page makes reference to offering sandboxing, Library Randomization, and Execute Disable, but there are no details.

An Apple spokeswoman did not follow up on an e-mail request seeking an interview for this story.

The Snow Leopard Web site says it will offer protection against some common types of heap buffer overflow exploits but not new types of such memory overflow exploits, according to Dai Zovi.

The security level in Leopard falls in between Windows XP Service Pack 2 and Vista, he said. If Snow Leopard has full ASLR and DEP, it would bring its security close to the level of Vista, he added.

While adding full ASLR and DEP to Snow Leopard will boost the operating system's defenses against targeted attacks, the Mac OS software arguably has more holes that malware can slip through, Miller said. "It would be fair to say that Mac has more bugs, but it's impossible to measure," he said.

Market pressure has been missing

In this sense, Microsoft has benefited greatly from the plague of security holes in early Windows versions. Those problems led the company to embark on a quasi-religious conversion in 2002 with Bill Gates launching the Trustworthy Computing initiative and setting security as a top priority for the company. Its Security Development Lifecycle (SDL) program--designed to build security into the software--has become the model for the industry.

Microsoft puts "much more effort into auditing their code, the entire SDL process, developer training, automated source code scanners, and hiring external penetration testers," Dai Zovi said.

So far, Apple hasn't felt that kind of market pressure to improve Mac security, largely because malware writers have ignored it, so its secure software development process isn't nearly as developed or mature as Microsoft's, the security researchers said.

"Microsoft has had a head start. That's why they had ASLR and DEP first," Miller said. "It's not because they're geniuses. They just started caring about it sooner."

"These things go lock in step and it doesn't make sense for businesses to expend a ton of resources when the threat is not there," said Dai Zovi. "So far, Apple has been keeping up pretty well with the level of threats in the wild."

As far as security goes, market share is a double-edged sword. As the Mac operating system gets more popular, the amount of malware targeting it is growing.

The Mac has only about 5 percent market share worldwide (nearly half is in the U.S. alone), compared with nearly 95 percent for Windows, according to market statistics provider Net Applications. But the Mac share is rising, from 3.73 percent to 4.86 percent in less than a year, the firm says.

In the meantime, more and more Mac malware is appearing. Earlier this week, TrendMicro reported that it found a new variant of the JAHLAV family of Trojans, which pose as pirated versions of legitimate applications and modify a computer's domain name system (DNS) settings, enabling phishing attacks and redirects to sites hosting malware. Earlier versions of the Trojan masqueraded as versions of QuickTime, but this one passes as Foxit Reader or an antivirus program.

Some malware is written for both Windows and Mac platforms and downloads the correct version depending on the browser. Last week, Symantec reported that sites purporting to show streams of new movies were actually serving up a DNS-changing Trojan instead, called OSX.RSPlug.A for Mac and Trojan.Fakeavalert for Windows. Last month, a McAfee blog post described the OSX/Puper.a Trojan, which is downloaded onto Mac systems when users download what they think is a video player.

ZDNet's Zero Day blog has covered a number of Mac malware threats this year alone. In January, Intego, which has been tracking Mac malware for several years, discovered a Mac OS X Trojan circulating in pirated copies of Apple's iWork '09 software found on BitTorrent trackers and other sites. Symantec researchers in April linked malware found in bogus copies of iWork '09 and Adobe Photoshop CS4 to what they said could be the first Mac OS X botnet launching denial-of-service attacks. And in May, a new e-mail worm dubbed OSX/Tored-A targeting the Mac was uncovered, although it was not found to be spreading in the wild.

"The frequency is increasing" for Mac threats in the wild, said Dai Zovi. "Still, there are only a handful of threats; nowhere near what Windows users face."

In addition to considering how buggy the software is, how secure the operating system code is, and whether malware writers are creating viruses and Trojans for the platform, another factor in play is how likely Mac users are to be duped into visiting a malicious site, opening a malicious e-mail attachment, and downloading a fake file.

Most Mac users seem to take pride in their supposed invulnerability, so one would think that they are less cautious in their surfing activities. But it's hard to tell.

"No computer or operating system is more or less secure when it comes to users being tricked into downloading something," Miller said.

Originally posted at InSecurity Complex
August 27, 2009 4:00 AM PDT

Researchers who hack the Mac OS

by Elinor Mills

Dino Dai Zovi

(Credit: Tehmina Beg)

It was summer 2005. Dino Dai Zovi walked into a Manhattan Starbucks, ordered a coffee, sat down, and opened up his laptop.

Before his coffee was cold he had found a local privilege escalation vulnerability in Mac OS X Tiger, which could allow people to elevate from normal user to full super user, and had written code that could exploit the hole.

"I just think that I got lucky, but that's what I always think when I find a bug that quickly," he said in an interview on Wednesday.

Dai Zovi has been exploiting Macs for a long time, publishing his first Mac OS X shellcode (code used as the payload in an exploitation of a vulnerability) for the PowerPC in July 2001. He said he has reported more than 10 vulnerabilities to Apple over the years and does so out of love for the platform.

"I'm an avid Mac user," he said. "So I have a vested interest in them being more secure."

The 29-year-old got an early start in computers, using bulletin boards in second grade and accessing the Internet through a VAX computer at 13. He taught himself to program and got a computer science degree from the University of New Mexico. While still in college, Dai Zovi worked for the Information Design Assurance Red Team at Sandia National Laboratories, which performs security assessments for the government, military, and commercial industry.

Since then he's worked for consultancies @Stake and Matasano Security, Bloomberg, been director of security at a hedge fund in New York, and now works as chief scientist at Endgame Systems, an information security start-up.

Dai Zovi's Mac hacking hobby has won him some measure of fame. He won the first ever PWN2OWN hacking contest at the CanSecWest security conference in 2007, exploiting a vulnerability in Apple's QuickTime that affected not only Mac-based computers but also those running Windows, and to which Safari, Internet Explorer, and Firefox were all vulnerable. (In the contest, participants show up with exploits ready to go. The exploits do not require local access to the systems; they only require that the user visit a web page to simulate a drive-by web exploit, as is common on the Internet today.)

He co-authored a book, The Mac Hacker's Handbook, this year with security expert Charlie Miller that argues that, contrary to popular belief, the Mac platform is not more secure than Windows; it's just not targeted by malware writers--yet.

"The sky is not falling," Dai Zovi said. But also, "the Mac is not magically protected from malware."

If security features are added to the new version of Mac OS X, Snow Leopard, which is due out on Friday, that could change Dai Zovi's and Miller's opinion. (The CNET review of the product is here.)

Charlie Miller

(Credit: Charlie Miller)

Miller has won the PWN2OWN contest the past two years. In 2008, he was able to gain control of a Leopard-based MacBook Air using a newly discovered vulnerability in Safari. That took him less than two minutes. This year, it only took him 10 seconds or so to exploit a hole in Safari on a MacBook running Leopard.

Miller is probably best known, though, for being the first to hack the iPhone, discovering a hole in the mobile version of Safari in 2007.

One of the reasons he entered the PWN2OWN contest was to prove that Mac OS security was lacking.

"I had a feeling that Mac was easier (to hack) than Windows," he said. "If I can find the Safari bug or exploit in a few days and it would take me 10 times as long for IE, why would I do that? I go after the easiest guy."

Miller comes from a Linux and Windows background and is relatively new to the Mac platform because he worked in the financial and government sector before becoming a security whiz.

After getting a Ph.D. in mathematics at the University of Notre Dame, Miller worked at the U.S. National Security Agency for five years. Hired as a cryptographer, Miller pushed for computer security training because he was "looking for something else to do."

He then worked at a financial-services firm before moving back to his home town of St. Louis and taking a job as principal analyst at consultancy Independent Security Evaluators, where Macs are standard.

"I hack products I own and use and like," he said. "I want to know how they work and play around with them...I thought the Mac OS and the iPhone were cool."

Updated at 6:58 a.m. PDT with more details about the PWN2OWN contest.

Originally posted at InSecurity Complex
March 18, 2009 5:31 PM PDT

Safari hole exploited in seconds at security conference

by Elinor Mills

Updated at 5:53 p.m. PDT with information on a second winner at the ongoing contest.

Charlie Miller

Charlie Miller won $5,000 after demonstrating a new Safari exploit as part of the Pwn2Own hacking contest at CanSecWest.

(Credit: Elinor Mills/CNET)

VANCOUVER, Canada--The security expert who won $10,000 hacking a MacBook Air in less than two minutes last year won $5,000 on Wednesday by exploiting a hole in Safari in 10 seconds or so.

Charlie Miller, principal security analyst at Independent Security Evaluators, used a MacBook running the latest version of the Mac OS as part of a contest at the CanSecWest security conference called "Pwn2Own," which is hacker slang for gaining control of a computer.

The security hole, which Miller said he discovered last year, allows a remote attacker to gain control of a machine simply by getting the computer user to click on a malicious URL, as Miller demonstrated.

"It's not easy, but this worked with one click" from the Safari browser, he said.

Miller is prevented by contest rules from revealing details of the exploit. He said he told Apple representatives what he planned to do earlier in the day. "They're happy because they get free research and get a bug fixed," he said.

The contest is sponsored by TippingPoint, which will share details on the exploit with Apple and develop a patch for it. TippingPoint is offering $5,000 for each new exploit demonstrated in the major browsers and $10,000 for each successful exploit in the major smartphones, as well.

Previously, Miller discovered a hole in the mobile version of Safari shortly after the iPhone was launched in 2007.

Later in the day, a 25-year-old computer science student at the University of Oldenburg in Germany won $15,000 for exploits he demonstrated in IE 8, Safari, and Firefox. The student, who declined to give his full name, gets to keep the Sony Vaio he did his exploits on, and Miller gets to keep the MacBook he used.

February 12, 2009 1:19 PM PST

Android phones await security patch

by Elinor Mills

(Credit: Android)

A researcher who found a security hole in the Android mobile platform in October has found another one that he says is serious enough for him to recommend people not use the Android browser until the patch is installed.

Charlie Miller, a principal analyst at consultancy Independent Security Evaluators, said on Thursday that a patch for the vulnerability is available on Google's source code repository, but has not yet been made available for download onto the phones via the T-Mobile service.

Like the previous hole, the new vulnerability could allow an attacker to remotely take control of the browser, access credentials, and install a keystroke logger if the Android user visits a malicious Web page.

"All the gory details are out there and they still haven't patched it," he said, adding that he recommends that Android users avoid browsing the Web until they have patched their phones.

Android Security Engineer Rich Cannings said PacketVideo developed a fix for the vulnerability on February 5 and patched Open Source Android two days later. Google offered the patch to T-Mobile when it became available and G1 Android users "will be updated at T-Mobile's discretion," he said in a statement.

The bug was found in code that was not written by Google but was contributed by multimedia software company PacketVideo to the open source Android project. PacketVideo's OpenCore media library is used in the mediaserver and is executed within its own Application Sandbox, according to Google.

"Media libraries are extremely complex and can lead to bugs, so we designed our mediaserver, which uses OpenCore, to work within its own application sandbox so that security issues in the mediaserver would not affect other applications on the phone such as email, the browser, SMS, and the dialer," Cannings wrote. "If the bug Charlie reported to us on January 21st is exploited, it would be limited to the mediaserver and could only exploit actions the mediaserver performs, such as listen to and alter some audio and visual media."

T-Mobile representatives were unavailable for comment.

Miller, who presented a talk on the Android vulnerability at the Shmoocon security conference in Washington, D.C., on Saturday, said he notified Google about 17 days before he gave the talk.

"By comparison, when we found the bug in October in Android, they fixed it in 12 days," with a patch available for the phones, he said. "They have it in their power to do this quickly."

A year ago at CanSecWest, Miller and colleagues hacked a MacBook Air in two minutes by exploiting a Safari vulnerability. And in 2007, Miller and colleagues discovered an iPhone security hole.

Forbes first reported on the new Android hole last week and ReadWriteWeb followed up.

Updated 4 p.m. PST to clarify Google comment that bug is limited to the mediaserver code and not the entire browser.
