Mac OS X Security

Previous Page | 1 2 3 4 5 6 | Next Page

Examining the OS X Security Record

One of the most obvious ways to gauge the effective security of an operating system is to take a close look at its security record. No software, however good, is completely free of bugs and security vulnerabilities; it is usually only a matter of time before specific vulnerabilities become public knowledge and exploits are written for them. It is therefore very important to note how quickly a company responds to security threats and how effectively it disseminates information about them.

Apple has released six versions of OS X in just six years. In addition to the major upgrades, Apple also regularly releases security updates, although not on any set schedule. Since the first release of OS X, Apple has issued over 100 security-related updates (PDF), some of which fix as many as 25 separate vulnerabilities each. Based on this rather aggressive release schedule, it is clear that Apple is at least aware of, and actively engaged in, the betterment of security in OS X.

One of the biggest criticisms that can be leveled at Apple, as a company that develops an operating system, is its lack of transparency when communicating about security issues. Apple has been heavily criticized for slow responses to vulnerabilities and for very vague descriptions of what exactly its security updates fix. Apple’s own website makes clear that the company has no interest in sharing this information: “For the protection of our customers, Apple does not disclose, discuss or confirm security issues until a full investigation has occurred and any necessary patches or releases are available.” A quick look at the release notes of any recent security update from Apple will convince anyone that it takes this policy seriously.

Unfortunately, secrecy is not a good security policy. The head of the security firm Secunia, Niels Henrik Rasmussen, explains: “Microsoft and most Linux distributions have learned the lesson and properly describe the nature and the impact of (most) vulnerabilities, allowing their customers to properly estimate the severity of a fixed issue. This is not possible when reading an Apple update.” Apple has yet to learn this lesson despite frequent criticism. Although the developers at Apple have been faithfully churning out update after update, Apple’s communication with security professionals and its customers has a lot of room for improvement.

As previously mentioned, all software contains vulnerabilities and bugs that must be patched. The Symantec report The Mac OS X Threat Landscape: An Overview gleans some interesting information by analyzing the security updates released from 1999 to 2006. There is a clear trend in the types of software addressed by Apple’s security updates. Early in the OS X life cycle, most security updates fixed vulnerabilities in third-party applications; in recent years the focus has shifted to Apple-specific issues (PDF). This shift has coincided with an increase in research papers, published vulnerabilities and media attention on the security of OS X.

Most known vulnerabilities in OS X are of the typical operating system varieties: local privilege escalation, client-side code execution and remote code execution (same Symantec report as above). Based on data collected between 2003 and 2007, the security firm Secunia lists 109 security advisories for Mac OS X, of which only six remain unpatched. Considering that these are vulnerabilities, not necessarily working exploits, this seems surprisingly few for a five-year period. However, the Symantec report does claim (PDF) that “exploiting these vulnerabilities on OS X is not notably more or less difficult than doing so on most other platforms.”

The Mac OS X Threat Landscape: An Overview (PDF) describes several of the more severe known vulnerabilities in depth. Particularly troubling are the five remote vulnerabilities listed, because “remote hackers can exploit [them] without requiring authentication credentials or trust relationships with an affected target.” One example of a significant remote vulnerability is the Apple Mac OS X AppleFileServer Remote Buffer Overflow Vulnerability, which is triggered while authenticating to an AFP share: the login exchange expects a string of a certain length and copies it into a fixed-size stack buffer, so a longer string results in an exploitable stack buffer overflow. Because the bug sits in the authentication step itself, it is reachable before any credentials have been checked. The particularly troubling part is that at least two exploits for it were published and freely available.
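The bug class behind that advisory, as an added example that is neither the article’s own code nor Apple’s AFP server code: a login handler that copies a length-prefixed name from the wire into a fixed-size stack buffer, beside a version that checks the length first. NAME_MAX_LEN, the one-byte length prefix, the packet layout and the sample names are hypothetical and constructed for illustration; they are not the real AFP login format.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical limit: the longest name the login handler "expects". */
#define NAME_MAX_LEN 32

/* Vulnerable pattern. The length byte comes straight off the wire and is
 * trusted: a packet whose length byte exceeds NAME_MAX_LEN overruns the
 * 33-byte stack buffer `name`, and one whose length byte exceeds the bytes
 * actually received reads past the packet. Only call this with a
 * well-formed packet; the oversized case is undefined behaviour. */
int parse_login_unsafe(const uint8_t *pkt, size_t pktlen)
{
    char name[NAME_MAX_LEN + 1];
    if (pktlen < 1)
        return -1;
    uint8_t len = pkt[0];
    memcpy(name, pkt + 1, len);      /* no check of len against sizeof name */
    name[len] = '\0';
    return (int)len;
}

/* Returns 1 if feeding this packet to parse_login_unsafe would overflow
 * its buffer or over-read the packet: the check the handler should make. */
int login_would_overflow(const uint8_t *pkt, size_t pktlen)
{
    if (pktlen < 1)
        return 0;
    size_t len = pkt[0];
    return (len > NAME_MAX_LEN || len + 1 > pktlen) ? 1 : 0;
}

/* Hardened version: the caller supplies the destination buffer, and the
 * wire length is checked against the buffer, the protocol limit and the
 * number of bytes actually received before anything is copied. Returns the
 * name length, or -1 (leaving `out` untouched) on any malformed packet. */
int parse_login_safe(const uint8_t *pkt, size_t pktlen, char *out, size_t outsz)
{
    if (pkt == NULL || out == NULL || outsz == 0 || pktlen < 1)
        return -1;
    size_t len = pkt[0];
    if (len > NAME_MAX_LEN || len > outsz - 1 || len + 1 > pktlen)
        return -1;
    memcpy(out, pkt + 1, len);
    out[len] = '\0';
    return (int)len;
}

/* Builds a constructed login packet (length byte + name bytes). Returns
 * the packet size, or 0 if the name cannot be encoded. */
size_t build_login_packet(const char *name, uint8_t *pkt, size_t pktsz)
{
    size_t n = strlen(name);
    if (n > 255 || n + 1 > pktsz)
        return 0;
    pkt[0] = (uint8_t)n;
    memcpy(pkt + 1, name, n);
    return n + 1;
}

int main(void)
{
    uint8_t pkt[300];
    char out[NAME_MAX_LEN + 1];
    char longname[200];

    /* Constructed benign login: both parsers accept it. */
    size_t n = build_login_packet("guest", pkt, sizeof pkt);
    printf("benign: safe=%d unsafe=%d overflow=%d\n",
           parse_login_safe(pkt, n, out, sizeof out),
           parse_login_unsafe(pkt, n), login_would_overflow(pkt, n));

    /* Constructed oversized login: 199 bytes where at most 32 are expected.
     * The safe parser rejects it; the unsafe one is deliberately not called,
     * because it would write 167 bytes past the end of `name` on the stack. */
    memset(longname, 'A', sizeof longname - 1);
    longname[sizeof longname - 1] = '\0';
    n = build_login_packet(longname, pkt, sizeof pkt);
    printf("oversized: safe=%d overflow=%d\n",
           parse_login_safe(pkt, n, out, sizeof out), login_would_overflow(pkt, n));
    return 0;
}
```

The hardened parser fails closed on three independent conditions (protocol limit, destination size, bytes actually on the wire); the third one matters because a length byte larger than the received packet is an over-read even when it is within the buffer limit.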

While much of the design of OS X can be considered very good in terms of security, there are some severe weaknesses. One such weakness is the way OS X has been designed to take advantage of both BSD and the features of the Mach kernel. This kind of “best of both worlds” integration has been widely touted by Apple. However, security researcher Nemo (PDF) has pointed out that the design creates a weakness: Mach-specific calls can be used to accomplish actions that the equivalent BSD calls would reject:

The securelevel feature of BSD is a rudimentary form of mandatory access control designed to prevent local users from carrying out specific actions when at specific securelevels. … by careful use of Mach system calls, it’s possible to carry out what should be restricted activities, including lowering the securelevel value.

The whole point of a securelevel is that, once raised, it is not supposed to be lowered again while the system is running; a code path that lowers it from a running system defeats the control entirely, and no BSD-side check is consulted because the request never passes through the BSD layer. This type of low-level weakness, arising from the combination of two different architectures, should be very alarming.

So far there have only been a couple of notable examples of malicious code for OS X. Two such examples are OSX.Leap.A and OSX.Inqtana.A, both classified as worms by Symantec. OSX.Leap.A was found in the wild, while OSX.Inqtana.A was only demonstrated as a proof of concept (see The Mac OS X Threat Landscape: An Overview (PDF)).

OSX.Leap.A is notable because it was declared the first ever virus for OS X [1]. The worm was discovered in February 2006. It spread via instant messaging programs such as iChat, in a file called latestpics.tgz disguised as a picture file. The worm had to be executed manually, at which point it attempted to attach itself to other applications. When iChat started, the worm would also try to send itself to all of the user’s iChat buddies.

Closer inspection of the details reveals that it could only spread on local networks, through iChat’s Bonjour messaging. More importantly, the worm was so poorly written that, due to a bug in its code, it was unable to actually spread to other computers.

The discovery of OSX.Leap.A was heralded by a blizzard of news stories in the popular media about the end of OS X’s carefree attitude towards security. A single Associated Press article ran on several major news outlets, with headlines ranging from “Viruses Catch Up to the Mac: Experts debate just how susceptible Apple is becoming” to “Macs No Longer Immune to Viruses, Experts Say” and even “Macs Invulnerable No More.” The security firm Sophos ran an opinion poll asking users whether they now thought Macs would be more of a target in the future. The resulting story ran with the headline “79% believe Mac will be targeted more often in wake of Leap-A Mac OS X worm.”

Just a few days after the discovery of OSX.Leap.A, OSX.Inqtana.A was discovered as well. This worm used the Apple Mac OS X Bluetooth Directory Traversal Vulnerability to gain access to a machine and then attempted to spread itself over Bluetooth to other devices. Oddly enough, this worm also had trouble spreading. A note on Symantec’s description page explains that the “worm attempts to spread by using a time limited demo version of the Avetana library, which is bound to a bluetooth address. As a result of this the worm may not be able to spread successfully.” Although this worm was not established to have done any harm, something else did. Ironically, the update to Sophos Anti-Virus designed to detect OSX.Inqtana.A ended up causing far more harm than the worm itself:

[Sophos’s] update for the Inqtana-B virus identity file incorrectly flagged various Microsoft Office and Adobe Acrobat Reader files, to name just a few, which led to data loss for many of the program’s users. Hundreds and in many cases thousands of files were erroneously flagged as being infected, and, depending on the settings of the users, were then deleted. In several cases the spread of the ‘infected files’ was so great that after the ‘disinfection’ the systems were left all but useless.
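The mechanism behind a directory traversal of the kind OSX.Inqtana.A relied on, as an added example that is neither the worm’s code nor Apple’s Bluetooth file-exchange code: a receiver that writes an incoming object under an inbox directory using the file name the remote device supplied, beside a hardened version. The inbox path, the file names, the MAX_PARTS/PATH_BUF limits and the normalization routine are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define PATH_BUF 512
#define MAX_PARTS 64

/* Vulnerable pattern: the inbox directory is concatenated with the name the
 * remote device supplied, so "../Library/LaunchAgents/x.plist" escapes it. */
int join_unsafe(const char *inbox, const char *name, char *out, size_t outsz)
{
    int n = snprintf(out, outsz, "%s/%s", inbox, name);
    return (n < 0 || (size_t)n >= outsz) ? -1 : 0;
}

/* Lexically normalizes an absolute path: collapses repeated '/', "." and
 * "..". It never touches the filesystem, so symbolic links are NOT
 * resolved; that is the standing caveat of any purely lexical check. */
int normalize_path(const char *in, char *out, size_t outsz)
{
    char tmp[PATH_BUF];
    const char *parts[MAX_PARTS];
    int np = 0;
    size_t pos = 0;

    if (in == NULL || in[0] != '/' || strlen(in) >= sizeof tmp || outsz < 2)
        return -1;
    strcpy(tmp, in);
    for (char *tok = strtok(tmp, "/"); tok != NULL; tok = strtok(NULL, "/")) {
        if (strcmp(tok, ".") == 0)
            continue;
        if (strcmp(tok, "..") == 0) {   /* ".." above the root stays at "/" */
            if (np > 0)
                np--;
            continue;
        }
        if (np == MAX_PARTS)
            return -1;
        parts[np++] = tok;
    }
    if (np == 0) {
        strcpy(out, "/");
        return 0;
    }
    for (int i = 0; i < np; i++) {
        size_t l = strlen(parts[i]);
        if (pos + 1 + l + 1 > outsz)
            return -1;
        out[pos++] = '/';
        memcpy(out + pos, parts[i], l);
        pos += l;
    }
    out[pos] = '\0';
    return 0;
}

/* 1 if `path`, once normalized, is `inbox` or lies beneath it; else 0. */
int path_within(const char *inbox, const char *path)
{
    char a[PATH_BUF], b[PATH_BUF];
    size_t la;
    if (normalize_path(inbox, a, sizeof a) != 0 || normalize_path(path, b, sizeof b) != 0)
        return 0;
    la = strlen(a);
    if (strncmp(a, b, la) != 0)
        return 0;
    return (la == 1 || b[la] == '\0' || b[la] == '/') ? 1 : 0;
}

/* Hardened acceptance rule for a received object name: exactly one path
 * component, with no separators, no "." or "..", and no control characters. */
int inbox_name_ok(const char *name)
{
    if (name == NULL || name[0] == '\0')
        return 0;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return 0;
    for (const unsigned char *p = (const unsigned char *)name; *p; p++)
        if (*p == '/' || *p == '\\' || *p < 0x20 || *p == 0x7f)
            return 0;
    return 1;
}

/* Hardened join: validate the name, build the path, then re-check the
 * result against the inbox as a second, independent line of defence. */
int join_safe(const char *inbox, const char *name, char *out, size_t outsz)
{
    if (!inbox_name_ok(name) || join_unsafe(inbox, name, out, outsz) != 0)
        return -1;
    return path_within(inbox, out) ? 0 : -1;
}

int main(void)
{
    /* Constructed inbox and object names; not taken from the worm. */
    const char *inbox = "/Users/alice/Downloads";
    const char *names[] = { "photo.jpg", "../Library/LaunchAgents/x.plist" };
    char out[PATH_BUF];
    for (size_t i = 0; i < 2; i++) {
        int inside = join_unsafe(inbox, names[i], out, sizeof out) == 0 && path_within(inbox, out);
        printf("%-34s unsafe join -> %s (within inbox: %d)\n", names[i], out, inside);
        printf("%-34s safe join   -> %s\n", names[i],
               join_safe(inbox, names[i], out, sizeof out) == 0 ? "accepted" : "rejected");
    }
    return 0;
}
```

Rejecting separators in the name is the primary control; path_within is the belt-and-braces check, and because it is lexical it will not catch a symlink planted inside the inbox that points elsewhere, which needs a filesystem-aware check (realpath or an O_NOFOLLOW open) on the real system.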

Given the massive amount of media attention paid to both of these worms, it can be hard to pick out the important details. Neither spread successfully, and neither was sophisticated on any level. All that was really established was that it is indeed possible to write a virus for OS X, a claim that serious security researchers had been making for years.

[1] Although both OSX.Leap.A and OSX.Inqtana.A are officially classified as worms by Symantec, there is a lot of debate among other sources as to whether each is a virus, a worm or a Trojan.



Comments

1. kj

hot nerd.
