Mac OS X Security


Examining the OS X Security Record

One of the most obvious ways to gauge the effective security of an operating system is to take a close look at its security record. No software, no matter how good it is, can be completely free of bugs and security vulnerabilities. It is usually only a matter of time before specific vulnerabilities become public knowledge and exploits are eventually written. It is therefore very important to note how responsive a company is in responding to security threats and also how effectively it disseminates information regarding those threats.

Apple has released six versions of OS X in just six years. In addition to the major upgrades, Apple also regularly releases security updates, although not on any set schedule. Since the first release of OS X, Apple has issued over 100 security-related updates (PDF), which sometimes fix as many as 25 separate vulnerabilities each. Based upon this rather aggressive release schedule, it is clear that Apple is at least aware of and actively engaged in the betterment of security in OS X.

One of the biggest criticisms that can be leveled at Apple, as a company that develops an operating system, is its lack of transparency when it comes to communication about security issues. Apple has been heavily criticized for slow responses to vulnerabilities and also for very vague descriptions of what exactly security updates fix. From Apple’s own website, it is made clear that the company has no interest in sharing this information: “For the protection of our customers, Apple does not disclose, discuss or confirm security issues until a full investigation has occurred and any necessary patches or releases are available.” A quick look at the release notes of any recent security update from Apple makes it clear that they take this policy seriously.

Unfortunately, secrecy in security is not a good policy. The head of the security firm Secunia, Niels Henrik Rasmussen, explains: “Microsoft and most Linux distributions have learned the lesson and properly describe the nature and the impact of (most) vulnerabilities, allowing their customers to properly estimate the severity of a fixed issue. This is not possible when reading an Apple update.” Apple has yet to learn this lesson despite being frequently criticized. Although the developers at Apple have been faithfully churning out update after update, Apple’s communication with security professionals and its customers has a lot of room for improvement.

As previously mentioned, all software contains vulnerabilities and bugs that must be patched. The report The Mac OS X Threat Landscape: An Overview, published by Symantec, gleans some interesting information by analyzing the security updates from 1999 to 2006. There is a clear trend in the types of applications addressed in the security updates released by Apple. Early in the OS X life cycle, most security updates focused on vulnerabilities in third-party applications. However, in recent years the focus has shifted to Apple-specific issues (PDF). This shift has also coincided with an increase in research papers, released vulnerabilities and media attention on the security of OS X.

Most known vulnerabilities in OS X are of the typical operating system varieties, including local privilege escalation, client-side code execution and remote code execution (same source as above). Based on data collected between 2003 and 2007, the security firm Secunia lists 109 security advisories for Mac OS X. Of the 109, only six remain unpatched. Considering that this data counts vulnerabilities, not necessarily exploits, it seems that there are surprisingly few for a five-year period. However, the Symantec report does claim (PDF) that “exploiting these vulnerabilities on OS X is not notably more or less difficult than doing so on most other platforms.”

The Mac OS X Threat Landscape: An Overview (PDF) describes several of the more severe known vulnerabilities in depth. Particularly troubling are the five remote vulnerabilities listed, because “remote hackers can exploit [them] without requiring authentication credentials or trust relationships with an affected target.” One example of a significant remote vulnerability is the Apple Mac OS X AppleFileServer Remote Buffer Overflow Vulnerability. This can be triggered when authenticating to an AFP share. The password dialogue expects a string of a certain length, and when given a longer string will result in an exploitable stack buffer overflow. The particularly troubling part about this vulnerability is that at least two exploits for it were published and freely available.
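As an added illustration of the bug class described above (not code from the article, from Apple or from the Symantec report): a length-prefixed password field copied unchecked into a fixed stack buffer, beside a hardened parser that validates the declared length before copying. The one-byte length prefix, the PASS_MAX size and the sample packets are constructed assumptions; the real AFP wire format is not shown on this page.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed size of the server's fixed stack buffer (not a value from the page).
 * Constructed field layout: one length byte, then that many password bytes. */
#define PASS_MAX 64

/* Vulnerable pattern: the client-supplied length is trusted, so a declared
 * length above PASS_MAX writes past the end of the caller's stack buffer. */
int parse_password_unsafe(const uint8_t *pkt, size_t pkt_len, char out[PASS_MAX])
{
    if (pkt_len < 1) return -1;
    size_t n = pkt[0];
    memcpy(out, pkt + 1, n);   /* n is never compared against PASS_MAX */
    out[n] = '\0';             /* even n == PASS_MAX writes one byte too many */
    return 0;
}

/* Hardened version: the declared length must leave room for the terminator
 * and must not exceed the bytes actually received in the packet. */
int parse_password_safe(const uint8_t *pkt, size_t pkt_len, char out[PASS_MAX])
{
    if (pkt_len < 1) return -1;
    size_t n = pkt[0];
    if (n >= PASS_MAX) return -1;     /* would overflow the buffer */
    if (n > pkt_len - 1) return -1;   /* truncated: fewer bytes than declared */
    memcpy(out, pkt + 1, n);
    out[n] = '\0';
    return 0;
}

/* Builds a constructed packet declaring `declared` bytes but carrying
 * `supplied` bytes of 'A', and returns the hardened parser's verdict. */
int safe_result(uint8_t declared, size_t supplied)
{
    uint8_t pkt[1 + 255];
    char out[PASS_MAX];
    if (supplied > 255) return -2;
    pkt[0] = declared;
    memset(pkt + 1, 'A', supplied);
    return parse_password_safe(pkt, 1 + supplied, out);
}
int main(void)
{
    printf("5-byte password: %d, 200-byte: %d, declares 9/carries 2: %d\n",
           safe_result(5, 5), safe_result(200, 200), safe_result(9, 2));
    return 0;
}
```

The unsafe variant is shown only for contrast; it is never called with an over-long field here, since doing so is undefined behaviour.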

While much of the design of OS X can be considered very good in terms of security, there are some severe weaknesses. One such weakness of OS X is how it has been designed to take advantage of both BSD and features of the Mach kernel. This type of “best of both worlds” integration has been heavily touted by Apple. However, security researcher Nemo (PDF) has pointed out that the design has created a weakness: Mach-specific calls can be used to carry out actions whose BSD equivalents would otherwise be rejected:

The securelevel feature of BSD is a rudimentary form of mandatory access control designed to prevent local users from carrying out specific actions when at specific securelevels. …by careful use of Mach system calls, it’s possible to carry out what should be restricted activities, including lowering the securelevel value.

This type of low-level weakness in combining different architectures should be very alarming.

So far there have only been a couple of notable malicious code examples for OS X. Two examples of such code are OSX.Leap.A and OSX.Inqtana.A, both classified as worms by Symantec. OSX.Leap.A was found in the wild, while OSX.Inqtana.A was only demonstrated as a proof of concept. See: The Mac OS X Threat Landscape: An Overview (PDF)

OSX.Leap.A is notable because it was declared the first ever virus for OS X [1]. The worm was discovered in February of 2006. It spreads via instant messaging programs, such as iChat, in a file called latestpics.tgz, disguised as a picture file. The virus had to be manually executed, at which point it then attempted to attach itself to other applications. When the iChat application started, the worm would also try to send itself to all of the user’s buddies in iChat.

A further inspection of the specific details of the virus reveals that it only spread on local networks through the Bonjour protocol. More importantly, the worm was so poorly written that, due to a bug in the code, it was unable to actually spread to other computers.

The discovery of OSX.Leap.A was heralded by a blizzard of news stories from popular media about the end of OS X’s carefree attitude towards security. A single Associated Press article ran on several major news outlets, with headlines ranging from “Viruses Catch Up to the Mac: Experts debate just how susceptible Apple is becoming” to “Macs No Longer Immune to Viruses, Experts Say” and even “Macs Invulnerable No More.” The security firm Sophos ran an opinion poll asking users if they now thought Macs would be more of a target in the future. The resulting story ran with the headline “79% believe Mac will be targeted more often in wake of Leap-A Mac OS X worm.”

Just a few days after the discovery of the OSX.Leap.A virus, OSX.Inqtana.A was discovered as well. This particular virus used the Apple Mac OS X Bluetooth Directory Traversal Vulnerability to gain access and attempted to spread itself over Bluetooth to other devices. Oddly enough, this worm also had trouble spreading. A note on Symantec’s description page explains that the “worm attempts to spread by using a time limited demo version of the Avetana library, which is bound to a bluetooth address. As a result of this the worm may not be able to spread successfully.” Although this worm was not established to have done any harm, something else did. Ironically, the update for the Sophos Anti-Virus software designed to catch instances of OSX.Inqtana.A ended up causing much more harm than the virus itself:

[Sophos’s] update for the Inqtana-B virus identity file incorrectly flagged various Microsoft Office and Adobe Acrobat Reader files, to name just a few, which led to data loss for many of the program’s users. Hundreds and in many cases thousands of files were erroneously flagged as being infected, and, depending on the settings of the users, were then deleted. In several cases the spread of the ‘infected files’ was so great that after the ‘disinfection’ the systems were left all but useless.

Given the massive amount of media attention for both these worms, it can be hard to pick out the important details. Neither of them spread successfully or was sophisticated on any level. All that was really established was that it was indeed possible to write a virus for OS X, a claim that any serious security researcher has been making for years.

  1. Although both OSX.Leap.A and OSX.Inqtana.A are officially classified as worms by Symantec, there is a lot of debate among other sources as to whether they are viruses, worms or Trojans.
