While Snow Leopard includes some improvements in the area of security, noted security researcher Charlie Miller, winner of two consecutive “Pwn2own” hacker contests and co-author of The Mac Hacker’s Handbook, concludes that Apple missed the boat on security in Mac OS X Snow Leopard. “Snow Leopard’s more secure than Leopard, but it’s not as secure as Vista or Windows 7,” Miller said.
Before we dive into the details, it is important to note the difference between what I generally call “technical security” and “real-world security”. The former refers to the security of a platform on paper, whereas the latter refers to how secure a platform actually is out there in the wild. While Windows Vista and 7 may be technically more secure than Mac OS X, fact remains that we still haven’t seen any widespread problems on the Mac. “I still think you’re pretty safe [on a Mac],” Miller said, “I wouldn’t recommend antivirus on the Mac.”
Now, so why, exactly, did Apple miss the boat with Snow Leopard, according to Miller? First of all, address space layout randomisation in Snow Leopard is the exact same “half-baked” variant as implemented in Leopard, which fails to randomise important components of the operating system. Leopard’s ASLR has often been the subject of criticism, because it for instance doesn’t randomise the heap, the stack, and the dynamic linker.
“Apple didn’t change anything,” said Miller, “It’s the exact same ASLR as in Leopard, which means it’s not very good. I don’t understand why they didn’t. But Apple missed an opportunity with Snow Leopard.” Microsoft introduced full ASLR with Windows Vista, three years ago. Linux has a limited variant of ASLR by default, but there are various patchsets out there that introduce full ASLR to the Linux kernel.
Still, there are also areas where Apple made major strides forward, especially when it comes to QuickTime. Apple’s media framework has often been problematic security-wise, because of all the file formats it supports. “They’ve shaken out hundreds of bugs in QuickTime over the years, but it was still really smart of them to rewrite it,” said Miller. He would take it even further, though. “I’d reduce the number of file formats from 200 or so to 50, and reduce the attack surface. I don’t think anyone would miss them.”
Another area of improvement in Snow Leopard is DEP, which Apple has improved significantly, according to Miller. He argues, though, that you really need both DEP and ASLR. “If you don’t have either, or just one of the two, you can still exploit bugs, but with both, it’s much, much harder,” he explains.
He further states about ASLR and DEP: “Snow Leopard’s more secure than Leopard, but it’s not as secure as Vista or Windows 7. When Apple has both [in place], that’s when I’ll stop complaining about Apple’s security.”
While Macs may be technically less secure, the fact of the matter is still that there are no widespread security issues for Mac OS X. “It’s harder to write exploits for Windows than the Mac,” Miller explains, “but all you see are Windows exploits. That’s because if [the hacker] can hit 90% of the machines out there, that’s all he’s gonna do. It’s not worth him nearly doubling his work just to get that last 10%.”
This is the concept of security through minority (not security through obscurity!), and so far, it seems to serve the Mac pretty fine. However, as it stands now, both the Mac and Windows Vista (and 7, insofar an unreleased product has a track record) have quite a decent track record in real-world security.
Meanwhile in the real world, where the users of computers actually live, tens of thousands of windows PCs are infected with malware and there many new Window infections every day while the mac user community is free of such infections.
Can you list some of them? Which massive infections have we seen on Windows Vista?
I dare you to name… Let’s keep it simple: 2.
In the real world there is no massive deployment of windows Vista. In almost all companies, Vista never passed the test phase…
Can’t wait for se7en to be the “true” Windows XP replacement…
Do you guys have two mouse buttons yet?
Morglum
Actually, technically the mighty mouse (that horrible thing that comes with the new macs) does. It does both left and right click.
it can even middle click.
I worked at CompUSA some years ago and was a cashier at this time. Some guy brings up a White Pro Mouse that was $79.99 if I remember correctly. I inform the the man that there was a sale on Logitech mice for $14.99 that was mac compatible, included a second button and a scroll wheel. It had the Mac logo and I was I’m fairly acquainted with Apple/Mac products and know for a fact that it would work.
The man looks at me and tells me that he owns a mac, and has to buy the Apple mouse. I tell him again the Logitech mouse will work with his mac and could do more for less and that all I’m trying to do is save him some ca$h. His response was along the lines to STFU, I didn’t know what I was talking about and that Apple products would only work with other Apple products.
That was when I started to distance myself from Apple. Their user base is kind of crazy. I still think some pf their products are genius, but I still get weirded out by Mac people that seem to hang out on a daily basis in stores like Microcenter..
Edited 2009-09-16 18:00 UTC
Where you went wrong was going further than just making him aware of an alternative. You proceeded to argue with a paying customer.
When he went in to get what he wanted, he probably wasn’t looking to be “educated” by a sales clerk. You can’t deny that the mouse he selected would _not_ work. It doesn’t matter that the other mouse would also work. The Apple brand mouse is the one that he was _willing_ and _able_ to pay for.
Are you still surprised by the reaction you got? Nerds… <sigh>.
Exactly!
“I don’t understand how f’n stupid these customers are Bob. I tell them they’d be a moron to choose full price when this will do and that only an idiot wouldn’t listen to me, but they just don’t seem to give a crap. I told the prick to try Best Buy.”
There’s equal measures of blame to go around there. Yes, many geeks are poor salespeople because they assume the best product for their needs is also the best product for the customer’s needs.
But, by the same token, many people have such fragile egos that they will interpret any suggestion as implied criticism – no matter how careful you are to avoid phrasing the suggestion as “what you’re doing is stupid, here’s what you should do instead.”
And neither of those have anything to do with “Apple product owners.” The OP (of this little subthread of comments) started to distance himself from Apple users because they are all idiots? Ridiculous, it was a troll.
Eh? Why would my comment have anything to do with Apple product owners? My post was a response to a follow-up comment – not to the OP.
I know… I replied to you because you laid out valid reasons, unlike robojerk.
Ah, I see what you meant now (and agree) – mea culpa.
I’ll admit the last little paragraph was troll’ish. On hindsight I should have left it out. I don’t hate Apple products, the culture is a little too much to take at times.
The buried comment about Macs not having 2 mouse buttons just made me remember that story.
Why are people arguing with me what the price of the mouse was?
Edited 2009-09-18 22:38 UTC
The “Apple Pro Mouse” (1 button) retailed for $29.99 before it was discontinued.
The “Apple Mighty Mouse” (4 button) retails for $49.99.
And you wonder why the customer didn’t want to listen to your advice?
Edited 2009-09-16 20:13 UTC
This was years ago. At that time the mouse was $79.99
The price hasn’t changed.
Perhaps are are confused between USB and bluetooh?
sigh.. I can’t believe I looked this up.
http://web.archive.org/web/20020803065849/www.compusa.com/products/…
I think the timeframe of my story was a earlier than this date. 79.99 is the price. I’m like 90% sure..
3rd party markup price?
Oh well. If that makes you happy.
But your link is a great example of why CompUSA is out of business. Many of the products they carried had a 100% markup over where you could get them elsewhere.
Edited 2009-09-17 04:18 UTC
http://web.archive.org/web/20020604065416/www.apple.com/mouse/
I believe the additional cost was for shipping. Every retailer (CompUSA, Microcenter, Fry’s, etc.) sold the mouse for the same identical price.
http://web.archive.org/web/20020928043843/www.microcenter.com/singl…
I remember the markup on all Apple branded products were almost zero. The store management didnt really care if we sold Apple products or not unless it was TAPped (CompUSA’s extended warranty).
Why are you arguing with me over how much a mouse was 7 years ago?
You are correct. Same for the keyboards. I think they were even more expensive. Eventually the prices dropped.
That still doesn’t make Apple users obnoxious, I am sure if I (being a heavy Apple consumer) was addressed politely and with a “hey, you know what…” kind of helpful attitude I’d respond well – or at least if I still wanted the Apple Mouse I’d just say so, “but thank you anyway!”
Of course I am one of those who has always really preferred third-party mouse products. Keyboards too for the most part… altho’ I do like my current aluminum keyboard (not as much as my Tactile Pro, but I’m not allowed to use that due to the noise factor).
Quick google search.
http://www.welovemacs.com/m8690ga.html
I still believe the price was $79.99 at the store.
I think it must have been the Apple Mighty Mouse (Bluetooth), it used to be that costly I think. Well people tend to buy that mouse as it’s a laser mouse also to use that mouse no additional usb thing’s have to be attached. I am not saying that it’s the best mouse mouse but is convenient for most who can pay for it.
http://web.archive.org/web/20020604065416/www.apple.com/mouse/
I believe the additional cost was for shipping. Every retailer (CompUSA, Microcenter, Fry’s, etc.) sold the mouse for the same identical price.
http://web.archive.org/web/20020928043843/www.microcenter.com/singl…
I remember the markup on all Apple branded products were almost zero. The store management didnt really care if we sold Apple products or not unless it was TAPped (CompUSA’s extended warranty).
The bluetooth mouse was not released until Sep 2003
http://en.wikipedia.org/wiki/Apple_Wireless_Mouse
http://web.archive.org/web/20031230223752/microcenter.com/search_re…
Remote Vulnerability Reported in Vista, Windows 7 and Server 2008
Reports are spreading this morning of a remote network vulnerability in the SMB2 protocol, affecting Windows Vista, Windows Server 2008 and Windows 7. Earlier versions of Windows, including Windows XP, are not affected. File sharing has to be turned on, which is not the default.
The initial report, and the one with the most detail, is on Laurent Gaffié’s blog, The key part of the description: “SRV2.SYS fails to handle malformed SMB headers for the NEGOTIATE PROTOCOL REQUEST functionality.” He includes a proof of concept exploit and HD Moore is working hard to get it into Metasploit.
http://blogs.pcmag.com/securitywatch/2009/09/remote_vulnerability_r…
ALSO ***69** MORE vulnerabilities for VISTA HERE:
http://secunia.com/advisories/product/13223/?task=advisories
Thom is that enough for you???
Edited 2009-09-16 15:54 UTC
Oh, no! I can play this game too:
Linux: Found: 9298 Secunia Security Advisories, displaying 1-25
Os X: Found: 18085 Secunia Security Advisories, displaying 1-25
Oh, no!
Come on guys, if MacOSX would have the marketshare Windows has, *Leopard would have more security issues than any version of Windows.
Anyway, all this people concerned about OS security shows some kind of paranoia; we need to have reliable systems, with some kind of security, of course, but, let’s be real, almost all of us do not have superdoopersecret information in our boxes, viruses infecting and erasing ALL our sensitive data are not every day beer and almost all of us do not have a hacker friend trying to break the security of our boxes to steal our…. photos or music…
I think almost all the responsability of the security in my box, depends more on me than on the OS.
Edited 2009-09-16 16:03 UTC
No.
I asked for two massive infections, i.e. the types we saw during the Windows XP days. Windows Vista has seen none.
The SMB issue is a security flaw – not a massive infection. And linking to Secunia is silly, as if you look at Secunia’s Mac OS X figures between 2006 and 2009 (which is the timespan of the Vista figures), it lists 71 of them.
Of course, none of those (either on Windows or Mac OS X) have lead to massive infections of up-to-date systems, so your point is moot anyway.
So, let me simplify the question: give me 1 massive infection on Vista.
Your definition of “massive infection” is wonky, Thom. There is malware and spyware ALL OVER Vista machines. That’s just as bad, if not worse, than the “massive infections” you’re talking about (virus/worm) because they are usually not as easily spotted and they persist and reduce system resources/speed/responsiveness.
Holes in Java and Flash still give people a successful doorway to Windows, and we simply don’t see that on the Mac. So I think the article is fair: OS X security is not up to par, but it really doesn’t matter on the grand scale, you’re still more vulnerable on Windows.
Yeah, the article was mine, so I fully agree with the fact that Mac OS X is currently the safer choice.
However, the gap is now narrower than it has ever been, and Apple can no longer trumpet the virus drum without sounding like a bunch of hypocrites.
What I get fed up with is the sensationalist reporting of every theoretical or minor security flaw in Mac OS X. If you counted the amount of words in articles on this site (and others like it) devoted to reporting arcane discoveries about possible security flaws in macs you would be led to think that out here – in the real world – it was Macs with big the security problems rather than Windows.
As I said in my original post, the fact of the matter is that tens of thousands (maybe hundreds of thousands – certainly a hell of lot) of Windows PCs are infected with all sorts of nasties. Macs are not. This may be because the Window community is still using pre-Vista versions of Windows (and whose fault is that) it doesn’t effect my argument. The current balance of reporting of this matter is skewed – it gives a false sense of what the shape of the issue of security breeches is in the real world.
Finally the argument that somehow the smaller market share of macs means fewer people write nasties for macs just doesn’t hold water. Most exploits seem to be written for fun and for shock. The bigger the story that a successful virus generates the bigger the attraction for lots of virus writers. If anyone could actually write something that spread around the mac community causing even minor problem it would generate huge publicity. The virus writers thrive on that sort of publicity. If they could do it they would – the fact of the matter is that – so far – they haven’t been able to.
That hasn’t been the case for quite a while now. If you take just about any current Windows malware and trace it back far enough, you’ll find someone with a financial motive. It could be botnet owners selling the resources of zombie PCs for DDoS attaches/”distributed spamming,” it could be people selling click/advertising fraud services, it could be people using keyloggers to steal financial info – and then turning around and using that info to purchase hosting for products advertised via spam, etc etc etc.
Malware is big business nowadays – the majority of malware writers are doing it for profit, it’s no longer the exclusive domain of bored teenagers trying to be “l33t.”
Malware writers, like everyone else, try to get the greatest return for the least amount of effort. To use an analogy, where is a disease more likely to spread (and likely to spread quickly) – a sparsely-populated rural area, or a densely-populated urban area? Almost certainly the latter – and is that because people in urban areas have weaker immune systems? Or could it be that there are other contributing factors which result from large population sizes/high population density?
There are still holes, granted. Can you list some of the malware/spyware by any chance? Are you referring to things like Weather Bug that people install and OEM’s like to install, or is there some in the wild spyware/malware that people do not install on their own? No, this is not a troll, but a serious question.
Obviously that number is not perfect and everyone is shooting for zero. But it’s pretty hard, and one always has to be ready to issue patches and use defense in depth.
In comparison, there have been 84 such advisories reported in just the 2.6 kernel of the Linux OS stack over the 2007-2009 time period.
The terms “more secure” and “exploited less-frequently” are not interchangeable. While it makes sense for consumers/casual users to act as if there is no difference, it’s dangerously-myopic for IT professionals, geeks, etc, to take that view.
it’s like living in a place with high crime rate. Windows might have slightly better better locks on the doors, but the windows houses also have better stuff to steal (larger user base, more apps, etc… better target). There are less mac houses and poorer locks, but no one really cares because all the stuff in the house isn’t worth stealing. plus the furniture isn’t compatible with the crooks house .
Gotta agree. Hackers are now about stealing info like bank accounts. What is there to find on a Mac? Some photos or iTunes music… Yeah, they probably already downloaded that already from torrents.
LOL!
Given Apple’s description of what Snow Leopard was, it wasn’t a surprise to find that they’d not improved security radically. It was more about removing the mistakes that they introduced with Leopard.
It’s still a missed opportunity to show that they cared about security. (I give them credit for jumping on problems with Safari 4 but that’s not much.) They really have a poor record since the early days of Mac OS X have gone.
When I’m on Mac OS X, I don’t have a feeling of dread the way I do on Windows XP or Vista, but I know that compromises have been made. I’m just thankful that ActiveX isn’t anywhere to be found.
I don’t see a need for Apple to invest a lot of money on security as long as there are no real world problems.
Microsoft had problems in the past and let’s hope that those problems won’t appear again. The signs are good anyway.
Real world security issues are the best way to see whether they invest enough in security. It will always be a guess how much effort (and money) it takes to achieve that, but Apple does that quite good for now…
You invest now because security is like an oil tanker when things go bad you can’t easily turn things around.
Thom likes to spread Apple FUD, since he’s now turned his back on it.
So what, exactly, is “FUD” about this article? I’m genuinely interested.
“Snow Leopard’s more secure than Leopard, but it’s not as secure as Vista or Windows 7,” – to include this in your summary
That’s not FUD, and you know it. The article clearly differentiates between technical and real-world security. On top of that, it’s a quote, so even if it were FUD, it’s not MY FUD.
I’ll give you another try. Good luck!
Edited 2009-09-16 19:27 UTC
You present the information in the article summary from a technical perspective rather then real-world, to spread your biased opinion.
I disagree with you, so go ahead and delete this thread.
What I find interesting is a person from the Netherlands touting Microsoft and calling Apple greedy.
Truly classic.
Um … so Apple *isn’t* greedy? Where the hell do you get that?
Actually, all I’ve seen here is Windows FUD.
Mac OS X is vulnerable, Windows is vulnerable. It is Apple and Microsoft responsibility to care about security as software company. It is our responsibility to care for it as PC/Mac owners. Microsoft has shown how to act without a security based mindset and they have been forced to care for it since then. Same can still happened to Apple, and all they’ll face is bad press and potentially market share losses.
As for knowing the numbers of vulnerabilities, it is just kikimeter for the masses.
I find it very interesting that there’s not really much meaningful discussion in the comments about ASLR in OS X. For example, while it’s true that OS X doesn’t implement ASLR like Windows does (mostly), it’s still not true that you have predictable address space layouts in the same way pre-Vista versions of Windows did. Leopard introduced some simple ASLR, but also had prebinding of the libraries (replaced by the dyld cache in Snow Leopard) that randomized the addresses of the libraries, functions, and data. Also, in OS X, code on the stack is not executable, and sections of the heap can’t be executed without explicitly being marked executable.
I think it’s a little like comparing Apples to oranges to a certain extent. ASLR is designed to mitigate a risk that Apple addresses by other means. I’m not certain which is more effective — both certainly make exploits harder — but it’s true that ASLR does require substantially more resources (at runtime) to implement the entropy collection and perform the periodic randomization.
Were I developing an exploit, I can think of more efficient ways of attacking both operating systems then trying to exploit buffer overruns on either system.
EVEN Charlie Miller says that these are more theory than practical exploits as far as real-world exploits are concerned “…still think you’re pretty safe [on a Mac],” Miller said, “I wouldn’t recommend antivirus on the Mac.”
Ok then by this reasoning Linux is less secure than XP & Vista? Or just Vista. This is all fairly OR even unfairly biased because we as intellectuals or technicians or even just consumers will wish to believe that our choices are good and sound in logic and implementation. So while clearly and easily stated both Vista and OS X default security options are far better than XP or Windows 2000, but just because there is a possible better solution to a problem on the Mac OS that is not being used does not make the Mac OS insecure.
The real culprit is not the OS it is the casual ‘tinkerer’ who diddles in the control panel (or .conf files) thinking that they know what they are doing and then call one of us (my techie friend) asking how their system got hosed. I said it in 10.2, 10.3, 10.4, 10.5 and thought I was tired of saying it – on and on “do not stay logged in as an Admin – Do not stay logged in as the Owner” (Owner is a member of Admin and Wheel group). Yes I know my Admin password when I need it. I can enter it when I need to it is not cached anywhere. That shuts down what? >= 95% of strange vectors. If I am not logged in as Admin/Wheel group 24/7 or when browsing ‘suspect’ sites in the default browser with Safari set to ‘open safe files’ that the user downloaded… then my chances of getting Pawned are really low. AND because I was logged in as a plain user then the ‘exploit’ only has the same rights as a plain user.
I will start to worry about it when my users start to ask me. Until then this is not really news it is just an opinion. it could just as easily read… (when used incorrectly) “…Snow Leopard’s more secure than Leopard, but it’s not as secure as Vista or Windows 7”
ALSO I have run Vista since January 2008 just about daily with no malware. And I have run many versions of OS X since 2000 with not even the hint of malware. (AND it is still a Royal Pain to keep patched) The Mac is well known for ease of use – getting out of the user’s way (no popups or ‘wizards’ etc) so if Some version of Photoshop[k] or any other app asks me for my admin password I sort of believe that I will notice it. When I have to use XP I am always amazed that I can hit ‘return/enter’ when logged in as an admin and the system just assumes that I am ‘me’/authorized to do whatever. That is not the case in any Unix or Unix-Like os that I have observed. The fault is GENERALLY with the user.
I think SL is a great upgrade and I’m looking forward to developers taking advantage of GCD & OpenCL but I was deeply disappointed that Apple didn’t fully implement ASLR. I found it hard to find information about this since SL was released so I’m glad Charlie Miller has chimed in.
This has nothing to do with the number of attacks on Windows or the lack thereof on OS X, it’s Apple apparently failing to take security as seriously as they should. Since Leopard had a half-assed implementation I thought SL was bound to do it properly.
Why do so many Mac users when confronted with a perfectly valid criticism of OS X go into denial and start attacking Windows. WTF does a flaw in the underlying security model of OS X have to do with Windows? Just because hackers are seemingly uninterested in talking advantage of it at the moment, it doesn’t mean that they won’t in future. It’s a real problem that Apple needs to address. I live in hope they’ll do it in a point release for SL.
As was stated in a previous comment, Apple has taken security seriously. They’ve made strides to protect their binaries and libraries the stack and heap, etc. Even with all of the security mechanisms in place the system is able to be compromised. Adding further ASLR while beneficial of course, is not a magic bullet, nor does it mean that Apple does not take security seriously. They could have done it. I’m sure there are also valid technical reasons why they chose not to. Keep in mind that with much tighter security mechanisms available in Windows for years Windows systems have still been subject to compromise. Besides, the user is a far weaker link in the security chain and also a much larger and more likely target than the OS.
…to make sure their systems are as secure as they can possibly make them. Beyond that, whatever happens, happens
I upgraded to SL the other day on my Mac and have installed Windows 7 on a new (VirtualBox) VM – although I still have my XP VM too. There is absolutely no doubt that Vista and Windows 7 are monumentally more secure than XP and its predecessors, but it doesn’t mean we can or should become complacent. I have ClamXav installed on SL, and use a combination of three (and sometimes four) utilities on Windows to make sure I’m checking for any nasties that may raise their ugly head.
Just like when you buy a car it is your responsibility to drive it safely on the road, the same applies to your computer. We expect car manufacturers to build in safety measures to make the vehicle inherently safe, but at the end of the day it’s the driver who determines how safe it really is. And no matter how many safety measures are built in to our cars it won’t stop some moron from getting shitfaced, running a red light and ploughing into that shiny new Spyker.
The same applies to our computer systems. We can expect that the manufacturers will build in security measures, but we should also learn how to drive it in a manner than makes it even safer and then be aware that unfortunately there are some things out there that we just can’t control…
This is total BS, really i am sorry. And again sorry Thom you are again making shame of yourself reporting it as it is.
First of all, there is nothing technical in your article, besides the claims from Miller who likes to spread FUD in order to attract sensational press on himself.
Speaking of “half-backed” implementation of ASLR when in the same times Miller or you fails to say exactly why, is totally meaningless? What is the technical point, what’s going there?
Well, what it is really all about? From this point, everything that i am talking about is assuming 64 bits compiled apps running from Leopard and above, then those security features are on by default.
– OS X supports stack frame protection with a canary. Useful when trying to protect against stack overflow.You can also specify for increased security that every routine in the program will be checked by passing -fstack-protector-all to the compiler with the penalty of having a greater performance impact.
– On the stack and heap, the code is not executable to protect against code injection. Therefore on Mac OS X. it applied to stack, static data and heap.
– Apple specifically asks developers to use safer library functions. An example:
Consider this code
char buffer[1024];
strcpy(buffer, untrusted_data);
This code is dangerous as it may result to a buffer overflow if the untrusted_data happens to be bigger than the hard coded buffer size.
Instead use
char buffer[1024];
strlcpy(buffer, untrusted_data, sizeof (buffer));
This routine instead will truncate any data given to the function that is greater than the size of buffer, avoiding then a buffer flow. The inconvenient is of course that because it truncates data, you may end up with some data being lost if for example you are logging this information and you would want to track where the attack is coming from. A better solution would then to check the return value of strlcpy
char buffer[1024];
if (strlcpy(buffer, untrusted_data, sizeof (buffer)) >= sizeof (buffer))
/* Handle error */
That’s the good way to handle string functions.
– But what if you have already a large program, you would then need to do hard work to change all the weak functions. In Snow Leopard, by default, the compiler will try to determine the array sizes, and if possible replaces the standard library functions with a more secure versions, like for example
strcpy -> _ _ strcpy_chk
It will pass the size of the buffer to the new routine and the routine will ensure that it never writes outside the size of the buffer. If it appears that it is the case, the routine will stop the program rather than to allow that it gets exploited by an attacker. Pretty neat.
– Extra heap consistency checks. In Snow leopard the heap checksum is randomized, that means that the attacker now has to manage to guess the correct value of the checksum and if the attacker fails, the program is terminated. This is particularly useful for web browser because it is unlikely that the user will just sit there and wait that the attacker guesses the correct value restarting every time the web browser after it crashed. Hopefully, the user will realize that the web page that he/she is trying to visit is something wrong. (On 32 bits app, the checksum is randomized but the program is not stopped leaving extra possibility for the attacker to be able to guess the correct value.)
– Permission changes. Some directories are no longer writeable by the administrator in Snow Leopard: most system applications (for the example the Safari plug-in directory is no longer writeable by the administrator) and /Library/ScriptingAdditions. And more similar changes to come.
– Avoid attacker to access to setuid tools. For that purpose, in Snow Leopard many system applications are now not using set-user-ID. AppKit will refuse to run setuid and ask for an admin password. Apple encourages developer that their executables are not setuid and instead use daemons backed by launchd.
– Domain Name System Attack by DNS spoofing. To protect against that, an UDP port randomization is introduced. DNS port has been randomized in Mac OS X 10.5.x. The results is that the attacker now needs to send considerably more packets to be successful, on average of billions packets. And in Snow Leopard, UDP ports are randomized for all protocols.
So far, all those features are on by default. Now the ones that are opt-in:
– Code layout randomization. System libraries are randomized since Leopard (you hear me Miller!!!). Since also leopard, executable should be built with PIE to me more randomized. So compiling executable with code layout randomization is not on by default even for 64 bits, but again you can activate it. On Snow Leopard, some system executable are now adopting code layout randomization.
What Apple should do from now is to enable more and more code layout randomization and that the third party apps gets compiled by default with it. But in terms of implementation, it is there.
– Developers can turn on sandboxing with the sandbox_init API. Five sandboxes are available: no internet protocols, no sockets at all, no filesystem writes, no filesystem write except temporary files and pure computation only. Custom sandboxes will be available in the future.
An application of sandboxing is for example that the H264 decoder library in Mac OS X is sandboxed. So if you happen to read a movie on the net and if it happens that the library has a security flaw that an attacker can exploit, the only thing that he can do is changing how the movie looks not the application which is actually using the library to decode the movie.
By the way, it seems that the sandboxing implementation on Mac OS X is well better than it is on windows:
http://blog.chromium.org/2009/06/google-chrome-sandboxing-and-mac-o…
So here we are, pretending that Apple does not do enough in security for OS X is plain wrong, plain wrong, If you take the time to read the developer documentations, you can find a lot of interesting informations about what Apple is doing, This is not the case of Miller (and surely neither you Thom) or actually i believe that Miller knows all of that, he just claims wrong or biased informations, again, when a guy is saying that windows is more secure than OS X, he gets the press to listen to him. Claiming that windows is magically more secure than OS X will turn the light to him so that the poor press and the poorly thinking people listen to him.
Claiming that because only one feature is not as well implemented in OS X as it is on windows, windows is more secure does not make sense at all, security is the collection of many technologies working together. Again the sandboxing implementation is much better on OS X than it is on windows, but does that make OS X more secure than windows? I don’t think it is an argument.
So I hardly believe that only ASLR is the answer to everything that would make windows more secure. And i believe that i have proved that OS X is actually using a lot of features to enforce its security.
Edited 2009-09-17 04:16 UTC
Microsoft have also been advising dev to use safer code. As much senior dev have been advising to use safer code, but it is often using non portable api.
Yourlink about sand-boxing also point that Apple api for sand-boxing kinda lack in the documentation departement.
And speaking about OS X being less secure than Vista or Windows 7, well lets takes too examples.
Vista:
http://arstechnica.com/microsoft/news/2009/09/new-flaw-can-remotely…
An outstanding flaw, which can be exploited to remotely crash and restart computers and eventually execute code totally remotely. The flaw is in the Microsoft’s Server Message Block 2 (SMB2) protocol, and the only thing an attacker needs is that the port 445 of the target system must be open, and it is open by default on windows. The attacker does not require authentication, just a sitting computer plugged to the net….
Vista more secure than OS X, no, please.
Windows 7:
Saying that windows 7 is more secure than OS X is even more stupid when everyone knows that Windows 7 has a severe code injection vulnerability associated with its implementation of UAC and even the source code of the injection is publicly available. So every potential user of windows 7 is at risk with that one, Microsoft knows it and refuses to fix the problem and in the same time Miller says us that Windows 7 is more secure than OS X. That is hilarious…. really, some people are real clowns.
http://www.pretentiousname.com/misc/win7_uac_whitelist2.html
Your point in SMB vulnerability is valid for for vista but only valid for lan connections ( SMB should be deactivated on WAN connection ).
It was also valid for the RC version of windows 7, and not working ( as I read on various website ).
My point is windows 7 is no more secure than other OS but still better that older versions.
One so called expert opinion does not reflect the industry state, so instead of flaming you should take it with a grain of salt.
Another half baked article from Computerworld – anyone surprised? Nice to see the ignore the reality – the fact that infections these days on both Windows and Mac are due to social engineering rather than infections simply on the basis of connecting to the internet.
Windows XP (prior to Windows XP SP2) one could go onto the internet and get infected within a few hours (at the height of the worm infections). Fast forward to 2009 and this isn’t occurring on the same scale. I look at the tossers who were chirping over the malware for Mac OS X whilst deliberately IGNORING that it was spread through pirated software downloaded via torrents.
Then again, as I’ve always said, zealots aren’t going to let a little annoyance like facts get in the way of their rant.
Edited 2009-09-17 06:15 UTC
Well I agree with that in general besides that windows 7 will ship with a vulnerability allowing code injection (i know that the Microsoft Security Essentials detect the UAC exploit as a malware but it is quite easy to bypass that and it is already the case). So again claiming that Windows 7 is more secure than any other OS, being OS X, Linux or Vista makes little sense when in the same time this OS ships with a vulnerability known publicly.
Come one, flaming? Expressing a point a view is not flaming particularly when it tries to put some truth in the mass of nonsense that we read every day.
Miller calls himself a security expert, so as such, he should behave professionally and really says what it is about. Pretending that Apple does nothing or little for security with OS X is wrong, right? Therefore I consider him as a jackass regardless the technical background that he has. And he has a big one, this guy presumably knows very well OS X, and so he should talk professionally instead of throwing into the air sensational statements.
“Yourlink about sand-boxing also point that Apple api for sand-boxing kinda lack in the documentation departement.”
Absolutely, nothing is perfect….
Edited 2009-09-17 09:57 UTC
I like you.
I did not say that Microsoft doesn’t do it, i say that because Apple does it, it by definition contradicts Miller claims, which is that Apple does not do enough in security.
Number of viruses are directly proporcional of number of installs of the OS; is normal that vista have near zero problems because who has vista? a lot of people went back to XP; An windows 7 is not enough spread jet
Jocking a bit: anyway WINDOWS *is* the virus 😉
1: OS X is secure (UNIX)
2: Windows is like Cheese with holes
3: On OPEN BSD or Windows, allways security is all about the user. If the user knows what he does, he can be secure on even windows XP SP1. If the user is useless, he can make an ubuntu based system (He will never be able to use BSD) fully insecure.
4:(My opinion) -If you don’t want to learn how to use (securly) a machine or computer DON’T BUY IT!!!
I agree with the sentiment.
Any of the aforementioned operating systems can be made more or less secure by the user. In the past one of the big problems with Windows is the level of privs a typical user/application ran with, etc. I think they are trying to tighten down on that.
Ahhhh. I don’t know. I run behind a firewall (which in itself does not guarantee anything, except to make it a LITTLE harder for the bad guys) and try to avoid strange websites, popups, ads, “free downloads,” etc.
I think most of us know that FreeBSD 5.0 was one of the components on which the OS X kernel is based (besides the Mach Kernel). Since there have been various updates and upgrades to the FreeBSD kernel, many of which would have been related to security how many of those have been incorporated in the latest release of Snow Leopard. Meanwhile FreeBSD is at 8.0 beta 4 stage, Apple is still stuck at FreeBSD 5.0. I am not an expert in this field but isn’t FreeBSD 5.0 like 4 years old to say the least and a lot has changed in the world of FreeBSD ever since, better optimization for 64 bit, multi-threading etc. Your comments are most welcome.
Darwin (Apple open source core OS) is from bottom to top (non exhaustive list):
– osfmk (based on Mach micro-kernel)
– plateform expert
– IOKit (driver interface)
– BSD interface for user/kernel land.
It is important to undersand that the fact that Apple decided to use the FreeBSD 5.0 interface has NOTHING to do with FreeBSD 5.0 implementation (and flaws,bugs…). To make it simple, the interface is the same but the implementation is very different (but sometimes not that different). The Mach micro-kernel don’t have any notion of process, PID, user associated rights, TCP/IP… Mainly it is an abstraction layer above hardware which deal with processors and memory to provide the notion of Tasks and threads which execute within a task. The BSD interface gives Mach derivative kernels (xnu is our case) very common interface (UNIX/BSD) for process to execute (process concept, user rights, network….). BSD process are mapped on Mach tasks. BSD thread are mapped on Mach threads… Some years ago a Linux flavor was built above Mach (see Mklinux) just like SunOS. Interface and implementation are very different thing. It is interesting to note that the two major devs who’s built the Mach kernel are Rick Rashid and Avie Tevanian (among other devs), Rick Rashid went to Microsoft (NT Kernel ?)and Avie Tevanian went to NeXT then Apple.
Edit: some typos…
Edited 2009-09-21 18:53 UTC