Miller: Apple Misses Boat on Snow Leopard Security

While Snow Leopard includes some improvements in the area of security, noted security researcher Charlie Miller, winner of two consecutive “Pwn2own” hacker contests and co-author of The Mac Hacker’s Handbook, concludes that Apple missed the boat on security in Mac OS X Snow Leopard. “Snow Leopard’s more secure than Leopard, but it’s not as secure as Vista or Windows 7,” Miller said.

Before we dive into the details, it is important to note the difference between what I generally call "technical security" and "real-world security". The former refers to the security of a platform on paper: which exploit mitigations it ships and how well they are implemented. The latter refers to how secure a platform actually is out there in the wild: how often users of it get compromised. While Windows Vista and 7 may be technically more secure than Mac OS X, the fact remains that we still haven't seen any widespread problems on the Mac. "I still think you're pretty safe [on a Mac]," Miller said, "I wouldn't recommend antivirus on the Mac."

So why, exactly, did Apple miss the boat with Snow Leopard, according to Miller? First of all, address space layout randomisation (ASLR) in Snow Leopard is the exact same "half-baked" variant as implemented in Leopard, which fails to randomise important parts of a process's address space. Leopard's ASLR has often been the subject of criticism because it randomises where shared libraries load, but not the heap, the stack, or the dynamic linker (dyld), so an attacker who needs a fixed address to jump to still has several to choose from.

"Apple didn't change anything," said Miller, "It's the exact same ASLR as in Leopard, which means it's not very good. I don't understand why they didn't. But Apple missed an opportunity with Snow Leopard." Microsoft introduced full ASLR with Windows Vista, three years ago. Linux has a limited variant of ASLR by default, but there are various patchsets out there, PaX being the best known, that bring full ASLR to the Linux kernel.

Still, there are also areas where Apple made major strides forward, especially when it comes to QuickTime. Apple's media framework has often been problematic security-wise, because every file format it supports comes with its own parser, and every parser that handles untrusted input is attack surface. "They've shaken out hundreds of bugs in QuickTime over the years, but it was still really smart of them to rewrite it," said Miller. He would take it even further, though. "I'd reduce the number of file formats from 200 or so to 50, and reduce the attack surface. I don't think anyone would miss them."

Another area of improvement in Snow Leopard is DEP (data execution prevention, which marks data pages such as the stack and the heap non-executable), which Apple has improved significantly, according to Miller. He argues, though, that you really need both DEP and ASLR: DEP stops an attacker from running code he injected into a data region, while ASLR stops him from knowing where the existing code he could reuse instead has been loaded, so either one on its own leaves the other route open. "If you don't have either, or just one of the two, you can still exploit bugs, but with both, it's much, much harder," he explains.

He further states about ASLR and DEP: “Snow Leopard’s more secure than Leopard, but it’s not as secure as Vista or Windows 7. When Apple has both [in place], that’s when I’ll stop complaining about Apple’s security.”
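To make the ASLR and DEP points above concrete, here is a small checker, added for this article and not code from Apple or from Miller, that takes memory-map listings from several runs of the same program and reports which regions (main image, heap, stack, libc, dynamic linker) actually moved between runs, and which of them are mapped executable. The two sample listings are constructed for the example; the live collector assumes a Linux /proc/self/maps layout (on macOS you would feed it vmmap output through an equivalent parser), and the region names are matched using Linux maps-file conventions.

```python
"""Report which address-space regions an ASLR implementation randomises, and
which of them are executable (the DEP side of the pairing).

Added illustration for this article; not Apple's or Charlie Miller's code.
Assumes Linux /proc/self/maps formatting for the live check."""
import os
import subprocess
import sys

# Constructed sample /proc/self/maps excerpts (made up, not captured from a
# machine) for two runs of the same program.
RUN_A = """\
55d3c2a00000-55d3c2a01000 r-xp 00000000 08:01 1234 /tmp/demo
55f1a0e00000-55f1a0e21000 rw-p 00000000 00:00 0 [heap]
7f2c1b400000-7f2c1b5c0000 r-xp 00000000 08:01 5678 /lib/x86_64-linux-gnu/libc.so.6
7f2c1b7e0000-7f2c1b800000 r-xp 00000000 08:01 9012 /lib64/ld-linux-x86-64.so.2
7ffd5e9c0000-7ffd5e9e1000 rw-p 00000000 00:00 0 [stack]
"""
# Second run with every region moved: what full ASLR looks like.
RUN_B_FULL = """\
5607a1200000-5607a1201000 r-xp 00000000 08:01 1234 /tmp/demo
561c30f00000-561c30f21000 rw-p 00000000 00:00 0 [heap]
7f9e04c00000-7f9e04dc0000 r-xp 00000000 08:01 5678 /lib/x86_64-linux-gnu/libc.so.6
7f9e04fe0000-7f9e05000000 r-xp 00000000 08:01 9012 /lib64/ld-linux-x86-64.so.2
7ffc0a1b0000-7ffc0a1d1000 rw-p 00000000 00:00 0 [stack]
"""
# Second run where only the shared library moved while image, heap, stack and
# dynamic linker stayed put (the "half-baked" case), plus an executable stack
# so the DEP check has something to flag.
RUN_B_HALF = """\
55d3c2a00000-55d3c2a01000 r-xp 00000000 08:01 1234 /tmp/demo
55f1a0e00000-55f1a0e21000 rw-p 00000000 00:00 0 [heap]
7f9e04c00000-7f9e04dc0000 r-xp 00000000 08:01 5678 /lib/x86_64-linux-gnu/libc.so.6
7f2c1b7e0000-7f2c1b800000 r-xp 00000000 08:01 9012 /lib64/ld-linux-x86-64.so.2
7ffd5e9c0000-7ffd5e9e1000 rwxp 00000000 00:00 0 [stack]
"""


def parse_maps(text):
    """Yield (start, end, perms, path) for each mapping line; path may be ''."""
    for line in text.splitlines():
        parts = line.split(None, 5)          # addr perms offset dev inode [path]
        if len(parts) < 5:
            continue
        lo, hi = parts[0].split("-")
        path = parts[5].strip() if len(parts) == 6 else ""
        yield int(lo, 16), int(hi, 16), parts[1], path


def classify(path, image_path):
    """Name the region a mapping belongs to, or None if we do not track it."""
    if path == "[heap]":
        return "heap"
    if path == "[stack]":
        return "stack"
    base = os.path.basename(path)
    if base.startswith(("libc.so", "libc-")):
        return "libc"
    if base.startswith(("ld-", "ld.so")):   # glibc and musl loader names
        return "dynamic linker"
    if path and path == image_path:
        return "main image"
    return None


def region_bases(text):
    """Return {region: (lowest start address, set of perms seen for it)}."""
    regions = {}
    image_path = None                      # first file-backed mapping is the executable
    for start, _end, perms, path in parse_maps(text):
        if image_path is None and path and not path.startswith("["):
            image_path = path
        name = classify(path, image_path)
        if name is None:
            continue
        _base, seen = regions.setdefault(name, (start, set()))
        seen.add(perms)
    return regions


def randomised_regions(*maps_texts):
    """A region counts as randomised if its base differs between any two runs."""
    runs = [region_bases(t) for t in maps_texts]
    names = set().union(*runs)
    return {n: len({r[n][0] for r in runs if n in r}) > 1 for n in names}


def executable_regions(maps_text):
    """True for regions with at least one mapping carrying the execute bit."""
    return {n: any("x" in p for p in perms)
            for n, (_s, perms) in region_bases(maps_text).items()}


def live_maps(runs=3):
    """Collect /proc/self/maps from fresh interpreter processes (Linux only)."""
    cmd = [sys.executable, "-c", "print(open('/proc/self/maps').read())"]
    return [subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
            for _ in range(runs)]


def report(maps_texts):
    rand = randomised_regions(*maps_texts)
    execable = executable_regions(maps_texts[0])
    for name in sorted(rand):
        print(f"  {name:15} randomised={rand[name]!s:5} executable={execable.get(name)}")


if __name__ == "__main__":
    print("constructed full-ASLR sample:")
    report([RUN_A, RUN_B_FULL])
    print("constructed half-ASLR sample:")
    report([RUN_A, RUN_B_HALF])
    if os.path.exists("/proc/self/maps"):
        print("this machine:")
        report(live_maps())
```

Every region that comes back as not randomised is one an attacker can hard-code an address for, and an executable stack or heap is where he can put the payload; the "half-baked" sample shows libc moving while everything else stays put. Use several runs rather than two, since a region with a small randomisation range can land on the same base twice by chance.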

While Macs may be technically less secure, the fact of the matter is still that there are no widespread security issues for Mac OS X. “It’s harder to write exploits for Windows than the Mac,” Miller explains, “but all you see are Windows exploits. That’s because if [the hacker] can hit 90% of the machines out there, that’s all he’s gonna do. It’s not worth him nearly doubling his work just to get that last 10%.”

This is the concept of security through minority (not security through obscurity!), and so far it seems to serve the Mac pretty fine. However, as it stands now, both the Mac and Windows Vista (and 7, insofar as a not-yet-released product can have one) have quite a decent track record in real-world security.
