Ancient flaws leave OS X vulnerable?


OS X contains unpatched security flaws of a type that were fixed on alternative operating systems more than a decade ago, according to a security researcher credited with finding numerous bugs in Apple's increasingly popular platform.

Neil Archibald, senior security researcher at software security specialists Suresec, told ZDNet Australia that as Apple's market share increases, OS X will come under more scrutiny by security researchers, who he believes will find plenty of "low-hanging bugs".

Archibald, who has already discovered a number of security vulnerabilities in OS X, speculates that should Apple's market share continue to increase, users of the platform could actually end up less secure than users of other platforms such as Microsoft Windows or Linux.

"The only thing which has kept Mac OS X relatively safe up until now is the fact that the market share is significantly lower than that of Microsoft Windows or the more common UNIX platforms.... If this situation was to change, in my opinion, things could be a lot worse on Mac OS X than they currently are on other operating systems, regarding security vulnerabilities," said Archibald.

Archibald said his opinion is justified because Apple does not run software auditing tools over enough of its code. Microsoft has used such tools heavily since it launched its Trustworthy Computing initiative, in order to catch simple coding mistakes that could lead, for example, to buffer overflows.

"The code that Apple uses in its applications and libraries is relatively under-audited, which leaves a lot of low hanging bugs.... Some of the security vulnerabilities we've seen during research on OS X were fixed on most other operating systems 10 to 15 years ago," said Archibald.

To prove his point, Archibald gave a number of examples.

In August last year, Apple patched the "dsidentity" bug, which was discovered by Archibald and affected OS X versions 10.4.x up to 10.4.2.

This "trivial" bug, according to Archibald, could easily have been exploited to grant a non-privileged user admin rights and allow that user to create and remove "root" user accounts.

"Bugs like this require a simple glance over the code to notice and are long dead on other operating systems.... When we spoke to Apple on the phone about this issue, the security team had never even heard of the application, and burst out laughing at the simplicity of the vulnerability," said Archibald.

He also described another recently patched flaw in OS X's memory allocator that could allow certain applications to overwrite any file on the system and gain root privileges.

Another vulnerability described by Archibald could allow memory corruption and hand control of a process over to an attacker: "At the time of writing, the vulnerability remains unpatched. However Apple is aware it exists."

Software auditing is not the only thing Apple underutilises, according to Archibald, who also criticised the manner in which the Mac maker deals with security researchers that discover vulnerabilities.

"In my experience -- which is also the experience of some of my peers -- Apple has been very slow to respond to reported security vulnerabilities. It expects security researchers to wait indefinitely to release the vulnerabilities and offers no incentive for them to do so," said Archibald.

Apple's impressive security record is likely to be tarnished if the company continues to grow its market share while undervaluing security researchers and not properly auditing its code: "During the small time Suresec researchers spent auditing Mac OS X, many vulnerabilities like this turned up. Suresec is currently aware of many bugs which exist by default in the latest version of Mac OS X, on both the Intel and PPC Architecture."

Apple refused to comment on Archibald's views. A spokesperson for Apple told ZDNet Australia that the company is "not going to comment on what other people say about Mac OS X".

"There's a lot of information on Mac OS X security on our Web site and we've done a great deal to ensure Mac OS X is a stable and secure platform for our customers, large and small," the spokesperson added.


Munir Kotadia

About Munir Kotadia

Munir first became involved with online publishing in 1998 when he joined ZDNet UK and later moved into print publishing as Chief Reporter for IT Week, part of ZDNet UK, a weekly trade newspaper targeted at Enterprise IT managers. He later moved back into online publishing as Senior News Reporter for ZDNet UK.

Munir was recognised as Australia's Best Technology Columnist at the 5th Annual Sun Microsystems IT Journalism Awards 2007. In the previous year he was named Best News Journalist at the Consensus IT Writers Awards.

He no longer uses his Commodore 64.

  • Sounds like someone didn't make a sale...

    Given SureSec offers code auditing services on their home page it makes this whole article a little fishy, no matter what the truth is. Sounds like Apple said they weren't interested in paying and this is the price...
  • I agree - This is Blackmail

    This article is nothing more than blackmail - or these security "specialists" are blackmailing Apple. Pay us to use our tools or we'll expose your vulnerabilities. It is the publishing of vulnerabilities that makes them a problem.
  • agreed

    Guess what, I just established a security consortium that has discovered 28876 critical security vulnerabilities in Mac OS X, and unless Apple buys my software package, I'm going to start submitting flamebait to zdnet too.
  • You Still Have to be Stupid to Kill OS X

    I'm sure there are a few small quirks in the millions of lines of code that make up OS X. I'm sure someone could write an app to take advantage of at least one and do some stuff I wouldn't like.

    But for that to happen, I have to enter my password. The point is: OS X can't be compromised by simply visiting a website with some malware that automatically downloads and runs. I know - I've tried. Safari simply tells me: "This is an application. Are you sure you want to download it?"

    And then, even if I mistakenly click "yes" and EVEN if the downloaded program automatically runs (not likely) I STILL get a password prompt. The only way it could be more direct is if the prompt text read: "Hey, retard, this is gonna screw something up. Maybe you wanna check this out."

    Until someone finds a way to get around the password prompt for root access, I think I'm pretty safe and sound.

    Also - I don't think the "security by obscurity" argument is valid. There's quite a few bragging rights to be had by the hacker who first brings OS X to its knees. For 5 years that hasn't happened. I think that says a thing or two about the OS.

    And since I'm sure you use Windows, enjoy your next ActiveX-sponsored virus, Archibald.
  • It's ok

    Understanding computer security, and how flaws are exploited, isn't for everyone.
  • getting around the password prompt for root

    Both advisories that get linked to in this article do just that, GET AROUND THE PASSWORD PROMPT FOR ROOT !!!
    Also, in one of the latest Apple advisories there is a bugfix for a heap-based buffer overflow (which apparently was found by Mr. Archibald). If exploited, it could install malware on your box without you even knowing about it.
  • ...

    What I meant to type was:
    ... a heap-based buffer overflow for Safari ...
  • OSX

    Arch, here is a good definition of what you're trying to get at.

    verb 1 he was blackmailing to extort money from, threaten; informal demand hush money from.
  • Apple should use Coverity/Stanford Checker

    The Linux team is using Coverity (previously it was the Stanford Checker) and has found thousands of bugs.

    Apple, spend some of that hard-earned money on better tools.

    lint doesn't cut it.
  • Just because..

    His point seems to be more about the fact that he HAS shown them security holes and they don't seem to find it worthy of being fixed in any amount of time. You, as a Mac user, don't find a problem with that?

    I wish I knew you enough to be able to count the number of times that you point out how solid Mac is. One of the vulnerabilities that he points out is so ridiculous that it makes the developers laugh at the simplicity of the mistake... yet, apparently it granted root access??? Man, if that were MS you would be all over it. I don't have to know you to know that; the whole world can tell by your cynicism.

    I suggest that you be a little more concerned about your OS' security or you will end up taking it on the chin like all of those Windows users who, I'm sure, you make fun of all of the time.
  • And, for you

    This is what google has to say:

    Definitions of stupid on the Web:

    * lacking or marked by lack of intellectual acuity
    * dazed: in a state of mental numbness especially as resulting from shock; "he had a dazed expression on his face"; "lay semiconscious, stunned (or stupefied) by the blow"; "was stupid from fatigue"
    * a person who is not very bright; "The economy, stupid!"
    * unintelligent: lacking intelligence; "a dull job with lazy and unintelligent co-workers"

    Clearly, we do not know the full story behind everything that has been happening here, and these comments are just jumping to conclusions.

    I am thankful that there are people who are making the internet a safer place for us all.
  • Does anyone have any valid, logical statistics about exploitable bugs for 2005 f

    I would be very interested in seeing some valid statistics of exploitable bugs per the 3 vendors mentioned in the above.

    Valid means that the people doing the statistics should be impartial as possible, and the results should stand up to logical analysis.

    Preferably, can people who aren't ./fanboys respond to this thread?

    I think I saw some results somewhere saying Apple came close (or over) to issuing more product updates than Microsoft.
  • extra security???

    Does ne1 know if there is extra security available for Macs?

    Like Microsoft's NX bit? What about PPC support?

    Does Linux have that as well?
  • Use antivirus software

    like ClamXav or norton

    has more info on what you can do to protect your mac against viruses
  • some facts

    We disclosed to Apple way back in May 2005 some 20+ bugs which were very critical; we even had working exploits for most of them.
    We never spoke to anyone about it till most of them got fixed. We could have made a huge media event out of it, but we didn't want to be this media whore company who goes after vendors for fame.
    Even now we are not ticked off with anything; it's just that we spoke to one of the ZDNet reporters who contacted us (mind you) about things in general, nothing aimed at Apple security.
  • blackmail? moron...

    Whether or not Apple has engaged Suresec or Suresec has had rejected proposals to undertake work is irrelevant.

    The vulnerabilities DO exist. Suresec didn't create them.

    The bug being addressed is, I'd say, the integer overflow in kernel code that affects malloc() amongst other things. It's a pretty poor effort on Apple's part to have this bug present. There was a similar bug in Solaris (nowhere near as obvious) that was fixed a great deal of time ago.

    I don't see how you can consider this blackmail. There is a lot of debate over full vs non-disclosure of bugs etc. which I will leave off here. A point made in this article was that Apple needs to incorporate better quality assurance policies internally. INTERNALLY.

    Before you accuse people of blackmail maybe you should get the facts.
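The page gives no details of the OS X allocator bug beyond "integer overflow in kernel code that affects malloc()", so the following added example (not Apple's code, not Suresec's) shows the general bug class: an allocation size computed as count * elem_size wraps, the allocator returns a buffer far smaller than the caller believes, and the hardened version refuses the request instead. The function names are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Unsafe pattern: the byte count is plain multiplication. When
 * count * elem_size exceeds SIZE_MAX it silently wraps, so the
 * allocator is asked for a tiny buffer while the caller still
 * believes it holds `count` elements (the classic allocator bug). */
size_t unsafe_alloc_size(size_t count, size_t elem_size) {
    return count * elem_size;          /* wraps on overflow */
}

/* Returns 1 if the unsafe computation wrapped for this input:
 * dividing the product back by count no longer gives elem_size. */
int unsafe_wraps(size_t count, size_t elem_size) {
    size_t n = unsafe_alloc_size(count, elem_size);
    return count != 0 && n / count != elem_size;
}

/* Hardened form: reject before multiplying when the product cannot
 * be represented. Portable C99; no compiler builtins required.
 * `out` may be NULL when the caller only wants the verdict. */
bool safe_alloc_size(size_t count, size_t elem_size, size_t *out) {
    if (count != 0 && elem_size > SIZE_MAX / count)
        return false;                  /* would wrap: refuse */
    if (out)
        *out = count * elem_size;
    return true;
}

/* Allocation wrapper built on the checked size: NULL on overflow,
 * otherwise a zeroed buffer large enough for count elements. */
void *checked_calloc_like(size_t count, size_t elem_size) {
    size_t bytes;
    if (!safe_alloc_size(count, elem_size, &bytes))
        return NULL;
    void *p = malloc(bytes ? bytes : 1);
    if (p)
        memset(p, 0, bytes);
    return p;
}
```

On a 64-bit build the request (SIZE_MAX / 2 + 2) * 2 wraps to 2 bytes in the unsafe path and is refused by the checked one.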
  • Isn't it interesting...

    Isn't it interesting that as the road to Vista ramps up there are more and more of these articles claiming this and that about OSX - all of it negative. Like the one about the flaws in the new Intel processors - as though it's the only processor with flaws! And this article saying the OSX users could be less secure than users of other OSes like Windows! Where is the justification for that comment? With the root user disabled by default on OSX (except Server) even if something manages to get in it can do limited damage. Stop the media hype to try to sell more advertising and just tell the truth - "There are some old security flaws in OSX that Apple will need to fix" - and for crying out loud get out of Microsoft's pocket?
  • root user disabled ?

    Excuse me? So you can't log in as root; that doesn't mean you can't become root through some bug on OSX. The kernel doesn't know nor does it care that the root user (more specifically uid 0) is disabled. To the kernel, all requests made by the root user will still work.
  • Five years ...

    It's been five years since 10.0's release and still no viruses. There have been vulnerabilities with no known exploits (due to Apple's responsiveness with fixing flaws). I'm constantly repairing Windows systems that are well-patched and well-maintained (I'm a security analyst), yet my own OS X box has had not one single problem. Only a matter of time, huh? Do let me know when that time is. I'll be waiting.
  • Anti-Apple Ignorance