How Snow Leopard can save Mac OS X from malware attacks


Guest Editorial by Dino Dai Zovi

As reported by Intego and Matasano Security, a new local privilege escalation vulnerability has been found that gives local root access on Mac OS X Tiger and Leopard.

While Intego calls this a critical vulnerability, I'm mostly with Matasano's Thomas Ptacek on this one in saying that this vulnerability is not nearly that serious.  For one, it only works when it is run as the user who is logged into the console.  This means that no Mac OS X servers are affected by it, but it can allow a Web exploit or Trojan horse to gain root access without the user's knowledge or permission.  Also, while root access is pretty serious, it is not necessary in order for malware to do bad things to your system (e.g. install itself to run automatically, backdoor Safari, etc.).  So I will dub this a serious, but not critical, vulnerability.

Perhaps the most interesting fact about this vulnerability is where it came from: a thread (from Google cache, because the forums seem to be down now) on the forums at Mac Shadows, a Mac underground site.  That thread was discussing how to build AppleScript-based Trojans until "callmenames" discovered the vulnerability, and the discussion then moved towards the vulnerability and the ensuing news and attention.  At the time of writing, the forums on the site have been taken offline.

The big question on everyone's mind is when malware will begin to seriously affect Mac OS X and what will happen when it does.  As for when, I am betting that it completely depends on market share, as per Adam O'Donnell's game-theoretic analysis.  As for how bad, that will all depend on Snow Leopard: when it will ship, how it will improve Mac OS X security, and how many users will install it.

Snow Leopard will hopefully raise the bar for Mac OS X as much as Vista did for Windows.  Of course it won't stop all attacks, but it should put exploitation beyond the reach of most attackers.  I'd personally like to see the following improvements:

  • Real ASLR (address space layout randomization).  Library randomization with dyld loaded at a fixed location just doesn't cut it.
  • Full use of hardware-enforced Non-eXecutable memory (NX).  Currently, only the stack segments are enforced to be non-executable.  Welcome to the new millennium where buffer overflows aren't only on the stack.
  • Default 64-bit native execution for any security-sensitive processes.  I don't particularly care that it may waste 5% more memory and a little bit of speed; I want Safari, Mail.app and just about everything else that has security exposure to run as a 64-bit process.  Simply because function arguments are passed in registers rather than on the stack, working around ASLR and NX becomes damn near impossible for many exploits.
  • Sandbox policies for Safari, Mail.app, and third-party applications.  Code execution vulnerabilities aren't the only kind of vulnerabilities and good sandbox policies for security-exposed applications can help mitigate the exploitation of code execution and other vulnerabilities in these applications.  I love the scheme-based policies, by the way.
  • Mandatory code signing for any kernel extensions.  I don't want to have to worry about kernel rootkits, hyperjacking, or malware infecting existing kernel drivers on disk.  Most kernel extensions are from Apple anyway, and the few common third-party ones should be required to get a code signing certificate.
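As an added illustration of the sandbox item above (this is not code from the editorial, nor an Apple-supplied profile), here is a deny-by-default policy in the Scheme-based profile language that Leopard's sandbox-exec(1) consumes, written for a hypothetical network-fetching helper. The operation and filter names follow the form that tool accepts, but the exact set available on a given release, and the Mach services a real application needs, are assumptions to be checked against the sandbox denial log.

```scheme
;; Added example, not from the editorial: a deny-by-default Seatbelt profile
;; for a hypothetical fetch helper.  Assumed usage:
;;   sandbox-exec -f fetch-helper.sb /usr/bin/curl -o /private/tmp/out.html http://example.com/
(version 1)
(deny default)          ; anything not explicitly allowed below is refused
(debug deny)            ; assumption: log each denial so the policy can be tuned

;; Read-only access to the libraries and config the process needs to start.
(allow file-read*
       (subpath "/usr/lib")
       (subpath "/System/Library")
       (subpath "/usr/share")
       (literal "/private/etc/resolv.conf"))

;; Scratch space only under /private/tmp: a compromised helper cannot
;; reach ~/Library, LaunchAgents, or the Safari bundle the editorial worries about.
(allow file-read*  (subpath "/private/tmp"))
(allow file-write* (subpath "/private/tmp"))

;; Outbound HTTP/HTTPS only.  No network-inbound rule, so the process cannot
;; open a listening socket and turn itself into a backdoor.
(allow network-outbound
       (remote ip "*:80")
       (remote ip "*:443"))

;; Deliberately no process-exec or process-fork rule: a code-execution bug in
;; the helper cannot spawn a shell or a second-stage binary.

;; Mach lookups for logging; name resolution needs the lookups the local
;; libinfo/mDNS setup uses, which the (debug deny) log will reveal (assumption).
(allow mach-lookup (global-name "com.apple.system.logger"))
(allow sysctl-read)
```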


I'm hoping that Snow Leopard ships before we see too much Mac malware, fixes all of the above, and that it is a free upgrade.  Yes, I know that’s unlikely, but users will not pay money for security features.  When users don't upgrade and are subjected to malware, Apple may still get a bad rap for it.

* Dino Dai Zovi is an information security professional, researcher, and author.  He is perhaps best known in the security and Mac communities for discovering the vulnerability and writing the exploit to win the first PWN2OWN contest at CanSecWest 2007.  He publishes the Trail of Bits blog and can also be found on Twitter.


Talkback

91 comments
  • Brilliant

    Well played Dino. For all of the positive of Mac not having the rough history of M$ with regards to being hacked, there are some very real concerns there. It'd be great to see this new version take a step forward in security.

    -Nate
    nmcfeters
  • Snow leopard seems the exact copy of Vista security features

    Snow leopard seems the exact copy of Vista security features
    qmlscycrajg
    • Because the authors wish list extends it

      The list are not Snow Leopard features, but a wish list.

      Nothing in the list jumps out (extensions of existing technologies incorporated into Leopard), but I'm not sure how user applications like Mail with extensive drag and drop support are going to work with restrictive MAC.

      [author writes]
      "Yes, I know that's unlikely, but users will not pay money for security features."

      Snow Leopard is not a security release. The release will incorporate significant re-engineering which, hopefully, will produce an even better OS.
      Richard Flude
      • Re-engineering

        It's being re-engineered for its poor security. It will be a Security release. Snow Leopard is Mac OS's XP SP 2. Except Apple will charge $129 for it and we'll all hear how it's somehow more cost effective than a Microsoft OS.
        LiquidLearner
        • ...

          Perhaps you could check your crystal ball and let us know what the next lottery numbers will be. That, at least, would be useful speculation.
          snberk203
          • I suppose...

            ...that Jobs saying 10.6 (Snow Leopard) will be a security release and not really add any new features to the OS outside of ZFS is a crystal ball. And perhaps you're right, maybe 10.6 will be the first POINT release of OSX that isn't charged for. After all, if they're willing to do a usable replaceable battery for the iPhone and allow users to choose software to install on their iPhones without going through Apple's dictatorship of what is allowed on the device you own, it could happen. Oh, what's that? Neither of those things happened? That's right... neither will a "free" point release of OSX.
            LiquidLearner
          • ...

            .... and what were those numbers again?
            snberk341
          • Yawn -- Wake me when...

            the first 10,000 Macs worldwide are incorporated into a botnet spewing forth billions of SPAM mails, clogging the pipes. It doesn't really matter WHY my house doesn't get broken into, the fact is that Mac houses don't get burglarized. Thieves and hackers are lazy folks, who don't want to work very hard breaking into people's computers. If one computer is just a tiny bit more secure than another, the less secure one will be broken into. Macs ARE more secure than any flavor of Windows.
            arminw
          • Not quite

            I think Vista is quite a bit more secure than Mac OS. Apple has yet to have the trial by fire that Microsoft have been through and, as the buggy Safari shows, still have a lot to learn. Macs are less secure but also less likely to be attacked. They benefit from security through obscurity rather than security per se.
            alanrr
          • What hyperbole!

            Macs had their baptism by fire with Mac OS 6, 7, 8 and 9 when they did get bad-nasties. Mostly through macros for MS Word.

            The score: Mac OS X is still zero to 144,000 for the Windows environment. And yes, there have been root kits and other Trojans for the Mac, but you have to be physically at a machine to "infect" it. It would be easier to log in as "guest".
            pritchet1
          • Not quite is right...

            [i]"I think Vista is quite a bit more secure than Mac OS."[/i]
            Unfortunately, our personal opinions are irrelevant.

            [i]"Apple has yet to have the trial by fire that Microsoft have been through"[/i]
            What does that mean? Has Apple not been exposed to malware or public use? It seems to me, they have...

            [i]"as the buggy Safari shows, still have a lot to learn"[/i]
            If anything, Safari shows that all browsers are subject to vulnerabilities. However, statistics show Firefox to be the buggiest with 122 vulnerabilities documented in 2007, followed by IE (57) and Safari (47).

            When Microsoft products get another vulnerability, it's hardly newsworthy as it's pretty much expected. When Apple products get a vulnerability, it's a much bigger deal and likewise, over exposed in the press.

            In any case, we're all entitled to our opinions, but statistics don't support your position very well. But, if it makes you feel better, you can hang on to that security through obscurity theory of yours.
            techconc
          • Re: What hyperbole!

            [i]And yes, there have been root kits and other Trojans for the Mac, but you have to be physically at a machine to "infect" it. It would be easier to log in as "guest".[/i]
            >>>>Looks like somebody didn't read the blog...

            '...but it can allow a [b]Web exploit[/b] or Trojan horse to gain root access [b]without the user's knowledge or permission[/b].'

            Just FYI, a "Web exploit" that does [u]anything[/u] "without the user's knowledge or permission" is called a drive-by download. And it is understood today that Macs are sitting ducks against them. Alanrr was correct; the [u]only[/u] reason you're not in trouble is because of obscurity. Wanna see a drive-by download surreptitiously launch a program on your Mac right now? Go here: http://landonf.bikemonkey.org/static/moab-tests/CVE-2008-5353/hello.html
            santuccie
          • Maybe, but

            most PCs aren't in a bot net. If you don't practice safe computing, you're a malware destination. I saw an old friend for the first time in 5 years a while back. He was having some PC problems, so I said I'd look at it. I figured it was his ancient PC with virtually no RAM (which didn't help). Ran an AV scan and he had something like 100 viruses, worms and/or trojans. To put this in perspective, I rarely run AV software, and scan with adaware or spybot every few months.

            AV draws blanks....adaware and spybot rarely find much of note. I think adaware rated the severit...the worst I'd seen was a 3.

            My friend had adware that ranked an 8 or a 9.....I didn't know such things existed.

            I haven't seen him in a few years, I'm sure his PC is riddled with malware again....he doesn't practice safe computing....no firewall. no router. No AV software....nothing. And I suspect he downloads attachments that he should not.....

            Over confident OSX users will suffer the same fate, unless they quit worrying about being superior to Windows and start worrying about criminal attacks.
            notsofast
        • How the hell do you know?

          First of all, who said it was being reengineered strictly for security purposes? I do believe Snow Leopard will do away with PowerPC code and is being reengineered to optimize it for the Intel platform *only*. That is great news since the OS's performance (which is fantastic on both my MacBook Pro and PowerBook G4) will see benefits. Just a shame my PowerBook won't benefit from this release, but they have to cut the cord sometime.
          <? gorno(); ?>
        • Liquid Learner = NonZealot?

          Or just his/her twin in carping at everything that Apple does...
          edward.arnold@...
          • You're using the same arguments

            on me as you would Non Zealot, and that's to say no argument at all.
            LiquidLearner
        • It's being re-engineered for its poor security. NOT!

          It's being re-engineered for better performance; cleaning up obsolete code and removing no-longer-necessary functions. That alone is likely to make it more secure.

          However, there is word that security [i]is[/i] one of the things they are intending to improve as well as bringing in the next version of Safari and Mail.

          In other words, your blatant statement is only a tiny piece of the whole picture, not the picture itself. Sorry.
          Vulpinemac
      • Yes agreed

        Just like Vista was a major overhaul and cost more money and included more security features as well... BUT, this was Dino's wish list.

        Hell, I wish it was free too. I'm not likely to pay for a new OS just cause it is prettier, but I certainly would pay for better security.

        -Nate
        nmcfeters
  • RE: How Snow Leopard can save Mac OS X from malware attacks

    I agree. I am no way saying I think OS X is a breeding ground for viruses and malware, but with OS X gaining more and more of the market share, their OS is going to be a much larger target.
    JustinCarmony
    • So are there millions...

      or even thousands of nowhere infected Macs? For years now, people have been predicting the wholesale infection of millions of Macs, as the number of these computers has increased dramatically. So far, this has not happened. Why? Most people cite small market share as the reason, but there must be more at work here. If market share were the only reason, then the number of infected Macs should be roughly proportional to how many Macs are connected to the Internet.
      arminw