Researchers pooh-pooh Mac OS X Leopard security

Researchers pooh-pooh Mac OS X Leopard security

Summary: The first independent reviews of the security enhancements in Mac OS X Leopard are in -- and they're not entirely pleasant for the folks in Cupertino.

SHARE:

Researchers pooh-pooh Mac OS X Leopard securityThe first independent reviews of the security enhancements in Mac OS X Leopard are in -- and they're not entirely pleasant for the folks in Cupertino.

First up is Heise Security's takedown of the new application-based firewall in Leopard, which Apple promises will specify the behavior of specific applications to either allow or block incoming connections.

However, Heise Security's Jürgen Schmidt finds cause for concern:

The most important task for any firewall is to keep out uninvited guests. In particular, this means sealing off local services to prevent access from potentially hostile networks, such as the internet or wireless networks.

But a quick look at the firewall configuration in the Mac OS X Leopard shows that it is unable to do this. By default it is set to "Allow all incoming connections," i.e. it is deactivated. Worse still, a user who, for security purposes, has previously activated the firewall on his or her Mac will find that, after upgrading to Leopard, the system restarts with the firewall deactivated.

In contrast to, for example, Windows Vista, the Leopard firewall settings fail to distinguish between trusted networks, such as a protected company network, and potentially dangerous wireless networks in airports or even direct internet connections. Leopard initially takes the magnanimous position of trusting all networks equally.

(More at Techmeme)

Researchers pooh-pooh Mac OSX Leopard security

The new firewall in Leopard isn't the only security feature being pooh-poohed by security researchers. According to Thomas Ptacek (right), co-founder of Matasano Security, Apple's implementation of memory randomization in Leopard doesn't make the operating system immune from virus and worm attacks.

[ SEE: Memory randomization (ASLR) coming to Mac OS X Leopard ]

For starters, Ptacek found that the dynamic linker library (dyld) is not randomized. "From what I can tell, ten different Leopard Macs booted at ten different times will have the same offset to dyld," Ptacek said in a first-take on Leopard security.

"Can I say right now that you can exploit this to take over a Mac? No. But ASLR is either something you get right, or is simply a speed bump for attackers," he added.

Ptacek said memory randomization, also known as ASLR (address space layout randomization), removes a talking point argument about Microsoft Windows Vista's superior security, but doesn't address the underlying point of that argument.

Cocoa programs running in Darwin are less secure than Win32 programs running under NTOSKRNL, and aren't even in the same ballpark as Managed C++ or C# programs.

Ptacek's analysis also found problems with Apple's implementation of Sandboxing (systrace) without any documentation for developers.

Topics: Networking, Apple, Hardware, Operating Systems, Security, Software

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

121 comments
Log in or register to join the discussion
  • Let the bashing begin!

    Personal attacks will lead the charge.

    "Cocoa programs running in Darwin are less secure than Win32 programs running under NTOSKRNL"

    Oh boy are the Mac fanboi's going to have a great time spinning this.
    ye
    • Let the bashing begin! - Exactly - Way to recognize it for what it is.

      EXACTLY!!! Bashing is always obvious.

      But I disagree that the Mac fanboi's are going to have a good time with this, most likely it is the window's fanboi's that will have the most fun playing with this bit.

      At least I get a humorous read while I clear 29 pieces of malware off of my friends 3 month old gateway vista laptop.
      jjarman
      • Second Time...

        you have mentioned the "29 pieces of malware" off your friends new laptop.
        ivanotter
      • It's not bashing if its true

        The firewall in Leopard is a huge step back from Tiger.
        Finding it turned off after my upgrade did not make me happy.

        Some of the other findings about its lack of functionality are making me very unhappy.

        This ain't cool. And Apple has yet to step forward and explain this.
        Liveware Problem
        • It must be bashing then, 'cause it ain't true

          First off - Leopard does not need to run a single monolithic firewall. Leopard is specifically designed to grant network reception and send permissions on an app-by-app basis by default. Therefore, the firewall is actually always on. You have to make exceptions by opening up ports to allow file sharing, screen sharing, Skype, et. Otherwise, if you aren't running any servers, like sshd or "file sharing", a firewall is useless. Not running daemons that listen for outside connections is much more secure than a firewall. What a firewall is good for is allowing local network users access to services, while denying those services to other networks. But most of us have no need to run services at home, so a firewall is pretty much pointless.

          If Leopard trusts the app/service (which is either trusted via cryptographic signature or by being initiated by the root user), it gets network access. Otherwise, it does not get access, plain and simple.

          This means that in order to break in, you either have to have the cryptographic trust, or you already have to know the local machine's root password.

          For the truly paranoid, the traditional firewall is sitting there in System Preferences, where you can turn it on at any time after installation. This will give you twice the protection that Vista could ever hope to give in its current state. So long as you don't use Windows Sharing (NetBEUI/NBT), a web server, ssh, NFS, or p2p... you generally have no need for a firewall if there's nothing on your box listening for inbound requests from the network (local or otherwise).

          Oh and BTW, who do you think is a sponsor for Heise Security? Could it be Microsoft? Yes, it could!

          http://xrl.us/7vgw

          Always practice safe surfing, but breath a little easier, that Mac is safer than they want you to believe. Just had to exorcise seven trojans off a friend's PeeCee (XP), just in time for Halloween. Now that's scarey.
          MarcB_z
          • Just ignore the idiots

            They ain't worth all the effort you put into this response.
            labarker
          • Actually, it IS....

            ...for those sensible people who are sick of Vista (aka "OSX designed by Homeland Security") but aren't quite sure about switching to OSX yet. His clear explanation of how OSX's firewall works in both Tiger AND Leopard made this Windoze convert breathe a lot easier - and his pointing out of a possible ulterior motive for this security expert is worth being aware of.

            OTOH, I notice the article didn't mention at all that the "Back to My Mac" feature on Leopard requires UPNP on your router be switched on at all times - a genuine security concern according to security guru Steve Gibson. THAT concerns me a lot.

            BTW, in the past three months I've reinstalled WinXP on FOUR different PCs to wipe out the malware - and tried (and failed!) to downgrade two different Vista machines to XP b/c the owners couldn't get Vista to run their applications or hardware!
            drprodny
          • Back to my Mac

            doesn't apply if you do not have a .mac account or don't use the feature.

            If your .Mac account gets compromised you certainly have a problem and requiring an
            additional logon might not be a bad idea, perhaps it will be addressed in the next
            update. Until then, just don't get a .Mac account or turn Back to my Mac off. Problem
            solved!
            MarcB_z
          • Digital Signatures

            Anyone can digitally sign a binary file.
            Liveware Problem
          • What does a firewall do?

            'What a firewall is good for is allowing local network users access to services, while denying those services to other networks. But most of us have no need to run services at home, so a firewall is pretty much pointless.'
            --Actually, a firewall is designed to keep unsolicited traffic out. Neither the apps nor the operating system keep track of syntax, and a connected machine is always receiving packets from somewhere.

            Without a firewall to manage three-way handshakes or stealth ports (drop packets from unsolicited senders), hackers are free to waltz right in and view your files. While a server should have at least a Web application firewall, every desktop needs SPI.

            Just FYI, there is Mac OS malware out there now, and has been since February. By harnessing the power of polymorphic code, hackers have time on their hands to attack the remaining obscure platforms. It's bad enough that there is not so much as one free antispyware out there for Mac OS, but to have no firewall makes you a sitting duck.
            santuccie
      • aw shucks...

        This article makes me proud to be a Linux "fanboi." =)
        catseverywhere
  • Hard lessons learned

    Many of the Vista changes were built on some hard lessons learned by Microsoft with XP. Apple is going to be in for a nasty learning curve as they increase market share. Wait until the fan club gets hit by a nasty worm or virus attack specifically engineered for the MAC.
    net-com
    • You've been saying that for nearly 10 years...

      You've been saying that for nearly 10 years. Apple is the 3rd largest computer retailer. They command over 8% of the entire computing market.

      I find it hard to believe that not a single person has successfully deployed a malicious trojan or worm in almost 10 years.

      They're not impervious, but come on, 10 years without a single hit? That has to say something about Apple's security design & policy.

      (It's Mac, by the way. It's not an acronym, it's just short for Macintosh.)
      olePigeon
      • Too many POCs to feel safe

        The existence of countless POC viruses, trojans, and worms that target OSX doesn't lend credence to your argument that OSX isn't attacked due to its security design and policy.

        However, even if I believed you, is a spotless record a good excuse for breaking security features? Even you say that the record is so good due to Apple's security design & policy. They are now changing that "perfect" security design and policy for the worse and this is okay according to you?
        NonZealot
        • Countless proof of concepts?

          Countless proof of concepts? There are a handful, yes, developed by antivirus companies who want a reason for Mac users to buy their software; [i]none[/i] of which have been exploited or deployed.

          I never claimed Apple's security policy was perfect in any way. OSes get viruses and trojans, it's a fact of life. There [i]will[/i] be a virus, trojan, or worm for OS X eventually, and I don't defend Apple's fallacies regarding security. I was just point out that whatever Apple is doing currently, you have to admit it's working pretty well.

          10 years is a very long time.
          olePigeon
        • I'll bet you can't find a single virus for OS X

          "The existence of countless POC viruses, trojans, and worms that target OSX doesn't lend credence to your argument that OSX isn't attacked due to its security design and policy."

          I'll bet you can't find a single virus, trojan, or worm for OS X... Go ahead.. go to symantec and try.. and take a good look at the description and what it takes to get a "so called" virus infection fo any of the fake virii listed.. a minimum of 6 confirmations is absolutly necessary (it's not a virus)... and these so called viruses that were shipped in apple products.. Well that was a windows virus that was shipped on an estimated 10,000 ipods.. and that virus wasn't anything all that bad either, someone simply overlooked it because the ipods were loded via macs and windows viruses cannot do anything on a mac, so they were simply missed.. or maybe they were shipped that way on purpose... hmmmm???

          Fact is, I have yet to see any real virus for any Mac that ever existed... And trust me I have been looking.. I collect virii as a hobby... I still have yet to find a single "so called" mac virus that is actually a virus...

          And to all you MS butt loving fan boys... Zealot, Shadetree, Ye, and the other butt bunch fellas... You are not going to see a real virus for OSX, not now, not ever. It's a UNIX OS... and for those of you MS butt lovers that are too stupid to understand what that means.. Why don't you go do some research on L0pht and cDc... Those of us that actually did IT back in the 80s and 90s lived it, and we owe them for advancing the technology to where it is today. Then realize this.. OS X is a UNIX OS... I would love to sit back and laugh at any moron who tries to write a virus for OSX... he or she would find themselves elite enemy number one and those are some crosshairs you do not want to be in.

          Why do think the US Government has no control over the internet??? Oh they want it, they salivate over the thought of having that control, but they will never get it?? All attempts they have made have failed... It started out as a Military project, they feel that they are entitled to it... Problem is.. they lost it.... it is held by those who are more intelligent...

          So here is a thought that will get those rusty, never been used gears in your head creaking...

          Who has the most powerful supercomputer in the entire world?

          Who has the ability to shut down the internet at a whim? (here is a hint... in the summer of 1998 they went to Washington to testify before the US Senate as technical experts. When asked by the Senate, they told the Senate that they could shut the internet down in half an hour. They were addressed by both the Sentate and the President by their handles aka screen names and not by their real names.)

          Who is it who really benefits from the fact that microsoft makes an extremely hackable OS?

          Find the truth to those answers and you won't be blowing Mr Gates horn any longer. As for OS X, it's the best UNIX OS that has ever existed. For those of us that know how to dive into the core of it, it is every bit as powerful as any UNIX OS, but with the added benefit of driver support from the rest of the technology world... now we can focus on things other than tweaking a driver to burn music.

          Guys.. time to gets your heads outta your butts and grow a real brain... Some of us don't give a rats ass about Steve B Jobs, but we love an awesome UNIX OS and the best hardware money can buy.... Rembemer.. it was Woz that discovered ESD and how to prevent it... Apple wrote the book on it... Literally.
          i8thecat
          • Perhaps this?

            http://www.intego.com/news/ism0705.asp

            "Who has the most powerful supercomputer in the entire world?"
            ye
          • That's a Trojan, NOT a virus ...

            You know that there is a difference, right?
            Jens T.
          • You people are pathetic. Stop being so pedantic. You might look less a fool

            From his post which you apparently didn't bother to read:

            "I'll bet you can't find a single virus, trojan, or worm for OS X"
            ye
          • not a even a trojan - but thanks for playing

            What Intego is referring to is not a trojan. It's software with a single purpose... it's not a trojan which by definition is hidden inside another program.. there is nothing hidden ofther than the intent of the software.. Now if they actually had codec with a trojan inside it, then that would make it a real trojan. so in a nutshell, there isn't a horse. Just software that you have to download and install with an admin password.

            I find it extremely humorous that Intego is the only one claiming this mystery trojan exists, and claims the only protection is to install their software. They claim that certain porn sites have it present, but have not released any details about it... no one can confirm anything.. it's just a claim... you cannot find anything else on it anywhere... not to mention, thier description of it trumps it as being a trojan to begin with.

            So if you would like to try again Ye, we can continue to play... I for one, would love to capture a real virus for a mac, I have been waiting a long time to see one, but so far, none of the claims of a virus have ever yeilded anything.
            i8thecat