Mac Security research kicks off 16holes plugged

Comments

  • Closed Accounts Posts: 1,567 ✭✭✭Martyr


    It was only a matter of time since they switched their processors to Intel; stand by for viruses.


  • Moderators, Recreation & Hobbies Moderators, Science, Health & Environment Moderators, Technology & Internet Moderators Posts: 93,567 Mod ✭✭✭✭Capt'n Midnight


    Martyr wrote:
    It was only a matter of time since they switched their processors to Intel; stand by for viruses.

    Do you mean the reuse of existing Windows virus code,
    or the way i386 doesn't separate code and data, etc.?
    The Adobe holes could be either :(


  • Closed Accounts Posts: 1,567 ✭✭✭Martyr


    Capt'n Midnight wrote:
    Do you mean the reuse of existing Windows virus code,
    or the way i386 doesn't separate code and data, etc.?
    The Adobe holes could be either

    Well, I can't say there will be an increase in viruses for Macs; I honestly don't know.
    But Macs are definitely looking more and more vulnerable and attractive to attackers as time goes on.
    Compared to Windows, which has at least some defenses available (firewalls, automatic updates and tonnes of research into finding holes, which were subsequently patched).

    Windows is by no means perfect, but it looks more secure than Macs running on Intel processors at the moment to me.

    There is a rich source of assembly code out there which could possibly work on Macs with some modification.

    Taken from: bizweek
    While Microsoft struggles to build firewalls, anti-spyware, and anti-virus technology into Windows, Mac users are for the most part untroubled by these annoyances, and that's a point it could press, says Richard Forno, a principal consultant with KRVW Associates, a computer-security firm in Alexandria, Va.

    There are more than enough third-party products already available.
    M$ are developing their own virus scanner, probably, if you look at the AntiVirusProduct class in the SecurityCenter namespace, but to say they are "struggling" compared to Apple is a joke.
    ' VBScript (WSH): print the MOF definition of the AntiVirusProduct WMI class
    Wscript.Echo GetObject("Winmgmts:root\SecurityCenter:AntiVirusProduct").GetObjectText_
    ....
            class AntiVirusProduct
            {
                  [key, Not_Null] string instanceGuid;
                  [Not_Null] string displayName;
                  [Not_Null] boolean productUptoDate;
                  [Not_Null] boolean onAccessScanningEnabled;
                  string pathToUpdateUI;
                  string updateUIParameters;
                  uint8 updateUIMd5Hash[];
                  string pathToEnableOnAccessUI;
                  string enableOnAccessUIParameters;
                  uint8 enableOnAccessUIMd5Hash[];
                  string companyName;
                  string versionNumber;
            }
    

    Could the reporter, or somebody here, please name a few firewalls and anti-virus scanners developed by Apple (or anyone else) for Macs, just for the record?
    "I'm seeing more and more people in the security business using Macs and saying they trust them and don't have to cope with viruses and other hassles," he says. "I just wish Apple would market its security as a key feature to corporate customers."

    I don't have a Mac and am just wondering: are there fewer viruses for Macs because they used PowerPC processors in the past, when most virus writers only had access to Intel CPUs because they were cheaper alternatives...

    ...or because Macs are just too super-secure, like Mr Forno claims :rolleyes:


  • Moderators, Recreation & Hobbies Moderators, Science, Health & Environment Moderators, Technology & Internet Moderators Posts: 93,567 Mod ✭✭✭✭Capt'n Midnight


    In Windows Vista, Microsoft have changed the rules again. Most existing third party security products don't work with it because of changes. The TCP/IP stack is new too - maybe they have tweaked their code / compilers to reduce automatic creation of buffer overflow vulnerabilities, maybe not.

    OSX is BSD based, and BSD is used a lot for dedicated firewalls. Doesn't mean OSX is magically secure, but it's a good foundation. Hey, if you use Microsoft Word on a Mac you can still get Word macro viruses regardless of what processor you use.

    Windows still isn't safe without using third party products, so if you want to compare like for like, here is a list of stuff for Macs:
    http://www.firewallguide.com/macintosh.htm

    http://www.firewallguide.com/tighten.htm - for windows

    In the windows world many of the "leading security products" cause such problems, slow performance, difficult to uninstall/upgrade and generally are tolerated because of the high level of threat, especially of rapid infection of other machines in the organisation.

    I can't find accurate stats on viruses but F-Prot claims to pick up over 300,000 nasties. There are probably more viruses in the wild for either Amiga or Atari than all flavours of unix/bsd/BeOS/Solaris put together - the Atari, Amiga and pre-PPC Apples shared the same processor.


  • Closed Accounts Posts: 1,567 ✭✭✭Martyr


    Capt'n Midnight wrote:
    In Windows Vista, Microsoft have changed the rules again. Most existing third party security products don't work with it because of changes. The TCP/IP stack is new too - maybe they have tweaked their code / compilers to reduce automatic creation of buffer overflow vulnerabilities, maybe not.

    Many vendors use unsafe programming practices which can destabilise the system; Microsoft are teaching these vendors a lesson, as well as hardening the system against rootkit attacks.

    A good example of this unsafe programming is anti-virus scanners: they install hooks directly in the SSDT (system service descriptor table).
    Things like Daemon Tools also use this poor programming method, as well as hordes of rubbish rootkits.

    Registry Monitor, when it was first released, used this method, but even in the source code Mark/Bryce stated that it probably wasn't a good idea.

    For a good idea of what vendors are doing wrong, read this here

    A good point the author makes is about how AV scanners prevent a user from terminating the software from user mode:
    AV will hook NtTerminateProcess()
    The whole purpose of this particular system service hook is "shady" as well.
    The hook prevents certain KAV processes from being terminated, even by a
    legitimate computer administrator - something that is once again typically
    associated with malicious software such as rootkits rather than commercial
    software applications. One possible explanation is to attempt to prevent
    viruses from terminating the virus scanner processes itself, although one
    wonders how much of a concern this would be if KAV's real-time scanning
    mechanisms really do work as advertised.

    Additionally, KAV appears to do some state tracking just before the process is
    terminated with this system service hook. The proper way to do this would have
    been through PsSetCreateProcessNotifyRoutine, a documented kernel function that
    allows drivers to register a callback that is called on process creation and
    process exit.

    I highlighted the API in bold, because it is the proper method to use when detecting process execution and termination,
    not by hooking NtCreateProcess/NtTerminateProcess like we see in many poorly written rootkits AND, most importantly, in AV scanners and other "security" products.

    Another... peculiar note from bugcheck on rootkit.com:
    you found a bug in a device driver?!? must have been a windows driver because of course apple drivers dont have bugs... ;)

    I would say there are probably already rootkits for Macs, just not publicly known about.


  • Closed Accounts Posts: 884 ✭✭✭NutJob


    Average Joe wrote:
    here are some links:

    Maynor Pulled from Toorcon; Ellch "Rants"

    some reference to above..Security Update 2006-005 (10.3.9)


    Finally, after a long silence, the research that was to appear at Toorcon gets a public demo and is pending a release.

    Poor Maynor and Ellch had a rough time with this one.
    http://news.com.com/2061-10789_3-6163207.html


    edit: 'cause I can't spell


  • Closed Accounts Posts: 1,974 ✭✭✭mick.fr


    Mac is not less secure because they have recompiled the code on an Intel CPU.

    Take a Unix OS (FreeBSD, OpenBSD...), install KDE or Gnome, install a lot of desktop applications and you will also find a lot of security holes.

    A Unix OS is more secure out of the box because there is no X running on it; almost everything has been excluded from the original source code.
    If I remember, m0n0wall, based on FreeBSD, is 5MB in size, so yes, it makes it more secure than an OS that would be 600 MB in size with a lot of network layers, applications, services.


  • Closed Accounts Posts: 1,567 ✭✭✭Martyr


    mick.fr wrote:
    Mac is not less secure because they have recompiled the code on an Intel CPU.

    Well, we can flip the coin here and ask: how is MS Windows less secure than Macs? I know you haven't claimed this, but
    many Mac users (and some so-called "security consultant", Mr Forno) have over the years. But why do they believe this myth??

    Here is my guess.

    In the beginning, Intel CPUs were always a cheaper alternative to PowerPC (PowerPC being a better processor).

    The world was full of "cheap" IBM PCs installed with MS-DOS, which only ran on x86 hardware.
    Then we have Macs, which only ran on PowerPC and, as we know, were more expensive.

    So there were MORE Intel CPUs around; therefore it was only natural that more virus writing research occurred for MS-DOS initially, and x86 hardware.
    PowerPC wasn't excluded from research, there was just not as much done.

    Virus writers would not have access to PowerPC hardware and Mac OS; therefore there was less code written, less research, less exploitation of software and discovery of Mac OS vulnerabilities.

    But how does all that make Mac more secure?
    How can a Mac be more secure just because hardly anyone uses it?

    Research has only recently, in the last couple of years, started to take place, since being recompiled for Intel.
    Would Mr Forno NOW like to claim that Apple should promote its exceptional security history?

    Actually, Macs are more like Win9x in design, going by what some researchers have said recently, which is insecure, although I wouldn't be completely sure.
    mick.fr wrote:
    A Unix OS is more secure out of the box because there is no X running on it; almost everything has been excluded from the original source code.

    I understand the point you are making here.
    I've always thought of unix variants as being more secure because they are open source, therefore open to code auditing, which can track down a lot of bugs.
    In the case of code auditing on Windows, using binaries, this is a difficult task, but it is improving as time goes on.

    There are better tools, better documentation than ever before, so


  • Closed Accounts Posts: 884 ✭✭✭NutJob


    mick.fr wrote:
    Mac is not less secure because they have recompiled the code on an Intel CPU.

    Take a Unix OS (FreeBSD, OpenBSD...), install KDE or Gnome, install a lot of desktop applications and you will also find a lot of security holes.

    A Unix OS is more secure out of the box because there is no X running on it; almost everything has been excluded from the original source code.
    If I remember, m0n0wall, based on FreeBSD, is 5MB in size, so yes, it makes it more secure than an OS that would be 600 MB in size with a lot of network layers, applications, services.


    No disagreement there.

    I wasn't comparing platforms, though; for a long time the Mac platform was neglected in terms of security research.

    This has now changed simply due to the increased popularity of the OS. This has little to do with the move to Intel based CPUs.

    Martyr wrote:
    Well, we can flip the coin here and ask: how is MS Windows less secure than Macs? I know you haven't claimed this, but
    many Mac users (and some so-called "security consultant", Mr Forno) have over the years. But why do they believe this myth??

    Macs do have the distinct advantage of having limited users implemented from day one and the hardened Unix they grew from.


    The attack surface these days is mostly down to third party app flaws. This is where Mac has the upper hand over Vista, simply down to running as a limited user.

    Buffer overflows on Vista are just as effective as they were on XP (with third party apps!) *Shock*.
    Here's why: the address space randomisation changes in Vista only affect software compiled to take advantage of it (beware half-ported code).
    http://blogs.msdn.com/michael_howard/archive/2006/09/26/visual-studio-2005-sp1-beta-windows-vista-and-aslr.aspx
    Thus we're back to the limited permissions problem again and the gaining-a-foothold scenarios.
    Again, this will most likely change with education and time.


    Macs do not have ASLR or ASR or whatever you want to call it. But give it time, they will eventually.

    As for which one is more secure bah who cares as long as the companies fix the bugs.


  • Closed Accounts Posts: 1,974 ✭✭✭mick.fr


    Martyr wrote:
    I understand the point you are making here.
    I've always thought of unix variants as being more secure because they are open source, therefore open to code auditing, which can track down a lot of bugs.
    In the case of code auditing on Windows, using binaries, this is a difficult task, but it is improving as time goes on.

    There are better tools, better documentation than ever before, so

    I will not elaborate about Mac/Windows being less or more secure; this would take a lot of resources to prove. In some situations one is more secure and in other situations the other one is more secure.

    Open source to me is nice, but pretty pointless for the enterprises.
    They do not review application sources, unless this is a security agency such as the army, intelligence or so.

    The problem of Open Source is that it is not proven at all that it is more secure.
    And technically it is less secure, because people involved in open source are usually working in their free time and the whole quality and code review process is rarely done in the Open Source world, because of project resources (money, time...). So many Open Source applications are actually being constantly rewritten or fixed depending on the amount of feedback they got from the community.

    Microsoft or any other serious company which is not publishing its source code is reviewing the code much more seriously, going through expensive quality processes, tests etc.

    For me, Open Source does not mean more secure; it may eventually mean more freedom, but even myself, as a professional working in the IT industry, I have better things to do than reviewing the source code of applications I use on a daily basis.

    Anyway, the problem we used to have on Windows was education, and not really a less secure Operating System (well, since a few years ago now).

    The fact that almost everybody was using an admin account on a daily basis helped to spread hundreds of viruses easily on millions of PCs.
    Nobody uses a root account on Unix/Mac OS on a daily basis.
    People use another account and use the ROOT account only when it is necessary. Unix people know that. Not many Windows users...

    There are a lot more examples such as RPC, Netbios etc...

    Anyway, this has changed on Windows now, as even if you are using an admin account, you are actually logged in as a Lambda user.


  • Closed Accounts Posts: 1,974 ✭✭✭mick.fr


    NutJob wrote:
    Macs do not have ASLR or ASR or whatever you want to call it. But give it time, they will eventually.

    Do you mean the recovery tool to restore your OS and some data?


  • Closed Accounts Posts: 1,567 ✭✭✭Martyr


    mick.fr wrote:
    The problem of Open Source is that it is not proven at all that it is more secure.
    And technically it is less secure, because people involved in open source are usually working in their free time and the whole quality and code review process is rarely done in the Open Source world, because of project resources (money, time...). So many Open Source applications are actually being constantly rewritten or fixed depending on the amount of feedback they got from the community.

    I don't know of any evidence that exists to prove open source is more secure than closed source.
    But look at it this way: if you had to review the security of an operating system like Windows, would you rather audit 40 million lines of source code in C/C++, OR billions of assembly code instructions with just a disassembler/decompiler, without the friendly comments, without documentation as to what each routine does? Hell, it's difficult.

    There is a level of security in that, funnily enough, because of the difficulty in auditing closed-source software.
    Remember when LSD exposed remote holes in Windows a few years back? A very "simple" strcpy() problem, that would have been found in open source unix variants years and years ago.
    mick.fr wrote:
    The fact that almost everybody was using an admin account on a daily basis helped to spread hundreds of viruses easily on millions of PCs.
    Nobody uses a root account on Unix/Mac OS on a daily basis.
    People use another account and use the ROOT account only when it is necessary. Unix people know that. Not many Windows users...

    Yes, and there are still bugs in Windows that haven't been patched yet; most of them, as I understand, are local exploits through the RPC interface.
    There are also loads of third party applications that are vulnerable to local privilege escalation.

    I don't believe simple bugs in Windows software would exist so much if the applications were open source, available to scrutinise using advanced tools that Microsoft may not have at their disposal.

    That's just my opinion, however.
    Vista is a very new operating system; it is too early to say whether or not it is "most secure yet".
    Let's wait and see.


  • Closed Accounts Posts: 884 ✭✭✭NutJob


    mick.fr wrote:
    NutJob wrote:
    Macs do not have ASLR or ASR or whatever you want to call it. But give it time, they will eventually.

    Do you mean the recovery tool to restore your OS and some data?

    http://en.wikipedia.org/wiki/Address_space_layout_randomization

    Would be based on the Linux PaX patches and was in OpenBSD as standard (I think).

    Attempts to foil buffer overflows by essentially moving base addresses about, as exploits tended to hard code these, but depending on the version of the OS these were in known places.

    This was probably the biggest leap forward for Vista in security.


  • Closed Accounts Posts: 1,567 ✭✭✭Martyr


    NutJob wrote:
    Macs do have the distinct advantage of having limited users implemented from day one and the hardened Unix they grew from.

    The attack surface these days is mostly down to third party app flaws. This is where Mac has the upper hand over Vista, simply down to running as a limited user.

    What I don't know, and would be interesting to know, is: does Mac run in protected mode on Intel processors?
    There was a seminar at (this year's?) CCC by Amit Singh??
    The following sounds like Win9x to me:
    The kernel provides a mechanism for system-wide memory sharing, the Shared Memory Server subsystem. Using this facility, both the kernel and user programs can share code and data among all tasks on the system. It is also possible to give one or more tasks private versions of the shared memory.

    read more

    Mac OS X Internals: A Systems Approach


  • Moderators, Recreation & Hobbies Moderators, Science, Health & Environment Moderators, Technology & Internet Moderators Posts: 93,567 Mod ✭✭✭✭Capt'n Midnight


    Back in 2003 there were probably more Mac or UNIX users connected to the internet than Microsoft SQL servers. So if the "security through obscurity" model were true then those machines should have been relatively safe from attack, because who'd bother (if we ignore the value of those services). Also, only unpatched machines could be infected.
    Slammer) began to infect hosts slightly before 05:30 UTC on Saturday, January 25. Sapphire exploited a buffer overflow vulnerability in computers on the Internet running Microsoft's SQL Server or MSDE 2000 (Microsoft SQL Server Desktop Engine). This weakness in an underlying indexing service was discovered in July 2002; Microsoft released a patch for the vulnerability before it was announced
    ...
    The Sapphire Worm was the fastest computer worm in history. As it began spreading throughout the Internet, it doubled in size every 8.5 seconds. It infected more than 90 percent of vulnerable hosts within 10 minutes.
    http://www.caida.org/publications/papers/2003/sapphire/sapphire.html

    How do Macs fare in the buffer overrun vulnerability stakes?
    I'm sick of seeing remote exploits that take full control of a Windows machine because neither the programmer nor the compiler prevented input overwriting code. IIRC the non-Intel CPUs used to have advantages here because of the way they loaded data / code.

    Martyr wrote:
    But look at it this way: if you had to review the security of an operating system like Windows, would you rather audit 40 million lines of source code in C/C++, OR billions of assembly code instructions with just a disassembler/decompiler, without the friendly comments, without documentation as to what each routine does? Hell, it's difficult.
    Read the license - you aren't allowed to reverse engineer most proprietary code. So it should be machine code you'd be looking at :D


  • Closed Accounts Posts: 1,567 ✭✭✭Martyr


    Capt'n Midnight wrote:
    Read the license - you aren't allowed to reverse engineer most proprietary code. So it should be machine code you'd be looking at

    I know you're joking here :D but I don't believe that M$ would trust LSD with 40 million lines of source code..hehe

