November 27, 2007 4:31 PM PST

OS X security just not there yet

David Maynor is back on his Apple security hobby horse and rocking it faster than a 5-year-old hopped up on pre-holiday candy canes. Despite his usual over-the-top Apple invective, he makes some valid points and provides some helpful information for people using QuickTime on Windows.

"Apple announced ASLR as a feature in their latest version of the operating system, Mac OS X 10.5 (Leopard). However, Apple largely lied."

You might be surprised to hear the Macalope agree with Maynor, but he's right. OK, maybe [See update below] "lied" is too strong, but they certainly misrepresented it.

Read the OS X Leopard Security Technology Brief (PDF).

"In Leopard, libraries are loaded into random addresses when the system is installed and at any time that library prebinding is updated on the system (typically after system software updates, though you can manually force an update by running the 'update_dyld_shared_cache -force' command)."

Now read Thomas Ptacek's roundup of Leopard security features.

"The dynamic linker library (dyld) is not randomized. From what I can tell, ten different Leopard macs booted at ten different times will have the same offset to dyld.

"You care because dyld is full of useful functionality. Like, dynamically linking new libraries into memory, or recovering the base addresses for existing libraries."

Clearly, not all libraries are randomized and it's hard to take Apple's documentation any other way than saying that all of them are. [UPDATE: As a commenter points out, dyld is not a library itself. It's the pathway to libraries. So, yes, libraries are randomized, but that doesn't mean much if dyld isn't. It's like being in the witness protection program and having the government move you to an undisclosed location and then updating your address on Facebook so all your friends will know where you are!]
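One way to check the randomization claim above is to record each image's load address on several boots or machines and see which ones ever move. This is an added example, not code from the original post or from Apple; the `OBSERVATIONS` layout and every address in it are constructed for illustration.

```python
"""Classify loaded images as randomized or fixed from recorded base addresses."""

# Constructed sample data: image path -> base address seen on each of four
# boots/machines. The values are illustrative, not measurements from Leopard.
OBSERVATIONS = {
    "/usr/lib/dyld": [0x70000000, 0x70000000, 0x70000000, 0x70000000],
    "/usr/lib/libSystem.B.dylib": [0x90123000, 0x9354A000, 0x91E07000, 0x96B3C000],
    "/usr/lib/libz.1.dylib": [0x9A001000, 0x92F44000, 0x9A001000, 0x95C10000],
}

PAGE_SHIFT = 12  # 4 KiB pages: the low 12 bits of a page-aligned base never vary


def varying_bits(bases):
    """Return a mask of the address bits on which the samples do not all agree."""
    mask = 0
    for base in bases[1:]:
        mask |= bases[0] ^ base
    return mask


def assess(observations):
    """Summarise each image: distinct bases seen and address bits seen to vary.

    The bit count is only a lower bound on the real entropy, because a small
    sample cannot show every bit that the loader is able to change.
    """
    report = {}
    for image, bases in observations.items():
        mask = varying_bits(bases)
        report[image] = {
            "distinct": len(set(bases)),
            "varying_bits": bin(mask >> PAGE_SHIFT).count("1"),
            "randomized": mask != 0,
        }
    return report


def fixed_images(observations):
    """Images whose base never moved in any sample."""
    return sorted(i for i, r in assess(observations).items() if not r["randomized"])


if __name__ == "__main__":
    for image, row in assess(OBSERVATIONS).items():
        state = "randomized" if row["randomized"] else "FIXED"
        print(f"{image:28} {state:10} distinct={row['distinct']} "
              f"varying_bits={row['varying_bits']}")
```

Any image that shows up as fixed is worth reporting even when everything else moves, which is the point the dyld observation makes.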

"Microsoft has impressed the security community with its dedication to secure coding practice."

The Macalope suspects that the free keggers the company throws for security professionals and, well, everyone and their alcoholic mother don't hurt, either. And it's great that after years of making their users take it in the shorts on security by making them easy victims to, you know, actual real-world malware, that Microsoft can make bygones be bygones with security pros by tossing them some free shrimp like the barking seals that they are and then delivering a new OS with some good security features that sadly not that many people are taking advantage of because the cost in time, effort and cold, hard cash to upgrade from XP still often comes out to a losing proposition.

But the Macalope readily admits that Apple has rested on some comfortable security laurels and for every step forward they've made there's been a half a step back.

"Installing Apple code on a Microsoft Vista system will make that system unsafe. Since these QuickTime vulnerabilities are equally exploitable on both Vista and Mac OS X 10.5, the fans might conclude that both operating systems are equally safe. This is not true, Vista is vastly more secure than the Macintosh."

"Vastly" is debatable. The structure is there, Apple just needs to implement it properly. Many of the items Ptacek points out are user-correctible. Apple could be just a dot release away from fixing them if it wanted to.

"Apple's only advantage over Microsoft is their small market share, which means hackers are less interested in them. However, as hackers are having a harder time cracking Vista, they are getting more interested in the Mac, and we are seeing more exploits and more malware targeting Apple users."

This isn't yet a problem thanks to the legacy installs of XP and previous versions of Windows, but it will become more true as more Windows users inevitably adopt Vista (or move to the Mac or Linux). The situation is helped along, of course, by so-called security "professionals" who -- either because they love those Microsoft-sponsored security conferences or because they just really, really hate that "I'm a Mac" guy! -- are all too willing to yell "Look over there!"

Does the computer security industry ever strike you like a protection racket? "Nice operating system you have here. It'd be a shame if something were to happen to it."

Apple seems to be making some of the right moves, but not in a comprehensive manner. The Macalope would rather 2008 were not the year of the great Mac security epidemic.

3 comments
by GlennF November 27, 2007 7:06 PM PST
Macalope, you're torturing me! Because I think "vastly" is correct. Maynor is right. Leopard's security model is sort of a disaster. Vista is...vastly better...aieeee....ow...ow...ow...
by Hal_B November 28, 2007 11:26 AM PST
dyld is not a library. Therefore, it's not incorrect to say that libraries are randomized.

It's true that Apple's library randomization is not as effective as it could be. It's not true that the claims about what it does were misleading.
by Macalope November 28, 2007 2:30 PM PST
Corrected above. The ***** one still thinks it's misleading.

Plus, wouldn't dyld be considered a system library?
  • About The Macalope: An Apple blog

  • Born of the earth, forged in fire, the Macalope was branded "nonstandard" and "proprietary" by the IT world and considered a freak of nature. Part man, part Mac, and part antelope, the Macalope set forth on a quest to save his beloved platform. Long-eclipsed by his more prodigious cousin, the jackalope (they breed like rabbits, you know), the Macalope's time has come. Apple news and rumormonger extraordinaire, the Macalope provides a uniquely polymorphic approach. He is a member of the CNET Blog Network and is not an employee of CNET. Disclosure.
