Security and the Mac – The Scary Truth

Mac security has been in the news lately, with the ten-second pwning of OS X. Now, it’s a huge stretch to say that someone could walk up to a Mac and hack in within ten seconds, but it’s a warning to those out there who think the Mac is invulnerable. While there has been nothing major on the malware front for OS X yet, that doesn’t mean OS X is impenetrable. For those out there who think OS X is perfectly safe, here’s the scary truth:

Why you think you’re safe – Lack of Attention:

Like an unlocked door in a small crime-free town, you think you are safe, but it’s only because you are so far removed from crime. Finding vulnerabilities and getting an exploit working takes time, which many malware authors are happy to invest. However, their platform of choice is Windows, and that’s why Windows has such a hard time security-wise. Yes, Windows has “gaping holes” of vulnerabilities, but you know what? So does OS X. It’s inevitable in an OS. These vulnerabilities just need to be found, and if no one is looking, they won’t be. Now, if malware authors turned their attention to OS X, you’d see a very different side of things.

Another point that needs to be made is that the world is not centered around the United States. Mac market share is growing, but globally it’s nowhere near the same as US market share. Malware authors are a global group from many different countries, countries where Windows has a huge majority and in which Apple doesn’t really sell computers.

Windows is also a dominant force in the Enterprise market and that’s where the money is. As Apple gains ground in the Enterprise, this will also attract unwanted attention.

All of this inattention by malware authors lulls Mac users into thinking we’re safe and there never will be any problems. It’s security by obscurity. Here’s the reality:

Commonly shared programs:

Windows and OS X share common programs. Microsoft Office, Firefox, Adobe Reader, QuickTime and Flash are common to both platforms. This is important because a Firefox, PDF or QuickTime vulnerability can affect both systems. The most notable of these was the major Flash exploit from last year.

It doesn’t take a compromised system to steal an identity:

One of the latest trends in malware is to mess with your DNS settings. What this means is that when you think you’re going to your bank’s website, you are actually redirected to a phishing site without even knowing. Or, even more deadly – a man-in-the-middle attack takes place where you think you are on your bank’s site, and you are, except there’s someone else listening in.

There’s already malware out in the wild that does this specifically for OS X. OSX/RSPlug is quite active, and while it does require user activation, just like malware in email attachments and the “scareware” popups on Windows, authors are pretty good at getting people to click and allow the install. Especially if they’re thinking OS X is invulnerable.
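Because a DNS-changer leaves the system otherwise healthy, the thing to check is the resolver configuration itself. The script below is an added example, not code from the post: it parses the text format printed by `scutil --dns` (lines such as `nameserver[0] : 192.168.1.1`) and the standard `/etc/hosts` layout, flags any resolver that is neither on your local network nor one you configured on purpose, and flags hosts-file entries that pin a domain you care about (a bank, say) to a fixed address. The `scutil` output, the hosts file and the IP addresses below are constructed samples using documentation ranges; `TRUSTED_RESOLVERS` and `WATCHED_DOMAINS` are assumptions you would fill in for your own machine.

```python
"""Audit the DNS settings OS X actually resolves with, the part of the system a
DNS-changer such as RSPlug alters.  Added example, not code from the post.

Assumptions: `scutil --dns` prints lines like "nameserver[0] : 1.2.3.4" and
/etc/hosts uses the usual "ip hostname [alias ...]" layout.  All sample text
below is constructed for the demo.
"""
import ipaddress
import re
import subprocess

NAMESERVER_RE = re.compile(r"^\s*nameserver\[\d+\]\s*:\s*(\S+)")

# Networks a home or office resolver legitimately lives on: RFC 1918,
# link-local and loopback.  Anything else that you did not configure is suspect.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "127.0.0.0/8", "fe80::/10", "::1/128",
)]


def parse_scutil_dns(text):
    """Return the distinct resolver addresses listed in scutil --dns output."""
    servers = []
    for line in text.splitlines():
        m = NAMESERVER_RE.match(line)
        if m and m.group(1) not in servers:
            servers.append(m.group(1))
    return servers


def is_local(addr):
    """True if addr parses as an IP inside one of LOCAL_NETS."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in LOCAL_NETS)


def suspicious_nameservers(servers, trusted):
    """Resolvers that are neither local nor in the set you configured yourself."""
    return [s for s in servers if not is_local(s) and s not in trusted]


def hosts_overrides(hosts_text, watched_domains):
    """(hostname, ip) pairs in /etc/hosts that pin a watched domain to an IP."""
    hits = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            if any(name == d or name.endswith("." + d) for d in watched_domains):
                hits.append((name, ip))
    return hits


def audit(scutil_text, hosts_text, trusted, watched_domains):
    """Combine both checks into one list of findings (empty list means clean)."""
    findings = []
    for s in suspicious_nameservers(parse_scutil_dns(scutil_text), trusted):
        findings.append("unexpected resolver %s" % s)
    for name, ip in hosts_overrides(hosts_text, watched_domains):
        findings.append("/etc/hosts pins %s to %s" % (name, ip))
    return findings


# Constructed sample: a home router plus one resolver nobody configured, and a
# hosts entry that silently redirects a (fictitious) bank domain.
SAMPLE_SCUTIL = """\
DNS configuration

resolver #1
  nameserver[0] : 192.168.1.1
  nameserver[1] : 203.0.113.5
  if_index : 4 (en0)

resolver #2
  domain   : local
  options  : mdns
"""

SAMPLE_HOSTS = """\
##
# Host Database
##
127.0.0.1       localhost
255.255.255.255 broadcasthost
203.0.113.9     www.examplebank.com   # constructed: an entry that should not be here
"""

TRUSTED_RESOLVERS = {"8.8.8.8"}          # assumption: resolvers you set on purpose
WATCHED_DOMAINS = ["examplebank.com"]     # assumption: domains you care about most


if __name__ == "__main__":
    # On a real Mac, read the live configuration; fall back to the samples elsewhere.
    try:
        live_dns = subprocess.run(["scutil", "--dns"], capture_output=True,
                                  text=True, check=True).stdout
        with open("/etc/hosts") as fh:
            live_hosts = fh.read()
    except (OSError, subprocess.CalledProcessError):
        live_dns, live_hosts = SAMPLE_SCUTIL, SAMPLE_HOSTS
    for line in audit(live_dns, live_hosts, TRUSTED_RESOLVERS, WATCHED_DOMAINS) or ["no findings"]:
        print(line)
```

Run it periodically (or after installing anything that asked for your password) and compare against a known-good list of resolvers; a public resolver you never configured is exactly the footprint a DNS-changer leaves.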

OS X Security Architecture:

Here’s where we get into the real scary stuff. These are the reasons OS X’s clean record really comes down to malware authors not being interested in the Mac.

What’s under the hood: The many open source daemons and services bundled with OS X are usually a few months behind their upstream releases. A security flaw could go unpatched for a while, waiting for Apple to release an update. Luckily these services are turned off by default, yet anyone with administrator rights can turn them on. Most people I’ve seen run as administrators on their personal machines, and many have services like file sharing and screen sharing running. The solution to this is not to run as an administrator, and to turn off these services if you aren’t using them. Not too scary, but it can be if services are left running and unpatched.

Memory Randomization: A feature new to Leopard is dynamically randomizing memory addresses to make exploits much harder to write. Sounds great. Too bad Apple didn’t go all the way with this feature, and it’s why the Mac is insecure. They didn’t randomize the entire system, only a small portion, and if you did want to go looking for memory locations, Apple made it real easy for you. dyld_shared_cache_i386.map not only contains exact memory locations, it tells you exactly which process is using them. This is one reason why researchers like Charlie Miller label the Mac as easy to target. “With my Safari exploit, I put the code into a process and I know exactly where it’s going to be. There’s no randomization. I know when I jump there, the code is there and I can execute it there,” says Miller.

While all the headlines are on Charlie Miller for pwning OS X in ten seconds (not truly accurate if you count the time he spent researching his exploit), another researcher, Vincenzo Iozzo, did something scarier. He was able to inject malicious code directly into OS X without leaving any forensic traces.

Another recent development is the updating of Metasploit for the Mac. This tool is used by both researchers and malware authors, and now it has even better code for the Mac. The ultimate goal of openness is to allow research to improve security; the other side of the coin is that it gives malware authors tools to work with as well.

What can you do?

To make sure OS X is as secure as possible the best things you can do are as follows:

- Create a Standard User for yourself and use that account for day to day use.

- Don’t leave services running if you aren’t using them.

- Lock down access to the services in the “Sharing” panel of System Preferences.

- Set Software Update to Download and Install updates in the background.

- Set software update to check for updates at least weekly.

- Keep up to date with all third party software updates (Firefox, Flash, etc.).

- Use the NoScript addon with Firefox.

- Disable Java in your browser if you aren’t using it.
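Most of those steps can be verified from the command line rather than clicked through once and forgotten. The script below is an added example, not code from the post: it checks the account, sharing-service and Software Update items by parsing the text that `dscl . -read /Groups/admin GroupMembership`, `launchctl list` and `defaults read /Library/Preferences/com.apple.SoftwareUpdate` print. The command names, the launchd labels in `SHARING_LABELS` and the Software Update keys are as I recall them from Leopard-era OS X and should be treated as assumptions to verify on your version; the sample outputs are constructed for a machine that fails several of the checks.

```python
"""Check the hardening list against what a Mac reports about itself.
Added example, not code from the post.

Assumed command output formats (verify on your OS X version):
  dscl . -read /Groups/admin GroupMembership   -> "GroupMembership: root alice"
  launchctl list                               -> "PID\tStatus\tLabel" rows
  defaults read /Library/Preferences/com.apple.SoftwareUpdate -> "key = value;" rows
"""
import os
import re
import subprocess

# Launchd labels behind the Sharing preference pane (assumed labels).  A job that
# launchd has loaded is listening, even when its PID column shows "-".
SHARING_LABELS = {
    "com.apple.AppleFileServer": "File Sharing (AFP)",
    "com.apple.screensharing": "Screen Sharing",
    "com.openssh.sshd": "Remote Login (SSH)",
    "org.apache.httpd": "Web Sharing",
}


def admin_members(dscl_text):
    """Usernames in the admin group, parsed from dscl output."""
    for line in dscl_text.splitlines():
        if line.startswith("GroupMembership:"):
            return line.split(":", 1)[1].split()
    return []


def enabled_sharing_services(launchctl_text):
    """Friendly names of sharing daemons that launchd currently has loaded."""
    found = []
    for line in launchctl_text.splitlines()[1:]:      # skip the header row
        cols = line.split()
        if len(cols) >= 3 and cols[2] in SHARING_LABELS:
            found.append(SHARING_LABELS[cols[2]])
    return found


def parse_defaults(defaults_text):
    """Turn the `key = value;` lines of `defaults read` into a dict of strings."""
    settings = {}
    for line in defaults_text.splitlines():
        m = re.match(r'^\s*"?(\w+)"?\s*=\s*(.+?);\s*$', line)
        if m:
            settings[m.group(1)] = m.group(2).strip().strip('"')
    return settings


def audit(user, dscl_text, launchctl_text, defaults_text):
    """Return one finding per hardening step that is not in place (empty = good)."""
    findings = []
    if user in admin_members(dscl_text):
        findings.append("%s is an administrator; use a Standard account day to day" % user)
    for svc in enabled_sharing_services(launchctl_text):
        findings.append("%s is enabled; turn it off in Sharing if unused" % svc)
    s = parse_defaults(defaults_text)
    if s.get("AutomaticCheckEnabled") != "1":
        findings.append("Software Update is not checking automatically")
    if s.get("AutomaticDownload") != "1":
        findings.append("Software Update is not downloading updates in the background")
    if int(s.get("ScheduleFrequency", "7")) > 7:       # frequency is in days
        findings.append("Software Update checks less often than weekly")
    return findings


# Constructed sample output for a machine that fails most of the checks.
SAMPLE_DSCL = "GroupMembership: root alice\n"
SAMPLE_LAUNCHCTL = """\
PID\tStatus\tLabel
-\t0\tcom.apple.launchctl.System
512\t-\tcom.apple.screensharing
-\t0\tcom.openssh.sshd
"""
SAMPLE_DEFAULTS = """\
{
    AutomaticCheckEnabled = 1;
    AutomaticDownload = 0;
    ScheduleFrequency = 30;
}
"""


def _run(cmd):
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    # On a real Mac, ask the system; anywhere else, demonstrate on the samples.
    try:
        dscl = _run(["dscl", ".", "-read", "/Groups/admin", "GroupMembership"])
        launchctl = _run(["launchctl", "list"])
        defaults = _run(["defaults", "read", "/Library/Preferences/com.apple.SoftwareUpdate"])
        user = os.environ.get("USER", "")
    except (OSError, subprocess.CalledProcessError):
        dscl, launchctl, defaults, user = SAMPLE_DSCL, SAMPLE_LAUNCHCTL, SAMPLE_DEFAULTS, "alice"
    for line in audit(user, dscl, launchctl, defaults) or ["all checks passed"]:
        print(line)
```

Every finding maps back to one bullet in the list, so the output doubles as a to-do list; the account check is the one people most often skip, because a Standard account still gets an admin prompt when it needs one.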

Lastly, I do believe that Apple will fix many of these flaws in the next release of OS X, Snow Leopard. When that comes out, it will be a wise upgrade. At least for the moment the Mac is safe, but for how long will that last?

