suga's blog 徒然なるままに
I thought I would jot down my rambling thoughts, just as they come to me.

Researcher thinks Mac OS X is easy to exploit


News Blog: Recent posts on technology, trends, and more

August 13, 2007 2:37 PM PDT
Posted by Robert Vamosi

Charles Miller is no stranger to Apple and its products. In July Miller and his colleagues at Independent Security Evaluators discovered the first known vulnerability within the Apple iPhone. They then worked with the Cupertino vendor to release a patch for iPhone just the day before the start of the annual Black Hat Briefings in Las Vegas. But all that goodwill didn't stop Miller from talking about pending problems lurking deep within the Mac OS. "Macs," he said, "are as easy to hack as they are to use."

During a 20-minute Turbo talk, "Hacking Leopard: Tools and techniques for attacking the newest Mac OS X," Miller said that for some reason the Mac OS has 50-plus suid root programs, including a few odd ones such as Locum, NetCfgTool, and TimeZoneSettingTool. Given the root access these tools have, they provide at least one vector for attack.
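A defender's check on the suid root point above, added here as an example and not part of the original article: it inventories setuid files owned by a given uid and compares the result with a reviewed baseline. The directory layout, function names and baseline are assumptions; only the three program names come from the article.

```python
import os
import stat
import tempfile

def find_setuid(root, owner_uid=0):
    """Sorted paths of regular files under root that carry the setuid bit
    and are owned by owner_uid (0 = root)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):  # symlinked dirs are not followed
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # judge the entry itself, not a link target
            except OSError:
                continue  # vanished or unreadable entry
            if (stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID
                    and st.st_uid == owner_uid):
                hits.append(path)
    return sorted(hits)

def drift(found, baseline):
    """Return (unexpected, missing) relative to a reviewed baseline."""
    found, baseline = set(found), set(baseline)
    return sorted(found - baseline), sorted(baseline - found)

def build_sample_tree(base):
    """Constructed sample: three setuid files and one ordinary file.
    Names are from the article; the 'sbin' layout is made up."""
    os.makedirs(os.path.join(base, "sbin"))
    paths = {}
    for name, mode in [("Locum", 0o4755), ("NetCfgTool", 0o4755),
                       ("TimeZoneSettingTool", 0o4755), ("ls", 0o755)]:
        p = os.path.join(base, "sbin", name)
        open(p, "w").close()
        os.chmod(p, mode)
        paths[name] = p
    return paths

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        paths = build_sample_tree(tmp)
        # Sample files belong to the current user, so audit for that uid.
        # On a real host keep owner_uid=0 and scan the system volume as root.
        found = find_setuid(tmp, owner_uid=os.getuid())
        baseline = [paths["Locum"], paths["NetCfgTool"]]  # reviewed, accepted
        unexpected, missing = drift(found, baseline)
        print("unexpected:", unexpected, "missing:", missing)
```

Anything reported as unexpected is a privileged binary nobody has reviewed; the usual follow-up is to confirm it needs the setuid bit at all and drop the bit where it does not.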

Another vector is Safari, the browser from Apple. Safari, when opened, also opens several applications, including Address Book, Finder, iChat, Script Editor, iTunes, Dictionary, Help Viewer, iCal, Keynote, Mail, iPhoto, QuickTime Player, Sherlock, Terminal, BOMArchiveHelper, Preview, and DiskImageMounter. A flaw in any one of these could be easily exploited over the Web. That's because Apple's operating system doesn't randomize the location of the stack, the heap, the binary image, or the dynamic libraries, meaning an attacker would know where in memory these applications are loaded on almost every machine running Mac OS X.

Open source is yet another vector for new attacks on Apple Macs. Miller said that on July 31, Apple did update its version of Samba--but for the first time in two and a half years, and the latest version still fell short of the current open source version. To prove his point, he presented a slide with the following information.

Package    Mac OS X    Open Source
OpenSSH    4.5p1       4.6p1
OpenSSL    0.9.8d      0.9.8e
Apache     1.3.33      1.3.37
Samba      3.0.10      3.0.25b
Cups       1.1.23      1.2.11

Miller said his formula for finding a 0-day on a Mac is this: "Find an open source package that they use that's out of date--there's, like I said, plenty of those." He then suggested reading through the changelog for the current version of any of the open source packages above to find a usable bug that has been fixed in the newer version but still leaves Mac OS X users vulnerable. Miller said by doing this, "you won't have to worry about static analysis or fuzzing or any of that stuff."

Several attempts to contact Apple for comment on this story went unanswered.
posted at 08:32:28 on 08/14/07 by suga - Category: Apple & Macintosh
