
MacRumors

macrumors bot
Original poster
Apr 12, 2001
63,287
30,356





The Register reports on some of the new security improvements in OS X Lion, with researchers calling the changes a "major overhaul" that goes far beyond the minor security tweaks Apple made going from Mac OS X Leopard to Snow Leopard.
"It's a significant improvement, and the best way that I've described the level of security in Lion is that it's Windows 7, plus, plus," said Dino Dai Zovi, principal of security consultancy Trail of Bits and the coauthor of The Mac Hacker's Handbook. "I generally tell Mac users that if they care about security, they should upgrade to Lion sooner rather than later, and the same goes for Windows users, too."
In particular, the report points to such features as full support for address space layout randomization (ASLR), application sandboxing, and a revamped FileVault encryption system as being key to Lion's improved security.
"When they went from Leopard to Snow Leopard, as far as I'm concerned, there really wasn't any change," said Charlie Miller, principal research consultant at security firm Accuvant and the other coauthor of The Mac Hacker's Handbook. "They might have said there was more security and it was better, but at a low functionality level there really wasn't any difference. Now, they've made significant changes and it's going to be harder to exploit."
Miller isn't only interested in operating system and core application vulnerabilities, however, as evidenced by his recent discovery of a vulnerability in the chips that control the batteries in Apple's notebooks. That vulnerability could be exploited on a basic level to harm battery function or with additional effort to implant malware that could reinfect computers multiple times.
The batteries' chips are shipped with default passwords, such that anyone who discovers that password and learns to control the chips' firmware can potentially hijack them to do anything the hacker wants. That includes permanently ruining batteries at will, and may enable nastier tricks like implanting them with hidden malware that infects the computer no matter how many times software is reinstalled or even potentially causing the batteries to heat up, catch fire or explode. "These batteries just aren't designed with the idea that people will mess with them," Miller says. "What I'm showing is that it's possible to use them to do something really bad."
Miller plans to officially announce his discoveries at next month's Black Hat conference, and he will also be releasing a new "Caulkgun" tool to allow Mac notebook users to change their batteries' default passwords to randomized strings. That move would help keep hackers out of the batteries, but also prevent Apple from issuing its own upgrades and fixes for the battery firmware. Miller has also been in touch with Apple and Texas Instruments regarding the vulnerability.

Article Link: OS X Lion Raises Bar on Security, But Battery Firmware Vulnerability Surfaces
 

awsumth

macrumors newbie
Feb 27, 2011
3
6
There ought to be a way to change the battery's password and circumvent this soon.
 

jabbawok

macrumors 6502
Sep 30, 2004
313
80
Worcestershire
There ought to be a way to change the battery's password and circumvent this soon.

Miller plans to officially announce his discoveries at next month's Black Hat conference, and he will also be releasing a new "Caulkgun" tool to allow Mac notebook users to change their batteries' default passwords to randomized strings.
 

wordoflife

macrumors 604
Jul 6, 2009
7,564
37
Wow, I've never heard of this before. It's pretty interesting.
Just another great reason to use Lion.
 

NT1440

macrumors G5
May 18, 2008
14,450
20,389
There ought to be a way to change the battery's password and circumvent this soon.

That is exactly what Miller is releasing at the Black Hat conference, a permanent lockdown that changes the default passwords on the controller chips for the battery.

That said, knowing Miller is a highly respected security guy, I'm sure whatever utility he releases will change passwords to some randomized code for each run to avoid someone just using whatever password he wrote.

Edit: Beaten to the punch, you bastard! lol
 

Tucom

Cancelled
Jul 29, 2006
1,252
310
OK, most secure OS ever, love the line "I tell all users running Leopard or Snow Leopard to upgrade to Lion (and Windows users, too)", haha, I take it he means to upgrade to Lion? :D


And remote detonation, besides that, it's great to hear once again OS X is full blown the safest OS out there.
 

NT1440

macrumors G5
May 18, 2008
14,450
20,389
And remote detonation, besides that, it's great to hear once again OS X is full blown the safest OS out there.

Safest full blown commercial OS out there. Though given that there really are only two players in the game....
 

Tucom

Cancelled
Jul 29, 2006
1,252
310
Safest full blown commercial OS out there. Though given that there really are only two players in the game....

IDK, as Linux can have its vulnerabilities, but with the new security overhaul I'd be willing to put Lion up against Linux for security top dog.
 

NT1440

macrumors G5
May 18, 2008
14,450
20,389
I like what I'm reading.

I think it'd be very cool to have a small super secure OS on hand; that said, if it's coming from the DoD and approved for public use (as in allowed for download) I can only assume there is some monitoring stuff in there (regardless of the official PR).
 

Tucom

Cancelled
Jul 29, 2006
1,252
310
I think it'd be very cool to have a small super secure OS on hand; that said, if it's coming from the DoD and approved for public use (as in allowed for download) I can only assume there is some monitoring stuff in there (regardless of the official PR).

Right, and given the public announcement it's coming from the DoD, I can only imagine that's like a wet dream for hackers to get into and hack, if anything just for proof of concept, which inherently makes it LESS secure?!! There's a logic loop for ya, eh? Hehe


Seriously though, just like with OS X as you said, Linux can fall too and get outdated, it shall be interesting I think.
 

smileyborg

macrumors 6502
May 12, 2009
267
0
Does the battery firmware vulnerability require physical access to the laptop/battery? If so, that's not very worrisome. But as best I can tell from the linked article, an attack could take place without being physically in control of the system...that's definitely a big problem.
 

lilcosco08

macrumors 65816
May 27, 2010
1,224
22
Dayton
Does the battery firmware vulnerability require physical access to the laptop/battery? If so, that's not very worrisome. But as best I can tell from the linked article, an attack could take place without being physically in control of the system...that's definitely a big problem.

I'm guessing root access is needed. I could be wrong, though.
 

Tucom

Cancelled
Jul 29, 2006
1,252
310
Does the battery firmware vulnerability require physical access to the laptop/battery? If so, that's not very worrisome. But as best I can tell from the linked article, an attack could take place without being physically in control of the system...that's definitely a big problem.

For Apple's sake and the sake of the product, shout outs for the person behind finding and talking about this severe security hole. How could Apple have missed this? Then again, OS X is now incredibly secure, mistakes happen.


But this needs to be addressed ASAP, or I know I'd honestly never buy an Apple laptop with this vulnerability - that's of course to say, I wouldn't spend my well-earned money on any other laptop if it's not a Mac, but with an issue like this, I would hold off until this is alleviated. :eek:
 

munkery

macrumors 68020
Dec 18, 2006
2,217
1
This comparison uses the most recent release of Ubuntu.

Linux has a higher incidence rate of local privilege escalation vulnerabilities than OS X. So, OS X has more secure DAC.

Linux has a lower incidence rate of remote vulnerabilities than OS X. This largely negates the difference in DAC.

But, the difference in remote vulnerabilities is also prior to the new security mitigations in Lion.

ASLR, DEP, canaries (ProPolice), and mandatory access control (sandboxing) are equivalent between the two with the release of Lion. Many of the security mitigations used in OS X are derived from those in Linux.

Mac OS X's kernel has always had more secure interprocess communication (IPC) than the Linux kernel. Lion also adds sandboxing to IPC in OS X.

Password hashing in Linux is more secure. Linux uses sha512 while OS X uses salted SHA1.

Both have secured protected storage. Linux has keyring and OS X has keychain.

But, I do not believe the browser in Linux uses this secure storage. In-browser password managers have been shown to be leveraged by malware.

I would say that OS X and Linux have equivalent security given the benefits and deficits of each OS.
 

soup4you2

macrumors regular
Apr 12, 2007
236
0
I'm guessing root access is needed. I could be wrong, though.

The sad thing is that, in reality, 96% of people will just blindly type in their password when the dialog appears, giving whatever application root access to perform whatever actions it needs to perform.
 

altecXP

macrumors 65816
Aug 3, 2009
1,115
1
Um, I don't really understand this article.

The "security guy" says that Lion is great because it has ASLR, disk encryption, and sandboxing. Windows has had those since Vista, and Windows 7 improved on them. In fact, last I read OS X still didn't support DEP, and Windows has supported that since XP SP2. It reads as though he's a paid spokesperson.

It sounds like all they did was improve SL's poorly implemented version of ASLR and just bring it up to par with a full implementation, which is what Microsoft had in Vista. Sounds like OS X is just now catching up with Windows security features. If I remember, it was actually SL's poor version of ASLR that let the PWN to OWN guy hack the MacBook last year.
 

munkery

macrumors 68020
Dec 18, 2006
2,217
1
Um, I don't really understand this article.

The "security guy" says that Lion is great because it has ASLR, disk encryption, and sandboxing. Windows has had those since Vista, and Windows 7 improved on them. It reads as though he's a paid spokesperson.

Here is a comparison of OS X to Windows:

1) Until Vista, the admin account in Windows did not implement DAC in a way to prevent malware by default. Also, Windows has a far greater number of privilege escalation vulnerabilities that allow bypassing DAC restrictions even if DAC is enabled in Windows.

Much of the ability to turn these vulnerabilities into exploits is due to the insecurity of the Windows registry. Also, more easily being able to link remote exploits to local privilege escalation exploits in Windows is due to the Windows registry.

Mac OS X does not use an exposed monolithic structure, such as the Windows registry, to store system settings. Also, exposed configuration files in OS X do not exert as much influence over associated processes as the registry does in Windows.

Mac OS X Snow Leopard has contained only 2 elevation of privilege vulnerabilities since it was released; obviously, neither of these were used in malware.

http://www.exploit-db.com/bypassing-uac-with-user-privilege-under-windows-vista7-mirror/ -> guide to develop exploits to bypass UAC by manipulating registry entries for kernel mode driver vulnerabilities.

https://media.blackhat.com/bh-dc-11/Mandt/BlackHat_DC_2011_Mandt_kernelpool-wp.pdf -> more complete documentation about Windows kernel exploitation.

http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=win32k+ -> list of incidences of kernel mode driver vulnerabilities.

http://threatpost.com/en_us/blogs/tdl4-rootkit-now-using-stuxnet-bug-120710 -> article about the TDL-4 botnet which uses a UAC bypass exploit when infecting Windows 7.

2) Windows has the potential to have full ASLR but most software does not fully implement the feature. Most software in Windows has some DLLs (dynamic link libraries = Windows equivalent to dyld) which are not randomized.

http://secunia.com/gfx/pdf/DEP_ASLR_2010_paper.pdf -> article overviewing the issues with ASLR and DEP implementation in Windows.

Also, methods have been found to bypass ASLR in Windows 7.

http://vreugdenhilresearch.nl/Pwn2Own-2010-Windows7-InternetExplorer8.pdf -> article describing bypassing ASLR in Windows 7.

Mac OS X has full ASLR implemented on par with Linux. This includes ASLR with position independent executables (PIE). DLLs in Windows have to be pre-mapped at fixed addresses to avoid conflicts so full PIE is not possible with ASLR in Windows.

3) Mac OS X Lion has DEP on stack and heap for both 64-bit and 32-bit processes. Third party software that is 32-bit may lack this feature until recompiled in Xcode 4 within Lion. Not much software for OS X is still 32-bit.

But, not all software in Windows uses DEP; this includes 64-bit software. See article linked in #2.

4) Mac OS X implements canaries using ProPolice, the same mitigation used in Linux. ProPolice is considered the most thorough implementation of canaries. It is known to be much more effective than the similar system used in Windows.

http://www.blackhat.com/presentations/bh-usa-04/bh-us-04-silberman/bh-us-04-silberman-paper.pdf -> article comparing ProPolice to stack canary implementation in Windows.

5) Application sandboxing and mandatory access controls (MAC) in OS X are the same thing. More specifically, applications are sandboxed in OS X via MAC. Mac OS X uses the TrustedBSD MAC framework, which is a derivative of MAC from SE-Linux. This system is mandatory because it does not rely on inherited permissions. Both mandatorily exposed services (mDNSresponder, netbios...) and many client-side apps (Safari, Preview, TextEdit…) are sandboxed in Lion.

Windows does not have MAC. The system that provides sandboxing in Windows, called mandatory integrity controls (MIC), does not function like MAC because it is not actually mandatory. MIC functions based on inherited permissions so it is essentially an extension of DAC (see #1). If UAC is set with less restrictions or disabled in Windows, then MIC has less restrictions or is disabled.

http://www.exploit-db.com/download_pdf/16031 -> article about Mac sandbox.

http://msdn.microsoft.com/en-us/library/bb648648(v=VS.85).aspx -> MS documentation about MIC.

https://media.blackhat.com/bh-eu-11/Tom_Keetch/BlackHat_EU_2011_Keetch_Sandboxes-Slides.pdf -> researchers have found the MIC in IE is not a security boundary.

6) In relation to DAC and interprocess sandboxing in OS X in comparison with some functionality of MIC in Windows 7 (see #5), the XNU kernel used in OS X has always had more secure interprocess communication (IPC) since the initial release of OS X.

Mac OS X, via being based on Mach and BSD (UNIX foundation), facilitates IPC using mach messages secured using port rights that implement a measure of access controls on that communication. These access controls applied to IPC make it more difficult to migrate injected code from one process to another.

Adding difficulty to transporting injected code across processes reduces the likelihood of linking remote exploits to local exploits to achieve system level access.

As of OS X Lion, the XPC service has also been added to implement MAC (see #5) on IPC in OS X. (http://developer.apple.com/library/...stemStartup/Chapters/CreatingXPCServices.html)

7) Windows has far more public and/or unpatched vulnerabilities than OS X.

http://www.vupen.com/english/zerodays/ -> list of public 0days.

http://www.eeye.com/Resources/Security-Center/Research/Zero-Day-Tracker -> another list of public 0days.

http://m.prnewswire.com/news-releas...-vulnerability-in-microsoft-os-110606584.html -> article about 18 year old UAC bypass vulnerability.

8) Password handling in OS X is much more secure than Windows.

The default account created in Windows does not require a password. The protected storage API in Windows incorporates the user's password into the encryption key for items located in protected storage. If no password is set, then the encryption algorithm used is not as strong. Also, no access controls are applied to items within protected storage.

In Mac OS X, the system prompts the user to define a password at setup. This password is incorporated into the encryption keys for items stored in keychain. Access controls are implemented for items within keychain.

Also, Mac OS X uses a salted SHA1 hash, which is still considered cryptographically secure. It is more robust than the MD4 NTLMv2 hash used in Windows 7.

http://www.windowsecurity.com/articles/How-Cracked-Windows-Password-Part1.html -> article about Windows password hashing.
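A check a practitioner can run against the points in #2 and #3 above (is a given binary actually built as PIE, and does it ask the loader for a non-executable stack), written as an added example here and not code from the thread or from any of the linked papers. It parses 64-bit little-endian Linux ELF headers because those mitigation flags are the simplest to read offline; the two sample images it compares are constructed inline, and a real file can be passed as the first argument.

```python
import struct
import sys

# ELF constants as defined in the ELF specification / Linux elf.h
ELF_MAGIC = b"\x7fELF"
ELFCLASS64 = 2
ELFDATA2LSB = 1
ET_EXEC = 2                 # fixed-address executable: ASLR cannot relocate it
ET_DYN = 3                  # position-independent (PIE) executable or shared object
EM_X86_64 = 0x3E
PT_GNU_STACK = 0x6474E551   # program header carrying the requested stack permissions
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4


def elf_mitigations(data: bytes) -> dict:
    """Report PIE and NX-stack status for a 64-bit little-endian ELF image."""
    if data[:4] != ELF_MAGIC or data[4] != ELFCLASS64 or data[5] != ELFDATA2LSB:
        raise ValueError("not a 64-bit little-endian ELF image")
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    gnu_stack_flags = None
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            gnu_stack_flags = p_flags
    return {
        "pie": e_type == ET_DYN,
        "gnu_stack_present": gnu_stack_flags is not None,
        # With no PT_GNU_STACK entry the Linux loader falls back to an executable stack,
        # so a missing entry is reported as "no NX stack", not as "unknown".
        "nx_stack": gnu_stack_flags is not None and not (gnu_stack_flags & PF_X),
    }


def build_sample_elf(pie: bool, nx_stack: bool, with_gnu_stack: bool = True) -> bytes:
    """Constructed minimal ELF64 image (header plus at most one program header) for the demo."""
    ident = ELF_MAGIC + bytes([ELFCLASS64, ELFDATA2LSB, 1]) + b"\x00" * 9
    stack_flags = PF_R | PF_W | (0 if nx_stack else PF_X)
    phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    phnum = 1 if with_gnu_stack else 0
    header = struct.pack("<16sHHIQQQIHHHHHH", ident, ET_DYN if pie else ET_EXEC, EM_X86_64,
                         1, 0, 64, 0, 0, 64, 56, phnum, 64, 0, 0)
    return header + (phdr if with_gnu_stack else b"")


def main() -> None:
    if len(sys.argv) > 1:                       # inspect a real binary from disk
        with open(sys.argv[1], "rb") as fh:
            print(sys.argv[1], elf_mitigations(fh.read()))
        return
    for label, image in (("hardened (PIE + NX stack)", build_sample_elf(True, True)),
                         ("legacy (fixed address, executable stack)", build_sample_elf(False, False)),
                         ("no PT_GNU_STACK at all", build_sample_elf(True, True, with_gnu_stack=False))):
        print(f"{label}: {elf_mitigations(image)}")


if __name__ == "__main__":
    main()
```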
 

Tucom

Cancelled
Jul 29, 2006
1,252
310
Trolololol (not really, sweet info), that is an epic post, very informative, thanks.


And yeah, there are many variations of the Linux OS, however they still share certain core, root characteristics or else they wouldn't be called Linux, so I'd imagine certain Linux holes will be prevalent regardless of the distro? However, it's excellent that OS X and Linux are more or less on the same page at least given the info this guy posted.


And, for the respectively secure OS that Windows 7 is and the overhaul Microsoft took to get it to that secure state and how seriously they're taking security, I wonder just how Windows 8 will stack up security wise.

I've read Win 8 is gonna more or less be completely rewritten from the ground up and will just have an emulation layer for legacy Windows apps, a la Rosetta, but given it's not emulating a different architecture, it wouldn't affect performance too much.
 