Major overhaul makes OS X Lion king of security
http://www.theregister.co.uk/2011/07/21/mac_os_x_lion_security/
“It's a significant improvement, and the best way that I've described the level of security in Lion is that it's Windows 7, plus, plus,” said Dino Dai Zovi, principal of security consultancy Trail of Bits and the coauthor of The Mac Hacker's Handbook. “
I generally tell Mac users that if they care about security, they should upgrade to Lion sooner rather than later, and the same goes for Windows users, too.”
Here is a more thorough comparison:
1) Until Vista, the admin account in Windows did not implement DAC in a way to prevent malware by default. Also, Windows has a far greater number of privilege escalation vulnerabilities that allow bypassing DAC restrictions even if DAC is enabled in Windows.
Much of the ability to turn these vulnerabilities into exploits is due to the insecurity of the Windows registry. Also, more easily being able to link remote exploits to local privilege escalation exploits in Windows is due to the Windows registry.
Mac OS X does not use an exposed monolithic structure, such as the Windows registry, to store system settings. Also, exposed configuration files in OS X do not exert as much influence over associated processes as the registry does in Windows.
Mac OS X Snow Leopard has contained only 2 elevation of privilege vulnerabilities since it was released; obviously, neither of these were used in malware.
http://www.exploit-db.com/bypassing-uac-with-user-privilege-under-windows-vista7-mirror/ -> guide to develop exploits to bypass UAC by manipulating registry entries for kernel mode driver vulnerabilities.
https://media.blackhat.com/bh-dc-11/Mandt/BlackHat_DC_2011_Mandt_kernelpool-wp.pdf -> more complete documentation about Windows kernel exploitation.
http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=win32k+ -> list of incidences of kernel mode driver vulnerabilities.
http://threatpost.com/en_us/blogs/tdl4-rootkit-now-using-stuxnet-bug-120710 -> article about the TDL-4 botnet which uses a UAC bypass exploit when infecting Windows 7.
2) Windows has the potential to have full ASLR but most software does not fully implement the feature. Most software in Windows has some DLLs (dynamic link libraries = Windows equivalent to dyld) which are not randomized.
http://secunia.com/gfx/pdf/DEP_ASLR_2010_paper.pdf -> article overviewing the issues with ASLR and DEP implementation in Windows.
Also, methods have been found to bypass ASLR in Windows 7.
http://vreugdenhilresearch.nl/Pwn2Own-2010-Windows7-InternetExplorer8.pdf -> article describing bypassing ASLR in Windows 7.
Mac OS X has full ASLR implemented on par with Linux. This includes ASLR with position independent executables (PIE). DLLs in Windows have to be pre-mapped at fixed addresses to avoid conflicts so full PIE is not possible with ASLR in Windows.
3) Mac OS X Lion has DEP on stack and heap for both 64-bit and 32-bit processes. Third party software that is 32-bit may lack this feature until recompiled in Xcode 4 within Lion. Not much software for OS X is still 32-bit.
But, not all software in Windows uses DEP; this includes 64-bit software. See article linked in #2.
4) Mac OS X implements canaries using ProPolice, the same mitigation used in Linux. ProPolice is considered the most thorough implementation of canaries. It is known to be much more effective than the similar system used in Windows.
http://www.blackhat.com/presentations/bh-usa-04/bh-us-04-silberman/bh-us-04-silberman-paper.pdf -> article comparing ProPolice to stack canary implementation in Windows.
5) Application sandboxing and mandatory access controls (MAC) in OS X are the same thing. More specifically, applications are sandboxed in OS X via MAC. Mac OS X uses the TrustedBSD MAC framework, which is a derivative of MAC from SE-Linux. This system is mandatory because it does not rely on inherited permissions. Both mandatorily exposed services (mDNSresponder, netbios...) and many client-side apps (Safari, Preview, TextEdit…) are sandboxed in Lion.
Windows does not have MAC. The system that provides sandboxing in Windows, called mandatory integrity controls (MIC), does not function like MAC because it is not actually mandatory. MIC functions based on inherited permissions so it is essentially an extension of DAC (see #1). If UAC is set with less restrictions or disabled in Windows, then MIC has less restrictions or is disabled.
http://www.exploit-db.com/download_pdf/16031 -> article about Mac sandbox.
http://msdn.microsoft.com/en-us/library/bb648648(v=VS.85).aspx -> MS documentation about MIC.
https://media.blackhat.com/bh-eu-11/Tom_Keetch/BlackHat_EU_2011_Keetch_Sandboxes-Slides.pdf -> researchers have found the MIC in IE is not a security boundary.
6) In relation to DAC and interprocess sandboxing in OS X in comparison with some functionality of MIC in Windows 7 (see #5), the XNU kernel used in OS X has always had more secure interprocess communication (IPC) since the initial release of OS X.
Mac OS X, via being based on Mach and BSD (UNIX foundation), facilitates IPC using mach messages secured using port rights that implement a measure of access controls on that communication. These access controls applied to IPC make it more difficult to migrate injected code from one process to another.
Adding difficulty to transporting injected code across processes reduces the likelihood of linking remote exploits to local exploits to achieve system level access.
As of OS X Lion, the XPC service has also been added to implement MAC (see #5) on IPC in OS X. (
http://developer.apple.com/library/...stemStartup/Chapters/CreatingXPCServices.html)
7) Windows has far more public and/or unpatched vulnerabilities than OS X.
http://www.vupen.com/english/zerodays/ -> list of public 0days.
http://www.eeye.com/Resources/Security-Center/Research/Zero-Day-Tracker -> another list of public 0days.
http://m.prnewswire.com/news-releas...-vulnerability-in-microsoft-os-110606584.html -> article about 18 year old UAC bypass vulnerability.
8) Password handling in OS X is much more secure than Windows.
The default account created in Windows does not require a password. The protected storage API in Windows incorporates the users password into the encryption key for items located in protected storage. If no password is set, then the encryption algorithm used is not as strong. Also, no access controls are applied to items within protected storage.
In Mac OS X, the system prompts the user to define a password at setup. This password is incorporated into the encryption keys for items stored in keychain. Access controls are implemented for items within keychain.
Also, Mac OS X uses a salted SHA1 hash, which is still considered cryptographically secure. It is more robust than the MD4 NTLMv2 hash used in Windows 7.
http://www.windowsecurity.com/articles/How-Cracked-Windows-Password-Part1.html -> article about Windows password hashing.
(Not saying that ASLR on mac is somehow better than on those other systems as they are today, though).
