After the Month of Kernel Bugs, are you concerned about Mac OS X security?

  • Yes

    Votes: 94 38.4%
  • No

    Votes: 151 61.6%

  • Total voters
    245

MacRumors

macrumors bot
Original poster
Apr 12, 2001
54,191
16,010
https://www.macrumors.com/images/macrumorsthreadlogodarkd.png

Last month's Month of Kernel Bugs (MOKB) has concluded, and a total of 10 Mac OS X vulnerabilities has been found. The vulnerabilities were wide-ranging, from a wireless driver exploit to a system call, multiple disk image vulnerabilities, and most recently an AppleTalk vulnerability (among others). Apple patched the first wireless driver exploit along with other unrelated vulnerabilities this week, however all remaining MOKB vulnerabilities remain un-patched.

Interview
MOKB organizer "LMH" spoke to MacRumors about the project. According to LMH, most of the project's time was spent on Linux and the Mac OS, both of which were described as "not hard" to break.

The Linux kernel takes little time to break. I'm more familiar with the code and thus it also takes less time to isolate issues. OS X kernel (XNU) takes less time but depending on the area you're checking, debugging and isolation may require a bit more time (if you take into account that AppleTalk source code is almost unreadable and totally deprecated) [...] I didn't have much time left for working on Microsoft Windows but I've received the most helpful feedback from the MSRC people on potentially interesting stuff to check. Not a huge reference of internal code nor NDA covered documents, but at least enough to start with.

In LMH's point of view, the state of Mac OS X security is not great.

From the technical perspective, OS X security is rather poor, at least when it comes to kernel-land code. This isn't a sign of negligence of Apple, but obviously when you take code from many different places and stick it together, it's prone to problems. Not just new ones but also old issues that 'went under the radar'. [...] (ed note: now comparing MS to Apple) I can say that Microsoft has a more thorough auditing process and investment when it comes to kernel code than Apple. They also have the advantage of having such code being produced within the company. Mac OS X kernel, for example, depends heavily on FreeBSD development. A security flaw in the FreeBSD kernel will likely affect OS X and probably other BSD "flavours"

However, just because LMH is a bit critical of Mac OS X's security, don't call him an Apple-hater.

Taking security arguments apart, I have to say that Mac OS X is a pretty well integrated system. It's tightly packaged [...] and nice looking. I'm an OS X user myself and I certainly feel like Apple has invested long time on tweaking the little details. Now they just have to invest a little more on security matters, but not hiring a 'turnover security firm' to do the consulting that leaves the job half done. That's what failed, IMHO.

First Adware for Mac OS X?
In related news, F-Secure claims to have received what is possibly the first ever proof-of-concept Adware program for Mac OS X. The program, dubbed iAdware, will launch Safari to specified web pages when the user used any number of applications, and installation of the adware did not require admin privileges.

[ Digg This ]
 

suneohair

macrumors 68020
Aug 27, 2006
2,136
0
I don't know but is the Adware related to this:

Sometimes when I download videos from LimeWire, and run then it will bring up a browser window and open a site. Essentially an ad. Do this supposed hole cause this?

Apple definitely needs to get more serious about security. As more people start to buy Macs, more people will start to tinker and find holes. I hope Apple will rise to the challenge.
 
Comment

longofest

Editor emeritus
Jul 10, 2003
2,875
1,532
Falls Church, VA
Apple definitely needs to get more serious about security. As more people start to buy Macs, more people will start to tinker and find holes. I hope Apple will rise to the challenge.

My feelings exactly. Its bad enough that the vulnerabilities are "easy" to discover and puncture, but as the marketshare goes up, there is no doubt that we are going to get exploited more and more, and I really don't want our OS caught with its pants down by its ankles like Windows.

Apple has a couple of advantages by being Unix based, but because its a hybrid kernel, like LMH said, they also get some inevitable vulnerabilities. They gotta get a bit more serious about auditing their code. For all of the problems MS has had, I will say this. At least they have already had them, and by now have gotten such an auditing system in place that "dummy" vulnerabilities don't get through in releases as easily.
 
Comment

LostPacket

macrumors member
Jun 26, 2003
56
0
Canada, eh
It's time to hold Apple's feet to the fire. Being soft on them isn't helping them.

I agree. Tough love is best here. It's better to have the vulnerabilities exposed in this manner than in a live scenario. Let's just hope the press from this is enough for Apple to fix the problem before we have something bigger than a proof-of-concept exploit.
 
Comment

TheBobcat

macrumors 6502
Nov 1, 2006
351
0
East Lansing, Michigan
I think Apple's response to this, in both its speed and thoroughness will give us some real hard data to go on as far as OSX's security.

Because of increasing users, and the much-maligned Mac user smugness, you can rest assured that there will be an onslaught every step of the way for Apple from here on out. They need to respond quickly, and completely, with no mercy.
 
Comment

lmalave

macrumors 68000
Nov 8, 2002
1,614
0
Chinatown NYC
I don't know but is the Adware related to this:

Sometimes when I download videos from LimeWire, and run then it will bring up a browser window and open a site. Essentially an ad. Do this supposed hole cause this?

Apple definitely needs to get more serious about security. As more people start to buy Macs, more people will start to tinker and find holes. I hope Apple will rise to the challenge.

No, that is not Adware. Adware is a program that is installed *on your computer*, so it can launch windows whenever it wants. In the case of Web pages that pop up when you are viewing a video, that's just because it's a "feature" of the particular video technology (e.g. in Real Media or Windows Media streams you can embed code to open a browser window). It's no more Adware than when you go to CNN.com and it launches a pop-up ad.
 
Comment

OhEsTen

macrumors regular
Dec 29, 2003
173
0
Tough love is right....

C'mon Apple... don't let us down here.

I agree with the other posters here that Apple needs to take this seriously and kick it into high gear. Send a message to the world (or at least your user-base) that you're on top of the situation.

I for one, feel that Apple will come through, and am glad becuase I think there will always be a huge "community effort" put into making our choice of platforms better in terms of security
 
Comment

Macula

macrumors 6502
Oct 23, 2006
434
21
All over the place
Apple needs to get serious about security. They cannot develop such an integrated, holistic line of products ("in your den, car, pocket,...") without tightening their security.

Windows Vista is NOT Windows XP. Apple risks lagging behind in that area and, in an ironic reversal of fortune, being widely considered as inferior to Microsoft in terms of security.

But if we agree that the development of a secure OS is all about utilizing sound design, coding and auditing processes, then we must also accept that the challenge will be very difficult for Apple to meet: You just cannot do that with Open Source...

Maybe it's about time Apple closed the Mac OS kernel?
 
Comment

840quadra

Moderator
Staff member
Feb 1, 2005
8,362
3,795
Twin Cities Minnesota
I agree with the few others that are concerned about this.

Our Mac OS innocence is coming to an end. Part of this is due to the growing market share, and popularity in the Operating system. The other issue I feel that is of concern, is the new challenge this OS provides for Script kiddies, and bored coders. If you have an ego, and want to get your name out, why not do what hasn't been done before, as opposed to doing what everyone else does ?

This is going to be a growing trend, and the amount of Mac Haters in the wild is quite high! Once code tricks and secrets start to get out, it is only a matter of time before OS X is targeted by thousands, much like XP!

Apple has time to take this very seriously, and work to keep this system tight and secure! Hopefully this is going to be a big part of the focus on Leopard, but only developers will really know this!


These current headlines aside

1. Pay attention to what warning messages pop up when browsing the web.

2. Only download and install software from sources that you trust, and if you do trust them, take an extra moment to think about why you trust them, and if you really need to install that piece of 3rd party software!

3. Keep your firewalls on if possible

4. Don't permanently unlock preferences, folders, or other security areas on your system using your keychain, unless you really need to do so!


There are others, however that is a good baseline to follow for some minimal security checks and balances!
 
Comment

kalisphoenix

macrumors 65816
Jul 26, 2005
1,231
1
Sober up, Steve. Less time on Time Machine and more time on solidifying the system.

AppleTalk: Who uses it, and why?
 
Comment

yellow

Moderator emeritus
Oct 21, 2003
16,016
1
Portland, OR
An interesting read in response to the kernel panic ability of the .DMG vulnerability:

Guess what I found? Not only is lmh’s diagnosis completely incorrect, but the problem isn’t a security flaw at all, let alone a critical, highly critical, or warn-everyone-via-the-BBC type event.

http://alastairs-place.net/2006/11/dmg-vulnerability/

A very insteresting read.. most of which I only barely grasp. Object oriented programming just makes my eyes glaze thinking about it.. The gist:

So, what have we learned:

• It is not a memory overwrite bug.

• It is not exploitable, except in that you can kernel panic a machine if you can persuade a user to double-click a damaged dmg file.

• It is not, therefore, possible to use this bug for privilege elevation or to execute arbitrary code in the kernel.

In fact, all lmh has found here is a bug that causes a kernel panic. Not a security flaw. Not a memory corruption bug. Just a completely orderly kernel panic. There aren’t even any processor exceptions involved; the path to the panic is perfectly normal non-exceptional code using ordinary function calls.


AppleTalk: Who uses it, and why?

No one.. and stangely it's now ON by DEFAULT in all the MacTels I've received lately. No idea why.
 
Comment

840quadra

Moderator
Staff member
Feb 1, 2005
8,362
3,795
Twin Cities Minnesota
No one.. and stangely it's now ON by DEFAULT in all the MacTels I've received lately. No idea why.

I do, and so does anyone who has a classic environment of System 7 and earlier for classic compatibility reasons.

Granted you can use TCP/IP on some of these, however the reliability of such extensions on early versions of Classic leaves much to be desired. I however turn off Appletalk when I am away from my home network.
 
Comment

longofest

Editor emeritus
Jul 10, 2003
2,875
1,532
Falls Church, VA
Sober up, Steve. Less time on Time Machine and more time on solidifying the system.

AppleTalk: Who uses it, and why?

I'm pretty sure that any time you use Personal file sharing, you are using AppleTalk.

EDIT: More info... Personal File Sharing is based off of Apple Filing Protocol. From wikipedia:

AFP versions 3.0 and greater rely exclusively on TCP/IP (port 548 or 427) for establishing communication, supporting AppleTalk only as a service discovery protocol. The AFP 2.x family supports both TCP/IP and AppleTalk for communication and service discovery. Many third-party AFP implementations use AFP 2.x, thereby supporting AppleTalk as a connection method. Still earlier versions rely exclusively on AppleTalk. For this reason, some older literature refers to AFP as "AppleTalk Filing Protocol". Other literature may refer to AFP as "AppleShare," the name of the Mac OS 9 (and earlier) AFP client.
 
Comment

hayesk

macrumors 65816
May 20, 2003
1,450
85
I would really like to see how they installed this.

As far as I know, a web page can't save and install files, so how does the adware get installed in the first place. Does it trick the user into running an app? If so, then I wouldn't consider that a security hole.
 
Comment

~Shard~

macrumors P6
Jun 4, 2003
18,377
44
1123.6536.5321
Honestly, this is great news. :cool:

So many Mac users are completely ignorant and oblivious to the fact that their Mac is, contrary to popular belief, not that secure in some respects. Many Mac zealots and apologists will tout how bullet-proof OS X is, how it's nothing like Windows, how it's amazingly secure - well, it isn't in some cases.

Sure, it's still better in many respects than Windows, but Mac users should not be lured into a false sense of security over these matters. They need to be smart with their systems and not take anything for granted. Hopefully reports like this will assist those people in seeing the light. As Mac marketshare increases and more of a spotlight is put on OS X, it will attract more people who will try and exploit security vulnerabilities and so forth, so now more than ever this type of information needs to be made known. And more importantly, Apple needs to agressively address such matters timely and effectively.

OS X is great, but it isn't perfect. :cool:
 
Comment

orbital

macrumors member
Apr 18, 2006
82
0
Apple really really needs to get on this... As far as some Script Kiddie wanting to make a name for themself the mass of mac users would need to be higher. There are still currently not enough mac users to warrent such acts, you would not get notice. I feel that a lot of coders find holes in XP because then they can exploit big business, were as macs are more often than not home computers. If apple its athe big 10% mark this will all change.
 
Comment
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.