Exactly. My point (along with others here) is that we want OS X to continue faring significantly better by having Apple be more responsive in patching security holes.

I totally agree with you, but OS X is not faring better in the domain of malware in relation to the security issues investigated by PWN2OWN.

PWN2OWN is looking at local area network attacks and not issues related to malware.

The reason OS X and Linux are faring better is because of the emphasis on the direction they are already taking. That direction being targeting issues related to malware.

An example of this is the new malware detection found in Snow Leopard that warns before installing known malware (trojans) and the protection from its UNIX foundation.
 
Identity theft in relation to mitm attacks, as used in PWN2OWN, occurs due to eavesdropping and not arbitrary code execution.

As I posted above (post #456), the pwn2own contest rules require remote code execution on the target in order to win. Eavesdropping is not sufficient to win the contest.

This is clearly and definitely stated for the 2008 and 2009 contest rules. It is also clearly stated with regard to mobile devices for the 2010 rules. It is less clear for the laptop devices, but I have no reason to think it will be any different this time than it was in previous contests.

The 2008 rules clearly say that a specific file at a specific location on the target must be obtained by the attacker, as proof of remote code execution. That is a lot more than eavesdropping, nor does it require a mitm attack to cause it. Mitm is just one avenue of attack among many. It is possible to compromise a target without using a mitm attack, if a suitable system component contains a flaw (for example, mdnsresponder).
 
I'm sorry, but when you're criticizing a guy saying that he's a bitter ex-Apple employee because he's concerned about OS X's security and Apple's efficiency in patching it, that's a problem.

No, I'm referring to Mattie Num Num's historical commentary on this forum, which speaks for itself.

As Apple fans, it's our job to demand more of Apple to fix our favorite OS, not be complacent, or worse yet, arrogant about the lack of malware.

Of course Apple needs to stay on top of security. I never said otherwise. That doesn't make one arrogant to point out the very real fact that OS X is the safer place to be - regardless of the reason(s) for it.

There is such a thing as karma, and it'll come back to bite us all in the nether regions one of these days.

Perhaps, but I've been hearing this for years already - mainly from the anti-Apple naysayers (miserable from their own unsafe computing environments no doubt) and from those who get page hits (and $$$) by trumpeting the latest OS X security crisis.

It's everyone's concern. Not just Windows users.

Indeed. Speaking of which, you'd think someone with the Windows expertise and enthusiasm of an AidenShaw, for example, would be far more effective trying to help educate the billions of Windows users actually suffering from Windows security problems rather than endlessly (and fruitlessly) try to convince members of MacRumors that Windows is a better - and safer - choice for computing.

Some people are here only to poison the well, and it's with those people that I take exception.
 
As I posted above (post #456), the pwn2own contest rules require remote code execution on the target in order to win. Eavesdropping is not sufficient to win the contest.

This is clearly and definitely stated for the 2008 and 2009 contest rules. It is also clearly stated with regard to mobile devices for the 2010 rules. It is less clear for the laptop devices, but I have no reason to think it will be any different this time than it was in previous contests.

The 2008 rules clearly say that a specific file at a specific location on the target must be obtained by the attacker, as proof of remote code execution. That is a lot more than eavesdropping, nor does it require a mitm attack to cause it. Mitm is just one avenue of attack among many. It is possible to compromise a target without using a mitm attack, if a suitable system component contains a flaw (for example, mdnsresponder).

Is this better?

Miller's exploit required a mitm approach over a local area network. He did achieve arbitrary code execution but the scenario was artificial in that he instructed the target where to go to get hacked.

Identity theft in the wild and in relation to mitm attacks most often occurs due to eavesdropping and not due to arbitrary code execution.

Arbitrary code execution applied in mitm attacks for identity theft occurs much less often due to the variable of the target computer user's intervention.

The actual occurrence of the target computer user's inadvertent intervention is unlikely as the attacker would have to get the target to navigate to a malicious URL without the target being aware of the intent of the attacker.

If I remember correctly none of the OSes were hacked until the user of the target computer was instructed by the attacker where to go to get hacked. The target was not just going about their normal daily Internet activities.

Once the malicious URL injected code into the system, the attacker could access the system via being the mitm. Without being on the same network (hub/switch or unencrypted wireless), the attacker could not get into the system.

What is the chance that the attacker will motivate the target to the malicious URL in a way that is not indicative of intent if the target is only in the range of attack for only a few hours, such as waiting at the airport and using an unencrypted wireless connection at the airport while waiting?
 
No, I'm referring to Mattie Num Num's historical commentary on this forum, which speaks for itself.
Of course Apple needs to stay on top of security. I never said otherwise. That doesn't make one arrogant to point out the very real fact that OS X is the safer place to be - regardless of the reason(s) for it.

I don't research every post made by every forum member when reading a thread; it's much too time consuming. I was addressing Mattie Num Num's contributions to this thread, which are quite relevant without being disparaging to Apple/OS X/Macs.

And arrogance is indeed rampant on this forum, even this very thread. Constantly trumpeting the lack of virus/malware problems, saying that one can surf the web unhindered by malware without a care in the world is certainly asking for it, IMO. One should still practice safe internet, even on a Mac.

Perhaps, but I've been hearing this for years already - mainly from the anti-Apple naysayers (miserable from their own unsafe computing environments no doubt) and from those who get page hits (and $$$) by trumpeting the latest OS X security crisis.

I see no current OS X security crisis, nor do I see one being trumpeted here. Merely some security concerns that hopefully Apple will patch as soon as they're made aware.

Indeed. Speaking of which, you'd think someone with the Windows expertise and enthusiasm of an AidenShaw, for example, would be far more effective trying to help educate the billions of Windows users actually suffering from Windows security problems rather than endlessly (and fruitlessly) try to convince members of MacRumors that Windows is a better - and safer - choice for computing.

Some people are here only to poison the well, and it's with those people that I take exception.

I wasn't really referring to AidenShaw, but I do wonder what enjoyment he derives from participating on a Mac-centric forum when he clearly doesn't care for them, nor own one. But to each their own.
 
I hope Apple patches these fast. Historically, Apple takes an outrageously long time before they patch known holes.
 
And arrogance is indeed rampant on this forum, even this very thread.

I will admit it. I can be fairly arrogant. It is in my DNA and I can't help it from manifesting in forums on the internet. LOL

I know that was targeted for many individuals but I like to be honest about my failings. LOL
 
Not a virus. It's a worm that spreads itself by sending a file to another user via iChat. The user still has to allow the file transfer, download it and install it. It didn't even make any impact. Just a test worm that Sophos found, and they're spreading FUD around. Don't trust any anti-virus vendors about "finding the first virus"; they do that to spread the sales of their Mac antivirus product, which almost nobody on the Mac needs. The fact that Sophos has to redefine the word to fit their needs, plus the obvious sales pitch at the bottom, has my BS meter going off.

So it only counts if it is a virus and not a worm (and an end-user would want neither, by the way), and if it is a malicious person doing it and not an antivirus company? Right. Drink more Kool-Aid.
 
I'm naive? That's a worm, not a virus.

define for me the difference between a virus and a worm. Tell me how an end-user would want either.

Both usually take advantage of an unpatched security vulnerability, and both often require user interaction to get in.
 
My response is that the article does not apply to 7. It applies to Vista. It even says Vista in the title. It was also posted back in 2008. You have to edit the group policy to get the dialog box I got, according to that article. I edited nothing and get that dialog box. I used automatic updates and still don't get it. Which means it's the default setup for 7. You'd have to alter 7 for the box you got to appear. This is also the first I've heard of that.
Just saying it's strange if we both have the same OS, same settings and get different results.

dude, you're wrong...let it go.
 
Miller's exploit required a mitm approach over a local area network.

Do you know this for a fact? If so, cite your source.

AFAICT, the exact flaw that Miller exploited to win the competition was not revealed. The flaw was submitted to Apple under "responsible disclosure" guidelines. To my knowledge, neither Apple, nor Miller, nor ZDI ever specifically stated which flaw gave him the win.

He did achieve arbitrary code execution but the scenario was artificial in that he instructed the target where to go to get hacked.
Same question: Do you know that for a fact? If so, cite your source.

Identity theft in the wild and in relation to mitm attacks most often occurs due to eavesdropping and not due to arbitrary code execution.
"Most often occurs"? Cite your source.

I'm more inclined to think identity theft in the wild is most often due to leakages from third parties (poorly secured data), or direct attacks on third parties (targeted database compromises). I don't think eavesdropping on internet traffic plays much of a role at all, mainly due to SSL/TLS. I have no citations to back that up, but it's at least as plausible as your assertion.

The actual occurrence of the target computer user's inadvertent intervention is unlikely as the attacker would have to get the target to navigate to a malicious URL without the target being aware of the intent of the attacker.
Awareness of intent counts for almost nothing.

For example, if there is an exploitable flaw in the handling of image files, then an attacker only needs to post images on a popular website, such as any social website. Information can be harvested every time any visitor loads an image. There is no obvious "malicious URL" involved, just a very outgoing person making friends, and a quiet yet unassuming malicious image waiting to snare the afflicted.

The same attack strategy works for any widely used public site, such as chat sites, image-posting sites, or anywhere ordinary users can upload their own content. The flaw only needs to be located in a section of code that the client-side software uses to present the site's content, but that's a pretty large surface area, since it encompasses decompression, images, movies, audio, chat protocols, transfer protocols, etc.

If I remember correctly none of the OSes were hacked until the user of the target computer was instructed by the attacker where to go to get hacked. The target was not just going about their normal daily Internet activities.
The iPhone was hacked in the 2009 contest simply by receiving an SMS message.
http://www.vupen.com/english/advisories/2009/2105

Once the malicious URL injected code into the system, the attacker could access the system via being the mitm. Without being on the same network (hub/switch or unencrypted wireless), the attacker could not get into the system.
If you think it requires a mitm to deliver a malicious image, you are wrong. If you think that the injected code can only deliver the compromised data to a mitm agent, you are wrong.

What is the chance that the attacker will motivate the target to the malicious URL in a way that is not indicative of intent if the target is only in the range of attack for only a few hours, such as waiting at the airport and using an unencrypted wireless connection at the airport while waiting?
If the malicious content appears to be safe, or at worst innocently failing ("Oh darn, Safari crashed again"), as with the above example of a maliciously crafted image file, then it's not necessary to mount an attack as you describe. The image file or other malicious content is posted on a public website, and it affects anyone who loads it using software that contains the flaw.
 
I agree there are ways that an unknown person could lure you to a malicious URL.

Remember these attacks require a local area network.

How long do you think it would take for someone to befriend you and then get you to tag along with them on the internet while each on your own computer? Could that all happen while you were randomly using an unencrypted wireless network?

I can see it happening if you were targeted around some pattern of behaviour, such as regular trips to a coffee shop with an unencrypted wireless network. I am not denying that it is possible.

We are talking about Mac OS X, not iPhone OS.

Read these and follow the wiki sources:

http://www.darknet.org.uk/2009/03/charlie-miller-does-it-again-at-pwn2own/

http://en.wikipedia.org/wiki/Man-in-the-middle_attack

http://en.wikipedia.org/wiki/ARP_spoofing

If you think it requires a mitm to deliver a malicious image, you are wrong. If you think that the injected code can only deliver the compromised data to a mitm agent, you are wrong.

If the malicious content appears to be safe, or at worst innocently failing ("Oh darn, Safari crashed again"), as with the above example of a maliciously crafted image file, then it's not necessary to mount an attack as you describe. The image file or other malicious content is posted on a public website, and it affects anyone who loads it using software that contains the flaw.

You provide a source stating that it can occur beyond a LAN, through routers, and over encrypted wireless connections.

I don't have a problem with Miller's work. It is good. Apple should give him a job.

I have a problem with the media treatment of it. And how some people like to sell Mac OSX as less secure because of these media headlines.

I totally agree that in this security context Apple is trailing behind.

But I do not think it is as major a problem as how Windows is behind on the malware issue.

Edit: I was wrong, exploitation using these methods is not uncommon in the wild. But it is rare in the wild in OS X because the impact of such exploitation in Mac OS X is limited by the low incidence rate of privilege escalation exploits and by user space security mitigations that prevent keyloggers and other malware from logging security sensitive passwords, such as from authentication prompts or website logins, without privilege escalation. BTW, user interaction is required to hack a Mac via a crossover cable, as the user has to allow "Internet Sharing" in System Preferences. Man-in-the-middle attacks facilitate these methods on wireless networks. Navigating to a malicious website facilitates these methods across the web.
 
You would prefer this one? ;)

Not sure that I would, now that you mention it. Have only been reading these forums since about '07 - never realised someone had actually tried using this site as a launchpad for nasties.

As for this thread, there'll be some more stuff to talk about by the end of the week. Hopefully patches for any exploits that have been found are available sooner rather than later.
 
We are talking about Mac OS X, not iPhone OS.
They share the same "DNA", so to speak. I.e. they are based on the same OS architecture, security model, programming languages, etc.

In any case, I was specifically responding to your statement:
If I remember correctly none of the OSes were hacked until the user of the target computer was instructed by the attacker where to go to get hacked. The target was not just going about their normal daily Internet activities.
So to answer your claim: No, you've misremembered. The iPhone OS was hacked simply by receiving a maliciously crafted SMS message.

None of those actually say that Miller's attacks relied on mitm. One URL says that a malicious URL was presented in the browser, and clicking on it caused the exploit. The Wikipedia URLs say nothing about Miller's attack being mitm or not.

You provide a source stating that it can occur beyond a LAN, through routers, and over encrypted wireless connections.

http://lists.apple.com/archives/Security-announce//2008/Sep/msg00005.html

The fixes done to ImageIO for JPEG and TIFF images specifically say "arbitrary code execution".

All it takes to provide a JPEG image to a client browser is to upload it to a website that supports user-supplied content, such as a social website, a picture-sharing website, etc. and then wait for visitors. If the content is attractive, visitors will arrive.

The fixes say nothing about the flaw being confined to LANs, nor being neutralized by routers, nor being avoided by encrypted connections. And rightly so, as none of those alter the actual JPEG content.

Was the flaw exploited before it was fixed? Apparently not.

Was the flaw exploitable using data that could have come from outside a LAN, over normal routers, on encrypted connections? Nothing says otherwise, so one should prudently assume that this was exploitable in the real world. If you have specific evidence otherwise, then you should provide it, instead of making vague or generalized assertions.
 
They share the same "DNA", so to speak. I.e. they are based on the same OS architecture, security model, programming languages, etc.

So to answer your claim: No, you've misremembered. The iPhone OS was hacked simply by receiving a maliciously crafted SMS message.


None of those actually say that Miller's attacks relied on mitm. One URL says that a malicious URL was presented in the browser, and clicking on it caused the exploit. The Wikipedia URLs say nothing about Miller's attack being mitm or not.

Read the pwn2own rules that were posted earlier, I did: The computers were connected via a crossover cable with the target computer exposed to the attacker via its internet connection.

Now read about ARP poisoning and Man-in-the-middle attack again. You will figure it out.

The fixes done to ImageIO for JPEG and TIFF images specifically say "arbitrary code execution".

The arbitrary code can be injected by a malicious URL from anywhere. This is true.

How can the opening be exploited by the attacker if the connection is secured by a router or server at some point in between the attacker and the target, as in over WAN?

You can create the hole but you can't get in unless on insecure LAN. If I am wrong about this I would like to know.

Is it possible if connected directly to the internet without a router? This has implications for all OSes if so.

Remember we are not talking about malware here.

The iPhone OS was hacked simply by receiving a maliciously crafted SMS message.

"The attack is enabled by a serious memory corruption bug in the way the iPhone handles SMS messages, said Miller, a senior security researcher at Independent Security Evaluators."

http://news.cnet.com/8301-27080_3-10299378-245.html

How does this bug with handling SMS messages have anything to do with Mac OS X?

What type of network connection was the iPhone using?
 
I'd love to see an Apple apologist answer this.

Operating systems have security issues?

As we become networked we are more open to attacks?

Blah, blah, blah.

The problems will get patched, most likely. Most of the problems are probably edge cases that won't affect most users.

Does Mac's smaller user base contribute to some of its security? Yes. Is that the only thing that helps keep viruses and Malware away? No.

Fact is, nobody gives a $%^& about a mac.

As clearly demonstrated by the existence of this site.
 
Read the pwn2own rules that were posted earlier, I did: The computers were connected via a crossover cable with the target computer exposed to the attacker via its internet connection.

Now read about ARP poisoning and Man-in-the-middle attack again. You will figure it out.

What makes you think ARP poisoning or mitm has anything to do with Miller's exploits?

That's not a rhetorical question. I'm asking you to provide evidence that these were actually used in Miller's attacks. I found some evidence about how Miller performed his attacks, and neither mitm nor ARP poisoning appears to have been a factor at all.

You seem to think these are significant, but as I posted before, the crossover cable and attacker-as-gateway measures are taken at least as much to protect the exploit from being observed and logged, and to present the maximum attack surface for the contest, as for any other reason. You seem to think they're necessary for the exploit to work. My position has consistently been that they're not.

The evidence I found on the details of Miller's successful attacks can be found by googling the following keywords:

site:zerodayinitiative.com charlie miller

site:support.apple.com charlie miller

One attack used JavaScript regular expressions, and the other used an embedded Compact Font Format (CFF) font. Look at the reporting dates and the participation of ZDI. These look like Miller's winning exploits to me.

Conspicuous by their absence are mitm and ARP poisoning attacks.

How can the opening be exploited by the attacker if the connection is secured by a router or server at some point in between the attacker and the target, as in over WAN?

You can create the hole but you can't get in unless on insecure LAN. If I am wrong about this I would like to know.

You're wrong.

Your view of what constitutes a compromise is far too narrow. Real bad guys don't play by those rules.

The maliciously crafted data contains the code (or vectors to code) that will be executed by the client. If that code performs, say, an HTTP GET to an attacker's URL, with the URL-encoded data that was compromised as a query string, then that compromised data has now been transferred to the attacker's remote URL. If the transfer occurs over HTTPS, then the compromised data is not visible to any other observers, such as another machine on the LAN using 'tcpdump' in promiscuous mode, or say Interarchy in traffic-watching mode. All the observer sees is an HTTPS transfer to an IP address, if they see anything at all.

It could also make a separate GET to obtain more malicious code, so the maliciously crafted data contains the minimum simply to trigger the exploit.

Furthermore, the attacker's remote URL need not be some clearly nefarious black-listed server that no respectable person would visit. It could be any server, such as Amazon S3, where someone can set up an account that can receive GET requests and log the request's content. It could even be a hacked account on such a server. Or multiple hacked accounts on servers scattered around the world. Or it could be any public but unhacked server that accepts arbitrary user-posted data, such as pastebin.com, and so on. Frankly, the possibilities are almost unlimited.

The way you seem to be thinking about it is that the attack has to first establish itself as a separately running process on the target machine, and it then listens on a port for incoming commands before it can perform any nefarious deeds. That is one way to compromise machines or connect them in a botnet, but it's certainly not the only way to compromise user data.

Is it possible if connected directly to the internet without a router? This has implications for all OSes if so.

Yes. And yes.

Remember we are not talking about malware here.

Huh? Of course we're talking about malware. Remotely originated malware, that arrives as apparently innocuous data, but contains malicious executable code.

Your view of what constitutes malware seems to be too narrow, almost bordering on naive.

How does this bug with handling SMS messages have anything to do with Mac OS X?

It doesn't. It merely refutes your statement that "... none of the OSes were hacked until the user of the target computer was instructed by the attacker where to go to get hacked".

iPhone OS was one of the OSes.
It was hacked without the user being instructed where to go.
Therefore your statement was wrong.

You made a statement. I responded to it with evidence it was wrong. That's how debate works.

What type of network connection was the iPhone using?
It was compromised by receipt of an SMS message. I think that narrows it down sufficiently.
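The post above argues that a LAN observer sees only "an HTTPS transfer to an IP address" when compromised data leaves as an HTTP GET query string. The following added example (my own code, not from any poster or from pwn2own) runs a detection heuristic over constructed, Squid-style proxy log lines with hypothetical hostnames: plaintext GETs carrying encoded-looking query values are flagged, while CONNECT tunnels to the same host are recorded as opaque, illustrating exactly the visibility gap the post describes.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample log (not real traffic): "timestamp client method target status".
# The base64-looking query value and all hosts are made up for this illustration.
SAMPLE_LOG = """\
1262300000.123 10.0.0.5 GET http://news.example.com/index.html 200
1262300001.456 10.0.0.5 GET http://cdn.example.net/img/photo.jpg 200
1262300002.789 10.0.0.5 GET http://collector.example.org/p?d=dXNlcj1hbGljZSZzZXNzaW9uPTQy 200
1262300003.001 10.0.0.5 CONNECT collector.example.org:443 200
1262300004.002 10.0.0.5 GET http://search.example.com/?q=mac+security 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST|CONNECT) (\S+) (\d{3})$")
# Long runs of base64 / URL-safe-base64 characters with no spaces or punctuation.
BLOB_RE = re.compile(r"^[A-Za-z0-9+/=_-]{16,}$")


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, target, status = m.groups()
    return {"ts": float(ts), "client": client, "method": method,
            "target": target, "status": int(status)}


def suspicious_query(url, min_len=16):
    """Return the names of query parameters whose values look like encoded blobs."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return [name for name, values in params.items()
            for value in values
            if len(value) >= min_len and BLOB_RE.match(value)]


def analyse(log_text):
    """Walk the log and report what a network observer can and cannot inspect.

    plaintext_exfil_candidate: a cleartext GET whose query string carries a blob
    (the payload is visible, so it can be inspected and matched).
    opaque_tls: a CONNECT tunnel; only host and port are visible, so detection
    must fall back to destination reputation or traffic patterns.
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "CONNECT":
            host = rec["target"].rsplit(":", 1)[0]
            findings.append({"kind": "opaque_tls", "host": host, "params": []})
        else:
            names = suspicious_query(rec["target"])
            if names:
                findings.append({"kind": "plaintext_exfil_candidate",
                                 "host": urlsplit(rec["target"]).hostname,
                                 "params": names})
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f["kind"], f["host"], f["params"])
```

The ordinary search query with a space is deliberately not flagged; the heuristic looks for encoded-looking values, not for any query string at all.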
 
Provide an example of an HTTP GET exploit in the wild for Mac OS X?

What did the JavaScript regular expression and Compact Font Format exploits do to the target? So what is the real world by-product of the exploit?

From the beginning of this thread, it has been about non-mobile OSes.

I was using malware to indicate viruses, Trojans, and worms. I agree that is not technically accurate.
 
This is a link to a PDF concerning a Mac hacking book co-authored by Miller:

http://trailofbits.files.wordpress.com/2009/03/macosxploitation_source2009.pdf

It is interesting but be careful it could be fuzzed? Lol

Seriously, it explains how Mac OS X is safer but less secure. This is the big debate. It states there are presently no exploits in the wild but that there could be, and why.

It does not give much info on their methodology for implementing exploits to explain why there are no active exploits in the wild. Too bad it doesn't, as it would end this thread.

It explains how ASLR is better in Linux and what is lacking in OS X.

Given that I can not find an explanation as to why there are no exploits in the wild beyond the logic that it requires extenuating circumstances that are atypical, I concede that I no longer care.
 
(emphasis mine):
[Miller] did achieve arbitrary code execution but the scenario was artificial in that he instructed the target where to go to get hacked.

<snip>

The actual occurrence of the target computer user's inadvertent intervention is unlikely as the attacker would have to get the target to navigate to a malicious URL without the target being aware of the intent of the attacker.

If I remember correctly none of the OSes were hacked until the user of the target computer was instructed by the attacker where to go to get hacked. The target was not just going about their normal daily Internet activities.
You mean like using Google, or reading weblogs running on WordPress software, or looking up a user's profile in a Quickbooks forum perhaps? Clicking "trusted" links in such "trustworthy" places — as well as others, notably Spacebook and MyFace — is not so unlikely.

[how would you know that any link (including those three) is safe?]
 
(emphasis mine):

You mean like using Google, or reading weblogs running on WordPress software, or looking up a user's profile in a Quickbooks forum perhaps? Clicking "trusted" links in such "trustworthy" places — as well as others, notably Spacebook and MyFace — is not so unlikely.

[how would you know that any link (including those three) is safe?]

Thanks for the laugh. I clicked all three, by the way. You do know that Trojan (DNSChanger) is automagically detected by Snow Leopard when you try to install it. Installation requires your password, so it's not actually a virus.
 
Even with the guy's track record, he's only been able to find these vulnerabilities after someone on the other side lets him in.

And it's nice to see that it still takes someone opening the backdoor, but then all one has to do is not be an idiot and open the spam or travel to that one porn site that tells them to download this or that.

I don't think you are aware of the rules. They are allowed to click on only one link, e.g., this one --> link <-- which leads to some page on the web. But no further clicking is allowed... so therefore, the user doesn't "download" anything (at least not knowingly or willingly). The simple act of visiting the page is sufficient to exploit Safari.

EDIT: In fact, I think it's more constrained than that. Instead of "clicking on a link" somewhere, I think what they do is manually type a single URL into the address field. Again, the principle is that they simply load a web page — but do not physically interact with any of its content (buttons, links, popups, or what-have-you).