Yes, back in the days of when XP just came out, many people only had one computer, therefore they did not buy a router. However, having a router still doesn't make you immune to stuff like this.

God, that was 2001. I'm so old! :) Talk about the wayback machine.

Nice, but wrong.

Your groupings are oversimplified and far from complete. There is a fourth group of malcontents who are like evolved script kiddies, who have some know-how and real skills, who just like to cause trouble and they would surely do it just for the "LULZ." The most famous virus outbreaks are usually caused by them tinkering with existing viruses and reintroducing them into the wild.

I know what group you're talking about, but most of their tools are public domain. And it is a world of difference between their hive-mind mentality of attacks (the ones which are most successful are usually the simplest and are just social engineering) and the almost artful way these exploits are discovered.

I guess my point is that after you pass filter after filter, the potential threats to OS X are minimal (for now). The white hats are doing what they do, they aren't an attractive enough target to make money from (most Apple users are more computer literate on average (how many companies have people using Windows machines that don't use a computer recreationally at all?), the overwhelming majority of OS X installs aren't centrally managed by retarded admins (I kid you not, my MIS department STILL is using IE6), and most Windows machines in business are up 24/7 connected to beefy egress points), and Apple is a downright Goddamn scary company to deal with if you piss them off, so I don't think you'd find much in the glory department.
 
Mac having no viruses? Really??? Of course Macs can get viruses... Every computer/OS can.

Macs just have less, due to the "less interest".

Less as in ZERO.

I believe there have been a couple of 'proof of concepts' but nothing malicious or self replicating, these were just Trojans which aren't really viruses anyway.
 
Yeah… Well that’s quite a load of… :eek:. Here are a few:

Virus (PoC): OSX/Inqtana.A
Trojan-Downloader: OSX/Jahlev.A
Backdoor: OSX/iWorkServ.A
Worm: OSX/Tored.A

Inqtana.A is a worm, not a virus — and it doesn't even affect Macs running 10.5 or later.

http://www.symantec.com/security_response/writeup.jsp?docid=2006-021715-3051-99

Worms and trojan backdoors are not viruses. By definition, a virus must be able to self-replicate. Worms and trojans can not.

So again: Name one OSX virus.
 
20 security issues really isn't that bad. Every OS X security update fixes at least that many. I'm curious if Charlie Miller has submitted these to Apple, or is he sitting on them for his own publicity?

The keyword is publicity. He is a media whore that thrives at shaming Apple because he is a huge freetard that thinks the only totally secure software is opensource and that Apple is "evil". He can't even exploit a Mac until he gets someone to click on an automatic install script, i.e. Trojan exploit.

Heck, on any computer, a user who blindly clicks on an automatic download from their web browser is a n00b and deserves to get hacked.

Now if he can get into an OS X machine on his own without having a user do anything then I will be impressed. He is just acting like a script kiddie that has moved onto JavaScript.
 
Some people are being rather silly.

Any computer CAN get a virus.

It's harder to get a virus on Mac/Linux because:

a) There used to be not as much interest
b) It's harder to exploit due to the OS being based around Unix. The code is different, it's a lot harder to code an exploit albeit be it a virus, worm or trojan etc
c) All the people coding stuff that's got an .exe extension won't affect Macs, 'cos Macs won't run anything with an .exe extension. Even if it is a virus it won't affect the computer.

I'm no expert but I'm led to believe that a lot of the exploits for Mac/Linux would have to be through code injection which affect the RAM, and operating of software etc?

There is anti virus software for Mac, and your Mac does have a Firewall - better safe than sorry, right?

If you are connected to a router you shouldn't have to worry too much as most new models have a built in firewall.

I could go on, here!
 
It's amusing watching people here talk about "hackers want to make a name for themselves" and "people hate Apple why don't they attack them" etc etc etc. Most of you have no clue what a global conglomerate goes through on a daily basis with security threats. We get attacked hourly. Most of the attacks are stopped by our Firewall and anything that makes it through SEP11 takes care of. Someone here said the "End User" is the biggest threat. You my friend are 100% correct. The biggest virus on the internet is the person clicking the mouse. The scary thing about Macs is that most users have Admin or Root access and they have no idea how much power that access gives them. Most major organized crime rings don't attack Macs not because they are safer but because they need numbers. They need a lot of computers to do what they are trying to do. The whole idea behind the real hackers is getting a ton of computers and having them networked or controlled by them remotely to then deploy malicious content to other machines. A lot of the time they are key loggers, XML exploits via browser, or even remote control. Once more Macs get out into the environment they will be prime targets.

Let me put it this way. How many of you here today used Secure Virtual Memory? How many of you have correctly set up RSA tokens with your SSH client? How many of you have SSH enabled but don't know it? How many of you have actually configured your home firewall? If you have answered No to any of the above I could get your root password, admin name, and ssh into your box in less than an hour. Why? MD5 hashed passwords in swap cache. MD5 is easy to crack, your password is there, I can use a browser exploit to get onto your machine and get that password, hide behind a clever website or download, and just like that you are officially hacked.

That's how a lot of these things work but on a larger scale. Just some insight. We deal with this hourly. Our biggest problems come from Russia, Ukraine, China, Thailand, and some African countries.
 
Inqtana.A is a worm, not a virus — and it doesn't even affect Macs running 10.5 or later.

http://www.symantec.com/security_response/writeup.jsp?docid=2006-021715-3051-99

Worms and trojan backdoors are not viruses. By definition, a virus must be able to self-replicate. Worms and trojans can not.

So again: Name one OSX virus.

Agreed as per my post too.

Less as in ZERO.

I believe there have been a couple of 'proof of concepts' but nothing malicious or self replicating, these were just Trojans which aren't really viruses anyway.
 
No Virus on Mac

Repeat after me...
MacOX is UNIX. MacOS *IS* UNIX.

Simply put, having a virus/malware infect a UNIX system at the root level is difficult.

Permissions, even for root users sometimes must be checked.
I suppose if you had an installer that someone ran as root you could mess up the system.

As a non-privileged user you can't damage a UNIX install.
You can ruin your user account.
 
I dunno. Every time someone even says the word "virus" all the Mac fans jump out and say things like "Not for us! There are no viruses for the Mac!" (Myself included.) For the last 10 years, it's been the same smug, condescending battle cry. "No viruses! Not here! Not us!"

You don't think that the first guy to create an actual, self-replicating virus on OS X, the first guy to prove them all wrong, the first guy to stick it in everyone's face, wouldn't become as famous as Steve Jobs and Linus Torvalds themselves?

You don't think that somewhere out there is a hacker who wants to make a name for himself?

That's why I don't buy "security by obscurity".

Where does your logic base come from? I'm asking because your comparison is apples and oranges. If being "famous" means running from the feds and not being able to take advantage of the fame aside from black market underworld deals then I don't think you have a lot of people standing up. Many holes have and do exist that allow the creation of what you are discussing but there is much more money to be made doing it for Windows so those that like to tread on that side of the law want the most pay off for the risk and it's an easier market on Windows. You are chased the same as you are breaking the same laws but you are in a stronger position until OSX market share breaks into the levels that will sustain this type of marketplace.
 
More secure than what? Windows XP yes. Windows Vista? Maybe. Windows 7? Hell no.

MS has certainly put more effort into securing Windows than Apple has with OSX. Unfortunately that's because they had to. The NT core and legacy APIs which Win7 is built upon were designed 15 years ago w/o a strong security model. MS has had to walk a tight rope where they are trying to plug holes while retaining backwards compatibility. Win7 does the best job yet, but the loss of backwards compatibility has led a large portion of users to disable UAC and use Admin rights. While you could argue that this is the user's fault, that's not really honest. If the OS experience drives users to disable security, there is a fundamental flaw.
OSX is built on BSD and has proper rights isolation at its core. Frankly Apple has less to fix than MS.
 
Why is everyone in this thread going on about viruses? The article has nothing to do with them.
 
20 security issues really isn't that bad. Every OS X security update fixes at least that many. I'm curious if Charlie Miller has submitted these to Apple, or is he sitting on them for his own publicity?

I agree. If he went to Apple a month ago with these vulnerabilities and they didn't respond then I am 100% ok with him showing everyone the exploits.

However, to tell everyone that he is going to "announce" at a conference a zero day exploit that is a week in the future and not even give Apple a chance to comment on it (not that they would) or at least let them start working on a fix is a pretty stupid/lame move.
 
For those who say things about needing physical interaction or whatever to put a virus on the mac, such as going to a website or opening an email... that IS almost the only way people get viruses these days. It's through sheer stupidity and not being smart about what you do.

Stupidity is not only for Windows users, Mac users are not immune to that.
 
The methods this guy is talking about using are not methods that the vast majority of hackers have the capability of deploying.

He's quite pleased with the results he's achieved because it demonstrates what a clever haxx he is, but it's not as though there are a lot of people as well equipped as he is snooping around looking to break into people's computers.

Microsoft security holes are shockingly easy to exploit, which is what makes all the difference in the world.

It makes sense that this guy would play up his exploits because he can offer to share the results and keep quiet if Apple is willing to pay for the results.

The number of active OSX virii are still in the single digits, compared to the hundreds of thousands that can infect your windows system.
 
Permissions, even for root users sometimes must be checked.
I suppose if you had an installer that someone ran as root you could mess up the system.

As a non-privileged user you can't damage a UNIX install.
You can ruin your user account.

Remote SSH into your machine, login as your admin, rm -R your system folder and see what happens.

The second statement isn't entirely correct though, yet you can ruin a user's account. If that is the intention of the hacker though, then he is successful, meaning that you have been "hacked". From a security standpoint, one of Apple's glaring holes is the standard user. Think of this more. How many of you at home are NOT admins on your machine... ;)
 
All of Miller's exploits require the use of a cross-over cable, which is never a network configuration you see in the wild.

His exploits are not relevant to anyone connected to a network wirelessly or via an unmodified Ethernet cable.

Specifically, the target computer is connected to the Internet wirelessly and Miller's computer is directly connected to the target computer via a cross-over cable.

So, don't let a hacker connect to your computer with a cross-over cable. A cross-over allows the hacker to bypass many of the security features emphasized in OSX that are limited in Windows.

Edit: I was wrong. Miller's exploits require a local area network and an artificial (as in unlikely in the wild) situation.

Second Edit: I was double wrong, exploitation using these methods is not uncommon in the wild. But, it is rare in the wild in OS X because the impact of such exploitation in Mac OS X is limited by the low incidence rate of privilege escalation exploits and user space security mitigations that prevent keyloggers and other malware from logging security sensitive passwords, such as from authentication prompts or website logins, without privilege escalation. BTW, user interaction is required to hack a Mac via a crossover cable as the user has to allow "Internet Sharing" in System Preferences. Man-in-the-middle attacks facilitate these methods on wireless networks. Navigating to a malicious website facilitates these methods across the web.
 
I'll put it this way: I have used PC/Mac for quite a few years and the amount of security patches for the Mac doesn't even come to a quarter of the thousands of updates I've had to do on a Windows PC, and I have been using a PC since Windows 95.

Edit: I'm sure the PC Fanboys on engadget are having a field day with this.
 
Oh yeah? Explain why OS 9 had less marketshare than OS X and had viruses?

Maybe because at the time of OS 9 people were signing Apple's death certificate. Apple was nothing in those post Steve pre iCEO days. That's why it had less market share. As for virii the reason why was because OS 9 had more holes than OSX will ever have.

No one is saying OSX isn't a great operating system. It's amazing! It's just not PERFECT, it's not IMMUNE, and Apple hasn't been the best at patching known bugs... IE the Java exploit that got ignored for quite some time.
 
Very good, we need guys like Miller to shake things up a bit and keep Apple on their toes as they push their market share forward. What we don't need are Apple apologists or zealots, that gets nothing done.

I agree. Apple and many of its fans need to look up the word 'hubris' sometime.

No networked system is EVER totally secure. The only way to get and stay as secure as possible is to remain constantly paranoid. It would be nice if it wasn't that way, but that's the reality.
 
And even if some Windows virus would not affect you, you might be spreading the crap around. There’s just no good excuse not to use anti-virus.

.

Well, I will not spend a penny and go through the hassle of keeping my antivirus up-to-date and slowing down my machine because I want to protect the PC users that don't update their antivirus...
 
All of Miller's exploits require the use of a cross-over cable, which is never a network configuration you see in the wild.

His exploits are not relevant to anyone connected to a network wirelessly or via an unmodified Ethernet cable.

Specifically, the target computer is connected to the Internet wirelessly and Miller's computer is directly connected to the target computer via a cross-over cable.

So, don't let a hacker connect to your computer with a cross-over cable. A cross-over allows the hacker to bypass many of the security features emphasized in OSX that are limited in Windows.

Keep in mind no OS fell the first day. The second day when the rules were relaxed OSX fell. It wasn't until the 3rd day that Windows was hacked. Windows still has better security technologies built in. Apple adopted some of the features that Microsoft implemented in Vista but not completely. Which is why this hacker says that OSX is easier to hack than Windows.
 
I must be a masochist...

This post has been painful to read, and I've been sitting here debating whether or not it's worth replying, as I'd basically be contributing to what I'm complaining about, and I'm incapable of being succinct.

But it's Friday, and who doesn't like a good internet argument on a Friday ;)

First off, to those claiming that Charlie is an attention-whore, or trying to get a job at Apple:

Charlie is a huge fan of OS X. He's had to state this in pretty much every interview, because people seem to think that by pointing out security vulnerabilities with the Mac, that means he doesn't like it. He uses OS X, he likes OS X. He wrote a book about hacking OS X (with another security researcher) that's a really good read. It's not about poking fun at OS X, it's about wanting the system that you yourself use to be more secure.

Charlie makes his living (like many of us) as a security professional. We get paid to either break into companies or try and break products. As far as security professionals go, he's a very well-regarded one. He's not a fourteen year old kid in a basement writing irc-bots.

There is near-unanimous agreement in the security community (as unanimous as we ever get) that Apple's security posture is near the bottom of all vendors. That includes companies like Microsoft, and Cisco, and Adobe. This is based on years of working with them to get them to patch vulnerabilities. They are categorically the last to release patches when a vulnerability has been discovered, and their whole "veil of secrecy" that people here discuss ad nauseam carries over into even this area. Things are promising, however, as they just hired someone to work in this capacity (someone most of us have a lot of respect for and consider to be a great hire). Time will tell if they get better about handling vulnerabilities.

The thing is, Microsoft (who historically was the punchline to any joke about vulnerability management), has been doing things right for about the past five years. This doesn't excuse the way they acted before that, and it doesn't mean that now Windows is magically vulnerability-free (although both Vista and 7 have been a marked improvement from XP), but they've gotten significantly better about handling vulnerabilities (and are now leaps and bounds better than Apple is).

The thing is though, Microsoft had to do this, as they represent a huge portion of installed systems, and are the biggest target. They were getting beaten up about their security (rightfully so) and it was to the point that it actually affected business.

The same is not true about Apple. The reality is that they can be as bad as they are about security management because they don't yet have a reason not to be. We in the security community are all about security for the sake of security (it's a philosophical tenet), but that's not pragmatic. Companies only care about security if it affects their business (and I don't necessarily think that's a bad thing), and for Apple, it doesn't.

People keep talking about viruses on here, and to be honest, we haven't cared about viruses for almost ten years. Viruses eat up CPU cycles, and generate network traffic and are easy to detect in an environment that has even basic security monitoring.

Everything comes back to money. Viruses don't cost money anymore (not of the magnitude that we worry about). What does cost money is malware that hijacks online banking credentials, or grabs ssn's, or online gaming accounts, or acts as a way for an attacker to obtain sensitive corporate information. This past year the amount of money stolen from banks electronically was about 10 times the amount taken in actual physical robberies.

And attackers don't care how they obtain this information. We don't care about owning a box for the sake of owning it, we don't care about stealing passwords from a user unless that is a means to obtain what we're actually after. Honestly, we're after the money, and we'll spend large amounts of our own time and money if it means we can get more of it.

If that means developing exploits for OS X, then that's what we do. If it means just getting a user to visit a website, then we do that.
 