October 30th, 2007

Researchers pooh-pooh Mac OS X Leopard security

Posted by Ryan Naraine @ 11:41 am

Categories: Apple, Botnets, Browsers, Data theft, Digital rights management, Exploit code, Hackers, Metasploit, Microsoft, Open source, Passwords, Patch Watch, Pen testing, Punditocracy, Spam and Phishing, Vulnerability research, Zero-day attacks

Tags: Firewall, Apple Macintosh, Network, Leopard, Thomas Ptacek, Firewalls, Apple Mac OS X, Network Security, Apple Mac OS, Security

The first independent reviews of the security enhancements in Mac OS X Leopard are in — and they’re not entirely pleasant for the folks in Cupertino.

First up is Heise Security’s takedown of the new application-based firewall in Leopard, which Apple promises will specify the behavior of specific applications to either allow or block incoming connections.

However, Heise Security’s Jürgen Schmidt finds cause for concern:

The most important task for any firewall is to keep out uninvited guests. In particular, this means sealing off local services to prevent access from potentially hostile networks, such as the internet or wireless networks.

But a quick look at the firewall configuration in the Mac OS X Leopard shows that it is unable to do this. By default it is set to “Allow all incoming connections,” i.e. it is deactivated. Worse still, a user who, for security purposes, has previously activated the firewall on his or her Mac will find that, after upgrading to Leopard, the system restarts with the firewall deactivated.

In contrast to, for example, Windows Vista, the Leopard firewall settings fail to distinguish between trusted networks, such as a protected company network, and potentially dangerous wireless networks in airports or even direct internet connections. Leopard initially takes the magnanimous position of trusting all networks equally.

(More at Techmeme)

The new firewall in Leopard isn’t the only security feature being pooh-poohed by security researchers. According to Thomas Ptacek (right), co-founder of Matasano Security, Apple’s implementation of memory randomization in Leopard doesn’t make the operating system immune from virus and worm attacks.

[ SEE: Memory randomization (ASLR) coming to Mac OS X Leopard ]

For starters, Ptacek found that the dynamic linker library (dyld) is not randomized. “From what I can tell, ten different Leopard Macs booted at ten different times will have the same offset to dyld,” Ptacek said in a first-take on Leopard security.

“Can I say right now that you can exploit this to take over a Mac? No. But ASLR is either something you get right, or is simply a speed bump for attackers,” he added.

Ptacek said memory randomization, also known as ASLR (address space layout randomization), removes a talking point argument about Microsoft Windows Vista’s superior security, but doesn’t address the underlying point of that argument.

Cocoa programs running in Darwin are less secure than Win32 programs running under NTOSKRNL, and aren’t even in the same ballpark as Managed C++ or C# programs.

Ptacek’s analysis also found problems with Apple’s implementation of Sandboxing (systrace) without any documentation for developers.