OS X Coming Under Increased Researcher Scrutiny
While it is still a less-targeted platform, Apple's OS X operating system has been the subject of some interesting security research published in recent months.
In February, Vincenzo Iozzo presented at Black Hat 09 a method for injecting code directly into the memory of another application while it is running. The injection takes place entirely in memory (which separates it from earlier attacks of this style) and disappears when the application is terminated. It could be argued that this is an epiphytic rather than a parasitic attack route: it does not rely on the host system to store any part of it (other than active memory), it attaches to an existing application, and it disappears cleanly at the end.
This method still relies on somehow getting the code launched in the first place, but once launched it is hidden from sight and does not show up as a running process of its own. Getting the user to launch an arbitrary application is more of a social weakness than a technical one, as the mountains of malware and infected Windows systems can attest.
More recently, Dino Dai Zovi demonstrated a heap overflow vulnerability (of which he claims there are several more waiting to be found) which allowed him to take images with the iSight camera. Meanwhile, at the Pwn2Own contest at CanSecWest, last year's winner, Charlie Miller, walked away with the MacBook inside of ten seconds, on his first attempt. Using a Safari vulnerability, he was able to gain access at least at the privilege level Safari was running under and demonstrate code execution. Miller had been able to develop and test the exploit ahead of time and was confident that he would be able to take out the target system, going so far as to claim before the competition that Safari would be the first browser compromised.
Critics would argue that by allowing the use of web browsers on the first day of the competition, the organisers effectively moved the competition from an attack against the underlying systems to an attack against web browser security. With the constant barrage of critical patches for web browsers across all platforms, it should come as no surprise that the competition systems were compromised so quickly. With researchers having had months to prepare and develop their pet exploits, it comes down to a race over who gets to try their exploit first, rather than a valid measure of how long a representative system takes to fall to attack. Critics would also point out that the more desirable laptop (at least, the more desirable for many) would also be the first and most heavily targeted.
Critical arguments aside, it is getting harder to argue that OS X is a less targeted platform, especially given the recent work put into updating one of the most popular hacking toolkits, Metasploit, with OS X specific capabilities and vulnerabilities. It should come as no surprise that those most responsible for the increase in capability are Charlie Miller and Dino Dai Zovi.
In the face of increasing attention and public exploit demonstration and release, is it time for Apple to move to a fixed, pre-announced patch release schedule? Some would argue that it is long past the time when this should have happened, while others are content with the relatively irregular release cycle currently in use. At the least, Apple could do well to consider how Microsoft has engaged all parts of the information security community and how it handles vulnerability data and patches.
20 March 2009