CanSecWest and Swiss Federal Institute of Tech Deliver Attacks on the Reality of Mac Security
March 28th, 2008
Daniel Eran Dilger
In back-to-back press releases with payloads of sensationalized misinformation, two apparently unrelated groups launched attacks on Mac OS X’s reputation for delivering better real world security for its users compared to Microsoft’s Windows. In the first, a contest held at the CanSecWest Applied Security Conference, sponsored in part by Microsoft, suggested that hacking a MacBook Air was faster than hacking a Sony or Fujitsu Windows PC laptop. Thousands of miles away, the Swiss Federal Institute of Technology engaged in Vulnerability Numerology to declare that Apple’s operating system had fewer promptly patched software vulnerabilities compared to Windows. The premise behind both widely publicized stories is wrong; here’s why.
Charlie Miller Cracks a Mac in Two Minutes at CanSecWest.
Echoing last year’s CanSecWest event, where security researcher Dino Dai Zovi was able to access files on a Mac after being allowed to guide an automated user to access a tainted website from the laptop, this year’s contest was won in two minutes by Zovi’s business partner, Charlie Miller. Both were unable to access the systems over the first day of the contest, where only direct attacks over the network were allowed.
On day two, both were able to quickly win the contest after the rules were relaxed to allow them to send emails to an automated user or direct it toward a malicious web server they had set up. While the quick win makes for a perfect headline and reflects the Hollywood image of “hackers” that twiddle on a keyboard and almost instantly “access the mainframe” while a counter runs in the background, a more intelligent question is: why did the Mac get hacked first, and why was the attack so quick?
The easy answer is that nobody had any political reason to attack Windows at an event sponsored by Microsoft. Such an exploit wouldn’t even have been newsworthy. The speed of the attack also has something to do with the business of security researchers like Miller, who have clearly expressed the intent to repeatedly prove that Macs (and the iPhone) are as easy to exploit as Windows-based systems. More on that in a moment.
It is an uncontroversial fact that Windows PCs suffer under the threat of tens of thousands of real world viruses, are routinely infected by malware and often unwittingly participate in spam and adware botnets, while Mac systems have no viruses, and no significant real world malware, spyware or botnet problems. However, there is a constant din of pundits, researchers, and security product salesmen who insist that Macs not only have serious security problems, but may actually suffer from more vulnerabilities than Windows PCs. How can these two contradictory ideas possibly be harmonized?
Attacking the iPhone.
Miller has worked hard to establish his reputation as a security expert. For any security expert, this means demonstrating the ability to discover high profile attacks on notable targets. Last year, Miller described a vulnerability on the iPhone related to the open source Perl Compatible Regular Expression Library libtiff software. This vulnerability was related to the jailbreak exploit that allowed users to install their own software on the iPhone by working around Apple’s security barrier, but it also had the potential for allowing a malicious user to inject their own malware onto unpatched iPhones that were directed to an exploiting website.
His attack on the iPhone’s security delivered Miller significant notoriety, but his discovery, even after being widely published, did not result in any malware industry popping up around the millions of iPhones being sold to well heeled users. Why not? For starters, PCREL libtiff was eventually patched; there were only a few weeks of any open vulnerability to exploit. Malware writers would have to return to the drawing board repeatedly in order to keep their iPhone attacks valid, just as the jailbreak community had to regularly rework their efforts to maintain the ability to install their unsupported (but non-malicious) apps on the iPhone.
The work of attacking the security barriers on the iPhone in order to maintain the ability to install unsupported apps has continued for months, and has kept the iPhone open to installing these applications since the first workaround was discovered. Why hasn’t the horde of spyware and spammer villains attacked the iPhone using the same tools? As I noted earlier, the iPhone does not actually offer much of an attractive target for malware authors because:
- the installed base is currently too small to be used for botnet spamming,
- the network uplink speed is also too slow and/or spotty to be used for spamming,
- unlike wide-open Windows, the iPhone is closed and any open exploits can be pinched off quickly,
- software updates on the iPhone are much easier to deliver and install than PC updates,
- unlike a PC, the iPhone can be instantly cleaned up by plugging it into iTunes and hitting Restore.
So despite Charlie Miller’s disdainful evaluation of the iPhone’s security, the phone has seen no real world security epidemics; even if a virus were delivered for it, the amount of problems it could cause would be limited by the easy to restore design of the device. Miller has noted significant flaws in the device, but those flaws have been irrelevant in terms of real threats facing users. In theory, the iPhone has been exploitable; in practice, it has not been exploited.
The Theory of Vulnerability.
Many of those same principles that prevented Miller’s prognostication of dire woe for iPhone users from coming to pass have similarly protected Mac users from actually suffering from any of the theoretical vulnerabilities reported for their platform. While Windows Enthusiasts like to suggest that the only thing preventing a Mac malware meltdown is the platform’s relatively low market share compared to Windows, that idea is both wrong and deceptively simplistic.
First, Mac market share has risen in specific markets to the point where, if there were real vulnerabilities that left it wide open to attack like Windows, it would be facing real problems. While Apple sells a small proportion of the total worldwide market for all PC desktops, workstations, and servers, it now sells over 8% of all the computers sold in the US.
Further, Apple’s low penetration into the enterprise market means that Apple’s 8% of the total US market is actually a 10 to 20% or higher percentage in the home, SOHO, and education markets. Still, we don’t see Apple suffering from 10 to 20% of the malware out there in the wild; Macs effectively have no malware to worry about, and few users even run anti-virus software. There is also currently no need for spyware clean and repair utilities at all. Macs don’t have a fractional tenth of Windows’ problems; they have no real world security problems at all.
Even more damning to the pundits’ logic, the markets where Apple is strongest are exactly those where malware is most prevalent. Who writes spyware aimed at attacking servers supervised by professional IT staff and protected by sophisticated firewalls? Macs are a prime target for spyware and identity thieves, as the Mac user demographic tends to have more money to steal. The fact that Apple’s installed base lies directly on top of the most attractive target for malware authors, yet has zero viruses and no significant real world malware problem says more about the reality of vulnerabilities than any amount of statistical humdrum churned out by people trying to bait links and suggest that up is down.
Swiss Swing and a Miss.
Which brings us to the report issued by the Swiss Federal Institute of Technology. Following in the footsteps of such luminaries as CNET Apple hater George Ou, the group reported findings after looking “at how many times over the past six years the two vendors [Apple and Microsoft] were able to have a patch available on the day a vulnerability became publicly known, which they call the 0-day patch rate,” according to a report by IDG.
Their conclusion: “the number of unpatched vulnerabilities are higher at Apple.” That conclusion provided IDG such ripe opportunity for sensationalizing that the author of the IDG article threw in a bizarre disclaimer at the end. The study was “such a glowing affirmation of Microsoft’s increased focus on security in the past few years that it prompted [Andrew Cushman, director of Microsoft’s Security and Research] to ask [study researcher Stefan] Frei, ‘Did Microsoft fund this research?’ ‘This is independent academic research,’ Frei replied.”
Why would IDG feel the need to note that Microsoft didn’t pay for this, and why would a Microsoft research director think to ask if his company had paid for the results of such a study? Because Microsoft is well known for funding “research” that serves to promote its marketing goals. However, we don’t even need to doubt the funding of the study in order to discard it as irresponsible garbage.
Vista vs Mac OS X Security: Why George Ou’s ZDNet Vulnerability Numerology is Absurd
security.itworld.com – Microsoft vs. Apple: Who patches 0-days faster?
PdfMeNot.com – 0-Day Patch Study
Why the Swiss Study was Fatally Flawed.
The main tipoff that the study was completely worthless is that it neatly compares “0-day” patches across unrelated platforms. Three main points below describe specifically why this is inherently flawed. As an introduction: a 0-day patch is one delivered the same day the exploitable flaw that it corrects becomes publicly disclosed.
Many theoretical exploits are fixed at or before they are publicly disclosed, while other flaws linger for weeks, even years, before being patched. A publicly known but unpatched flaw sounds more dangerous than one hiding behind the veil of “security by obscurity,” but there are also many flaws that are discovered by malicious parties to be sold or directly exploited before they are ever disclosed, let alone patched. That means 0-day patches are only ideal for flaws that only the vendor knows about. The study simply ignored discovered but undisclosed flaws, no doubt because they are obviously more difficult to identify and write papers about. They are not any less dangerous to users however.
Windows is plagued by many discovered but undisclosed and unpatched flaws; Mac OS X is not; there are zero viruses and no real world malware problems dogging Mac users. But ignore all that for a moment to take a look at why the very specific study on 0-day patches is so very wrong in three significant areas.
1. The scope and relative threat posed by a specific vulnerability is lost in the aggregated statistics that Vulnerability Numerologists like to report. Windows’ infamous “shatter attack,” an extremely serious, fundamental flaw in the architecture of Windows, was only just addressed in Vista. The flaw was not some simple buffer overflow error; Microsoft designed Windows NT/2000/XP in such a way as to give all services within the interactive desktop the same, communally high privileges. The gravity of this extremely poor design decision was widely reported back in 2002, but never fully addressed until the release of Vista, which many Windows users still cannot or will not deploy for various reasons.
Windows XP and Server versions prior to 2008 are still exposed to shatter attack vulnerabilities, but “researchers” would only give this grave flaw one vulnerability count on their tally list. This is just a single example of how irresponsible and ignorant the practice of comparing vulnerabilities by numerical count is across unrelated systems. Mac OS X does not suffer from Windows’ overloaded services architecture nor the subsequent problem of shatter attacks, because it benefits from the well known, highly regarded, multiple concurrent process design savvy of Unix.
Unix has been pulled apart and examined by academia for decades, and individual utilities and software packages are commonly open to public scrutiny, as is Apple’s entire core OS of Darwin, the Mach/BSD hybrid that serves as the foundation for Mac OS X. Microsoft’s Windows kernel and its core OS foundation has not benefitted from such independent review and examination on a similar scale.
Studying counts of 0-day patches issued and plotting the delivery dates of patches relative to the public disclosure of the flaws they address strains out the gnat and gulps down the camel in a brain dead effort to analyze irrelevant statistics that have only a tenuous association with real security.
2. Microsoft’s operating system is entirely closed source. Relatively few third party researchers have inside access to see how it works, and therefore can’t as easily discover flaws before they are patched. The top half of Apple’s Mac OS X is also closed source, and Apple similarly releases patches for flaws nobody outside the company was aware of. The difference is that when Microsoft patches unknown flaws, the media hails it as proactive, while every time Apple releases a patch, tech pundits riffle through it, recounting the number of flaws that nobody knew existed, and then work to sensationalize this into the message that Apple’s software is riddled with problems. This is grossly hypocritical, yet occurs with clockwork precision every time Apple releases a security patch.
However, there is something even more grotesquely self serving and dishonest that Vulnerability Numerologists love to do. Flaws in Windows are always tallied up as bugs found exclusively in the Windows kernel, shell, and its core bundled utilities. Flaws in Internet Explorer, Microsoft’s server products such as Exchange email, IIS web services, and other software are nearly always excluded; each product has a significant list of flaws that grant it its own listing. However, for Mac OS X and Linux, Vulnerability Numerologists count all of the flaws reported for every open source package associated with the distribution, including the web browser, email and web servers, and all related libraries and packages.
One could reasonably argue that a flaw in Microsoft’s IIS wouldn’t affect desktop users, few of which would be using the service. However, these same “researchers” will gleefully tally up vulnerabilities found in PHP, Apache, Samba, and every other open source product bundled with Mac OS X (or Linux), regardless of whether such tools are likely to be in use, or even exposed to actual exploit. This is also grossly hypocritical and dishonest, yet characterizes every vulnerability diatribe.
The other side of the same coin is that security researchers, like CanSecWest contest winner Miller, can easily discover flaws in open source software, sit on them unreported, then dramatically employ them at events like CanSecWest to demonstrate being able to hack Mac OS X in minutes. Clearly, Miller knew what exploit he would use long before day two of the contest gave him sufficient machine access in order to use it.
The problem is, Miller’s intimate familiarity with the flaws in open source packages used by Mac OS X is not resulting in a real security problem for Macs in actual use outside of carefully planned security contests. Miller is focusing attention on the weaknesses of open source, but in reality, that openness is a strength. Apple can and does leverage the input of the community to incorporate security fixes for all of the packages it ships with Mac OS X. I’m sure Miller’s attack is directed at Apple, not open source, but his methods amount to a reviling of open source, and he acts as a black hat researcher in exploiting the openness of the community to dig up his ammunition.
Microsoft’s flaws in Windows are hidden, and while supposedly not as well known as the flaws in open software, they’re also not addressed by the same community mechanism that constantly hardens Mac OS X and other distributions of Unix and Linux. Many researchers argue that Apple should be quicker to incorporate updates to the open source packages it bundles with Mac OS X, and Apple’s slowness does expose some risk. However, the majority of expert users with a need for hardened security also have the option of obtaining and installing newer versions of those open source libraries and packages themselves; Windows users don’t.
Open source is a strength; fixating on 0-day statistics while comparing unrelated numbers of vulnerabilities across two different platforms is an effort in proving that the trees in a forest can’t be seen through the forest itself, when they obviously can to anyone not trying to prove otherwise.
3. A third problem with the Swiss study relates directly to its “0-day” focus. Every open source package on Earth has both full transparency (its code is wide open for security experts to explore) and has documented notes on its revision progress. Apple bundles lots of these packages into Mac OS X. That makes it trivially easy for “security researchers” to tally up numbers of known and disclosed issues, and compare them to what Apple is shipping. Microsoft doesn’t include open source projects as part of a Windows distribution, so researchers have to do lots of actual work to discover problems in Windows and report them.
Despite Windows’ advantage of code secrecy and its resulting “security by obscurity,” there are still similar numbers of bugs found in Windows compared to Mac OS X and all of the open source libraries that ship with it. The study in question looked at “658 vulnerabilities affecting Microsoft products and 738 affecting Apple [and the open source projects Apple ships in Mac OS X].”
It should come as no surprise that flaws in the open software Apple uses are often publicly disclosed before Apple ships a patch, and that flaws in Windows’ closed code are less likely to go public before being patched. To clarify the timing of the discovery, reporting and patching of flaws, the study defined four points along the lifecycle of a vulnerability:
- discovery time: when the flaw is first discovered (commonly internally for closed source code)
- exploit time: when a virus or hacker tool of some sort is developed to exploit the flaw
- disclosure time: when the discovery of the flaw is publicly announced
- patch time: when the vendor solves the flaw with a workaround or patch
A 0-day patch would be one where the vendor releases a patch the same day as its disclosure. This is easier to do if only the vendor knows about the flaw’s discovery. Microsoft therefore has a huge advantage in issuing 0-day patches, because it patches flaws that are not exposed in open source. Apple’s use of open source presents many opportunities for third parties to discover a flaw and disclose it before Apple can deliver an official patch.
Also notable in the Swiss study is that it refused to acknowledge a patch supplied by a third party. That means its 0-day numbers are biased toward closed source, in that the vendor would likely discover its flaws first, and biased against open source, in that they do not consider third party patches supplied by the open source project itself, but only a patch officially distributed by Apple. On the other hand, the study defines a patch as being any sort of workaround or instruction given on how to avoid the flaw, whether or not that information is effectively communicated to users.
So if Microsoft publishes a Knowledge Base entry telling users not to perform a certain action that would result in exploitable vulnerability, it has “patched” a flaw. Conversely, if Apple bundles a version of an open source library that contains a flaw that can be patched by third parties (as was the case with the iPhone’s libtiff flaw, which was patched by the community before Apple addressed it), the flaw is still regarded as unpatched. But hold on, things get worse.
The Colors of Risk.
The Swiss study also defines three colors of risk describing periods of time before or after a vulnerability discovery or patch:
- Black Risk: the time between discovery and disclosure, where the public is unaware of a known, exploitable problem
- Grey Risk: the time between disclosure and patching, where the public is aware of a flaw but does not yet have a solution for it
- White Risk: the time between patch availability and its installation, where the public has access to a patch but has not yet installed it
The study fixates entirely upon Grey Risk, which flatters Microsoft as a closed source vendor. However, the real problems affecting PC users involve Black Risk, where users are attacked through exploits they know nothing about, and White Risk, where patches exist but users don’t know to install them, or can’t be bothered to deal with poorly designed patching tools. Both problems are severe risks facing Windows users that the Swiss study pushed aside to entirely focus on the idea of how much time elapsed between the exploit going public (that is, not discovered, but rather publicly disclosed) and its being patched. This is ridiculous.
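To make the counting rules concrete, here is an added example (my own illustration, not code from the article or from the Swiss study) that applies the four lifecycle points and the Black/Grey/White risk windows to a handful of constructed vulnerability records, then recomputes the “0-day patch rate” under different rules for what counts as a patch: vendor fix only, plus published workaround notices, plus upstream open source fixes. All record names and dates are invented.

```python
"""Lifecycle windows and the "0-day patch rate" on constructed records.

Added illustration, not the Swiss study's own method: the same records give a
different 0-day patch rate depending on what is allowed to count as a "patch".
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Vuln:
    name: str
    discovered: date                        # discovery time
    disclosed: date                         # public disclosure time
    vendor_patch: Optional[date] = None     # official fix from the OS vendor
    upstream_patch: Optional[date] = None   # fix shipped by the open source project
    workaround: Optional[date] = None       # advisory / knowledge-base style mitigation
    installed: Optional[date] = None        # when the user actually applied a fix


def effective_patch(v, count_upstream=False, count_workaround=False):
    """Earliest date that counts as 'patched' under the chosen counting rule."""
    candidates = [v.vendor_patch]
    if count_upstream:
        candidates.append(v.upstream_patch)
    if count_workaround:
        candidates.append(v.workaround)
    dates = [d for d in candidates if d is not None]
    return min(dates) if dates else None


def black_risk_days(v):
    """Discovery -> disclosure: exploitable, but the public does not know."""
    return (v.disclosed - v.discovered).days


def grey_risk_days(v, **rule):
    """Disclosure -> patch: public knows, no fix. None while still unpatched."""
    patch = effective_patch(v, **rule)
    return None if patch is None else max(0, (patch - v.disclosed).days)


def white_risk_days(v, **rule):
    """Patch -> installation: a fix exists but has not been applied yet."""
    patch = effective_patch(v, **rule)
    if patch is None or v.installed is None:
        return None
    return max(0, (v.installed - patch).days)


def zero_day_patch_rate(vulns, **rule):
    """Share of records whose counted patch was out on or before disclosure."""
    hits = 0
    for v in vulns:
        patch = effective_patch(v, **rule)
        if patch is not None and patch <= v.disclosed:
            hits += 1
    return hits / len(vulns)


# Constructed sample records (invented dates, not real advisories).
SAMPLE = [
    # closed component, found internally, fixed the day it is announced
    Vuln("closed-A", date(2007, 1, 10), date(2007, 3, 13),
         vendor_patch=date(2007, 3, 13), installed=date(2007, 3, 20)),
    # closed component, only a workaround notice on disclosure day, real fix later
    Vuln("closed-B", date(2006, 11, 1), date(2007, 2, 13),
         vendor_patch=date(2007, 5, 15), workaround=date(2007, 2, 13),
         installed=date(2007, 6, 1)),
    # bundled open source library: upstream fixes on disclosure day, vendor ships it later
    Vuln("bundled-C", date(2007, 7, 1), date(2007, 7, 5),
         vendor_patch=date(2007, 9, 27), upstream_patch=date(2007, 7, 5)),
    # bundled open source library: upstream fix two days after disclosure, no vendor fix yet
    Vuln("bundled-D", date(2007, 8, 1), date(2007, 8, 1),
         upstream_patch=date(2007, 8, 3)),
]

if __name__ == "__main__":
    for v in SAMPLE:
        print(f"{v.name:10} black={black_risk_days(v)}d grey(vendor)={grey_risk_days(v)} "
              f"grey(upstream)={grey_risk_days(v, count_upstream=True)}")
    print("0-day rate, vendor fix only:", zero_day_patch_rate(SAMPLE))
    print("0-day rate, plus workarounds:", zero_day_patch_rate(SAMPLE, count_workaround=True))
    print("0-day rate, plus upstream fixes:", zero_day_patch_rate(SAMPLE, count_upstream=True))
```

Note that record closed-B becomes a "0-day patch" only because a workaround notice counts, while bundled-C stops being one only because the upstream fix does not count; the two counting choices move the rate in opposite directions.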
News Flash: Apple Better At Delivering Software Than Microsoft.
Also noted in the report, but suspiciously not in IDG’s coverage of it, was the fact that Apple has exceeded Microsoft in the number of security patches it has issued over the last six years, delivering 815 patches to Microsoft’s 678. That’s despite the fact that Microsoft serves more customers with greater security problems, more avenues for exploit, and infinitely more real world losses due to security issues. This also includes the patches Microsoft provides its “enterprise customers.” Microsoft has improved in the number of patches it offers, but Apple has made even faster progress, delivering nearly twice as many patches just last year alone.
Why was this detail omitted from IDG’s corporate media report? Because it didn’t flatter Microsoft. The Swiss report also noted the number of major operating system releases each vendor delivered, but for some reason, counted Microsoft’s Service Packs as a major release while only counting Apple’s retail reference releases as such. These numbers were presented relative to the idea that delivering a major software release consumed the vendor’s development resources, making it more difficult for them to supply security patches in a timely manner.
Undercounting Apple’s far more prolific ability to deliver significant new feature updates–despite having a far smaller engineering team–distorts the report’s findings in egregious ways. When actually counting the real number of significant updates each vendor has released since 2002, Apple comes in at 33 (not including 5 iPhone OS X updates) while Microsoft comes in at 7. Note that this credits Windows Server service packs as a release, but does not count Mac OS X Server releases. When those are added in, Apple has delivered 66 major releases to Microsoft’s 7 over the six years of the study. That should play into the study’s 0-day reporting, but it unfortunately did not.
So why did the Swiss team issue a sensationalized report suggesting proof to refute the reality that Mac users have zero viruses and no real malware problems, symptoms that would logically follow if Apple’s operating system were open to easy exploit?
Attacking Windows’ security would not be noteworthy. Suggesting that Apple is lying when it advertises that Macs have no viruses and that users are spared the problems of malware that are very real on the Windows platform is not only salable “news,” but plays right into the prejudices of an idiot public that wants to believe something other than the truth.
IDG wants to titillate its Windows Enthusiast readership by falsely discrediting Apple, and the Swiss team obliged by providing it a misleading report to support such a story. Both parties win notoriety at the expense of being entirely wrong and deceiving the public.
How to Prove the Truth Is Wrong.
It is simply far too easy to refute the truth. Humans have a built in mechanism for collecting useful information that is completely vulnerable to liars. Propagandists have exploited this flaw since the dawn of time. Repeat a lie frequently enough, and it will become reality to the sheepish audience that listens to it uncritically.
As an example, compare the reality of Federal spending by US presidents by their party affiliation. According to the Republican right, Democrats “tax and spend,” working up deficits that impede growth and stifle economic productivity. This message has been repeatedly pounded into the public by right-leaning think tanks for decades. However, a look at the actual spending record of presidents over the last few decades proves this to be entirely false.
Why Windows Enthusiasts Refute the Truth.
Similarly, while there are many reasons for various parties to advance the idea that Macs are troubled by latent security problems that have made it “as bad as Windows” since at least 2003, including:
- security researchers like Miller who are making a career from reporting sensational, yet inconsequential vulnerability findings,
- security think tanks like the Swiss group, who desperately crave the attention that a sensationalized report will bring them,
- columnists and pundits who make a name for themselves by refuting reality with carefully cited statistical fallacy, and
- groups directly sponsored by Microsoft to report the idea that Windows is not the most irresponsibly security plagued software in the Universe,
the fact remains that Windows has suffered and continues to suffer from serious security flaws. The security advancements that Microsoft has made in Windows Vista are significant, but have only served as a theoretical remedy for many users, who can’t even use Vista due to its hardware requirements, its architectural changes that have left enterprise customers with a “wait and see” perspective, its increased expense, increased license policing, and its performance problems, made only worse by the problematic release of SP1.
What Needs To Happen Around Here.
Rather than trying to overturn the simple truth that Microsoft chased short term profits throughout the 90s and subsequently delivered a poorly architected operating system with little regard for real world security issues, and then failed to see any need to fix things before finding itself paralyzed by the worst security epidemic the world has ever seen, security researchers should admit that Microsoft ushered in a lot of problems it would now like to pretend don’t exist, when they most certainly do.
Microsoft should spend its fortunes really solving the security problems of its Windows users at its own expense, rather than expecting them to pay an astronomical premium for Vista, software that largely only fixes issues that resulted from the company’s wild profiteering over the previous decade, and doesn’t really work all that well itself.
The corporate media should look past the enormous advertising revenue it receives from Microsoft in order to tell the truth and actually inform its readers, rather than serving to advertise the importance of declaring allegiance to Microsoft in every news story. But of course no one in the corporate media needs to listen to someone like me, who is so biased toward good technology and fair competition in the market that they can’t see much good at all in Microsoft’s criminal actions against its customers, partners, and the state of the art itself.