Daniel Eran Dilger

Pwn2Own contest winner: Macs are safer than Windows


Prince McLean, AppleInsider

Charlie Miller, the security expert who won both this and last year’s CanSecWest Pwn2Own security contests by exploiting Macs running Safari, repeated in an interview that he’d recommend Macs to typical users as a safer alternative to Windows PCs.

Following both Pwn2Own contests, numerous sensationalist headlines played up the idea that a Mac had been “cracked in seconds,” conspicuously neglecting to mention what Miller called “the many days doing research and writing the exploit before the day of the competition,” enabling him to discover the bugs and develop a way to successfully exploit them on the first try at the event.

Macs less secure, more safe

In an interview with Tom’s Hardware, Miller stated, “I’d say that Macs are less secure for the reasons we’ve discussed here (lack of anti-exploitation technologies) but are more safe because there simply isn’t much malware out there. For now, I’d still recommend Macs for typical users as the odds of something targeting them are so low that they might go years without seeing any malware, even though if an attacker cared to target them it would be easier for them.”

Miller also offered some suggestions for users. “For all operating systems, make sure you keep your system up to date. That’s the best thing you can do. On a PC, I’d recommend running some AV software to help clean up when things go bad. Otherwise, just be smart, pay attention, and hope for the best. It is possible to really lock down your computer (running noscript for example) and make it safer, but in my opinion it’s not worth the trouble and the loss of functionality you experience.”

Mac security software not recommended

When asked whether having outgoing firewalls, anti-spyware or anti-malware software, or not being logged in as a root user would have done anything to limit the extent of the exploits on the Mac that he demonstrated at the last two security events, Miller said, “None of those protections would have probably worked, or at least there were potential workarounds. The best thing the user could have done is not click on the malicious link. Of course, in some cases such as a man-in-the-middle attack, even this wouldn’t have helped.”

While neither of the exploits gained root access, Miller pointed out that “just [cracking into] running as the user is still very bad. I could have still watched keystrokes as you went to an online bank, read your calendar and address book, sent emails, etc. In real life, one or all of these things would have occurred.”

No market for Mac malware

Repeating comments he made earlier, Miller noted that “Mac bugs aren’t really valuable,” pointing out that while the CanSecWest award of a new Mac notebook and the $5,000 “is a lot of money, it’s really not that much when you consider what a bad guy could make with an exploit for an unknown vulnerability in, say, IE 8 running on Vista.”

In a separate interview, Miller estimated that a researcher with an exploitable Windows vulnerability “could easily get $50,000 for that vulnerability. I’d say $50,000 is a low-end price point.” The huge difference in vulnerability valuations between the Mac and Windows reflects the fact that there is little demand for Mac malware, and therefore little demand for the bugs it would be built on.

This winter Gregg Keizer wrote about Miller in Computerworld: “Criticizing security software for its cost — both in dollars and in the processor cycles it consumes — Miller admitted that he doesn’t bother running any on his Macs. ‘I don’t think it protects me as well as it says,’ he argued. ‘If I was worried about attacks, I would use it, but I’m not worried.’”

At the time, Miller had taken Apple to task for recommending in a support document that Mac users consider installing antivirus software. Computerworld said Miller “pooh-poohed Apple’s recommendation using the same logic as many longtime [Mac] users,” and quoted Miller as saying, “Windows has 90% of the market, but [attackers] give it 100% of their time.”

Vista’s NX and ASLR malware counter-measures

While tech journalists and security vendors have been confidently announcing that the increasing popularity of Apple’s Macs would eventually create a market for Mac malware, those predictions have gone unfulfilled since they began around 2003, just as Microsoft’s efforts to ship what would become Windows Vista started to derail under an epidemic of malware infecting Windows XP.

Microsoft was forced to start over with Vista several times and was distracted by the need to address immediate security problems in Windows XP. That resulted in Vista being delayed until the beginning of 2007. Once it did arrive, Vista introduced sophisticated new measures to make it more difficult for attackers to inject and execute their own code inside a running program.

One is support for the CPU’s NX bit, which lets the operating system mark pages of memory as “Non-eXecutable” so the CPU refuses to run any instructions stored there. This is referred to as “executable space protection.” It blocks the classic attack in which a memory corruption bug, such as a buffer overflow, is used to smuggle machine code into a program’s data areas (its stack or heap) and then redirect execution to it, which would let the attacker run code with the same privileges as the program itself.

A second security practice of Vista is “address space layout randomization” or ASLR, which loads executables, system libraries, the heap, and the stack at randomly chosen locations within the address space each time a program runs. Exploiting a memory corruption bug normally depends on knowing exact addresses: where the injected payload sits, or where existing code can be borrowed to get around NX. Randomizing those addresses makes an exploit far less reliable even when the attacker knows exactly what the bug is and how to trigger it.

Miller told Tom’s Hardware “the NX bit is very powerful. When used properly, it ensures that user-supplied code cannot be executed in the process during exploitation. Researchers (and hackers) have struggled with ways around this protection. ASLR is also very tough to defeat. This is the way the process randomizes the location of code in a process. Between these two hurdles, no one knows how to execute arbitrary code in Firefox or IE 8 in Vista right now. For the record, Leopard has neither of these features, at least implemented effectively. In the exploit I won Pwn2Own with, I knew right where my shellcode was located and I knew it would execute on the heap for me.”
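As an added illustration of what Miller is describing, the following C program plays the attacker’s part from his last sentence: it copies a payload onto a writable data page and jumps to it. This is example code written for this page, not code from the article or from Miller’s exploit, and it assumes a Linux-style system on x86-64 or arm64. The “shellcode” is a harmless stub that returns 42 (real shellcode would spawn a shell; the protection is the same), and a SIGSEGV handler is used to turn the NX fault into a return value instead of a crash. With NX enforced the first run reports -1; making the page executable with mprotect lets the same bytes run, which is why attackers who cannot inject code turn to code the program already has mapped, and why ASLR then matters. Run the binary twice and compare the printed addresses to see whether your system randomizes the stack, heap and program image.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Stand-in "shellcode" (assumption of this example): a stub returning 42. */
#if defined(__x86_64__)
static const unsigned char stub[] = { 0xb8, 0x2a, 0x00, 0x00, 0x00, 0xc3 }; /* mov eax,42 ; ret */
#elif defined(__aarch64__)
static const unsigned char stub[] = { 0x40, 0x05, 0x80, 0x52,   /* mov w0,#42 */
                                      0xc0, 0x03, 0x5f, 0xd6 }; /* ret        */
#else
#error "stub bytes provided only for x86-64 and aarch64"
#endif

static sigjmp_buf fault_return;

static void on_fault(int sig) {
    (void)sig;
    siglongjmp(fault_return, 1); /* unwind out of the failed jump */
}

/* Jump to the bytes at p as if they were a function.
   Returns the stub's return value, or -1 if the CPU refused to fetch
   instructions from that page (the NX bit doing its job). */
int try_execute(void *p) {
    struct sigaction sa, old_segv, old_bus;
    volatile int result = -1;
    int (*fn)(void);

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_NODEFER;
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);

    memcpy(&fn, &p, sizeof fn); /* data pointer -> function pointer */
    if (sigsetjmp(fault_return, 1) == 0)
        result = fn();

    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return result;
}

/* Map one read/write page and copy the stub into it: the situation an
   attacker creates by spraying payload bytes onto the heap. */
static void *data_page_with_stub(size_t pg) {
    void *p = mmap(NULL, pg, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return NULL;
    memcpy(p, stub, sizeof stub);
    __builtin___clear_cache((char *)p, (char *)p + sizeof stub);
    return p;
}

/* Payload on a writable data page, then run: -1 when NX is enforced. */
int run_stub_from_data_page(void) {
    size_t pg = (size_t)sysconf(_SC_PAGESIZE);
    void *p = data_page_with_stub(pg);
    if (!p) return -2;
    int r = try_execute(p);
    munmap(p, pg);
    return r;
}

/* Same bytes, but the page is made executable (and no longer writable)
   first; NX cannot object, so the stub runs and returns 42. */
int run_stub_after_mprotect(void) {
    size_t pg = (size_t)sysconf(_SC_PAGESIZE);
    void *p = data_page_with_stub(pg);
    if (!p) return -2;
    if (mprotect(p, pg, PROT_READ | PROT_EXEC) != 0) { munmap(p, pg); return -3; }
    int r = try_execute(p);
    munmap(p, pg);
    return r;
}

int main(void) {
    int local = 0;
    void *heap = malloc(16);
    printf("stub on RW data page : %d  (-1 = blocked by NX)\n", run_stub_from_data_page());
    printf("stub on RX page      : %d\n", run_stub_after_mprotect());
    /* Run twice: under ASLR each of these addresses changes between runs. */
    printf("stack %p  heap %p  image %p\n", (void *)&local, heap, (const void *)stub);
    free(heap);
    return 0;
}
```

The first result is what separates Vista (and a properly NX-enforcing OS) from the Leopard case Miller describes: the payload is sitting on the heap, the attacker knows its address, and the CPU still will not run it. The second result shows that NX only refuses to execute data; it does nothing against an attacker who can redirect execution into code that is already executable, which is the gap ASLR is meant to close by making those addresses unpredictable.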

Snow Leopard security

While Apple did implement some support for NX and ASLR in Mac OS X, Leopard’s ASLR randomizes the load addresses of system libraries but leaves dyld (the dynamic loader responsible for loading all of the frameworks, dylibs, and bundles needed by a process) at the same known address on every run. That hands an attacker a fixed block of executable code to target, making it relatively trivial to bypass the randomization. This is slated to change later this year in Snow Leopard.

With the much larger address space available to 64-bit binaries, Snow Leopard’s ASLR is expected to hide the location of loaded code like a needle in a haystack, denying attackers the predictable addresses they need to control the code and data loaded into memory. Without knowing what addresses to target, the “vast majority of these exploits will fail,” another security expert who has also won a high profile Mac cracking contest explained to AppleInsider.

The future of malware

That indicates that long before the Mac installed base becomes large enough to attract the kinds of malicious attacks that pundits have long anticipated, Apple will close off the remaining points of access for exploiting Mac OS X just as Microsoft has done with Vista. The main difference will be that Mac users are more likely to quickly adopt Snow Leopard this year after it is released. Of course, Mac OS X already has other security features that prevent the easy installation of difficult-to-remove malware.

In contrast, after more than two years since its launch Vista adoption is still well below a third of the Windows active installed base, leaving far greater exposure for PC users and a vibrant market for Windows malware that’s unlikely to go away anytime soon.

Additionally, the vast majority of netbooks, the only segment of the shrinking PC market in which analysts see any hope for growth, continue to run Windows XP rather than Vista. Microsoft hopes to get Vista’s successor, Windows 7, running on netbooks at some point this year after it is released for desktop and full-sized notebook users.

Mac versus iPhone security

Despite having some of the same Safari-related vulnerabilities as the Mac, the iPhone was not exploited during the CanSecWest contest, even though the contest held out a $10,000 prize for cracking smartphones, double that offered for cracking desktop systems.

Speaking of an exploit that a researcher had successfully used against Safari on the Mac, Terri Forslof, manager of security response at 3Com Inc.’s TippingPoint security group, told Computerworld, “People wondered why wouldn’t it work on the iPhone, why didn’t he go for the $10,000. The vulnerability is absolutely there, but it’s a lot tougher to exploit on the iPhone.”

The article also quoted Forslof as saying, “’There was an exploit at the show that could have broken the iPhone,’ said. [sic] ‘But the researcher said that the $10,000 wasn’t enough to part with that level of vulnerability.’” That indicates that there is a market for iPhone vulnerabilities (at least more than on the Mac desktop), but that those bugs are also harder to discover and successfully exploit.

The article also said that “in some cases TippingPoint wasn’t able to pin down the exact phone or operating system version early enough to give researchers the lead time they needed to work up an exploit of a vulnerability they might have already uncovered,” further undercutting the “cracked in seconds” headlines applied to the Mac cracks, as if those successful attacks had been invented and performed at the event Hollywood-style in moments.

Computerworld also reported that “one researcher had prepared an exploit for a vulnerability on a BlackBerry Touch emulator, but the BlackBerry model used in the contest was the Bold. ‘There was enough difference [between the two] that his exploit wasn’t working,’ Forslof said.”

  • ericmurphy

    Regardless of the relative ease of exploitation of Mac OS X vs. Windows, the idea that Windows is even remotely as safe as OS X is on its face preposterous. No one in their right mind would connect a Windows PC, whether running XP or Vista, to the public Internet without multiple layers of malware protection. My workplace has no fewer than four layers of malware protection, filtering e-mail and the web, not including the hardware firewall.

    By contrast, my home network, comprised of three Mac desktops and one laptop, is directly connected to the public Internet via static IP addresses (i.e., no DHCP or NAT), with no hardware firewall or AV protection. In ten years of running my network this way, with ssh, ftp, afp, and web hosting turned on, I have yet to see an exploit.


  • d235j.1

    @ericmurphy: I hope all, and I mean *all* your passwords are strong. Leaving those services open without NAT or hardware firewall is a problem if your passwords are weak. Otherwise, you should be fine. I run Linux systems that are exposed to the internet and so far haven’t seen them get exploited.

  • gus2000

    I always use “secr3t” as my password, is that strong enough?

  • http://all.net/ hylas

    Jesus Christ!
    Five years with the NSA, is that what it takes?

    http://www.tomshardware.com/reviews/pwn2own-mac-hack,2254.html

    Props to you Charlie Miller.

  • NB

    Apple introducing a few more techniques to stop stack overflow exploits from working would be neat. Time and time again Apple’s programmers have proven that they suck at coding in this respect (hellooo QuickTime). OpenBSD, to name one example, has done great research into this field of randomising stack access points, dynamic library loading, and the NX bit and other non-executable data pages. Although Apple will have a bit of work to do with ObjC’s tendency to use trampolines.

    It’d be nice to hear of a way to get this message to Apple. It is high time for them to take security more seriously. They’ve made some great design decisions on how to not have security in the way of usability but the computer still needs to do what it advertises as doing: load an image rather than execute it.

  • dustbag

    Great article overall Daniel. I don’t get to say often enough how much I appreciate everything you do.

    Mr. Miller’s comments seem to lend weight to the ‘security through obscurity’ argument so often spouted by MS defenders. As someone who is not as educated as I would like to be on the technical details, I would be interested in your take on the comments on your article from the Appleinsider forum:

    Alfiejr said:
    “so Miller did not get root access with his attack, even though the Mac was running in Admin mode. he is right of course that he could still steal information, spoof emails, and invade/erase a user’s files. but that is not turning the Mac into a bot like the Conficker worm does to PCs with no individual effort needed. it’s a focused one-at-a-time attack that is labor intensive and slow to reward. the NSA might do it to spy on you, but for a crook phishing is a lot easier way to steal someone’s bank account info quick.”…

    “no doubt with more effort on that individual Mac he could then crack the password(s) that would finally give him total root control of the computer and install any programs and do anything (most consumers use relatively simple pw’s). but crooks aren’t going to go through that much extra work with a single random consumer just to set up a single bot unit or look for financial info hit-and-miss”…

    “all of which adds up to the Mac’s practical security advantage. it’s not just the market share, it is the inefficient (for the crook) extra trouble it takes.”

    Is Alfiejr correct? It would help me in my practical discussions with my company’s IT department Windows pundits. If for nothing else, than to give them something to go research (when they’re not installing anti-virus updates of course).

    Thanks again!


  • stefn

    It’s hard to believe that there are computer experts who recommend Windows over OSX for HOME use. How do they sleep at night?

  • Joel

    I like the way one “security researcher” has stated his opinion and therefore IT MUST BE SO…! This is the security researcher who sat on at least one known exploit for a year without informing anyone…

    Let’s have a car analogy. Imagine if someone knew how to break into a BMW, but didn’t tell anyone for a year. Would we all still take him seriously…? Or perhaps someone who has kept a known fault from Airbus or Boeing that lets people access the cockpit in flight…?

    This researcher is an opportunistic self-promoter. He isn’t interested in increasing security. He’s interested in $$$$$. So no wonder he isn’t interested in OS X. The big targets are in Windows XP… This guy is a “security celebrity” not a “security researcher”. And like all celebs, although he hasn’t done anything substantial, people still listen to him…

    Is OS X more secure through obscurity…? Unlike Windows, and via its BSD roots, OS X has security built-in. There’s also the umpteen features Dan has mentioned. There’s also a very small (compared to Windows) user base. In order to spend time overcoming all the OS X security you’re going to need very good motivation. I’ve posted this before, but until OS X users leave their Gold stash passwords in the clear with instructions how to access it, no “security researchers” are going to be motivated. (And remember, nothing is “obscure” on the Internet)

  • Joel

    @ stefn. They sleep at night because they know how much $$$$$$ they can charge for removing malware and viruses…!

  • beetle

    > Mr. Miller’s comments seem to lend weight to the “security through obscurity” argument so often spouted by MS defenders.

    That would be MS defenders *and* Daniel! :-)

    But your extended quote goes on to argue _against_ just such a conclusion! This particular vulnerability could not be leveraged to create a worm or virus. Until and unless someone presents evidence of research, market share alone is not a convincing argument as to why OS X remains secure. Especially not given the presence of, as Joel points out, “security celebrities”!