Friday, May 26, 2006

Apple will have to work on the security of its software

page 14 [of Apple's "secure coding guidelines"]

"So far, Mac OS X has not fallen prey to any major, automated attack like the MyDoom virus. There are several reasons for this. One is that Mac OS X is based on open source software such as BSD; many hackers have searched this software over the years looking for security vulnerabilities, so that not many vulnerabilities remain. Another is that the default installation of Mac OS X turns off all networking services that might be used to exploit vulnerabilities. Also, the email and internet clients used most commonly on Mac OS X do not have privileged access to the operating system and are less vulnerable to attack than those used on some other common operating systems. Finally, Apple has an active program of reviewing the operating system and applications for security vulnerabilities and issues downloadable security updates frequently."

The fact that something is open source software and that it has been audited before is no guarantee whatsoever that it's more secure than a commercial equivalent. There has been a lot of discussion around this, and people have concluded that it can have the potential to be more secure but it doesn't have to be. In this particular case they use BSD as an example. Every once in a while I audit BSD code, and there is nothing magically secure about it, plenty of security bugs in there to go around.

So OSX turns off all network daemons by default. But the firewall is off by default last time I checked, there is DHCP parsing code IN THE FUCKING KERNEL, and it does send out and receive mDNS constantly.

So the email client, browser, and other utils don't run as root. So if you own them you don't instantly own the box. That's what local root exploits are for, it's a very common 2-step thing! I know this is defense in depth, but I wouldn't go so far as to brag about it, it might bite you in the ass later.

The idea that Apple's browser and email client are less vulnerable to attack than others is total bullcrap. In fact, the opposite is true. When I did browser fuzzing Safari was ALWAYS the first to break. It's simply not up to par with IE and Firefox when it comes to parsing input!
I don't know if all this is true, but once more and more people switch to Macs, Apple will have a serious security problem if they don't change their attitude.

ilja's blog: Apple Secure Coding Guide
