Mac OS memory flaws pose challenges for enterprise endpoint protection

Recent research suggests that poor memory protections in the Mac OS make it much less secure than previously believed. Dee-Ann LeBlanc details how the Mac OS can be exploited and whether new defenses are needed to protect Mac endpoints on enterprise networks.

At the recent Source Boston security conference, researcher Dino Dai Zovi shared a presentation on the hackability of Mac OS X that's caused quite a stir.

According to Dai Zovi, a noted author and Mac security expert, easy access to the root memory in Apple Inc.'s operating system makes it trivial for malicious attackers to take over a Mac system, establish a TCP connection and download additional malicious code.

For years, the Mac OS has enjoyed a reputation of being considerably more secure than Microsoft's Windows operating system. But now, these findings suggest that Macs may no longer be impenetrable enterprise endpoints. In general, the practical implications are that the biggest bang for a hacker's buck continues to be found in going after Windows, but Apple must recognize the flaws in its security paradigm and fix some security issues that even Windows Vista has dealt with.

For more on Mac OS attacks

Security researcher Vincenzo Iozzo explains how he found a way to inject malicious code directly into Mac OS X memory, leaving no trace for forensics investigation.
Mac OS security issues and flaws
While those writing malicious software still overwhelmingly target Windows due to market penetration -- there are far more Windows machines out there than Macs, especially in the enterprise -- that doesn't mean hackers aren't interested in exploiting the Mac OS.

For example, a recently reported Mac exploit discovered by a pair of Symantec Corp. researchers involves pirated Trojan versions of Apple's iWork 09 software and Adobe Photoshop CS4. When someone downloads and installs the software, a program called iWorkServices.pkg launches just after the user enters their administrator password.

Once launched, the file /System/Library/StartupItems/iWorkServices is installed into the Mac's startup menu with full root permissions. This malware then connects to a remote server to join a zombie botnet and accept commands, possibly downloading additional components. When this botnet awakened on April 17, 2009, it was dubbed the first known Mac-based botnet.

Yet this particular malware exploits a human flaw -- downloading pirated software and/or not checking if the software was tampered with -- rather than an OS X flaw. Still, the exploit demonstrates that the Mac OS is just as susceptible to the same sorts of attacks that have victimized Windows-based computers for years. So now the question is, how much should enterprises worry about these sorts of Mac exploits? Are they aberrations, or a preview of what's to come?

Where Mac security falls short
To Dai Zovi's point, Mac OS security falls short when it comes to defending the system's memory. Buffer overflows, integer overflows, out-of-bounds array access and uninitialized memory can all be used to cause errors that give malicious code the chance to break out of the software and gain access to the computer itself.

The weakness Dai Zovi exploits is in heap memory, which is memory that's not in use. To address memory security issues, the PaX project for Linux developed a set of features to protect address space. Two of these are Address Space Layout Randomization (ASLR) and Non-executable memory (NX). ASLR makes it harder for malware authors to predict where a piece of information would be in memory, therefore making it harder to break into the system. NX prevents exploits by marking writable memory as non-executable.

While these features and more are available for Linux, and also for Windows Vista, they are only partly implemented in OS X (version 10.5 at the time of this writing). Heap memory, for example, is not randomized by OS X. It also doesn't have the NX bit set, so it's considered executable. This combination of issues allows programmers to write more information to a heap buffer than there's actually room for, overflowing the buffer and causing data corruption or unexpected behavior from the program. In particular, the exploit could cause data to be altered or the attacker's own code to be loaded into memory.

Protecting enterprise Macs Generally speaking, even amid the seriousness of these issues, the security community likely isn't terribly concerned. Microsoft products remain the most tempting targets for attackers, especially since so many Windows users have avoided Microsoft Vista; use of the less-secure Windows XP remains prevalent in the enterprise. For that reason alone, there's simply a much bigger payoff for going after Windows systems.

Still, it's a mistake to assume Mac systems are 100% safe. Dai Zovi advises the following precautions to reduce the malware risk.

  • Don't allow users to perform day-to-day activities logged in as administrators. All administration activities should be conducted with a second account.
  • Install security updates as soon as possible. Those using a backup utility such as Apple's Time Machine can easily restore to a previous configuration if an update causes problems.
  • Consider deploying antivirus on all (or many) of your organization's Macs by the end of the year, or at least having an action plan ready for when this precaution becomes necessary.

Also, be sure users are careful of which links they click, opening unexpected attachments, and where you download your software.

Another thing to consider is upgrading legacy 32-bit Mac hardware to 64-bit. OS X 10.5 (Leopard) and earlier are not completely 64-bit, but OS X 10.6 (Snow Leopard), which is expected to be released as early as August, is supposed to be. Due to differences in how memory is handled and addressed in the 64-bit architecture, 64-bit systems are inherently safer from the issues Dai Zovi has highlighted.

Finally, specific to the heap memory concern, one method of protecting your organization's Macs is to download DH, a memory error-protection program written by Emery Berger, an associate professor in the Department of Computer Science at the University of Massachusetts. DH makes it very difficult for attackers to locate individual heap objects, which is the key to many security exploits. While the DH site doesn't specifically mention OS X, Berger says the program does run on the Apple operating system as well as on Linux and Windows.

Don't miss need-to-know info!

Security pros can't afford to be the last to know. Sign up for email updates from SearchSecurity.com and you'll never be behind the curve!
The reality
All in all, security experts still feel that while OS X remains somewhat vulnerable, exploits remain few and far between and seem to rely so far on human error more than on memory flaws. The best defense is to make sure your policy and user education efforts are in line with Dai Zovi's recommendations.

And in the meantime, keep an eye out for Snow Leopard and whether Apple truly brings it to the 64-bit world with the memory issues taken care of.

About the author:
Dee-Ann LeBlanc is a technology author and editor specializing in Linux, OS X, CMS, and open source. Her work has appeared everywhere from "The Linux Journal" to "Linux for Dummies."

This was first published in June 2009

Dig deeper on Alternative OS security: Mac, Linux, Unix, etc.

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchConsumerization

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly

Close