Winner of this and last year’s PWN2OWN contest Charlie Miller made some bold statements last week, stating that Mac OS X is easier to exploit than Windows. In a new interview with Tom’s Hardware, Miller explains that that doesn’t mean users should avoid Mac OS X for security reasons. He also gives a little more insight into his winning exploits, and what exactly they do.
The statement “Mac OS X is easier to exploit than Windows” is something people easily assume to mean that the former is the less safe operating system of the two. Many people, among which myself, were quick to point out that what matters, in the end, is theoretical security vs. real-world security. Simply by looking at the statistics, it is pretty obvious that the Mac is simply the safer choice for any given home user.
Miller agrees with this assertion, and explains that Macs are safer than Windows machines. “Between Mac and PC, I’d say that Macs are less secure for the reasons we’ve discussed here (lack of anti-exploitation technologies) but are more safe because there simply isn’t much malware out there,” Miller says, “For now, I’d still recommend Macs for typical users as the odds of something targeting them are so low that they might go years without seeing any malware, even though if an attacker cared to target them it would be easier for them.” Miller adds that he is a Mac user himself (a Core Duo MacBook).
The question whether or not Miller actually gained root access with his two exploits has also been answered: no, he did not get root access, but he says it doesn’t really matter. “In neither case did I get root/admin access. That would have required additional vulnerabilities. However, just running as the user is still very bad,” Miller explains, “I could have still watched keystrokes as you went to an online bank, read your calendar and address book, sent emails, etc. In real life, one or all of these things would have occurred.”
Linux makes a small appearance during the interview, but Miller harshly dismisses it. “I’ll leave Linux out of the equation since I know my grandma couldn’t run it,” he says. I thought we had grown out of the grandma analogy by now. The fact of the matter is that no grandma would ever be able to install an operating system by herself, whether that be Windows, Mac OS X, or Linux. She would have someone do it for her, and in that case, you could set her up with a working, easy-to-use, and complete Linux install just as well as you could give her a Windows install.
Let’s retire Mythical Grandma, shall we?
http://osnews.com/thread?354965
I’m trying to come up with something catchier for the ‘mythical Grandma’ analogy. If possible, something along the lines of The Mythical Man Month.
The Mythical Mother’s Mother?
The Mythical Moronic Matron?
The Legendary unLearned eLder?
Audience, to participate in the contest, text your submission to #MOM, now. Or just type it in the forum…
Well, we can’t replace Grandma with Grandpa, because he was hired by <engineering firm> to program their PDP-1 to handle <task> back in ’63…
I know plenty of older people whose computer competence is above most people my age. I still don’t think they’d be comfortable installing OSes on their computer, but that’s not something most people my age do either.
is not so hard compared to uninstalling it when you have windows on another partition
What? Just uninstall it and repair the Windows partition using a Windows CD. How complicated is that?
If you don’t know the basics of partitions and boot sectors, you shouldn’t be installing an operating system.
Is this guy paying OSNews to have his name & company appear 3 times in a week as a hot story?
“I’m gonna $&% MacOSX”
“I’m $&%ing MacOSX”
“I did $&% MacOSX. See? Told you so”
What a loser
We haven’t actually mentioned his company.
But other than that, of course he’s paying us. I need some revenue to pay my army of upper-class hookers with which I’m planning to take over the world.
Edited 2009-03-26 22:43 UTC
Quick (and absurd) answer Thom. Have we been visiting those famous Dutch coffee shops recently? (I wish I had :-))
Welcome any time. 🙂
Do hurry a bit, the reactionaries here are trying to close ’em all down.
(In any case, alcohol is a lot worse for you.)
Legalize!
They’ll never defeat my Dinosaur Women!!!
– The Evil Dr. Ironstein (Flight of the Amazon Queen)
Edited 2009-03-26 23:02 UTC
I knew OSNews was a part of the global conspiracy to make apple look bad, but I never guessed your end game.
devious.
Thom,
[quote]Linux makes a small appearance during the interview, but Miller harshly dismisses it. “I’ll leave Linux out of the equation since I know my grandma couldn’t run it,” he says. I thought we had grown out of the grandma analogy by now. The fact of the matter is that no grandma would ever be able to install an operating system by herself, whether that be Windows, Mac OS X, or Linux. She would have someone do it for her, and in that case, you could set her up with a working, easy-to-use, and complete Linux install just as well as you could give her a Windows install.
Let’s retire Mythical Grandma, shall we?[/quote]
Wait a minute, you say don’t bother old grandma with such analogies with her being able to use Linux, as you claim that’s not valid, while at the same time, you say she could never install an OS? Well, maybe not your grandma
But, don’t generalize on grandmas and their tech competence: there be dragons!
Not mine, either, but for a very legitimate reason: they’re DEAD! Perhaps that’s the same reason Miller has for his grandma, too, for all we know: it simply wasn’t stated
grandma A and mom.. no
grandma B.. no
pop.. yes
grandma-n-law A.. yes
grandpa-n-law A.. yes
It’s a tossup really. I think it’s better to use “average user” rather than assuming age is an indication of technological ability. In that case still, the average user takes the machine to a third party for things like OS installs. If your doing OS installs and dualboots; your not an average user, even if your a grandma.
Edited 2009-03-27 15:09 UTC
Thank you! Finally, somebody agrees with me
I’ve been having this debate with people (especially Linux users) for years when they say that even if a Linux box was rooted, it wouldn’t matter because the attacker wouldn’t have complete access of the system. Ha, like hell it wouldn’t! Also, are people still going to insist that marketshare has absolutely nothing to do with the reason why Windows is exploited more?
And who the hell is going to do it for her? The only person I know in real life who is anything close to a Linux geek is me, and I barely know enough to get by. I would have no idea how to troubleshoot it. As for Windows, when friends and family have problems with their PCs, they call me, cuz I am their tech support by default. If they moved to Linux, they’d be sh!t outta luck. Because I can tell you first hand… they ain’t using Google as a tech support tool. If they did, they wouldn’t be calling me with their Windows problems
Although I don’t agree with your definition of “rooted” (considering you are really talking about NOT getting root) I agree with your comment. Me too have been in debates with linux geeks and been presented the same argument. “linux is more secure because you don’t run as administrator”. That may very well be, but you are still f–ked when the attacker can read all your documents which just happens to be stored as your regular user, run your webcam and mic since applications running as regular users have access to these, and so on. Of course, what they can not do is to statically inject code into executables where the user only have the rights to execute. That is still something, but what really matters is the user generated data that the attack would have access to, and the attacker WILL have access to the resources the user has access to.
What I don’t get though is why people use this as an argument to say “system <insert whatever here> is more secure because they don’t run as admin”. Secure HOW? They are in reality talking about the _consequences_ of an _successful_ attack, but they act like they are talking about the _likehood_ of shit to happen. Big difference!
To conclude, when people give you that old speech just ignore them since they obviously have not made a proper risk assessement of what assets is of value for a person. They obviously think security is a static measure across systems and persons.
Edited 2009-03-27 06:32 UTC
A bigger problem is if your user account is compromised, it opens an attack on the rest of the system. OS kernel can have security flaws that a hacker can exploit to gain privilege escalation. The same applies to the suid executables which are run by the users and executed as root.
He don’t agree with you because is point is on Windows and MAc OS X machine and your point is trying to say the same thing would happen on GNU/Linux just as easy.
Care to point to one such real debate , that you know , exist in reality , that you know , involved you …
Actually I know your confused and lying on purpose and mix the hacked or compromised at the user level problem with roooted problem.
If your root in a machine you own that machine , be it on site , locally or remotely or on the internet.
But then a compromised user on GNU/Linux cannot gain access to root as easily as with Windows and MAc OS X machine.
That’s what people are saying to you.
They never said that the user who got compromised would not incure identity theft trouble or face prossible damage to it’s reputation or have is communication compromised. That’s what your making up.
First the #1 in marketshare globally is GNU/Linux … Desktop is a small market compared to the rest.
Second attempt to exploit GNU/Linux system are at 10 000 to 1 , due to there content being more secure and valuable , wich usually end up with the exploiter failling and trying is luck with windows or mac os x systems. Where as with windows see lots of succesfull exploit that have almost zero attempt because they are sucessfull on first try.
Dell …
Acer …
Asus …
Distributions …
You meant in WorknMan failed bubble world and you also meant GNU/Linux professional , some of us do get paid and make a living at it … your on **OsNews**
No shit ! really ? You think with the number of failure and excuse you attempt to put on your GNU/Linux usage , anyone with half a brain cell is not able to see your full of shit , lying , using every distribution problems , astroturfing …
That’s because your completely incompetent and lying … You got internet , use Google for GNU/Linux books and GNU/Linux class , GNU/Linux support …
Sure , they all do …
I see your out on your usual flaming. Try to come up with some arguments with just a tad of reality. I do know it must be a big hurdle for you not to trashtalk someone who doesnt agree with you. But you could atleast try.
Sorry hamster it’s 2009 , I refuse to respond to your lies and nonsense and constant personnal attacks on myself. Your only point , when responding to one of my comments , is that I don’t have the right to post here and respond to anyone about anything.
As you proved in the past an adult and realistic discussion with you is impossible.
learn the mening of the big words you use. Then you would see that your going down the wrong path. But just for the fun of it i would like you to backup your claims. But as usual you wont.
Sorry hamster it’s 2009 , I refuse to respond to your lies and nonsense and constant personnal attacks on myself. Your only point , when responding to one of my comments , is that I don’t have the right to post here and respond to anyone about anything.
As you proved in the past an adult and realistic discussion with you is impossible.
As i wrote you wont or more likely cant supply anything. Hell you cant even behave like an adult. One could hope that the moderators soon will grow a pair and do with you as they did with notparker
Sorry hamster it’s 2009 , I refuse to respond to your lies and nonsense and constant personnal attacks on myself. Your only point , when responding to one of my comments , is that I don’t have the right to post here and respond to anyone about anything.
As you proved in the past an adult and realistic discussion with you is impossible. Thks for proving my point again …
Those people are living in the past, a past where the bad guys gave a shit a bout rooting your box and not much about your data. Those days are long gone. What’s more useful? Rooting a box or getting your passwords and creditcard numbers?
Rooting a box is more important ..
Why get 1 credit card and 1 identity when you can get 4-5 …
GNU/Linux box are also trusted with real data , hence if you root into them you got access to hundred of thousands if not million of user’s data.
We’re talking about the desktop here. Get it? How many users are typically using a desktop? One or two, typically, and usually that’s a family box. In such cases, getting root is far less important than getting to your data.
Now, data servers and the like are a different story entirely, and there the cracker may very well go after root access, depending on the use to which the server is put.
No , this thread here is bashing GNU/Linux for fiction and is about root access vs user access and lying that some fantasy non existing person said user data is uninportant as a linux geek.
Yes , I get it , I can see you clearly don’t.
4 in most american familly ( 2 parent , 2 children ) , in the rest of the world it depends on the size of the familly and where the computer is located.
Wrong , because familly of only 2 people are not the norm globally …
Wrong again , user access is a one time thing , thieves can get bank account data for one individual , credit card data for one individual , one personnal info set of data.
Where as with root , using your own wrong example of only 2 , you get 2 bank account data , 2 credit card data , 2 personnal info set of data. AND when they change them to something else , you can get at all of them again , indifinatelly. Also you can use the computer to break security code or break password , and use it as botnet in numbers attack. ETC …
OS Security and OS being secure is the same thing at all level.
Edited 2009-03-27 15:29 UTC
Meanwhile, in the real world, application servers still run as regular users (not root) and can be attacked like any other users data.
Of course you can argue that rooting the system gives you access to _more_ since it gives you access to everything including the user data, BUT how often do you find security-critical servers running more than one dedicated service? The confidentiality, integrity and availability of user data, unless your building a random botnet, should be the primary target of any attack. Regardless of whether we are talking about servers or desktop computers.
Truth is that most desktop computers running linux have a very limited amount of users…mostly just the one owning the computer. For servers it may vary, but where it matters its mostly just a single user account owning all the application data. The extra privileges gained through rooting is irrelevant compared with the user data. If people want root for the sake of “owning a system” they could just buy a $200 computer and make their own server these days. Its not like servers and internet connections cost a billion dollars anymore. Even Internet is free and untraceable these days as every neighborhood has that one moron with open wifi. So…give me one reason why I would target root rather than the single user account owing all the data?
Edited 2009-03-28 20:40 UTC
At what company do you work for or worked on an application server that ran as normal user ?
Can we meet face to face ? I am interested to know about your intrusion technique and your success rate ?
You won’t mind if I bring some friends , they will have questions too ?
”
I’ve been having this debate with people (especially Linux users) for years when they say that even if a Linux box was rooted, it wouldn’t matter because the attacker wouldn’t have complete access of the system.
”
If a unix like OS is “rooted” then it means root privileges so yes, one would have full access too the system. The difference is that you have to get root privileges. If it’s only a user account you broke, you haven’t “rooted” anything but you do have full access to anything that user has access too. I’d say, your friends and you are both partially right. Granted, any system can be badly configured to make gaining root/admin dead simple. With windows, that mostly means not keeping patches up to date. With unix like platforms, that mostly means configuration errors by the administrator.
”
Also, are people still going to insist that marketshare has absolutely nothing to do with the reason why Windows is exploited more?
”
Yes. Market share measures financial success not true usage numbers. It also does not measure the potential security of a system. What you can determine from it is that there are probably more attempts against Windows in markets where it is popular. It does not tell you how many of those attempts where successful. In the same way, markets where unix like platforms are the market majority share, that would suggest higher attempts against them but the evidence of successfull attempts is just not there. Somehow, unix like systems resist attempts more successfully than Windows systems. Again, I think it has much to do with user education since a Linux box can be configured wide open and a Windows box can be configured to be pretty hard to break into; these are not the default settings for each though.
I think the hype around blindly counting vulnerabilities and market share is about as ready to die as the myth that osX is invulnerable and Windows is complete swiss cheese regardless of hardening efforts by the admin.
(after sp2, winXP starts to offer some challenges, previous to that, it’s a 20 second breakin and extra few minutes to break the password hash dump)
Phuhck Charlie Miller. He sits on a vulnerability for a year as a sure thing so he could win yet another prize and show off his ‘1337 sKiLs’. So he basically sat around on his ass for a year and did NOTHING.
“In neither case did I get root/admin access. That would have required additional vulnerabilities. However, just running as the user is still very bad,”
So you get into a box as a ‘regular’ unprivileged user and you expect to accomplish just what? How would you ‘get root’ on the box after sitting around for a year thinking that you had it all sewn up and you couldn’t pull another vuln out of your hugely inflated ego. Maybe you’re not as ‘kEwL’ as you think, Charlie. The only things that his ‘uber-sploit’ shows is that it’s a bad idea for any software that connects to the ‘intarwebs’ to be integrated with the OS and that security ‘researchers’ like Charlie are egotistical mercenaries. Period.
I can’t agree that sitting on a known vulnerability for a year was a good thing but I’d say his NSA history and education in math trumps most of us here.
But just to make sure, your security and research credentials would be…
Security problem is a war, an attack-defense game. An anti-exploit feature is just like a barrier. You don’t account on a barrier to win a war! A war is won by the responsible time and determination of soldiers and commander, by the efficiency of the whole army system, not by a barrier.
That isn’t to say it is bad to have a barrier. But if your people is not idle, and they have other things more important than to building a barrier, let them do it rather than stop to build a barrier!
More important, ALSR and other anti-exploit features are relatively WEAK barrier. The purpose of a barrier is to buy you some time to kill the enemy that breaking the barrier. As to anti-exploit, you are completely blind if there is any enemy is breaking it, so you are not bought any time!
And on the other hand, security is a war but it is NOT a TOTAL war. You need your computer to do normal things rather than put all resource to secure it (otherwise you would simply turn it off). So when doing some normal things, anti-exploit features show their down-side by mess your executable image.
That’s I always say anti-exploit might be overestimated.
“The fact of the matter is that no grandma would ever be able to install an operating system by herself, whether that be Windows, Mac OS X, or Linux.”
Really? I think my mother (who is a grandmother) and is the IT department for her small non-profit would beg to differ. She’s installed Windows countless times at work, and at least twice at home.
And I think we’re fotgetting that with a lot of distros these days, if you’re just installing Linux to the whole drive, it’s actually easier than installing Windows.
My father can use Linux. He’s 60 and is the same age as many people’s grandfathers.
In fact, today he just painted some penguins and called the picture “Tux and Penny” – want to see?
http://www.flickr.com/photos/tram_painter
In the last thread people had some confusion about what security features are implemented in the present version of OS X. Full process randomization is not present, neither are nx-bits. As referenced here by the article:
“Charlie: The NX bit is very powerful.When used properly, it ensures that user-supplied code cannot be executed in the process during exploitation. Researchers (and hackers) have struggled with ways around this protection. ASLR is also very tough to defeat. This is the way the process randomizes the location of code in a process. Between these two hurdles, no one knows how to execute arbitrary code in Firefox or IE 8 in Vista right now. For the record, Leopard has neither of these features, at least implemented effectively.”
In the article Charlie goes on to say there is large difference in OS security and having security features in the OS. OS X implements non of these features effectively, but people feel safer since hackers at this time appear less interested in it. While the opposite is true of Vista.
Charlie Miller says that “…Leopard has neither of these features, at least implemented effectively”, which is not entirely true. In fact, for the record, Leopard has both of those features – [ http://www.usenix.org/event/lisa08/tech/hubbard_talk.pdf ]. The effectiveness of the particular implementation may be arguable but saying that Mac OS X has neither is absolutely misleading. And moreover these features are not be all, end all security features. There is a lot of inherent security in the Unix underpinnings of Mac OS X. And a good example of that is the fact that Miller’s hack didn’t get him root access. There may seem to be very little distinction between admin user access and root but in practice there is a world of difference. Until Vista there was no such distinction under Windows. It’s not all about perception.
Which is exactly what Miller said.
“I’d say that Macs are less secure for the reasons we’ve discussed here (lack of anti-exploitation technologies)”
“In the last thread people had some confusion about what security features are implemented in the present version of OS X. Full process randomization is not present, neither are nx-bits. As referenced here by the article:”
“For the record, Leopard has neither of these features, at least implemented effectively.”
Wrong!!! Miller is a zealot,
http://www.usenix.org/events/lisa08/tech/hubbard_talk.pdf
Saying that OS X does not have any anti-exploitation technologies is plain wrong, what, will you or Miller argue against Jordan Hubbard saying that OS X does?
Now there are quite few reasons why those features are not used by many applications on OS X right now, an example is that NX bit is only supported on 64 bits applications, and for compatibility reason with Tiger, 32 bits apps can not run with NX bit. And all apps are still compiled in 32 bits by default.
So i would say that everything should be settled with snow leopard as it is rumored to come standard with all applications compiled in 64 bits, so that we should see the security measures implemented in Leopard in action in a much visible manner.
The question is then not if OS X has anti-exploitation technologies but rather when applications will start to use them by default.
“Which is exactly what Miller said.”
Really! What i am saying is that he is only an expert on bashing on Apple.
And ironically, even if he tries to claim that OS X is less secure than windows because he does not have anti-exploitation technologies but windows does, the point is that windows failed to show that its implementation is effective anyway.
Yeah, Miller is an OS X basher…….who uses it as his main system (older MacBook) and recommends it for home users.
Did you read the interview? Guess not.
Well, for all the analysis, there is really only one broad security metric that matters. And that is the statistical one: If I choose this platform here and now, I will have a greater of lesser level of security breach problems. Assuming, for the sake of argument, that Microsoft really is doing a good job with security features, apparently even that is not good enough to offset the powerful, inherent security dangers that come, part and parcel, with a software monoculture. Would you rather be sitting comfortably in your living room, wearing a t-shirt and reading a magazine, or standing outside in the middle of a war zone wearing a really good bullet-proof vest? Sure, there *could* be a prowler outside your window. But in the war zone, you *know* the next artillery shell, or worse, is not far away.
All this analysys of the design of the t-shirt and of the bullet-proof vest really misses the point. Microsoft’s most basic security design decision has nothing to do with UAC or ACLs. Their most basic security decision was to try to support a large software monoculture. And clearly that has not worked, regardless of how good or bad their defenses are. In fact, the argument is even stronger if you assume that their current defenses are strong. At least in the other case one could argue that they just need to improve their defenses.
“So i would say that everything should be settled with snow leopard as it is rumored to come standard with all applications compiled in 64 bits, so that we should see the security measures implemented in Leopard in action in a much visible manner.”
This argument is logical non-sense.
Irrespective of if things should, could, would be settled with a *future* release of OS X does not make this *current* release anymore secure – shitty implementation/defaults are still shitty. This is akin to going around telling people, “hey buy vista because windows7 is going to have cool features.”
Probably he thinks it, judging by the general tone of the interview, but he doesn’t look to be saying it, judging by his actual comments, like:
and
These comments leave the impression that NX bit and ASLR are what distinguishes a secure OS from and insecure one, that, since it lack them, Leopard is an insecure OS , and that the current perception that Mac OS X is secure is just a result of it being rarely targeted. Neither of which is true.
And look, I’m not saying he is entirely wrong. Actually, if you assemble the nuggets of info he drops here and there together he is very much right. But he says it in a way that is meant to draw attention towards him (and produces much discussed and therefore page hit producing articles and interviews) rather than drawing an accurate picture of the state of things (the picture being – in Leopard, for backwards compatibility reasons, 32 bit applications have only NX protected stack, which historically is the most common vector for buffer overflow exploits, while the full non-execute XOR protection is applied only to 64 bit apps, and since Safari is run as a 32 bit process his heap overflow worked).
Probably he thinks it, judging by the general tone of the interview, but he doesn’t look to be saying it, judging by his actual comments, like:
and
These comments leave the impression that NX bit and ASLR are what distinguishes a secure OS from and insecure one, that, since it lack them, Leopard is an insecure OS , and that the current perception that Mac OS X is secure is just a result of it being rarely targeted. Neither of which is true.
And look, I’m not saying he is entirely wrong. Actually, if you assemble the nuggets of info he drops here and there together he is very much right. But he says it in a way that is meant to draw attention towards him (and produces much discussed and therefore page hit producing articles and interviews) rather than drawing an accurate picture of the state of things (the picture being – in Leopard, for backwards compatibility reasons, 32 bit applications have only NX protected stack, which historically is the most common vector for buffer overflow exploits, while the full non-execute XOR protection is applied only to 64 bit apps, and since Safari is run as a 32 bit process his heap overflow worked). [/q]
Which hopefully will change for Snow Leopard. Hopefully by next year we’ll be able to see what Miller does with Snow Leopard.
“There is a lot of inherent security in the Unix underpinnings of Mac OS X. And a good example of that is the fact that Miller’s hack didn’t get him root access.”
So what your saying is if a hacker keyloggs your credit info and passwords as a normal user account you should feel better about yourself than if the hacker were to do it from a root account?
You completely miss the point of COMPARISON. When someone says one thing is better, you insist it is bad by ignoring there is all WORSE otherwise. You should learn that a computer is by no way totally secured and everything is about trade-off. So what your saying is if a hacker keyloggs your credit info and passwords as a normal user account you AND his play a root account and do other things?
…Or maybe I should say ‘all bugs are bugs’ but not all bugs are tragic ‘exploits’. personally I am glad to see OS X come under scrutiny. And as I have said before people will not read news like ‘how to…’ fix the OS or ‘Security is…’ or when me and my Mac loving comrades say ‘Well it just works…’ that last part comes off a whole lot of smarmy. – It is a case of “dog bites man – ‘not news’ and man bites dog ‘now that’s news’.”
Now I have heard it said that hackers don’t exploit OS X b/c it is not popular. Or that The time is coming when… etc but fact of the matter is that OS X and most *nixes are “basically” secure, or fundamentally different than windows version of “new and improved” secure. This cycle is inherently iterative. One exploit is built on another. So maybe in Windows, one fix exposes another or two or three that are turnkey and exploitable. But in the *nixes (+Mac OS X) and so forth these exploits are not marketable.
In one world you are vulnerable until proven hardened and secure, and on the *nixes an exploit seems to require that the user actively do something, while un patched and then doing two or three actions that require more silly action. IT IS Similar to the old activeX exploit of the Click here to install this… (blah blah blah signed by) Install Me Now! (blah blah blah default button ) OK. That is not as much of a bug as just kicking it on the web and <bam> getting owned hard.
Now you do not have to care what I think… I am waiting until 4/1 where ‘laundry’ is on my calendar and ‘fix conficker’ is the Windows version of me (Bizarro-Dest version)