Following both Pwn2Own contests, numerous sensationalist headlines played up the idea that a Mac had been "cracked in seconds," conspicuously neglecting to mention what Miller called "the many days doing research and writing the exploit before the day of the competition," enabling him to discover the bugs and develop a way to successfully exploit them on the first try at the event.
Macs less secure, more safe
In an interview with Tom's Hardware, Miller stated, "I'd say that Macs are less secure for the reasons we've discussed here (lack of anti-exploitation technologies) but are more safe because there simply isn't much malware out there. For now, I'd still recommend Macs for typical users as the odds of something targeting them are so low that they might go years without seeing any malware, even though if an attacker cared to target them it would be easier for them."
Miller also offered some suggestions for users. "For all operating systems, make sure you keep your system up to date. Thats the best thing you can do. On a PC, I'd recommend running some AV software to help clean up when things go bad. Otherwise, just be smart, pay attention, and hope for the best. It is possible to really lock down your computer (running noscript for example) and make it safer, but in my opinion its not worth the trouble and the loss of functionality you experience."
Mac security software not recommended
When asked whether having outgoing firewalls, anti-spyware or anti-malware software, or not being logged in as a root user would have done anything to limit the extent of the exploits on the Mac that he demonstrated at the last two security events, Miller said, "None of those protections would have probably worked, or at least there were potential workarounds. The best thing the user could have done is not click on the malicious link. Of course, in some cases such as a man-in-the-middle attack, even this wouldn't have helped."
While neither of the exploits gained root access, Miller pointed out that "just [cracking into] running as the user is still very bad. I could have still watched keystrokes as you went to an online bank, read your calendar and address book, sent emails, etc. In real life, one or all of these things would have occurred."
No market for Mac malware
Repeating comments he made earlier, Miller noted that "Mac bugs arent really valuable," pointing out that while the CanSecWest award of a new Mac notebook and the $5,000 "is a lot of money, its really not that much when you consider what a bad guy could make with an exploit for an unknown vulnerability in, say, IE 8 running on Vista."
In a separate interview, Miller estimated that a researcher with an exploitable Windows vulnerability "could easily get $50,000 for that vulnerability. Id say $50,000 is a low-end price point." The huge difference in vulnerability valuations between the Mac and Windows reflect the fact that there is no demand for creating malware on the Mac.
This winter Gregg Keizer wrote about Miller in Computerworld: "Criticizing security software for its cost both in dollars and in the processor cycles it consumes Miller admitted that he doesnt bother running any on his Macs. 'I dont think it protects me as well as it says,' he argued. 'If I was worried about attacks, I would use it, but Im not worried.'"
At the time, Miller had taken Apple to task for recommending in a support document that Mac users consider installing antivirus software. Computerworld said Miller pooh-poohed Apples recommendation using the same logic as many longtime [Mac] users," and quoting Miller as saying, "Windows has 90% of the market, but [attackers] give it 100% of their time."
Vista's NX and ASLR malware counter-measures
While tech journalists and security vendors have been confidently announcing that the increasing popularity of Apple's Macs would eventually create a market for Mac malware, those warnings haven't materialized since they got started around 2003, just as Microsoft's efforts to ship what would become Windows Vista started to derail due to an epidemic of malware tainting Windows XP.
Microsoft was forced to start over with Vista several times and was distracted by the need to address immediate security problems in Windows XP. That resulted in Vista being delayed until the beginning of 2007. Once it did arrive, Vista introduced sophisticated new measures to make it more difficult for malicious crackers to inject code.
One is support for the CPU's NX bit, which allows a process to mark certain areas of memory as "Non-eXecutable" so the CPU will not run any code stored there. This is referred to as "executable space protection," and helps to prevent malicious code from being surreptitiously loaded into a program's data storage and subsequently executed to gain access to the same privileges as the program itself, an exploit known as a "buffer overflow attack."
A second security practice of Vista is "address space layout randomization" or ASLR, which is used to load executables, and the system libraries, heap, and stack into a randomly assigned location within the address space, making it far more difficult for crackers to know where to find vulnerabilities they can attack, even if they know what the bugs are and how to exploit them.
Miller told Tom's Hardware "the NX bit is very powerful. When used properly, it ensures that user-supplied code cannot be executed in the process during exploitation. Researchers (and hackers) have struggled with ways around this protection. ASLR is also very tough to defeat. This is the way the process randomizes the location of code in a process. Between these two hurdles, no one knows how to execute arbitrary code in Firefox or IE 8 in Vista right now. For the record, Leopard has neither of these features, at least implemented effectively. In the exploit I won Pwn2Own with, I knew right where my shellcode was located and I knew it would execute on the heap for me."
Snow Leopard security
While Apple did implement some support for NX and ASLR in Mac OS X, Leopard retains dyld, (the dynamic loader responsible for loading all of the frameworks, dylibs, and bundles needed by a process) in the same known location, making it relatively trivial to bypass its ASLR. This is slated to change later this year in Snow Leopard.
With the much larger address space available to 64-bit binaries, Snow Leopard's ASLR will make it possible to hide the location of loaded code like a needle in a haystack, thwarting the efforts of malicious attackers to maintain predictable targets for controlling the code and data loaded into memory. Without knowing what addresses to target, the "vast majority of these exploits will fail," another security expert who has also won a high profile Mac cracking contest explained to AppleInsider.
The future of malware
That indicates that long before the Mac installed base becomes large enough to become attractive to the kinds of malicious attacks that pundits have long anticipated, Apple will close off the remaining points of access for exploiting Mac OS X just as Microsoft has done with Vista. The main difference will be that Mac users are more likely to quickly adopt Snow Leopard this year after it is released. Of course, Mac OS X already has other security features that prevent the easy installation of difficult to remove malware.
In contrast, after more than two years since its launch Vista adoption is still well below a third of the Windows active installed base, leaving far greater exposure for PC users and a vibrant market for Windows malware that's unlikely to go away anytime soon.
Additionally, the vast majority of netbooks, the only segment of the shrinking PC market that analysts see any hope for growth in, continue to run Windows XP rather than Vista. Microsoft hopes to get its new version of the Vista operating system, called Windows 7, running on netbooks some point this year after it is released for desktop and full sized notebook users.
Mac versus iPhone security
Despite having some of the same Safari-related vulnerabilities as the Mac, the iPhone was not exploited during the CanSecWest contest, even though the contest held out a $10,000 prize for cracking smartphones, double that offered for cracking desktop systems.
Speaking of an exploit that a researcher had successfully used against Safari on the Mac, Terri Forslof, manager of security response at 3Com Inc.'s TippingPoint security group, told Computerworld, "People wondered why wouldn't it work on the iPhone, why didn't he go for the $10,000. The vulnerability is absolutely there, but it's a lot tougher to exploit on the iPhone."
The article also apparently cited Forslof in saying, "'There was an exploit at the show that could have broken the iPhone,' said. [sic] 'But the researcher said that the $10,000 wasn't enough to part with that level of vulnerability.'" That indicates that there is a market for iPhone vulnerabilities (at least more than on the Mac desktop), but that those bugs are also harder to discover and successfully exploit.
The article also said that "in some cases TippingPoint wasn't able to pin down the exact phone or operating system version early enough to give researchers the lead time they needed to work up an exploit of a vulnerability they might have already uncovered," further shaming the "cracked in seconds" headlines applied to the Mac cracks, as if those successful attacks had been invented and performed at the event Hollywood-style in moments.
Computerworld also reported that that "one researcher had prepared an exploit for a vulnerability on a BlackBerry Touch emulator, but the BlackBerry model used in the contest was the Bold. 'There was enough difference [between the two] that his exploit wasn't working,' Forslof said."