Pwn2Own contest winner: Macs are safer than Windows

Posted in General Discussion, edited January 2014
Charlie Miller, the security expert who won both this and last year's CanSecWest Pwn2Own security contests by exploiting Macs running Safari, repeated in an interview that he'd recommend Macs to typical users as a safer alternative to Windows PCs.



Following both Pwn2Own contests, numerous sensationalist headlines played up the idea that a Mac had been "cracked in seconds," conspicuously neglecting to mention what Miller called "the many days doing research and writing the exploit before the day of the competition," enabling him to discover the bugs and develop a way to successfully exploit them on the first try at the event.



Macs less secure, more safe



In an interview with Tom's Hardware, Miller stated, "I'd say that Macs are less secure for the reasons we've discussed here (lack of anti-exploitation technologies) but are more safe because there simply isn't much malware out there. For now, I'd still recommend Macs for typical users as the odds of something targeting them are so low that they might go years without seeing any malware, even though if an attacker cared to target them it would be easier for them."



Miller also offered some suggestions for users. "For all operating systems, make sure you keep your system up to date. That's the best thing you can do. On a PC, I'd recommend running some AV software to help clean up when things go bad. Otherwise, just be smart, pay attention, and hope for the best. It is possible to really lock down your computer (running noscript for example) and make it safer, but in my opinion it's not worth the trouble and the loss of functionality you experience."



Mac security software not recommended



When asked whether having outgoing firewalls, anti-spyware or anti-malware software, or not being logged in as a root user would have done anything to limit the extent of the exploits on the Mac that he demonstrated at the last two security events, Miller said, "None of those protections would have probably worked, or at least there were potential workarounds. The best thing the user could have done is not click on the malicious link. Of course, in some cases such as a man-in-the-middle attack, even this wouldn't have helped."



While neither of the exploits gained root access, Miller pointed out that "just [cracking into] running as the user is still very bad. I could have still watched keystrokes as you went to an online bank, read your calendar and address book, sent emails, etc. In real life, one or all of these things would have occurred."



No market for Mac malware



Repeating comments he made earlier, Miller noted that "Mac bugs aren't really valuable," pointing out that while the CanSecWest award of a new Mac notebook and the $5,000 "is a lot of money, it's really not that much when you consider what a bad guy could make with an exploit for an unknown vulnerability in, say, IE 8 running on Vista."



In a separate interview, Miller estimated that a researcher with an exploitable Windows vulnerability "could easily get $50,000 for that vulnerability. I'd say $50,000 is a low-end price point." The huge difference in vulnerability valuations between the Mac and Windows reflects the fact that there is no demand for creating malware on the Mac.



This winter Gregg Keizer wrote about Miller in Computerworld: "Criticizing security software for its cost, both in dollars and in the processor cycles it consumes, Miller admitted that he doesn't bother running any on his Macs. 'I don't think it protects me as well as it says,' he argued. 'If I was worried about attacks, I would use it, but I'm not worried.'"



At the time, Miller had taken Apple to task for recommending in a support document that Mac users consider installing antivirus software. Computerworld said Miller "pooh-poohed Apple's recommendation using the same logic as many longtime [Mac] users," and quoted Miller as saying, "Windows has 90% of the market, but [attackers] give it 100% of their time."



Vista's NX and ASLR malware counter-measures



While tech journalists and security vendors have been confidently announcing that the increasing popularity of Apple's Macs would eventually create a market for Mac malware, those warnings, which began around 2003, haven't materialized. That was also the point at which Microsoft's efforts to ship what would become Windows Vista started to derail due to an epidemic of malware tainting Windows XP.



Microsoft was forced to start over with Vista several times and was distracted by the need to address immediate security problems in Windows XP. That resulted in Vista being delayed until the beginning of 2007. Once it did arrive, Vista introduced sophisticated new measures to make it more difficult for malicious crackers to inject code.



One is support for the CPU's NX bit, which allows a process to mark certain areas of memory as "Non-eXecutable" so the CPU will not run any code stored there. This is referred to as "executable space protection," and helps prevent code that has been surreptitiously written into a program's data storage, typically by way of a "buffer overflow attack," from subsequently being executed with the same privileges as the program itself.



A second security measure in Vista is "address space layout randomization," or ASLR, which loads executables, the system libraries, the heap, and the stack at randomly assigned locations within the address space. That makes it far more difficult for crackers to know where the code and data they need to target are located, even if they know what the bugs are and how to exploit them.



Miller told Tom's Hardware "the NX bit is very powerful. When used properly, it ensures that user-supplied code cannot be executed in the process during exploitation. Researchers (and hackers) have struggled with ways around this protection. ASLR is also very tough to defeat. This is the way the process randomizes the location of code in a process. Between these two hurdles, no one knows how to execute arbitrary code in Firefox or IE 8 in Vista right now. For the record, Leopard has neither of these features, at least implemented effectively. In the exploit I won Pwn2Own with, I knew right where my shellcode was located and I knew it would execute on the heap for me."
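As an added example (not code from the article, from Miller, or from Apple or Microsoft), the following C program audits a running Linux process for the two protections just discussed. It parses /proc/self/maps to flag any region that is both writable and executable, which is exactly what NX / executable space protection is meant to rule out, and separately reports an executable stack or heap; it then reads the kernel's randomize_va_space setting to report whether ASLR is in force, and prints a few addresses so that two runs can be compared. The sample maps listings embedded in the block are constructed, not captured from any real machine, and the file path, function names and struct name are my own. It generalizes beyond the Vista browser case in the text to any Linux process.

```c
/* Added example: Linux self-audit for NX (W^X) and ASLR. Not code from the
 * article, from Miller, or from any OS vendor. Sample listings below are
 * constructed for illustration. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_LINE 512

typedef struct {
    int regions;     /* region lines parsed */
    int wx_regions;  /* regions carrying both 'w' and 'x' (W^X violations) */
    int exec_stack;  /* 1 if the region named [stack] is executable */
    int exec_heap;   /* 1 if the region named [heap] is executable */
} map_audit;

/* Fold one maps line, e.g.
 * "7ffd1c000000-7ffd1c021000 rw-p 00000000 00:00 0   [stack]",
 * into the audit. Returns 1 if the line described a region. */
static int audit_line(const char *line, map_audit *a)
{
    unsigned long start, end;
    char perms[8] = "", name[256] = "";
    /* fields: start-end perms offset dev inode [pathname] */
    int n = sscanf(line, "%lx-%lx %7s %*x %*s %*u %255s",
                   &start, &end, perms, name);
    if (n < 3 || end <= start)
        return 0;
    int w = strchr(perms, 'w') != NULL;
    int x = strchr(perms, 'x') != NULL;
    a->regions++;
    if (w && x)
        a->wx_regions++;
    if (x && strcmp(name, "[stack]") == 0)
        a->exec_stack = 1;
    if (x && strcmp(name, "[heap]") == 0)
        a->exec_heap = 1;
    return 1;
}

/* Audit a newline-separated maps listing held in memory. */
map_audit audit_maps_text(const char *text)
{
    map_audit a = {0, 0, 0, 0};
    char line[MAX_LINE];
    while (*text) {
        const char *nl = strchr(text, '\n');
        size_t len = nl ? (size_t)(nl - text) : strlen(text);
        size_t copy = len < sizeof line ? len : sizeof line - 1;
        memcpy(line, text, copy);
        line[copy] = '\0';
        audit_line(line, &a);
        text += len + (nl ? 1 : 0);
    }
    return a;
}

/* Audit the running process. Returns -1 where /proc/self/maps is absent
 * (for example on Mac OS X, which has no procfs). */
int audit_self(map_audit *out)
{
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f)
        return -1;
    map_audit a = {0, 0, 0, 0};
    char line[MAX_LINE];
    while (fgets(line, sizeof line, f))
        audit_line(line, &a);
    fclose(f);
    *out = a;
    return 0;
}

/* Kernel ASLR policy: 0 = off, 1 = stack/mmap/VDSO randomized, 2 = heap
 * (brk) randomized as well. Returns -1 if the sysctl is unavailable. */
int aslr_setting(void)
{
    FILE *f = fopen("/proc/sys/kernel/randomize_va_space", "r");
    if (!f)
        return -1;
    int v = -1;
    if (fscanf(f, "%d", &v) != 1)
        v = -1;
    fclose(f);
    return v;
}

/* Constructed sample listings (not captured from any real machine). */
const char SAMPLE_WEAK[] =
    "00400000-00401000 r-xp 00000000 08:01 1234 /usr/bin/demo\n"
    "00600000-00601000 rw-p 00000000 08:01 1234 /usr/bin/demo\n"
    "01000000-01021000 rw-p 00000000 00:00 0 [heap]\n"
    "7ffc0000-7ffc2000 rwxp 00000000 00:00 0 [stack]\n";  /* executable stack */
const char SAMPLE_HARDENED[] =
    "00400000-00401000 r-xp 00000000 08:01 1234 /usr/bin/demo\n"
    "00600000-00601000 rw-p 00000000 08:01 1234 /usr/bin/demo\n"
    "01000000-01021000 rw-p 00000000 00:00 0 [heap]\n"
    "7ffc0000-7ffc2000 rw-p 00000000 00:00 0 [stack]\n";

int main(void)
{
    map_audit a;
    if (audit_self(&a) != 0) {
        puts("no /proc/self/maps here; this audit needs Linux");
        return 1;
    }
    printf("regions %d, writable+executable %d, exec stack %d, exec heap %d\n",
           a.regions, a.wx_regions, a.exec_stack, a.exec_heap);
    printf("kernel randomize_va_space = %d\n", aslr_setting());
    /* Run the program twice: with ASLR on, these addresses should differ. */
    int local = 0;
    void *heap = malloc(16);
    printf("stack %p  heap %p  code %p\n", (void *)&local, heap,
           (void *)(uintptr_t)audit_self);
    free(heap);
    return 0;
}
```

Build with `cc -o memaudit memaudit.c` and run it twice: a hardened process shows zero writable+executable regions, an exec stack and exec heap of 0, a randomize_va_space of 2, and stack, heap and code addresses that change between runs. A stack region with permissions `rwxp`, as in the constructed SAMPLE_WEAK listing, is the condition Miller describes for Leopard, where injected data on the heap or stack could simply be executed.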



Snow Leopard security



While Apple did implement some support for NX and ASLR in Mac OS X, Leopard retains dyld (the dynamic loader responsible for loading all of the frameworks, dylibs, and bundles needed by a process) in the same known location, making it relatively trivial to bypass its ASLR. This is slated to change later this year in Snow Leopard.



With the much larger address space available to 64-bit binaries, Snow Leopard's ASLR will make it possible to hide the location of loaded code like a needle in a haystack, thwarting the efforts of malicious attackers to maintain predictable targets for controlling the code and data loaded into memory. Without knowing what addresses to target, the "vast majority of these exploits will fail," another security expert who has also won a high profile Mac cracking contest explained to AppleInsider.



The future of malware



That indicates that long before the Mac installed base becomes large enough to become attractive to the kinds of malicious attacks that pundits have long anticipated, Apple will close off the remaining points of access for exploiting Mac OS X just as Microsoft has done with Vista. The main difference will be that Mac users are more likely to quickly adopt Snow Leopard this year after it is released. Of course, Mac OS X already has other security features that prevent the easy installation of difficult-to-remove malware.



In contrast, after more than two years since its launch Vista adoption is still well below a third of the Windows active installed base, leaving far greater exposure for PC users and a vibrant market for Windows malware that's unlikely to go away anytime soon.



Additionally, the vast majority of netbooks, the only segment of the shrinking PC market in which analysts see any hope for growth, continue to run Windows XP rather than Vista. Microsoft hopes to get its new version of the Vista operating system, called Windows 7, running on netbooks at some point this year after it is released for desktop and full-sized notebook users.



Mac versus iPhone security



Despite having some of the same Safari-related vulnerabilities as the Mac, the iPhone was not exploited during the CanSecWest contest, even though the contest held out a $10,000 prize for cracking smartphones, double that offered for cracking desktop systems.



Speaking of an exploit that a researcher had successfully used against Safari on the Mac, Terri Forslof, manager of security response at 3Com Inc.'s TippingPoint security group, told Computerworld, "People wondered why wouldn't it work on the iPhone, why didn't he go for the $10,000. The vulnerability is absolutely there, but it's a lot tougher to exploit on the iPhone."



The article also apparently cited Forslof in saying, "'There was an exploit at the show that could have broken the iPhone,' said. [sic] 'But the researcher said that the $10,000 wasn't enough to part with that level of vulnerability.'" That indicates that there is a market for iPhone vulnerabilities (at least more than on the Mac desktop), but that those bugs are also harder to discover and successfully exploit.



The article also said that "in some cases TippingPoint wasn't able to pin down the exact phone or operating system version early enough to give researchers the lead time they needed to work up an exploit of a vulnerability they might have already uncovered," further shaming the "cracked in seconds" headlines applied to the Mac cracks, as if those successful attacks had been invented and performed at the event Hollywood-style in moments.



Computerworld also reported that "one researcher had prepared an exploit for a vulnerability on a BlackBerry Touch emulator, but the BlackBerry model used in the contest was the Bold. 'There was enough difference [between the two] that his exploit wasn't working,' Forslof said."

Comments

  • Reply 1 of 40
    macosxp (Posts: 152, member)
    I disagree with the statement that Macs, even though safer, are less secure. Are you telling me that with 10% of the market share, not a single virus-writer bothered to have some fun to make a Mac virus? The statement would be false, as evidenced by the fact that Linux has had several viruses written for it, proof-of-concept or otherwise, and its market share is about a tenth as large as that of Mac OS X.



    No. There are other reasons. For one, you have to type in a password to make any system changes or install software. And for another, the UNIX operating system simply has fewer holes than Windows NT.
  • Reply 2 of 40
    mj web (Posts: 918, member)
    Hats off to Charlie Miller and AI for succinctly summing up the current state of Windows/OS X security in a nutshell.



    Enough with the metaphors, already!
  • Reply 3 of 40
    My only criticism of what appears to have been an otherwise very well written article was dubbing Windows 7 as the "next version of the Vista operating system" instead of the "next version of the Windows operating system".



    Certainly nobody would have called Mac OS X Leopard the "next version of the Tiger operating system".
  • Reply 4 of 40
    archer75 (Posts: 204, member)
    It's a good article. I hope people actually read it all the way through before making stupid comments.
  • Reply 5 of 40
    No viruses, no spyware - 2.5 years - no problems.
  • Reply 6 of 40
    It's Mac! Apple's platform is perfect and impenetrable! Any alternate theory to this iron-clad truth just doesn't compute. This guy is a liar! I know better than he does, because I'm a Mac user!



    etc, etc.



    Quote (originally posted by archer75):


    It's a good article. I hope people actually read it all the way through before making stupid comments.



  • Reply 7 of 40
    copeland (Posts: 298, member)
    No viruses, no spyware - 20 years - no problems.

    I know there were some viruses for the classic Mac OS, but never used

    AV software and never got hit by a virus.



    Now I am working as a locked down user.

    Rarely using the administrator account, and when I use the admin account

    I don't use teh Intarweb.

  • Reply 8 of 40
    So he says they are safer due to a smaller userbase. He also states that, security-wise, if somebody wanted to, it's easier to write malware and viruses for Macs.



    So if macs get more market share then it will be more and more likely to get targeted.



    So I wouldn't really say they are safer. It's like saying the Sun can't explode because it hasn't yet.
  • Reply 9 of 40
    lkrupp (Posts: 10,557, member)
    "In a separate interview, Miller estimated that a researcher with an exploitable Windows vulnerability "could easily get $50,000 for that vulnerability. I’d say $50,000 is a low-end price point." The huge difference in vulnerability valuations between the Mac and Windows reflect the fact that there is no demand for creating malware on the Mac."



    So this low-life son-of-a-bitch finally admits that "researchers" sell exploits to the bad guys. So much for the so-called altruistic motives of these slimy worms. If it can be proven that someone like Miller offered his exploit for sale he should be prosecuted and thrown in jail. He's no different than an arms dealer selling guns to the Mexican drug cartels.
  • Reply 10 of 40
    nagromme (Posts: 2,834, member)
    Too often, people discuss two separate (sometimes related) security issues as if they are the same thing: a hacker manually attacking one machine, vs. mass malware attacks. They're not the same. Individuals have sat down and hacked into individual target Macs many times, and they will again. Every OS will always have bugs left to catch. But nobody has ever made a successful self-spreading Internet virus or worm for OS X. As a result, saying that it's easy to do so is somewhat empty talk--year after year. (I do believe the day will come--but I've kept fearing that since 2001 and nothing has happened. When it does, I expect it to be quickly understood and stamped out.)



    Quote (originally posted by lkrupp):


    "In a separate interview, Miller estimated that a researcher with an exploitable Windows vulnerability "could easily get $50,000 for that vulnerability. I’d say $50,000 is a low-end price point." The huge difference in vulnerability valuations between the Mac and Windows reflect the fact that there is no demand for creating malware on the Mac."



    So this low-life son-of-a-bitch finally admits that "researchers" sell exploits to the bad guys. So much for the so-called altruistic motives of these slimy worms. If it can be proven that someone like Miller offered his exploit for sale he should be prosecuted and thrown in jail. He's no different than an arms dealer selling guns to the Mexican drug cartels.



    Why do you assume ALL researchers are criminals just because SOME are? And why are you sure Miller is a criminal? Just because a cop knows the price of heroin doesn't mean he's a drug dealer. Most security researchers do nothing but good, even if they know the price of a Windows vulnerability.



    After reading this, YOU now know the price is $50,000+. Does that make you a criminal?



    P.S. Miller does use some hyperbole: "no" demand for Mac malware is an awfully extreme statement. I'd go with "much less." The Mac-using demographic is worthy of attack, and the prestige of a successful widespread Mac malware attack IS worth something to some people.
  • Reply 11 of 40
    djames42 (Posts: 298, member)
    Quote (originally posted by macosxp):


    I disagree with the statement that Macs, even though safer, are less secure. Are you telling me that with 10% of the market share, not a single virus-writer bothered to have some fun to make a Mac virus? The statement would be false, as evidenced by the fact that Linux has had several viruses written for it, proof-of-concept or otherwise, and its market share is about a tenth as large as that of Mac OS X.



    No. There are other reasons. For one, you have to type in a password to make any system changes or install software. And for another, the UNIX operating system simply has fewer holes than Windows NT.



    I agree when it comes to viruses, and most likely with spyware/malware. The spyware/malware issue seems to primarily affect IE users due to its support of the über-security compromised ActiveX control (which is why I always tell people to use IE only if they have to access a site that requires it, and also to not use software such as Windows Media Player, because it allows for embedded IE).



    However, the ability to have a malicious website insert executable code could still allow an attack of sorts, particularly of the type mentioned here (a keylogger for example quite probably would not need an administrative password to run for the currently logged in user).



    I'm not aware of any Linux-based viruses. I would think they would be just as difficult to implement as a MacOS-based virus for exactly the same reasons. I'm sure there are trojans and worms out there, just as there are for the Mac. And just as those for the Mac, they would most likely require some sort of user intervention (hey, double-click this file that looks like it might be a picture but really is code), and wouldn't be able to affect system files or processes without an admin password.



    I believe Windows has generally been more susceptible because most users use a single login account which is a member of the Administrators group, and as such, has full rein of the system. Additionally, its monolithic kernel has allowed some level of communication between so-called user and system processes.
  • Reply 12 of 40
    alfiejr (Posts: 1,524, member)
    so Miller did not get root access with his attack, even though the Mac was running in Admin mode. he is right of course that he could still steal information, spoof emails, and invade/erase a user's files. but that is not turning the Mac into a bot like the Conficker worm does to PCs with no individual effort needed. it's a focused one-at-a-time attack that is labor intensive and slow to reward. the NSA might do it to spy on you, but for a crook phishing is a lot easier way to steal someone's bank account info quick (i get about one sophisticated phish email a month).



    no doubt with more effort on that individual Mac he could then crack the password(s) that would finally give him total root control of the computer and install any programs and do anything (most consumers use relatively simple pw's). but crooks aren't going to go through that much extra work with a single random consumer just to set up a single bot unit or look for financial info hit-and-miss (although business computers with lots and lots of money in their accounts to access are a whole other matter ...).



    all of which adds up to the Mac's practical security advantage. it's not just the market share, it is the inefficient (for the crook) extra trouble it takes. we'll see in a few months what Snow Leopard does for its improved technical security. and next wednesday we'll see what the Conficker bots do to everyone else.
  • Reply 13 of 40
    Quote (originally posted by lfmorrison):


    My only criticism of what appears to have been an otherwise very well written article was dubbing Windows 7 as the "next version of the Vista operating system" instead of the "next version of the Windows operating system".



    Certainly nobody would have called Mac OS X Leopard the "next version of the Tiger operating system".



    He may have been referring to the fact that Windows "7" (in reality, Windows 6.1) is an update to Vista (6.0).



    Quote (originally posted by majortom1981):


    So he says they are safer due to a smaller userbase. He also states that, security-wise, if somebody wanted to, it's easier to write malware and viruses for Macs.



    So if macs get more market share then it will be more and more likely to get targeted.



    So I wouldn't really say they are safer. It's like saying the Sun can't explode because it hasn't yet.



    Please refer to:



    Quote (originally posted by archer75):


    It's a good article. I hope people actually read it all the way through before making stupid comments.







    Quote (originally posted by djames42):


    I'm not aware of any Linux-based viruses. I would think they would be just as difficult to implement as a MacOS-based virus for exactly the same reasons. I'm sure there are trojans and worms out there, just as there are for the Mac. And just as those for the Mac, they would most likely require some sort of user intervention (hey, double-click this file that looks like it might be a picture but really is code), and wouldn't be able to affect system files or processes without an admin password.



    While I can't speak from the point of view of an actual Linux user, my first thought would be that Linux might actually be harder to exploit due to the extreme fragmentation of window managers, applications, drivers, and other underlying frameworks that is inherent to the Linux world. You could uncover an exploitable bug in KDE, but that'd still leave out all the people using Gnome, Xfce, etc. etc. etc.
  • Reply 14 of 40
    solipsism (Posts: 25,726, member)
    Quote (originally posted by copeland):


    No viruses, no spyware - 20 years - no problems.

    I know there were some viruses for the classic Mac OS, but never used

    AV software and never got hit by a virus.



    This is why I don't buy the "security through obscurity" argument. Pre-Mac OS X had viruses and yet the marketshare was significantly smaller and there was no widespread internet to help propagate viruses. Now with 10% of computers in the US being Macs and over 60% of $1000+ PCs being Macs (i.e. people with money to burn) it makes no sense that there are considerably fewer viruses (including weak proof-of-concepts) for that argument to work.
  • Reply 15 of 40
    djames42 (Posts: 298, member)
    Quote (originally posted by Alfiejr):


    no doubt with more effort on that individual Mac he could then crack the password(s) that would finally give him total root control of the computer and install any programs and do anything (most consumers use relatively simple pw's). but crooks aren't going to go through that much extra work with a single random consumer just to set up a single bot unit or look for financial info hit-and-miss (although business computers with lots and lots of money in their accounts to access are a whole other matter ...).



    I'm guessing that would be very difficult. The passwords stored in the netinfo database files are readable only by root. One would have to get root access first before they could then gain access to the password hashes.
  • Reply 16 of 40
    Quote (originally posted by Shunnabunich):


    He may have been referring to the fact that Windows "7" (in reality, Windows 6.1) is an update to Vista (6.0).



    Well, sure. But in that sense, Windows XP (in reality Windows 5.1) was an update to Windows 2000 (in reality, 5.0). And then so was Windows Server 2003 (in reality Windows 5.2).



    To look at it from the other side of the fence, Mac OS X version 10.3.0 was called Panther. The next version of Panther was version 10.3.1. On the other hand, the next version of Mac OS X was version 10.4.0, called Tiger.



    Microsoft generally labels such minor updates as "Service Packs".
  • Reply 17 of 40
    Quote (originally posted by lfmorrison):


    Well, sure. But in that sense, Windows XP (in reality Windows 5.1) was an update to Windows 2000 (in reality, 5.0). And then so was Windows Server 2003 (in reality Windows 5.2).



    To look at it from the other side of the fence, Mac OS X version 10.3.0 was called Panther. The next version of Panther was version 10.3.1. On the other hand, the next version of Mac OS X was version 10.4.0, called Tiger.



    Microsoft generally labels such minor updates as "Service Packs".



    No disagreement there, although I might add that neither XP nor 2003 was intended to mislead consumers about the version number to artificially inflate the sense of "advancement", the way 7 is. 2003 refers to the year, like Windows 95 and 98 did, and XP was just a name (perhaps they were tired of using years for everything). So perhaps Dan just felt it bore pointing out. Apple didn't call OS 10.1 "Mac OS 11", they called it 10.1. But anyway, that's another thread.
  • Reply 18 of 40
    solipsism (Posts: 25,726, member)
    Quote (originally posted by lfmorrison):


    Well, sure. But in that sense, Windows XP (in reality Windows 5.1) was an update to Windows 2000 (in reality, 5.0). And then so was Windows Server 2003 (in reality Windows 5.2).



    You do have a point but so does the author as the differences were very slight in relation to the underlying code. Some apps were added, some taken off and there was the Fisher-Price UI change that we all know and love to make it more consumer friendly over business, but I think that most of it was pretty much just a facelift which does make it more of a lateral, rather than a forward move.



    Quote:

    To look at it from the other side of the fence, Mac OS X version 10.3.0 was called Panther. The next version of Panther was version 10.3.1. On the other hand, the next version of Mac OS X was version 10.4.0, called Tiger.



    Microsoft generally labels such minor updates as "Service Packs".



    While the duration between Apple's point releases and MS' Service Packs were in line, that is the only similarity between the two. Apple's point releases are major revisions to the code from the kernel to the UI, while their point updates are mostly bug fixes and performance updates, with very little attention given to new features unless needed. Service Packs offer bug fixes and performance updates just like Apple's point updates, though they are more likely to add some new features that the original OS did not have, but that is to be expected in the world of SW when you are selling the same OS so many years later.



    It's hard to see why Apple is able to release a drastically new OS much more often than MS when you think about it. Apple has limited HW to support, is using a lot more open-source code and has incorporated a modular design that allows for dynamic transitions of one area without affecting the rest of the widget. A 64-bit OS between Mac OS X and Windows illustrates this last part well.
  • Reply 19 of 40
    prince (Posts: 89, member)
    Quote (originally posted by lfmorrison):


    My only criticism of what appears to have been an otherwise very well written article was dubbing Windows 7 as the "next version of the Vista operating system" instead of the "next version of the Windows operating system".



    Certainly nobody would have called Mac OS X Leopard the "next version of the Tiger operating system".



    "Windows" is not an operating system, it's a brand name.



    There is little or no OS technology similarities between Windows 3.1, Windows CE, Windows NT. So referring to Windows 7 as the next version of Windows Vista is useful because it says something about what Windows 7 actually is (it's built on Vista, not the XP code base that netbooks currently use), while calling it the "next Windows" is just marketing babble.



    For the same reason, we take pains to call the Mac system software prior to Mac OS X the "classic Mac OS." But since there have been no branches in Mac OS X since it was released, nor any other unrelated products sold under the Mac OS X brand, there's no reason to call Leopard a version of Tiger.



    If Apple starts using "Mac OS X" to refer to completely unrelated products with no similarities, then we'll have to start drawing the link between Tiger to Leopard to Snow Leopard explicitly, but you already know that they're related because Apple isn't just marketing a meaningless name.
  • Reply 20 of 40
    bageljoey (Posts: 2,004, member)
    Quote (originally posted by nagromme):




    Why do you assume ALL researchers are criminals just because SOME are? And why are you sure Miller is a criminal? Just because a cop knows the price of heroin doesn't mean he's a drug dealer. Most security researchers do nothing but good, even if they know the price of a Windows vulnerability.



    After reading this, YOU now know the price is $50,000+. Does that make you a criminal?




    What you say is true and mass generalizations are almost always unfair. However, the implication of the article, as I see it, supports lkrupp.



    Quote:

    The article also apparently cited Forslof in saying, "'There was an exploit at the show that could have broken the iPhone,' said. [sic] 'But the researcher said that the $10,000 wasn't enough to part with that level of vulnerability.'" That indicates that there is a market for iPhone vulnerabilities (at least more than on the Mac desktop), but that those bugs are also harder to discover and successfully exploit.



    This clearly indicates that it is not just that the security experts know what an iPhone exploit is worth, but also that they will not part with one for only 20% of what it is worth on the "market." For this to make sense, either they are waiting for a bigger legal prize to be offered (Who is going to do that?) or they are planning to sell the exploit.