One such thing analysts would like to see in a Mac operating system is ASLR (address space layout randomization), a technology designed to allocate random space for memory, thus making it harder for an attacker to figure out addresses of critical functions and hence harder to get exploits running correctly. Microsoft implemented ASLR in Vista. Although Symantec discovered that ASLR's shuffling of the address space deck, randomly locating programs in memory, wasn't as random as expected, this technique of memory handling is one of multiple security enhancements in Vista that early adopters cite as their No. 1 reason to deploy the new operating system.

But although Apple hasn't yet implemented ASLR, it has in fact recently added the NX (No eXecute) bit to its memory handling in Mac OS X for Intel (from version 10.4.4 onwards), Mogull noted. Sections of memory flagged with the NX bit attribute can only be used for storing data, meaning that commands shouldn't reside there and can't be executed if they do. This prevents attackers from exploiting buffer overflows, during which memory overflows and overwrites some areas in memory that can be executable. (An attacker exploiting a buffer overflow sends commands to memory that is supposed to hold data, but since the processor can't tell the difference, it runs the commands instead.)

But there are also some services running on OS X that can be exploited, Mogull said. Input Managers in particular are well-known to be security flaws in Macs. An Input Manager is an aspect of text input, enabling such things as the entry of non-Arabic characters. But, as Matt Neuberg, a blogger on the Mac Internet community forum TidBITS, pointed out, the trouble is that input managers inject themselves into every application as it starts up. "Thus an Input Manager is a general, legal method to modify application behavior," Neuberg writes.
"Naturally it didn't take long for the thought to occur to someone that such modification need have nothing to do [with] inputting text! Thus, Input Managers (or, at least, bundles of code installed in a Library's InputManagers folder) are the basis of many popular hacks, including StuffIt Deluxe's MagicMenu feature, CocoaGestures, Smart Crash Reports, certain Growl Extras, PithHelmet (and SIMBL), Saft, Inquisitor, and many others (as those last examples show, this is a particularly popular way to hack Safari)."

Input Managers were also used as part of one bug featured in the Month of Apple Bugs, on Jan. 22, 2007. Mogull is hearing that Input Managers, which allow attackers to execute arbitrary code when applications launch, will be locked down when Apple ships its next version.

At any rate, in spite of what Apple still hasn't done with regard to security, there are Mac exploits, but there are no mass Mac exploits. Is this merely a function of Apple's small market share? Mogull grants that yes, the security shortcomings he sees in Mac OS X would mean that Apple might be having some problems if it had Microsoft's market share. Still, it's a pretty secure platform, he said. "It's not like it's wide open." Even after the CanSecWest security conference, when hackers broke into a Mac in a Pwn-2-Own contest, Apple had the vulnerability patched within eight days, he noted.

"Macs are not the bastions of security a lot of people would have you believe, but it's not like Apple's doing everything wrong, like some of the hacker types would have you believe," Mogull said. Still, it will be a good day when the company gets its first CSO, he said.
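The two mitigations discussed earlier in this piece, the NX bit (data pages must never be executable) and ASLR (a program's stack and libraries should land at different addresses every time it starts), are both things a defender can audit from a process memory map. The following is an added example written for this article, not code from eWEEK, Apple, Symantec or Rich Mogull. It assumes the Linux `/proc/<pid>/maps` text format (macOS exposes the same information through `vmmap` in a different layout, so the parser would need adapting there); the two map snapshots it checks are constructed sample data, and the `[anon:jit]` region in them is a deliberately planted writable-and-executable page so the NX check has something to flag.

```python
"""Audit process memory maps for NX (W^X) violations and for working ASLR.

Added, illustrative example; not code from the article's sources.
Assumption: Linux /proc/<pid>/maps line format
    start-end perms offset dev inode [path]
"""
from __future__ import annotations

import re
from dataclasses import dataclass

MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxsp-]{4})\s+"
    r"[0-9a-f]+\s+\S+\s+\d+\s*(?P<path>.*)$"
)


@dataclass(frozen=True)
class Mapping:
    start: int
    end: int
    perms: str
    path: str

    @property
    def writable(self) -> bool:
        return "w" in self.perms

    @property
    def executable(self) -> bool:
        return "x" in self.perms


def parse_maps(text: str) -> list[Mapping]:
    """Parse /proc/<pid>/maps-style text into Mapping records, skipping malformed lines."""
    mappings = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if not m:
            continue
        mappings.append(Mapping(int(m["start"], 16), int(m["end"], 16),
                                m["perms"], m["path"].strip()))
    return mappings


def wx_violations(mappings: list[Mapping]) -> list[Mapping]:
    """Regions that are both writable and executable: the NX bit is not protecting them."""
    return [m for m in mappings if m.writable and m.executable]


def aslr_looks_enabled(run_a: list[Mapping], run_b: list[Mapping]) -> bool:
    """Compare two launches of the same binary: with ASLR, stack and libc bases should differ."""
    def base(maps: list[Mapping], key: str) -> int | None:
        for m in maps:
            if key in m.path:
                return m.start  # first mapping for that object is its load base
        return None
    stack_moved = base(run_a, "[stack]") != base(run_b, "[stack]")
    libc_moved = base(run_a, "libc") != base(run_b, "libc")
    return stack_moved and libc_moved


def live_wx_violations() -> list[Mapping] | None:
    """Audit the current process on a Linux host; returns None where /proc is unavailable."""
    try:
        with open("/proc/self/maps", encoding="ascii", errors="replace") as fh:
            return wx_violations(parse_maps(fh.read()))
    except OSError:
        return None


# Constructed sample snapshots (not captured from a real system).
RUN_A = """
00400000-00452000 r-xp 00000000 08:01 1234  /usr/bin/demo
00651000-00652000 rw-p 00051000 08:01 1234  /usr/bin/demo
7f3a2c000000-7f3a2c1c0000 r-xp 00000000 08:01 5678  /lib/x86_64-linux-gnu/libc.so.6
7f3a2c3c0000-7f3a2c3c5000 rw-p 001c0000 08:01 5678  /lib/x86_64-linux-gnu/libc.so.6
7f3a2d000000-7f3a2d021000 rwxp 00000000 00:00 0     [anon:jit]
7ffd5e1a0000-7ffd5e1c1000 rw-p 00000000 00:00 0     [stack]
"""

# Same binary started a second time: libraries and stack moved, as ASLR should cause.
RUN_B = """
00400000-00452000 r-xp 00000000 08:01 1234  /usr/bin/demo
00651000-00652000 rw-p 00051000 08:01 1234  /usr/bin/demo
7f91a0000000-7f91a01c0000 r-xp 00000000 08:01 5678  /lib/x86_64-linux-gnu/libc.so.6
7f91a03c0000-7f91a03c5000 rw-p 001c0000 08:01 5678  /lib/x86_64-linux-gnu/libc.so.6
7f91a1000000-7f91a1021000 rwxp 00000000 00:00 0     [anon:jit]
7ffc1d700000-7ffc1d721000 rw-p 00000000 00:00 0     [stack]
"""

if __name__ == "__main__":
    a, b = parse_maps(RUN_A), parse_maps(RUN_B)
    for v in wx_violations(a):
        print(f"W+X region {v.start:#x}-{v.end:#x} {v.path}")
    print("ASLR appears enabled:", aslr_looks_enabled(a, b))
    print("Live W+X regions in this process:", live_wx_violations())
```

Note that the main executable in both snapshots sits at the same fixed address, which is exactly what Symantec's observation about incomplete randomization looks like in practice: a non-PIE binary stays put even when the stack and libraries move, so the check deliberately keys on the stack and libc rather than on the program image.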
"If we saw Apple getting up and warning people about things people are using to penetrate [its operating system], and talking about practices beyond patching, and embracing Symantec [and its Macintosh security products] instead of treating them like you would any other evil," it would all be for the good, he said. "At some point you have to step up to full responsibility of protecting your platform, and that means being aggressive about protection."
"[Famed hacker] HD Moore [and his ilk] can get around that stuff. I sure can't," Mogull said. "But it does offer extra protection."