The recent move by Apple Computer to begin shipping Macintosh computers that use microprocessors from Intel could open the door to more attacks against computers running the company’s OS X operating system, security experts warn.
The shift to Intel processors from the Motorola PowerPC processors will make it easier to create software exploits for Macintosh systems, and could result in a steady stream of Mac exploits in years to come.
The change could put more pressure on Apple to build security features into OS X, according to interviews conducted by eWEEK.
Apple declined requests for interviews. In an e-mail statement, the company said that the security technologies and processes that have made Mac OS X secure for PowerPC remain the same for Intel-based Macs.
Apple first announced its intention to deliver Macs that use Intel processors in June and said it plans to transition all of its Macs to Intel by the end of 2007.
The company’s CEO, Steve Jobs, unveiled the first Intel-based systems using Intel’s dual-core Duo chip earlier this month at the MacWorld Expo in San Francisco.
The move to Intel will end a 10-year relationship with Motorola, which produced the PowerPC microprocessors used in Macs, and is expected to bring immediate improvements in both processing power and efficiency to Apple.
However, experts cite a number of ways in which the shift to Intel will spell trouble for engineers at Apple and for Mac users:
- History: Using the Intel x86 platform pulls Macintosh systems onto the same platform used by Microsoft’s Windows computers, a prime target of the hacking community for years.
“Attackers have been focused on the [Intel] x86 for over a decade. Macintosh will have a lot more exposure than when it was on PowerPC,” said Oliver Friedrichs, a senior manager at Symantec Corp. Security Response.
There are many more malicious hackers who understand the x86 architecture in-depth than understand the PowerPC. And attackers have access to hundreds of documents and examples of how to exploit common vulnerabilities on x86, whereas exploits for PowerPC are far fewer, Friedrichs said.
“[Intel x86] lowers the bar dramatically for someone trying to exploit a vulnerability,” he said.
Architecture and Tools
- Architecture: Though its name suggests otherwise, Intel’s CISC (Complex Instruction Set Computer) architecture is easier to audit for security holes than the RISC (Reduced Instruction Set Computer)–based chips from Motorola, said Lurene Grenier, a software vulnerability researcher and Mac PowerBook user in Columbia, Md.
“With Complex Instruction Set instructions, there are more of them, and they do more for you. It’s just simpler to read and write to CISC systems and get them to do something,” she said.
Those differences make it easier for vulnerability experts and exploit writers to understand and write exploit code for systems that use the Intel architecture, and remove a big barrier to writing exploits for Mac systems, analysts agree.
“OS X will become more popular as prices drop. I think you have a variety of malicious folks who know the Intel chip set and instruction set. Now that Mac OS X runs on that, people can port their malware and other things over to OS X quickly and easily,” said David Mackey, director of security intelligence at IBM.
“If I want to pop some box, Mac on a Motorola chip is a barrier,” says Josh Pennell, president and CEO of IOActive Inc. in Seattle.
The population of individuals who can reverse-engineer code and read and write Assembly language is small, anyway.
Within that tiny population, there are far more who can do it for CISC as compared to RISC-based systems, Grenier said.
“There are payloads and shell code written for PowerPC, but there are far fewer people who can or care to write it,” Grenier said.
- Tools: Hackers need tools to help them in their work, and more of them exist for machines using Intel’s x86 than Motorola’s PowerPC, experts agree.
Popular code disassembly tools like IDA Pro work for programs that run on both Intel and PowerPC, but there’s a richer variety of tools such as shell code encoders and tools for scouring code that work with the Intel platform than for PowerPC, Grenier said.
“There are tools that are not written for PowerPC because there’s not the user base or the interest,” she said.
Windows, Linux and Unix all use the x86 architecture, and exploit writers interested in those platforms have developed more tools to help them over the years.
Those tools, in turn, speed development of exploit code for buffer overflows and other kinds of vulnerabilities that require knowledge of the underlying architecture, Grenier said.
“I don’t think [Intel] will make Mac more or less secure. But there will be a ton more exploits coming out for Mac,” Grenier said.
However, many other factors will determine whether Mac systems will be targets of future attacks, experts say.
“[Software] vulnerabilities still depend on the OS, not the underlying architecture,” said Erik Tayler, a security consultant at IOActive. “It will still come down to writing good code.”
OS X is generally a stable operating system that is built on top of BSD (Berkeley Software Distribution) Unix, and already has features such as automatic software updates, said Mark Grimes, an OS X security expert who runs Stateful Labs in San Diego, Calif.
Apple is also investing in security talent, and also pushing for stringent Common Criteria certification of OS X so that the operating system can be adopted by government agencies, Grimes said.
However, OS X is still a very “open” operating system compared to Windows, Grimes said.
“There are things you can do with OS X that are kind of scary,” he said.
The emergence of “haxies,” hacks for OS X that are used to make small adjustments to the user interface or applications, is evidence that OS X could be used to spread malicious code, though maybe not self-propagating viruses and worms, he said.
Security companies from IBM to Symantec Corp. have warned that attacks against OS X are on the rise, though they are still a small fraction compared to attacks on Windows systems.
A rich selection of OS X exploits can be found at online hacking sites like the Metasploit Project.
Despite that, OS X lacks many of the security enhancements, such as stack protection, that companies like Microsoft have added in recent years to blunt the impact of malicious code attacks, analysts say.
“Every part of memory is executable by default,” Grenier said. “Just about every place you can stick data into memory, you can get it to execute.”
That makes it easier to compromise OS X systems for hackers who get access to them, she said.
While Mac is immune to much of the Windows-focused malicious code that circulates on the Internet, that doesn’t mean the operating system is without holes, as the frequent operating system patches from Apple indicate, she said.
With a relatively tiny user population and little presence on corporate networks, however, those patches usually don’t make news.
“Every time you get an update for OS X, there are a slew of under-publicized vulnerabilities. You might have five, 10 or 15 security flaws, but nobody murmurs,” Grenier said.
In the end, the interest in Mac as a target may simply be a factor of its popularity. And switching to Intel could make the systems much more popular, analysts say.
Still, Apple should invest in technologies that make it harder for malicious code to run on their machines now, rather than waiting to see what happens. Protections against memory and stack overflows are a good place to start, analysts agree.
“Technologies that protect against stack-based overflows are readily available, and it’s not difficult to leverage those and incorporate them into the OS,” Friedrichs said.
Apple should consider putting a large, public effort into security, much as its bitter rival Microsoft did with Trustworthy Computing, or the open-source GrSecurity effort to improve Linux security, Grenier said.
OS X exploits aren’t uncommon. The shift to Intel could be just the change that makes it worthwhile to write exploits for them, she said.