Security vulnerability demonstrated in Safari
At the IT-Defense 2011 security conference, organised by services company cirosec, Mac security experts Dino Dai Zovi and Charlie Miller demonstrated a further zero-day exploit for the 64-bit version of Safari 5. Miller's demonstration involved taking control of the Safari process on a fully patched MacBook by calling a simple URL. The two specialists are not keen to reveal too many details, as they may be able to profit by using the exploit at the Pwn2Own contest in early March.
The demonstration once again shows how vulnerable Apple's operating system and applications are, despite security mechanisms such as address space layout randomisation (ASLR) and data execution prevention (DEP). Until now, Mac users may have been able to draw some sense of security from the lack of interest shown by malware producers, but it remains the case that Snow Leopard is not able to withstand targeted attacks. Security experts consequently consider OS X to be significantly less secure than Windows 7.
The two US researchers go one step further. They describe some of the gains in security in Snow Leopard as happy accidents. Apple's implementation of ASLR, for example, uses a number of fixed entry addresses which leave many entry points wide open. Although DEP is sensibly implemented for 64-bit processors, JIT spraying (see white paper) is able to bypass ASLR and DEP. Because Safari is based on WebKit, this attack is, however, thwarted by the fact that WebKit itself randomises the memory addresses of the JIT code produced – it appears that the WebKit project did not trust Apple.
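The article's point about ASLR and DEP comes down to which mitigations a Mac image actually opts into. As an added defender-side illustration (not code from the article, the conference or the researchers), the following script decodes the flag bits of a Mach-O header that an auditor would check: MH_PIE (main image may be loaded at a random base), MH_ALLOW_STACK_EXECUTION and MH_NO_HEAP_EXECUTION. The constant values are Apple's, from <mach-o/loader.h>; the sample headers are constructed inline, and the audit_file helper and the wording of the findings are assumptions of this example rather than anything the article states.

```python
import struct

# Constants from Apple's <mach-o/loader.h>.
MH_MAGIC, MH_CIGAM = 0xFEEDFACE, 0xCEFAEDFE        # 32-bit, native / byte-swapped
MH_MAGIC_64, MH_CIGAM_64 = 0xFEEDFACF, 0xCFFAEDFE  # 64-bit, native / byte-swapped
MH_EXECUTE, MH_DYLIB = 0x2, 0x6                    # filetype values we care about
MH_ALLOW_STACK_EXECUTION = 0x00020000              # stack is executable (weakens DEP)
MH_PIE = 0x00200000                                # main image may load at a random base (ASLR)
MH_NO_HEAP_EXECUTION = 0x01000000                  # heap is non-executable

CPU_TYPE_X86 = 7
CPU_TYPE_X86_64 = 0x01000007  # CPU_TYPE_X86 | CPU_ARCH_ABI64


def parse_mach_header(data: bytes) -> dict:
    """Decode a thin Mach-O header and report the mitigation-related flag bits.

    Returns the image width, file type, raw flags and booleans for PIE,
    executable stack and non-executable heap. Raises ValueError for anything
    that is not a thin Mach-O image (fat binaries are rejected here).
    """
    if len(data) < 28:
        raise ValueError("buffer too short for a Mach-O header")
    # Read the magic little-endian first; a byte-swapped value means the
    # file was written big-endian and must be decoded that way.
    (raw_magic,) = struct.unpack_from("<I", data, 0)
    if raw_magic in (MH_MAGIC, MH_MAGIC_64):
        endian = "<"
    elif raw_magic in (MH_CIGAM, MH_CIGAM_64):
        endian = ">"
    else:
        raise ValueError("not a thin Mach-O image (magic 0x%08x)" % raw_magic)
    (magic,) = struct.unpack_from(endian + "I", data, 0)
    bits = 64 if magic == MH_MAGIC_64 else 32
    if bits == 64 and len(data) < 32:
        raise ValueError("buffer too short for a 64-bit Mach-O header")
    cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags = struct.unpack_from(
        endian + "iiIIII", data, 4)
    return {
        "bits": bits,
        "cputype": cputype,
        "filetype": filetype,
        "flags": flags,
        "pie": bool(flags & MH_PIE),
        "stack_exec": bool(flags & MH_ALLOW_STACK_EXECUTION),
        "heap_noexec": bool(flags & MH_NO_HEAP_EXECUTION),
    }


def findings(header: dict) -> list:
    """Turn the parsed flags into audit findings (empty list means nothing to flag)."""
    out = []
    if header["filetype"] == MH_EXECUTE and not header["pie"]:
        out.append("main executable is not PIE: its image loads at a fixed base")
    if header["stack_exec"]:
        out.append("MH_ALLOW_STACK_EXECUTION set: stack is executable")
    if header["bits"] == 32 and not header["heap_noexec"]:
        out.append("MH_NO_HEAP_EXECUTION not set on a 32-bit image")
    return out


def build_sample_header(flags: int, bits: int = 64, endian: str = "<") -> bytes:
    """Construct a minimal MH_EXECUTE header (constructed sample, not from a real binary)."""
    if bits == 64:
        return struct.pack(endian + "IiiIIIII", MH_MAGIC_64, CPU_TYPE_X86_64, 3,
                           MH_EXECUTE, 0, 0, flags, 0)
    return struct.pack(endian + "IiiIIII", MH_MAGIC, CPU_TYPE_X86, 3,
                       MH_EXECUTE, 0, 0, flags)


def audit_file(path: str) -> list:
    """Read the header of a thin binary on disk and return its findings (hypothetical helper)."""
    with open(path, "rb") as fh:
        return findings(parse_mach_header(fh.read(32)))


if __name__ == "__main__":
    samples = {
        "hardened": build_sample_header(MH_PIE | MH_NO_HEAP_EXECUTION),
        "legacy-32bit": build_sample_header(MH_ALLOW_STACK_EXECUTION, bits=32),
    }
    for name, blob in samples.items():
        print(name, findings(parse_mach_header(blob)) or ["no findings"])
```

The parser only looks at thin images; a universal (fat) binary starts with a different magic and would need its per-architecture slices walked first. The flag bits say what an image asks for, not what the loader on a particular OS X release actually grants, so the output is a starting point for an audit rather than a verdict on the process at runtime.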
Similarly, changes in memory management in OS X 10.6 – malloc assigns memory per CPU core in a zone known as a magazine – offer entirely unplanned security benefits. Miller classifies the changes as "performance enhancements".