Apple’s Complacency Threatens OS X Security
Filed Under Computers & Tech, Security on July 30, 2007 at 3:56 pm
I regularly have a go at Microsoft for not patching vulnerabilities quickly enough. The recent shambles with the animated cursor flaw proves that MS still have a long way to go in terms of security. However, they are not alone. Apple have a definite advantage over MS when it comes to security: they built OS X on top of the very robust and security-conscious FreeBSD distribution of Unix, while MS are building on the shoddy foundation that is DOS and the early versions of NT. A lot of current Windows vulnerabilities lie in this very old code, the animated cursor flaw being a good recent example. However, Apple are being complacent. They seem to be drinking too much of their own Kool-Aid and are acting as if OS X really were immune from attack. It is of course not immune, and with the Apple TV and the iPhone now also running OS X it's becoming a bigger target every day. When vulnerabilities are reported Apple have to respond promptly; unfortunately the current Samba flaw in OS X proves they are not doing this.
Although it is not turned on by default, most Mac users turn on Windows Sharing on OS X. If you're working in a mixed environment you really can't do without it, and even in an all-Mac environment Windows Sharing provides a very simple way of transferring files. Like other Linux/Unix distributions, OS X uses Samba to implement Windows Sharing (the SMB/CIFS service, which listens on TCP ports 139 and 445). A few months ago a very serious, remotely exploitable flaw was discovered in Samba, which the Samba community patched within a day (the fix shipped in Samba 3.0.25 in May 2007). The various OS vendors then began pushing out updated Samba packages very quickly, but Apple did not. To this day Apple have not incorporated the Samba fix into OS X. A fully patched OS X 10.4.10 machine with Windows Sharing enabled can be totally taken over by anyone who can reach it on the network. A working exploit has been added to Metasploit, so it is trivial for anyone, amateur programmer or not, to break into any Mac with Windows Sharing running.
This is bad. This is very bad, and to be honest I consider it nothing short of a scandal. It makes a total mockery of Apple's security claims. However, don't panic! All is not lost. Firstly, simply turning off Windows Sharing (System Preferences, Sharing pane) protects you completely from this vulnerability, because the vulnerable smbd is then no longer listening at all. If you want to be dead sure you're safe you really need to do this. Secondly, if you're enough of a nerd you can compile a fixed version of Samba (3.0.25 or later) yourself and get your machine patched without Apple's help, bearing in mind that Apple ship their own build of Samba, so a stock upstream build may not slot in cleanly (seriously, leave this option to the true nerds).
However, you may not even need to do either of these things. If your home network connects to the internet via a regular NAT router (as is the norm) you are protected from the outside world, provided you have not forwarded TCP ports 139 or 445 to your Mac or placed it in the router's DMZ. All machines on your home network will still be able to attack each other, but since you probably trust your own family (and none of their machines is itself already compromised) this shouldn't be an issue in most households. One thing to watch out for is laptops: if you have a laptop which you connect to other networks you really do need to turn off Windows Sharing on it. In some small corporate environments it may also be OK to leave Windows Sharing switched on, but on large corporate or university networks this would not be safe.
If you ever use an open Wi-Fi hotspot to connect to the internet you MUST disable Windows Sharing first, or you are in grave danger of being hacked: everyone else on that hotspot can reach your Mac's SMB ports directly.
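As an added example (not code from the original post), the following script turns the advice above into a quick check you can run on a Mac: it asks the local smbd for its version, tests whether anything is answering on the SMB ports, and reports whether the machine is exposed. It assumes that `smbd -V` prints a line of the form "Version 3.0.10" (the format stock Samba uses; that Apple's build prints the same is an assumption), that smbd lives at /usr/sbin/smbd or on the PATH, and takes Samba 3.0.25 as the first fixed release. Passing another IP address checks only whether a peer on the LAN has SMB listening, since the version can only be read locally.

```python
"""Is this Mac exposing a pre-3.0.25 Samba via Windows Sharing?

Assumptions (not from the original post): `smbd -V` prints "Version x.y.z"
as stock Samba does, smbd is at /usr/sbin/smbd or on the PATH, and
Samba 3.0.25 is the first release carrying the fix.
"""
import re
import socket
import subprocess
import sys

FIXED_VERSION = (3, 0, 25)                # Samba 3.0.25 (May 2007) has the fix
SMB_PORTS = (139, 445)                    # NetBIOS session and direct-hosted SMB
SMBD_PATHS = ("/usr/sbin/smbd", "smbd")   # assumed locations of Apple's smbd

# major.minor.patch plus an optional suffix such as "rc3", "pre1" or "a"
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([A-Za-z]+\d*)?")


def parse_samba_version(text):
    """Turn 'Version 3.0.25rc3' into a tuple that sorts the way Samba numbers.

    The fourth element ranks pre-releases (rc/pre/alpha/beta) below the
    final release and letter re-releases (3.0.25a) above it.
    """
    match = _VERSION_RE.search(text)
    if match is None:
        raise ValueError(f"no Samba version in {text!r}")
    major, minor, patch = (int(match.group(i)) for i in (1, 2, 3))
    suffix = (match.group(4) or "").lower()
    if suffix == "":
        rank = 1
    elif suffix.startswith(("rc", "pre", "alpha", "beta")):
        rank = 0
    else:
        rank = 2
    return (major, minor, patch, rank)


def is_vulnerable(version):
    """True for anything older than the final 3.0.25 release."""
    return version < FIXED_VERSION + (1,)


def open_smb_ports(host, timeout=1.0):
    """Return the SMB ports on `host` that accept a TCP connection."""
    found = []
    for port in SMB_PORTS:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.settimeout(timeout)
        try:
            if sock.connect_ex((host, port)) == 0:
                found.append(port)
        finally:
            sock.close()
    return found


def assess(version_text, ports):
    """Combine the reported version and the listening state into a verdict."""
    if not ports:
        return "NOT EXPOSED: nothing listening on the SMB ports"
    version = parse_samba_version(version_text)
    label = ".".join(str(n) for n in version[:3])
    if is_vulnerable(version):
        return f"VULNERABLE: Samba {label} listening on {ports}"
    return f"PATCHED: Samba {label} listening on {ports}"


def local_smbd_version():
    """Ask the local smbd for its version string; None if it cannot be run."""
    for path in SMBD_PATHS:
        try:
            proc = subprocess.run([path, "-V"], capture_output=True,
                                  text=True, timeout=5)
        except (OSError, subprocess.TimeoutExpired):
            continue
        if proc.returncode == 0 and proc.stdout.strip():
            return proc.stdout.strip()
    return None


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    ports = open_smb_ports(host)
    text = local_smbd_version() if host == "127.0.0.1" else None
    if text is None:
        print(f"{host}: SMB ports open: {ports or 'none'} (version not checked)")
    else:
        print(f"{host}: {assess(text, ports)}")
```

A "NOT EXPOSED" verdict means only that the SMB ports were closed at the moment of the check; if you later re-enable Windows Sharing the old smbd is back, so the version line is the number that matters until Apple ships an update.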
At the moment we're not seeing any wide-scale exploitation of this vulnerability in the real world, but that doesn't mean there won't be in the future. Symantec are very worried about this and seem to think such attacks are imminent. I'd have to agree with them. The simple fact is that all Mac users are now more vulnerable than they need to be. Apple have no excuse for not patching this vulnerability sooner; the fix has been available from the Samba community for months now. Get your finger out, Apple!
> Apple have a definite advantage over MS when it comes to security, they have built OS X on top of the very robust and security-conscious FreeBSD distribution of Unix
No, Apple based it on NeXTSTEP and imported code from FreeBSD 3.x, a bunch of code that’s a decade old. And FreeBSD has never been particularly security-conscious, just look at their track record in contrast to the actually security-conscious OpenBSD. Had Apple been smart, they’d not have had their own operating system at all, they’d have grabbed hold of the reins of OpenBSD’s development, brought increased performance to it for the platforms they cared about, and sold a packaged version of that system with their Aqua interface and other tools tacked on top of it, similar to Darwin, but with some quality to it.
I’m intrigued that people keep it on at all – I live in a 98% Windows environment and I don’t seem to find a need for it. I wonder why people need it? I remember ages ago when I built a PC at home (for the education only, I assure you) I turned it on to move some files around. But in a big corporate environment it’s easier to put data on file servers, use eRoom, or Docushare so there are controls and authentication to get to the data.
Samuel, there is no doubt that OpenBSD is another step above just about everything else when it comes to security but I would still consider FreeBSD to be a more solid base than DOS/NT. For years MS just didn’t get security. They didn’t care, and their code suffered. Even MS said it would take them a decade to recover when they finally caught on. FreeBSD were not as good about security as OpenBSD but still better than MS. Also, FreeBSD is a very stable and robust platform. In fact, this server runs FreeBSD.
As for your proposed business model for Apple, I don’t think it would have worked. Apple has one thing going for it, user experience. It is a joy to use a Mac. Some of that user experience is down to a good GUI and a good understanding of HCI but a lot of it is also down to excellent hardware integration because of the closed platform. A Mac is both hardware and software, if you separate them out you really do lose something.
Allison, in work all our staff and students have both personal and departmental network shares. All this is done via SAMBA. All our staff rely on it.
Bart, with Apple’s release of Darwin, that’s exactly what they’re doing. Selling a proprietary add-on to their Darwin operating system on their own hardware, they could have done that with an OpenBSD base, just as much as they have with their Darwin base.
Samuel, I’m not arguing that they couldn’t have used OpenBSD as their base but rather that they couldn’t sell a “packaged” version of their system. I have no idea why Apple chose FreeBSD or what else they considered. Maybe they had a good reason for choosing FreeBSD? I’d sure be interested in hearing their logic.
[…] Apple’s Complacancy Threatens OS X Security […]
[…] not long ago that I posted about Apple not patching their SAMBA implementation for months after a patch became available. Now there is a Quick Time vulnerability in the wild that was apparently reported to Apple about a […]
[…] slow at patching them. The SAMBA flaw last year was a dramatic example of this which I blogged about at the time. When it comes to Safari Apple’s attitude to security is also worrying. Their […]
Your spelling’s atrocious and makes this blurb unbearable to read. Please get an education.
For shits and giggles I ran the entire post through a spell checker and then re-read it just to be sure. There were two misspellings, one repeated word, and one grammatical error (this rather than these). Four small typos. Sure, it would be nice never to make any mistakes, but I’m not a professional writer, just a Physicist and a Computer Scientist.
Finally, since you clearly believe your education to be superior to mine, I have no doubt that you noticed that this is an Irish blog, and hence written in UK/Irish English rather than American English. Some less educated and more arrogant people might mistake non-American spelling for incorrect spelling, but you’re clearly far too educated for that.
It’s always the illiterate who point out two spelling mistakes and harp on about how it makes a blog entry unreadable.
There’s an old internet rule of thumb that I’ve followed since my days on the pre-WWW internet.
If, when responding, all you are doing is correcting someone’s spelling, you have lost.
Corollary: If, when responding, all you are doing is pointing out that someone has bad spelling, without pointing out the spelling mistakes, you are a loser.
[…] year Apple left its users vulnerable for months when it failed to push out a critical SAMBA update, now they are failing to push out a patch to ISC BIND to protect us from the critical DNS […]
I find it ironic that you accuse Apple of complacency in the same post in which you suggest people not worry about running tainted and insecure versions of Samba provided they are sitting behind a SOHO router with an included firewall. Most of those devices are very easily defeated and a large proportion of home users don’t even bother modifying the default password. Now there’s complacency indeed! The fact that you have a firewall is no excuse for running software on your network with security vulnerabilities!
Hi Dave,
I certainly stand by the advice I gave here. This post is now over a year old. How many SOHO Mac users were hacked because of following this advice? Security is all about balancing risk and convenience. Unfortunately it is generally true that more convenience gives less security. SAMBA attacks are limited to the LAN, so saying that you are probably OK if you trust everyone else on your network is reasonable.
As for home routers, if you read more on this site you’ll see that I have dedicated quite a bit of time to explaining to people why it is important to secure their home routers. It is also true that NAT offers great protection from the outside by its one-way-valve nature.
I almost agree with your last statement, I just think you left out a word. What I’d say is “The fact that you have a firewall is no excuse for NEEDLESSLY running software on your network with security vulnerabilities!”. When there are no patches you are left with a judgement where you have to weigh up the risks of running the software against the inconvenience of not running it.
Right now the entire world is using a fundamentally flawed version of DNS. We have the solution, DNSSEC, but to deploy it would be a truly Herculean task. Hence we potter along with a crudely patched DNS implementation for now. That’s the real world. Perfect security is almost never a viable option.
Bart.