David Maynor is back on his Apple security hobby horse and rocking it faster than a 5-year-old hopped up on pre-holiday candy canes. Despite his usual over-the-top Apple invective, he makes some valid points and provides some helpful information for people using QuickTime on Windows.
Apple announced ASLR as a feature in their latest version of the operating system, Mac OS X 10.5 (
TigerLeopard). However, Apple largely lied.
You might be surprised to hear the Macalope agree with Maynor, but he's right. OK,
maybe [See update below] "lied" is too strong, but they certainly misrepresented it.
Read the OS X Leopard Security Technology Brief (PDF).
In Leopard, libraries are loaded into random addresses when the system is installed and at any time that library prebinding is updated on the system (typically after system software updates, though you can manually force an update by running the "update_dyld_shared_cache -force" command).
The dynamic linker library (dyld) is not randomized. From what I can tell, ten different Leopard macs booted at ten different times will have the same offset to dyld.
You care because dyld is full of useful functionality. Like, dynamically linking new libraries into memory, or recovering the base addresses for existing libraries.
Clearly, not all libraries are randomized and it's hard to take Apple's documentation any other way than saying that all of them are.
[UPDATE: As a commenter points out, dyld is not a library itself. It's the pathway to libraries. So, yes, libraries are randomized, but that doesn't mean much if dyld isn't. It's like being in the witness protection program and having the government move you to an undisclosed location and then updating your address on Facebook so all your friends will know where you are!]
Microsoft has impressed the security community with its dedication to secure coding practice.
The Macalope suspects that the free keggers the company throws for security professionals and, well, everyone and their alcoholic mother don't hurt, either. And it's great that after years of making their users take it in the shorts on security by making them easy victims to, you know, actual real-world malware, that Microsoft can make bygones be bygones with security pros by tossing them some free shrimp like the barking seals that they are and then delivering a new OS with some good security features that sadly not that many people are taking advantage of because the cost in time, effort and cold, hard cash to upgrade from XP still often comes out to a losing proposition.
But the Macalope readily admits that Apple has rested on some comfortable security laurels and for every step forward they've made there's been a half a step back.
Installing Apple code on a Microsoft Vista system will make that system unsafe. Since these QuickTime vulnerabilities are equally exploitable on both Vista and Mac OS X 10.5, the fans might conclude that both operating systems are equally safe. This is not true, Vista is vastly more secure than the Macintosh.
"Vastly" is debatable. The structure is there, Apple just needs to implement it properly. Many of the items Ptacek points out are user-correctible. Apple could be just a dot release away from fixing them if it wanted to.
Apple's only advantage over Microsoft is their small market share, which means hackers are less interested in them. However, as hackers are having a harder time cracking Vista, they are getting more interested in the Mac, and we are seeing more exploits and more malware targeting Apple users.
This isn't yet a problem thanks to the legacy installs of XP and previous versions of Windows, but it will become more true as more Windows users inevitably adopt Vista (or move to the Mac or Linux). The situation is helped along, of course, by so-called security "professionals" who -- either because they love those Microsoft-sponsored security conferences or because they just really, really hate that "I'm a Mac" guy! -- are all too willing to yell "Look over there!"
Does the computer security industry ever strike you like a protection racket? "Nice operating system you have here. It'd be a shame if something were to happen to it."
Apple seems to be making some of the right moves, but not in a comprehensive manner. The Macalope would rather 2008 were not the year of the great Mac security epidemic.