Friday, February 02, 2007

Bill Gates fights back against an evil corp?!?!

UPDATE: For a response to John Gruber check here. For more discussion on the lack of security features in OSX, check here.

http://apple.slashdot.org/apple/07/02/02/1940232.shtml

The Mac community is up in arms. Bill Gates gave an interview where he fights back against some of Apple’s misleading and deceptive marketing.

As a side note, those commercials are what led me to do security research in Apple. Also the quote that is quite often attributed to me about “cigarettes in mac users eyes” is a misquote as I actually said “cigarettes in the eyes of the actors in the commercials”. But I digress.

"Nowadays, security guys break the Mac every single day. Every single day, they come out with a total exploit, your machine can be taken over totally. I dare anybody to do that once a month on the Windows machine."

Oh the Mac fans are upset. *rabble*rabble*.

http://www.limited-exposure.org/2007/02/02/hey-bill-keep-up-will-ya/

http://www.securityfocus.com/archive/142/458920/30/0/threaded

http://daringfireball.net/2007/02/lies_damned_lies_and_bill_gates

The limited exposure guy even went as far as to count the MoBB bugs to prove how insecure Windows is. He forgot to mention how many of them affect Windows Vista and IE7 (HINT: not 25, that’s for sure).

Take a seat, hold your hats because I am about to make a declaration: Windows Vista is more secure than OSX 10.4.8. Anybody that tells you anything different should immediately be treated with the same disdain as finding a parking ticket on your car. This hasn’t been a popular thing to say and it’s not often said, but I am here to stand my ground on this. It sure won’t win me any karma on Slashdot.

Why do I think this? For one, new exploitation methods have to be developed to take advantage of a Vista vulnerability. Let’s look at why:

Stack overflows are gone. Don’t think this is just because of NX, or Non-eXecutable stacks. NX just means I can’t execute code on the stack, but return-to-libc attacks still work. Things like ASLR (which is implemented on Vista and not OSX) break return-to-libc attacks because the system libraries are loaded at different, random addresses every time. Count how many of the Month of Apple Bug exploits were stack overflows. The most dangerous one, MoAB #1, was.
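One way a defender can check the NX-versus-ASLR distinction drawn above, as an added example rather than code from the original post: on Windows both protections are recorded per image as DllCharacteristics flags in the PE optional header (a detail the post does not state), so an image marked NX-compatible but not ASLR-enabled is the case where fixed library addresses remain. The sample image is constructed in memory and the function names are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define DLLCHAR_DYNAMIC_BASE 0x0040 /* IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE: opts in to ASLR */
#define DLLCHAR_NX_COMPAT    0x0100 /* IMAGE_DLLCHARACTERISTICS_NX_COMPAT: opts in to NX/DEP */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Reads DllCharacteristics from a PE image held in memory.
 * Returns 0 and fills *flags, or -1 if the buffer is not a well-formed PE. */
int pe_dll_characteristics(const uint8_t *img, size_t len, uint16_t *flags)
{
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z')
        return -1;
    uint32_t pe = rd32(img + 0x3C);            /* e_lfanew: offset of "PE\0\0" */
    /* need signature (4) + COFF header (20) + optional header up to offset 72 */
    if (pe > len || len - pe < 4 + 20 + 72)
        return -1;
    if (memcmp(img + pe, "PE\0\0", 4) != 0)
        return -1;
    uint16_t opt_size = rd16(img + pe + 4 + 16); /* SizeOfOptionalHeader */
    const uint8_t *opt = img + pe + 24;
    uint16_t magic = rd16(opt);                  /* 0x10B = PE32, 0x20B = PE32+ */
    if (opt_size < 72 || (magic != 0x10B && magic != 0x20B))
        return -1;
    *flags = rd16(opt + 70);                     /* same offset in PE32 and PE32+ */
    return 0;
}

/* 3 = ASLR and NX, 2 = NX only, 1 = ASLR only, 0 = neither, -1 = not a PE. */
int mitigation_level(const uint8_t *img, size_t len)
{
    uint16_t f;
    if (pe_dll_characteristics(img, len, &f) != 0)
        return -1;
    return ((f & DLLCHAR_NX_COMPAT) ? 2 : 0) + ((f & DLLCHAR_DYNAMIC_BASE) ? 1 : 0);
}

/* Constructed sample: a minimal PE32 header carrying the given flags. */
static void build_sample(uint8_t *buf, size_t len, uint16_t dllchar)
{
    memset(buf, 0, len);
    buf[0] = 'M'; buf[1] = 'Z';
    buf[0x3C] = 0x40;                            /* e_lfanew */
    memcpy(buf + 0x40, "PE\0\0", 4);
    buf[0x40 + 4 + 16] = 0xE0;                   /* SizeOfOptionalHeader = 224 */
    buf[0x40 + 24] = 0x0B; buf[0x40 + 25] = 0x01;
    buf[0x40 + 24 + 70] = (uint8_t)(dllchar & 0xFF);
    buf[0x40 + 24 + 71] = (uint8_t)(dllchar >> 8);
}

int main(void)
{
    static const uint16_t cases[] = { 0x0140, 0x0100, 0x0040, 0x0000 };
    uint8_t img[320];
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        build_sample(img, sizeof img, cases[i]);
        printf("DllCharacteristics=0x%04x -> level %d\n",
               cases[i], mitigation_level(img, sizeof img));
    }
    return 0;
}
```
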

Heap overflows are pretty much broken, if not eradicated. With heap randomization, and with metadata elements and function pointers being XORed with random numbers, it would be next to impossible to exploit a heap overflow on Vista in the traditional way. OSX doesn’t have any similar protection.
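The XOR protection described above can be shown with a simplified model; this is an added example, not code from the original post and not Vista's real header layout. It assumes a hypothetical 32-bit chunk header (size, flags, one check byte) XORed with a per-heap key, and shows that a header overwritten without knowledge of the key is rejected when the allocator decodes it.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified model (assumption, not Vista's layout):
 * header = size (16 bits) | flags (8) | check (8),
 * where check is the XOR of the other three bytes. */
static uint32_t hdr_pack(uint16_t size, uint8_t flags)
{
    uint8_t check = (uint8_t)((size & 0xFF) ^ (size >> 8) ^ flags);
    return (uint32_t)size | ((uint32_t)flags << 16) | ((uint32_t)check << 24);
}

/* What the allocator stores in front of a chunk: header XOR per-heap key. */
uint32_t hdr_encode(uint16_t size, uint8_t flags, uint32_t heap_key)
{
    return hdr_pack(size, flags) ^ heap_key;
}

/* What the allocator does before trusting a header on free or coalesce.
 * Returns 0 and fills the outputs, or -1 if the header fails its check. */
int hdr_decode(uint32_t stored, uint32_t heap_key, uint16_t *size, uint8_t *flags)
{
    uint32_t raw = stored ^ heap_key;
    uint16_t s = (uint16_t)(raw & 0xFFFF);
    uint8_t f = (uint8_t)(raw >> 16);
    if (hdr_pack(s, f) != raw)
        return -1;
    *size = s;
    *flags = f;
    return 0;
}

/* Of the 256 keys that differ only in their top byte, how many would accept
 * a header that was written without knowing the key? */
int blind_write_accepted(uint32_t written, uint32_t key_low24)
{
    int accepted = 0;
    uint16_t s;
    uint8_t f;
    for (uint32_t top = 0; top < 256; top++)
        if (hdr_decode(written, (top << 24) | (key_low24 & 0xFFFFFF), &s, &f) == 0)
            accepted++;
    return accepted;
}

/* The same idea applied to a stored function pointer. */
uintptr_t ptr_encode(uintptr_t p, uintptr_t cookie) { return p ^ cookie; }
uintptr_t ptr_decode(uintptr_t stored, uintptr_t cookie) { return stored ^ cookie; }

int main(void)
{
    const uint32_t key = 0xA5C3F01Eu; /* constructed stand-in for a per-heap random value */
    uint16_t size;
    uint8_t flags;

    uint32_t intact = hdr_encode(0x0040, 0x01, key);
    printf("intact header:      %s\n",
           hdr_decode(intact, key, &size, &flags) == 0 ? "accepted" : "rejected");

    /* An overflow replaces the stored word with a plain, unencoded header. */
    uint32_t overwritten = hdr_pack(0x0800, 0x00);
    printf("overwritten header: %s\n",
           hdr_decode(overwritten, key, &size, &flags) == 0 ? "accepted" : "rejected");
    printf("keys accepting it:  %d of 256\n", blind_write_accepted(overwritten, key));
    return 0;
}
```

The 1-in-256 figure is a property of this model's 8-bit check only.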

Tom Ptacek even comments on the lack of advanced security features in OSX here.

What does this mean? In order for attacks to continue in the same way there will have to be some MAJOR evolutions in vulnerability and exploit technology as almost all of the widespread flaws you have heard of take advantage of these methods. Blaster, Sasser, Slammer, Zotob, all those big worms have relied on either a stack or heap based overflow.

Don’t believe me? Prove me wrong. Now don’t get me wrong, you can still email executables to people and then trick them into running it…you can do that on OSX as well.

Of course this won’t do anything to calm the swell of zealots or people stuck in the belief that Microsoft hasn’t changed since 1998. It’s kinda like explaining, in-depth, that a black Ferrari is a better car than a red Honda Civic to a teenage girl. The same logic that would lead the teenage girl to say “but I like this one better because it’s red and goes with my lipstick” is the same logic a Mac zealot will use when they say “I don’t care about the facts, I KNOW OSX is more secure”. Now I can’t comment on usability or any of that jazz, that’s not my area of expertise. I’ve never had a problem setting up and running either.

The thing that really upsets me about the Mac community going off on Bill Gates is that Apple does the same exact thing. Their "we don't have security problems" commercials are the same thing as what Bill Gates said. If you want to be mad at Bill then hold Steve accountable for the same actions as well. The arrogant commercials Apple runs have done nothing but win them a lot of researchers who are breaking their systems that would not have otherwise given them a second look.

I’ll leave you with my favorite Mark Twain quote:

“It ain't what you don't know that gets you into trouble. It's what you know for sure that just ain't so.”

UPDATE: Please understand that I'm not referring to the average Mac user that just wants a safe, reliable computing experience. I'm taking exception with zealots who place those users at risk by giving them a false sense of security. OS X is pretty safe today for the average user, but the platform is definitely NOT as fundamentally secure as Vista. Microsoft only changed when users demanded better security, and it's only when the Mac community calls for similar protections that Apple will include them in products. I use my macbook on a daily basis. I write code on it, I watch movies on it, I chat with people on it. Just because I don't think highly of the security in OSX doesn't mean I am not a Mac user.

25 comments:

christian said...

David,

I am only recently a mac user (only been a few weeks since I got one) and I'm really not making any comparison here.

I don't really have any issues on whether vista or os x is more secure.

Maybe I wasn't too clear in my post, but my main point was bill's comment about breaking windows.


The point is Vista will be exposed to vulns and bugs just as XP was, and pointing out the MOBB stats was just to provide a brief history..

David Maynor said...

Bill Gates has done nothing that Steve Jobs hasn’t been doing for years, yet somehow he gets a pass. Jobs’ direction of declaring OSX doesn’t have security problems has inspired people like me to spend a lot of time researching OSX and uncovering numerous flaws.

I agree it was a bad statement, I even went to Microsoft a few years ago for their bluehat conference and warned them about a statement made about the Xbox 360 having technology that will keep them safe from pirates because it has stuff “crackers never saw before”. Things like that paint big bull’s-eyes. I stopped arguing that vendors shouldn’t be so brazen after seeing the apple marketing campaign. I figured it didn’t matter what anybody else could possibly say, Apple took the cake for most arrogant statement without basis ever.

christian said...

This is my point, I'm glad people like you took that step against Jobs' statement, especially with your apple 802.11 vuln discovery at bh last year, etc.

That is the only thing I am saying about Bill's comments, It can/will be broken, Yeah maybe they did a great job with security at vista, and certain components and types of attacks that could be exploited before, now can't.

It was just a silly comment by him, and like Jobs' did, I think Gates' comments will encourage more people to break it. It's Not like anyone has issues breaking windows anyway..

Juan Miguel Paredes said...

I think the problem may be that people who don't do security for a living have a different understanding of what a secure system is. By some standards (i.e daringfireball), my commodore 64 is the most secure system in the planet. Oh, and my TRS-80 is definitely more secure than OSX or Vista!

Projects like MOAB and MOBB and what everyone is cheering on now, MOVB are really good for the third word in the acronym. Although the methods may be offensive to some, drawing attention to bugs, especially basic ones like the MOAB guys have will ultimately result in a more secure OS.

Mike said...

Security doesn't exist in a theoretical vacuum.

The question is "is the average MacOS X user more secure than the average Windows Vista user as both use their computers normally in their day-to-day lives?"

Jonathan said...

I don't understand why you quoted the only part of the interview that you didn't address:

"Every single day, [security experts] come out with a total exploit, your [Mac] can be taken over totally."

I'll be the first to admit that Macs have security vulnerabilities. However, they arise much less frequently than "daily," and none that I know of allow "total control" of the machine.

I invite you to present evidence that the degree and frequency of Mac vulnerabilities are even remotely near what Gates claims. (Even if they are, it's still an exaggeration.) He could have easily mentioned Vista's strengths, as you did, rather than lying about the Mac's weaknesses.

The people who are up in arms about this aren't mad that Gates said, "Windows is now more secure." They're upset because the statement you quoted was a total lie.

David Maynor said...

@Jon:
I didn’t quote the whole thing because I think you missed the point of my posting. It’s not to defend or debunk his quote, although I am happy to see someone throw the same kind of FUD back at Apple that they often generate. The point of my point was to show how much more secure Vista is than OSX, which I did. What I find so funny is of the 38 comments people attempted to leave (many of which were so vile it would make you beg for a cigarette in the eye after reading them) not a single person has mentioned the fact that Vista has much more advanced anti-exploitation technology.

Robert C. said...

David,

I tend to disagree with your characterization of Apple's marketing as "misleading and deceptive."

There are proofs-of-concept, and exploitations that have been discovered, but have there been any Mac users experiencing security problems in the wild in the past three years?

I don't have to deal with viruses or anything else like that--and neither does anyone else I know who uses a Mac. That's a big deal to us. And that's what they say in the commercials. Macs don't get viruses. Not that they can't. But they don't. Where's the deception in that?

With that said, I don't want Apple painting a bullseye on OS X. I'd rather have it be my secret. Especially because (it seems to me) the biggest reason OS X doesn't have viruses is that it has a small market share.

I don't know whether Leopard will be as secure as Vista. I hope so. But I know bugs will be found in both systems eventually, and I'll be glad to be using the one that's a less profitable target.

Unknown said...

While the idea of ASLR is fairly good, it has already been proven to be not a working solution for preventing return to libc attack vectors. Your claim "Stack overflows are gone" is clearly not true, they are just inconvenienced by the ASLR, and in a 32-bit address space, they're not very hard to brute force.

See: On the effectiveness of address space layout randomization

On the issue that Vista has better security than OSX, I would still say the jury's still out. While on paper it does look better, not everything shows on paper. Time will tell.

Gates' comments however were mistaken on various accounts, and that's what I believe set off mac "fanboys". Or can you show me where the "remote take fully over" type of exploits released "every day" are located? I believe most (if not all?) "remote" exploits in MoAB required user actions, either clicking a link, or opening a file/dmg. While dangerous and bad, I don't count them as "remote take fully over" bugs.

In fact I believe that perhaps we should have a third category for exploits, not just local and remote, but also something in between those "user assisted remote exploit"? Clearly less dangerous than unassisted remote exploits, they should still be considered worse than local privilege escalation attacks.

On the copying features issue I couldn't care less. If there is a feature that clearly benefits users, why does it matter who thought about it first? I think what I care is who gets it to the market first.

-Marko

Macsandstuff said...

David

With ASLR implemented in at least one branch of BSD I wonder how much of a hassle it would be to bring it to OS X.
From my (admittedly limited) understanding of the way OS X is structured it should be feasible?
I am currently also using a dev build of Leopard, which features MACs; I have not heard of any other major security enhancements on 10.5 though.
Would you care to comment on those two points?
Thanks!

David Maynor said...

@mike
Per my post the advanced security features of Vista do indeed make the users safer than OSX users.

David Maynor said...

@Kevin
How many people that buy Macs know the difference between an exploit and a virus? I find that entire line of advertising disingenuous because most of the serious problems that have been brought to media attention (like the Blaster worm, the Sasser worm, the Slammer worm) were not caused by viruses but instead self-propagating worms that relied on exploitation of a vulnerability. The statements by Apple make it appear that the only thing a computer user needs to worry about is catching a virus while completely ignoring malware and vulnerabilities in not only the operating system but in client side applications like Safari and Mail and Quicktime. This is why I think the statements and advertisements by Apple are deceptive and misleading.

David Maynor said...

@Marko
The paper you link is an academic paper in defeating ASLR in a lab. This is important as they are defeating one anti-exploitation technology, not the layered model employed in Vista. Also the technique required a flaw in that particular ASLR implementation. What is not discussed is that often a return to libc miss will cause the application to crash and when restarted everything is loaded at a different address unlike this particular application just hanging before gracefully cleaning up after itself. Based on the way Vista does ASLR this paper does not apply.

David Maynor said...

@robert
If getting a virus was the biggest security concern or the reason for mass security problems like the Blaster worm or the Slammer worm then I would agree with you. However getting a virus is not the way computers were compromised in the well publicized outbreaks, exploiting vulnerabilities is what did it. I find their commercials deceptive and disingenuous as they make users believe that due to a lack of virus outbreaks their users are safe which is completely false.

David Maynor said...

@Oliver
Excellent question! I must start off by saying I have not seen or touched Leopard so I can not comment on anything about it. As far as ASLR being in BSD, this is one of the reasons I think Mac users should be outraged that Apple is falling very far behind in the area of security and anti-exploitation technology. To be fair OSX has a Mach kernel so porting code from open source BSD projects is not as straightforward as one would think.

Adonis said...

If I recall correctly FreeBSD has had ASLR type technology for a while (I think when they unified the buffer caches, etc work). And OS X is based on FreeBSD 5.x ... so moving it over might not be so hard, although I'm not expert in XNU/Mach/BSD either.

Finally, David, when responding to Jon's comment, _you_ were the one not understanding what he was saying. He seemed to quite well understand and basically to help you out: he was giving you a compliment "aside".

Let me explain:
Jon said: "He could have easily mentioned Vista's strengths, as you did, rather than lying about the Mac's weaknesses."

So to make it clear: Gates COULD have done what you did, which would have been a hell of a lot more convincing and definitely not a lie (assuming you told us the truth, which I double checked and you did), and certainly wouldn't have gotten anyone upset or even given them the ability to yell FUD etc. But of course Gates chose the FUD, and it's sad that it permeates even those who are smart and knowledgeable...

Cheers

PS. I hope you take this the right way and not the wrong way: improving your writing skills would greatly enhance your already capable technical skills

Adonis said...

Ah! In fact what I wrote is seconded in the MSDN link you included in your post. Glad my "RAM" hasn't gotten corrupted by malware yet :)

Anonymous said...

Jobs’ direction of declaring OSX doesn’t have security problems has inspired people like me to spend a lot of time researching OSX and uncovering numerous flaws.

Hey, the openBSD project is saying this since a lot of years. Where are the security holes you found about it?

David Maynor said...

@mr.damien
There is a difference between a project that has a constant security audit and an OS that still handles untrusted remote data with string copy functions like strcpy.

jojoleb said...

I think that Vista's security is indeed impressive. Nevertheless, over time the security barriers will be breached. The hackers will always rise to the occasion.

But the INTRINSIC SECURITY of the operating system is only a small part of the story. With barely 6% of the market and far less than that in the business world, an OSX laden system is not an attractive target.

If you parked two old VW Bugs at the mall--one with a penny under the front seat and one stuffed to the gills with millions of $100 bills--which one is more likely to get broken into? Viruses/trojan horses/spyware developers etc. are more interested in where the money is. Right now, the best bang for the buck is to hack into the microsoft product.

Even with the doors relatively wide open, OSX is less attractive... Apple can stay less vigilant so long as they own less of the market share. Conversely, Microsoft due to its sheer success and huge market share will have to keep ahead of the hackers.

Gates' arrogance, however, is that he seems to deny that Vista is the OS with the target painted on it. A fact that will make it less secure in the end. Oddly, as the Microsoft's OS becomes more secure, my guess is that more and more users will rely on the OS specific security--the consistent features that are the target for the hacks. This should keep those third party anti-virus/spyware vendors in business for a good long time...

Finally, as pointed out many, many times before the most vulnerable component in the equation is between the seat and the keyboard. Whatever the OS, users need to be savvy about not accepting that cookie or not downloading that file.

I DO agree with you, however, that Apple Inc.'s hubris is rotten to the core. As a recent iMac purchaser I've opted to buy viral/spyware protection for BOTH the OSX and Windows sides. I am certain that should the Apple gain popularity, someone will take the opportunity to jump OSX's low fence.

Paul Gorski said...

Vista is susceptible to stack overflows, despite ASLR. A Vista stack overflow exploit has already been documented.

http://www.determina.com/security.research/vulnerabilities/ani-header.html

http://www.sysdream.com/articles/Stack%20overflow%20on%20Windows%20Vista.pdf

http://www.cisco.com/en/US/products/sw/secursw/ps5057/prod_bulletin0900aecd80622554.html

The Month of Apple Bugs was interesting, but most of the bugs were insignificant. The recent Quicktime exploit that affected not only Macs but XP and Vista should have been the wake up call to Apple, as it ports Quicktime, iTunes, and now Safari to other platforms; Apple needs to bullet proof these cross-platform apps.

Tonio said...

Speaking as a long-time Mac fan -- well said. Mac OS X needs a kick in the butt over stack overflows and other issues.

Unknown said...

I'm sorry but this is a situation of "Apple and Oranges" when talking about security. Microsoft has finally done more to address service exploits to stop the types of worms that replicated without any interaction with the user. Apple does continue to ignore (or even worse belittle) security researchers much like Sun Microsystems used to.

But Vista still has a bigger problem than Mac in terms of the applications the user does end up being an active participant in running.

UAC is implemented in a way that encourages the user to turn it off. Even worse, rather than provide a consistent message to developers to create apps that avoid generating UAC events, they encourage developers to run as full administrator to get the full functionality of MS Visual Studio. Then there is problem of misrepresentation where "green" UAC dialogs indicating an official Microsoft application for the helper application to run third-party legacy control panels.

Then there is the "Trusted Path" of programs whose activities are not auditable. This feature seems to be mostly created for media players and media similar to Real Jukebox, the XCP player provided by Sony BMG and Zango video license code. The programs that have a history of anti-privacy behavior seem to be the type that will get the highest privileges in Vista.

Even after installing Flip4Mac to playback WMV files in QuickTime, Mac still does not appear to be vulnerable to Zango style methods of installing malware. Can the same be said of Vista?

Unknown said...

So, if Windows Vista is more secure than Mac OS X, do you run it without any kind of anti-virus?

Because I don't know of anyone who's running Mac OS X with an anti-virus. Call that a false sense of security, it might well be, but the reality is that I've never seen a virus on a Mac in the past decade. Can't say that for Windows. Your theoretical stance on security just doesn't match everyday life practice.

HWgeek said...

I have been using Macs since System 6 days, and Windows since 2.0 mainly as a user, some programming, and invariably having to deal with using both OS's and their idiosyncrasies.
OS X - I don't run any spyware, malware, or anti-virus software. I did for a while on OS8/9 due to some viruses being out and about. I never open unknown attachments (I also almost never get any to begin with, that's what filtering is for etc) and recently ran some anti-virus software for the mac (ClamXav) and didn't find any viruses. Doesn't mean we don't have any, it just means none were detected. Machine is fresh out of the box, no real add-ons or modifications. Pretty easy.

Vista - bought a new Dell for work, came with Vista Home Basic. If this is what people have to look forward to as their GUI computer experience, I truly pity them. The default security is so stringent as to be ridiculous to use. Sure it's secure, so is asking someone if you can breathe, walk and talk. And sure you can turn off certain security features, thereby making it less secure.
We quickly reformatted and installed XP. The whole Vista thing was just plain bad. From relayout of the OS to placement of everything, to trying to network.

From a user "experience" XP/2000 were good and friendly, OS X is hands down easier. From a security viewpoint, Vista may start out more secure but most average users are going to be turning it off. It's a pain and gets in the way.
With XP, yes you dealt with having spyware programs, anti-viral programs etc, but the overall usage was reasonable. Vista does a bad trade off of security vs usability.