One of the bloggers on ZDNet interviewed Charlie Miller, the bloke who nailed Mac OS X through Safari in seconds at the recent Pwn2Own contest. One of the questions asked is pretty interesting and nicely sums up the OS security situation over the last 3 or 4 years, though of course you wouldn't know it from reading the press or from Apple's PR department.
Why Safari? Why didn't you go after IE or [Firefox]?
It's really simple. Safari on the Mac is easier to exploit. The things that Windows do to make it harder (for an exploit to work), Macs don't do. Hacking into Macs is so much easier. You don't have to jump through hoops and deal with all the anti-exploit mitigations you'd find in Windows.
It's more about the operating system than the (target) program. Firefox on Mac is pretty easy too. The underlying OS doesn't have anti-exploit stuff built into it.
With my Safari exploit, I put the code into a process and I know exactly where it's going to be. There's no randomization. I know when I jump there, the code is there and I can execute it there. On Windows, the code might show up but I don't know where it is. Even if I get to the code, it's not executable. Those are two hurdles that Macs don't have.
It's clear that all three browsers (Safari, IE and Firefox) have bugs. Code execution holes everywhere. But that's only half the equation. The other half is exploiting it. There's almost no hurdle to jump through on Mac OS X.
Nice to see him mention how annoying Address Space Layout Randomisation (ASLR, introduced with Windows Vista) is: it randomises where applications sit in memory upon boot, so an attacker cannot know the address of any executable code they have managed to get into memory. He also mentions the No-Execute bit (NX, introduced with Windows XP SP2), which marks segments of memory as non-executable, preventing any code that could be inserted through, say, a buffer overrun from being executed from those areas.
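Those two mitigations are exactly what a defender checks a binary for before trusting it on a box. As an added example that is not part of the original post, here is a small Python checker in the spirit of tools like checksec: it parses an ELF (Linux) header and reports whether the image is position-independent (ET_DYN, so ASLR can relocate it) and whether its stack is marked non-executable (a PT_GNU_STACK entry without PF_X). The same questions apply to Windows PE and Mac Mach-O images, but this script only handles ELF; the layout constants are the standard ones, and the two sample images it tests against are constructed inline and are not loadable programs.

```python
"""Report whether an ELF binary opts into ASLR (PIE) and a non-executable stack."""
import struct
import sys

ET_EXEC, ET_DYN = 2, 3          # e_type: fixed-address executable vs relocatable image
PT_GNU_STACK = 0x6474E551       # program header that records the stack's permissions
PF_X, PF_W, PF_R = 1, 2, 4      # segment permission bits


def check_mitigations(data: bytes) -> dict:
    """Parse an ELF32/ELF64 image and return its mitigation status."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    endian = "<" if data[5] == 1 else ">"   # EI_DATA: 1 = little-endian, 2 = big-endian
    is64 = data[4] == 2                       # EI_CLASS: 2 = ELF64, 1 = ELF32
    if is64:
        hdr_fmt, phdr_fmt = "16sHHIQQQIHHHHHH", "IIQQQQQQ"
    elif data[4] == 1:
        hdr_fmt, phdr_fmt = "16sHHIIIIIHHHHHH", "IIIIIIII"
    else:
        raise ValueError("unknown ELF class")
    hdr = struct.unpack_from(endian + hdr_fmt, data, 0)
    e_type, e_phoff, e_phentsize, e_phnum = hdr[1], hdr[5], hdr[9], hdr[10]

    stack_flags = None
    for i in range(e_phnum):
        ph = struct.unpack_from(endian + phdr_fmt, data, e_phoff + i * e_phentsize)
        # p_flags is the second field of an ELF64 phdr but the seventh of an ELF32 one
        p_type, p_flags = ph[0], (ph[1] if is64 else ph[6])
        if p_type == PT_GNU_STACK:
            stack_flags = p_flags
            break

    return {
        # ET_DYN lets the loader place the image anywhere, so ASLR applies.
        # (A shared library also reports ET_DYN; that is fine for this check.)
        "pie": e_type == ET_DYN,
        "stack_header_present": stack_flags is not None,
        # On x86 Linux a missing PT_GNU_STACK has historically meant an executable
        # stack, so an absent header is counted as "no NX".
        "nx_stack": stack_flags is not None and not (stack_flags & PF_X),
    }


def build_sample_elf64(e_type: int, stack_flags: int) -> bytes:
    """Constructed minimal x86-64 ELF64 image: a header plus one PT_GNU_STACK entry.
    Just enough structure for the check above; it is not a runnable program."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # 64-bit, little-endian, v1
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", ident, e_type, 0x3E, 1,
                       0, 64, 0, 0, 64, 56, 1, 64, 0, 0)  # phdr table at offset 64
    phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    return ehdr + phdr


# Constructed samples: one built the way a hardened toolchain would, one without either mitigation.
HARDENED_SAMPLE = build_sample_elf64(ET_DYN, PF_R | PF_W)
WEAK_SAMPLE = build_sample_elf64(ET_EXEC, PF_R | PF_W | PF_X)

if __name__ == "__main__":
    if len(sys.argv) > 1:                       # check a real binary from disk
        with open(sys.argv[1], "rb") as f:
            print(sys.argv[1], check_mitigations(f.read()))
    else:                                       # fall back to the constructed images
        print("hardened:", check_mitigations(HARDENED_SAMPLE))
        print("weak:    ", check_mitigations(WEAK_SAMPLE))
```

Run it with a path to any ELF executable to see whether that binary was built with PIE and a non-executable stack; without an argument it reports on the two constructed samples. Note that PIE only tells you the binary can be relocated; whether the OS actually randomises it is a separate, system-wide setting.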
One of the comments asks:
Miller talks a lot about memory randomization but not much about ACL and the UNIX permissions structure. He was able to know where his exploit was in memory and access it, but was he able to do anything at the system level without throwing up a credentials dialog?
No, the goal was simply to get at user data, not to run with administrative rights. To elevate, one would follow up by exploiting another vulnerability that leads to privilege escalation, of which there are far more on Unix-based systems than on Windows.
Hopefully people will start to realise how insecure Mac OS X actually is, although judging by the sort of headlines the press used to cover this you would never know it; the worst of them said "IE8 released and hacked" without even mentioning how fast Safari went down, or that the build of IE8 used was a beta build 4 months old.