Macs are easy to hack: researcher

"Macs are as easy to hack as they are to use", according to researcher Charles Miller.

Miller and his colleagues at Independent Security Evaluators discovered the first known vulnerability within the Apple iPhone.

During his presentation, "Hacking Leopard: Tools and techniques for attacking the newest Mac OS X, at the recent Black Hat Briefings, Miller said that for some reason the Mac OS has over 50-plus suid root programs.

Suid stands for "set user ID" and is used to temporarily elevate privileges to perform a specific task such as running executables.

Given the root access provided by these tools, they provide at least one vector for attack.

Another vector is Safari, which when opened, also opens several applications including: Address Book, Finder, iChat, Script Editor, iTunes, Dictionary, Help Viewer, iCal, Keynote, Mail, iPhoto, QuickTime Player, Sherlock, Terminal, BOMArchiveHelper, Preview and DiskImageMounter.

A flaw in any one of these could be easily exploited over the Web. That's because Apple's operating system doesn't randomise the location of the stack, the heap, the binary image or the dynamic libraries, meaning an attacker would know where in memory these applications are loaded on almost every machine running Mac OS X.

Open source is yet another vector for new attacks on Apple Macs.

Miller said that on July 31 Apple did update its version of Samba -- but for the first time in two and half years, and the latest version still fell short of the current open-source version.

Miller said his formula for finding a zero-day flaw on a Mac is this: "Find an open-source package that they use that's out of date--there's, like I said, plenty of those."

He then suggested reading through the change log for the current version of any of the above open-source software to find a useable bug that's been fixed in the newer version but still vulnerable to Mac OS X users.

Miller said by doing this, "you won't have to worry about static analysis or fuzzing or any of that stuff".

Several attempts to contact Apple for comment on this story went unanswered.

• Related stories

• Alerts

Add your opinion

Oh Really? Anonymous -- 14/08/07

Clearly the plethora of hacked Macs that we here about in the news every day confirm Mr Millers assertions.

• Reply to comment
• Reply to story
• Report offensive content

yes. really Paul -- 14/08/07 (in reply to #320084345)

Microsoft users still far out number Mac users. Thats the only reason why we always hear about microsoft flaws. I've been working as a security consultant for an Australian University for the past 4 years. In that time it has been my primary objective to ascertain potential security flaws related to day to day operations in the research departments. The number of times i've had to deliver a solution for a Microsoft PC far outweigh those, for Macs. However it is generally those few security flaws in the Mac systems which generate the most potential for security breaches. Just because you still believe Macs are perfect, it doesn't mean they are. Just like the Easter bunny isn't real no matter how hard my kid believes it is...Oh wait you probably still believe in the Easter bunny, don't you. And if you don't believe me still, go ask that kid carrying around the portable class 4 laser system he "borrowed" after obtaining the security codes from his professors Mac. He'll show you how dangerous it is to live in a dream world.

We actually recovered the laser shortly after it was "borrowed", the kid wasn't that bright and went bragging about stealing it to his friends.

• Reply to comment
• Report offensive content

Mac users will be the death of us all Anonymous -- 15/08/07 (in reply to #320084360)

You've all seen them, in our classrooms, hallways, offices and even at home. Yes, I'm talking about the mac user, the one with that stained white piece of rubbish called an "iBook" or that over sized monitor. They're always looking for some "magical" kind of ram and asking rubbish questions like, "Is this ram compatible with my mac?". It's time mac users started learning to use real computers and not some giant toy with over sized buttons - so you just can't miss no matter now drunk you are.

• Reply to comment
• Report offensive content

Predictable Mac User Response. Wilbert -- 15/08/07 (in reply to #320084369)

I don't wish to boast, but I did predict Apple Fanboy's comment

www.iWilbert.com/g/59

(Okay, maybe I do want to boast)

• Reply to comment
• Report offensive content

We're not all the same Apple Convert -- 17/10/07 (in reply to #320084369)

I'm a proper nerd (comp.sys.eng/comp.sci double degree and all) and I use an Apple. I switched because I was jack of M$ crapware. I went Linux for about a year, loved the stability but hated the lack of polish and amount of setup required.

The next logical step was OSX. I got Unix stability and efficiency, with twice as much polish as I got from Windows and I haven't looked back.

P.S. My inner nerd also thinks the NextStep microkernel is a better way to go in the long term than say the Linux kernel because of the trend towards highly parallel processing demands on OS's these days.

P.P.S. Apples are real computers. They run on electricity and everything.

• Reply to comment
• Report offensive content

Windows - Y. B. Baitedbywindowsusers -- 24/10/07

Continually, windows users slag macs (and vice versa), but never actually come up with valid arguments. When asked why Macs were so bad, a mate of mine replied 'because'. i wanted clarification and again asked 'why'
and he replied 'they just are'. From that response i was convinced that macs were bad (not!).
i dont think i have EVER heard a PC user ask if RAM (or anything else for that matter) would be compatible for their computer... EVER!
who really cares what operating system someone uses - OSX IS superior to windows (and i use both for work). mac shortcuts are STUPID, but then so too are a lot of computer users.

• Reply to comment
• Reply to story
• Report offensive content

• Just In

• Most Popular

• Most Discussed

Reader Services

Popular Topics

Essentials