A notorious Mac white hacker has put the latest iterations of client operating systems from both Apple and Microsoft in the balance and, after weighing, found the most recent cat from Cupertino inferior in terms of security compared to the rival from Redmond. Charlie Miller, of Baltimore-based Independent Security Evaluators, who managed to hack Mac OS X Leopard in record time in the past, indicated that the security Apple built into Snow Leopard is inferior not only to Windows 7, but also to Windows Vista, a three-year old operating system released at the end of January 2007. Miller’s statement contradicts the general perception that Mac OS X is superior in terms of security compared to Windows, and the security researcher should know, since he hacked Apple’s operating systems on more than one occasion.
Charlie Miller is best known for its Mac OS X hacks in the past two years, which have generated headlines around the world. Back in March 2008, the team of Miller, Jake Honoroff, and Mark Daniel from Independent Security Evaluators successfully "pwned and owned" an Apple MacBook Air, in a hacking contest sponsored by TippingPoint's Zero Day Initiative. At that time, Mac OS X was the first to fall, ahead of Vista SP1 Ultimate and Ubuntu in the Pwn2Own contest from CanSecWest. But Miller wasn’t done. In mid-March 2009, he hacked Mac OS X in just 10 seconds in the same Pwn2Own CanSecWest hacking competition.
The difference Miller argues, according to TechWorld, is made by Address Space Layout Randomization (ASLR), a feature underdeveloped in Snow Leopard. “ASLR moves images into random locations when a system boots and thus makes it harder for shell code to operate successfully. For a component to support ASLR, all components that it loads must also support ASLR. For example, if A.EXE consumes B.DLL and C.DLL, all three must support ASLR. By default, Windows Vista will randomize system DLLs and EXEs, but DLLs and EXEs created by ISVs must opt in to support ASLR,” Microsoft reveals, and the same is valid not just for Vista, but also for Windows.
The security researcher indicated that Apple failed to introduce a fully fledged and fully functional, for that matter, ASLR in Snow Leopard. The largest problem related to ASLR according to Miller was the fact that Apple did nothing to improve the technology from Leopard to Snow Leopard. The latest versions of Mac OS X feature an ASLR that continues to ignore key components of the platform when it comes to randomization. Miller pointed out that the Snow Leopard ASLR fails to randomize the heap, the stack and the dynamic linker, delivering a wider attack surface than the ASLR in Windows Vista or in Windows 7.
"I hoped Snow Leopard would do full ASLR, but it doesn't," Miller stated. "I don't understand why they didn't. But Apple missed an opportunity with Snow Leopard. The security researcher revealed that while there are security enhancements in Snow Leopard, related to QuickTime and Data Execution Prevention, ASLR is the key factor that still makes Vista and Windows 7 more secure.
“Snow Leopard's more secure than Leopard, but it's not as secure as Vista or Windows 7. When Apple has both [in place], that's when I'll stop complaining about Apple's security," Miller added. “It's harder to write exploits for Windows than the Mac, but all you see are Windows exploits. That's because if [attackers] can hit 90% of the machines out there, that's all [they’ll] do. It's not worth [them] nearly doubling [their] work just to get that last 10%."
Still, Snow Leopard continues to benefit from the perception of Mac OS X being more secure than Windows. Primarily, this is related to the security-through-obscurity model, which implies that Apple’s small share of the OS market makes its platform less attractive to attackers. "I still think you're pretty safe [on a Mac]," Miller noted. "I wouldn't recommend antivirus on the Mac. ASLR and DEP are very important. I just don't understand why they didn't do ASLR right."
Windows 7 RTM Enterprise 90-Day Evaluation is available for download here.