Apple has released the newest version of its OS X operating system, dubbed Lion, and it includes a batch of new security protections that bring it up to the level of Windows and Internet Explorer. The most significant additions, experts say, are the full implementation of ASLR and a sandbox, which together make it much more difficult for attackers to exploit browser bugs via a drive-by download to install malware on a victim’s machine.
Drive-by download attacks have been a popular and effective attack vector for a wide variety of phishing crews, cybercrime gangs and others for several years. As most Web users spend their online lives in the browser, it can be the most effective way to compromise a large number of people if you have an exploit for a bug in a popular browser. The major browser vendors have been adding exploit mitigations and other protections in recent versions, but researchers have said that Safari, in particular, has not been up to the levels of security provided by IE, Firefox and Chrome.
Apple is attempting to fix that in Lion by finally putting in a full version of ASLR (address space layout randomization), which makes it harder for attackers to run code on a machine by placing objects in random spots in memory.
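The difference between the library-only randomization Lion replaces and the full randomization it introduces is something a practitioner can check on a host rather than take on faith. The script below is an added example, not code from the article or from Apple: it launches a few fresh interpreter processes, records in each the address of a C-library function, a buffer allocated at run time, and the interpreter image, and reports which of those regions actually move between launches. The region labels and the probe itself are constructed for this illustration.

```python
"""Added example (not from the article): spot-check which memory regions move
between process launches, i.e. how complete ASLR is on the current host."""
import json
import subprocess
import sys

# Probe source run in a brand-new interpreter so each launch gets a fresh layout.
# The three region names are constructed labels for this example, not OS terms.
PROBE = r"""
import ctypes, json
libc = ctypes.CDLL(None)                    # the process's own C library
buf = ctypes.create_string_buffer(64)       # buffer allocated at run time
print(json.dumps({
    "shared_library": ctypes.cast(libc.printf, ctypes.c_void_p).value,
    "runtime_buffer": ctypes.addressof(buf),
    "interpreter_image": ctypes.cast(ctypes.pythonapi.Py_IsInitialized,
                                     ctypes.c_void_p).value,
}))
"""


def sample_layouts(runs=5):
    """Launch `runs` fresh processes; return one {region: address} dict per run."""
    layouts = []
    for _ in range(runs):
        out = subprocess.run([sys.executable, "-c", PROBE],
                             capture_output=True, text=True, check=True).stdout
        layouts.append(json.loads(out))
    return layouts


def randomized_regions(layouts):
    """Map each region to True when its address differed across the sampled runs."""
    regions = layouts[0].keys()
    return {r: len({layout[r] for layout in layouts}) > 1 for r in regions}


def classify(flags):
    """'full' when every region moves, 'partial' when only some do, else 'none'.

    A 'partial' verdict in which only the shared library moves is the
    library-only layout the article describes for OS X before Lion: one
    fixed region is enough to reuse code from, so the mitigation is hollow.
    """
    moving = [region for region, moved in flags.items() if moved]
    if len(moving) == len(flags):
        return "full"
    if moving:
        return "partial"
    return "none"


if __name__ == "__main__":
    flags = randomized_regions(sample_layouts())
    for region, moved in flags.items():
        print(f"{region:18} {'randomized' if moved else 'FIXED'}")
    print("ASLR coverage:", classify(flags))
```

Sample several launches rather than one: a single run can never show movement, and with five or more runs a region that still reports the same address is, for practical purposes, not randomized. The probe relies on `ctypes.CDLL(None)` resolving the process's own C library, which holds on macOS and Linux but not on Windows.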
“OS X has always had this goofy ASLR implementation where they randomized the libraries but not anything else, and you could still play the games and reuse code as long as there was one thing that wasn’t randomized,” said Charlie Miller, principal research consultant at Accuvant, who does a lot of OS X security research. “In Lion it seems like everything is randomized and no code is loaded at a predictable address. They made it much harder to exploit things. You probably need two bugs now, one for code execution and one for information disclosure.”
Miller added that it’s also more difficult to find information disclosure bugs because they can’t be found with a fuzzer. In addition to the improved ASLR implementation, Lion also includes a sandbox that prevents applications from being able to make changes to a machine or take other actions they shouldn’t be able to take. In the case of Safari, Apple has taken the step of putting Webkit in a separate process.
“Webkit lives in a second process, so what will happen is if you get one bug and exploit that gets around ASLR, you end up in that second process,” Miller said. “That process is sandboxed, so you can only read and write in certain places. You can’t do the things you want to do, like install malware. You need two to three bugs now where before you only needed one. To get from malicious site to installing malware is way, way harder.”
Apple also has added a couple of more visible security and privacy features to OS X Lion, most notably FileVault 2, which now encrypts the entire disk using 128-bit AES. The tool can also encrypt USB and FireWire drives and has a feature called Instant Wipe that will immediately erase the encryption key from the hard drive and then erase the entire drive.
One other significant change is that Lion does not install Adobe Flash or Java by default.
Overall, Miller said, with Lion, Apple has raised its security game to the point where OS X is no longer the 98-pound weakling on the beach.
“It’s always been the easiest to exploit and now it’s to the point that it’s not that easy anymore,” he said. “OS X has always been way behind on security, but now it’s more or less comparable [to Windows]. Once you have ASLR and DEP and some sandboxing, that’s all anyone has.”