Ancient flaws leave OS X vulnerable?

Dave G. | January 27th, 2006 | Filed Under: Defenses

ZDNet has an article about Mac OS X being insecure due to ancient vulnerabilities. I am not sure whether they mean legacy vulnerabilities inherited from BSD/NeXT, or just vulnerability classes from a lost age. Maybe both. The article also predicts that Apple will go through some rough times, and states that they aren’t the best company to work with as a vulnerability researcher.

As far as vulnerabilities go, I definitely think that OS X is still fairly early on its vulnerability curve. I suspect that after an initial shakeout of legacy vulnerabilities inherited from its predecessors, the real problems OS X will face will come from newer code written by OS 9 developers (both at Apple and at third-party vendors). No one really thought about security on OS 9, so even dealing with file permissions can be a new experience for those developers. When I was doing vulnerability research on OS X, I was partial to looking at setuid binaries that had spaces or capital letters in the filename, since nobody from the Unix tradition names a binary that way. Pristine, unaudited code.
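The setuid hunt described above, as an added example that is not part of the original post and not Apple's code: a portable POSIX sh script that lists setuid files under a root and keeps only those whose basename contains a space or an uppercase letter. The function names and the throw-away sample tree it builds are my own constructions so the script runs offline; on a real box you would call `find_odd_setuid /` instead.

```shell
#!/bin/sh
# Added example, not from the original post: hunt for setuid binaries whose
# filenames look like they came out of an OS 9 / Carbon-era build (spaces,
# capital letters) rather than the Unix tradition. Those are the unaudited ones.
export LC_ALL=C   # keep [A-Z] meaning ASCII uppercase regardless of locale

# Print every regular file under $1 that has the setuid bit set.
list_setuid() {
    find "$1" -type f -perm -4000 2>/dev/null
}

# Keep only paths whose basename contains a space or an uppercase ASCII letter.
# (Paths containing newlines would confuse the read loop; rare, but note it.)
odd_names() {
    while IFS= read -r path; do
        base=${path##*/}
        case $base in
            *" "*|*[A-Z]*) printf '%s\n' "$path" ;;
        esac
    done
}

# Setuid files with suspicious names under a root directory.
find_odd_setuid() {
    list_setuid "$1" | odd_names
}

# Count the hits for a root (handy for a quick self-check or a cron diff).
count_odd_setuid() {
    find_odd_setuid "$1" | wc -l | tr -d ' '
}

# Constructed sample tree so the script can be exercised without touching the
# real filesystem. Assumption: we may set the setuid bit on our own files.
make_sample_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/bin" "$root/Applications/Some App.app/Contents/MacOS"
    : > "$root/bin/ping"                                            # Unix-style name, setuid
    : > "$root/bin/Quit Helper"                                     # space in name, setuid
    : > "$root/Applications/Some App.app/Contents/MacOS/PrivHelper" # capitals, setuid
    : > "$root/bin/notsuid"                                         # odd-free, not setuid
    chmod 4755 "$root/bin/ping" "$root/bin/Quit Helper" \
               "$root/Applications/Some App.app/Contents/MacOS/PrivHelper"
    chmod 755 "$root/bin/notsuid"
    printf '%s\n' "$root"
}

# Usage on a live system:
#   find_odd_setuid /
```

Only the basename is tested, so an application bundle directory with a space in its name does not by itself flag every plain Unix binary inside it; the filter is aimed at the binary's own name, which is what the original observation was about.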

Let's also take a moment to say what Apple does well.

  1. Limited attack surface. Early on, they kept the number of services listening on the desktop to a minimum. Learned from everyone else’s mistakes.
  2. Built-in firewall. Barely necessary thanks to #1. While it didn’t always set up rules the way I liked, it was forward thinking.
  3. Pinched open-source code. This doesn’t always work out well for a vendor, but for the most part they borrowed code that had already been audited by many, many people.
  4. Replaced sendmail with postfix. Not as big a deal as it used to be, but it continues to show security playing a role in decision making.

When it comes to reporting vulnerabilities to Apple, I would like to think that I have some experience working with them. I think they are pretty middle of the road when it comes to interacting with security researchers. They aren’t particularly fast, and they could communicate a little more frequently, but things usually get fixed in a reasonable timeframe for an OS vendor. Of course, everyone’s experiences dealing with vendors on security vulnerabilities are different. Sometimes it has to do with the communication style of the researcher; other times the vendor is ignorant or even malicious.

2 Comments so far

  • Anonymous

    January 27th, 2006 7:02 pm

    and of course, because some of the vulns they find in osx are so braindead, you get lots of people reporting the same one at the same time, which may give the impression that Apple is slow when really they just aren’t the primary point of contact for the new vuln.

  • Adam

    January 29th, 2006 10:17 am

    Someone (I forget who, or I’d credit them) suggested to me that there’s a lot of problems with the “default chatty” bits such as Rendezvous/Bonjour, and how they process responses.
