Severe holes in Mac OS X Memory

March 23, 2009 Software Review

Dina Dai Zovi, an independent security professional in the financial services industry, demonstrated at a conference mac how to defeat Mac OS X by gaining access to its root memory. A few lines of arbitrary code will enable any attacker to take over a computer, establish a TCP connection and download additional malicious code.

Dai Zovi said the Mac OS X operating system lacks sufficient memory corruption defence features built into its internal coding. Apple’s growing market share is gaining attention in the hacking community. Today experts estimate about 9.6% of Web browsers run on Mac OS X.

His methods target Mac OS X’s heap memory, which is used to store memory allocated to applications running the operating system. It also uses Leopard’s weak library randomization, which leaves the heap allocated memory executable.

Mac OS X uses scalable zone heap security and can be bypassed by hackers. The techniques he demonstrated enable an attacker to execute 12 bytes of arbitrary code, which is enough to deliver a malicious payload and break into critical system files.

He also criticized Apple for not equipping Mac OS X with the GNU Compiler Collection (GCC) stack protector, currently a standard feature in most operating systems that protects running applications from stack-based buffer overflows. Mac OS X supports GCC protection, but the current version doesn’t use it, he said.

There is still good news for Mac users. Version 10.6 is due out later this year, is expected to be a security and stability update to Leopard. It contains a 64-bit kernel and more 64-bit processes make is extremely difficult for hackers to crack.