Sep 24, 2015 By Andrey Zhuk In Blog

Insights from Black Hat and DEFCON 2015. Apple OS X: False Sense of Security for the Desktop.


Original August 26th blog:

Have you ever wondered why Microsoft releases updates to its Windows operating system every week, while Apple releases updates for OS X only a couple of times a year? Many people, particularly Apple users, will say it’s because OS X is a superior and more secure operating system.

Although I am a MacBook Pro user running OS X 10.10.5, I know this isn’t true. In fact, many of Apple’s security vulnerabilities were topics of discussion at the recent Black Hat and DEFCON conferences. I would argue that the real reason OS X gets fewer updates than Windows is not because OS X is more secure but because Apple can get away with it.

The harsh reality is that Apple products, and especially OS X, are susceptible to infection like everyone else’s. Moreover, Apple has not been as responsive, or as accurate in its responses, as have other PC vendors to industry-wide notifications of vulnerabilities. Consequently, Mac users have been left vulnerable to attacks that were fixed on other x86-based PCs. Below is a recap of the biggies.

The rootpipe vulnerability

The rootpipe vulnerability is a backdoor that allows an attacker to create any file anywhere on the Mac as the root user. A fix was made available only for Yosemite 10.10.3; every other OS X version is left vulnerable. While this is a local privilege escalation vulnerability, there are many scenarios where it can be used in more nefarious ways. The researcher who found the vulnerability wrote the following regarding this issue: “Apple indicated that this issue required a substantial amount of changes on their side, and that they will not back port the fix to 10.9.x and older.”

So essentially, Apple refuses to patch this in all versions except the latest one because it is too much work. There is no official statement from Apple regarding the end of life (EOL) status of any previous OS X version, so this course of action is quite strange. It is even stranger given that Apple backports some security patches to those older versions, making them implicitly supported.

Speed Racer CERT VU #766164

Speed Racer is a vulnerability that exploits a hardware race condition in the interaction between the CPU and the flash programming hardware. The vulnerability could be used to bypass UEFI Secure Boot. It could also be used to corrupt the platform firmware and render the system inoperable. Impacted systems include MacMini 7,1, MacBook Pro Retina 10,1, MacBook Pro 8,2, MacBook Air 5,1, Late 2013 Mac Pro and MacBook Pro 9,1, all running the latest UEFI firmware available. Apple claims that its systems are not affected by this vulnerability.

Darth Venamis CERT VU #976132

This vulnerability is the basis for the Thunderstrike 2 firmware worm presented at this year’s Black Hat conference. A successful attack gives the attacker root-level access to a computer and the ability to quietly move about the victim’s machine. Despite the vulnerability being publicly disclosed in December 2014, Apple only released a partial fix on June 30th, 2015.

This is just a small sample of vulnerabilities that were “under-patched” by Apple. There are many others, most of which, to Apple’s credit, were remediated:

  • XSLCmd – provides reverse shell, keylogging, and screen capture
  • iWorm – creates a ‘standard’ backdoor, providing survey, download/execute, etc.
  • WireLurker – malicious code that uses USB to “trojanize” OS X and iOS applications
  • Crisis (RCS-Mac) – rootkit that creates a backdoor for collection of all OS X contents

Overall, in the last five years, more than 50 new OS X malware families have emerged. According to Kaspersky Labs, in 2014 alone there were nearly 1,000 unique attacks on Macs based on 25 major malware families.

All vendors have vulnerabilities in their products. Some vendors are very good about patching public vulnerabilities and auditing for non-public bugs. Apple is not. Apple leaves its customers vulnerable to already-public issues for long periods of time. Somehow, Apple is able to get away with reporting that its products are not vulnerable when, in fact, they are. Apple is susceptible to malware like everyone else. Yes, using a Mac is a good way to avoid the statistical majority of basic crimeware. However, using a Mac will not protect you from even moderately sophisticated adversaries.

Stay tuned for more security news from our ongoing blog series, “Insights from Black Hat and DEFCON 2015.”

UPDATE Sept 24th (Jean-Paul): Since Andrey’s blog, a couple of high-profile new problems in Apple’s ecosystem have popped up. Instead of a new blog, I am adding them to this one.

Malicious code in the Apple App Store

Widely reported, so not a breaking story, but Apple’s iPhone App Store has around 4000 apps that were developed with a hacked version of Xcode, the basis for iOS apps. All so far were Chinese-developed apps. Apple pulled 39 of the known corrupted applications from its App Store a few days later. The three highest-profile apps are WeChat (600 million users), Didi Travel (Chinese version of Uber) and CamCard (business card scanner app). You can find a list of the first 39 known applications on Google Docs here.

iOS 9 passcode bypass

A flaw in the iOS 9 code allows someone who gets physical access to an iPhone to access contacts and photos even if the phone is locked with a passcode. While this is not full access to the phone like Android’s recent blooper, it’s still a significant issue. As noted in the article, this isn’t the first time iPhones have had this issue, although the last time it allowed the bad actor to send messages and make phone calls. No word that I’ve seen on Apple’s fix yet.