Hacking a Mac 'just works', says researcher

Macs are as easy to hack as they are to use, according to security researcher Charles Miller.

Miller and his colleagues at Independent Security Evaluators discovered the first known vulnerability within the Apple iPhone.

During his presentation, 'Hacking Leopard: Tools and techniques for attacking the newest Mac OS X', at the recent Black Hat Briefings, Miller said that for some reason the Mac OS has more than 50-plus 'Suid' root programs.

Security from A to Z

Click on the links below to find out more...

A is for Antivirus
B is for Botnets
C is for CMA
D is for DDoS
E is for Extradition
F is for Federated identity
G is for Google
H is for Hackers
I is for IM
J is for Jaschan (Sven)
K is for Kids
L is for Love Bug
M is for Microsoft
N is for Neologisms
O is for Orange
P is for Passwords
Q is for Questions
R is for Rootkits
S is for Spyware
T is for Two-factor authentication
U is for USB sticks/devices
V is for Virus variants
W is for Wi-fi
X is for OS X
Y is for You
Z is for Zero-day

Suid stands for "set user ID" and is used to temporarily elevate privileges to perform a specific task such as running executables.

Given the root access provided by these tools, they provide at least one vector for attack.

Another vector is Safari, which when opened also opens several applications including: Address Book, BOMArchiveHelper, Dictionary, DiskImageMounter, Finder, Help Viewer, iCal, iChat, iPhoto, iTunes, Keynote, Mail, Preview, QuickTime Player, Script Editor, Sherlock and Terminal.

A flaw in any one of these could be easily exploited over the web. That's because Apple's operating system doesn't randomise the location of the stack, the heap, the binary image or the dynamic libraries, meaning an attacker would know where in memory these applications are loaded on almost every machine running Mac OS X.

Open source is yet another vector for new attacks on Apple Macs.

Miller said that on 31 July Apple did update its version of Samba - but that was the first time in two and a half years, and the latest version still fell short of the current open-source version.

Miller said his formula for finding a zero-day flaw on a Mac is this: "Find an open source package that they use that's out of date - there's, like I said, plenty of those."

He then suggested reading through the change log for the current version of any of the above open source software to find a useable bug that's been fixed in the newer version but still vulnerable to Mac OS X users.

Miller said by doing this, "you won't have to worry about static analysis or fuzzing or any of that stuff".

Several attempts to contact Apple for comment on this story went unanswered.

Robert Vamosi writes for CNET News.com