Mac OS X System Security in Depth, Part I


Mac OS X system security is a complex subject. The issue is made more complex by the contrast between a relatively benign and trusted home network and corporate use. This multi-part series will examine a broad range of Mac security issues for both environments.

There are many ways a Mac can be compromised. While the open source BSD underpinnings of Mac OS X (called Darwin) afford peer review, and that review has been going on for decades, new techniques are constantly being discovered or invented by the bad guys. As one weakness becomes managed, others open up thanks to new technologies that reside on top of Darwin. In addition, Mac OS X is complicated enough to generate some system administration issues as Apple markets the OS to both individuals and business.

Here are just some of the ways a Mac can be compromised or harmed:

  • Attacks against ports and daemons.
  • Denial of service against a port.
  • Malicious Web pages that send back malware via Port 80.
  • General system administration weaknesses or questionable defaults.
  • Weak system configuration in a corporate setting.
  • Network DNS spoofing and password eavesdropping.
  • Physical access to the computer.

As a result, it's not sufficient to simply point to the dearth of viruses on a Mac; one has to have a broad understanding of many different security principles. 

Classic Mistakes

One of the mistakes people make is trying to extend strong principles of corporate security to home use -- where some kinds of threats just don't exist. Then they become overwhelmed and either do nothing or adopt inconvenient measures that they later abandon. For example, setting a password for the screen saver is essential in corporate environments but just doesn't make sense for a home user with no children. Another mistake consists of ignoring or dismissing some corporate techniques as overkill without a good understanding of the basics. Yet another mistake is that threats against OS security are underestimated because of a tendency by some to interpret statements by Apple's marketing department that OS security is excellent as a statement that it is perfect. Or that no user action or education is necessary.

High Security or Ease of Use?

Mac OS X is based on an underlying UNIX core, Darwin, and that means there are lots of configuration options. Apple keeps those simple, both to preserve the appearance of a friendly OS and to keep users from fiddling with settings they may not understand and which could invite security problems.

One way this works against home users is as follows. Apple could, at installation or first boot out of the box, propose highly secure, locked down settings or alternatively more relaxed settings for a savvy user in a benign environment. However, that would diminish the idea that Mac OS X is intrinsically secure. So the very action that would enhance security is something Apple cannot do for the sake of marketing and ease of use.

One example of this is the setting of the root password. (The root user is the ultimate UNIX super user, accessed on the command line, who can go anywhere and access any file. That user has even more power than the standard Admin user we are accustomed to.) UNIX policies force Apple to leave the root password blank until it is set. But the process of dealing with root, via NetInfo (Tiger) or the Directory Utility (Leopard), is so alarming to some that Apple just disables root and leaves the password blank. If pressed, Apple says to just leave it that way.

To first order, enabling root, setting a good password for it, then disabling it is probably a better practice, but, again, that's not a path Apple wants to drag novice users down. Don't forget, UNIX OSes are complex and Apple is into simple.

Another example is the Guest account. By default, Apple disables the local Guest account (System Preferences -> Accounts) but leaves external Guest access to shared folders open. If you don't want guests on other computers rummaging around in your Mac, it's necessary to change the default setting. See the screen shots below. Not everyone is aware of this seemingly innocent setting.

Guest Account

Guests cannot log on locally, but external guests can connect to shared folders.

 

Guest Account

A third example is the default setting in Safari for launching downloaded files (Safari -> Preferences -> General). By default, it is on. (See the screen shot below.)

Downloads

Users should de-select "Open 'safe' files..." for best security

While Mac OS X marks downloaded files and warns the user of their origin, it's safer not to rush into an automatic launch of downloaded files. A few seconds of consideration and navigation to the Downloads folder will give a novice user just the additional time necessary to reflect on whether that file should be launched. Unfortunately, the default setting is not the optimum for best security; rather, it's set for best ease of use.

Finally, Mac OS X has a facility for showing a password hint at login. That seems innocent enough until you forget about it during travel. A low-end hacker who steals your Mac, and doesn't know about more exotic techniques, would probably find the password hint most helpful. Apple advises corporate users to use that hint to point to an administrator contact or a separate location where the password is well protected. Again, Apple has chosen not to complicate a home user's life by explaining how they shouldn't really use the hint feature in the manner implied.

These are four examples of Apple making delicate decisions about system administration options that can affect system security, independent of overall architecture considerations compared to, say, Windows. Those choices don't always take the path of maximum system security.
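
Three of these settings can also be checked from Terminal. The following shell audit is an added example, not part of the original article, covering Safari's auto-open option, guest access to shared folders and the login password hint. The preference domains and keys are assumptions taken from later macOS hardening guidance and may differ on Tiger or Leopard; `DEFAULTS_CMD` is a hypothetical override that lets the logic be exercised off a Mac.

```shell
#!/bin/sh
# Added example (not from the article): audit three of the defaults discussed.
# Domains and keys are assumptions from later macOS hardening guidance.

: "${DEFAULTS_CMD:=defaults}"   # hypothetical override for testing off a Mac

# norm VALUE -> prints 1/0 for booleans in any spelling, else the value itself
norm() {
    case $1 in
        1|true|TRUE|YES|yes) echo 1 ;;
        0|false|FALSE|NO|no) echo 0 ;;
        *) echo "$1" ;;
    esac
}

# check LABEL DOMAIN KEY SAFE_VALUE
# Prints one result line; returns 0 if hardened, 1 if not. An unset key counts
# as not hardened, since the article's point is that shipped defaults are lax.
check() {
    raw=$("$DEFAULTS_CMD" read "$2" "$3" 2>/dev/null) || raw=unset
    cur=$(norm "$raw")
    if [ "$cur" = "$4" ]; then
        echo "PASS  $1 ($3=$cur)"; return 0
    fi
    echo "FAIL  $1 ($3=$cur, want $4)"; return 1
}

# audit -> runs every check; exit status is the number of failed checks
audit() {
    fails=0
    check "Safari auto-open of 'safe' downloads off" \
        com.apple.Safari AutoOpenSafeDownloads 0 || fails=$((fails + 1))
    check "AFP guest access to shared folders off" \
        /Library/Preferences/com.apple.AppleFileServer guestAccess 0 \
        || fails=$((fails + 1))
    check "SMB guest access to shared folders off" \
        /Library/Preferences/SystemConfiguration/com.apple.smb.server \
        AllowGuestAccess 0 || fails=$((fails + 1))
    # Stricter than the article's advice: turns the hint off entirely.
    check "Login window password hint off" \
        /Library/Preferences/com.apple.loginwindow RetriesUntilHint 0 \
        || fails=$((fails + 1))
    return "$fails"
}

# Run the audit only when asked: sh audit.sh --run
if [ "${1:-}" = "--run" ]; then audit; exit $?; fi
```

The script only reads preferences; changing a failed setting is still done in the System Preferences and Safari panes described above.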

Summary

In future articles, I'll look at more issues that affect Mac OS X security. What's important to remember is that any computer connected to the Internet or any notebook computer that travels is a target. The bad guys try to access your computer for a living, and so they're always more aggressive than the average Mac user. Having a broad understanding of what's critical and putting it all in perspective is wiser than just assuming, out of the box, the Mac is 100 percent impervious.


Comments

Josh

“Yet another mistake is that threats against OS security are underestimated because of a tendency by some to interpret statements by Apple’s marketing department that OS security is excellent as a statement that it is perfect.”

I don’t know anyone that believes this. Out of the 20+ mac users I interact with on a regular basis, not ONE! Please stop saying this. It’s disingenuous at best, and outright fabrication at worst. If you want to make this kind of generalization, please provide a study where this question was asked and answered by a large enough, and representative enough sample of the population to be believable.

Otherwise you just sound like a mouthpiece for one of the security vendors that is focused on the mac and not selling enough software.

P.S. everything you mention here has been mentioned ad nauseam on other sites, please provide new examples if you’re going to insist on discussing mac security.

Ashley Grayson

This article could be much better if John had followed the classic process for development of an article: stick to an outline and develop each paragraph from its topic sentence. The bullet points that open the piece are not well ordered (physical access should be first) but are all worthy and would make a great article to put under the eye-catching title. Alas, modern journalism says, pick a grabber headline and write whatever comes to mind until you get tired or hit the word count. This is why the content (root passwords, guest accounts, Safari defaults and password hints) feels so weak. It is weak and only loosely tied to bullet #4, which might be called, what “Apple delivers and should you change anything.” As an old Mac user (since 1986) and UNIX guy, I can say that Apple’s choices are absolutely right for almost everyone and even raising these questions in front of naive users is not a productive idea. The real way to think of Mac security is to first look at what you want to secure: the physical machine? the data on it? (a clone or backup will ensure you don’t lose the data if you lose the Mac) or some aspect of the data that will lead to identity theft, fraud, or other loss. I’m really looking forward to the further parts of this report. I’d like to know how international criminals can reach into my office Mac network and acquire financial and contact information or send spam mails to everyone in my AddressBook. The latter breach happens to someone running Windows who has my email address about once a month.

Lee Dronick

Intego recently said that there is a critical vulnerability in Safari’s RSS reader and that we should use a different reader. Supposedly a website can use the vulnerability to get access to files on a hard drive. They also say that Apple has acknowledged this vulnerability, but did not provide a link to Apple. I understand that they are in the business of selling security software so I am always a bit skeptical when they issue a warning that has not been verified by someone else. Anyway, does anyone here think that there is real vulnerability in Safari’s RSS reader?

Josh

There probably is a vulnerability, but I don’t know anyone that uses safari or mail as their primary RSS reader. I use NetNewsWire, it’s free and has a lot more features than safari or mail. I (and everyone else I know) also only subscribe to RSS feeds I trust (Big name web sites, and scientific journals whom I read on a regular basis).

AFAIK, you would need to subscribe to this RSS feed from a site, and the feed would need to be intentionally constructed to be malicious. The odds of anyone subscribing to a feed on a site that is not trustworthy is fairly low IMO. Consequently, the actual danger posed by this flaw is probably rather minimal.

b9bot

If OSX security is in doubt, then why is it THAT NOT 1 OSX SYSTEM HAS EVER BEEN COMPROMISED IN THE REAL WORLD OVER A NETWORK? Please don’t make examples of those FAKE tests that in the end were done locally with the user already knowing the admin password. I’m talking real world over a network type stuff without any knowledge of the admin or anything.
Because although you can improve security by doing some of these tips. OSX is secure and only getting better because Apple does look to make security better every day. I’m not saying it’s perfect, but so far it has the best record when it comes to REAL WORLD SECURITY.

Thanks John

Thanks for picking this up John.  I’m looking forward to the rest of the series.  I’m tired of the same old posts by people saying you’re fine when on a Mac, and applaud you for highlighting some of the issues with OS X and especially the issues that end users can take action on to make their system more secure.

Thanks John

Sir Harry,

Yes, the Safari RSS problem has been confirmed by other sources and now even Apple itself.  It’s a real issue and the current workaround is to not use Safari as your default RSS reader.

http://www.macblogz.com/2009/01/13/apple-acknowledges-fairly-serious-safari-rss-vulnerability/

mrhooks

What, you mean you don’t have an RSS feed for your porn?

Lee Dronick

“What, you mean you don’t have an RSS feed for your porn?”

No, my son has “parental controls” enabled for my account. smile

Actually I was using the Safari RSS feature. I have feeds for TMO, IPO, MacWorld, Apple Press Releases, and some news/current event sites. I feel pretty secure with those sites.

Thanks John

“I feel pretty secure with those sites.”

Don’t.  The flaw doesn’t even require that you use the RSS feature in Safari, only that your settings have it configured to use the built-in reader.

Josh

Was I mistaken before?  Is it possible to hijack a “trusted” feed, or do you need to intentionally subscribe to the feed that is malicious (ie user clicks on the feed believing it to be a normal web link and it turns out to be a specially crafted RSS link)?

Thanks John

I would think that yes it is possible to hijack a trusted feed just as websites get hijacked. There are a number of ways one could approach it, however, that is irrelevant. You’re mistaken that someone needs to use an RSS feed to be exposed to the threat. It helps if you go and read the articles and even more so if you go and click the link to the website that found it.

http://brian.mastenbrook.net/display/27

“All users of Mac OS X 10.5 Leopard who have not changed their feed reader application preference from the system default are affected, regardless of whether they use any RSS feeds or use a different web browser (such as Firefox).”

coaten

Reality check:

http://mi2g.com/cgi/mi2g/frameset.php?pageid=http://mi2g.com/cgi/mi2g/home_page.php

Not a popular company, mi2g, but I’ve always found them to be frank and unbiased.

coaten

And yes, I’m aware that release is from 2004. That’s kinda my point. Security issues have been affecting Apple OS X for years and they’re not going away any time soon. I just wanted to post this, mainly, to address anyone who believes OS X is somehow impregnable.

Lee Dronick

Okay friends. I have switched my RSS reader from Safari and until this is all sorted out that is probably the best thing to do for all of us.

WelshDog

So I can’t use RSS on Safari - it isn’t there. Somewhere back in time for unknown reasons I disabled it. Now even though I have upgraded to Leopard and even manually installed Safari. Nothing works, if I click on an RSS icon on a web page Safari loads gibberish.

Any thoughts on how I can re-enable it?

Josh

Don’t re-enable RSS on Safari, it’s not safe to use until Apple has released a patch of some sort.  I would suggest finding a 3rd party piece of software to handle RSS feed aggregation.  I use NetNewsWire, it’s free and works very well.  I’m sure there are other programs around that can do it as well.
