Sunday, September 6, 2009

Is the scared leopard hiding in the snow?

With the worldwide public availability of Mac OS X Snow Leopard since Aug. 28th 2009, a lot of Mac users could not help jumping on the bandwagon. "I don't know if it is worth these $29, but since I'm a geek, I'm definitely going to buy it!" a co-worker of mine told me.

Enthusiasm, fine. However, from a user's point of view - and I am writing this post from 10.6 - very few new features were added, so I could not stop wondering: what about Snow Leopard's security features?


Because Apple's market share keeps growing, the platform becomes more and more attractive to attackers. And despite Apple's latest ads claiming that Macs do not suffer from viruses, Snow Leopard now ships with integrated antivirus software. However, this is a very, very basic protection. Let's have a look at its virus definitions:
It is an XML file containing virus definitions for:
- OSX.Iservice
- OSX.RSPlug.A
... and that's all!

Only 2 trojan signatures? Come on, Apple, don't you know that there are hundreds of viruses targeting your platform? (This is not news: on Feb 16th 2006, the first Mac OS X virus was discovered, and older versions of Mac OS had been suffering virus attacks since 1998, according to a Symantec news report.)
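To make the point concrete, here is an added Python example (not Apple's code; the definition-file layout is my assumption, and the sample bytes are constructed) that builds a small hash-based definition list for the two names above and scans file contents against it. The last check also shows why a handful of hash signatures is such thin protection: any change to the file defeats the match.

```python
import hashlib
import plistlib

# Constructed stand-ins for the two malicious files the 10.6 definitions cover.
# These bytes are made up for the example; they are not the real trojans.
SAMPLE_FILES = {
    "OSX.Iservice": b"constructed iservice sample",
    "OSX.RSPlug.A": b"constructed rsplug sample",
}


def build_definitions():
    """Build an XProtect-style definition file as XML plist bytes.

    Assumed layout (not taken from Apple's real file): an array of entries,
    each with a Description and a list of Matches carrying the SHA-1 digest
    of the malicious file as the Identity.
    """
    entries = []
    for name, body in SAMPLE_FILES.items():
        entries.append({
            "Description": name,
            "Matches": [{"MatchType": "Match",
                         "Identity": hashlib.sha1(body).digest()}],
        })
    return plistlib.dumps(entries)


def load_signatures(xml_bytes):
    """Parse the XML definition file into {sha1_hex: description}."""
    sigs = {}
    for entry in plistlib.loads(xml_bytes):
        for match in entry.get("Matches", []):
            sigs[match["Identity"].hex()] = entry["Description"]
    return sigs


def scan(data, sigs):
    """Hash the file contents and return the matching definition name, or None."""
    return sigs.get(hashlib.sha1(data).hexdigest())


if __name__ == "__main__":
    sigs = load_signatures(build_definitions())
    print(f"{len(sigs)} signature(s) loaded: {sorted(sigs.values())}")
    print("exact sample:", scan(SAMPLE_FILES["OSX.Iservice"], sigs))
    # A single appended byte changes the hash, so the signature no longer fires.
    print("one byte appended:", scan(SAMPLE_FILES["OSX.Iservice"] + b"x", sigs))
```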


Since the integrated antivirus only contains 2 definitions, do not expect any rootkit protection to be part of Snow Leopard! Mac OS X rootkits are a quickly growing market. One of the most famous is the one bundled inside a version of iPhoto 09 distributed over P2P networks.
Dino Dai Zovi, who presented this topic at BlackHat USA 2009, has an interesting article about Mac OS X rootkits on his blog.


A firewall has been integrated since the very first release of Mac OS X 10.4. However - and this is still the case in 10.6 - it is turned off by default! A dangerous choice, because a lot of Mac users have probably never turned it on.
It is nothing more than a graphical interface for ipfw, the BSD firewall. From a user's point of view, I still prefer the Windows 7 graphical firewall, which provides a deeper overview and more flexibility.


FileVault home folder encryption has been present since 10.4 Tiger. However, keep in mind that FileVault is susceptible to cold boot attacks (which consist in freezing the RAM so that the bits do not "disappear" from memory; since encryption keys are often kept in RAM for performance reasons, a thief can then dump the memory contents and retrieve the encryption key). On the other side, a Windows BitLocker drive encrypted with two-factor authentication such as TPM+PIN is definitely harder to recover.


Snow Leopard also adds:
- Execute Disable, which uses the processor's NX bit to prevent RAM data zones from being executed. This feature is also known on Windows as Data Execution Prevention and was implemented in Windows XP. However, for such a protection to be fully effective, it has to be combined with Address Space Layout Randomization, which is not the case right now.

More starting points are in this very interesting ZDNet article by Dino Dai Zovi.

Finally, there are not a lot of juicy features in this 10.6 release of the Mac OS X operating system. Several bloggers wrote that Apple is going in the right direction. I personally believe that they should first focus on aligning their marketing strategy with their technical one, because by always telling people that there are no possible security issues on Macs, they blind the average user, who will then not care at all about basic security concepts.

I advise you to read this interesting article by Brian X. Chen about "Snow Leopard being less secure than Windows 7, but still safer".

But for how long will this last?