So I'm not a HUGE fan of SYMC these days - but I have to give them props for releasing this:
http://downloads.securityfocus.com/downloads/MacOSX_DeepSight_Report.pdf
It's a great look at the state of OSX today . . . it starts off by showing graphically that the vulnerability discovery rate for OSX is increasing, not decreasing, then it goes on to talk about the lack of prevalent malware for the platform, then it switches to a look at nefarious techniques miscreants can use to do things like spread malware, infect files and hide from OSX admins using rootkit technology (and OLD rootkit technology at that, simple syscall hooking seems to be 'state of the art' on this platform!?!). Finally - the paper takes a look at (fairly) recent security innovations that are showing up in competing operating systems and that are either not yet implemented in OSX or are being slowly implemented in the latest release (10.4).

A fairly interesting observation that I was unaware of (I am a Mac newb . . . worse than that actually - I've got a total of maybe 5 minutes seat time driving OSX) is that the OSX (Darwin) kernel is actually a hybrid of Mach and FreeBSD . . . think about this . . . instead of having one kernel to secure - you effectively have *two* (or at best parts of two), each with its own system call interface. Attack surface == more bigger. :) This fact has apparently not escaped the notice of security researchers, who have taken advantage of it to bypass a restriction enforced by one half of the kernel but not by the other. Left hand - meet right hand. (I am referring to Nemo's work using Mach system calls to perform operations that the BSD securelevel restrictions would not allow, and thereby break out of the restricted environment.)
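To make the "simple syscall hooking" point concrete, here is an added example (mine, not code from the post or from the DeepSight report): a user-space model of a kernel dispatch table, the one-pointer-swap hook a rootkit uses to hide files from open(), and the baseline-comparison integrity check that catches it. The syscall numbers, handlers and hidden-path prefix are made up for the demonstration; nothing here touches a real kernel.

```c
/* Added example, not code from the post or the DeepSight report: a user-space
 * model of "simple syscall hooking" and of the table-integrity check that
 * catches it. The syscall numbers, handlers and hidden-path prefix below are
 * made up for the demonstration; nothing here touches a real kernel. */
#include <stdio.h>
#include <string.h>

#define NSYSCALLS 4
#define SYS_READ 0
#define SYS_OPEN 1
#define SYS_GETDIRENTRIES 2
#define SYS_KILL 3

/* Path prefix the hypothetical rootkit hides from open(). */
#define HIDDEN_PREFIX "/var/.hidden"
#define ENOENT_RC (-2)   /* stand-in for an ENOENT failure */

typedef int (*syscall_fn)(const char *arg);

/* "Real" handlers: all succeed and return 0. */
static int real_read(const char *arg)          { (void)arg; return 0; }
static int real_open(const char *arg)          { (void)arg; return 0; }
static int real_getdirentries(const char *arg) { (void)arg; return 0; }
static int real_kill(const char *arg)          { (void)arg; return 0; }

/* The live dispatch table, standing in for the kernel's sysent[]. */
static syscall_fn sysent[NSYSCALLS] = {
    real_read, real_open, real_getdirentries, real_kill,
};

/* Baseline copy taken at "boot", before any rootkit had a chance to run. */
static syscall_fn baseline[NSYSCALLS];

/* Saved original pointer so the hook can pass non-hidden calls through. */
static syscall_fn orig_open;

/* Rootkit hook: pretend hidden paths do not exist, forward everything else. */
static int hooked_open(const char *path)
{
    if (strncmp(path, HIDDEN_PREFIX, strlen(HIDDEN_PREFIX)) == 0)
        return ENOENT_RC;
    return orig_open(path);
}

void snapshot_table(void)
{
    memcpy(baseline, sysent, sizeof sysent);
}

/* The entire "rootkit": one pointer swap in the table. */
void install_hook(void)
{
    orig_open = sysent[SYS_OPEN];
    sysent[SYS_OPEN] = hooked_open;
}

/* Kernel entry path: syscall number -> table slot -> handler. */
int dispatch(int nr, const char *arg)
{
    if (nr < 0 || nr >= NSYSCALLS)
        return -1;
    return sysent[nr](arg);
}

/* Integrity check: how many table slots no longer match the baseline. */
int count_hooked(void)
{
    int n = 0;
    for (int i = 0; i < NSYSCALLS; i++)
        if (sysent[i] != baseline[i])
            n++;
    return n;
}

/* Index of the first modified slot, or -1 if the table is clean. */
int first_hooked(void)
{
    for (int i = 0; i < NSYSCALLS; i++)
        if (sysent[i] != baseline[i])
            return i;
    return -1;
}

int main(void)
{
    snapshot_table();
    printf("clean table: %d hooked entries\n", count_hooked());
    install_hook();
    printf("open(%s) -> %d, open(/etc/passwd) -> %d\n",
           HIDDEN_PREFIX "/payload",
           dispatch(SYS_OPEN, HIDDEN_PREFIX "/payload"),
           dispatch(SYS_OPEN, "/etc/passwd"));
    printf("after hook: %d hooked entries, first at syscall %d\n",
           count_hooked(), first_hooked());
    return 0;
}
```

Two caveats a practitioner would want. First, this check only works if the baseline and the checker live somewhere the rootkit cannot reach; in-kernel, a rootkit with the same privileges as the checker can simply patch both, which is why pointer-table comparison is a 1990s-era detection and not a defence. Second, on a hybrid kernel a checker over one table covers one entry point only: the BSD system call table and the Mach trap table are separate structures, so a hook planted on the Mach side is invisible to a sysent-only comparison, the same left-hand/right-hand problem as the securelevel bypass described above.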
The thing that struck me when reading this paper was how . . . early in the security research and exploitation life cycle OSX really is. It's sssssoooooooo 5-7 years ago . . . roughly where Windows was 5-7 years ago.
Things that stood out for me were:
So after all was said and done and I had finished reading this report - I couldn't help thinking OSX is sooooo 5-7 years ago . . . even Windows XP SP2 and WS2003 seem to have many more mitigation technologies at work (software-based stack protection in core system binaries, hardware NX support, safe structured exception handling, the beginning of improved heap management in WS2003) than the latest version of OSX . . . and Vista is taking things to the next level with a decent first stab at an ASLR implementation and further heap hardening to make exploiting vulns that much harder, or at the least less reliable - not to mention PatchGuard in the kernel on 64-bit SKUs. OSX just seems so . . . so . . . Windows 2000 to me. :)
Which brings me to my final thought - is OSX doomed to repeat Windows' history in the coming years as it becomes more prevalent? It seems to me, after reading this report, that writing reliable exploits for OSX would actually be pretty trivial given the lack of mitigation technologies . . . and while it doesn't seem to be making great inroads in terms of market penetration (they're *still* stuck at 4% of the overall OS market, but allegedly increasing at 24% year over year), if it does . . . I wonder to myself "What could *possibly* go wrong?"