Although there is no shortage of relevant news regarding the Mac OS X platform, I’m usually faced with more questions than answers when considering ideas for new Macintosh articles or blogs for the Security Response Weblog. Even though Mac OS X has been available in one form or another for about six years (not counting its pre-Apple days as NeXT/OpenStep), its security education and research community is still young and underdeveloped. With Apple’s transition to an all Intel-based architecture and the steadily increasing adoption of Mac OS X by small, medium, and large enterprises, the Mac OS X security research and education landscape is rapidly being forced to grow up.
What follows are a number of important questions to spark further research and discussion on the subject of Mac OS X and security. Please feel free to join the discussion or start a new one on the Focus-Apple SecurityFocus mailing list.
End-of-life for versions of Mac OS X
Apple is still releasing security updates for Mac OS X 10.3.x (Panther), but not Mac OS X 10.2.x (Jaguar). When Mac OS X 10.5 (Leopard) is scheduled to be released sometime in the first half of 2007, how long will it be until Apple stops releasing security updates for Panther? To my knowledge, Apple does not publish planned end-of-life (EOL) policies for their operating systems.
Unfortunately, I know far too many customers who are only now starting to roll out Mac OS X 10.4.x (Tiger) in their organizations. I also know several organizations still using Jaguar for a variety of reasons and even a couple of organizations whose critical business processes rely on Mac OS 9. While it is entirely unreasonable to expect any company to indefinitely support each and every version of a product they produce, the lack of a clear roadmap regarding support for previous versions of Mac OS X is another detour for the enterprise.
Running Windows on Macintosh systems is nothing new. Before the PowerPC was powerful enough to emulate an x86 processor in software alone (as with Virtual PC), you could buy a Mac with an x86 co-processor card pre-installed. (I used to own a Power Macintosh 6100 with a 66 MHz 486DX2 processor card pre-installed by Apple, circa 1994.) The fact that Intel-based Macs can boot into Windows or virtualize Windows (Parallels Desktop and soon VMware) isn’t entirely groundbreaking, save for the native or near-native speed at which you can run Windows.
Cross-infection has always been a theoretical possibility, but little researched. Of particular interest to me are the potential security implications of running compatibility-layer software like CodeWeavers’ CrossOver Mac. CrossOver Mac allows you to install and run a select and growing number of popular Windows applications in Mac OS X without needing to run Windows. Without the typical OS and filesystem separations (virtual or not, logical or physical), what security implications could there be in running Windows applications in Mac OS X without Windows?
Mac OS X honeypots
Informal public "I dare you" honeypots have existed for the Macintosh platform from time to time, dating back to Mac OS 9. However, there is a dearth of well-researched and well-built Mac OS X honeypots and honeynets. Is it because of a lack of interest, a lack of tools, or both? From my own anecdotal research, I believe it to be a combination of both factors. Mac OS X has only recently been receiving both general and targeted attention from the security community, so the tools necessary for a credible and effective Mac OS X honeynet are only now being ported.
If, according to The Honeynet Research Alliance, the goal of a honeynet is to “create an environment where the tools and behavior of threats can be captured and analyzed in the wild,” then some of the tools to accomplish this are missing from the Mac OS X toolbox. Some of the well-worn techniques applied to Windows-based honeynets are not applicable to Mac OS X. One common honeypot tool is virtualization. While virtualization tools, as mentioned in the previous section, are available for running various operating systems within a virtualized environment (“guest”) on a Mac OS X host, you cannot technically and legally run Mac OS X as a guest. It is possible to replicate some of the advantages that virtualization provides by using Apple Software Restore and NetBoot image management tools, and filesystem change management/monitoring tools like radmind.
As Mac OS X security research and education begins to become more proactive, valuable surveillance and early-warning tools like honeypots and honeynets will become an increasingly urgent requirement. I hope to cover this subject in greater detail in a future article.