OS X Threat Landscape Document

Created: 15 Nov 2006 08:00:00 GMT • Updated: 23 Jan 2014 18:55:13 GMT
Succinct information regarding the OS X threat landscape is hard to come by. Much of the information regarding OS X security and threats is blatantly wrong, overwhelmed by flame wars, and generally hard to digest. This isn't to say that researchers aren't releasing accurate and cutting-edge information regarding viruses, vulnerabilities, and exploitation vectors affecting the platform. On the contrary, it seems that many of the defenders or users of OS X are unaware of their existence, don't understand them, or simply choose to ignore them.

In light of all of the misinformation and confusion surrounding the topic, there is a lack of a sufficient summary of what threats have affected OS X and what research is being carried out regarding the platform. So, I decided to document it. The document I set out to write was not meant to uncover anything new: no new vulnerabilities, exploit vectors, or rootkit techniques. Instead, I wanted to correlate and summarize the information that was already available to the public in a variety of papers and other documentation. The goal was to create a single source of reference that elucidates where the threat landscape of OS X truly stands today and where it is going to move in the days to come.

Earlier this year, I started documenting much of the useful research that has been carried out on the platform. This research has largely been undertaken by key researchers, including Dino, Nemo, HD Moore, Ilja, KF, and most recently, David Maynor and Johnny Cache with their kernel driver exploitation. I also started to compile information about the vulnerabilities, exploits, and rootkits that have been discovered, written, and released since the advent of OS X. After putting all of this information together, I started analyzing what features of OS X lend themselves to threats and what can be done to prevent this in the future. The document was then released to Symantec customers and is now being made available to the public.

Some of the points of discussion in the document are:
• Significant vulnerabilities that have affected OS X and its applications.
• Exploits that have been released and associated research that is available.
• Malicious code that has affected the platform.
• Rootkits that have been developed and released.
• The technology that is available to prevent some of these threats.
• Areas where defense and security can be improved.

The OS X threat landscape summary document is available from the location given below and hopefully will be of value to those who read it. If nothing else, I hope that it can be used as a reference point of user education for those who have, until now, felt that OS X is somehow impervious to the exploitation that plagues all other platforms.

Apple is poised to release Leopard (OS X 10.5) in the near future, and there are some significant new functionalities in the security area that are said to be coming. For ongoing discussion, Symantec hosts the Focus-Apple mailing list, which will no doubt host discussions about some of the new features of Leopard, as well as the security landscape in general.