Security expert at Black Hat: Whatever you do, keep Macs out of enterprise

Report describes clearly what malware attacks, what Macs defend and why networking is the weak link

By  

Windows client machines have far greater protections within the OS, especially around the heap and the stack, the memory regions a running program uses to hold its data, the return addresses of the functions it calls and the pointers that tie its data structures together.

Malicious code that can write past the end of a buffer on the stack or the heap overwrites the bookkeeping data stored next to it: a return address on the stack, or the linked-list pointers the allocator keeps in heap chunk headers. Once those are under its control it can redirect execution, write to memory of its choosing and reach whatever data or resources those structures point to.

Versions of Windows from XP SP2 on place a security cookie, a random value checked before a function returns or before a heap chunk header is trusted, between a buffer and the data it protects, so an overflow that has overwritten the cookie is detected before the corrupted data is used.

They also check, before unlinking a free heap entry from its list, that the neighbouring entries still point back to it (safe unlinking), so a corrupted heap header makes the process abort rather than handing the virus an arbitrary memory write it could use to reach other memory, disks or machines.

Mac OSX 10.5 uses a checksum on the pointers in its heap free lists, verified before a freed block is reused, to detect that kind of corruption.

The login keychain in Mac OSX is also vulnerable: it is protected by the user's login password, so a piece of malware can be designed to brute-force that password once it has obtained enough memory and privileges to run.

Login keychains typically hold saved credentials for many accounts and services, not just the login itself, so once the password is cracked the malware has every credential in the keychain and can use them to authenticate to other parts of the OS and the network, which it can then explore.

The Windows User Account Control is also vulnerable to spoofing, but not as simply as Mac OSX, Stamos said.

The Lion version of OSX includes a sandbox that can confine malware to an area with restricted memory, disk and network access and refuse to elevate its privileges far enough for it to break out.


What about the server?

On the server itself, or at least on the network path to it, malware has a far easier time.

The default install of the Snow Leopard version of Mac OSX leaves 28 network ports open and includes so many authentication flaws that it is not reasonable to trust it.

The range of authentication mechanisms on offer, for example, lets an attacker downgrade the authentication, requesting and receiving a weaker sign-on method than the server would otherwise use, so relying on the comparatively safe Kerberos authentication gives server administrators a false sense of security.
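The downgrade described above, and the client-side check that defeats it, as an added example in C. This is not code from the article or from the talk: the mechanism list is a space-separated advertisement in the style of an SMTP "AUTH" line, the strength ranking is this example's own policy, and `choose_mechanism` and the `demo_*` functions are invented names. The attacker's move is to rewrite the advertised list on the wire so the strong mechanism is never offered; a client that will accept anything then falls back quietly, while a client pinned to Kerberos/GSSAPI refuses to authenticate at all.

```c
#include <string.h>

/* Mechanism strength, strongest first. Real SASL mechanism names, but the
 * ordering is this example's policy, not anything the server enforces. */
static const char *const RANKED[] = { "GSSAPI", "DIGEST-MD5", "CRAM-MD5", "PLAIN" };
#define NMECH (sizeof RANKED / sizeof RANKED[0])

/* Rank of a mechanism name: 0 is strongest, -1 means unknown (never chosen). */
static int mech_rank(const char *name, size_t len)
{
    for (size_t i = 0; i < NMECH; i++)
        if (strlen(RANKED[i]) == len && memcmp(RANKED[i], name, len) == 0)
            return (int)i;
    return -1;
}

/* Parse the space-separated list the server advertised and return the
 * strongest mechanism no weaker than rank 'weakest_acceptable'
 * (0 = GSSAPI/Kerberos only, NMECH-1 = accept anything known).
 * Returns NULL if nothing acceptable was offered: the caller must refuse
 * to authenticate rather than fall back to whatever is left. */
const char *choose_mechanism(const char *advertised, int weakest_acceptable)
{
    int best = -1;
    const char *p = advertised;
    while (*p) {
        while (*p == ' ') p++;                /* skip separators */
        const char *start = p;
        while (*p && *p != ' ') p++;          /* one token */
        if (p == start) break;                /* trailing spaces only */
        int r = mech_rank(start, (size_t)(p - start));
        if (r >= 0 && r <= weakest_acceptable && (best < 0 || r < best))
            best = r;
    }
    return best < 0 ? NULL : RANKED[best];
}

/* Constructed traffic: what the legitimate server sends, and what the
 * client sees after an attacker on the path strips the strong mechanism. */
static const char *const SERVER_OFFER   = "GSSAPI DIGEST-MD5 PLAIN";
static const char *const STRIPPED_OFFER = "DIGEST-MD5 PLAIN";

/* A permissive client silently accepts the downgrade: returns "DIGEST-MD5". */
const char *demo_permissive_client(void)
{
    return choose_mechanism(STRIPPED_OFFER, (int)NMECH - 1);
}

/* A client pinned to Kerberos refuses when GSSAPI is missing: returns NULL. */
const char *demo_pinned_client_stripped(void)
{
    return choose_mechanism(STRIPPED_OFFER, 0);
}

/* The same pinned client negotiates normally on an intact list: returns "GSSAPI". */
const char *demo_pinned_client_intact(void)
{
    return choose_mechanism(SERVER_OFFER, 0);
}
```

The server-side counterpart is the same check in reverse: advertise and accept only the mechanisms the administrator actually wants in use, so that a client asking for a "simpler signon" is turned away instead of accommodated.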
