23 Replies. Latest reply: Mar 29, 2013 6:13 PM by petermac87
  • 15. Re: Why does Apple not provide a proper AV for OSX?
    MadMacs0 Level 4 Level 4 (3,725 points)

    sebastian brabetz wrote:

    But if OS X already includes _everything_ to protect itself, how come there was a Flashback and Flashfake? How come Java exploits can compromise the entire OS?

    Obviously at the time it did not have everything, and tomorrow we might be saying the same thing, but today we can be comfortable saying there are no currently known threats to a fully up-to-date OS X 10.6.8 and above. If another Java vulnerability is exploited by malware, the only thing that would probably catch it is a properly configured Java/GateKeeper combination. I don't believe for one minute that any third-party A-V software on the market today will do any better.

    How can it be that every iOS version gets jailbroken over time? Sometimes it was as easy as pointing Safari to a webpage (PDF interpreter exploit)...

    That has nothing to do with this discussion. Different OS, and it's the user's choice to jailbreak it.

    There is a parallel, of course. Back when Java was disabled by Apple, many users were providing instructions for shutting XProtect down completely so users could play their favorite games again.

    Telling everyone OS X is perfect and does not need any security or does not need to keep up with the security world sounds to me like a tale told by a generation of Mac users that lived in times when OS X was a niche product...

    I rarely read anything close to that here in the forum. I know I always try to make it clear that I am referring only to the way things are at the moment. I have, at times, been equally critical of Apple when they have not shown what I consider to be appropriate reaction to a threat, but I must say they have listened and their approach to security is far better than it was even a year ago. Not perfect, of course, and unlike commercial A-V companies, they do have other development efforts that must be resourced. But IMHO, they are doing a lot better at this than either Adobe or Oracle seem to be doing at the moment in this area.

  • 16. Re: Why does Apple not provide a proper AV for OSX?
    sebastian brabetz Level 1 Level 1 (0 points)

    Hello MadMacs0,

    First of all: thanks for actually talking about the topic instead of just hating…

    I get a pretty aggressive vibe here. I mean, I am sorry if I have offended someone here, but it seems that people here just get offended by the notion that Apple is not perfect…

    Back to the topic:

    Yeah, Gatekeeper is not a firewall; I associated the Gatekeeper term with the firewall functionality of the "OS X security system", if I may call it that.

    Also, I will admit up front that I have not yet read up too much on the OS X security system. But I now will do so, because this thread gets me even more curious.

    Signature-based detection might not be the perfect 100% security solution to keep every machine secure, but what about the stuff that is out there and well known? What would be the point in getting infected by a year-old worm/virus/threat, whatever?

    Again, I haven't studied XProtect yet, but if it does actually contain signatures and scan files, then it would be like a basic virus scanner integrated into OS X. Which is fine by me, but seems to have worked up some people above?!

    However, to this moment I believe that XProtect does not really act as an on-access signature scanner but rather matches hashes of Safari downloads and installation routines.

    But what about file-type exploits? Especially the widespread PDF format is a basic door for exploits.

    What would be the harm in scanning a PDF file and disallowing further computation if it contains a well-known malware routine?

    Heuristic is a really biased term. Let me formulate it a bit differently: on a basic level, a lot of modern operating systems (OS X and Windows 7/8 included) tend to be not as secure as one might think. Most exploits out there are memory-based (heap/stack overflows) and can only exist and work because programs are able to read and write to RAM wherever they want.

    Try dumping your memory and searching for passwords in there. I actually did that on my OS X 10.8.3 and my Windows 7 PC at work. I found my password like 10 times in cleartext in the memory on OS X and not a single time on the Windows 7 machine.

    Yes, bad programming is not Apple's fault. But did I say that anywhere above? I did not. I asked why Apple does not distribute a virus scanner of their own that exactly does not do what other people above think I want in AV software.

    I would like a lean and optimized routine integrated in OS X that scans files on access for well-known malware/exploit code/malicious code… By now I have learned that XProtect already kind of does this.

    This makes me even more irritated at the people above who call me a stupid and ignorant Windows user, but whatever…

    You also seem to compartmentalize the security of the operating system and third-party software strongly. On what basis do you do that? One thing is from Apple and the other thing is not? That does not prevent either one from being targeted by an exploit.

    I disagree with the opinion that there are no currently known threats for a fully up-to-date OS X. Java had a bunch of exploits, and OS X and even Apple as a company got directly targeted with Java exploits. Again, you can say this is not Apple's fault, and I agree the exploit itself is not in Apple's code, but the way an exploit of Java can lead to full operating system compromise (privilege escalation) is in Apple's hands to prevent.

    You say that a Java/Gatekeeper combination might be able to prevent this, but that would actually make XProtect/Gatekeeper even more of an "AV" software. It would scan code that is to be executed and match it against a signature base. AV software does the same…

    Jailbreaking IMHO has everything to do with the topic, as iOS is the second operating system from Apple and, like OS X, is based on the Darwin Unix kernel. iOS is locked down by default, and the way jailbreaks unlock iOS is most of the time via exploits in some software that ships with iOS. It has already been done with third-party apps (games, for example), but as mentioned previously it was also accomplished via a PDF exploit in the Safari PDF interpreter. So jailbreaking in fact only exists because there are exploits available in Apple's code.

    I don't read Apple forums regularly, but I created this one thread and I just got hate for even mentioning AV could have a purpose in OS X. The 6th reply from Susan Howard suggests that "A Mac" is all the AV software you need…

    @mende1: also thanks for posting something relevant instead of plain hating.

    @William Lloyd: I agree, aggressive AV *****, that's why I initially asked for a properly integrated AV/security system coming directly from Apple (I would compare it to Microsoft Essentials, without really judging the quality of that right here).

    @Csound1: just hate anywhere else…

    @John Galt: rereading your 2 posts I might have overreacted, as I was a bit ****** about the general belittling attitude here… Sorry for that.

    @Eustace Mendis:

    Searching for "osx" in a freshly updated msf I get this result:

    IP:192.168.0.181 Ses:0 Job:0 > search osx

    Matching Modules
    ================

       Name                                                                  Disclosure Date          Rank       Description
       ----                                                                  ---------------          ----       -----------
       exploit/multi/browser/firefox_xpi_bootstrapped_addon                  2007-06-27 00:00:00 UTC  excellent  Mozilla Firefox Bootstrapped Addon Social Engineering Code Execution
       exploit/multi/browser/java_atomicreferencearray                       2012-02-14 00:00:00 UTC  excellent  Java AtomicReferenceArray Type Violation Vulnerability
       exploit/multi/browser/java_atomicreferencearray                       2012-02-14 00:00:00 UTC  excellent  Java AtomicReferenceArray Type Violation Vulnerability
       exploit/multi/browser/java_calendar_deserialize                       2008-12-03 00:00:00 UTC  excellent  Sun Java Calendar Deserialization Privilege Escalation
       exploit/multi/browser/java_jre17_glassfish_averagerangestatisticimpl  2012-10-16 00:00:00 UTC  excellent  Java Applet AverageRangeStatisticImpl Remote Code Execution
       exploit/multi/browser/java_jre17_jmxbean                              2013-01-10 00:00:00 UTC  excellent  Java Applet JMX Remote Code Execution
       exploit/multi/browser/java_jre17_jmxbean_2                            2013-01-19 00:00:00 UTC  excellent  Java Applet JMX Remote Code Execution
       exploit/multi/browser/java_jre17_method_handle                        2012-10-16 00:00:00 UTC  excellent  Java Applet Method Handle Remote Code Execution
       exploit/multi/browser/java_rhino                                      2011-10-18 00:00:00 UTC  excellent  Java Applet Rhino Script Engine Remote Code Execution
       exploit/multi/browser/java_rhino                                      2011-10-18 00:00:00 UTC  excellent  Java Applet Rhino Script Engine Remote Code Execution
       exploit/multi/browser/java_signed_applet                              1997-02-19 00:00:00 UTC  excellent  Java Signed Applet Social Engineering Code Execution
       exploit/multi/browser/java_verifier_field_access                      2012-06-06 00:00:00 UTC  excellent  Java Applet Field Bytecode Verifier Cache Remote Code Execution
       exploit/multi/browser/java_verifier_field_access                      2012-06-06 00:00:00 UTC  excellent  Java Applet Field Bytecode Verifier Cache Remote Code Execution
       exploit/multi/handler                                                                           manual     Generic Payload Handler
       exploit/multi/http/ajaxplorer_checkinstall_exec                       2010-04-04 00:00:00 UTC  excellent  AjaXplorer checkInstall.php Remote Command Execution
       exploit/multi/misc/indesign_server_soap                               2012-11-11 00:00:00 UTC  excellent  Adobe IndesignServer 5.5 SOAP Server Arbitrary Script Execution
       exploit/multi/misc/java_rmi_server                                    2011-10-15 00:00:00 UTC  excellent  Java RMI Server Insecure Default Configuration Java Code Execution
       exploit/osx/afp/loginext                                              2004-05-03 00:00:00 UTC  average    AppleFileServer LoginExt PathName Overflow
       exploit/osx/arkeia/type77                                             2005-02-18 00:00:00 UTC  average    Arkeia Backup Client Type 77 Overflow (Mac OS X)
       exploit/osx/browser/mozilla_mchannel                                  2011-05-10 00:00:00 UTC  normal     Mozilla Firefox 3.6.16 mChannel Use-After-Free
       exploit/osx/browser/mozilla_mchannel                                  2011-05-10 00:00:00 UTC  normal     Mozilla Firefox 3.6.16 mChannel Use-After-Free
       exploit/osx/browser/safari_file_policy                                2011-10-12 00:00:00 UTC  normal     Apple Safari file:// Arbitrary Code Execution
       exploit/osx/browser/safari_metadata_archive                           2006-02-21 00:00:00 UTC  excellent  Safari Archive Metadata Command Execution
       exploit/osx/browser/software_update                                   2007-12-17 00:00:00 UTC  excellent  Apple OS X Software Update Command Execution
       exploit/osx/email/mailapp_image_exec                                  2006-03-01 00:00:00 UTC  manual     Mail.app Image Attachment Command Execution
       exploit/osx/ftp/webstar_ftp_user                                      2004-07-13 00:00:00 UTC  average    WebSTAR FTP Server USER Overflow
       exploit/osx/http/evocam_webserver                                     2010-06-01 00:00:00 UTC  average    MacOS X EvoCam HTTP GET Buffer Overflow
       exploit/osx/local/setuid_tunnelblick                                  2012-08-11 00:00:00 UTC  excellent  Setuid Tunnelblick Privilege Escalation
       exploit/osx/local/setuid_viscosity                                    2012-08-12 00:00:00 UTC  excellent  Viscosity setuid-set ViscosityHelper Privilege Escalation
       exploit/osx/mdns/upnp_location                                        2007-05-25 00:00:00 UTC  average    Mac OS X mDNSResponder UPnP Location Overflow
       exploit/osx/misc/ufo_ai                                               2009-10-28 00:00:00 UTC  average    UFO: Alien Invasion IRC Client Buffer Overflow
       exploit/osx/rtsp/quicktime_rtsp_content_type                          2007-11-23 00:00:00 UTC  average    MacOS X QuickTime RTSP Content-Type Overflow
       exploit/osx/samba/lsa_transnames_heap                                 2007-05-14 00:00:00 UTC  average    Samba lsa_io_trans_names Heap Overflow
       exploit/osx/samba/trans2open                                          2003-04-07 00:00:00 UTC  great      Samba trans2open Overflow (Mac OS X PPC)
       payload/generic/debug_trap                                                                      normal     Generic x86 Debug Trap
       payload/generic/tight_loop                                                                      normal     Generic x86 Tight Loop
       payload/java/jsp_shell_bind_tcp                                                                 normal     Java JSP Command Shell, Bind TCP Inline
       payload/java/jsp_shell_reverse_tcp                                                              normal     Java JSP Command Shell, Reverse TCP Inline
       payload/osx/armle/execute/bind_tcp                                                              normal     OS X Write and Execute Binary, Bind TCP Stager
       payload/osx/armle/execute/reverse_tcp                                                           normal     OS X Write and Execute Binary, Reverse TCP Stager
       payload/osx/armle/shell/bind_tcp                                                                normal     OS X Command Shell, Bind TCP Stager
       payload/osx/armle/shell/reverse_tcp                                                             normal     OS X Command Shell, Reverse TCP Stager
       payload/osx/armle/shell_bind_tcp                                                                normal     Apple iOS Command Shell, Bind TCP Inline
       payload/osx/armle/shell_reverse_tcp                                                             normal     Apple iOS Command Shell, Reverse TCP Inline
       payload/osx/armle/vibrate                                                                       normal     Apple iOS iPhone Vibrate
       payload/osx/ppc/shell/bind_tcp                                                                  normal     OS X Command Shell, Bind TCP Stager
       payload/osx/ppc/shell/find_tag                                                                  normal     OS X Command Shell, Find Tag Stager
       payload/osx/ppc/shell/reverse_tcp                                                               normal     OS X Command Shell, Reverse TCP Stager
       payload/osx/ppc/shell_bind_tcp                                                                  normal     OS X Command Shell, Bind TCP Inline
       payload/osx/ppc/shell_reverse_tcp                                                               normal     OS X Command Shell, Reverse TCP Inline
       payload/osx/x64/dupandexecve/bind_tcp                                                           normal     OS X dup2 Command Shell, Bind TCP Stager
       payload/osx/x64/dupandexecve/reverse_tcp                                                        normal     OS X dup2 Command Shell, Reverse TCP Stager
       payload/osx/x64/exec                                                                            normal     OS X x64 Execute Command
       payload/osx/x64/say                                                                             normal     OSX X64 say Shellcode
       payload/osx/x64/shell_bind_tcp                                                                  normal     OS X x64 Shell Bind TCP
       payload/osx/x64/shell_find_tag                                                                  normal     OSX Command Shell, Find Tag Inline
       payload/osx/x64/shell_reverse_tcp                                                               normal     OS X x64 Shell Reverse TCP
       payload/osx/x86/bundleinject/bind_tcp                                                           normal     Mac OS X Inject Mach-O Bundle, Bind TCP Stager
       payload/osx/x86/bundleinject/reverse_tcp                                                        normal     Mac OS X Inject Mach-O Bundle, Reverse TCP Stager
       payload/osx/x86/exec                                                                            normal     OS X Execute Command
       payload/osx/x86/isight/bind_tcp                                                                 normal     Mac OS X x86 iSight Photo Capture, Bind TCP Stager
       payload/osx/x86/isight/reverse_tcp                                                              normal     Mac OS X x86 iSight Photo Capture, Reverse TCP Stager
       payload/osx/x86/shell_bind_tcp                                                                  normal     OS X Command Shell, Bind TCP Inline
       payload/osx/x86/shell_find_port                                                                 normal     OS X Command Shell, Find Port Inline
       payload/osx/x86/shell_reverse_tcp                                                               normal     OS X Command Shell, Reverse TCP Inline
       payload/osx/x86/vforkshell/bind_tcp                                                             normal     OS X (vfork) Command Shell, Bind TCP Stager
       payload/osx/x86/vforkshell/reverse_tcp                                                          normal     OS X (vfork) Command Shell, Reverse TCP Stager
       payload/osx/x86/vforkshell_bind_tcp                                                             normal     OS X (vfork) Command Shell, Bind TCP Inline
       payload/osx/x86/vforkshell_reverse_tcp                                                          normal     OS X (vfork) Command Shell, Reverse TCP Inline
       post/multi/gather/apple_ios_backup                                                              normal     Windows Gather Apple iOS MobileSync Backup File Collection
       post/multi/gather/dns_bruteforce                                                                normal     Multi Gather DNS Forward Lookup Bruteforce
       post/multi/gather/dns_reverse_lookup                                                            normal     Multi Gather DNS Reverse Lookup Scan
       post/multi/gather/dns_srv_lookup                                                                normal     Multi Gather DNS Service Record Lookup Scan
       post/multi/gather/enum_vbox                                                                     normal     Multi Gather VirtualBox VM Enumeration
       post/multi/gather/fetchmailrc_creds                                                             normal     UNIX Gather .fetchmailrc Credentials
       post/multi/gather/filezilla_client_cred                                                         normal     Multi Gather FileZilla FTP Client Credential Collection
       post/multi/gather/find_vmx                                                                      normal     Multi Gather VMWare VM Identification
       post/multi/gather/firefox_creds                                                                 normal     Multi Gather Firefox Signon Credential Collection
       post/multi/gather/gpg_creds                                                                     normal     Multi Gather GnuPG Credentials Collection
       post/multi/gather/multi_command                                                                 normal     Multi Gather Run Shell Command Resource File
       post/multi/gather/netrc_creds                                                                   normal     UNIX Gather .netrc Credentials
       post/multi/gather/pgpass_creds                                                                  normal     Multi Gather pgpass Credentials
       post/multi/gather/pidgin_cred                                                                   normal     Multi Gather Pidgin Instant Messenger Credential Collection
       post/multi/gather/ping_sweep                                                                    normal     Multi Gather Ping Sweep
       post/multi/gather/skype_enum                                                                    normal     Multi Gather Skype User Data Enumeration
       post/multi/gather/ssh_creds                                                                     normal     Multi Gather OpenSSH PKI Credentials Collection
       post/multi/gather/thunderbird_creds                                                             normal     Multi Gather Mozilla Thunderbird Signon Credential Collection
       post/multi/general/close                                                                        normal     Multi Generic Operating System Session Close
       post/multi/general/execute                                                                      normal     Multi Generic Operating System Session Command Execution
       post/multi/manage/multi_post                                                                    normal     Multi Manage Post Module Macro Execution
       post/multi/manage/record_mic                                                                    normal     Multi Manage Record Microphone
       post/multi/manage/sudo                                                                          normal     Multiple Linux / Unix Post Sudo Upgrade Shell
       post/multi/manage/system_session                                                                normal     Multi Manage System Remote TCP Shell Session
       post/osx/admin/say                                                                              normal     OS X Text to Speech Utility
       post/osx/gather/enum_adium                                                                      normal     OS X Gather Adium Enumeration
       post/osx/gather/enum_airport                                                                    normal     OS X Gather Airport Wireless Preferences
       post/osx/gather/enum_chicken_vnc_profile                                                        normal     OS X Gather Chicken of the VNC Profile
       post/osx/gather/enum_colloquy                                                                   normal     OS X Gather Colloquy Enumeration
       post/osx/gather/enum_keychain                                                                   normal     OS X Gather Keychain Enumeration
       post/osx/gather/enum_osx                                                                        normal     OS X Gather Mac OS X System Information Enumeration
       post/osx/gather/hashdump                                                                        normal     OS X Gather Mac OS X Password Hash Collector

    But the sheer number of exploits in a single public framework should not be the basis to weigh security. Metasploit is more like a framework for people in the IT security field to test and distribute exploit proofs of concept, to support penetration testing and so on.

    The mere fact that there is a native OS X Meterpreter and a cross-platform Java Meterpreter, including post-exploitation modules that work on OS X, should be enough to see that OS X is not the untouched platform it was in the past.

    You can also find exploit PoCs for OS X programs here: http://www.exploit-db.com/

    So maybe my first post was a bit short, aggressive? Or even provocative? I don't know, but I am here to discuss a real topic and I would love to learn more about OS X's security model here in a nice and civilized discussion. I heard that was what forums were for. Again, maybe I also answered aggressively before; let me again say sorry for that.

    Regards

    Sebastian

  • 17. Re: Why does Apple not provide a proper AV for OSX?
    Csound1 Level 8 Level 8 (35,420 points)

    Have a nice day Sebastian.

  • 18. Re: Why does Apple not provide a proper AV for OSX?
    petermac87 Level 5 Level 5 (4,205 points)

    sebastian brabetz wrote:

    Also, I will admit up front that I have not yet read up too much on the OS X security system.

    Pretty much says it all really. Time to stop feeding the troll, folks.

    Pete

  • 19. Re: Why does Apple not provide a proper AV for OSX?
    sebastian brabetz Level 1 Level 1 (0 points)

    I kinda lost the thread on heuristics: I would want a security software/AV, whatever, to monitor basic APIs and prevent obvious mischief. That's what I would expect from a heuristic.

    Also, if it is still unclear why I would want an AV software, let's consider this scenario:

    A drive-by Java exploit infected my computer with a bad program. This program tries to stay operative in my OS, so it writes itself into some nifty location/script which will trigger it on every reboot.

    Let's say this all happened with a 0-day that no AV software would have detected. But after a week, on the 7th reboot of my machine, there is a signature update. On the 8th reboot the AV scanner's HDD read/write API hook would scan the binary/script and find a match in its signatures.

    If it could not remove it properly, it could at least warn me about this issue and I could take action and reinstall my machine.

    Sure, there are already bad boys out there that can trick AV software and can hook an API in front of the AV, but should that be a reason to not care and try to prevent this altogether?
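The timeline in this post (a persisted file nobody has a signature for, a signature update a week later, a rescan that then matches) as an added Python example; it is not code from the post, from XProtect or from any AV product, and the directory, file names, marker string and threat name are constructed stand-ins. It also shows the brittleness the last paragraph hints at: a one-byte change defeats a whole-file hash signature, while a content pattern still matches.

```python
"""Toy rescan of a persistence directory with a signature DB that is updated
between scans. Constructed for illustration; no real malware is involved."""
import hashlib
import os
import tempfile
from dataclasses import dataclass, field


@dataclass
class SignatureDB:
    """Two signature kinds: exact SHA-256 of a whole file, and a byte pattern
    that must appear somewhere in the file (a crude content signature)."""
    hashes: dict = field(default_factory=dict)    # sha256 hex -> threat name
    patterns: dict = field(default_factory=dict)  # bytes -> threat name

    def update(self, other: "SignatureDB") -> None:
        """Merge a signature update (the 'week later' update in the scenario)."""
        self.hashes.update(other.hashes)
        self.patterns.update(other.patterns)


def scan_file(path: str, db: SignatureDB):
    """Return (threat_name, method) or None. Hash match is tried first."""
    with open(path, "rb") as f:
        data = f.read()
    digest = hashlib.sha256(data).hexdigest()
    if digest in db.hashes:
        return db.hashes[digest], "hash"
    for pattern, name in db.patterns.items():
        if pattern in data:
            return name, "pattern"
    return None


def scan_dir(directory: str, db: SignatureDB) -> dict:
    """Scan every regular file in a persistence location; file name -> finding."""
    findings = {}
    for entry in sorted(os.listdir(directory)):
        path = os.path.join(directory, entry)
        if os.path.isfile(path):
            hit = scan_file(path, db)
            if hit:
                findings[entry] = hit
    return findings


# Constructed samples: a benign launch item and a "persisted" script that the
# scanner does not know about yet. The marker string stands in for whatever
# bytes a real signature would key on; the script itself is harmless.
BENIGN = b"#!/bin/sh\n/usr/bin/true\n"
PERSISTED = b"#!/bin/sh\n# constructed-sample-marker-7f3a\n/usr/bin/true\n"
PERSIST_NAME = "com.example.persist.sh"   # hypothetical file name


def run_scenario() -> dict:
    """Replay the post's timeline; return the findings of each scan by label."""
    results = {}
    with tempfile.TemporaryDirectory() as agents_dir:   # stands in for a LaunchAgents dir
        with open(os.path.join(agents_dir, "com.example.ok.plist"), "wb") as f:
            f.write(BENIGN)
        persisted_path = os.path.join(agents_dir, PERSIST_NAME)
        with open(persisted_path, "wb") as f:
            f.write(PERSISTED)

        db = SignatureDB()
        results["day1"] = scan_dir(agents_dir, db)            # 0-day: nothing known yet

        # Day 8: the update ships an exact hash of the sample, so the rescan catches it.
        db.update(SignatureDB(hashes={hashlib.sha256(PERSISTED).hexdigest(): "Constructed.Sample.A"}))
        results["day8_hash"] = scan_dir(agents_dir, db)

        # Edge case: a trivially modified variant no longer matches the whole-file hash.
        variant = PERSISTED.replace(b"/usr/bin/true", b"/usr/bin/true ")
        with open(persisted_path, "wb") as f:
            f.write(variant)
        results["variant_hash_only"] = scan_dir(agents_dir, db)

        # A content pattern survives that change and catches the variant.
        db.update(SignatureDB(patterns={b"constructed-sample-marker-7f3a": "Constructed.Sample.A"}))
        results["variant_pattern"] = scan_dir(agents_dir, db)
    return results


if __name__ == "__main__":
    for label, findings in run_scenario().items():
        print(label, findings)
```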

  • 20. Re: Why does Apple not provide a proper AV for OSX?
    sebastian brabetz Level 1 Level 1 (0 points)

    @petermac87: I would rather get interesting starting points on what to read up on, and where to do so, in here.

    And maybe even discuss the thoughts I have on stuff I read with someone who is willing to do so.

    Is that such a bad thing to try? Does everything on the internet have to be all or nothing? Hate it or love it?

  • 21. Re: Why does Apple not provide a proper AV for OSX?
    Csound1 Level 8 Level 8 (35,420 points)

    sebastian brabetz wrote:

    Is that such a bad thing to try? Does everything on the internet have to be all or nothing? Hate it or love it?

    Maybe you are or maybe you're not, but you come across as a troll. Trolls are rather dull.

  • 22. Re: Why does Apple not provide a proper AV for OSX?
    Susan Howard Level 3 Level 3 (715 points)

    Hi Pete,

    Sorry, he didn't say. I don't have that info.

  • 23. Re: Why does Apple not provide a proper AV for OSX?
    petermac87 Level 5 Level 5 (4,205 points)

    I didn't think you would.

    Pete
