
Why does Apple not provide a proper AV for OSX?

I just found out that AVIRA AV was making my Time Machine backup non-working. During the troubleshooting I found a lot of support community posts that point to AV programs besides AVIRA (ESET for example) when it comes to Time Machine backup problems.


Apple should (like Microsoft has done for a couple of years now) provide its own, properly integrated AV solution.

Maybe partner up with one of the big vendors (Kaspersky or whatever) for definition updates.


And don't tell me Mac does not need AV. Read the news 😉

MacBook Pro with Retina display, OS X Mountain Lion (10.8.3)

Posted on Mar 29, 2013 7:21 AM

23 replies

Mar 29, 2013 2:50 PM in response to MadMacs0

Hello MadMacs0,


first off: thanks for actually talking about the topic instead of just hating…

I get a pretty aggressive vibe here. I mean, I am sorry if I have offended someone here, but it seems that people here just get offended by the notion that Apple is not perfect…


Back to the topic:


Yeah, Gatekeeper is not a firewall; I associated the Gatekeeper term with the firewall functionality of the "OS X security system", if I may call it that.


Also I will admit up front that I have not yet read up too much on the OS X security system. But I now will do so, because this thread gets me even more curious.


Signature-based detection might not be the perfect 100% security solution to keep every machine secure, but what about the stuff that is out there and well known? What would be the point in getting infected by a year-old worm/virus/threat, whatever?


Again, I haven't studied XProtect yet, but if it does actually contain signatures and scan files, then it would be like a basic virus scanner integrated into OS X. Which is fine by me, but seems to have worked up some people above?!


However, to this moment I believe that XProtect does not really act as an on-access signature scanner but rather matches hashes of Safari downloads and installation routines.


But what about filetype exploits? Especially the widespread PDF format is a basic door for exploits.

What would be the harm in scanning a PDF file and disallowing further computation if it contains a well-known malware routine?


Heuristic is a really biased term. Let me formulate it a bit differently: on a basic level, a lot of modern operating systems (OS X and Windows 7/8 included) tend to be not as secure as one might think. Most exploits out there are memory based (heap/stack overflows) that can only exist and work because programs are able to read and write to RAM wherever they want.


Try dumping your memory and searching for passwords in there. I actually did that on my OS X 10.8.3 and my Windows 7 PC at work. I found my password like 10 times in cleartext in the memory on OS X and not a single time on the Windows 7 machine.


Yes, bad programming is not Apple's fault. But did I say that anywhere above? I did not. I asked why Apple does not distribute a virus scanner of their own that does not do exactly what other people above think I want in AV software.


I would like a lean and optimized routine integrated in OS X that scans files on access for well-known malware/exploit code/malicious code… Until now I learned that XProtect already kind of does this.

This makes me even more irritated at the people above that call me a stupid and ignorant Windows user, but whatever…


You also seem to compartmentalize the security of the operating system and 3rd party software strongly. On what basis do you do that? One thing is from Apple and the other thing is not? That does not prevent either one from being targeted by an exploit.


I disagree with the opinion that there are no currently known threats for a fully up-to-date OS X. Java had a bunch of exploits, and OS X and even Apple as a company got directly targeted with Java exploits. Again you can say this is not Apple's fault, and I agree the exploit itself is not in Apple's code, but the way an exploit of Java can lead to full operating system compromise (privilege escalation) is in the hands of Apple to prevent.


You say that Java/GateKeeper might be able to prevent this, but that would actually make XProtect/Gatekeeper even more of an "AV" software. It would scan code that is to be executed and match it against a signature base. AV software does the same…


Jailbreaking imho has everything to do with the topic, as iOS is the second operating system from Apple and, like OS X, it is based on the Darwin Unix kernel. iOS is locked down by default, and the way jailbreaks unlock iOS is most of the time done via exploits in some software that comes shipped with iOS. It was already done with 3rd party apps (games for example), but as mentioned previously it was also already accomplished via a PDF exploit in the Safari PDF interpreter. So jailbreaking in fact only exists because there are exploits available in Apple's code.


I don't read Apple forums regularly, but I created this one thread and I just got hate for even mentioning AV could have a purpose in OS X. The 6th reply from Susan Howard suggests that "A Mac" is all the AV software you need...


@mende1: also thanks for posting something relevant instead of plain hating.


@Wiliam Lloyd: I agree aggressive AV *****, that's why I initially asked for a properly integrated AV/security system coming directly from Apple (I would compare it to Microsoft Essentials, without really judging the quality of that right here).


@Csound1: just hate anywhere else….


@John Galt: rereading your 2 posts I might have overreacted, as I was a bit ****** about the general belittling attitude here… Sorry for that.


@Eustace Mendis:


Searching for "osx" in a freshly updated msf I get this result:





But the sheer number of exploits in a single public framework should not be the basis to weigh security. Metasploit is more like a framework for people in the IT security field to test and distribute exploit proofs of concept, to support penetration testing and so on.


The mere fact that there is a native OS X Meterpreter and a cross-platform Java Meterpreter, including post-exploitation modules that work on OS X, should be enough to see that OS X is not the untouched platform it was in the past.


You can also find exploit POCs for OS X programs here: http://www.exploit-db.com/


So maybe my first post was a bit short, aggressive? Or even provocative? I don't know, but I am here to discuss a real topic, and I would love to learn more about OS X's security model here in a nice and civilized discussion. I heard that was what forums were for. Again, maybe I also answered aggressively before; let me again say sorry for that.


Regards

Sebastian

Mar 29, 2013 3:00 PM in response to sebastian brabetz

I kinda lost the thread on heuristics: I would want a security software/AV, whatever, to monitor basic APIs and prevent obvious mischief. That's what I would expect from a heuristic.


Also, if it is still unclear why I would want AV software, let's consider this scenario:


A drive-by Java exploit infected my computer with a bad program. This program tries to stay operative in my OS, so it writes itself into some nifty location/script which will trigger it on every reboot.


Let's say this all happened with a 0-day that no AV software would have detected. But after a week, on the 7th reboot of my machine, there is a signature update. On the 8th reboot the AV scanner's HDD read/write API hook would scan the binary/script and find a match in its signatures.


If it could not remove it properly, it could at least warn me about this issue, and I could take action and reinstall my machine.


Sure, there are already bad boys out there that can trick AV software and can hook an API in front of the AV, but should that be a reason to not care and try to prevent this altogether?
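The "8th reboot" scenario above, and the earlier remark that XProtect matches hashes rather than scanning on access, both come down to the same mechanism: a signature set checked against what the persistence locations point at. The following is an added example, not code from this thread, from Apple or from any AV vendor; it builds a throwaway LaunchAgents directory with a constructed fake payload, scans it once with an old signature set (no match) and once after the "update" (match).

```python
"""Toy persistence scanner for the "8th reboot" scenario in the post above:
hash signatures matched against whatever LaunchAgent plists point at.
Added example, not Apple's XProtect or any vendor's engine; every path,
plist and 'payload' is constructed inside a temporary directory."""
import hashlib
import plistlib
import tempfile
from pathlib import Path

FAKE_PAYLOAD = b"CONSTRUCTED-FAKE-PAYLOAD, not real malware"

def sha256_of(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def scan_launch_agents(agents_dir, signatures):
    """Return [(label, program, digest)] for each plist whose Program, or
    first ProgramArguments entry, hashes to a digest in `signatures`."""
    hits = []
    for plist_path in sorted(Path(agents_dir).glob("*.plist")):
        with open(plist_path, "rb") as f:
            plist = plistlib.load(f)
        program = plist.get("Program") or (plist.get("ProgramArguments") or [None])[0]
        if not program or not Path(program).is_file():
            continue  # dangling entry: nothing to hash (a real tool would log it)
        digest = sha256_of(program)
        if digest in signatures:
            hits.append((plist.get("Label", plist_path.stem), program, digest))
    return hits

def build_sample_agents(root):
    """Construct one benign agent and one whose program is the fake payload."""
    agents, bins = Path(root, "LaunchAgents"), Path(root, "bin")
    agents.mkdir(); bins.mkdir()
    benign, evil = bins / "updater", bins / ".cache_helper"
    benign.write_bytes(b"#!/bin/sh\necho ok\n")
    evil.write_bytes(FAKE_PAYLOAD)
    for label, prog in (("com.example.updater", benign), ("com.example.helper", evil)):
        with open(agents / f"{label}.plist", "wb") as f:
            plistlib.dump({"Label": label, "ProgramArguments": [str(prog)],
                           "RunAtLoad": True}, f)
    return agents

def demo():
    """Scan the same files before and after a signature update; return both hit lists."""
    with tempfile.TemporaryDirectory() as root:
        agents = build_sample_agents(root)
        old_sigs = {hashlib.sha256(b"some older known sample").hexdigest()}
        before = scan_launch_agents(agents, old_sigs)  # 0-day: nothing matches
        new_sigs = old_sigs | {hashlib.sha256(FAKE_PAYLOAD).hexdigest()}
        after = scan_launch_agents(agents, new_sigs)   # update lands: match
        return before, after
```

A whole-file hash is the narrowest possible signature: any single-byte change to the payload misses, which is why real engines layer fuzzy and behavioural rules on top of it.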
