Modernizing Authentication — What It Takes to Transform Secure Access
Iozzo today delivered a session on Mac OS X hacking here at the Black Hat security conference, where he attempted to show how he had developed a new vulnerability that allows for a hacker to executes arbitrary code on Apple's OS X.
But if anything, the effort demonstrated that Apple users don't have much to fear -- for now, at least.
Iozzo's finding hinges on injecting a malicious payload directly into OS X memory, bypassing some of Apple's security filters. According to the researcher, an attack by way of memory injection marks a potentially new and dangerous attack vector for the Mac, which thus far has been largely exempt from the threat of malware plaguing Windows systems.
While it's unclear whether Iozzo's discovery could be a harbinger of things to come for Apple users, the attack could have wide-reaching implications, since it may also potentially lead to exploitation of Apple's iPhone, which shares a similar structure and uses the Safari Web browser, Iozzo said.
Apple spokespeople did not return a request for comment on the presentation by press time.
Iozzo's presentation at Black Hat comes barely a week after Apple last patched Mac OS X in an update that one security researcher criticized as having taken too long to fix a particular Safari flaw.
Black Hat sessions on Mac security are somewhat of a recent tradition. Earlier this year in a Webcast, researchers discussed Apple Mac security and alleged that the best security feature of OS X is its market share -- or lack thereof. The Black Hat Las Vegas 2008 conference also included a pair of Mac security sessions where released a Mac OS X rootkit called Irk. A year ago at Black Hat DC 2008, security researcher Tiller Beuchamp released a Dtrace-based toolfor offensive and defensive security operations on a Mac.
Iozzo's latest vulnerability findings involve encapsulating shellcode that he calls an autoloader, and injecting it into binary code. The next step is to execute the autoloader in the address space of the attacked process in order to deliver the payload.
In a detailed presentation today, Iozzo explained how his new technique could exploit OS X memory. He noted that his autoloader impersonates the Mac OS X kernel, un-maps the old binary from an existing application process and then maps the new one on the victim's Mac.
Apple's Mac OS X uses a technique called Address Space Layout Randomization (ASLR) that could potentially thwart such attempts at memory infection by scrambling memory. But an autoloader could be able to get around ASLR, since not all memory libraries are always randomized, he said.
This article was first published on InternetNews.com.