Not all bugs are security problems


I understand if everybody takes this with a grain of salt given my particular predilection for Macintosh computers and OS X in particular, but there's been a lot of talk lately about the "increasing number" of found "security holes" on the OS X operating system.

Unfortunately, the folks who find these things are put under very little scrutiny and, it appears, rarely know (or at least fail to talk about) the difference between a bug and a security issue. Witness the current furor (visible on just about every Macintosh-oriented web site) about the 7 items found by Tom Ferris, a "security researcher" in California. His web site (security protocols) appears to be advertising-based, so it benefits him to draw as many interested visitors to his site as possible.

The seven issues (at least one of which has already been fixed by Apple) involve software crashes, mostly when processing image or downloaded files. Every one of them is some form of crash or heap overflow, and yet most are categorized as heap overflows or vulnerabilities, although I can find no evidence on his web site that he has actually created a proof of concept for execution of arbitrary code.

According to the "Severity: High" security vulnerability report for Safari 2.0.3, he has found 3 proofs of concept that cause Safari to crash. He lists these as causing "the application to crash, and or may allow for an attacker to execute arbitrary code". If the latter were true, it would be a serious bug, and would warrant all of the clamor to tighten security on the Macintosh.

However, in the absence of a proof of concept here, I think he's falling into the trap of many people who started looking at vulnerabilities under Windows: the assumption that all OS library code runs in some sort of privilege bubble and that code can be executed from the stack.

A bit of programming time on the Macintosh and you'll realize that this is much more of a UNIX system than Windows is, with a privilege model (thankfully both endorsed and enforced by Apple) that requires most code to execute in user space and under the user's privileges. Generally, this makes privilege escalation a harder task than, say, under Windows, where the OS has compatibility holes that make it more likely.

There is an article about Heap Exploitation on OS X at Phrack.org that describes one method of exploiting certain errors in WebKit, although no actual PoC exists for it that works, let alone works remotely.

In the end, there appears to be a lot of bug reporting being categorized as security probing, and I think that's diluting important messages to users.

I'm certainly not one for pushing this kind of important issue under the rug, and if it turns out that I'm wrong on this, I'll post another article and fix this one, but as far as I can tell (with >20 years of UNIX and Mac programming experience) these warnings are overblown. The bugs will lead to user annoyance, but not data loss or privilege escalation or the execution of arbitrary code, which are the key concerns.