Even Steve Jobs doesn't like it.
Despite their repeated commercial and media successes Apple are hobbling on a wooden leg. They're burdened by the past and by 'graybeards' both within and without their organisation. They're trying to do two things at once. And time and again they get whacked for it.
Charlie Miller's recent presentation at Black Hat brings it all to the surface again. Not focusing on Apple design deviations from the tried and true Unix norm but focusing instead on Apple's (lack of) security response procedures, Charlie demonstrated just how easy it is to pick holes in Apple's 'rock solid foundation'.
- Make a list of all open source modules Apple use.
- Compare Apple version numbers with open source version numbers.
- You'll most often find Apple sorely behind the times.
- Read the open source 'change logs' for modules with a version disparity.
- Look for evidence of bugs that have been fixed in the open source versions.
- Test the current Apple versions for these bugs.
- Create exploits from these vulnerabilities.
Charlie and his team 'moonlighted' over a two week period to create their iPhone exploit. The exploit was not limited to the iPhone: it was a Safari exploit that worked not only on the iPhone but on OS X, on the iPhone for Windows, on the Safari 3 beta for OS X, and on the Safari 3 beta for Windows.
The flaw was found in the Perl regular expression module. The module is open source. Its current version is 7.2. Up until 31 July Apple's current version was 6.2 - two and one half years old and out of date - and it was flawed. Apple never bothered updating it.
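The first steps of the comparison described above, as an added example that is not code from the original post: an inventory check that flags bundled open-source modules whose shipped version trails the upstream release, which is where a defender reads the upstream change log for fixes that never arrived downstream. Module names, dates and the upstream table are constructed sample data; only the pcre 6.2 versus 7.2 figures come from the post.

```python
# Added example, not code from the original post. Inventory, upstream table
# and dates are constructed; only the pcre 6.2 vs 7.2 figures come from the post.
import re
from datetime import date

def parse_version(v):
    """Turn '7.2', '2.6.27' or '1.0.1b' into a comparable tuple.

    Numeric pieces compare as integers and a trailing letter suffix
    lexically, so '7.2' > '6.10' and '1.0.1b' > '1.0.1'.
    """
    parts = []
    for piece in v.split('.'):
        m = re.fullmatch(r'(\d+)([A-Za-z]*)', piece)
        if not m:
            raise ValueError(f'unparseable version component: {piece!r}')
        parts.append((int(m.group(1)), m.group(2)))
    return tuple(parts)

# module -> (version the vendor ships, date the vendor last updated it)
VENDOR_INVENTORY = {
    'pcre': ('6.2', date(2005, 1, 31)),
    'zlib': ('1.2.3', date(2006, 3, 1)),
    'openssh': ('4.5', date(2006, 12, 1)),
}

# module -> current upstream release (constructed placeholders except pcre)
UPSTREAM_RELEASES = {
    'pcre': '7.2',
    'zlib': '1.2.3',
    'openssh': '4.6',
}

def audit(inventory, upstream, as_of):
    """List (module, shipped, current, days_behind) for modules trailing upstream.

    days_behind counts from the vendor's own update date to the audit date:
    that is the window in which fixes documented in the upstream change log
    could have stayed unapplied downstream, which is where to look first.
    """
    findings = []
    for module, (shipped, shipped_on) in sorted(inventory.items()):
        if module not in upstream:
            continue  # nothing to compare against
        if parse_version(shipped) < parse_version(upstream[module]):
            findings.append((module, shipped, upstream[module],
                             (as_of - shipped_on).days))
    return findings

if __name__ == '__main__':
    for module, shipped, current, days in audit(VENDOR_INVENTORY, UPSTREAM_RELEASES, date(2007, 7, 31)):
        print(f'{module}: ships {shipped}, upstream is {current}, {days} days behind')
```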
Microsoft have an impossible situation: they have to continually apply band-aid patches to a system that's endemically leaky and hopeless. But the onslaught of the legions of hackers has taught Microsoft a few things. They've had to learn to take security seriously (even if no one can take their operating system seriously).
Microsoft have had to keep their software up to date. There's no collaboration with open source to speak of because Windows is a closed proprietary system. This makes things easier for them.
Because of the acutely embarrassing situation they're in and because no amount of paid news pieces trying to downplay the severity of their situation can help in the long run they've also had to try to force updates on their users. This isn't done to protect users - this is done to protect Microsoft. But the effect is the same.
Microsoft keep things up to date and they propagate the changes effectively.
Apple are the 'great hope' of the resistance. They run something very close to Unix and have the greatest market share of all the Unix alternatives. But Apple are burdened heavily by their reluctance to dispense with 'graybeard' technology.
Before NeXT and Unix came to Apple the Cupertino company didn't have a leg to stand on - not even a wooden one. Their so called operating systems - a joke in the industry at large - crashed when idling. No Microsoft abomination was ever that bad. Apple had attempted to write their own secure 32-bit system much as Microsoft had contracted DEC's Dave Cutler to write theirs but Apple's attempt failed miserably. Apple outsourced for the system just like Microsoft did.
Apple got the better deal. Dave Cutler's NT, an offshoot of the bulletproof VMS, was meant as a server operating system; only late in the game - when Microsoft felt confident Cutler was so deep into his project no setback would be too great - did they tell him their true plans: make a workstation operating system too and put a GUI on both.
Cutler's reaction to this news is legendary. And all Cutler did was change two Registry keys to keep workstation clients from accessing the more advanced features the server clients could use. In all other aspects the workstation and server systems were identical.
And this is where Cutler - and Microsoft - failed. Cutler's security model for NT was perfect. It was more than adequate. As long as it was used as a server operating system and no more. The server was locked in a locked fireproof vault. Only authorised admins had access to the vault. It ran in console mode and probably wouldn't have to be reset more than once a year. It was stable, it was reliable - and it apportioned resources on a strict access token basis.
Workstation users had no physical access to the server. They couldn't connect to it in the ordinary sense. They couldn't browse its file system or read things there. They had to ask the server for permission.
The server sat there and waited for incoming requests. It held all the cards. Either you were authorised or you didn't get in. Period. Watertight. Bulletproof.
Putting this on a machine accessible by ordinary users downloading software all over the place and connecting to the Internet changed the ball game. And Cutler's NT wasn't ready for it. Not by a long shot.
Microsoft did manage to get a C2 certification for NT. The certification was based on the assumption that no external devices could be arbitrarily hooked up to the system and no 'interlopers' could gain access to it. Which is tantamount to certifying that a leaky boat won't sink as long as you don't put it in the water. And it's very similar to Apple's recent Unix 03 certification: it says only that development tools and source files will work on all Unix 03 platforms. It doesn't say Apple's system from a user perspective is at all like Unix is supposed to be. Even Microsoft are getting 'Unix' certifications and Microsoft are about as far from Unix as any company can be - even farther away than Apple.
But Apple didn't have to be far away at all. The OpenStep they inherited from NeXT ran a clean interface between a bewilderingly brilliant GUI and a completely standard FreeBSD kernel - albeit with a MACH core. The reasons NeXT chose to do things this way were manifold but one of the more obvious and appealing reasons was that they were spared the work involved with keeping the kernel up to date. That could - and should - be done by the FreeBSD crew instead. And for that matter FreeBSD is much more than just a kernel: it's an entire (console mode) operating system. NeXT were given a complete platform on a silver platter. And used it. And Apple were given the same complete platform on the same silver platter but they didn't use it. Not as it was intended to be used.
Stuck in the quagmire of 1997 NeXT/Apple chief of software Avie Tevanian actually suggested gutting the entire OpenStep and starting anew. He understood that Apple were 'different'. If any consideration had to be made to the way Apple previously had done business they'd be in for a doomed marriage. The prevalence of Unix and Unix thinking in the most remote corners of the computing world is undeniable but it's never made it to Cupertino. When the rest of the world was thinking platform independence and open systems and the C programming language Apple were putting up Pascal programming posters in their offices. When even the most recalcitrant of institutions of higher learning were finally making the move from the schoolbook Pascal to the industrial strength C Apple were still wallowing in the past.
Apple had a few good ideas back then. They could tie documents to applications without the need for file extensions. To do this they had to create alternate 'streams' in the documents themselves. From a security standpoint in the connected era this is a gaping hole begging for exploit but back in the days of the overly simplistic dumbed down beige box with its two applications and no wires leading to the world outside it worked nicely.
Apple also made sure people couldn't lose files. Their file system kept track of things not by disk path but by internal IDs. If you moved a file the system would see it and update its internal records.
These were user friendly features people appreciated. What people didn't appreciate was how their systems ran out of memory, crashed on startup because of extension conflicts, how malware crept in so easily, and how they couldn't effectively communicate with the world outside.
The world outside never got past file extensions and the world of security will never allow alternate data streams inaccessible to the user but eminently accessible to the hacker. The Oompa Loompa exploit made it perfectly clear alternate data streams inaccessible to the user are a disaster.
But moving to OpenStep and thereby FreeBSD Unix was more than learning to cope with file extensions; and moving to the Internet was more than dispensing with alternate data streams. Apple's foundation file system HFS was totally incompatible with Unix and there were no two ways about it.
Avie's somewhat sarcastic suggestion to gut everything and start again - despite the $429,000,000 investment Apple had made in OpenStep - was of course not taken seriously. Instead Avie and his NeXT engineers set about trying to recreate the magic of OpenStep and veer as little as possible from the clean interfaces they'd so enjoyed.
They ran into snag after snag. Steve Jobs previewed the new file manager for a select group of third party 'Apple' developers and got booed off stage - mostly because the name of the program wasn't 'Finder' any longer. When Apple came back and presented the replacement - this time again named 'Finder' - there wasn't a murmur despite the two programs being functionally (and in terms of actual appearance) equivalent.
When Apple told their 'graybeard' developers to start thinking about the fact their users would be connected to the Internet and would need basic interoperability they got overrun with rabid pathological fanboy protests.
Apple may claim they are 'Unix 03' compatible and have the paper to prove it (and it cost them major cash to be so certain about that) but that doesn't even suggest the Apple OS X experience is anything like the standard Unix experience. And it's not - Apple remain the only vendor anywhere who have dared show such disrespect to the work of Ken Thompson, Dennis Ritchie, and all the rest at Bell Labs, at Berkeley, and everywhere. Apple bastardised Unix pure and simple and even Microsoft wouldn't dare do that.
But Apple are paying a price. For because they can't just take in open source code from around the world and amalgamate it into their system they can't possibly hope to keep up either. Apple long had an 'open source' project for their 'version' of FreeBSD. They called it 'Darwin'. But Darwin was never really open and the project managers - themselves Apple employees - called Apple out in the matter and in the end closed the project down. Apple wouldn't disclose what changes they'd made to the FreeBSD core.
The changes Apple have to make to all open source coming in are not trivial. At each and every twist and turn and bend in the road they have to 'merge' their own code with what the open source community are doing in the outside world. They have to do this because their system is not identical - it contains graybeard beige box artifacts. These artifacts are thankfully not in open source code. When Apple get a new version of an open source module they have to put their beige box artifacts in again. This takes time.
It takes time from the continual hysterical cycle of always coming out with new designs and new products to keep sales alive in their single digit market. It takes time from putting all the fancy graphic doodads in the interface. It takes time from putting rounded corners on dock menus and making the dock three dimensional, reflective, and transparent. It takes time from adapting the CoverFlow code Apple bought outright (and not wrote themselves) into their system. It takes time from tweaking all the features that are going to get media attention and create showroom flash.
Things can therefore be expected to drag when it comes to proper security procedures. Gaping holes like those Opener humiliated Apple with can take several years to plug. Others that noted security researcher Kevin Finisterre has been nagging about for almost five years can obviously wait even longer. And when it comes to true Unix compatibility you can just forget it: at every fork in the road Apple have demonstrated they are not a player and will always opt to smear someone rather than own up to the fact they're hobbling on a wooden leg.
'Send Windows Friendly Attachments' and such rot: what you're doing in such case is getting rid of the abominable resource fork. And making sure no 'AppleDouble' nonsense is being attached. Such a method of attaching is also coincidentally 'Ubuntu Friendly', 'Zonbu Friendly', 'Mandriva Friendly', 'Gentoo Friendly', 'Kubuntu Friendly', 'AIX Friendly', 'SCO Friendly', 'HP/UX Friendly', 'FreeBSD Friendly', 'NetBSD Friendly', 'OpenBSD Friendly', 'Slackware Friendly', 'MS-DOS Friendly', and 'Apple DOS Friendly'. The alternative - to send attachments with resource forks/AppleDouble nonsense - isn't friendly to anyone else. Not a single system. Which is rather embarrassing, isn't it? So it's better from a PR spin doctor standpoint to just blame Microsoft again.
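What 'friendly' means in bytes, as an added example that is not code from the original post: a small parser for the AppleDouble header (magic, version, entry table) and a check that flags attachments carrying one, or named in the `._` style, before they go out to a non-Mac recipient. The sample attachments and the AppleDouble blob are constructed here, not captured from a real mailer.

```python
# Added example, not the post's code. The AppleDouble blob below is constructed.
import struct

APPLEDOUBLE_MAGIC = 0x00051607
ENTRY_NAMES = {1: 'data fork', 2: 'resource fork', 3: 'real name', 9: 'Finder info'}

def parse_appledouble(blob):
    """Return [(entry name, offset, length), ...], or None if not AppleDouble.

    Header: magic (4), version (4), 16 filler bytes, entry count (2), then
    12-byte descriptors of (entry id, offset, length); all big-endian.
    """
    if len(blob) < 26:
        return None
    magic, _version, count = struct.unpack('>II16xH', blob[:26])
    if magic != APPLEDOUBLE_MAGIC:
        return None
    entries = []
    for i in range(count):
        off = 26 + 12 * i
        if off + 12 > len(blob):
            break  # truncated entry table: report what is present
        eid, start, length = struct.unpack('>III', blob[off:off + 12])
        entries.append((ENTRY_NAMES.get(eid, f'entry {eid}'), start, length))
    return entries

def unfriendly_attachments(attachments):
    """Flag (name, reason) for attachments only a Mac can make sense of."""
    flagged = []
    for name, blob in attachments:
        entries = parse_appledouble(blob)
        if entries is not None:
            forks = ', '.join(e[0] for e in entries) or 'no entries'
            flagged.append((name, f'AppleDouble carrying: {forks}'))
        elif name.startswith('._'):
            flagged.append((name, 'AppleDouble-style name, no valid header'))
    return flagged

def build_sample():
    """Construct an AppleDouble blob holding Finder info and a resource fork."""
    finder_info, rsrc = b'\x00' * 32, b'RSRC' * 4
    body_start = 26 + 12 * 2  # two descriptors follow the fixed header
    header = struct.pack('>II16xH', APPLEDOUBLE_MAGIC, 0x00020000, 2)
    header += struct.pack('>III', 9, body_start, len(finder_info))
    header += struct.pack('>III', 2, body_start + len(finder_info), len(rsrc))
    return header + finder_info + rsrc

SAMPLE_ATTACHMENTS = [  # constructed, not captured from a real mailer
    ('report.pdf', b'%PDF-1.4 ...'),
    ('._report.pdf', build_sample()),
    ('._notes.txt', b'a plain file with an AppleDouble-style name'),
]
```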
Charlie Miller's presentation at Black Hat in Las Vegas on 2 August brings it all home. Charlie's attack vector against Apple was not limited to the iPhone but it was one of two tried and true methods to bring Infinite Loop down: either find where Apple security procedures are lacking or find where cockamamie Apple design decisions in their deviance from secure Unix system architecture leave them wide open. In both cases you can blame the graybeards.
Switchers to OS X from other platforms don't give a flying fuck about resource forks, HFS, creator codes, file type codes, or any of the rest of the tommyrot the graybeards can't let go of. Switchers to OS X from other platforms regularly tell graybeards to eat shit and die. Switchers to OS X today greatly outnumber the increasingly geriatric graybeards who by now are ready for rocking chairs and Gerbers and leaving the world of computing and the Internet behind. And Steve Jobs is known to hate all that beige box shit anyway.
Apple ought to start looking twice at their market demographic and get rid of that silly wooden leg.
Postscript 1: 'Unfriendly Attachments'
Following is a more complete list of operating systems 'unfriendly' to Apple.
64 Studio, A/UX, Adamantix, Adminsparadise, AIX, aLinux, AliXe, ALT Linux, Amber Linux, AMiLDA, AndLinux, Annvix, Apple DOS, Aquamorph, Arch Linux, Ark Linux, Arudius, Asianux, ASLinux Desktop, ASPLinux, AtheOS, ATmission, Aurox, Austrumi, BackTrack, Baltix, Bayanihan Linux, BeatrIX, Beejex, Berry Linux, Bharat, Big Linux, BinToo, BKUNIX, BLAG Linux, Bluewhite64 Linux, Bonzai Linux, Boss Linux, BSD, c't-VDR, CAELinux, Caiza Mágica, cAos Linux, Catix, CentOS, ClarkConnect, Coherent, Cooperative Linux, Coyote Linux, CP/M, CRUX, CryptoBox, Cytrun Linux, Damn Small Linux, DARKSTAR, DD-WRT, Debian, DeepStyle, DeLi Linux, DeMuDi, Dettu, DeveLinux, Devil-Linux, Domain/OS, DreamLinux, dyne:bolic, easys, EBox, Echelon Linux, Edubuntu, EduLinux, EHUX, Eisfair, Elive, ELKS Linux, Endian, EnGarde Secure Linux, epiOS, ESA/390, Etoile, Familiar Linux, Fantoo, Feather Linux, Fedora, Finnix, Firecast, Flash Linux, Fli4l, Foresight, Fox Linux, FreeBSD, FREESCO, Freespire, Frugalware, GC-Linux, GeeXboX, Generations Linux, Gentoo, GENtOS, Gibraltar, gNewSense, Gnoppix, gnuLinEx, GnYOUlinux, GoboLinux, Guadalinex, Hard Hat Linux, Hardened Linux, Heretix, Hikarunix, Hiweed, HP/UX, IBLS, Idris, ImpiLinux, IPCop, IRIX, JackLab, Jedi, Jlime, Julex, K12Linux, Kalango, Kanotix, KateOS, Knopperdisk, Knoppix, Kororaa, Kubuntu, KubuntuME, Kurumin, Linkat, Linomad, Linspire, Linux From Scratch, Linux Mint, Lunar Linux, Mandriva, MCNLive, Medeix, mediainLinux, MeNTOPPIX, Mepis, MicroVMS, MiniMyth, MINIX, MnOS, Mobilinux, MontaVista Linux, Morphix, MS-DOS, Murix, Musix, Mutagenix, MVS, myOS, NASLite, Navyn OS, NepaLinux, NetBSD, Nethack Linux, NeXTSTEP, NimbleX, NSA Linux, Ntix, nUbuntu, Omega, Onebase Linux, Open Zaurus, OpenBSD, OpenDevelop, OpenStep, OpenVMS, Operator Linux, OS/390, Oz Enterprise, PAIPIX, Pardus, PC-UX, PC/IX, PCLinuxOS, Peerix, Pentoo, Phrealon, Pie Box Enterprise Linux, Pingo Linux, PingOO, Plamo Linux, Plan 9, PLD Linux, PS2 Linux, Pumix, Puppy Linux, QiLinux, QNX, Red Flag Linux, Red Hat, Research Unix, ROCK Linux, Rocks Cluster, rPath, RSX, RUNT, RXART, Sabayon Linux, Salocin, SAM Linux, Sauver, Scientific Linux, SCO, Sentry Firewall, sidux, SINIX, Skolelinux, SkyOS, Slackintosh, Slackware, Slamd64, SLAX, SLinux, SlugOS, SmoothWall, Solaris, Sorcerer, Source Mage, Splack Linux, Sprite, Sun Wah, SuSE, Syllable, Symphony, System V, System/360, System/370, SystemRescueCd, T2 Linux, TA-Linux, Talon, TimeSys Linux, tomsrtbt, TopologiLinux, Trinux, Trisquel, Trix, Tru64, Trustix, Truva Linux, Tuga, TUNIS, Tuquito, Turbolinux, Uberyl, Ubuntu, Ubuntu Studio, Ultima Linux, Ultrix, UMIX, Underground Desktop, Unicos, Uniflex, UnixWare, Ututo, Vector Linux, Venix, VidaLinux, VigaanCD, Vine Linux, VM, VMS, White Box Enterprise Linux, Wolvix Linux, Xandros, Xebian, Xenix, Xinu, Xubuntu, YaKA, Yellow Dog, YOPER, z/OS, Zen Linux, Zenwalk Linux, ZeroShell, Zonbu.
Postscript 2: 'Friendly Attachments'
Following is the complete list of operating systems 'friendly' to Apple.
Thanks to Devon at Pixel Groovy for the excellent artwork.