Snitches get stitches: Little Snitch bugs were a blessing for malware
Now-patched kernel-level flaw in OS X app firewall will be revealed this week
DEF CON A vulnerability in popular OS X security tool Little Snitch potentially granted malicious applications extra powers, undermining the protection offered by the software.
Little Snitch reports in real-time the network traffic entering and leaving your Apple computer, and can block unauthorized connections. It is a handy application firewall that reveals the information flowing out your system and the sources of those packets.
Unfortunately, it was trivial for a malicious app to bypass Little Snitch's network monitoring mechanisms, says security researcher Patrick Wardle.
Wardle is a former NSA staffer who heads up research at infosec biz Synack. He also discovered a heap overflow bug in Little Snitch's kernel extension code, which could be exploited by an installed application to gain administrator-level access via the security software.
This kernel-mode vulnerability will be the main focus of an upcoming presentation by Wardle on Little Snitch at the DEF CON hacker gathering in Las Vegas this week. He will also demonstrate how programs could silently disable Little Snitch's network filtering, and how an Apple bug fix made this previously unexploitable kernel bug exploitable on OS X 10.11.
Little Snitch tricked ... A slide from Patrick Wardle's forthcoming talk
Little Snitch is built by Austrian firm Objective Development Software. Wardle said its developers fixed the kernel-level flaw with the release of Little Snitch 3.6.2 without acknowledging his discovery. Pedro Vilaça aka osxreverser also found low-level bugs in Little Snitch that could be exploited to crash the Mac, or disable or bypass the network filtering: these were fixed in version 3.6.4, which was released last month.
Highlighting and pushing for improvements in Apple's malware defenses has been a major focus of Wardle’s research efforts for more than three years – you can find a bunch of his file-system security tools here. ®