Slashdot Mirror


Apple Forcing Panther Upgrade for Security Patch

The Raindog writes "I noticed over at Tech Report that Apple is apparently only offering its latest round of OS X security fixes to Panther users, leaving older versions of OS X out in the cold. " Update: 10/31 by J : But see the next day's story.

10 of 605 comments

  1. Ouch. by DrEldarion · · Score: 2, Interesting

    I remember how people reacted when they found out that Microsoft was going to stop patching Win98. At least they had the decency to wait 5 years. OSX is a really new product, why would they stop putting patches out so soon?

  2. A subtle prod to upgrade, or a bluff? by Octagon+Most · · Score: 2, Interesting

    This is a typical Apple bluff. Of course they want everyone to upgrade (and pay $129 yet again), and hope to encourage users to do so with new features (such as the drool-worthy Expose). Apple has many times tried to cut off support for earlier versions of an OS and had to eventually relent. Sometimes it takes a lawsuit for them to do so. OS X is just getting some great press so it would be very damaging if the bad press from this decision serves to highlight a security vulnerability in what is otherwise being lauded as much more secure by design than any flavor of Windows. Expect Apple to quietly issue a patch for 10.2.

  3. If true, leaves Beige-G3 users out in the cold by tmoertel · · Score: 2, Interesting

    I, like many other folks, run OS X 10.2 (Jaguar) on an older, "Beige" G3, which is not supported by Panther. Unless Apple provides security patches for Jaguar in addition to Panther, Beige-G3 owners like me will be stuck with an OS that had known security holes and no reasonable way to plug the holes.

    That's so wrong that I have a hard time believing that this is actually Apple's position. I expect that we'll hear from Apple shortly, and they will clarify their position -- that the patches for 10.2 will be out Real Soon Now.

    But if not, Apple's going to get a lot of bad PR from this.

  4. But don't you need physical access to the computer by charlie_vernacular · · Score: 2, Interesting

    I just looked at the BUGTRAQ mailings, and I get the impression that you need physical access to the computer to break in to it. Have I got that right? I'm no expert, but I've always assumed that given physical access to a computer, a decent hacker could easily have their evil way with it. Of course that doesn't excuse Apple's failure to provide a patch and their rather glib upgrade suggestions.

  5. Elvis sighted playing poker with JFK! by dafz1 · · Score: 2, Interesting

    "'In my initial conversations with them, they said they weren't going to fix 10.2, but I wouldn't be surprised if they change that,' he said."
    "'...this is the first time they have hinted that they will not be supporting any particular OS X version for more than that year...'"
    Though Apple has been slow in providing updates to fully support their hardware in OS X (e.g. the ATI driver issue), this story is based on speculation on the part of the people interviewed. Also, there is no comment from Apple, so much for quality journalism.

  6. Have you looked at the details of the bugs? by masonbrown · · Score: 4, Interesting

    From the site at @stake....

    Release: 10.28.03
    Name: Long argv[] Buffer Overflow
    Application: Mac OS X
    Platforms: Mac OS X 10.2.8 and below
    Severity: Attacker can crash Mac OS X and possibly execute commands as root
    Author: Matt Miller and Dave G.
    Overview: It is possible to cause the Mac OS X kernel to crash by specifying a long command line argument. While this primarily affects local users there may be conditions where this situation is remotely exploitable if a program which receives network input spawns another process with user input. It is possible to use this condition to dump small portions of memory back to an attacker.

    Release: 10.28.03
    Name: Systemic Insecure File Permissions
    Application: Finder (and many others)
    Platforms: Mac OS X 10.2.8 and below
    Severity: High
    Author: Dave G.
    Overview: Many applications are installed onto Mac OS X systems with insecure file permissions. This is due to two distinct classes of problems:

    A security issue regarding DMG files managed by Mac OS X
    Insecure file permissions packaged by different vendors

    The result is that many of the files and directories that compose various applications are globally writable. This allows attackers with filesystem access to an OS X machine to replace binaries and obtain additional privileges from unsuspecting users, who may run the replaced version of the binary.

    Release: 10.28.03
    Name: Arbitrary File Overwrite via Core Files
    Application: Kernel
    Platforms: Mac OS X 10.2.8 and below
    Severity: High
    Author: Dave G.
    Overview: In the event a system is running with core files enabled, attackers with interactive shell access can overwrite arbitrary files, and read core files created by root owned processes. This may result in sensitive information like authentication credentials being compromised.

    Yeah, they're bugs, and yeah, it's possible. But don't these phrases kinda limit the scope?

    "While this primarily affects local users"

    "This allows attackers with filesystem access"

    "attackers with interactive shell access"

    So to me this doesn't mean the end of the world, or that all my data is wide open and exploitable from the public internet. I'm guessing they'll patch it when they can, and the fact that it's patched in X.3 probably means they're using a different release of the software in question that is inherently invulnerable to these issues.
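
    The "Systemic Insecure File Permissions" advisory quoted above boils down to one check an administrator can run on a box: which regular files and directories under an application tree are writable by "other". The following is an added example (not code from the thread, from @stake, or from Apple) that walks a directory with nftw() without following symlinks and counts such entries, ignoring sticky-bit directories such as /tmp where the bit confines deletion and rename to the owner. The demo_scan() fixture builds a throwaway directory with one 0666 file and one 0644 file; the path template and file names are made up for the example.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <ftw.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* A regular file or directory that "other" can write is a candidate for
 * the binary-replacement attack the advisory describes. Sticky-bit
 * directories are excluded: there, world-writable means "anyone can
 * create", not "anyone can replace someone else's file". */
static int mode_is_world_writable(mode_t mode)
{
    if (!(mode & S_IWOTH))
        return 0;
    if (S_ISDIR(mode) && (mode & S_ISVTX))
        return 0;
    return S_ISREG(mode) || S_ISDIR(mode);
}

/* nftw() gives the callback no user pointer, so the tally is static. */
static unsigned long g_hits;
static int g_verbose;

static int visit(const char *path, const struct stat *st, int flag,
                 struct FTW *ftwbuf)
{
    (void)ftwbuf;
    /* FTW_F: regular file; FTW_D: directory visited pre-order.
     * Symlinks (FTW_SL) are skipped because FTW_PHYS does not follow them. */
    if ((flag == FTW_F || flag == FTW_D) && mode_is_world_writable(st->st_mode)) {
        g_hits++;
        if (g_verbose)
            printf("world-writable: %s (%04o)\n", path, (unsigned)(st->st_mode & 07777));
    }
    return 0; /* keep walking */
}

/* Walks root without following symlinks. Returns the number of
 * world-writable regular files and directories found, or -1 on error. */
static long scan_world_writable(const char *root, int verbose)
{
    g_hits = 0;
    g_verbose = verbose;
    if (nftw(root, visit, 32, FTW_PHYS) != 0)
        return -1;
    return (long)g_hits;
}

/* Constructed fixture: a temporary tree with one 0666 file ("replaceable.bin")
 * and one 0644 file ("safe.bin"). The scan should report exactly one hit. */
static long demo_scan(void)
{
    const char *base = getenv("TMPDIR");
    char tmpl[512], p_bad[600], p_ok[600];
    int fd;
    long hits;

    if (!base)
        base = "/tmp";
    snprintf(tmpl, sizeof tmpl, "%s/wwscanXXXXXX", base);
    if (!mkdtemp(tmpl))
        return -1;
    snprintf(p_bad, sizeof p_bad, "%s/replaceable.bin", tmpl);
    snprintf(p_ok, sizeof p_ok, "%s/safe.bin", tmpl);

    /* fchmod after open so the process umask cannot mask the test modes */
    if ((fd = open(p_bad, O_CREAT | O_WRONLY, 0644)) < 0) return -1;
    fchmod(fd, 0666);
    close(fd);
    if ((fd = open(p_ok, O_CREAT | O_WRONLY, 0644)) < 0) return -1;
    fchmod(fd, 0644);
    close(fd);

    hits = scan_world_writable(tmpl, 0);
    unlink(p_bad);
    unlink(p_ok);
    rmdir(tmpl);
    return hits; /* 1 */
}

int main(int argc, char **argv)
{
    /* With a path argument, scan it (e.g. an /Applications tree);
     * without one, run the self-contained fixture. */
    if (argc > 1) {
        long n = scan_world_writable(argv[1], 1);
        printf("%ld world-writable entries under %s\n", n, argv[1]);
        return n < 0;
    }
    printf("fixture scan reported %ld hit(s)\n", demo_scan());
    return 0;
}
```

    Run it against an application directory to get the list the advisory is talking about; the same mode test is what you would apply to any vendor package before deploying it.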

    1. Re:Have you looked at the details of the bugs? by russotto · · Score: 2, Interesting

      There's no remote root exploit, I'm fairly sure. @stake assumed there was a buffer overflow in the kernel causing the system to crash when a long command line was entered. I don't think there is. Instead, there's an infinite loop:

      from xnu/bsd/kern/kern_exec.c:
      do {
              error = copyoutstr(cp, (caddr_t)ucp,
                                 (unsigned)cc, &len);
              ucp += len;
              cp += len;
              nc += len;
              cc -= len;
      } while (error == ENAMETOOLONG);

      Note that if the data being copied out is too big, copyoutstr returns ENAMETOOLONG with len == cc. When called with a max length of 0 (which happens next iteration), copyoutstr returns ENAMETOOLONG immediately. So it's an infinite loop. It only happens if the argument list is less than ARG_MAX, but the argument list plus the envp list is greater than ARG_MAX.

      If the argument list is greater than ARG_MAX, a similar loop correctly returns E2BIG when trying to copy data in. Copy-and-paste error anyone?

      There _might_ be a remote exploit, if some service allows you to pass arbitrarily long command lines to applications. But even if so, it's a denial of service exploit, not an arbitrary execution of commands exploit (as root or anyone else).

      The other two are both strictly local, and one isn't exploitable in the default configuration (i.e. cores disabled)
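
    The infinite loop described in the reply above can be reproduced in user space. This is an added example, not code from the thread or from xnu: model_copyoutstr() is a stand-in with the semantics the reply attributes to copyoutstr() (ENAMETOOLONG with len == maxlen when the terminator is not reached, so a maxlen of 0 returns ENAMETOOLONG at once), and copyout_args() is the quoted do/while run against it with an iteration cap so the spin is reported rather than hung on. The "fixed" variant is an illustration of the copy-in loop's behaviour the reply mentions (returning E2BIG when the space is gone), not Apple's actual patch; the argument string and the 8-byte stack hole are constructed.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* User-space model of copyoutstr() as described in the reply (not the xnu
 * function): copy a NUL-terminated string into at most maxlen bytes of dst.
 * Success returns 0 with *done = bytes copied including the NUL. If the NUL
 * is not reached it returns ENAMETOOLONG with *done == maxlen, so a call
 * with maxlen == 0 returns ENAMETOOLONG immediately with *done == 0. */
static int model_copyoutstr(const char *src, char *dst, size_t maxlen,
                            size_t *done)
{
    size_t i;
    for (i = 0; i < maxlen; i++) {
        dst[i] = src[i];
        if (src[i] == '\0') {
            *done = i + 1;
            return 0;
        }
    }
    *done = maxlen;
    return ENAMETOOLONG;
}

#define SPIN_CAP 1000UL /* iteration cap: report the hang instead of living it */

/* The do/while from kern_exec.c run against the model. cp is the argument
 * in "kernel" memory, ucp the simulated user stack, cc the bytes left on it.
 * fixed == 0 reproduces the quoted loop. fixed == 1 adds an illustrative
 * check modelled on the copy-in path: give up with E2BIG when the space is
 * exhausted but the string is unfinished. Returns 0 on success, E2BIG from
 * the fixed path, or -1 when the cap is hit (the kernel would spin forever).
 * *iters receives the number of loop iterations taken. */
static int copyout_args(const char *cp, char *ucp, size_t cc, int fixed,
                        unsigned long *iters)
{
    size_t len = 0;
    unsigned long n = 0;
    int error;

    do {
        if (n++ >= SPIN_CAP) {
            *iters = n;
            return -1;
        }
        error = model_copyoutstr(cp, ucp, cc, &len);
        ucp += len;
        cp += len;
        cc -= len; /* after ENAMETOOLONG, cc is now 0 ... */
        if (fixed && error == ENAMETOOLONG && cc == 0) {
            *iters = n;
            return E2BIG;
        }
    } while (error == ENAMETOOLONG); /* ... and the next call returns
                                        ENAMETOOLONG with len == 0 forever */
    *iters = n;
    return error;
}

/* Constructed scenario: a 25-byte argument and an 8-byte hole on the stack. */
static const char LONG_ARG[] = "this-argument-is-too-long";
static unsigned long last_iters; /* iterations taken by the most recent demo */

static int demo_buggy(void)
{
    char stack[8];
    return copyout_args(LONG_ARG, stack, sizeof stack, 0, &last_iters);
}

static int demo_fixed(void)
{
    char stack[8];
    return copyout_args(LONG_ARG, stack, sizeof stack, 1, &last_iters);
}

/* Control case: enough room, so the quoted loop terminates and the copy is
 * byte-for-byte correct. Returns 0 on success, -2 otherwise. */
static int demo_fits(void)
{
    char stack[64];
    int rc = copyout_args(LONG_ARG, stack, sizeof stack, 0, &last_iters);
    return (rc == 0 && strcmp(stack, LONG_ARG) == 0) ? 0 : -2;
}

int main(void)
{
    int rc;
    rc = demo_buggy();
    printf("quoted loop : rc=%d after %lu iterations (cap hit => would hang)\n", rc, last_iters);
    rc = demo_fixed();
    printf("fixed loop  : rc=%d (E2BIG=%d) after %lu iterations\n", rc, E2BIG, last_iters);
    rc = demo_fits();
    printf("string fits : rc=%d after %lu iterations\n", rc, last_iters);
    return 0;
}
```

    The point the model makes is the one the reply makes: nothing is written past the 8-byte hole, the loop simply never terminates, which is a denial of service rather than a memory corruption primitive.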

  7. Great reporting, guys. by Raptor+CK · · Score: 3, Interesting

    So, you mean that a vulnerability in 10.3 has to exist in 10.2?

    It's not at all possible that with new functionality comes new bugs?

    The very title of this story indicates a lack of proper investigative journalism. Of course, this is /., so I'm not at all surprised.

    --
    Raptor
    "Procrastination is great. It gives me a lot more time to do things that I'm never going to do."

  8. Has Apple stated there will be no Jaguar patch? by SuperDuperMan · · Score: 2, Interesting

    Or are we all going based on the assumption that since there is a Panther patch and there isn't yet a Jaguar patch that none is forthcoming?

    If I were running a company I'd patch my new product and test that before I worried about patching my legacy products.

  9. Re:This will impede corporate use by 47PHA60 · · Score: 2, Interesting

    Normally I don't answer this kind of thing, but you posted the second stupid reply to my concern. Here is how the big kids do things:

    When choosing a corporate platform, we don't just consider the QuickTime Java patch, we talk about hypothetical situations. This is done by asking "What would we do if..." In this case, we could not buy from a vendor that only fixes the current release and will not publish a road-map detailing availability policy for future security patches. Microsoft typically publishes security patches for free for about 5 years, until the OS is end-of-life'd.

    Now, Jaguar is currently using older versions of the following:

    OpenSSH
    Apache
    OpenSSL
    Samba
    The Kernel

    Security concerns will be found and have been found that affect both Panther and Jaguar, because they are using duplicate code in much of their software.

    And by the way, if you read the article you would see that. It clearly states that @stake found vulnerabilities in Jaguar that Apple said they do not intend to patch:


    David Goldsmith, director of research for @stake... confirmed that Apple said it wasn't going to patch the flaws in earlier versions of the software.

    "In my initial conversations with them, they said they weren't going to fix 10.2...

    Typically, companies that charge for software provide security updates for the software for a certain period of time. Microsoft provides support for its products for about five years and releases service packs every year that include all the enhancements to the software. Microsoft doesn't charge for the service packs.


    You could also try reading Apple Security Updates to see what the concern is about. In the FCS Panther release, Apple fixed many vulnerabilities that still exist in 10.2.8.

    Like I said, I love my Macs, but they're home behind a firewall where internal security and unauthorised users are not such a big concern. I cannot bring them into the corporate world until we get some assurances that the OS will receive security patches for longer than one year.