Apple Responds to Exploit
Dave Schroeder writes, "This isn't so much of a root vulnerability as a default configuration that trusts the integrity of the local network services. This functionality has been around since NeXTSTEP, and is designed to allow for auto-configuration of new servers/machines brought into the network. The quick 'fix' for the vast majority of users who choose to implement it is to uncheck LDAPv3 and NetInfo altogether in Directory Access. Or, if LDAP services are used, just uncheck 'Use DHCP-supplied LDAP Server' in LDAPv3. ... One could argue that these features should be off by default, but if they are, it kind of wrecks the whole auto-configuration scheme." This sounds related to a great new feature in Mac OS X Server 10.3/Xserve called "automatic setup" that -- for machines that come with it preinstalled -- will get their address and LDAP server via DHCP and look for configuration files, and automatically configure the entire server, without any interaction beyond plugging it into the network and turning it on.
I wonder what new bug is waiting in their "automatic setup" to bite us.
I was recently bitten by their hijacking of the .local tld with their Rendezvous/mDNS crap.
(and when you call their support to ask why the Mac cannot see the local mail server called x.y.local, they have no idea and tell you to go around asking in web forums!)
So whatever they do and sell you as "making things easier", I would be very afraid to have it on my network.
This problem is rather simple... Operating systems such as Windows and MacOS X (don't troll me with Darwin) are commonly developed inside corporate environments, and a direct connection to the internet rather than a firewalled LAN is the exception, rather than the rule. When the pointy-haired boss walks in and requests a machine that can set itself up when he plugs it into the network, it gets delivered.
I expect retail software geared to the home user will continue to keep the tendency of shipping flawed, because development often does not take place in a home environment. This goes for everything from Quake servers (remember id's backdoor?) to all of the $40 photo-editing tools that are sold at Wal-Mart with marketing emphasis on the end user, with interfaces so all-encompassing, wizard-heavy, and dumbed-down that even I don't attempt to teach my low-tech friends how to use them.
...it's about *how it's handled*.
All software is, and will continue to be for the foreseeable future, vulnerable. The question for the users and security people is, "How will company X handle themselves when a vulnerability is discovered in their product?"
This question, and its answer, is the most important issue when deciding who you trust with your data.
dmiessler.com -- grep understanding knowledge
Really, from Apple's docs, you have to have a malicious DHCP server on your subnet. Of course, someone could bring a rogue box into work, but this isn't on par with MS exploits. Wouldn't a simple MAC address filter at the switch level take care of all this? Yeah, you could install dhcpd on your authorized client, but this should also be a fairly easy thing to detect. I think Apple is right, it's a configuration-level solution.
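As an added example (not from any poster here), this is the kind of detection the parent has in mind: parse DHCP offers seen on the wire and flag any that come from a server outside the allow-list or that hand out an LDAP server at all. It assumes DHCP option 95 is the IANA-assigned LDAP option that "Use DHCP-supplied LDAP Server" consumes; the authorized server address and the packets are constructed for the demonstration.

```python
import struct
from ipaddress import IPv4Address

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_LDAP, OPT_END, DHCPOFFER = 0, 53, 54, 95, 255, 2
# Assumption (constructed value): the only DHCP server that belongs on this subnet.
AUTHORIZED_SERVERS = {"192.0.2.1"}

def parse_options(payload: bytes) -> dict:
    """Parse the DHCP options area (everything after the 236-byte fixed header)."""
    if payload[:4] != MAGIC_COOKIE:
        raise ValueError("not a DHCP payload: magic cookie missing")
    opts, i = {}, 4
    while i < len(payload) and payload[i] != OPT_END:
        if payload[i] == OPT_PAD:
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        opts[code] = payload[i + 2 : i + 2 + length]
        i += 2 + length
    return opts

def check_offer(packet: bytes) -> list:
    """Findings for one DHCP packet; an empty list means nothing worth alerting on."""
    opts = parse_options(packet[236:])
    if opts.get(OPT_MSG_TYPE) != bytes([DHCPOFFER]):
        return []  # only server-side offers matter for rogue-server detection
    server = str(IPv4Address(opts.get(OPT_SERVER_ID, bytes(4))))
    findings = []
    if server not in AUTHORIZED_SERVERS:
        findings.append(f"DHCPOFFER from unauthorized server {server}")
    if OPT_LDAP in opts:  # option 95: the LDAP server a client may auto-trust
        url = opts[OPT_LDAP].decode("ascii", errors="replace")
        findings.append(f"DHCPOFFER from {server} supplies an LDAP server (option 95): {url}")
    return findings

def build_offer(server: str, ldap_url: str = "") -> bytes:
    """Constructed DHCPOFFER for testing (not a capture): 236-byte fixed header, then options."""
    header = struct.pack("!BBBBIHH", 2, 1, 6, 0, 0x3903F326, 0, 0) + bytes(224)
    opts = bytes([OPT_MSG_TYPE, 1, DHCPOFFER, OPT_SERVER_ID, 4]) + IPv4Address(server).packed
    if ldap_url:
        body = ldap_url.encode("ascii")
        opts += bytes([OPT_LDAP, len(body)]) + body
    return header + MAGIC_COOKIE + opts + bytes([OPT_END])

if __name__ == "__main__":
    for pkt in (build_offer("192.0.2.1"),
                build_offer("192.0.2.99", "ldap://192.0.2.99/dc=rogue,dc=example")):
        print(check_offer(pkt) or ["ok"])
```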
My problem? I was perfectly gruntled, until some numbnuts came by and dissed me.
I was moderating, but this just burns me too much to remain silent.
I am not an artist. I'm bad at music, too. But I'm not much of a programmer, either. However, I know two people who are good examples.
First is my father. He has a doctorate in E.E., focusing on bottlenecks in computer systems, programmed assembly for TI in the 70s, and has been a professor in E.E. since long before I was born. He only uses Macs. We have one machine in the house that is not a Mac, this one, running Slack 7. He used Macs back in the "old days" for research because, for the money, they were the fastest things he could get his hands on. Now he uses them for work and at home because a) he's used to them and b) they are the best compromise between usability (he can still go into the terminal and screw around, but he can also use the very nice GUI when he doesn't feel like typing everything or he's in a meeting with the Dean or the President of the university) and security/stability (it doesn't crash every day and it has yet to get a virus). I use them for the same reason. And because I can't afford a computer of my own so I use what we have.
The other person is my music teacher. He's a professional musician as well. He's backed up Lionel Richie in concert before and plays bass in his own band. He also does some composing. On a Mac, only. He uses Macs because, back when he started, the best if not only composing software was for Macs. Since then, he's been sorta stuck with them. Not that he'd change, though, as my school has given him a PC and he hasn't found a program that works as well on it as his program for Mac (I wish I could remember the name, but alas, I can't. It's one of the major 2, though, I remember). Yes, he has been a "struggling musician" before. And yes, he stuck with his Mac through it because his Mac worked. Well.
Those are a couple of reasons why us "fruits" become blind zealots. It's sort of like being a Darwinian Evolution zealot. We get attacked by ignorant nay-sayers all the time, but we never lose sight of what we know works. Tell me, why are you such an ignorant bigot? Maybe you should get out of the house more...
No trespassing. Violators will be shot. Survivors will be shot again.
A friend of my brother's recently found this one in OSX: Link to his blog entry about it
Not SO bad, but could be bad, and it's considerably more dangerous for known Unix nerds.
WEP or not, I think your wireless network would need to be much more complex than most to exploit this. At least on my Airport network (and probably by default) the wireless clients get their settings from the base station and the base station only. You can run an LDAP server all night and day in my front yard and it won't do you a bit of good. I'll probably ask you what you're doing when I mow the lawn, though.
e-mail scripting was never a useful device to anyone
Exposing the Outlook object model to .vbs files embedded in emails was pretty stupid on Microsoft's part, but the ability to script emails is very valuable from an organizational standpoint. The Security Model (for ActiveX objects and Windows login) that Microsoft defined was the real culprit.
-- You see, there would be these conclusions that you could jump to
Before anyone says "macinista", I've been using computers all day every day for 25 years now (since I was eight or so), and was a Commodore man if you must know. I only got my first Mac about two years ago. However, I will no longer have anything but a Mac in my house because MacOS X based Macs do everything I need - including a high quality X server - and never, ever, break. I'm a Solaris admin all day for a very large company. I don't want to hassle with munged computers at home. I prefer to farm.
"He who would learn astronomy, and other recondite arts, let him go elsewhere. " -- John Calvin, commenting on Genesis 1
Jaguar (10.2.8)
The keystrokes are transmitted to the front application behind the screen saver only if you are fast. They get transmitted during the load time of the prompt window and during the activation time of the screen saver (between the moment it is started and the moment it starts drawing).
Maybe we deserve this world?
In light of the recent Debian break-in, where the core servers were rooted and a rootkit installed on other machines, and all this using LDAP for user authentication, I think Apple is making a huge mistake. All it needs is a couple of Apple machines to be rooted by an exploit based on this and Apple will be in the same sorry boat that MS is in.
(And for the zealots, I'm posting this from a G4 PB so STFU thanks.)
Don't assume that people always do things because they have to. Some people do things because they choose to. I had a working manager that was a supervisor in a chem. dept. He worked there simply for the exercise. He figured it was better to make money than to pay it to a gym. We had others that were students, Navy personnel that wanted to make some easy money on the side. Some of the janitors you meet may be smarter than you.
Still, I strongly disapprove of the way you went about releasing your exploit.
You should know damn well that the solution to this problem is far from being a simple patch to a piece of C code to plug a stupid buffer overflow vulnerability. People who expect, and, like you did, demand a solution to this problem within days or weeks, are people who blindly refuse to acknowledge the challenges surrounding the development of an appropriate and comprehensive solution. We are talking here about removing functionality from the DHCP protocol that had been taken for granted for years. Or significantly patching it to add a slew of warning dialog boxes, which are all usability enhancements. A short-term fix might need to be evaluated vs. a longer-term fix. You don't develop this in days. It takes time.
If you had any clue about processes surrounding software development, especially intricacies behind design and development of user interface updates, there is just no way in hell you would have published your advisory, much less with a working exploit. A December time frame would have been perfectly reasonable and you fucking know it.
Now thanks to your dumbass move, chances are you've just cornered Apple into releasing an update that only solves problems partially.
The Panther code base and user interface had been locked down and tested way before your advisory. This would have required a major change in the code, delayed testing certification, and subsequently launch, for a security issue that is, after all, not even close to being remotely as bad as other issues found earlier. More on that later. Shortly after, Apple had to address more urgent security issues in 10.2.8. You can't hold against them the fact that they didn't just "include this fix" with either 10.2.8 or Panther. Why? Simple: AGAIN, the solution to this problem is NOT, and I fucking repeat NOT, a simple code patch, unlike most security issues which usually revolve around buffer-overflow security exploits.
Why is this problem "not so bad after all"? Simple. While many people refer to it as a "remote exploit", I would like to strongly qualify this term and get people to understand that this exploit will not, absolutely NOT, allow just about anyone on the internet to "own your box". You can only get infected if you happen to plug your computer into a LOCAL AREA NETWORK with one or more "evil hosts", that could subsequently try to own you. But think, my friend, think hard: WHAT ARE THE FUCKING ODDS of this happening? Even if it does, it's not like some evil internet worm could sneak around and wreak havoc on the whole internet. Each infection can only max out at hundreds of machines at a time, and always be localized to a fairly specific, restricted geographical location, and in most cases the source of the exploit could be located and terminated.
The point I'm trying to make here is that YES, Apple did miss their original November release date but fairly promptly gave you a new December release date. You should fucking know by now that the fix to this problem is not trivial and could have waited another 30 days from the day you released your advisory.
I always wondered why there wasn't a sandbox approach to this automatic networking stuff... something to the tune of:
Plug new PC in, a daemon listens/pings for DHCP, LDAP, whatever... and if it finds it, politely asks the user if he/she would like to enable the service. If you have admin privileges you get to authenticate and proceed to register with the service or if in an untrustworthy environment you can choose to leave them disabled. If a new server is found at any time the process is repeated... though you could set a preference to ignore new servers as well.
See, sandbox. Requests are let in automatically but service must be opted into manually.
A fool throws a stone into a well and a thousand sages can not remove it.
Not surprising, since from Apple's view, it's really a beta. Jaguar was the first version of OS X that was ready for prime time, and thus I suspect that it will be the first one to have real long-lived support from Apple, since it's also the end of the road OS-wise for OldWorld machines (Beige G3's and Wallstreet Powerbooks).
That said, the Technote on this will likely have instructions for pre-Jaguar versions of OS X.
"You've got an invalid haircut" -Warren Zevon - Life'll Kill Ya
just so you know:
a) you've probably never owned a Mac, or run OS X for an extended period of time
b) Surprisingly enough, sophistication doesn't require confusion. Ease of use doesn't cut back what OS X can do.
As a user of windows, linux and mac, I have to say Mac is by far my favorite, because it is VERY POWERFUL, but EASY and STRAIGHTFORWARD to configure.