Slashdot Mirror


Apple Responds to Exploit

Dave Schroeder writes, "This isn't so much of a root vulnerability as a default configuration that trusts the integrity of the local network services. This functionality has been around since NeXTSTEP, and is designed to allow for auto-configuration of new servers/machines brought into the network. The quick 'fix' for the vast majority of users who choose to implement it is to uncheck LDAPv3 and NetInfo altogether in Directory Access. Or, if LDAP services are used, just uncheck 'Use DHCP-supplied LDAP Server' in LDAPv3. ... One could argue that these features should be off by default, but if they are, it kind of wrecks the whole auto-configuration scheme." This sounds related to a great new feature in Mac OS X Server 10.3/Xserve called "automatic setup" that -- for machines that come with it preinstalled -- will get their address and LDAP server via DHCP and look for configuration files, and automatically configure the entire server, without any interaction beyond plugging it into the network and turning it on.

77 of 351 comments

  1. Quick fix, just not easy for Mac users.. by Anonymous Coward · · Score: 2, Funny

    The quick 'fix' for the vast majority of users who choose to implement it is to uncheck LDAPv3 and NetInfo altogether in Directory Access. Or, if LDAP services are used, just uncheck 'Use DHCP-supplied LDAP Server' in LDAPv3.

    Yes that should be obvious to Mac users

    1. Re:Quick fix, just not easy for Mac users.. by tgibbs · · Score: 4, Informative
      Yes that should be obvious to Mac users
      It's very complicated. You run Directory Access and a window comes up with a series of checkboxes. Then you have to uncheck the ones Apple says to uncheck.
    2. Re:Quick fix, just not easy for Mac users.. by tgibbs · · Score: 3, Funny
      Not too simple indeed, since I run Mac OS X 10.1.5 and there is no application called "Directory Access".

      Yes, perhaps they'll eventually come out with an advisory for the people who are lagging two generations behind on their OS version and who are on untrusted networks. Not too surprising that they dealt with the bulk of current users first.

    3. Re:Quick fix, just not easy for Mac users.. by TheCrazyFinn · · Score: 3, Interesting

      Not surprising, since from Apple's view, it's really a beta. Jaguar was the first version of OS X that was ready for prime time, and thus I suspect that it will be the first one to have real long-lived support from Apple, since it's also the end of the road OS-wise for OldWorld machines (Beige G3's and Wallstreet Powerbooks).

      That said, the Technote on this will likely have instructions for pre-Jaguar versions of OS X.

      --
      "You've got an invalid haircut" -Warren Zevon - Life'll Kill Ya
    4. Re:Quick fix, just not easy for Mac users.. by atheken · · Score: 2, Interesting

      just so you know:
      a) you've probably never owned a Mac, or run OS X for an extended period of time
      b) Surprisingly enough, sophistication doesn't require confusion. Ease of use doesn't cut back what OS X can do..

      As a user of windows, linux and mac, I have to say Mac is by far my favorite, because it is VERY POWERFUL, but EASY and STRAIGHTFORWARD to configure.

    5. Re:Quick fix, just not easy for Mac users.. by pudge · · Score: 2, Insightful

      So, you don't care whose rules YOU break, you just care that others follow YOUR rules.

      Typical liberal.

  2. It's an old argument by Space+cowboy · · Score: 4, Insightful

    but it's as valid today as it ever was. There is a dichotomy between security and ease-of-use. Hitherto it has been impossible to have the one and the other simultaneously. Choose one.

    Apple choose ease-of-use, and get criticised for leaving an open security "hole". Microsoft choose the same, and get criticised for (well, just about everything except wonderful marketing), and Linux chooses the other, and is criticised for poor ease-of-use.

    That's not to say it's impossible, but it needs more than the current level of effort that goes into multi-node design. Apple is taking the first steps, and they've been somewhat burnt. Let's hope that doesn't discourage them from carrying on down the path... Unix as a genre can only learn from a successful easy-to-use and secure implementation of multi-machine computing. The thing is that you only learn by trying....

    Simon.

    --
    Physicists get Hadrons!
    1. Re:It's an old argument by jazman_777 · · Score: 3, Funny
      Apple choose ease-of-use, and get criticised for leaving an open security "hole". Microsoft choose the same, and get criticised for (well, just about everything except wonderful marketing), and Linux chooses the other, and is criticised for poor ease-of-use.

      Uh, you mean Red Hat Linux, where every service and its 3rd cousin is running?

      Try OpenBSD, which has just about nothing running default.

      --
      Slashdot: Failed Car Analogies. Amateur Lawyering. Anecdote Battles.
    2. Re:It's an old argument by cgenman · · Score: 5, Insightful

      I'd find the "Microsoft security vulnerabilities are the fault of ease-of-use" argument a little more valid if Microsoft's software were actually vulnerable due to useful features.

      For example, the messenger service isn't used by anyone but spam senders, e-mail scripting was never a useful device to anyone, and a fragile, naked file system doesn't lend itself to easy usage anyway. A web browser that can be told to run arbitrary code due to a buffer overflow is not vulnerable because it is easy to use, but because it is poorly written. The autodetection of hardware and updating of drivers is very easy to use, and has (as far as I know) never been the source of an exploit.

      You can both have security and ease-of-use... Just design a closed system with very limited purposes. A Hub, for example, is extremely easy to use, and has few possible points of security vulnerability. Routers, on the other hand, are frequently a bit archaic in their setup and get hacked all of the time.

      That's not to say that your point is invalid, but that there are other factors involved... Flexibility, control, effort, etc.

      I guess the point of this is that if I have to re-install windows or edit the registry again before Christmas I'm buying myself an iMac.

    3. Re:It's an old argument by Catnapster · · Score: 5, Funny

      No, the parent is right. The security holes in MS products are all about ease-of-use; just to the cracker, though, not the user.

      --
      The world can be wrong today for once.
    4. Re:It's an old argument by Maserati · · Score: 5, Funny
      --
      Veteran, Bermuda Triangle Expeditionary Force, 1992-1951
    5. Re:It's an old argument by rduke15 · · Score: 3, Insightful

      the messenger service isn't used by anyone

      A linux box here with an ISDN card sends Windows popups with "who is calling whom" info to the Windows boxes on the net. It occasionally annoys the children when they are playing a game, but we find it useful.

      In a company, the users seem to like the popup announcing that they have new mail. I intend to replace their Exchange server with a Linux box, so I guess I'll also have to script some gadget talking to messenger to keep them happy.

    6. Re:It's an old argument by tealover · · Score: 3, Interesting

      e-mail scripting was never a useful device to anyone

      Exposing the Outlook object model to .vbs files embedded in emails was pretty stupid on Microsoft's part, but the ability to script emails is very valuable from an organizational standpoint. The Security Model (for Active X objects and Windows login) that Microsoft defined was the real culprit.

      --
      -- You see, there would be these conclusions that you could jump to
    7. Re:It's an old argument by Webmonger · · Score: 4, Funny

      Hey, buffer overflows mean that the functionality provided is limited only by your imagination!

    8. Re:It's an old argument by RzUpAnmsCwrds · · Score: 5, Informative

      "For example, the messenger service isn't used by anyone but spam senders"

      System administrators have used it for years. It's only recently that the spammers have decided to use it. That's why Microsoft is disabling the service by default in XPSP2.

      "fragile, naked file system"

      I don't honestly know what you are talking about. NTFS is a journaling filesystem with some very strong features. Metadata for every file, unlimited alternate data streams (Microsoft's version of the HFS data/resource forks, but you can have as many as you want), strong security permissions that even the OS obeys that can be applied on a per-user basis with inheritance and an allow/don't allow/deny system. NTFS is one of the strongest attributes of Windows. Now, the permissions aren't set strict enough out of the box (and most users make their account part of the Administrators group - just like running as root all of the time).

      Imagine how a Linux system would hold up under the following situation:
      - User always running as root, even when they don't have to
      - User downloading and executing unknown code from random locations (screensavers, shareware, warez)
      - User installing software that is bundled with programs that spy on them / mess up their system
      - User never patching their system, even though the OS can do it automatically
      - User not using a password on their system in many cases
      - User downloading and executing unknown code (in email attachments) even though system warns of extreme security risk
      - User not using firewall even though it is built into the OS

      Now, Microsoft could do more:
      - No mail client should even be able to execute attachments. Even with a security warning. I do believe that Outlook Express now prevents you from executing attachments at all unless you uncheck a box hidden in some configuration dialog.
      - The firewall should be on by default. XP SP2 fixes this.
      - Users shouldn't run as root all of the time. Perhaps a warning when they log on would be helpful. The setup wizard already creates non-root users, but most people don't use them. I don't think users are adequately informed of the security risks of running as root.
      - Windows should come with an antivirus solution. Something integrated and transparent. Sometimes, you need to run untrusted code, and a good antivirus program can help reduce the threat.
      - Windows should have more restrictive permissions by default. Currently, non-root users can write to "program files" and potentially destroy software (although not the OS).

      Finally, some things that are good:
      - As I said before, the permissions system is very good
      - Windows File Protection is good for those stupid installers that try to overwrite system libraries
      - System Restore is nice for those people who are too cheap or lazy to have a real backup solution
      - Automatic updates are nice - if only people would use them
      - Driver rollback is nice for nuking "crap rev" drivers

      "I guess the point of this is that if I have to re-install windows or edit the registry again before Christmas"

      If you do the following things, you won't have to:

      - Don't run as root (administrator) unless you absolutely must
      - Don't download and execute unknown code unless you have scanned it with an antivirus. Don't run it as root unless you absolutely must (many programs will install as nonroot)
      - Turn on the XP firewall
      - Run a spyware detection tool such as ad-aware or spybot to get rid of the crap
      - Install the latest patches and service packs

      Basically, use common sense. If Windows users would realize that, no, your computer *is not* a toaster and it *does* require a bit of work to keep it secure, there would be many fewer viruses and worms.

      Second, if you *ever* have to edit the registry, you're doing something very wrong. That's like saying that you should dismantle your entire car because one of your headlights is out.

    9. Re:It's an old argument by Minna+Kirai · · Score: 2, Insightful

      There's no physical reason why you can't have both. Having a great UI and security is a resource allocation

      Yes, there are real, physical (derived from natural laws) conflicts between ease and security.

      An easier version of SSH wouldn't force the user to memorize passwords, which is a fundamental conflict with security. An automobile would be easier to use if you didn't need to carry around an ignition key.

      However, the post you were responding to didn't say that. It said "Hitherto it has been impossible", which is an equivocation- a statement of how things have been so far, not a claim it must remain so in the future.

    10. Re:It's an old argument by cgenman · · Score: 5, Insightful

      Good advice overall, which any computer user should abide by. However, I'd like to point out a few things.

      First of all by "file system," I had meant the organizational file hierarchy in Windows, the portion that the OS sees. You can still break all of the links to a program by, for example, re-naming a folder. Many programs fail to work if installed on something other than the C: drive... Many of these are Microsoft's programs. The Windows folder is a hodgepodge of thousands of items, some of which are protected and some of which aren't, but few of which are intelligently laid out for either the user or the programmer. I agree that NTFS is a much better file system than Fat32 was (though the fact that Windows XP doesn't support 160 GB drives out of the box is pretty shameful), but what the OS does with it is shabby.

      Second, if you *ever* have to edit the registry, you're doing something very wrong. That's like saying that you should dismantle your entire car because one of your headlights is out.

      Actually, some programs treat registry settings like they were a preferences dialog. Zone Alarm, for example, like thousands of other pieces of software has an annoying splash screen that appears every time your computer boots, and the only place the preference exists is in the registry. Program registrations need to be backed up from and occasionally restored to the registry... It's just a bad idea to keep your copy restriction authentication and your preferences in the same structure, but that's exactly what Microsoft designed.

      As a game developer, and an out-of-work one at that, Windows does need to be reinstalled every 6 months or so... If the constant flow of test games doesn't get you, the constant flow of uninstallers will. Rolling back to restore points is useful, but A: it doesn't always work and B: it doesn't address the cumulative damage of accrued extensions.

      As an addition to your suggestions, the user needs to check what icons are in the bottom-right hand corner of their screen, and shut off what isn't needed. Many people I have spoken to don't realize that those are applications and not just quick-launch shortcuts.

    11. Re:It's an old argument by ernst_mulder · · Score: 3, Informative

      Second, if you *ever* have to edit the registry, you're doing something very wrong. That's like saying that you should dismantle your entire car because one of your headlights is out.

      That is simply so wrong. There are so many applications that require the user to edit their registry. Not by design of course but because of software bugs.

      Some simple cases to illustrate my point.

      Exact Globe 2000 (administration software) suddenly won't properly print anymore. Call helpdesk. Remove some keys and voila printing works again.

      Windows XP won't remember Outlook Express' password. Look problem up on microsoft.com. Advice: remove some keys and voila problem solved.

      I could go on, I won't.

      Editing the registry has become such a common solution to all kinds of problems. Not necessarily because the USER does something wrong (unless using Windows in the first place is considered WRONG :-) ).

      Ernst Mulder

    12. Re:It's an old argument by devnullify · · Score: 2, Insightful

      You don't need the OS to protect you. All it takes is some common sense.

      So when Microsoft implements all these annoyances (for someone competent with common sense), I'll be doing something wrong by editing the registry to turn them off?

    13. Re:It's an old argument by HSpirit · · Score: 2, Informative

      so I guess I'll also have to script some gadget talking to messenger to keep them happy.
      Very easy to do, all you need to do is install smbclient and the samba codepages on your *nix server, and then use smbclient's -m switch.

      I have an OpenBSD gateway on a dial-up connection serving my small office network, and I use this solution to inform the users when the dialup connection goes down/up.

      Saves me many calls of the type: "Hey, is the internet down?!"

    14. Re:It's an old argument by TheCrazyFinn · · Score: 2, Insightful

      Two things I'd love to see MS steal from Apple:

      Application Bundles. This means that the only dynamic libraries going into the System directories are actually part of the core OS. All of an application's dynamic libraries are contained in the bundle. It's a bit wasteful space-wise, but HDD space is cheap. And it solves much of the problem of users needing to install their own software, but needing to be Admin to do so. This is much like installing software in your home directory as an unprivileged user in other unixes.

      .plist files. XML-based preference and config files. Replace the damned Registry with these. For user prefs, drop them in a hidden directory in the user's home directory, which also means that they are easily backed up, transferred and migrated to all OSs when the home directory is shared. And it also means that installed apps just drop their system-wide plists in a common directory, and the system maintains a third directory for system services' plists. Much more robust than the Registry (which was a nice idea, but has never worked reliably for workstations or desktops). It also means that in a pinch, an admin can edit the damned plist with a text editor, or just trash it to repair/reset b0rked software.

      --
      "You've got an invalid haircut" -Warren Zevon - Life'll Kill Ya
    15. Re:It's an old argument by Dylan+Zimmerman · · Score: 3, Insightful

      NTFS has a good permission system? That's news to me. As an administrator, I created a folder that denied other users the ability to do anything with or to it. I set every single permission to "deny", especially the "Take Ownership" permission. I then logged in as a Limited account, navigated to the folder, right-clicked it, went to "Security", it told me that I wasn't allowed to view or change the security settings and that I couldn't take ownership. I then clicked on the "Advanced" button, went to the "Ownership" tab, and gave myself ownership. I then closed the two open dialogs, right-clicked again, added myself to the permissions, and gave myself full control over the folder.

      In UNIX, I could set the permissions to 750 and not have to worry about it anymore.

      Now, I like the link idea. Having the same file in multiple locations on your directory tree can be very useful. Also, the metadata and data streams are nice. However, NTFS doesn't have "strong security permissions" by any stretch of the imagination.

      I have to edit the registry all the time. Programs like to set themselves up to autorun by putting themselves in HKLM/Software/Microsoft/Windows/Current Version/Run. Most of these are programs that I don't like such as Microsoft Messenger. I go into the Microsoft Messenger preferences and uncheck "Run this program when Windows starts", but it doesn't remove the registry entry.

  3. Who will watch the watchers? by Crypto+Gnome · · Score: 5, Insightful

    Realistically, an issue trusting the LDAP server that your DHCP server points you at?

    What is the world coming to?

    Do I need to manually verify every single setting supplied to me by my DHCP server because I don't trust it?

    These days, the internet is not a safe place, we all need to be more than just a little paranoid - but are you paranoid enough?

    --
    Visit CryptoGnome in his home.
    1. Re:Who will watch the watchers? by nehril · · Score: 4, Insightful

      Do I need to manually verify every single setting supplied to me by my DHCP server because I don't trust it?

      In a way, yes. An evil machine on your network may answer your DHCP request with, say, itself as your default route. Wham, you have yourself a machine routing all your internet-bound packets through itself, doing whatever it is evil people do (nice little man-in-the-middle, eh?)

      It's back down to ease of use: DHCP, or have the network admin identify himself with DNA samples and personally configure each box on the network.

    2. Re:Who will watch the watchers? by Cysgod · · Score: 3, Insightful

      You trust the network (and DHCP) to tell you how to talk to the network. (IP address, netmask, gateway, DNS, etc.) And then you use things like SSL and SSH host keys to make sure you are really talking to who you think you are. You don't trust it with root access to your machine to do whatever it wants to.

      The argument I make in the "philosophical details" section of the advisory is that realistically you should not trust a network for user authentication information without at least *some* user interaction so the user is aware of what is going on. To do otherwise is irresponsible and puts end users at risk.

    3. Re:Who will watch the watchers? by Anonymous Coward · · Score: 5, Interesting

      Still, I strongly disapprove of the way you went about releasing your exploit.

      You should know damn well that the solution to this problem is far from being a simple patch to a piece of C code to plug a stupid buffer overflow vulnerability. People who expect, and, like you did, demand a solution to this problem within days or weeks, are people who blindly refuse to acknowledge the challenges surrounding the development of an appropriate and comprehensive solution. We are talking here about removing functionality from the DHCP protocol that had been taken for granted for years. Or significantly patching it to add a slew of warning dialog boxes, which are all usability enhancements. A short-term fix might need to be evaluated vs a longer-term fix. You don't develop this in days. it takes time.

      If you had any clue about processes surrounding software development, especially intricacies behind design and development of user interface updates, there is just no way in hell you would have published your advisory, much less with a working exploit. A December time frame would have been perfectly reasonable and you fucking know it.

      Now thanks to your dumbass move, chances are you've just cornered Apple into releasing an update that only solves problems partially.

      The Panther code base and user interface had been locked-down and tested way before your advisory. This would have required a major change in the code, delayed testing certification, and subsequently launch, for a security issue that is, after all, not even close to being remotely as bad as other issues found earlier. More on that later. Shortly after, Apple had to address more urgent security issues in 10.2.8. You can't hold against them the fact that they didn't just "include this fix" with either 10.2.8 or Panther, why? Simple: AGAIN, the solution to this problem is NOT, and I fucking repeat NOT a simple code patch, unlike most security issues which usually revolve around buffer-overflow security exploits.

      Why is this problem "not so bad after all"? Simple. While many people refer to it as a "remote exploit", I would like to strongly qualify this term and get people to understand that this exploit will not, absolutely NOT, allow just about anyone on the internet to "own your box". You can only get infected if you happen to plug your computer into a LOCAL AREA NETWORK with one or more "evil hosts", that could subsequently try to own you. But think, my friend, think hard: WHAT ARE THE FUCKING ODDS of this happening? Even if it does, it's not like some evil internet worm could sneak around and wreak havoc on the whole internet. Each infection can only max out at hundreds of machines at a time, and always be localized to a fairly specific, restricted geographical location, and in most cases the source of the exploit could be located and terminated.

      The point I'm trying to make here is that YES, Apple did miss their original November release date but fairly promptly gave you a new December release date. You should fucking know by now that the fix to this problem is not trivial and could have waited another 30 days from the day you released your advisory.

    4. Re:Who will watch the watchers? by ernst_mulder · · Score: 2, Insightful

      It's pretty safe to assume your company's network, into which RJ45 socket you plug your network cable, is quite secure.

      One of the fine points of this exploit however is that some users may never know they are on an untrusted network. Why? Because they have a wireless network card installed and enabled.

      So booting your Mac with DHCP enabled could compromise your system when a "bad person" has set up a "bad wireless network" in the neighbourhood. No physical contact to your computer required.

      The only fact that makes this exploit less likely is that computers with wireless network cards are usually PowerBooks and that PowerBooks are hardly ever rebooted. From personal experience I can say that the only times I rebooted my iBook were after system upgrades, which are usually performed while connected to my company's network (not wireless).

      Ernst Mulder

  4. Finally... by Gothic_Walrus · · Score: 2, Funny
    I'm sick of hearing about Windows exploits!

    It's about damn time they found an exploit for an Apple computer!

    --
    Goo goo g'joob.
    1. Re:Finally... by Jonny+Ringo · · Score: 5, Funny

      Yeah but their explanation seems like they are talking with you, instead of at you.

      I feel like Steve Jobs just bought me a drink and explained the problem, then gave me a hug when it was time to go home.
      I'll miss him.

  5. It's still an exploit by Anonymous Coward · · Score: 5, Insightful

    No matter what sort of spin Apple puts on it, it's still retarded of them to trust LDAP to the point that UID=0 is trusted to be root.

    Still, I don't think that this exploit is really that easy to take advantage of... the circumstances which would lead to it are fairly limited for now (until WiFi is as pervasive as air, anyway).

    1. Re:It's still an exploit by jimi1283 · · Score: 3, Informative
      Novell's directory service has this problem too. It does not have a "minimum uid" setting, so it will gladly accept a uid of 0...

      Which is why we don't use it at my company.
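The "minimum uid" control jimi1283 mentions, together with the parent's point about a directory-supplied UID=0 being trusted as root, can be expressed as a validation pass over the account records a client receives from a network directory. The following Python is an added example written for this page, not Apple's, Novell's or any directory product's code: it assumes LDAP posixAccount-style attributes (uid, uidNumber, gidNumber, homeDirectory, loginShell), picks an illustrative minimum UID/GID of 1000, and runs over constructed sample records, one of which is a remote record claiming uidNumber 0 under an ordinary-looking login name.

```python
import re
from typing import Dict, List, Tuple

# Policy constants (assumptions for this example; tune to the environment).
MIN_UID = 1000                  # network accounts below this are refused
MIN_GID = 1000                  # likewise for the primary group (0 is wheel/root)
ALLOWED_SHELLS = {"/bin/bash", "/bin/sh", "/bin/zsh", "/bin/tcsh"}
HOME_PREFIXES = ("/Users/", "/home/")
LOGIN_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def validate_record(rec: Dict[str, object], local_names: set, local_uids: set) -> List[str]:
    """Return the reasons a directory-supplied account record must not be honoured.

    An empty list means the record may be merged into the local account view.
    A record that names root, or carries a uidNumber in the reserved range, or
    collides with any local account is rejected regardless of who sent it."""
    problems: List[str] = []
    login = str(rec.get("uid", ""))          # posixAccount 'uid' is the login name
    if not LOGIN_RE.match(login):
        problems.append(f"login name {login!r} is not well formed")
    if login in local_names:
        problems.append(f"login name {login!r} shadows a local account")

    try:
        uidn = int(rec.get("uidNumber"))
        gidn = int(rec.get("gidNumber"))
    except (TypeError, ValueError):
        return problems + ["uidNumber/gidNumber missing or non-numeric"]

    if uidn < MIN_UID:
        problems.append(f"uidNumber {uidn} is below the minimum {MIN_UID}")
    if uidn in local_uids:
        problems.append(f"uidNumber {uidn} collides with a local account")
    if gidn < MIN_GID:
        problems.append(f"gidNumber {gidn} is below the minimum {MIN_GID}")

    home = str(rec.get("homeDirectory", ""))
    # Refuse homes outside the user trees and any path with a '..' component.
    if not home.startswith(HOME_PREFIXES) or ".." in home.split("/"):
        problems.append(f"homeDirectory {home!r} is outside the permitted trees")

    shell = str(rec.get("loginShell", ""))
    if shell not in ALLOWED_SHELLS:
        problems.append(f"loginShell {shell!r} is not in the allowlist")
    return problems


def filter_records(records, local_names: set, local_uids: set) -> Tuple[list, dict]:
    """Split incoming records into accepted ones and a login -> problems map."""
    accepted, rejected = [], {}
    for rec in records:
        probs = validate_record(rec, local_names, local_uids)
        if probs:
            rejected[str(rec.get("uid"))] = probs
        else:
            accepted.append(rec)
    return accepted, rejected


# Constructed sample data: local accounts that must never be overridden, and
# four records "received" from a network directory.
LOCAL_NAMES = {"root", "daemon", "nobody", "admin"}
LOCAL_UIDS = {0, 1, 99, 501}
SAMPLE_RECORDS = [
    {"uid": "alice", "uidNumber": 1001, "gidNumber": 1001,
     "homeDirectory": "/Users/alice", "loginShell": "/bin/bash"},
    {"uid": "root", "uidNumber": 0, "gidNumber": 0,            # overt root takeover
     "homeDirectory": "/var/root", "loginShell": "/bin/sh"},
    {"uid": "mallory", "uidNumber": 0, "gidNumber": 1001,      # ordinary name, uid 0
     "homeDirectory": "/Users/mallory", "loginShell": "/bin/bash"},
    {"uid": "bob", "uidNumber": 1002, "gidNumber": 1002,       # path traversal in home
     "homeDirectory": "/Users/../etc", "loginShell": "/bin/bash"},
]

if __name__ == "__main__":
    ok, bad = filter_records(SAMPLE_RECORDS, LOCAL_NAMES, LOCAL_UIDS)
    print("accepted:", [r["uid"] for r in ok])
    for login, probs in bad.items():
        print(f"rejected {login}:", "; ".join(probs))
```

The point of checking uidNumber against both a floor and the set of locally known UIDs is that "mallory" with uidNumber 0 is just as much root as a record literally named root; a check on the login name alone misses it.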

  6. Yikes! by Quasar1999 · · Score: 5, Funny

    This is horrible... First the machine comes with a pre-configured backdoor/exploit, and they want to leave it like this? Second, if you can just plug in the machine in a network, and have it totally configure itself, you've just killed a job for an IT guy... and we need all the jobs we can get...

    Oh, wait... once the new machine gets owned by some script kiddies, then the IT guy gets called... okay... phew... nearly thought that a job was eliminated... nevermind... as you were... ;)

    --
    Programming is like sex... Make one mistake and support it the rest of your life.
  7. New bugs, ease breaking havoc on your LAN by rduke15 · · Score: 2, Interesting

    I wonder what new bug is waiting in their "automatic setup" to bite us.

    I was recently bit by their hijacking of the .local tld with their Rendezvous/mDNS crap.

    (and when you call their support to ask why the Mac cannot see the local mail server called x.y.local, they have no idea and tell you to go around asking in web forums!)

    So whatever they do and sell you as "making things easier", I would be very afraid to have it on my network.

    1. Re:New bugs, ease breaking havoc on your LAN by Spy+Hunter · · Score: 3, Informative

      mDNS isn't crap, it's cool, something like it has been needed for a long time, and it's going through the IETF standards process. Apple's not "hijacking" anything. If you believe that using .local is a mistake, then you can bring up your concerns on the appropriate IETF working group. The IETF standardization process is completely open; anyone can join the mailing list and voice their concerns and get things changed. Look here for info on mDNS and the related IETF working groups you can join.

      --
      main(c,r){for(r=32;r;) printf(++c>31?c=!r--,"\n":c<r?" ":~c&r?" `":" #");}
  8. Use what you know... by Rahga · · Score: 3, Interesting

    This problem is rather simple... Operating systems such as Windows and MacOS X (don't troll me with Darwin) are commonly developed inside corporate environments, and a direct connection to the internet rather than a firewalled lan is the exception, rather than the rule. When the pointy haired boss walks in and requests a machine that can set up itself when he plugs in to the network, it gets delivered.

    I expect retail software geared to the home user will continue to keep the tendency of shipping flawed, because development often does not take place in a home environment. This goes for everything from Quake servers (remember ID's backdoor?) to all of the $40 photo-editing tools that are sold at Wal-Mart with marketing emphasis on the end user, with interfaces so all-encompassing, wizard-heavy, and dumbed-down that even I don't attempt to teach my low-tech friends how to use them.

    1. Re:Use what you know... by tgibbs · · Score: 4, Insightful
      This problem is rather simple... Operating systems such as Windows and MacOS X (don't troll me with Darwin) are commonly developed inside corporate environments, and a direct connection to the internet rather than a firewalled lan is the exception, rather than the rule.
      Neither is it much concern to the typical home user who either connects directly to DSL or cable modem, or at worst uses his own short-range WiFi with some level of security. Currently, it is mainly a concern for traveling businessmen who take their WiFi equipped laptops to Starbucks or a convention center and connect from there. It will probably become more of an issue as such semi-public WiFi nodes become more common.
  9. It's not about the exploit... by danielrm26 · · Score: 5, Interesting

    ...it's about *how it's handled*.

    All software is, and will continue to be for the foreseeable future, vulnerable. The question for the users and security people is, "How will company x handle themselves when a vulnerability is discovered in their product?"

    This question, and its answer, is the most important issue when deciding who you trust with your data.

    --
    dmiessler.com -- grep understanding knowledge
  10. much ado about nothing by b17bmbr · · Score: 5, Interesting

    Really, from Apple's docs, you have to have a malicious DHCP server on your subnet. Of course, someone could bring a rogue box into work, but this isn't on par with MS exploits. Wouldn't a simple MAC address filter at the switch level take care of all this? Yeah, you could install dhcpd on your authorized client, but this should also be a fairly easy thing to detect. I think Apple is right, it's a configuration level solution.

    --
    My problem? I was perfectly gruntled, until some numbnuts came by and dissed me.
    1. Re:much ado about nothing by Anonymous Coward · · Score: 2, Insightful

      > you have to have a malicious dhcp server on your subnet.

      Keep in mind "your subnet" could be the WLAN at the coffee house (I must have seen 6 macs down there today - near the Castro in SF, in case anyone's interested), or a cable modem connection. This also means that if you can own one box on the network, you automatically get root on all the others.

  11. Wireless attacks on local networks by Mundocani · · Score: 5, Insightful

    In many discussions, people downplay the importance of exploits like these because the attacker has to be on your local network to take advantage of the security hole. What about all of the mis-configured (or deliberately) open wi-fi networks out there? I think that wireless networking has changed the importance of "local exploits" by allowing somebody passing by to become a local entity on an open wi-fi network.

    1. Re:Wireless attacks on local networks by Anonymous Coward · · Score: 2, Informative

      I am not so sure that I buy the whole... wireless dhcp server being that huge.

      First, if someone can jack into my ethernet with a machine and place it on my same subnet... they deserve to h4x0r my boxen.

      Now... if they get on my wireless network, what are the chances that my wireless machine will leave an already established lease to jump ship and run to another dhcp server, especially if my base station is also my wireless dhcp server. And let's not forget the whole problem of "ssh" is not on by default. If it is on then obviously we are not dealing with a simple novice, and any open wireless network, misconfigurations, and lack of knowing when someone reboots your machine to take it over... is partly their own fault. Out of the box, you are safe.

      Sure, this is an exploit, but it requires physical action as opposed to a few keystrokes or automated script. It is the same thing with the floppy or cd trick for linux. If you keep the power button, floppy or cd-rom exposed you're just as vulnerable to getting rooted.

  12. Re:Honestly.. by dasdrewid · · Score: 4, Interesting

    I was moderating, but this just burns me too much to remain silent.

    I am not an artist. I'm bad at music, too. But I'm not much of a programmer, either. However, I know two people who are good examples.

    First is my father. He has a doctorate in E.E., focusing on bottlenecks in computer systems, programmed assembly for TI in the 70s, and has been a professor in E.E. since long before I was born. He only uses Macs. We have one machine in the house that is not a Mac, this one, running Slack 7. He used Macs back in the "old days" for research because, for the money, they were the fastest things he could get his hands on. Now he uses them for work and at home because a) he's used to them and b) they are the best compromise between usability (he can still go into the terminal and screw around, but he can also use the very nice GUI when he doesn't feel like typing everything or he's in a meeting with the Dean or the President of the university) and security/stability (it doesn't crash every day and it has yet to get a virus). I use them for the same reason. And because I can't afford a computer of my own so I use what we have.

    The other person is my music teacher. He's a professional musician as well. He's backed up Lionel Ritchie in concert before and plays bass in his own band. He also does some composing. On a Mac, only. He uses Macs because, back when he started, the best if not only composing software was for Macs. Since then, he's been sorta stuck with them. Not that he'd change, though, as my school has given him a PC and he hasn't found a program that works as well on it as his program for Mac (I wish I could remember the name, but alas, I can't. It's one of the major 2, though, I remember). Yes, he has been a "struggling musician" before. And yes, he stuck with his Mac through it because his Mac worked. Well.

    Those are a couple of reasons why us "fruits" become blind zealots. It's sort of like being a Darwinian Evolution zealot. We get attacked by ignorant nay-sayers all the time, but we never lose sight of what we know works. Tell me, why are you such an ignorant bigot? Maybe you should get out of the house more...

    --
    No trespassing. Violators will be shot. Survivors will be shot again.
  13. No worse than DHCP itself by clasher · · Score: 5, Insightful

    This problem seems little worse than other problems related to DHCP. If someone had access to your subnet and was able to configure a rogue DHCP server (e.g. to exploit the OS X ldap bug) they could just as easily return a rogue proxy as the default gateway or a tainted DNS server. If you are not vigilant about SSH warning messages or best practices you could be connecting to a server which is just recording your password and passing it along to the real server.

    There may be something I am missing, but this does not seem to be a problem with Mac OS X as much as it is with DHCP. DHCP in its simplest form is not secure. Using DHCP on a subnet requires trust. As with any other kind of security you will have to trust something, whether it is your computer or your home network.

    I hope people do not blow this bug out of proportion too much.

    1. Re:No worse than DHCP itself by kwj8fty1 · · Score: 3, Insightful

      Sure, someone can feed you bogus dhcp info, and they could then man-in-the-middle you.

      That's fine, but THIS hole (and it is a hole, not a bloody feature, IMHO), grants anyone on your subnet r00t access on your MAC.

      This is a different attack completely.

      AFAIK, no other OS offers root access to any little kiddy acting like a dhcp server.

    2. Re:No worse than DHCP itself by jcr · · Score: 5, Informative

      THIS hole (and it is a hole, not a bloody feature, IMHO), grants anyone on your subnet r00t access on your MAC.

      Not exactly. They'd still need either 1) physical access to your machine to log in, or 2) for you to have turned on incoming ssh access (the default configuration doesn't allow remote login.)

      So, this is a problem if someone's able to get to your subnet and set up a rogue LDAP server, *and* you've turned on a service that isn't on by default. It's not a way for j.random script kiddie in Oklahoma to own you.

      -jcr

      --
      The only title of honor that a tyrant can grant is "Enemy of the State."
    3. Re:No worse than DHCP itself by mgbastard · · Score: 2
      That's fine, but THIS hole (and it is a hole, not a bloody feature, IMHO), grants anyone on your subnet r00t access on your MAC.

      IF you are running with DHCP.

      And if you are on a network doing this? Trap out any unauthorized DHCP servers on your switches. You probably are already doing this to prevent headaches from people plugging in private 802.11 devices and screwing things up. Or you could just have an explicit allow list of MAC's (the standard accepted meaning of MAC, not your CaPsEd Mac.) Both are a standard network security measure.

      I don't believe any home user should need to worry about this - broadband users using dhcp to get on the internet are likely to have unauthorized dhcp responses being filtered out already. That sort of activity would cause a lot of unnecessary support calls!

      --
      Anyone seen my low uid? last seen 10 years ago while panning the #@$# out of Taco's 'web based discussion system'
  14. As Scotty once said..... by leereyno · · Score: 2

    The more they overthink the plumbing, the easier it is to stop up the drain.

    --
    Muslim community leaders warn of backlash from tomorrow morning's terrorist attack.
  15. Speaking of Apple bugs... by iamdrscience · · Score: 5, Interesting

    A friend of my brother's recently found this one in OSX: Link to his blog entry about it

    Not SO bad, but could be bad, and it's considerably more dangerous for known Unix nerds.

    1. Re:Speaking of Apple bugs... by Aliencow · · Score: 2, Informative

      I just tested it on panther and at least 2 or 3 chars of the password get passed on to a window behind...

  16. Re:Yikes! Who configures after connecting ethernet by Anonymous Coward · · Score: 3, Insightful

    I don't mind this at all.
    No professional I know connects a server to the network BEFORE they configure security and network settings.

    Shame on you if you do :-)

  17. Home vs. Work by LauraW · · Score: 4, Insightful
    I expect retail software geared to the home user will continue to keep the tendency of shipping flawed, because development often does not take place in a home environment.

    In this case, the software is actually more vulnerable in a work environment, because it requires a compromised DHCP server on the local subnet. Most home users would probably notice if you plugged in another computer in their house. It's less likely to be noticed in a corporate environment, at least for long enough to compromise a few servers.

    Besides, if it's possible for someone to sneak a compromised DHCP server on your network, you're basically screwed anyway.

    1. Re:Home vs. Work by Rahga · · Score: 5, Insightful

      Besides, if it's possible for someone to sneak a compromised DHCP server on your network, you're basically screwed anyway.

      The janitors in my bank building could probably do this on multiple networks on multiple floors with ease. Heck, just drop a decently modded dreamcast under a secretary's desk or anywhere you can find an ethernet drop and weak switching.

    2. Re:Home vs. Work by wolrahnaes · · Score: 5, Informative

      Besides, if it's possible for someone to sneak a compromised DHCP server on your network, you're basically screwed anyway.

      I have mod points, but I had to respond.

      This is so true. Many organizations beyond a few (10-20 or so) computers do not have good physical security. Anyone can easily place a rogue node on a network and wreak havoc.

      This happened recently at my school. Someone set up a DHCP server that responded faster than the school's Netware systems could. This seemed to be accidental because the configuration was all over the place, and didn't work at all. The techs have been investigating this for a few weeks and I'm not sure if they have found it yet.

      While my above example didn't cause any harm, imagine if someone was to set up a DHCP system and also took advantage of IE's "autodetect proxy settings" feature. They could be almost undetectable, yet be able to log all Internet traffic by redirecting the proxy and default gateway through their box.

      --
      I used to get high on life, but I developed a tolerance. Now I need something stronger.
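The rogue-DHCP concern raised in comments 10, 13 and 17 above (a server on the subnet answering first and handing the client its own router, DNS or LDAP settings), shown as an added example that is not code from the thread or from Apple: a small DHCP option parser plus the check a defender would run on captured OFFERs, comparing the server identifier against an allowlist of authorized servers and reporting which client-steering options the offer pushes. This is the host-side equivalent of the switch-level "trap out unauthorized DHCP servers" suggested in reply 3 to comment 13. Every address, packet and allowlist entry is constructed for the demonstration; the option codes used are the IANA-registered ones (3 router, 6 DNS, 53 message type, 54 server identifier, 95 LDAP, 112/113 NetInfo), and the LDAP option's payload is only checked for presence, not decoded.

```python
"""Parse DHCP OFFER messages and flag ones from servers not on an allowlist.

Added example (not code from the thread or from Apple). Every address,
packet and allowlist entry below is constructed for the demonstration.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # RFC 2132 marker that starts the option area
DHCPOFFER = 2

# IANA-registered option codes (RFC 2132; 95, 112 and 113 are listed in RFC 3679).
OPT_ROUTER, OPT_DNS, OPT_MSG_TYPE, OPT_SERVER_ID = 3, 6, 53, 54
OPT_LDAP, OPT_NETINFO_ADDR, OPT_NETINFO_TAG = 95, 112, 113

# Options that change where a client sends traffic or where it looks up identities.
SENSITIVE = {
    OPT_ROUTER: "router",
    OPT_DNS: "dns",
    OPT_LDAP: "ldap",
    OPT_NETINFO_ADDR: "netinfo-address",
    OPT_NETINFO_TAG: "netinfo-tag",
}


@dataclass
class DhcpMessage:
    op: int            # 1 = BOOTREQUEST, 2 = BOOTREPLY
    yiaddr: str        # address being offered to the client
    options: dict      # option code -> raw value bytes


def parse_dhcp(payload: bytes) -> DhcpMessage:
    """Decode the fixed BOOTP header and the TLV option area (pad and end handled)."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    options = {}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 0:          # pad option: one byte, no length field
            i += 1
            continue
        if code == 255:        # end option
            break
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        options[code] = value
        i += 2 + length
    return DhcpMessage(payload[0], str(IPv4Address(payload[16:20])), options)


def build_offer(server_ip: str, yiaddr: str, extra: list) -> bytes:
    """Construct a minimal DHCPOFFER so the demo runs offline (constructed data)."""
    hdr = bytearray(236)
    hdr[0], hdr[1], hdr[2] = 2, 1, 6          # BOOTREPLY, htype Ethernet, hlen 6
    hdr[16:20] = IPv4Address(yiaddr).packed
    opts = bytes([OPT_MSG_TYPE, 1, DHCPOFFER])
    opts += bytes([OPT_SERVER_ID, 4]) + IPv4Address(server_ip).packed
    for code, value in extra:
        opts += bytes([code, len(value)]) + value
    return bytes(hdr) + MAGIC_COOKIE + opts + b"\xff"


def audit_offer(msg: DhcpMessage, authorized: set) -> dict:
    """Say whether an OFFER came from an authorized server and what it pushes."""
    result = {"server": None, "rogue": False, "pushes": []}
    if msg.op != 2 or msg.options.get(OPT_MSG_TYPE) != bytes([DHCPOFFER]):
        return result                          # not an OFFER: nothing to judge
    sid = msg.options.get(OPT_SERVER_ID)
    if sid is None or len(sid) != 4:
        result["rogue"] = True                 # an OFFER must name its server
        return result
    result["server"] = str(IPv4Address(sid))
    result["rogue"] = result["server"] not in authorized
    result["pushes"] = [SENSITIVE[c] for c in sorted(msg.options) if c in SENSITIVE]
    return result


def run_demo() -> list:
    """Two constructed OFFERs: the site's real server and an unauthorized one."""
    authorized = {"192.0.2.1"}                 # constructed allowlist
    ip = IPv4Address
    good = build_offer("192.0.2.1", "192.0.2.50",
                       [(OPT_ROUTER, ip("192.0.2.1").packed),
                        (OPT_DNS, ip("192.0.2.1").packed)])
    bad = build_offer("192.0.2.99", "192.0.2.50",
                      [(OPT_ROUTER, ip("192.0.2.99").packed),
                       (OPT_DNS, ip("192.0.2.99").packed),
                       (OPT_LDAP, b"ldap://192.0.2.99/")])   # constructed value
    return [audit_offer(parse_dhcp(p), authorized) for p in (good, bad)]


if __name__ == "__main__":
    for r in run_demo():
        print(("ROGUE " if r["rogue"] else "ok    ") + str(r["server"]), r["pushes"])
```

Fed with real captures (for instance UDP port 67/68 payloads from a packet capture) the same `audit_offer` call turns every OFFER from an address outside the allowlist into an alert, and the `pushes` list tells the responder whether the rogue server was steering routing, name resolution, or directory lookups.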
    3. Re:Home vs. Work by cscx · · Score: 2, Funny

      Hell yeah, my boy is wicked smahht!

  18. Re:Honestly.. by TheBillGates · · Score: 5, Funny

    You fool, have you even tried using a Mac lately? No? Just what I thought.

    I'm a tech support (24+ years) who will have nothing but Macs in my house. Why? Because they work, don't crash, and my wife and son can't fuck them up.

    After spending all day fixing other people's computer problems, the last thing I want to do at home is fix my own.

    I'll stick with Macs.

  19. Oh... by MiniChaz · · Score: 5, Funny

    This sounds related to a great new feature in Mac OS X Server 10.3/Xserve called "automatic setup" that -- for machines that come with it preinstalled -- will get their address and LDAP server via DHCP and look for configuration files, and automatically configure the entire server, without any interaction beyond plugging it into the network and turning it on.

    Slashdotter A: "Are we being sarcastic?"

    Slashdotter B: "I can't even tell anymore."

  20. What's the difference? by penguin7of9 · · Score: 3, Informative

    This isn't so much of a root vulnerability as a default configuration that trusts the integrity of the local network services.

    That is a root vulnerability. You could perhaps trust LANs 20 years ago, you absolutely cannot trust them today, and any vendor that ships software that, by default, trusts the LAN is shipping software with severe security problems.

  21. Re:In other words... by CottonEyedJoe · · Score: 4, Interesting

    WEP or not I think your wireless network would need to be much more complex than most to exploit this. At least on my Airport network (and probably by default) the wireless clients get their settings from the base station and the base station only. You can run an LDAP server all night and day in my front yard and it won't do you a bit of good. I'll probably ask you what you're doing when I mow the lawn though.

  22. I concur by Fished · · Score: 5, Interesting

    Before anyone says "macinista", I've been using computers all day every day for 25 years now (since I was eight or so), and was a commodore man if you must know. I only got my first mac about two years ago. However, I will no longer have anything but a mac in my house because MacOS X based macs do everything I need - including a high quality X server - and never, ever, break. I'm a Solaris admin all day for a very large company. I don't want to hassle with munged computers at home. I prefer to farm.

    --
    "He who would learn astronomy, and other recondite arts, let him go elsewhere. " -- John Calvin, commenting on Genesis 1
    1. Re:I concur by Jordi+Bunster · · Score: 3, Interesting

      I've been saying the same. I am a programmer, and I also have to work with UNIX boxen. I also love the peace of mind of using a UNIX machine at home and not having to spend all weekends configuring something here or there. But ... I've had enough annoyances from Mac OS X so as to think about considering moving back to the free unices when the next upgrade to OS X comes. You know, Finder crashes, one aqua (or quartz I guess) lockup. Very rare, mind you, but I'm spoiled, I used to run Debian, the stable branch. Anyway, Panther just came out, so I guess I have some more time to take that decision. For the meantime, I try to only use applications and hardware that will not lock me in severely on the platform. I needed a substitute for Gnucash, I bought one that is written in Java, for example. Things like that.

      --
      Jordi Bunster http://bunster.org/contact/
  23. Re:Mod Parent Up by Jesrad · · Score: 2, Interesting

    Jaguar (10.2.8)

    The keystrokes are transmitted to the front application behind the screen saver only if you are fast. They get transmitted during the load time of the prompt window and during the activation time of the screen saver (between the moment it is started and the moment it starts drawing).

    --
    Maybe we deserve this world ?
  24. Apple is making a huge mistake by theolein · · Score: 2, Interesting

    In light of the recent Debian break-in, where the core servers were rooted and a rootkit installed on other machines, and all this using ldap for user authentication, I think Apple is making a huge mistake. All it needs is a couple of apple machines to be rooted by an exploit based on this and Apple will be in the same sorry boat that MS is in.

    (And for the zealots, I'm posting this from a G4 PB so STFU thanks.)

    1. Re:Apple is making a huge mistake by burns210 · · Score: 4, Insightful

      so why the hell are you running a mission critical server via dhcp? give it a static address to negate even the possibility of the exploit you are talking about here.

  25. Re:No, that's not so bad by Squozen · · Score: 5, Insightful

    I work tech support, and if I had a dollar for every Windows owner that didn't understand the difference between right and left-clicking I could buy Slashdot and every AC posting to it.

  26. Not Just Apple! by linuxislandsucks · · Score: 5, Insightful

    Ah ahem, several storage servers like Snap and etc also come with this 'feature'..

    and those run Linux...

    --
    Don't Tread on OpenSource
  27. A solution... by igomaniac · · Score: 4, Insightful

    Since this is an autoconfiguration feature, why not have it on only for the first boot after installing the OS? This way the computer can autoconfigure and then when it is configured it turns the feature off again.

    --

    The interactive way to Go -- http://www.playgo.to/iwtg/en/
  28. Re:zerg by burns210 · · Score: 3, Insightful

    because, unlike MS, apple has turned off services that aren't needed, by default.

    Who cares that an exploit can create a new user, if ssh and remote login is turned off anyway? The Answer: well, not many people. this is somewhat of a bug/potential hole, that should be fixed, but NOT panicked about.

  29. Oh give it a rest by Sycraft-fu · · Score: 2, Insightful

    The messenger service is used by many organizations for alerts. Where I work, our servers use it to send alerts to those that manage them. Works well since, unlike e-mail, it will get immediate attention. A web browser that is able to execute scripts is much more complex and therefore vulnerable than one that just doesn't execute code at all.

    Get off it, when you provide services to the world, you open yourself to the possibility of getting hacked. Look at Linux. Consider the holes in OpenSSH. Is it essential? No. Is it useful? Hell yes. When you run services that the whole world can get at, you run the risk that there is a flaw in the coding that someone exploits.

    Now, a valid solution to this is to have everything turned off and/or locked down by default. Ok, that works, but is a pain in the ass (read not easy to use) since you must then figure out how to enable everything and make it work. IF you have useful services enabled by default, it runs the risk they are vulnerable and can be exploited by default.

    By the way, if you have to reinstall Windows continually, you need to get some skills with Windows. To fuck it up that often and that bad indicates poor skills of the user.

    1. Re:Oh give it a rest by drinkypoo · · Score: 2, Flamebait

      By the way, if you have to reinstall Windows continually, you need to get some skills with Windows. To fuck it up that often and that bad indicates poor skills of the user.

      You asinine troll. Windows is quite simply broken. Want proof? If something is f*cked up on your Windows system, and you reboot it, it frequently fixes the problem. Try that with another operating system. A reboot shouldn't fix anything, it's a symptom of the operating system breaking itself.

      I've been using NT since 3.51, I've been using computers since I was four years old, and I have always had to periodically reinstall windows. Oh sure, I could fuck with it for weeks and figure out which program has done what strange and undocumented thing to my registry, or my DLLs in spite of the system restore, or some third stupid thing, but it's a lot faster and easier to simply do a repair install, and then reinstall service packs and patches.

      Now, I have had my XP system running without a reinstall for quite some time now, but things are not as simple as you imagine them to be. Windows is seriously flawed in just about every department except ease of use -- when it works. When everything is working fine I find Windows XP to be the most pleasant user desktop experience around, and yes I have run OS X. But when it's not working, Windows is worse than any other operating system that I have ever encountered short of MacOS 6 through 9, which are all now dead or dying. (If you're handy with a debugger, which you should not have to be to simply run some programs, you can figure out what's going on with older versions of MacOS. To me, it was not encouraging when Apple provided the debugger free, because you were going to need it.)

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  30. sandbox? by foniksonik · · Score: 2, Interesting

    I always wondered why there wasn't a sandbox approach to this automatic networking stuff... something to the tune of:

    Plug new PC in, a daemon listens/pings for DHCP, LDAP, whatever... and if it finds it, politely asks the user if he/she would like to enable the service. If you have admin privileges you get to authenticate and proceed to register with the service or if in an untrustworthy environment you can choose to leave them disabled. If a new server is found at any time the process is repeated... though you could set a preference to ignore new servers as well.

    See, sandbox. Requests are let in automatically but service must be opted into manually.

    --
    A fool throws a stone into a well and a thousand sages can not remove it.
    1. Re:sandbox? by Anonymous Coward · · Score: 2, Interesting

      I've always wondered about this myself. Best answer I could come up with was if it's a laptop you might then join a hostile network later and since you opted in you'd be owned.

      The solution of course is simply for the machine to remember networks and auto conf services that it's told are safe and prompt for any it doesn't know.

      I use DHCP because it's easy, but have always thought it was a pretty big hole waiting to happen.

  31. Re:In other words... by uroshnor · · Score: 3, Informative

    If remote setup is spin, why is it in the documentation that was released for Panther when the OS was released? See the server administration pdfs.

    This isn't a new "exploit" - all previous versions of MacOS X and NeXTStep had this with NetInfo by design - that's for nearly 15 years. However, it requires specific non-default configuration to work (the network directory does not have precedence over the local directory by default - what is claimed in the original web page announcing the exploit is wrong).

    For this to work, someone with local access to the machine has to go and change the directory lookup order for authentication, so that the network directories override local.

    This is one of a long list of "exploits" that fall into the category of "If I have local administrator/root access and misconfigure something in a specific way, then I am potentially remotely exploitable".

    The UI in MacOS should definitely warn you if you tried to make the change, but this really isn't the sort of thing you'd work people day and night to fix.

  32. Re:Read the IETF documents before posting! by rduke15 · · Score: 2, Informative

    Before misleadingly filling your comment with "IETF", maybe you should read a few IETF documents and join their working groups yourself.

    I will gladly admit that mDNS doesn't have to be crap in itself, and may be cool, but Apple's proposed implementation is NOT going through the IETF standards process.

    And Apple IS hijacking the .local tld, and not only did the IETF never recommend that it be reserved for Apple's Rendezvous, but in fact, had "concerns about multicast storms resulting from site-wide mDNS usage, as well as concerns about cache pollution" (among others).

    What they eventually adopted in the standards track is LLMNR.

    LLMNR also doesn't require suddenly taking over a widely used tld.

    Also: "Rendezvous is an individual submission that is not a work item of any IETF working group, and is currently not an IETF standard. While it is possible for an individual submission to become an IETF standard, this is unlikely in this case because an existing WG (DNSEXT) is already working on a competing protocol (LLMNR), which has just completed DNSEXT WG last call."

    See the LLMNR FAQ.

  33. Re:Well, it's not the only security problem. by argent · · Score: 2, Informative

    If it launched IE, it was recognising FTP but IE had over-ridden the default handler. You can use MisFox

    http://www.clauss-net.de/misfox/misfox.html

    or IC-switch

    http://flip.macrobyte.net/software/ic-switch_en

    to change these settings. I've taken to using Cyberduck for FTP.

    http://icu.unizh.ch/~dkocher/cyberduck/

  34. shadow passwords by hayne · · Score: 2, Informative

    If you have a user account that was present in 10.2, it stays as it was in 10.2 - i.e. the password is world readable and limited to 8 significant characters. If you make a new account in 10.3 or even change the password of an existing account that was brought over from 10.2 to 10.3, then the new password handling will take effect: shadow passwords and a larger number (I don't recall how many) of significant characters.

  35. Important wrinkle by awtbfb · · Score: 2, Informative

    What is not fully documented is that if you have multiple network locations, you have to deselect this checkbox for each location. Fortunately, this is straightforward since there is a network location pull down menu right above the checkbox.

    Note that this means you can leave it checked for trusted networks but uncheck it for untrusted networks.

  36. Re:Do I Need Any Of Them On? by RAMGarden · · Score: 2, Informative

    If that's the only computer on your network, turn it all off. Rendezvous is for other apples and SMB is for looking at windows file shares.

    --
    --- Nothing is secure.