Slashdot Mirror


Mac OS X Buffer Overflow Found

MacDork writes "Well, if default settings in Mac OS X made Lance Ulanoff excited, this is really going to make him do the monkey boy dance... SecurityFocus's Bugtraq mailing list just posted a buffer overflow, in the utility for mounting and probing ISO 9660 file systems. No exploits were mentioned. No word on whether 'Max' alerted Apple or anyone outside of the Bugtraq mailing list though." Also, 'Max' made entirely unfounded, sweeping statements about the general quality of Mac OS X from this one little item, but oh well. When you're on top, you make a tempting target.

16 of 161 comments

  1. Re:Looks low risk to me... by MSG · · Score: 4, Insightful

    The potential for exploit doesn't require you to insert a CD. It may be exploitable by command line arguments. If so, then there may be a vector for an attacker to begin privilege escalation if he can achieve access to a local account, in which case this would present a full root vulnerability to a remote user.

  2. What! by Anonymous Coward · · Score: 2, Insightful
    Also, 'Max' made entirely unfounded, sweeping statements about the general quality of Mac OS X from this one little item, but oh well. When you're on top, you make a tempting target.

    Huh? How do you figure this? All he said was that parts of MacOSX that didn't come from BSD were not very well written. Whoopdeedoo - any operating system of that size will be likely to have some not so great code in it. It's beyond me how you managed to interpret Max's comment as an 'unfounded, sweeping statement' about the quality of MacOSX, given that 'parts' is a rather indeterminate quantity.

  3. Re:wtf by hype7 · · Score: 4, Insightful
    I'm always amazed at how fast Mac users will resort to MS-style tactics and excuses.


    The difference is that Apple, unlike Microsoft, provides timely patches. Not timely excuses.

    -- james
  4. You aren't doing a thing for Apple's image by 0x0d0a · · Score: 4, Insightful

    Blind, stupid fanaticism doesn't do anything to help Apple -- it just means that people ignore Mac fans.

    MacDork writes "Well, if default settings in Mac OS X made Lance Ulanoff excited, this is really going to make him do the monkey boy dance... SecurityFocus's Bugtraq mailing list just posted a buffer overflow, in the utility for mounting and probing ISO 9660 file systems. No exploits were mentioned. No word on whether 'Max' alerted Apple or anyone outside of the Bugtraq mailing list though." Also, 'Max' made entirely unfounded, sweeping statements about the general quality of Mac OS X from this one little item, but oh well.

    I've seen *tons* of vulnerability releases about companies that contain harsh criticism of their security policies. This is not unusual. At the least, Apple screwed up on an important utility. They can take their lumps, same as everyone else does when they screw up.

    When you're on top, you make a tempting target.

    Apple isn't "on top" of much of anything that I can think of. Small/midrange servers? That's Linux-dominated. Workstations? That's Windows-dominated. I suppose they have more users than the other BSD variants, for what that's worth.

    Frankly, "Max" may be biased. I suspect that he's mostly right -- that the hammered-on and designed-by-folks-with-security-experience BSD code is more reliable than the new stuff Apple churned out. I do know that "MacDork" definitely *is* biased.

    I wish editors would reject stories that are just blatantly biased, or at least reserve the right to re-summarize story submissions.

    1. Re:You aren't doing a thing for Apple's image by steeviant · · Score: 5, Insightful

      Apple isn't "on top" of much of anything that I can think of. Small/midrange servers? That's Linux-dominated. Workstations? That's Windows-dominated. I suppose they have more users than the other BSD variants, for what that's worth.

      Or more users than all of the other Unix systems put together if you're talking about the desktop.

      Apple sell more Unix than any other vendor in the world at the moment, so they are on top in at least one respect.

  5. In All My Years... by Bloodmoon1 · · Score: 4, Insightful
    On OS X, about 2 of them, actually, I've seen 1 bug that COULD have posed a problem for me. Maybe I'm just not as big of a power user as I think I am, but I really fail to see how virtually any of the bugs/exploits/whatever that are found for OS X are any type of problem. Yes they need patched, but they almost don't seem worth mentioning except for the sheer novelty of it, and maybe as some sort of strange inferiority complex kick for Windows users, as a recent article seems to suggest.

    Take this one for example, which many considered to be a "big security issue". Basically it only was a problem:
    1. On laptops.
    2. When someone had sudo running in Terminal.
    3. When the computer was put to sleep.
    4. For 10-20 SECONDS after the computer was woken up, but before the clock was updated, someone with physical access to the computer could execute code.
    What a massive, gaping, goatse proportioned hole. Who knew it was a bad idea to leave your computer running sudo just laying around in Starbucks while you went to the can? And Apple still had a patch out in a week or two. And in 10.3, passwords can be required to wake the computer, further negating this and any similar problems.

    Now compare that to the 50 critical security fixes needed immediately for an install of a year old Windows XP disk. And the fact that there are about a hundred different ways to execute code in Windows, either legitimate or malicious, all across the system, even in the damn web browser.

    Basically what I'm getting at here is that this is newsworthy simply for the fact that it really isn't. I'd be willing to bet 0 people will have any problem with this before it is patched.

    And on a personal note, "Max" sounds pretty fucking stupid and ignorant. "It appears that parts of MacOSX that didn't come from BSD are not very well written and have significant security issues." Oh boy! I found a buffer overflow that will affect no one and that I probably didn't even bother to inform Apple about beforehand! I'm a L337 haX0r bitches! Now if he just would have thrown in something about how Apple is beleaguered and BSD is dying, we could just chalk up "Max" as a lucky troll.
    --

    Request: ECM unit, 1000 km fullerene cable, 1 tactical nuclear weapon. Reason: Birthday party for foreign dignitary.
    1. Re:In All My Years... by Bloodmoon1 · · Score: 3, Insightful

      50 is a kind of randapher guess I took. I'm sure it would be more if I went and actually bothered to check, but I don't really care. If Apple (OS What? Details son, details) has had 78 holes, Microsoft has probably had about 8 million. Besides, who cares? We all know MS systems are less secure than Apple systems. No news there. Stop trying to defend against every anti-MS comment, it's too much work for a person to do. Besides, I said 50 critical fixes. I guarantee there haven't been that many critical fixes to OS X.

      And I'm well aware, as are virtually all Mac users, that we don't have the perfect OS by any means. It has its issues. All of them do. Just ours has fewer issues than almost all others (especially compared to our user base), is probably the easiest to use (approx. 10 years of usage, never had to even deal with device drivers) and learn, has a decent amount of software support, has 0 viruses (besides the ones that affect all Microsoft products on all platforms), and is by far and away just the nicest looking. No one ever said it was perfect. Jaguar was the same way. And it's better now in Panther. And OS X will be better still in 10.4, and then 10.5, and so on. Things are as good as they ever have been, but they can only get better from here.

      On a totally unrelated note, I'm updating my post reply policy for ACs.

      --

      Request: ECM unit, 1000 km fullerene cable, 1 tactical nuclear weapon. Reason: Birthday party for foreign dignitary.
  6. When OSX becomes popular... by eyeball · · Score: 5, Insightful

    Unfortunately, when OSX becomes popular enough, it will become a huge security target. But it won't be security exploits that pose a problem, it will be the same problems that plague Windows today:

    Just like in the Windows world, it's social engineering that causes installation and execution of quasi-legal applications like Comet Cursor and Bonsai Buddy, as well as downright unethical and illegal programs (viruses and worms) that get installed when a user is told "click on the .exe to see boobies." No type of security can possibly stop that type of human behavior (being an IT I'm convinced that education, warnings, and even threats can't stop it).

    --

    _______
    2B1ASK1
  7. sarcasm by zerosignull · · Score: 2, Insightful

    "When you're on top, you make a tempting target." I believe it was meant as a sarcastic pun. After the recent flaming from other articles sayin that mac os x would have more holes found in it 'if' it were on top. This is a pretty hard to exploit bug though. "Presuming" that u can execute malicious code think of the steps you would have to go through to get to actually execute the bugged program? If by the time you can execute command line arguments then the OS is in trouble cause ne thing can be done. It doesn't seem likely that a hacker would gain access to your computer just to run a buggy program that "may" or "may not" give them more access to your computer. It seems to me that all the mac bugs are hard to exploit as opposed to something like blaster and its variants. Written on Windows XP BTW. Patched and feeling safe. Hardware router u know people :)

  8. Re:wtf by idontsmoke · · Score: 2, Insightful
    I'm always amazed at how fast Mac users will resort to MS-style tactics and excuses.

    The difference is that Apple, unlike Microsoft, provides timely patches. Not timely excuses.

    No, the difference is the grandparent poster quoted out of context. Pudge was referring to the "entirely unfounded, sweeping statements about the general quality of Mac OS X" that 'Max' made while reporting the bug, he wasn't trying to play down the fact a bug exists.

  9. local vs remote holes, overall quality by 47PHA60 · · Score: 4, Insightful

    Even OpenBSD has local root exploits, and they have been fixing them for years. A local exploit could be used to load a root program that listens on the network, so you fix it.

    I've seen lots of security advisories make fun of or insult the product and company in question. Big deal, a programmer skilled enough to find a buffer overflow makes fun of Steve Jobs' product. Mr. Jobs can afford a gold thread hanky to wipe his tears, but more likely it just rolls off their backs; people have been making fun of Apple for decades.

    In general, it is hard to program an OS, and once it is out there, easier to poke holes in it. That is why security is difficult. Fix the problem, review your code for similar problems, fix those, move on.

  10. Re:Details: by Arkham · · Score: 4, Insightful

    And THIS parent post, ladies and gentlemen, is EXACTLY why open source is good, and why Apple was VERY SMART to release its Darwin source code under an open-source license.

    Windows has a root exploit, and we are dependent on Microsoft to get around to fixing it. Thanks to Darwin, we can fix our own OSX bugs much of the time.

    --
    - Vincit qui patitur.
  11. Someone needs a meta-mod spanking... by Anonymous Coward · · Score: 1, Insightful

    "Flamebait?" It's the honest truth, and I speak from the experience of a Mac user. Mac users are still accustomed to software that requires an installer instead of simply rejecting anything that doesn't come as a single bundle that you drop into the Applications folder. Every installer I've ever seen pretty much requires you to give it admin privileges to run.

    So, spyware for the Mac is inevitable if it ever gets enough marketshare for everyone to care. It's inevitable even if we just have to wait for some marketer to think we're a worthwhile niche market.

    He's right. The ultimate hacks are always social hacks. Getting idiots to install malware on their own systems is much, much easier than writing exploit code.

  12. Re:Looks low risk to me... by freerangegeek · · Score: 5, Insightful

    Excuse me, but to execute a mount I have to at least have a shell on the affected machine, right? I may not need console access, but I do need shell access.

    And, by default, the firewall is ON, and sshd is disabled, so 'by default' I do need local access. And to execute a 'shell capable' program I can't just mail an attachment to the user, the user has to actively open it.

    Admittedly, this is a serious problem that needs fixing, but this won't be narachi, codered, etc. I'll bet you we have a fix in less than 2 weeks available for download via the system update command. (probably less)

    Lee

  13. Re:There's a buffer overflow even in the fix... by dzerkel · · Score: 2, Insightful

    Actually, using strlcpy() and strlcat() in place of most strcpy() and strcat()s would go a long way to preventing buffer overflows from happening.

    Now, strlcpy() and strlcat() are relatively new, and may not have been available when this was written, but they are certainly available in Darwin now.

    Danny

    --
    "What's the point of going abroad, if you're just another tourist..."
  14. buffer overflow != exploit by aminorex · · Score: 2, Insightful

    A buffer overflow is a bug. While all exploitable defects allowing unauthorized privilege escalation are bugs, not all bugs are defects which can be exploited to effect unauthorized privilege escalation.

    --
    -I like my women like I like my tea: green-