Slashdot Mirror


Mac OS X Buffer Overflow Found

MacDork writes "Well, if default settings in Mac OS X made Lance Ulanoff excited, this is really going to make him do the monkey boy dance... SecurityFocus's Bugtraq mailing list just posted a buffer overflow, in the utility for mounting and probing ISO 9660 file systems. No exploits were mentioned. No word on whether 'Max' alerted Apple or anyone outside of the Bugtraq mailing list though." Also, 'Max' made entirely unfounded, sweeping statements about the general quality of Mac OS X from this one little item, but oh well. When you're on top, you make a tempting target.

3 of 161 comments

  1. Re:You aren't doing a thing for Apple's image by steeviant · Score: 5, Insightful

    Apple isn't "on top" of much of anything that I can think of. small/midrange servers? That's Linux-dominated. Workstations? That's Windows-dominated. I suppose they have more users than the other BSD variants, for what that's worth.

    Or more users than all of the other Unix systems put together if you're talking about the desktop.

    Apple sell more Unix than any other vendor in the world at the moment, so they are on top in at least one respect.

  2. When OSX becomes popular... by eyeball · Score: 5, Insightful

    Unfortunately, when OSX becomes popular enough, it will become a huge security target. But it won't be security exploits that pose a problem, it will be the same problems that plague Windows today:

    Just like in the Windows world, it's social engineering that causes installation and execution of quasi-legal applications like Comet Cursor and Bonsai Buddy, as well as downright unethical and illegal programs (viruses and worms) that get installed when a user is told "click on the .exe to see boobies." No type of security can possibly stop that type of human behavior (being an IT I'm convinced that education, warnings, and even threats can't stop it).

    --

    _______
    2B1ASK1
  3. Re:Looks low risk to me... by freerangegeek · Score: 5, Insightful

    Excuse me, but to execute a mount I have to at least have a shell on the affected machine, right? I may not need console access, but I do need shell access.

    And, by default, the firewall is ON, and sshd is disabled, so 'by default' I do need local access. And to execute a 'shell capable' program I can't just mail an attachment to the user, the user has to actively open it.

    Admittedly, this is a serious problem that needs fixing, but this won't be narachi, Code Red, etc. I'll bet you we have a fix in less than 2 weeks available for download via the system update command. (probably less)

    Lee
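Editor's added example, to make concrete what the story and the "low risk" comment above are arguing about. This is constructed code, not the Bugtraq post, not Apple's mount utility, and not anything a commenter wrote; the page does not describe the actual bug, so none of it is reproduced here. It assumes a hypothetical mount-style tool that copies a user-supplied device name into a fixed 32-byte stack buffer, and shows the unbounded-copy pattern that produces a stack buffer overflow beside a version that measures and refuses oversized input. The point the commenter makes still holds: the attacker has to be able to run the tool, so the exposure is local.

```c
/* Constructed illustration of a stack buffer overflow in a privileged
 * command-line tool, next to the hardened form. Hypothetical program and
 * buffer size; NOT the code of mount_cd9660 or any Apple software. */
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

#define DEVNAME_MAX 32   /* assumed size of the on-stack device-name buffer */

/* Vulnerable pattern: strcpy() trusts the argument's length. Anything longer
 * than DEVNAME_MAX-1 bytes writes past 'dev' into the saved frame pointer and
 * return address. With hostile input this is undefined behaviour (a crash, or
 * control-flow hijack); it is only ever called with short input below. */
int parse_device_unsafe(const char *arg, char *out, size_t outlen)
{
    char dev[DEVNAME_MAX];
    strcpy(dev, arg);                  /* no bound check: the bug */
    strncpy(out, dev, outlen - 1);
    out[outlen - 1] = '\0';
    return 0;
}

/* Reports, without performing the copy, whether parse_device_unsafe() would
 * overflow on this argument: 1 if the string (with terminator) exceeds
 * DEVNAME_MAX bytes, else 0. Scans at most DEVNAME_MAX bytes. */
int would_overflow(const char *arg)
{
    return memchr(arg, '\0', DEVNAME_MAX) == NULL;
}

/* Hardened pattern: bound the length check, reject (do not silently truncate)
 * anything that does not fit, and only then copy. Returns 0 on success, -1 on
 * missing or oversized input. Refusing rather than truncating matters for a
 * privileged tool: a truncated device path could name a different device than
 * the user asked for. */
int parse_device_checked(const char *arg, char *out, size_t outlen)
{
    if (arg == NULL || outlen == 0)
        return -1;
    const char *end = memchr(arg, '\0', DEVNAME_MAX);
    if (end == NULL)
        return -1;                     /* no terminator within the limit */
    size_t n = (size_t)(end - arg);
    if (n >= outlen)
        return -1;                     /* would not fit the caller's buffer */
    memcpy(out, arg, n);
    out[n] = '\0';
    return 0;
}

/* Constructed attacker input for the demo: 200 'A's, well past DEVNAME_MAX. */
const char *constructed_long_arg(void)
{
    static char buf[201];
    memset(buf, 'A', 200);
    buf[200] = '\0';
    return buf;
}

int main(void)
{
    char out[DEVNAME_MAX];
    const char *good = "/dev/disk1s0";          /* constructed sample */
    const char *evil = constructed_long_arg();

    printf("checked(\"%s\") -> %d\n", good, parse_device_checked(good, out, sizeof out));
    printf("checked(200 x 'A') -> %d\n", parse_device_checked(evil, out, sizeof out));
    printf("unsafe version would overflow on 200 x 'A': %d\n", would_overflow(evil));
    /* parse_device_unsafe(evil, ...) is deliberately not called: it would smash the stack. */
    return 0;
}
```

The fix being waited on in the thread is, in spirit, the move from the first function to the third: bound every copy of attacker-controlled bytes before it happens. Whether such a bug is remotely reachable depends entirely on who can invoke the binary, which is the commenter's whole argument.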