Slashdot Mirror
Apple Uncommunicative About Security Holes
blackmonday writes "Kieren McCarthy of Techworld argues that Mac OS X is rife with security holes, and that Apple is doing a 'half-hearted' job of patching their operating system security holes, and has a 'strange habit of pretending a big problem is of no significance.' As a Mac user I find this an intriguing article in light of the Sasser Worm and its recent variants." Despite the article's assertions, no evidence of widespread security problems, or lack of effort to solve them, is offered. The only real question is Apple's lack of communication with the public in the nature of the problems.
Well, let's see: If Apple has been uncommunicative about the presence (or absence) of any security holes, it is simply because they would rather not publicize the presence of particular holes. It's good policy for their OS while also maintaining an open source presence with Darwin that allows for public scrutiny. It should also be noted that Apple is also working towards approval of certain security ratings from assorted groups and governmental agencies, but they are not publicizing that either. They would rather maintain a low profile and have good reasons for doing so. After all, the core of OS X, the NeXT OS has a long history of a presence in intelligence and security circles (NSA, CIA, FBI etc...).
I read the linked article and was absolutely stunned at how superficial the evidence was given the claims being made. If one is going to make such statements, one would think there would be a little more substance, but hey the article certainly has garnered some attention, so perhaps that was the sole goal of the author? Or if one were likely to believe in conspiracies, one might guess that the author was put up to writing the article by a potential competitor? In science, we have to publish "disclosures" that establish corporate or political linkages. Perhaps it is time for the news media to do the same?
Visit Jonesblog and say hello.
A comment in response to the Scobleizer blog said it best:
The whole thrust of the article seems to be "There might be dozens of holes in OSX, how do we know?".
I don't think there's anything truer than "There are dozens of holes in OSX". Also "There are dozens of holes in Windows" and "There are dozens of holes in Linux - pick a distro any distro". You only have to look at the number of patches released for ALL operating systems to see the truth in that. Some OSs will be worse than others and have more exploited holes, that's an argument for another time.
Those holes aren't a dramatic problem, until they're found and IGNORED by a vendor. That's all there is to it, not whether a company is uncommunicative. I'd be willing to bet that as soon as Apple became aware of its AFP problems, work began on fixing the problem. I'd rather see a best effort is made towards fixing the problem rather than release press release after press release, SCO style.
Of course, openness is always admired and it would be a nice thing to know just what's happening with a fix for an exploitable hole, but that's a little less important than getting a well written patch out for the hole.
And now, it IS patched. fixed. Any default OSX install is going to have already alerted its owner to the existence of the fix.
DO they ship apache with every copy of mac os x?
Yes. The configuration is difficult to deal with, but it certainly ships on every OS X machine.
The long story is that you have to go to the "System Preferences" application, click on the "Sharing" panel, and check the box marked "Personal Web Sharing".
I realize that had a lot of "tech" "jargon", but that's how you configure Apache on Mac OS X.
There are no trails. There are no trees out here.
There lots of people out there who don't know what you know. Techworld, sounds so ... official, it must be true! I was trying to expose a BS article without explicitly calling it that. I'm glad we're debunking it.
If this were happening it's reasonable to assume those forums and media would be abuzz about it. Perhaps this is just more M$ FUD. BK425
Have you actually talked to some art students lately? Aside from people that are actually doing computer graphics work, their computer skills (in general) are pitiful. Having a Mac does not help this - in fact, it gives them even less incentive to actually learn how their computer works beyond "double-click the cute little icon to open IE/AIM/Photoshop/etc.".
Feel free to prove me wrong, but I go to a fairly geeky school, and with a couple exceptions, I haven't really seen otherwise among the art/photo majors here.
He had to send his PowerBook back to Apple and was pretty pissed off at the result. And that's just one of his tirades about the dealing with Apple experience.
It's rumored that he ended up smashing the shit out of it in the end.
It really kind of turns you off to paying extra for the priveledge of owning a Mac.
Man, I haven't read such an obviously antagonistic bit of tripe like that in a long time. Mentioning 5 possible exploits which all require default-off services to be enabled, only one of which could lead to a system-wide compromise under 99% of normal circumstances, then calling "Sasser" trivial in comparison (sorry.. "a blip") is not only completely incorrect but is irresponsible journalism.
The AFS vulnerability, which is the only process in the whole list which runs under root privs, would require someone be running AFS (the Apple equiv of NFS) over the Internet. It has been known for a very long time that NFS is *ONLY* for internal trusted networks. AFS is turned off by default on Macs, and the vast majority of users (certainly almost all home users) would never need to enable it.
The Quicktime vuln would only affect files owned by the executing user. Certainly a pain in the ass, but not fatal or prone to "zombification" of your computer like Sasser.
The Apache vulns, IIRC, are of the DOS type (one is a memory leak condition). Irritating, but not critical, unlike Sasser.
Kieren McCarthy should be ashamed of himself for writing such a disingenuous load of crap as that article. Microsoft's history of disclosure and cooperation with security research firms is ** FAR ** from unblemished.
I have something in common with Stephen Hawking...
With all due respect, this is much ado about nothing. Let's examine some of the claims:
* Some older vulnerabilities in Apache 2 can be exploited by malicious people to inject malicious characters into log files and cause a DoS
Who is running Apache 2? Are most OS X users running their own web server in the first place? This isn't an Apple issue. Anyone who is running Apache, which includes all flavors of Unix as well as Windows has the same issues, but of those, the 2.x tree?? A tiny minority probably not even worth mentioning. This isn't necessarily Apple's responsibility unless they've branded Apache 2 and offered it as some core feature.
* Two vulnerabilities in the IPSec implementation can be exploited by malicious people to conduct MitM attacks (Man-in-the-Middle), establish unauthorised connections, or cause a DoS.
Again, this is an OpenSSL issue, not an Apple issue, and it has nothing specifically to do with Apple. The circumstances under which this exploit would be taken advantage of are pretty limited. That's not to say any of these issues shouldn't be addressed, and maybe Apple should more accurately call attention to these vulnerabilities but they aren't really the issues justified by the FUD being spewed.
* A vulnerability within AppleFileServer can be exploited by malicious people to compromise a vulnerable system.
Ok, this may be ONE issue so far that is attributable to Apple.
* An unspecified vulnerability exists within the CoreFoundation when handling environment variables. This may potentially be a privilege escalation vulnerability. This has not been confirmed, though.
WTF? An "unspecified vulnerability" that "has not been confirmed"? Did the lawyers from SCO write this article?
* An unspecified vulnerability exists within RAdmin when handling large requests. This may potentially be a system compromise issue. This has not been confirmed, though.
More unconfirmed vulnerabilities? Nice FUD.
Can you name a single Windows flaw that was in the kernel?
= CAN-2003-0112
n /MS03-013.mspx
http://www.net-security.org/vuln.php?id=3401
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name
I don't think Microsoft has ever released a patch to the Windows kernel via Windows Update. Can anyone confirm this?
http://www.microsoft.com/technet/security/bulleti
Google is your friend.
Secunia has given the five - yes, five - patches a "highly critical"
IS that all! My God Apple are doing a sterling job, I wonder how many good old MS have? Seriously, yes it is a shame that Apple doesn't write 101% perfect code but I think you will find that the average OS X user does in-fact use the prescribed patches. As I have done today.
This strange habit of pretending a big problem is of no significance was also displayed last month
Habit? Since when did Apple make it a habit of ignoring anything? Surely he must meant Microsoft?
This article is utter, utter drivel. Yes it's important for Apple to keep on their toes, yes it's ultra important for OS X users not to be complacent. However this article is just endorsed flambé bait. I suggest Keiren finds another profession.
As one poster on the Techworld discussion board comments:
Your headline by itself is possibly even actionable as an untruth, maybe a slander - I'd be very careful, if I were you. I hope for your sake that you got it vetted by Techworld's legal department before "going to press".
Buffer Overrun in Windows Kernel Message Handling Could Lead to Elevated Privileges
Update Rollup 1 for Windows XP Is Available. Search for ntoskrnl.exe for the proof of a kernel patch.
I read this article and thought it utter FUD. First the guy asserts that Mac OS X is rifed with security holes, when really compared to Windows there just aren't that many. But it seemed his real complaint is that not a lot of people are talking about the security holes. I mean, in all honesty, why would Apple talk about the security holes, unless they were so plagued by them that consumers were continously calling up complaining, there really is no reason to talk about a security hole.
Investigate it, acknowledge it, and patch it-- that's what I see as the typical course of action, even for Microsoft, and Apple does this reasonablly well. In fact, most of my knowledge about the various Apple related security holes comes directly from Apple in their knowledge-base articles related to the various security patches. It's only randomly that I hear about a security hole that will also effect Apple from a third party source, before I hear it from Apple. But I'll admit to most of my security subscriptions tend to cater to the PC, for obvious reasons.
Also, it seems to me that Apple spends a fair amount of time patching security holes in the various open source solutions its using/tying in with Mac OS X. Which means that technically many of these security holes are also effecting Linux, and Unix machines as well. Like the security update from yesterday or the day before address issues in Apache, IPSec, OpenSSL, and CUPS.
The guy mentions the QuickTime flaw, which was patched weeks ago by Apple, per normal, in a quite automated QuickTime update. He then also mentions that "trojan" that never was. Basically a proof of concept idea that was published, but works technically not that much differently on a Windows machine. Basically, someone can change the icon of an application to that of an MP3 file, and run code when double-clicked. Did anyone besides Intego consider this a big deal, even Symantec scoffed at it, and scolded Intego, though they did duly post a low level security warning.
The truth is, to my knowledge Apple doesn't rate security updates. An update is either a normal bug fix or feature addition, or its a security update. Apple expects all its users to Apple each of their security patches, and to the best of my knowledge has never used a security patch to ship in unwanted software or system changes. So why complain that Apple hasn't called the security updates a "critical" security update. The knowledge base typically includes who original posted the hole/flaw, and the item number, so you can go read the details yourself, and look at the rating attribute.
Blah, blah, blah...isn't this just more of I'm looking, scraping, scrouning for something bad to say about Apple security. I guess, I'd be more forgiving, if the article actual focused in on the various security issues, as opposed to chastising Apple for what, not taking out a press release about them?
Well, the whole message passing system in Windows is a local root exploit. Until this one is fixed (it never will be without a rewrite of the whole thing), there isn't a need for any other root exploits. I know it's not entirely in the kernel, but it doesn't matter, because there isn't any way to turn off the code that harbors the problem.
And the muscular cyborg German dudes dance with sexy French Canadians
In general you have a point, the Windows kernel is way more stable than stuff like IE, Explorer, Office, etc, but there are still fixes issued for it.
For example, the recent MS04-011 fix which patches the vulnerability exploited by Sasser actually updates the kernel. If you look in the list of updated files you'll see "ntoskrnl.exe", "ntkrnlpa.exe", etc amongst some other critical system files (such as Winlogon.exe, Lsass.exe, etc)
If you bother looking there are many other fixes that update the kernel, though not all are for security holes, but for other non-exploitable bugs that cause poor performance or incorrect behaviour.
Incidentally, the vast majority of kernel problems (i.e. system crashes) are actually due to 3-rd party drivers. Microsoft receive a huge number of crash submissions each year via it's Online Crash Analysis tool and the data from these is collated and passed to the driver vendor for fixing. So, next time your Windows system crashes and asks "do you want to tell Microsoft?" click "yes" - it really does make a difference!
Why would I want to buy a virus scanner?
ClamAV, among others, compiles and runs just fine under Mac OS X...
Specialization is for insects. - R.A.H.
"While Apple seems to be patching fairly regularly, the last security update (the group of 4) was a little lacking in that it offered no explanations ... As I work in IT, I'm often left installing patches with Apple with no clue what they're doing under the hood"
Apple's description of the patch was rather terse (AppleFileServer: Fixes CAN-2004-0430 to improve the handling of long passwords. Credit to Dave G. from @stake for reporting this issue."), but it provides the reference (CAN-2004-0430) that provides full details. Admittedly, this did require a google search, or reading the usual advisory lists. But it's certainly not hidden from anyone who wants the detail.
Enable 3D printed prosthetics!
You're right, it's very often the case that worms and such are exploiting vulnerabilities for which Microsoft issues patches long before. However, there are a few reasons that's the case.
1) My very-non-expert understanding of Microsoft's update mechanism is that there are several semi-overlapping systems which are relevant, and that some or all of them do not default to running automatically. (I've never used Windows myself, so it's entirely possible that I'm mistaken about this. It's the impression I've acquired after listening to many Windows users.)
Contrast this to Apple's Software Update tool, which defaults to checking for updates once a week, and handles all hardware and firmware from Apple. It requires explicit permission from the user to perform upgrades, but it does take the liberty of downloading "important" updates before requesting a final go-ahead, making it as painless as possible.
2) Microsoft's patches have a pretty high incidence of causing problems for previously-working systems. My understanding is that this is often related to a very inflexible shared library system which encourages third-party developers to overwrite standard system DLLs with their own versions left and right, predictably causing problems upon future update.
While it is absolutely the case that updates from Apple occasionally cause problems, it seems to be relatively rare. I personally have no qualms about simply agreeing immediately to any update Apple offers me; I've been doing so for five years now, and I haven't had any cause to regret it yet.
So, yes, a very high percentage of systems out there are lacking patches which Microsoft has made available. But there are still some senses in which Microsoft is very responsible for that being the case.
From the article:
Secunia has given the series of patches a "highly critical" rating, which it explained was due to the Apple's dismissive attitude to one of the holes. Secunia described a vulnerability within AppleFileServer that allows for a buffer overflow as an attempt to "improve the handling of long passwords", but security specialists @stake warned that it could lead to the full system access.
These were the same guys who fired one of their employees because they had the temerity to say something bad and substantial about Microsoft.
Link.
Pretty FUDdy article to me.
That is entirely bogus if you make use of ACLs on your windows. See SetUserObjectSecurity. That's right: every window has a seperate ACL that you can use to restrict access. So does every other object on NT. Unfixable, bah! A solution has been available in every version of NT.
It's the [insert application] creator's fault for not implementing them.
You'll also notice that no microsoft software has something running as SYSTEM open windows that can interact with the user; they all use unpriveleged client apps. (other than Winlogon and it has its own protections) That makes it even more the app writer's fault and not an inherant system flaw. Notice they exploited some 3rd party virus scanner.
That vulnerability requires the SeDebugPrivilege in order to exploit. It is normally (default) only given to members of the Administrators group. If a program is running as admin, then it is already a huge security hole. See http://www.securityfocus.com/archive/1/354392.
That would be every single Windows user. All Windows versions.. at least all that are from the poisoned NT tree, actually make an RPC call back to themselves when they log in. If you disable RPC on a Windows box.. the box can't authenticate LOCAL users! How's that for clever design?
I'm not feeling witty so bite me
The iexplore executable is 89kb. It's just a kickstarter.
Internet explorer is in fact part of explorer.exe, the windows shell.
Test: Open task manager and close IE so you can only see explorer.exe, not iexplore.exe. Open windows explorer and type a URL into the location bar. It'll open a web page and you'll get the IE toolbars. Check task manager: no iexplore.exe.
It doesn't really matter _where_ the flaw is, as long as it leads to privilege escalation it's as bad as it can get.
I'm sorry if I haven't offended anyone
Forgive me, but who is Kieren McCarthy? And how can he prove the existence of something that he by definition cannot know anything about?
And why does this always happen whenever Windows gets the shit kicked out of it?
Kieren McCarthy, whoever you are, I am sure this comes as no great news to you, but 1) you are full of it; and 2) you're a dupe - perhaps a paid dupe, perhaps an unpaid (and therefore even more duped) dupe.
My argument is only anecdotal, but even as such it offers much more substance and evidence than this charlatan.
I have never - and I literally mean never - come across a company so freaking security conscious as Apple. I mean, these guys are out in front and thinking and preparing for possible security vulnerabilities waaay down the line - years ahead.
All you have to do is read the programming tutorials to understand this.
And their grasp of Unix is excellent. These guys really know security, and for them security is a top, if not the top, priority.
Exposing a bug in OS X gets you an immediate response - and by 'immediate' I mean 'immediate': within a couple of hours at the most. And the contact you get becomes a liaison between you and the development team. And even more impressive, they actually keep after you to complement your information so they can get to the bottom of it.
Now honestly, Mr Kieren McBullshit, who else does this? Eat you know what and do you know what. You should be ashamed.
There used to be a time when Apple traced every hardware flaw back to the design phase - and corrected it. This thinking they have today about software and security echoes that type of thinking.
You might accuse Apple of many things, but lax on security is not one. My information is only anecdotal, but it's more than good enough for me: in terms of security, Apple are simply best.
So crawl back into the woodwork, Mr Microslave, until next Windows gets walloped by a simple hack written by a teenager sitting in his underwear at his computer halfway around the world.
We'll be waiting.
This one causes a memory leak; DoS.
This one is possible information disclosure, not code execution.
This is another memory leak; a DoS.Design flaws like what? Give me exmples. Every object from window, to thread to registry key has a seperate ACL. API interfaces are divided into subsystems that all have to use the same system interface. All system calls go through ntdll.dll. All strings use a single format and are sized. NT uses memory protection like any other modern PC OS. All named objects are stored in the object manager. Services like the IO manager use layers to abstract functions.*sigh* There is really no point to argue the definition of a kernel. You are right though, if a vuln exists in something with the privledges of the kernel, it might as well be part of the kernel from a security standpoint. I think the discussion originally made the statement that no vulns exist in the kernel itself (ntoskrnl.exe); not including optional modules. You found some. The difference is that you can choose to not use optional modules, you can't choose to not use the kernel.
As for things that must be run in the kernel, a mircokernel architecture should have almost nothing. MS traded safety for less overhead by moving so much into kernel mode. I agree that there is too much. Ideally the user should be able to choose what they want to have where. However, MS has never been one for giving users choices.Bring 'em on!
"And the other 3? Apple should at least point to the relevant advisory."
Apple did. I'll quote more of the knowledge base article:
"* CoreFoundation: Fixes CAN-2004-0428 to improve the handling of an environment variable. Credit to aaron@vtty.com for reporting this issue.
* Apache 2: Fixes CAN-2003-0020, CAN-2004-0113 and CAN-2004-0174 by updating to Apache 2 to version 2.0.49.
* RAdmin: Fixes CAN-2004-0429 to improve the handling of large requests
* AppleFileServer: Fixes CAN-2004-0430 to improve the handling of long passwords. Credit to Dave G. from @stake for reporting this issue.
* IPSec: Fixes CAN-2004-0155 and CAN-2004-0403 to improve the security of VPN tunnels. IPSec in Mac OS X is not vulnerable to CAN-2004-0392."
Admittedly this is listed in the knowledge base article, not in the consumer description of the patch, but it doesn't seem unreasonable that a sysadmin would read the KB article for the patch before installing it.
Enable 3D printed prosthetics!