Slashdot Mirror
Ancient Flaws May Leave Mac OS X Vulnerable
mdeb writes "ZDNet Australia is running a story that claims Mac OS X 'contains unpatched security flaws of a type that were fixed on alternative operating systems more than a decade ago.' As an example, in August of last year, Apple patched the 'dsidentity' bug, which could easily have been exploited to grant a non-privileged user with admin rights the capability to create and remove 'root' user accounts."
Duh. any user with admin rights can create and remove user accounts.
What's more diabolical is that you can do this without entering the admin password. That's not a bug either but maybe an unwise choice. (sorry but I ain't saying how till they patch it.)
Some drink at the fountain of knowledge. Others just gargle.
Of course, you might have actually read that part and part of your subconscious dismissed it as false. Reminds me of this post from yesterday.
There are bigger problems in OSX. Auto-installing Dashboard widgets was stupid, and "Open Safe Files After Downloading" (a silly name for "Open Potentially Unsafe Files After Downloading") is an unnecessary risk only minimally mitigated by adding warning dialogs... but at least you can turn it off. More details in these comments:
h tml
http://www.scarydevil.com/~peter/io/osx-security.
http://www.scarydevil.com/~peter/io/apple.html
http://www.scarydevil.com/~peter/io/apple2.html
Thankfully even these are not as easily exploited as Microsoft's poisoned gumbo of IE, Outlook, ActiveX, and Security Zones... but Apple really needs to take a good look at the way they approach the Internet, and quit being so trusting.
concrete5: a cms made for marketing, but strong enough for geeks.
They can't catch all the bugs, case in point: They applaud Microsoft for using these security auditing tools but they didn't catch the WMF exploit which was still in the Vista codebase.
The one concrete example given is just a local privilege escalation, which is not really all that serious.
This one sentence makes clear your lack of experience. A "local" priv escalation makes ANY remote hole r00t explotable. It's serious, maybe more than most "remote" exploits!
As somebody who's spent days (hopefully) digging rootkits out of hacked systems, I can assure you that while remote holes are important, local priv exp holes are every bit as serious.
For example, a system I admin was exploited by a hole in ProFTPd. (Yeah, thought I was catching everything with yum, this one had been compiled in and forgotten about ages ago) But, since the system was otherwise well patched, (no other known local exploits) he/she/it never got any farther than the unpriviledged anonymous account. Once discovered, the hole was easily closed off.
I have no problem with your religion until you decide it's reason to deprive others of the truth.
(approx. $600 if you were staying current all along)
I'm currently running Panther (and Jaguar on one Mac), and I'm skipping Tiger unless something comes up that requires Tiger that I actually care about. I got Jaguar, used, for $50, and Panther came on my Mac minis, so I'm good until Leopard comes along.
It wasn't until Firefox hit around 10% we started to see hackers paying attention and start exploiting the MS alternative product.
And when precisely did this happen. When "hackers" exploited Firefox, I mean. Real, live, in-the-wild you-better-watch-out exploits?
Apple's always been a minor player, and back in the '80s and early '90s they had a corresponding share of exploits in the classic no-security Windows-like Mac OS. Being 5% back then didn't keep them from being exploited, being easily exploitable made them exploited.
They have patched literally thousands of bugs and security holes and continue to do so at a pretty steady rate. We don't hear about it
If we didn't hear about it, how do you know about it? Do you have GOLD JULY BOOJUM clearance?
Now we will just have to sit and wait for Steve Gibson's assessment that Apple intentionally left these exploits open as a backdoor to the system!
I wouldn't hold your breath on that one, he doesn't deal with Macs at all. I know, I asked.
Well, it was one of his employees, anyway. I was wondering how the built-in OS X firewall compared to other available products and asked why GRC didn't do any OS X stuff. Here's the reply:
Also, since Gibson Research only produces software for the
IBM-compatible personal computing platform, we are sometimes asked
why we don't write software for the Mac. The answer is:
(1) We don't know anything about the Mac. We're a small PC software
development shop and we've become leading experts with the PC. But
the PC and the Mac are SO DIFFERENT that knowing one tells us nothing
about the other.
(2) Being small, we must be careful to expend our resources where
they will yield the greatest return. With more then 90% of the
personal computer market dominated by IBM-compatible machines running
MS-DOS underneath the Microsoft Windows graphical operating
environment, that's where we much focus our efforts.
(3) Steve is an insane perfectionist who insists upon authoring all
of our software in assembly language. Assembly language is tied
directly to the processor chip in the computer, thus none of our
software CAN be moved from the PC to the Mac. It's completely tied
to the Intel processor platform. But because of reasons (1) and (2)
above, we're doing just fine, and Steve's slavish devotion to the
highest performance, tight and lean code helps make our products even
more unique and attractive to PC users.
This may not be related very well to your remark (yes, I recognized the jab at GRC) and overall OT but I thought the Slashdot crowd might find it somewhat interesting.
Government's idea of a balanced budget: take money from the right pocket to balance...oh who am I kidding?
FWIW if you look up the hacker "nemo" of felinemenace.org that's him. He has found a number of vulnerabilities for which he is credited by apple. Given the number of vulnerabiliites that he has found by him self(as well as with others from suresec) I'm sure he's probably getting a little tired of it by this time, and would like apple to get a little bit of bad press to shame them into doing better. Also he has written a rootkit for Mac OS X but removed it from public view. So don't let anyone ever tell you there's no malware for Mac OS X. Further he has given talks on how to infect mach-o executable formats. nemo is the solution, and nemo is potentially a problem when his tools meet more widespread use (which is why I'm glad he removed the rootkit)
but when he says that OS X is vulnerable, NO ONE knows better than him
The basic problem is that the main pieces of code in Darwin (Mach and 4.4BSD) are no longer maintained independently.
A deep unwavering belief is a sure sign you're missing something...
Ok, here is one.
.MOV, .GIF and QTIF (an Apple specific image format, like Microsoft's WMF) files to execute arbitrary code on both Mac OS X and Windows (assuming Windows has QuickTime installed) just by viewing them (such as through a webpage with an embedded QuickTime video).
On Jan 10 (2006), Apple, after having 2 and 3 months respectively to fix them, finally released a patch (7.0.4) that closed major holes in QuickTime, that allows
However as with many Apple patches and updates, it hadn't been properly tested, resulting in the forums being flooded with complaints about lost functionality (DVDs stopped playing and such). Apple quickly withdrew the patch, with little notice - as if the patch never existed.
Of course eEye, the security firm that had reported the vulnerabilities to Apple months before, had now already posted rather detailed advisories which included precise exploit details.
So ask yourself: Are you a Mac user (and thus have QuickTime because it's an integrated part of the OS used for OS 9 legacy emulation [long story]) or a Windows user that has installed Apple QuickTime by choice? Have you checked for patches for QuickTime in the last 2 weeks, or seen any kind of public advisory, like you normally do when Microsoft or just about any other large software maker releases a patch? If you answered yes to number one, but no to number two, congratulations. You a giant target for a zero-day exploit thanks to Apple and the Jobs reality distortion field.
it sounds like you're compensating for something...
Uhmmm. The submitter has missed the entire point of that exploit - admin rights aren't required, because the program checks for admin credentials with 'getenv("USER")' - ie "export USER=some_admin" is the exploit.
The funny thing about students is that they think they're brilliant at coding but that's just the arrogance of youth. Even the ones who "enjoy coding" are medicore at best and can produce some of the most wretched code you've ever seen. It takes time and experience to become a guru. The versions of Linux that Linus wrote as a student were crappy. Even Linus admitted embarrassment at the poor code he wrote.
The fact is that the early versions of Linux weren't very good. Linux wasn't portable. Linux wasn't fast. Linux didn't even have networking or video support when I started using it. Linux was vaguely stable after a lot of effort had been poured into fixing all the bugs, but for a very long time the BSD community used to laugh at us for running something lamer than MINIX. Linux only became good after 100s of developers had joined the project. Linux had input from graybeards including people who had worked on commercial UNIX. Linus provided a catalyst, not the polished gemstone.
I think it's very important to keep things in perspective. Worshipping Linus as if somehow Linux sprang forth from his forehead in the form you see it today, and using Linus to excuse the mediocrity that is the common student, is not keeping things in perspective. Linus was a talented coder from day one but he wasn't an experienced coder until well after graduation.
And the majority of students don't have half the talent of Linus.
The Darwin kernel is opensource already
Here's the deal:
This is the 'architecture' argument used so often here. For any attack to result from a vulnerability, there must usually be complementary bugs in authentication and access, and the user must explicitly enable the services that are vulnerable. Even browser-based attacks won't be able to spawn new processes without an additional exploit or social engineering to get the user to type their password.
It's the same with Linux and BSD. The difference is that Linux and BSD machines are usually doing tasks that require LDAP, SSH, DNS, SMTP, HTTPD, FTP, and other services. The probability of these services being active on a machine at any given time is greater, so the patch process gets a deservedly greater amount of attention.
That being said, I hope Apple doesn't drag their feet anymore. Once someone is trying to target the Mac, the additional 1-3 exploits required to successfully execute an attack could very well be discovered. Most home users wouldn't be vulnerable simply because they don't run the affected services, but I'd prefer to be protected all the same.
Jasin NataelTrue science means that when you re-evaluate the evidence, you re-evaluate your faith.