Slashdot Mirror
Ancient Flaws May Leave Mac OS X Vulnerable
mdeb writes "ZDNet Australia is running a story that claims Mac OS X 'contains unpatched security flaws of a type that were fixed on alternative operating systems more than a decade ago.' As an example, in August of last year, Apple patched the 'dsidentity' bug, which could easily have been exploited to grant a non-privileged user with admin rights the capability to create and remove 'root' user accounts."
Of course, you might have actually read that part and part of your subconscious dismissed it as false. Reminds me of this post from yesterday.
The awkward wording hides the actual meaning. The problem is that a non-priviledged user could *acquire* admin rights and *then* misbehave.
There are bigger problems in OSX. Auto-installing Dashboard widgets was stupid, and "Open Safe Files After Downloading" (a silly name for "Open Potentially Unsafe Files After Downloading") is an unnecessary risk only minimally mitigated by adding warning dialogs... but at least you can turn it off. More details in these comments:
h tml
http://www.scarydevil.com/~peter/io/osx-security.
http://www.scarydevil.com/~peter/io/apple.html
http://www.scarydevil.com/~peter/io/apple2.html
Thankfully even these are not as easily exploited as Microsoft's poisoned gumbo of IE, Outlook, ActiveX, and Security Zones... but Apple really needs to take a good look at the way they approach the Internet, and quit being so trusting.
concrete5: a cms made for marketing, but strong enough for geeks.
Now we will just have to sit and wait for Steve Gibson's assessment that Apple intentionally left these exploits open as a backdoor to the system!
I wouldn't hold your breath on that one, he doesn't deal with Macs at all. I know, I asked.
Well, it was one of his employees, anyway. I was wondering how the built-in OS X firewall compared to other available products and asked why GRC didn't do any OS X stuff. Here's the reply:
Also, since Gibson Research only produces software for the
IBM-compatible personal computing platform, we are sometimes asked
why we don't write software for the Mac. The answer is:
(1) We don't know anything about the Mac. We're a small PC software
development shop and we've become leading experts with the PC. But
the PC and the Mac are SO DIFFERENT that knowing one tells us nothing
about the other.
(2) Being small, we must be careful to expend our resources where
they will yield the greatest return. With more then 90% of the
personal computer market dominated by IBM-compatible machines running
MS-DOS underneath the Microsoft Windows graphical operating
environment, that's where we much focus our efforts.
(3) Steve is an insane perfectionist who insists upon authoring all
of our software in assembly language. Assembly language is tied
directly to the processor chip in the computer, thus none of our
software CAN be moved from the PC to the Mac. It's completely tied
to the Intel processor platform. But because of reasons (1) and (2)
above, we're doing just fine, and Steve's slavish devotion to the
highest performance, tight and lean code helps make our products even
more unique and attractive to PC users.
This may not be related very well to your remark (yes, I recognized the jab at GRC) and overall OT but I thought the Slashdot crowd might find it somewhat interesting.
Government's idea of a balanced budget: take money from the right pocket to balance...oh who am I kidding?
Ok, here is one.
.MOV, .GIF and QTIF (an Apple specific image format, like Microsoft's WMF) files to execute arbitrary code on both Mac OS X and Windows (assuming Windows has QuickTime installed) just by viewing them (such as through a webpage with an embedded QuickTime video).
On Jan 10 (2006), Apple, after having 2 and 3 months respectively to fix them, finally released a patch (7.0.4) that closed major holes in QuickTime, that allows
However as with many Apple patches and updates, it hadn't been properly tested, resulting in the forums being flooded with complaints about lost functionality (DVDs stopped playing and such). Apple quickly withdrew the patch, with little notice - as if the patch never existed.
Of course eEye, the security firm that had reported the vulnerabilities to Apple months before, had now already posted rather detailed advisories which included precise exploit details.
So ask yourself: Are you a Mac user (and thus have QuickTime because it's an integrated part of the OS used for OS 9 legacy emulation [long story]) or a Windows user that has installed Apple QuickTime by choice? Have you checked for patches for QuickTime in the last 2 weeks, or seen any kind of public advisory, like you normally do when Microsoft or just about any other large software maker releases a patch? If you answered yes to number one, but no to number two, congratulations. You a giant target for a zero-day exploit thanks to Apple and the Jobs reality distortion field.