Ancient Flaws May Leave Mac OS X Vulnerable

mdeb writes "ZDNet Australia is running a story that claims Mac OS X 'contains unpatched security flaws of a type that were fixed on alternative operating systems more than a decade ago.' As an example, in August of last year, Apple patched the 'dsidentity' bug, which could easily have been exploited to grant a non-privileged user with admin rights the capability to create and remove 'root' user accounts."

I thought OS X...

[msauve]

was an "alternative" operating system. Why is a hole which was patched 6 months ago news? No harm, no foul.

users with admin rights

[MasterShake]

Shouldn't users with admin rights, by definition, be able to create acounts of any level?

This doesn't really sound like a hole to me, but expected behavior.

Self-serving press release story

[cratermoon]

So Neil Archibald, senior security researcher at software security specialists Suresec, says so, and futher said his opinion is justified because Apple does not use software auditing tools to scan enough of its software. This same Suresec, as can be seen on their web page, sells tools and consulting around source code auditing.

Sour grapes

[jtorkbob]

I wonder if Suresec/ Neil Archibald pitched their services to Apple and got turned down?

Also, from TFA:

"In my experience -- which is also the experience of some of my peers -- Apple has been very slow to respond to reported security vulnerabilities. It expects security researchers to wait indefinitely to release the vulnerabilities and offers no incentive for them to do so," said Archibald.

So he's trying to make a living on discovering security holes and getting paid not to make them public? I'm okay with this practice, I suppose, but I get the feeling that he's trying to up the ante by generating some bad press for Apple. The whole things seems awful contrived.

Save me Jeebus!

[99BottlesOfBeerInMyF]

I think the article makes a good point and one that Apple needs to address. I've long had the impression that Apple does not do enough security auditing, especially of some of their inherited code and that some of their new software has not been as security minded as it could be. I've not heard any of the grumbling the author has about security researchers being treated poorly or response times being particularly slow, but he may be closer to such things than I.

That said, from the article it is unclear if any of the discovered bugs are remotely exploitable. The one concrete example given is just a local privilege escalation, which is not really all that serious. I do wish that Apple would pay more attention to security and I hope they have a team of elite hackers with their ears on IRC and their hours spent trying to hack boxes. I'm not sure that they do though. My suspicion is a lot of the security comes from the fact that many of the employees are old school UNIX guys that take it more seriously than management. This is, however, unlikely to really bite Apple given the giant target that is Windows where local privilege escalations like the one described here are so common no one reports on them and I don't think MS even bothers to fix them.

Re:Old code

[ettlz]

So the choice of a UNIX platform has come and bit Apple in the ass. Could somebody tell me again why Apple abandoned its perfectly functional OS9 code? I didn't see anything wrong with the old Macs. What was the benefit of basing it on the legally ambiguous (and dying) BSD? And what's with this ugly DOS throwback? Who wants to see an old-fashioned text terminal on their computer?

CmdrTaco! Please add a "-1, Crap joke" moderation option.

On those "too smug" Mac users

[ettlz]

I just hope Bill Thompson isn't the type of alarmist hack who'd jump up and down and say, "Neh! Told you so!"

Uh huh...

[msauve]

you quoted a claim that there is an unsubstantiated, unnamed hole. You really should try critical thought sometime.

Author is right, and wrong

[theolein]

He's right that Apple users are complacent about security. What he doesn't metnion is that this is a trend amongst security companies (scream loudly about how vulnerable Apple users are because they aren't buying his company's fucking products).

He's right that Apple is very secretive and sometime extremely slow to address security vulnerabilities. He's wrong that Apple not speaking to him means it isn't interested. Apple just learnt the lesson early that being too open to the press (on any topic) is make yourself a victim of their fickle moods.

He's right that there might be large holes in Apple's OS from earlier NeXT days, but he's sure as fuck wrong when he says it applies to both PPC and Intel architectures. Any crack that relies on memory in the stack being overwritten will not be cross platform.

He's right that there are open vulnerabilities. He's wrong and simply trolling (probably for profit, the fucker) when he doesn't mention that none of them are remote.

Re:Author is right, and wrong

[prockcore]

Any crack that relies on memory in the stack being overwritten will not be cross platform.

The exploit won't be cross platform, but the vulnerability sure can be.

Re:First maybe?

[Achromatic1978]

the most stable and secure OS in the world

That's a pretty big statement. There are mainframe OS'es used in banks and the like that have not been rebooted in a decade+ - how has it been determined that OS X is that stable?

Secure? People involved in things like OpenBSD and VMS might be surprised to read such a thing. Let alone Wang's XTS-300 STOP (http://www.radium.ncsc.mil/tpep/epl/epl-by-class. html) or many many other operating systems. But hey, don't let a blanket statement be ruined by little things like that.

Re:It sounds simpler than I'm sure it is...

this will probably get dismissed by some, but you are wrong.

Plug an unprotected windows machine into most DSL networks, and you might survive 10 minutes before becoming infected(admittedly this was pre-OEM XP SP2). I've had customers plug in their brand new computer, and before they could even start running the OEM recovery disc creation software (always do this before connecting a network, people!) they were infected, and in turn spaming/spreading their infection.

And that is on an "unprotected" system. One of the writers of a couple hacking handbooks (which ones I can't recall, this was 2 yrs ago) came into a Foundstone class I was taking, and demonstrated an Outlook Express vulnerability that just required the end user to receive the message, they didn't have to preview, or open it in any other way. From what I recall it was deemed too nasty that it was kept very silent, and supposedly got fixed in one of the following patches.

You naysayers are part of the problem because you go around telling people that as long as they run a firewall and av they are fine, which is no the case. No matter how much you use a PC, most ppl still have unsafe computing habits. Social Engineering is the number one exploit, and no matter how smart applications are made, users are the weakest link. The people writing the exploits are just as intelligient, and sometimes are, the same people coding the applications/OS.

Perhaps the difference...

[msauve]

is that vulnerabilities in the Windows world are quickly exploited, leading to significant damage, while there are no known (or at least well known) exploits on Mac OS, and likewise no known damage.

So, yes, the real world has proven that same type of potential exploit in the two platforms can legitimately be viewed as a serious problem in Windows (because damage can and does occur) but theoretical in Mac OS (because damage has not occurred).

Re:Classic FUD- mark story troll

[RubberDuckie]

How is this hogwash? Simply because you have not been infected *yet*, means you never will? Ah, if only life was that easy.

Just because someone says something you don't like does not make it hogwash.

Re:Stop the Presses

Wait. I will reply to myself here to beat the Mac heads to the punch...

"Name one exploit in the wild for the Mac."

I don't have to name one today, it's the unnamed one that's going to hit you in the next day/week/month/year that you don't know about that is the problem. Even Windows users have no idea what unrealized exploits are waiting to be discovered in thier systems. But they are smart enough not to deny that there are any.

The "only" reason Max OS is safe?

[Kelson]

The author shows his true colors in the following statement:

"The only thing which has kept Mac OS X relatively safe up until now is the fact that the market share is significantly lower than that of Microsoft Windows or the more common UNIX platforms."

Anytime someone claims that the only reason A is safer than B is that B is used more often, alarm bells should go off. It's never the only reason.

We went through the same thing with Linux vs. Windows, Firefox vs. IE, I've seen people make the claim about Opera vs. Firefox, it was said about Mac vs. Windows long before OSX, etc.

If you think about it, the popularity-as-sole-reason argument boils down to claiming that security by obscurity is enough.

Re:The "only" reason Max OS is safe?

[nathanh]

"The only thing which has kept Mac OS X relatively safe up until now is the fact that the market share is significantly lower than that of Microsoft Windows or the more common UNIX platforms."

Anytime someone claims that the only reason A is safer than B is that B is used more often, alarm bells should go off. It's never the only reason.

We went through the same thing with Linux vs. Windows, Firefox vs. IE, I've seen people make the claim about Opera vs. Firefox, it was said about Mac vs. Windows long before OSX, etc.

There's a difference. Firefox and Linux and Apache were fairly secure from the very start so as they increased in marketshare the viruses and attacks and exploits didn't increase significantly. However IE and Windows and IIS were fairly insecure from the very start but even so they weren't exploited very much until they had reached a fairly large marketshare. You were pretty safe surfing the web with IE3 and even to a lesser extent IE4 (at least initially) despite being insecure pieces of crud.

Now what I find most amusing about these "OS X is insecure" stories are the people with their heads in the sand saying "it's not true". They point to the lack of exploits and lack of viruses as proof but that's not proof that OS X doesn't have security holes, just that so far as we know they haven't been exploited yet. Take for example the dsidentity bug which IIRC was a setuid binary with this code...

if (strcmp(getenv("USER"), "root")) { /* do privileged stuff */ }

I kid you not. That's the quality of code in OS X. Now any seasoned security veteran at this point would be rolling around on the floor laughing. Apparently that's what the OS X developers did when they were informed of this bug. Because remember that OS X is not a brand-new rewritten-from-the-ground-up OS; it has an extremely long history dating back to the 80s. It began as AT&T UNIX, warped into BSD by students (*shudder*), was partially rewritten to avoid AT&T lawsuits, was further mangled by NeXt!1!1one!, then got a code infusion from FreeBSD, and has been further hacked by Apple since it's "birth" in 2000. There's code in there that is possibly older than you are. I was at a security conference recently where one of the presenters ran through a dozen bone-headed security mistakes in Tiger including kernel overflows of all things. The entire audience was laughing themselves silly.

Now don't get me wrong. OS X is still significantly better than Windows. They've done a lot of very sensible things such as not running with admin privileges, decent (not perfect) permissions, services disabled by default, built-in personal firewall, etc. Those are all good. But it's not enough. How the hell did getenv("USER") slip into a setuid binary? Why is there a kernel overflow; can't Apple afford one copy of Rational? Where is the virus scanner; even if all it looks for are UNIX-common attacks like the known Apache and Samba exploits. You guys are too complacent. OS X is not all that secure; impoverished marketshare and the subsequent lack of attention from criminals is hiding this truth from you.

So given that OS X is insecure and does have exploitable code it's only the fact that nobody has seriously attacked it yet that gives it this aura of impenetrability. I fully agree with the statement made by the security professional in the article. If OS X was better written then I would disagree with the security professional's opinion but my own experience and knowledge says that he is right and you are wrong.

Re:Stop the Presses

[Jezza]

All the flaws described in his examples need the "hacker" to login to the system with an account on that system. Most Macs disallow remote login (default) and you'd need an account and password anyway. Am I saying this isn't a problem? No, I'm not saying that, but these are not problems that "normal" users need to concern themselves with. Macs simply aren't used like "old style Unix" (I still miss the PDP) user don't share a Mac and login together with terminals (TTYs or X-Windows). So to the average home or even business user this isn't an issue.

Should these flaws be there? No, I might well want to share my Mac (especially in an academic setting) and a user gaining control over the root account IS a problem. So these things should be fixed. But I don't think this is quite the huge deal the article is trying to present it as.

Should Mac users been more security aware? Perhaps, keeping your Mac up to date with patches, thinking before installing things (do I trust this?) are to be advised no matter what platform you're using (Windows, Linux or Mac OS X). Anti-Virus is worthwhile so that Mac doesn't become a hiding place for infections (that could affect other platforms reading those files) and will provide the mechanism for protection if/when a Mac OS X virus is released. Clamav seems like a reasonable choice right now.

Re:Stop the Presses

You can try to scare us with the "unnamed" virus, but history shows that even that hasn't been a problem. An unnamed virus has had ample opportunity to hit OS X "any day now," but it never does. Not yesterday, not last week, not last month, not last year, not last decade. Windows, on the other hand, gets it by unnamed viruses all the time, then they get named. I'm not saying it'll never happen, but the gap between OS X and Windows is as big as the Grand Canyon in this respect.

That's the difference, and that's why trying to instill fear of the "unnamed virus" doesn't hold up when you pencil out the numbers.

Re:Top ten reasons why OS X has no viruses yet

[GnrcMan]

1) Mac owners just too damn pretty for God to let them get viruses.

Haha! Kudos for the great Firefly reference!

Re:Steve Gibson...

[Just+Some+Guy]

Steve is an insane perfectionist who insists upon authoring all of our software in assembly language.

If there's a special pit in hell for evil programmers, then it will probably involve writing GUI code in assembler.

If that's even partially true, then this guy is a jackass. Assembler? That's great (maybe, assuming he can out-optimize a good compiler), but for which chip? Does he have to re-write "all of our software" every time AMD or Intel release a new CPU, or does he just let his customers run the old version which isn't optimized for their processor (thereby defeating the whole purpose)?

If you know what you're doing, and you're smarter than the team who wrote ICC, then hand-tooling a few inner loops is perfectly reasonable. Hand-coding a whole suite of applications, though, points to wholesale toys-in-the-attic OCD-driven insanity.