Slashdot Mirror
Ancient Flaws May Leave Mac OS X Vulnerable
mdeb writes "ZDNet Australia is running a story that claims Mac OS X 'contains unpatched security flaws of a type that were fixed on alternative operating systems more than a decade ago.' As an example, in August of last year, Apple patched the 'dsidentity' bug, which could easily have been exploited to grant a non-privileged user with admin rights the capability to create and remove 'root' user accounts."
Wow, stop the presses. Security flaws on a *nix based system. Boy that's news no one expected. Or does somehow the magic Apple logo protect you from all harm - and Bill Gates?
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
Now we will just have to sit and wait for Steve Gibson's assessment that Apple intentionally left these exploits open as a backdoor to the system!
was an "alternative" operating system. Why is a hole which was patched 6 months ago news? No harm, no foul.
"National Security is the chief cause of national insecurity." - Celine's First Law
ZDNet Australia is running a story that claims OS X 'contains unpatched security flaws of a type that were fixed on alternative operating systems more than a decade ago.'
Only in the Southern Hemisphere. Up here, trolls rotate counterclockwise.
I watched C-beams glitter in the dark near the Tannhauser gate.
Thank God people have almost cracked running Windows XP on these new Mactels!
Good thing I use Windows ME.
So Neil Archibald, senior security researcher at software security specialists Suresec, says so, and futher said his opinion is justified because Apple does not use software auditing tools to scan enough of its software. This same Suresec, as can be seen on their web page, sells tools and consulting around source code auditing.
It must have happened when they translated the binary off of the stone tablets, likely because they were limited to only bronze tools.
If brevity is the soul of wit, then how does one explain Twitter?
That's the first time I've heard operating systems other than OSX described as "alternative".
--Rob
Towards the Singularity.
You keep using that word. I do not think it means what you think it means.
Mod me down with all of your hatred and your journey towards the dark side will be complete!
We need a mod category for "baiting the untold OSX masses".
I wonder if Suresec/ Neil Archibald pitched their services to Apple and got turned down?
Also, from TFA:
"In my experience -- which is also the experience of some of my peers -- Apple has been very slow to respond to reported security vulnerabilities. It expects security researchers to wait indefinitely to release the vulnerabilities and offers no incentive for them to do so," said Archibald.
So he's trying to make a living on discovering security holes and getting paid not to make them public? I'm okay with this practice, I suppose, but I get the feeling that he's trying to up the ante by generating some bad press for Apple. The whole things seems awful contrived.
AC: Only on slashdot... could the sentence "My hovercraft is full of eels." be moderated "+4, Insightful
Considering the user must be priviliged is it safe to say that the user has already authenticated and in the system. I always use passwords like "asldkfje983r0u!56@#987$%^rnYA(*U()*U&0u" for standard users. If they can crack that they deserve to gain admin rights too. You should see my admin key: it is a 10^12 digit mersenne prime.
Of course, you might have actually read that part and part of your subconscious dismissed it as false. Reminds me of this post from yesterday.
The awkward wording hides the actual meaning. The problem is that a non-priviledged user could *acquire* admin rights and *then* misbehave.
"You keep using that word. I do not think it means what you think it means."
I ain't got a fucking clue what you guys are talking about, but hey! When in Rome.
Hey, it doesn't matter and mac os X is uber secure.
now that you've gone and said that, i went and tested it... WITH A GUEST ACCOUNT. and suprise! doesn't work.
I think the article makes a good point and one that Apple needs to address. I've long had the impression that Apple does not do enough security auditing, especially of some of their inherited code and that some of their new software has not been as security minded as it could be. I've not heard any of the grumbling the author has about security researchers being treated poorly or response times being particularly slow, but he may be closer to such things than I.
That said, from the article it is unclear if any of the discovered bugs are remotely exploitable. The one concrete example given is just a local privilege escalation, which is not really all that serious. I do wish that Apple would pay more attention to security and I hope they have a team of elite hackers with their ears on IRC and their hours spent trying to hack boxes. I'm not sure that they do though. My suspicion is a lot of the security comes from the fact that many of the employees are old school UNIX guys that take it more seriously than management. This is, however, unlikely to really bite Apple given the giant target that is Windows where local privilege escalations like the one described here are so common no one reports on them and I don't think MS even bothers to fix them.
That does it! I'm swiching back to Micorosoft Bob!
CmdrTaco! Please add a "-1, Crap joke" moderation option.
Is that, like, a decoder ring or a shoe-phone?
There are bigger problems in OSX. Auto-installing Dashboard widgets was stupid, and "Open Safe Files After Downloading" (a silly name for "Open Potentially Unsafe Files After Downloading") is an unnecessary risk only minimally mitigated by adding warning dialogs... but at least you can turn it off. More details in these comments:
h tml
http://www.scarydevil.com/~peter/io/osx-security.
http://www.scarydevil.com/~peter/io/apple.html
http://www.scarydevil.com/~peter/io/apple2.html
Thankfully even these are not as easily exploited as Microsoft's poisoned gumbo of IE, Outlook, ActiveX, and Security Zones... but Apple really needs to take a good look at the way they approach the Internet, and quit being so trusting.
I just hope Bill Thompson isn't the type of alarmist hack who'd jump up and down and say, "Neh! Told you so!"
you quoted a claim that there is an unsubstantiated, unnamed hole. You really should try critical thought sometime.
"National Security is the chief cause of national insecurity." - Celine's First Law
He's right that Apple users are complacent about security. What he doesn't metnion is that this is a trend amongst security companies (scream loudly about how vulnerable Apple users are because they aren't buying his company's fucking products).
He's right that Apple is very secretive and sometime extremely slow to address security vulnerabilities. He's wrong that Apple not speaking to him means it isn't interested. Apple just learnt the lesson early that being too open to the press (on any topic) is make yourself a victim of their fickle moods.
He's right that there might be large holes in Apple's OS from earlier NeXT days, but he's sure as fuck wrong when he says it applies to both PPC and Intel architectures. Any crack that relies on memory in the stack being overwritten will not be cross platform.
He's right that there are open vulnerabilities. He's wrong and simply trolling (probably for profit, the fucker) when he doesn't mention that none of them are remote.
That's a pretty big statement. There are mainframe OS'es used in banks and the like that have not been rebooted in a decade+ - how has it been determined that OS X is that stable?
Secure? People involved in things like OpenBSD and VMS might be surprised to read such a thing. Let alone Wang's XTS-300 STOP (http://www.radium.ncsc.mil/tpep/epl/epl-by-class. html) or many many other operating systems. But hey, don't let a blanket statement be ruined by little things like that.
When I saw the headlines I thought someone had found Egyptian Hieroglyphs from aliens explaining how to break into OSX.
Guess my definition of Ancient isn't the same as the posters.
Find coupons in Greeley
concrete5: a cms made for marketing, but strong enough for geeks.
You see, you hold a crucifix straight up and down for Vampires; cock it 45 degrees so it sort of looks like the Apple logo, and you'll keep Gates away! But, there's a problem with Balmer, you also need the Firefox logo to ward him off. Sometimes, you need Nerdy, the MS Slayer. She's, yes, it's a woman, the chosen one. I can't say anymore now.
And then it was like... beepbeepbeepbeep, and then, like, half my accounts were gone. And I was like, huh?
They were really good accounts too. And then I had to recreate them and I had to do it fast, and they weren't as good...
-=Lothsahn=-
I was myself wondering what a non-privileged user with admin rights was. But a few more reads finds that it means that the exploit gives admin rights to non-priveleged users.
Software sucks. Open Source sucks less.
this will probably get dismissed by some, but you are wrong.
Plug an unprotected windows machine into most DSL networks, and you might survive 10 minutes before becoming infected(admittedly this was pre-OEM XP SP2). I've had customers plug in their brand new computer, and before they could even start running the OEM recovery disc creation software (always do this before connecting a network, people!) they were infected, and in turn spaming/spreading their infection.
And that is on an "unprotected" system. One of the writers of a couple hacking handbooks (which ones I can't recall, this was 2 yrs ago) came into a Foundstone class I was taking, and demonstrated an Outlook Express vulnerability that just required the end user to receive the message, they didn't have to preview, or open it in any other way. From what I recall it was deemed too nasty that it was kept very silent, and supposedly got fixed in one of the following patches.
You naysayers are part of the problem because you go around telling people that as long as they run a firewall and av they are fine, which is no the case. No matter how much you use a PC, most ppl still have unsafe computing habits. Social Engineering is the number one exploit, and no matter how smart applications are made, users are the weakest link. The people writing the exploits are just as intelligient, and sometimes are, the same people coding the applications/OS.
lets the spinning begin, and ironically the MS bashing to start. I think its funny this is going to turn into a debate on Windows Security, but what can you do.
... LOL ... how does crow taste?
An observation I made in a post a few months ago was that since 2001 Apple has released 5 different releases of OSX, 4 of witch were paid upgrades (approx. $600 if you were staying current all along). They have patched literally thousands of bugs and security holes and continue to do so at a pretty steady rate. We don't hear about it, (In my opinion) because the media contains a majority of zealot mac users, but that doesn't mean it isn't true.
It's also worth noting that apple has less then a 5% market share. It wasn't until Firefox hit around 10% we started to see hackers paying attention and start exploiting the MS alternative product. It wasn't that is was so much more secure before, turns out just nobody cared to exploit it when it had no market share. If apple ever gained a respectable market share I believe they would have more holes then windows.
And before you say "its unix"... blah blah blah. You all said it wasn't "unix" a couple of weeks ago when the government released the unix/apple security holes, witch by the way were about triple the windows holes.
anyways go ahead and flame me, but I think its still pretty funny to see this "old" hole. Especially after reading the MS VP response earlier, and some arrogant SOB cleverly writes something to the affect "i'd like to see those same questions submitted to the security guy over at apple, what a difference it would be"
char *envStr = nil; //dum dee dum dum!
envStr = getenv("USER");
if ( (envStr != nil) && UserIsMemberOfGroup( inDSRef, inDSNodeRef, envStr, "admin" ) )
{
return true;
}
All sigs should be as funny as possible, but no funnier.
So, yes, the real world has proven that same type of potential exploit in the two platforms can legitimately be viewed as a serious problem in Windows (because damage can and does occur) but theoretical in Mac OS (because damage has not occurred).
"National Security is the chief cause of national insecurity." - Celine's First Law
As someone who admins a number of gateways and firewalls in different netblocks, I can assure you that there are a number of nasty codestreams out there... I set up one Default XP box outside a firewall as a demonstration, and within 15 minutes, it had already been compromised and joined to a botnet. After isolating it, wiping the drive and reinstalling the OS, installing a firewall and reconnecting it, the attempts at re-compromise on that IP address were near instant.
One thing to keep in mind is that some netblocks are more prone to this than others, because of the way a lot of this automated machine compromising software works. If you find that you get no probes/attacks at your current IP address, keep it -- this is one area where security through obscurity is better than no security at all. --I'd also recommend you get yourself behind a firewall, and run A/V and spamblocking software however, if you're running XP. It's possible that the only reason you think you haven't had your computer compromised is that the attackers did a good job writing their software.
How is this hogwash? Simply because you have not been infected *yet*, means you never will? Ah, if only life was that easy.
Just because someone says something you don't like does not make it hogwash.
Why... how awful. Or the user could have gone to the command line and typed 'sudo foo' and run anything as root that he wanted, including creating and deleting users or whatever else he wants to do, if he has admin rights.
You could at least have chosen an example that wasn't totally useless on 99.9% of Macs. (Those which allow admins to sudo. Most people aren't dumb enough to explicitly grant admin privs to people they don't want to run as root, either because they know they know what it means and choose not to or because they don't and they don't just randomly check every check-box that comes along.)
-fred
Sign #11 of Slashdot overdose: You see the phrase 'moderate Republican' and you wonder if that would be a +1 or a -1.
10) Ten million+ active boxes still "too small a number" to target.
9) Worlds virus writers all work at Valve; have no idea what the hell OS X is.
8) OS X originally scheduled to have virus this year; pushed back till Q2 next year to add Intel support and a Universal Binary.
7) Russian Mafia all actually use Macs, tell underlings to keep macs virus free so they don't have to run virus scanners.
6) Forget buffer overflows; real mechanism viruses use to spread is actually second mouse button.
5) No viruses released for sale on ITMS yet.
4) Actually viruses everywhere but Jobs Reality Distorition Field keeps Mac users thinking they are not there.
3) XCode secretly detects and transforms viruses into RSS readers instead at compile time; explains glut on Macs.
2) Virus writers accientally drug virus into one of several hundred "Untitled Folders" on Desktop, now have no idea where it is.
1) Mac owners just too damn pretty for God to let them get viruses.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
The main thing that allows so many Linux distributions to work with low maintenance cost is that they are all based around the same kernel. When a fix is issued to the main kernel tree, it is fixed on all Linux's as they update. So distribution makers aren't pressed to patch it manually themselves. Perhaps OS X's variant of the Mach kernel has strayed too far from the main Unix tree, and suffered a form of seclusion from the goings on of the main tree?
In undeveloped countries, the consumer controls the market. In capitalist America, the market controls you.
The author shows his true colors in the following statement:
Anytime someone claims that the only reason A is safer than B is that B is used more often, alarm bells should go off. It's never the only reason.
We went through the same thing with Linux vs. Windows, Firefox vs. IE, I've seen people make the claim about Opera vs. Firefox, it was said about Mac vs. Windows long before OSX, etc.
If you think about it, the popularity-as-sole-reason argument boils down to claiming that security by obscurity is enough.
He's ZDnet's designated "Apple hitman." They love him because Apple stories - especially negative Apple stories - generate more page views and discussion than any others, especially on News.com.
I'll grab some examples later, but it's no coincidence that this story is almost pure speculation.
I, together with another guy on the MacNN boards, discovered some of the more serious aspects of the vulnerability pertaining to url types and mounting of remote volumes around two years ago, when a website could quite easily download, mount and execute an applescript or any application on your machine without you seeing it (Apple's response to this was the fact that you have to authenticate any new application the first time it's run these days, something now also in WindowsXP and Vista). We notified Apple and waited. And waited. And waited. Finally, after 3 or 4 months, Apple finally released the patch with the new functionality.
It was an extremely serious vulnerability because it was so easy to exploit and Apple really dragged their feet on that, and on other similar cases.
The guy is spot on with that comment. Apple is really slow in responding to possible exploits.
FWIW if you look up the hacker "nemo" of felinemenace.org that's him. He has found a number of vulnerabilities for which he is credited by apple. Given the number of vulnerabiliites that he has found by him self(as well as with others from suresec) I'm sure he's probably getting a little tired of it by this time, and would like apple to get a little bit of bad press to shame them into doing better. Also he has written a rootkit for Mac OS X but removed it from public view. So don't let anyone ever tell you there's no malware for Mac OS X. Further he has given talks on how to infect mach-o executable formats. nemo is the solution, and nemo is potentially a problem when his tools meet more widespread use (which is why I'm glad he removed the rootkit)
but when he says that OS X is vulnerable, NO ONE knows better than him
When we spoke to Apple on the phone about this issue, the security team had never even heard of the application, and burst out laughing at the simplicity of the vulnerability," said Archibald.
don't take it personally. seriously. They were laughing with you, not at you.
Someday these smug mac users are going to get their comeuppance.
Really.
Someday.
Any day now...
Uhmmm. The submitter has missed the entire point of that exploit - admin rights aren't required, because the program checks for admin credentials with 'getenv("USER")' - ie "export USER=some_admin" is the exploit.
The Darwin kernel is opensource already
> Go ahead try: setenv USER 'name', and see what happens. Want to know? The next env
> command will show USER=name. Then do a 'who' command, and guess what? "who" command
> returns whatever name was already logged in, not the newly-set environment variable.
> Oh no, doesn't work does it? Maybe relaunch the console, try again. Then what happens?
> Run the command 'env' and you get the original, valid logged-in username, NOT the
> 'made up name' from the half-assed setenv USER 'trickadminname'. Trivial on Windows?
> Too bad, shoulda bought a Mac, or at least wiped the drive and loaded Linux, BSD, etc.
The behavior you describe is the behavior on all systems, because the environment belongs to a particular process, not to the logged-in user. It is normal for a given process to modify its environment. If you want the USER variable to be set to a particular value for all of your processes, you have to change it in a configuration file. (Yes, you can do this on OS X.)
The only difference on Windows is that the who utility is not included with the operating system, so if you want to be able to type who and get any meaningful result you have to download a third-party who utility.
The vulnerability happened because something _trusted_ an environment variable that shouldn't have, since it is known and expected that users are permitted to set environment variables to any value they want.
As far as an equivalent attack on Windows, there is actually an unpatcheable one due to a design flaw in the Win32 API; however, it's much more difficult to exploit than setting an environment variable and probably requires direct user interaction (i.e., probably cannot be automated like this could), since it is necessary to identify a process that is running with special privileges and send an event to a window owned by that process. There is almost always a privileged process running on Windows (antivirus software is a prime candidate), but one has to be identified, and exploiting it is complicated.
As for this OS X vulnerability, it's old news, a story about something that was already patched.
Cut that out, or I will ship you to Norilsk in a box.