Ancient Flaws May Leave Mac OS X Vulnerable
mdeb writes "ZDNet Australia is running a story that claims Mac OS X 'contains unpatched security flaws of a type that were fixed on alternative operating systems more than a decade ago.' As an example, in August of last year, Apple patched the 'dsidentity' bug, which could easily have been exploited to grant a non-privileged user with admin rights the capability to create and remove 'root' user accounts."
Now we will just have to sit and wait for Steve Gibson's assessment that Apple intentionally left these exploits open as a backdoor to the system!
was an "alternative" operating system. Why is a hole which was patched 6 months ago news? No harm, no foul.
"National Security is the chief cause of national insecurity." - Celine's First Law
ZDNet Australia is running a story that claims OS X 'contains unpatched security flaws of a type that were fixed on alternative operating systems more than a decade ago.'
Only in the Southern Hemisphere. Up here, trolls rotate counterclockwise.
I watched C-beams glitter in the dark near the Tannhauser gate.
Good thing I use Windows ME.
So Neil Archibald, senior security researcher at software security specialists Suresec, says so, and further said his opinion is justified because Apple does not use software auditing tools to scan enough of its software. This same Suresec, as can be seen on their web page, sells tools and consulting around source code auditing.
It must have happened when they translated the binary off of the stone tablets, likely because they were limited to only bronze tools.
If brevity is the soul of wit, then how does one explain Twitter?
That's the first time I've heard operating systems other than OSX described as "alternative".
--Rob
Towards the Singularity.
Considering the user must be privileged, is it safe to say that the user has already authenticated and is in the system? I always use passwords like "asldkfje983r0u!56@#987$%^rnYA(*U()*U&0u" for standard users. If they can crack that they deserve to gain admin rights too. You should see my admin key: it is a 10^12 digit Mersenne prime.
It protects you from everything up to the Triassic period. After that, you're on your own. These were ancient flaws, vulnerable to ancient threats. Don't boot up in a museum of natural history or you're toast.
A feeling of having made the same mistake before: Deja Foobar
Of course, you might have actually read that part and part of your subconscious dismissed it as false. Reminds me of this post from yesterday.
The awkward wording hides the actual meaning. The problem is that a non-privileged user could *acquire* admin rights and *then* misbehave.
now that you've gone and said that, i went and tested it... WITH A GUEST ACCOUNT. and surprise! doesn't work.
I think the article makes a good point and one that Apple needs to address. I've long had the impression that Apple does not do enough security auditing, especially of some of their inherited code and that some of their new software has not been as security minded as it could be. I've not heard any of the grumbling the author has about security researchers being treated poorly or response times being particularly slow, but he may be closer to such things than I.
That said, from the article it is unclear if any of the discovered bugs are remotely exploitable. The one concrete example given is just a local privilege escalation, which is not really all that serious. I do wish that Apple would pay more attention to security and I hope they have a team of elite hackers with their ears on IRC and their hours spent trying to hack boxes. I'm not sure that they do though. My suspicion is a lot of the security comes from the fact that many of the employees are old school UNIX guys that take it more seriously than management. This is, however, unlikely to really bite Apple given the giant target that is Windows where local privilege escalations like the one described here are so common no one reports on them and I don't think MS even bothers to fix them.
That does it! I'm switching back to Microsoft Bob!
There are bigger problems in OSX. Auto-installing Dashboard widgets was stupid, and "Open Safe Files After Downloading" (a silly name for "Open Potentially Unsafe Files After Downloading") is an unnecessary risk only minimally mitigated by adding warning dialogs... but at least you can turn it off. More details in these comments:
http://www.scarydevil.com/~peter/io/osx-security.html
http://www.scarydevil.com/~peter/io/apple.html
http://www.scarydevil.com/~peter/io/apple2.html
Thankfully even these are not as easily exploited as Microsoft's poisoned gumbo of IE, Outlook, ActiveX, and Security Zones... but Apple really needs to take a good look at the way they approach the Internet, and quit being so trusting.
you quoted a claim that there is an unsubstantiated, unnamed hole. You really should try critical thought sometime.
"National Security is the chief cause of national insecurity." - Celine's First Law
He's right that Apple users are complacent about security. What he doesn't mention is that this is a trend amongst security companies (scream loudly about how vulnerable Apple users are because they aren't buying his company's fucking products).
He's right that Apple is very secretive and sometimes extremely slow to address security vulnerabilities. He's wrong that Apple not speaking to him means it isn't interested. Apple just learnt the lesson early that being too open to the press (on any topic) is to make yourself a victim of their fickle moods.
He's right that there might be large holes in Apple's OS from earlier NeXT days, but he's sure as fuck wrong when he says it applies to both PPC and Intel architectures. Any crack that relies on memory in the stack being overwritten will not be cross platform.
He's right that there are open vulnerabilities. He's wrong and simply trolling (probably for profit, the fucker) when he doesn't mention that none of them are remote.
When I saw the headlines I thought someone had found Egyptian Hieroglyphs from aliens explaining how to break into OSX.
Guess my definition of Ancient isn't the same as the poster's.
Find coupons in Greeley
concrete5: a cms made for marketing, but strong enough for geeks.
And then it was like... beepbeepbeepbeep, and then, like, half my accounts were gone. And I was like, huh?
They were really good accounts too. And then I had to recreate them and I had to do it fast, and they weren't as good...
-=Lothsahn=-
10) Ten million+ active boxes still "too small a number" to target.
9) World's virus writers all work at Valve; have no idea what the hell OS X is.
8) OS X originally scheduled to have virus this year; pushed back till Q2 next year to add Intel support and a Universal Binary.
7) Russian Mafia all actually use Macs, tell underlings to keep macs virus free so they don't have to run virus scanners.
6) Forget buffer overflows; real mechanism viruses use to spread is actually second mouse button.
5) No viruses released for sale on ITMS yet.
4) Actually viruses everywhere but Jobs Reality Distortion Field keeps Mac users thinking they are not there.
3) XCode secretly detects and transforms viruses into RSS readers instead at compile time; explains glut on Macs.
2) Virus writers accidentally dragged virus into one of several hundred "Untitled Folders" on Desktop, now have no idea where it is.
1) Mac owners just too damn pretty for God to let them get viruses.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Wait. I will reply to myself here to beat the Mac heads to the punch...
"Name one exploit in the wild for the Mac."
I don't have to name one today, it's the unnamed one that's going to hit you in the next day/week/month/year that you don't know about that is the problem. Even Windows users have no idea what unrealized exploits are waiting to be discovered in their systems. But they are smart enough not to deny that there are any.
The author shows his true colors in the following statement:
Anytime someone claims that the only reason A is safer than B is that B is used more often, alarm bells should go off. It's never the only reason.
We went through the same thing with Linux vs. Windows, Firefox vs. IE, I've seen people make the claim about Opera vs. Firefox, it was said about Mac vs. Windows long before OSX, etc.
If you think about it, the popularity-as-sole-reason argument boils down to claiming that security by obscurity is enough.
I, together with another guy on the MacNN boards, discovered some of the more serious aspects of the vulnerability pertaining to url types and mounting of remote volumes around two years ago, when a website could quite easily download, mount and execute an applescript or any application on your machine without you seeing it (Apple's response to this was the fact that you have to authenticate any new application the first time it's run these days, something now also in WindowsXP and Vista). We notified Apple and waited. And waited. And waited. Finally, after 3 or 4 months, Apple finally released the patch with the new functionality.
It was an extremely serious vulnerability because it was so easy to exploit and Apple really dragged their feet on that, and on other similar cases.
The guy is spot on with that comment. Apple is really slow in responding to possible exploits.
Ok, here is one.
On Jan 10 (2006), Apple, after having 2 and 3 months respectively to fix them, finally released a patch (7.0.4) that closed major holes in QuickTime, that allows .MOV, .GIF and QTIF (an Apple specific image format, like Microsoft's WMF) files to execute arbitrary code on both Mac OS X and Windows (assuming Windows has QuickTime installed) just by viewing them (such as through a webpage with an embedded QuickTime video).
However as with many Apple patches and updates, it hadn't been properly tested, resulting in the forums being flooded with complaints about lost functionality (DVDs stopped playing and such). Apple quickly withdrew the patch, with little notice - as if the patch never existed.
Of course eEye, the security firm that had reported the vulnerabilities to Apple months before, had now already posted rather detailed advisories which included precise exploit details.
So ask yourself: Are you a Mac user (and thus have QuickTime because it's an integrated part of the OS used for OS 9 legacy emulation [long story]) or a Windows user that has installed Apple QuickTime by choice? Have you checked for patches for QuickTime in the last 2 weeks, or seen any kind of public advisory, like you normally do when Microsoft or just about any other large software maker releases a patch? If you answered yes to number one, but no to number two, congratulations. You are a giant target for a zero-day exploit thanks to Apple and the Jobs reality distortion field.