Ancient Flaws May Leave Mac OS X Vulnerable

mdeb writes "ZDNet Australia is running a story that claims Mac OS X 'contains unpatched security flaws of a type that were fixed on alternative operating systems more than a decade ago.' As an example, in August of last year, Apple patched the 'dsidentity' bug, which could easily have been exploited to grant a non-privileged user with admin rights the capability to create and remove 'root' user accounts."

Yeah, okay...

[daeley]

ZDNet Australia is running a story that claims OS X 'contains unpatched security flaws of a type that were fixed on alternative operating systems more than a decade ago.'

Only in the Southern Hemisphere. Up here, trolls rotate counterclockwise.

OSX is a security nightmare

[QCompson]

Good thing I use Windows ME.

Re:OSX is a security nightmare

Yup, good thing I'm using your Windows ME as well.

Self-serving press release story

[cratermoon]

So Neil Archibald, senior security researcher at software security specialists Suresec, says so, and futher said his opinion is justified because Apple does not use software auditing tools to scan enough of its software. This same Suresec, as can be seen on their web page, sells tools and consulting around source code auditing.

Ancient?

[Shadow+Wrought]

It must have happened when they translated the binary off of the stone tablets, likely because they were limited to only bronze tools.

Re:Ancient?

[BorgCopyeditor]

It must have happened when they translated the binary off of the stone tablets

Rosetta will remedy all that.

Requires User to Authenticat

[ta+ma+de]

Considering the user must be priviliged is it safe to say that the user has already authenticated and in the system. I always use passwords like "asldkfje983r0u!56@#987$%^rnYA(*U()*U&0u" for standard users. If they can crack that they deserve to gain admin rights too. You should see my admin key: it is a 10^12 digit mersenne prime.

Re:Requires User to Authenticat

[AutopsyReport]

You should see my admin key: it is a 10^12 digit mersenne prime.

Also known as the number of days you'll be spending as a virgin.

Re:Stop the Presses

[ackthpt]

Or does somehow the magic Apple logo protect you from all harm - and Bill Gates?

It protects you from everything up to the Triassic period. After that, you're on your own. These were ancient flaws, vulerable to ancient threats. Don't boot up in a museum of natural history or you're toast.

Re:Big f-in deal

[i+kan+reed]

now that you've gone and said that, i went and tested it... WITH A GUEST ACCOUNT. and suprise! doesn't work.

I'm switching!

[Anonymous+Poodle]

That does it! I'm swiching back to Micorosoft Bob!

There are bigger problems with OSX

[argent]

There are bigger problems in OSX. Auto-installing Dashboard widgets was stupid, and "Open Safe Files After Downloading" (a silly name for "Open Potentially Unsafe Files After Downloading") is an unnecessary risk only minimally mitigated by adding warning dialogs... but at least you can turn it off. More details in these comments:

http://www.scarydevil.com/~peter/io/osx-security.h tml
http://www.scarydevil.com/~peter/io/apple.html
http://www.scarydevil.com/~peter/io/apple2.html

Thankfully even these are not as easily exploited as Microsoft's poisoned gumbo of IE, Outlook, ActiveX, and Security Zones... but Apple really needs to take a good look at the way they approach the Internet, and quit being so trusting.

Author is right, and wrong

[theolein]

He's right that Apple users are complacent about security. What he doesn't metnion is that this is a trend amongst security companies (scream loudly about how vulnerable Apple users are because they aren't buying his company's fucking products).

He's right that Apple is very secretive and sometime extremely slow to address security vulnerabilities. He's wrong that Apple not speaking to him means it isn't interested. Apple just learnt the lesson early that being too open to the press (on any topic) is make yourself a victim of their fickle moods.

He's right that there might be large holes in Apple's OS from earlier NeXT days, but he's sure as fuck wrong when he says it applies to both PPC and Intel architectures. Any crack that relies on memory in the stack being overwritten will not be cross platform.

He's right that there are open vulnerabilities. He's wrong and simply trolling (probably for profit, the fucker) when he doesn't mention that none of them are remote.

Ancient Flaws

[robertjw]

When I saw the headlines I thought someone had found Egyptian Hieroglyphs from aliens explaining how to break into OSX.

Guess my definition of Ancient isn't the same as the posters.

Top ten reasons why OS X has no viruses yet

[SuperKendall]

10) Ten million+ active boxes still "too small a number" to target.

9) Worlds virus writers all work at Valve; have no idea what the hell OS X is.

8) OS X originally scheduled to have virus this year; pushed back till Q2 next year to add Intel support and a Universal Binary.

7) Russian Mafia all actually use Macs, tell underlings to keep macs virus free so they don't have to run virus scanners.

6) Forget buffer overflows; real mechanism viruses use to spread is actually second mouse button.

5) No viruses released for sale on ITMS yet.

4) Actually viruses everywhere but Jobs Reality Distorition Field keeps Mac users thinking they are not there.

3) XCode secretly detects and transforms viruses into RSS readers instead at compile time; explains glut on Macs.

2) Virus writers accientally drug virus into one of several hundred "Untitled Folders" on Desktop, now have no idea where it is.

1) Mac owners just too damn pretty for God to let them get viruses.