Slashdot Mirror


Mac OS X Struck By Severe Security Hole

An anonymous reader writes "Macworld is reporting about a new security hole in Mac OS X that can be exploited to compromise a system if the user simply visits a web site with Safari. Currently, no vendor patch is available. Secunia has a demonstration of the vulnerability and suggestions for temporary workarounds."

16 of 559 comments

  1. Re:Only affected at user level? by BenjyD · · Score: 3, Insightful

    So the vulnerability 'only' allows a cracker to steal or delete the user's personal data. In other words, the most valuable files stored on the computer. Plus accessing things like web browser cache and history could give them passwords or at least information for a phishing attack.

  2. Re:Seriously by BewireNomali · · Score: 3, Insightful

    I don't know how accurate that is.

    For the most part, it always requires less skill to break something than to get something working. i.e. my ten-year-old nephew can destroy my car if I let him under the hood - it doesn't make him as talented as an automotive engineer. With some knowledge, he can do more sophisticated sabotage, but he still isn't as skilled as the average engineering undergrad.

    The analogy works in other places: in sports, defensive teams succeed way more often than high flying offensive teams - in other words, it's easier to thwart what the other team is doing than to focus on perfect and intricate execution. I guess that's why Peyton Manning doesn't have a Super Bowl ring.

    I grew up in a foster home - I ran away often, so finally, my foster mother resorted to locking me into a room to keep me from running. I scored an X-Acto knife and learned how to pick locks. To this day it remains one of my less marketable skills, but I in no way can design locks.

    --
    un burrito me trampeó.
  3. Re:Seriously by kannibal_klown · · Score: 3, Insightful

    my ten year old nephew can destroy my car if I let him under the hood - it doesn't make him as talented as an automotive engineer.


    I can see where you're coming from, but I think that's a poor analogy.

    Your nephew is more like a beta tester that can find bugs easily, as he can do something wrong or unexpected and "break" an application. Finding ways around security is something else; sometimes it's just exploiting a bug but sometimes there's a lot more to it (research, investigating, and some coding).

    I believe the poster's comments better relate to wishing that hackers would act more like ex-criminals developing security systems. Ie, reformed bank robbers providing a service to make banks more secure; they obviously have the skills, they might as well use them for good.

    Sure a lot (if not most) hackers are just script kiddies with too much time on their hands, exploiting a bug with a simple function call. But others are quite skilled and do more than just "break things."
  4. This IS a bad one by QuaintRealist · · Score: 4, Insightful

    For everybody else who says "thank heavens I use Firefox" in these threads, please read parent post. This is a problem held over from when OSes used metadata/extensions to figure out what to do with a file, automatically, before we had to worry about the bad guys trying to manipulate this data. These techniques date back to single-user systems, and they are vulnerable.

    (Usual disclaimer: I use a unix>windows mix at work, mac at home, and use primarily firefox on all three).

    People need to learn techniques to lock down their boxes - different OSes are not all equally vulnerable, but are all vulnerable.

    --
    Using plain ol' text since 1968
    1. Re:This IS a bad one by shotfeel · · Score: 5, Insightful

      Yes, it's really a bug in LaunchServices, not the browser (any download method is vulnerable). It takes advantage of Apple's split-personality when dealing with files - is file type determined by extension or creator code? This is what can happen when they don't coincide.

  5. Re:System should be safe by Peganthyrus · · Score: 5, Insightful

    this exploit can only affect items that the user has rights to

    Like ~/Documents/ where you're encouraged to store pretty much everything you make with your machine.
    Or ~/Pictures/ where iPhoto keeps everything it loads up.
    Or ~/Music/ where iTunes puts all your music.
    Or wherever the hell iMovie keeps what you build with it - probably either ~/Movies/ or ~/Documents/
    Or wherever the hell GarageBand keeps its work.

    Sure, the machine still boots. But if a script does rm -rf ~*.* you're kinda fucked. Why is it that Slashdotters always say 'oh, this exploit just affects userland, no big deal'?

    --
    egypt urnash minimal art.
  6. Re:Security fix out already! by NtroP · · Score: 4, Insightful

    And seriously, this isn't any bigger than any number of social engineering security vulnerabilities that take advantage of some flaw or shortcoming in any other OS...

    As much as I hate it, I'm going to have to disagree with you here. I can add an exploit to my web page that will tell your browser to automatically download a file when the page is viewed - the only user interaction necessary would be to visit my page. If you haven't configured your browser to NOT open "safe" files (the default is to go ahead and open them automatically) then my exploit is triggered - no user interaction, again. I have now infected your system.

    Granted, if I try to change firewall settings or affect anything outside of your account's permissions you will be prompted for a password. But I could still delete or corrupt all your files, change your bookmarks, send email to your friends and family with an exploit and try to IM your buddies with it - I just have to choose a well-crafted malware.

    I'd say this is a potentially evil hole. I just had my wife and kids change their default settings (I'd always had mine disabled - never thought to change my family's). I think, though, that this one will also be quickly and simply patched. And really, the more "benign" wake-up calls Mac users get the better protected they will be and the more difficult it will be for any malware to gain traction.

    --
    "terrorism" and "pedophilia" are the root passwords to the Constitution
  7. I&T by SchrodingersRoot · · Score: 3, Insightful

    For the most part, it always requires less skill to break something than to get something working

    I agree, to a point.

    Haphazard destruction doesn't generally require skill. On the other hand, speaking as someone with Integration & Test experience, the deliberate breaking of something that is engineered to be resistant in that manner does require skill.

    Constructive destruction, I guess is what I'm referring to. Sticking RAM in an acid solution could conceivably cause BSODs, but that doesn't mean you've hacked Windows.

  8. Re:Security fix out already! by daveschroeder · · Score: 4, Insightful

    From another response I just gave:

    Since we've gone through the whole "download safe files" business a year ago, and Apple provided a prompt fix, and, additionally, since this is just Safari's executable-recognition code missing this because the shell script is malformed (i.e., missing the shebang), I expect a fix soon.

    I was speaking to the social engineering aspect of this, since the automated aspect of this is so easy to mitigate, has already been addressed in one form a year ago, and I'm assuming will be quickly patched, leaving only the social engineering aspect to deal with. Which, once again, is no more or less serious than any social engineering exploit on any other platform.

    Also, in case you hadn't noticed, getting a user to visit a web site is still a social engineering principle. Whether it's double clicking a file or tricking a user to view a web site, it's still "social engineering". What makes this unique is that Safari, in its default state, could potentially download a file and execute a shell script without user interaction. That's a Bad Thing. But since we've already dealt with this a year ago and missing malformed shell scripts was apparently an oversight, I expect this to be fixed soon.

    Once fixed (or, in the interim, a single box unchecked) every other aspect of this just becomes tricking the user to click something.

    And as we all know, that can happen on any platform.


    In other words, this isn't a flaw that is endemic or inherent to any fundamental functionality; by all rights this whole issue was intended to be "fixed" a year ago, but it appears Apple missed malformed shell scripts marked as executable. Oops. So, that will be fixed, and everything else left is social engineering.

    This isn't the first time a "view a webpage and something will download that can run without user interaction" exploit has happened on Mac OS X. But I'm sure the press will make a HUGE deal of this one, even though the previous two "viruses" discovered this week are *pure* social engineering, utterly useless, and the vulnerability that one used had even been patched since June 2005 and only affected Mac OS X 10.4.0.

    I fully expect this to be the beginning of attacks on Mac OS X as "just as insecure as Windows" in earnest in the mainstream press, and also for people to completely misunderstand and believe it's related to the x86 transition. Yay. :-(

  9. Re:Seriously by AHumbleOpinion · · Score: 5, Insightful

    I believe the poster's comments better relate wishing that hackers would act more like ex-criminals developing security systems. Ie, reformed bank robbers providing a service to make banks more secure; they obviously have the skills, they might as well use them for good.

    I think your analogy doesn't really support your point and in fact supports the GP. Reformed bank robbers are not really security experts who can design new security systems, I think your opinion is based more on movies than on reality. Similarly, hackers are romanticized, their skills exaggerated, in movies and in ill-informed nerd mythology spread by sites like slashdot.

    It really is that hackers outnumber developers and that developers have to be perfect all the time and one of the hackers just needs to get lucky once. Hackers are often more like specialized technicians that are skilled in a narrow range, not a skilled engineer that can design a system from scratch. And then there are the kiddies.

  10. False analogy by xiphoris · · Score: 5, Insightful

    For the most part, it always requires less skill to break something than to get something working.

    Your car analogy would be good if we were talking about computer code -- it takes a lot more skill to write some good code than to mess it up (in textual form). But that's not what we're talking about here.

    We're talking about circumvention of security, often known as "breaking" it; but that break (to circumvent protection) is a very conceptually different break than your car example (to render nonfunctional).

    Finding exploits like this takes time, intelligence, and often understanding of the software in question. Especially in a well-crafted system, you have to know how the system works in order to circumvent it.

  11. Here's some information. by argent · · Score: 4, Insightful

    /.'s comments that you can activate this problem by simply visiting a web site is absolute bunk

    It's possible for a website to initiate a download.

    and have the automatic "safe file open" option turned on

    Which is on by default, therefore it can be used to propagate worms.

    Files that don't match their extension should be handled.

    WRONG! There's three things that MUST be fixed.

    Open safe files after downloading SHOULD NOT BE ON BY DEFAULT EVEN IF IT IS AN OPTION.

    Zip files and other containers SHOULD NOT BE TREATED AS SAFE FILES EVEN IF IT IS ON.

    Unpackers MUST NOT AUTOMATICALLY OPEN ANY FILES IN THE CONTENTS OF A PACKAGE.

    Both Apple's unzipper (attacked in this case) and stuffit expander violate this last in different ways.

  12. Re:Security fix out already! by Kelson · · Score: 4, Insightful

    Since we've gone through the whole "download safe files" business...

    I think the lesson to be learned is that there is no such thing as a "safe" file type. Zip files can be auto-executed, image files can be run through scripting interpreters, malformed images can create buffer overflows in parsers...

    We've seen security updates on Windows, Mac and Linux for GIF, PNG, JPEG and TIFF libraries.

    Shell scripts are nothing but executable text files.

    The solution, I suspect, is to simply not auto-open *anything* that isn't handled by the downloading app itself. Process whatever transfer encoding, but if the file is a disk image, wait for the user to open it. If it's a StuffIt or Zip archive, wait for the user to open it. If it's a video clip, and it's not playing in the browser, wait for the user to open it.

    Sure, it removes a little convenience, but in the long run Apple might be better off disabling and then removing this option entirely.
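The two posts above (argent's three rules for unpackers and Kelson's point that no file type is "safe") both boil down to one check a downloader or unpacker could run before handing anything to LaunchServices: does the entry's name, its stored mode bits and its leading bytes agree with each other? The following is an added example written for this page, not code from Apple or from either poster. It builds a small zip in memory from constructed data, then flags entries whose "safe" extension is contradicted by an executable bit or by content that looks like a script; the "safe" extension list, the magic-byte table and the script heuristics are assumptions for illustration.

```python
"""Audit zip entries for extension / mode / content mismatches.

Added example, not from the original thread. The archive below is
constructed in memory so the script runs offline.
"""
import io
import os
import stat
import zipfile

# Extensions an auto-open feature might treat as harmless (assumed list).
SAFE_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".txt", ".pdf", ".mov"}

# Leading bytes we expect for some of those types (well-known magic values).
MAGIC = {
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".gif": b"GIF8",
    ".pdf": b"%PDF",
}

# Tokens that often open a shell script even when the shebang is missing
# (assumed heuristic; a real scanner would use a proper type detector).
SCRIPT_OPENERS = (b"rm ", b"curl ", b"osascript", b"sh ", b"export ", b"open ")


def unix_mode(info: zipfile.ZipInfo) -> int:
    """Info-ZIP stores the Unix st_mode in the high 16 bits of external_attr."""
    return (info.external_attr >> 16) & 0xFFFF


def looks_like_script(head: bytes) -> bool:
    """True for a shebang or for a shebang-less script that starts with a command."""
    if head.startswith(b"#!"):
        return True
    text = head.lstrip()[:40]
    return any(text.startswith(tok) for tok in SCRIPT_OPENERS)


def audit_entry(info: zipfile.ZipInfo, data: bytes) -> list:
    """Return the list of reasons this entry should not be auto-opened."""
    ext = os.path.splitext(info.filename)[1].lower()
    findings = []
    if ext in SAFE_EXTENSIONS and unix_mode(info) & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        findings.append("executable bit set on a 'safe' extension")
    expected = MAGIC.get(ext)
    if expected and not data.startswith(expected):
        findings.append(f"content does not start with {ext} magic")
    if ext in SAFE_EXTENSIONS and looks_like_script(data[:64]):
        findings.append("content looks like a shell script")
    return findings


def audit_archive(blob: bytes) -> dict:
    """Map each suspicious entry name to its findings; clean entries are omitted."""
    suspicious = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            findings = audit_entry(info, zf.read(info))
            if findings:
                suspicious[info.filename] = findings
    return suspicious


def build_sample_archive() -> bytes:
    """Constructed sample: one real-looking JPEG, one script wearing a .jpg name, one text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        good = zipfile.ZipInfo("holiday.jpg")
        good.external_attr = 0o644 << 16          # rw-r--r--
        zf.writestr(good, b"\xff\xd8\xff\xe0" + b"\x00" * 16)

        bad = zipfile.ZipInfo("cute_cat.jpg")
        bad.external_attr = 0o755 << 16           # rwxr-xr-x on an "image"
        zf.writestr(bad, b'rm -rf "$HOME/Documents"\n')  # shebang-less script, constructed

        note = zipfile.ZipInfo("README.txt")
        note.external_attr = 0o644 << 16
        zf.writestr(note, b"just text\n")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in audit_archive(build_sample_archive()).items():
        print(name, "->", "; ".join(reasons))
```

The point of checking all three signals is that any one of them alone is weak: a script can be renamed, the executable bit can be dropped and re-added by the unpacker, and magic bytes only exist for a few formats. Agreement between name, mode and content is the minimum a "safe file" decision should rest on, and the sane default remains what Kelson suggests: do not auto-open at all.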

  13. Two Words: by ProfessionalCookie · · Score: 4, Insightful

    Filename extensions.

  14. Re:Seriously by Xugumad · · Score: 3, Insightful

    People figure this out by looking at corner cases, and prodding stuff to see if it breaks. Most exploits are fairly simple though; we're finally getting away from buffer overflows, but they're easy to find by looking at where programs deal with a string, and seeing what happens if you put a much too large string in. Time consuming, but straight forward.

    There are some genuinely skilled crackers out there, but they're fairly few and far between. I maintain a bunch of computers, and most of them deal with a cracking attempt a day. Let me give you a quick log extract:

    Feb 21 03:22:56 <hostname> sshd[25243]: Invalid user firebird from <IP removed>
    Feb 21 03:22:57 <hostname> sshd[25245]: Invalid user art from <IP removed>
    Feb 21 03:22:59 <hostname> sshd[25247]: Invalid user manu from <IP removed>
    Feb 21 03:23:00 <hostname> sshd[25249]: Invalid user peru from <IP removed>
    Feb 21 03:23:02 <hostname> sshd[25251]: Invalid user contra from <IP removed>
    Feb 21 03:23:03 <hostname> sshd[25253]: Invalid user fbi from <IP removed>
    Feb 21 03:23:05 <hostname> sshd[25255]: Invalid user melanie from <IP removed>

    That's just someone trying random username/password combinations and hoping. Eventually, they'll find somewhere with looser security, and get in, but that doesn't make them skilled, it makes them annoyingly persistent.

    Don't get me wrong, this OS X exploit is actually fairly interesting, but most crackers have just enough knowledge to be dangerous, and not enough to use it wisely.

    If you want impressive, have you considered the people securing these things? They don't have to find just one security hole, they have to find them all. They have to know every way someone might try breaking the system, and then some...
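The log extract above is the classic signature of an SSH username sweep: many "Invalid user" lines from one source in a few seconds, each with a different name. The script below is an added example, not code from the poster, that parses lines in that format and flags a source when its attempts cluster inside a short window. The sample log is constructed for this page: the poster's timestamps and usernames are reused, but the hostname and the IPs (RFC 5737 documentation addresses) are filled in by me, and the year, which syslog lines lack, is an assumed parameter.

```python
"""Flag sshd username sweeps from "Invalid user" log lines.

Added example, not from the original post. The sample log is constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Invalid user (?P<user>\S+) from (?P<ip>\S+)"
)

# Constructed sample: the thread's burst from one source, a slow trickle from
# another, and one unrelated line that must be ignored.
SAMPLE_LOG = """\
Feb 21 03:10:00 host1 sshd[25100]: Invalid user root from 198.51.100.4
Feb 21 03:22:56 host1 sshd[25243]: Invalid user firebird from 203.0.113.7
Feb 21 03:22:57 host1 sshd[25245]: Invalid user art from 203.0.113.7
Feb 21 03:22:59 host1 sshd[25247]: Invalid user manu from 203.0.113.7
Feb 21 03:23:00 host1 sshd[25249]: Invalid user peru from 203.0.113.7
Feb 21 03:23:02 host1 sshd[25251]: Invalid user contra from 203.0.113.7
Feb 21 03:23:03 host1 sshd[25253]: Invalid user fbi from 203.0.113.7
Feb 21 03:23:05 host1 sshd[25255]: Invalid user melanie from 203.0.113.7
Feb 21 03:30:12 host1 sshd[25301]: Accepted publickey for alice from 192.0.2.9 port 51022 ssh2
Feb 21 03:40:00 host1 sshd[25400]: Invalid user admin from 198.51.100.4
Feb 21 04:15:00 host1 sshd[25500]: Invalid user test from 198.51.100.4
"""


def parse(lines, year=2006):
    """Return (timestamp, user, ip) tuples for every 'Invalid user' line.

    `year` is assumed because syslog timestamps carry none.
    """
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["user"], m["ip"]))
    return events


def summarize(events):
    """Per-source totals: attempts, distinct usernames, and time span in seconds."""
    by_ip = defaultdict(list)
    for ts, user, ip in events:
        by_ip[ip].append((ts, user))
    summary = {}
    for ip, hits in by_ip.items():
        hits.sort()
        summary[ip] = {
            "attempts": len(hits),
            "distinct_users": len({u for _, u in hits}),
            "span_seconds": (hits[-1][0] - hits[0][0]).total_seconds(),
        }
    return summary


def bursts(events, window_s=60, threshold=5):
    """Map ip -> peak attempts seen inside any `window_s` window, for ips at or over `threshold`."""
    by_ip = defaultdict(list)
    for ts, _user, ip in events:
        by_ip[ip].append(ts)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = peak = 0
        for end, t in enumerate(times):          # sliding window over sorted times
            while (t - times[start]).total_seconds() > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG.splitlines())
    for ip, stats in summarize(ev).items():
        print(ip, stats)
    print("bursting sources:", bursts(ev))
```

Counting distinct usernames alongside the rate separates a sweep like the one in the post (seven names in nine seconds) from a legitimate user mistyping a name a few times, and the sliding window keeps a slow, spread-out scanner from tripping the same threshold as a burst.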

  15. This is good news by saltydogdesign · · Score: 4, Insightful

    I for one am happy that each security flaw that appears on the OSX platform gets this much attention. I hope it stays that way. Windows users may think they have a reason to gloat, but security flaws and new viruses there are so commonplace that no one even seems to care -- it's just another iteration of a larger problem. As long as we get this kind of uproar over easily-fixed flaws, OSX will always be a more secure platform.

    --
    // This is not a sig.