Apple Patch Released, But Is It Enough?

entenman writes "Apple Computer's security update train rumbled into the station with fixes for a whopping 43 Mac OS X and QuickTime vulnerabilities. The Security Update patches 31 flaws in the Mac OS X, most of them serious enough to cause 'arbitrary code execution attacks.'" Unfortunately, InfoWorldMike writes "InfoWorld.com reports that Independent researcher Tom Ferris said there were still holes in Safari, QuickTime, and iTunes that he reported to Apple but were not patched in the latest release on Thursday. Ferris told InfoWorld he is considering releasing the details of the unpatched holes on May 14 on his Web site. He also says he has found new holes in OS X affecting TIFF format files and BOMArchiver, an application used to compress files. He did not provide details about the flaws or proof of their existence."

Stupidity

[Phroggy]

and there is debate about whether Apple's shift to the same Intel architecture used by Microsoft Windows will change the security posture of Mac systems.

Let's settle this debate.

No.

Changing CPU architectures will have absolutely effect on security.

Switching to Intel will make it easier for game developers to port their code, which will lead to more games available for the Mac. This, combined with the ability to dual-boot to Windows and eventually the ability to run Windows apps through virtualization, makes the Mac platform more appealing to consumers, which will probably lead to an increase in Apple's market share. This could lead to more malware creators taking an interest in the Mac platform, which would lead to more security holes in Mac OS X being exploited (which is not the same as more security holes existing).

Re:Stupidity

I think you underestimate the importance of assembly language when coding exploits. There are plenty of crackers out there who know x86 ASM. There are *far* fewer who know PPC ASM.

You have to make the initial exploit to get "in." Once you are in you can use most standard unix libraries to do whatever you want. The hard part with PPC was finding someone who knew how to code the inital exploiit and the carefully crafted shellcode (with no null bytes, etc.). With Mac moving to Intel this part is MUCh easier for the people who know x86 ASM.

Re:Stupidity

[CODiNE]

You mentioned avoiding null bytes, I seem to recall reading that on PPC that's much harder to pull off because of many RISC ops tend to have a byte of null padding that smaller CISC ops don't need. So besides having to learn a new asm, its also much harder to exploit... PPC did have a real advantage here.

Re:Stupidity

[Jared+Lundell]

Buffer overflows are a software problem and have nothing to do with the CPU. The PowerPC would have been just as vulnerable, when running identical code.

That's not entirely true. Buffer overflows are exploited at the assembly level, not at the source code level. So the point is that, even if a PPC is running the same source code, it's not running the same assembly, since it uses a different ISA.

More to the point, the simplest and most common buffer overflow attacks rely on the fact that the user stack traditionally grows down. Since buffers are addressed upwards, writing of the end of a buffer can overwrite a previous stack frame and return address. If the user stack were to grow upwards instead, this wouldn't be nearly the problem it is, since writing past the end of a buffer would result in corruption of other user variables or some unused memory, instead of changing the return address of a function.

Even though stacks growing down is really just a convention which could be changed by the compiler, the x86 instruction set supports and almost enforces that convention. The x86 push and pop instructions that are used to handle stack frames expect that the stack grows down and wouldn't work for a stack growing upward. I don't know PPC assembly, so I can't say if it does the same thing.

Put simply, it is possible to create and instruction set architecture that is less vulnerable to buffer overflows than x86 is. Whether PPC is that ISA, I don't know, but it would be possible to create one.

Re:Stupidity

[bealzabobs_youruncle]

"Also don't forget: most hackers have self-assembled Intel/AMD machines... that certainly counts."

I've built literally hundreds of PCs for myself, friends, family, co-workers and clients. I couldn't craft an exploit if you paid me too.

what a ego

[falcon5768]

Ferris told InfoWorld he is considering releasing the details of the unpatched holes on May 14 on his Web site.

I.E Im a giant penis and I would rather expose vulnerabilites that could potentially damage systems rather than wait for the coders at Apple to make sure everything is accounted for and put into a patch that wont effect other things that I didnt forsee.

Its one thing to find holes and tell Apple and people you did, and send the info to Apple. But I am so sick of these people who feel that if said company doesnt respond NOW they are then in the right to exploit said holes and make everyones life misserable.

Re:what a ego

[PhrackCreak]

Puh-lease.

1. Falco5768 is not slashdot.
2. There are at at least a few articles which are critical of Apple's security policies.
3. Apple has not actually stifled this person. They patched something. They may have failed to patch other holes. I hope they will work as quickly as possible to patch all exploits they know.
4. Note that the grandparent post is not yet modded very highly.

In future posts, please do not clump everyone on slashdot in to one unified entity.
In future posts, only include actual facts instead of implied conjecture into actions that have not occurred.

Re:What purpose?

[Phroggy]

What purpose would publishing the details on his site serve, other than as a kind of security vulnerability "first post!" type of thing?

In theory, it's possible that black-hats have already discovered the flaw, and will exploit it without telling anyone. If they've already figured it out, then releasing details to the public won't make the situation significantly worse. However, public embarassment will prompt the company to release a fix more quickly.

I'm not saying I agree with this theory.

Open "safe" files strikes again

[noidentity]

from the updater notes: " When Safari's "Open `safe' files after downloading" option is enabled, archives will be automatically expanded. If the archive contains a symbolic link, the target symlink may be moved to the user's desktop and launched."

OK, second time this "Open 'safe' files is a lie. WHY THE HELL IS THAT OPTION STILL THERE?" I never trusted that open from the moment I first saw the checkbox. I guess that's why they put "safe" in quotes. Buy our "free" product for only $9.95!

Re:Relativity

[Golias]

Whoever modded you down "Troll" has obviously not heard of sarcasm.

Anyway. The difference between Mac OS X and XP can be summarized thus:

Every time a potential breach of OS X security is discovered, it's front-page headline news on Slashdot.

If a new actual virus or worm comes along for Windows, making it ever more sure that you still can't even put a new Windows box online to download patches until after the patches you need are already installed... it's business as usual.

Windows users concerned about they penis size go on chanting "B B B But that's only because the Mac is less popular, so nobody bothers to write malware for it. Wait until the Mac gets more popular, then you'll be in a world of hurt!!!1!"

Whatever. The Mac is probably never going to see double-digit market share, and even if it does, it's still vastly more secure than Windows is, and you all know it. So there's no need to worry about such a scenario ever happening.

So I use Macs.

If the market dominance of Windows has anything to do with Macs being relatively free of haX0r attention, then I just gotta say to all you stubborn Windows users out there:

Hey man, thanks for taking one for the team.

Is it enough? Yes.

[sootman]

Considering that there has not been one real, severe, in-the-wild, massively spread, substantial, damage-causing virus in the five year history of Mac OS X, I would say yes, the boys and girls in Cupertino are doing just fine. Thank you very much for all your hard work, and all naysaying columnists and pundits can go screw.

Would it be better if they waited another month?

[ShyGuy91284]

The way I see it, they probably intend on patching the other problems, but they decided to get a decent amount done, and then release the update. Much like how Microsoft's once-a-month releases could give some time for the vulnerabilities to be taken advantage of (I recall that release cycle, I'm not sure if they are still done anymore though), if they waited for all patches to be done in this case, it may have prolonged the wait by quite a bit longer.

Only learning that first assembly language is hard

[AHumbleOpinion]

I think you underestimate the importance of assembly language when coding exploits. There are plenty of crackers out there who know x86 ASM. There are *far* fewer who know PPC ASM.

I think you overestimate the effort required to learn PPC once you know x86. The first assembly language you learn is difficult, especially if it is x86, but for subsequent ones it is far less difficult. After many years of x86 I wrote my first serious PPC code, it beat Apple's MrC compiler quite easily.

Re:Since I hate smug Mac users, let me be the firs

[ZachPruckowski]

So 100,000 birds in the hand are worth 20 in the bush?

I mean, note the word "potential". There are thousands of vulnerabilities that have been exploited on Windows, and like 20 potential on Macs, and that's equal? The day you'll trade me 100,000 dollars for a chance at 20 bucks is the day I'll toss my Apple in the trash.

Grow up kids!

[Deorus]

> Its one thing to find holes and tell Apple and people you did, and send the info to Apple. But I am so sick of these people who feel that if said company doesnt respond NOW they are then in the right to exploit said holes and make everyones life misserable.

What do you mean? That he doesn't have the right to disclose what he found? Does his constitutional rights make you sick? Well then I think that YOU are the one with a problem. You should be thanking him for warning Apple. I know many who would have kept it secret and written all kinds of worms just to make fun of fanboys like you, and I guess that's what you're really asking for with your complaints.

Here goes my karma... ;-)

Re:Relativity

[Wordsmith]

It most certainly is possible. I won't go as far as the grandparent, but close. I've never been -harmfully- afflicted by being hacked, rooted, or infected with a virus or spyware. I've almost never run into any of those at all - but once every couple of years something crops up.

I've (very) occasionally caught a virus present on the machine before it was ever executed or did any harm. I've (very) rarely wound up with spyware - but nothing major, and nothing that couldn't either be uninstalled via its own well-behaved uninstaller or removed easily via something like adaware.

Why? Because I don't run or install software if common sense says the source might be shady. The one or two spyware incidents I've had were with semi-legit software - it probably told me in a Eula all about the nasty reporting it wanted to do, and I clicked through - that, as spyware goes, was relatively benign.

Now my old roommate's machine, with the same basic setup, was another story. It was amazing she could move the mouse with all the crap going on in the background from various malware. Different computing use habits, I suppose.

Re:Security by oscurity

[angst_ridden_hipster]

I agree that people repeat that "security by obscurity doesn't work" without really understanding the concept. I mean, what is a password but an obscured piece of information? Still, the origin of the phrase is attacking the idea that an obscured algorithm will protect you; you have to assume that an attacker will capture one of your en/de-cryption devices, and learn the algorithm.

That being said, I disagree with your assertion that 20 dictionary attacks a day is 20 times more likely to get into an SSH server than 0 dictionary attacks. If your passwords are any good, they won't get in either way.

Yes, your "obscure" port protects you from the dumber automated scripts. That could buy you a little time if a genuine vulnerability shows up in the sshd. But it's only a matter of time before the stupid scripts scan for sshd on other ports.

Then you'll have to switch to port knocking ;)