Slashdot Mirror


Apple Patch Released, But Is It Enough?

entenman writes "Apple Computer's security update train rumbled into the station with fixes for a whopping 43 Mac OS X and QuickTime vulnerabilities. The Security Update patches 31 flaws in the Mac OS X, most of them serious enough to cause 'arbitrary code execution attacks.'" Unfortunately, InfoWorldMike writes "InfoWorld.com reports that Independent researcher Tom Ferris said there were still holes in Safari, QuickTime, and iTunes that he reported to Apple but were not patched in the latest release on Thursday. Ferris told InfoWorld he is considering releasing the details of the unpatched holes on May 14 on his Web site. He also says he has found new holes in OS X affecting TIFF format files and BOMArchiver, an application used to compress files. He did not provide details about the flaws or proof of their existence."

57 of 338 comments

  1. Stupidity by Phroggy · · Score: 5, Insightful

    and there is debate about whether Apple's shift to the same Intel architecture used by Microsoft Windows will change the security posture of Mac systems.

    Let's settle this debate.

    No.

    Changing CPU architectures will have absolutely no effect on security.

    Switching to Intel will make it easier for game developers to port their code, which will lead to more games available for the Mac. This, combined with the ability to dual-boot to Windows and eventually the ability to run Windows apps through virtualization, makes the Mac platform more appealing to consumers, which will probably lead to an increase in Apple's market share. This could lead to more malware creators taking an interest in the Mac platform, which would lead to more security holes in Mac OS X being exploited (which is not the same as more security holes existing).

    --
    $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
    $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
    1. Re:Stupidity by Anonymous Coward · · Score: 5, Insightful

      I think you underestimate the importance of assembly language when coding exploits. There are plenty of crackers out there who know x86 ASM. There are *far* fewer who know PPC ASM.

      You have to make the initial exploit to get "in." Once you are in you can use most standard unix libraries to do whatever you want. The hard part with PPC was finding someone who knew how to code the initial exploit and the carefully crafted shellcode (with no null bytes, etc.). With Mac moving to Intel this part is MUCH easier for the people who know x86 ASM.

    2. Re:Stupidity by CODiNE · · Score: 5, Insightful

      You mentioned avoiding null bytes, I seem to recall reading that on PPC that's much harder to pull off because many RISC ops tend to have a byte of null padding that smaller CISC ops don't need. So besides having to learn a new asm, it's also much harder to exploit... PPC did have a real advantage here.

      --
      Cwm, fjord-bank glyphs vext quiz
    3. Re:Stupidity by Have+Blue · · Score: 4, Informative

      The truth is the Intel processor is a lot more prone to buffer overflow attacks

      Bullshit. Buffer overflows are a software problem and have nothing to do with the CPU. The PowerPC would have been just as vulnerable, when running identical code.

      And building your own PC teaches you absolutely nothing about discovering vulnerabilities.

    4. Re:Stupidity by ImaNihilist · · Score: 5, Funny

      And building your own PC teaches you absolutely nothing about discovering vulnerabilities.

      Sure it does. It teaches you that all systems, regardless of CPU and OS, are vulnerable to static electricity. Thus, the best "hacks" are to break into someone's house with a balloon, find their PC, open it, rub the balloon on their head, and then start touching the motherboard.

    5. Re:Stupidity by neonstz · · Score: 2, Informative
      Switching to Intel will make it easier for game developers to port their code, which will lead to more games available for the Mac.
      No. Most, if not all, games today are coded in C/C++ (with maybe a tiny bit of assembler). The problem with porting games to the Mac is not the CPU instruction set but the available APIs. There is no DirectX on Mac. In addition many games are using 3rd party libraries so these have to be available for Mac too.
    6. Re:Stupidity by Ulrich+Hobelmann · · Score: 3, Interesting

      PPC makes it much harder ... to run code after overflow since it'll clear the stack.

      Clear what stack? The only meaningful difference between PPC and x86 regarding buffer overflows is that PPC has more registers (including a link register which won't be saved by leaf procedures), and that the x86 CALL instruction pushes its value on the stack.

      A buffer overflow would simply overflow some buffer, and be engineered so that it will overwrite the stack frame's return address to call some other code (which is also in the overflowed buffer).

      Now on Intel every procedure has a return location on the stack, while on PPC only non-leaf procedures do, but since all computation happens in the context of *some* call stack, there will always be a parent procedure that has a return value that just waits to be overwritten.

      I'm not sure how PPC can "clear" the stack, or with what purpose.

    7. Re:Stupidity by Jared+Lundell · · Score: 3, Insightful

      Buffer overflows are a software problem and have nothing to do with the CPU. The PowerPC would have been just as vulnerable, when running identical code.

      That's not entirely true. Buffer overflows are exploited at the assembly level, not at the source code level. So the point is that, even if a PPC is running the same source code, it's not running the same assembly, since it uses a different ISA.

      More to the point, the simplest and most common buffer overflow attacks rely on the fact that the user stack traditionally grows down. Since buffers are addressed upwards, writing off the end of a buffer can overwrite a previous stack frame and return address. If the user stack were to grow upwards instead, this wouldn't be nearly the problem it is, since writing past the end of a buffer would result in corruption of other user variables or some unused memory, instead of changing the return address of a function.

      Even though stacks growing down is really just a convention which could be changed by the compiler, the x86 instruction set supports and almost enforces that convention. The x86 push and pop instructions that are used to handle stack frames expect that the stack grows down and wouldn't work for a stack growing upward. I don't know PPC assembly, so I can't say if it does the same thing.

      Put simply, it is possible to create an instruction set architecture that is less vulnerable to buffer overflows than x86 is. Whether PPC is that ISA, I don't know, but it would be possible to create one.

    8. Re:Stupidity by dfghjk · · Score: 2, Insightful

      no. the whole point of risc is an instruction set that's easier to execute. that includes uniform size but not necessarily smaller.

    9. Re:Stupidity by strstrep · · Score: 2, Insightful

      Right. On a CISC machine, an opcode could require anything from (as an example) 1-18 bytes to encode. On a RISC machine, everything would be a certain length, say 4 bytes. Now if the specified instruction (noop for example) only requires one byte, then the rest of the opcode would be insignificant.

    10. Re:Stupidity by bealzabobs_youruncle · · Score: 3, Insightful
      "Also don't forget: most hackers have self-assembled Intel/AMD machines... that certainly counts."

      I've built literally hundreds of PCs for myself, friends, family, co-workers and clients. I couldn't craft an exploit if you paid me to.

    11. Re:Stupidity by iabervon · · Score: 2, Informative

      I don't think PPC is different from x86 this way, but on HP Unix machines (don't remember the CPU), the stack grew the opposite direction. This meant that stack buffer overflows of buffers declared last in their functions (which is pretty common) would overflow directly into unused stack space, rather than into the stack frame's return address. So the attacker's data would go into an area that had undefined data anyway. I've had the exact same source code (with a buffer declared too small) overwrite a local variable on Linux, while it caused part of the buffer to be clobbered by a function call on HP/UX.

      The OS is limited in its choice of stack direction by the opcodes the processor has for push and pop, and the way it handles the stack when taking an interrupt (as well as calling conventions that libraries expect to use).

      I don't think PPC is less safe than x86 in this way, and I doubt OS X is full of flaws that aren't exploitable on the original architecture, but it's not completely irrelevant.

    12. Re:Stupidity by dorkygeek · · Score: 2, Funny
      Oh c'mon, how to understand is this?!! Kids who build their own machines are l33t. Further, h4x0rs are l33t. By the virtue of transitivity, people building their own boxen are l33t h4x0rs.

      --
      Windows is like decaf - it tastes like the real thing, but it won't get you through the day.
    13. Re:Stupidity by LO0G · · Score: 3, Informative

      There are processor architectures that make stack overflows orders of magnitude harder. For instance, processors with a grow down stack architecture are way easier to exploit than processors with a grow up stack architecture (grow down means that a forward memory copy can overwrite the return address thus enabling the attacker to control the return address, that's a classic buffer overflow).

      There are other processor features that make stack overflows harder, NX being a classic example (also mentioned above). The processor's calling convention can also help - if your processor operates with three stacks, one for parameters, one for local data, the third for data flow, it renders the return stack immune from overflow of local data buffers, and mitigates the damage that can be caused by an overflow.

      So yes, buffer overflows are a software problem. But the damage that they can cause is strictly a processor architecture issue.
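
The stack-direction argument made above by Jared Lundell, iabervon and LO0G can be checked with a toy model. This is an added example, not part of the thread: the frame names, buffer sizes and 64-byte stack are constructed, and the third case (the write performed by a called copy routine) goes beyond the cases the commenters describe.

```python
"""Toy model of stack layout: which regions does a linear overflow reach?"""

WORD = 4          # size of a saved return address in this model
STACK_SIZE = 64   # bytes of modelled stack memory (constructed value)


def build_layout(direction, frames):
    """Return a list holding one region label per byte address.

    frames: list of (name, buffer_size) in call order, outermost first.
    Each call pushes a saved return address, then the callee's local buffer.
    direction: "down" (the x86 convention) or "up" (stack grows toward
    higher addresses).
    """
    if direction not in ("down", "up"):
        raise ValueError("direction must be 'down' or 'up'")
    pushed = []  # labels in push order
    for name, buf_size in frames:
        pushed += [f"{name}.ret"] * WORD
        pushed += [f"{name}.buf"] * buf_size
    if len(pushed) > STACK_SIZE:
        raise ValueError("frames do not fit in the modelled stack")
    unused = ["unused"] * (STACK_SIZE - len(pushed))
    if direction == "up":
        # First push sits at the lowest address; free space is above.
        return pushed + unused
    # Growing down: first push sits at the highest address; free space below.
    return unused + pushed[::-1]


def overflow_reach(direction, frames, target, write_len):
    """Regions touched outside target's buffer, in address order.

    Models a copy of write_len bytes into the buffer starting at its lowest
    address, because arrays are always indexed upward whatever the stack does.
    """
    layout = build_layout(direction, frames)
    label = f"{target}.buf"
    start = layout.index(label)
    touched = []
    for addr in range(start, min(start + write_len, STACK_SIZE)):
        region = layout[addr]
        if region != label and region not in touched:
            touched.append(region)
    return touched


# Constructed call chains: main calls vuln, which owns a 16-byte buffer.
INLINE_WRITE = [("main", 16), ("vuln", 16)]
# Same, but vuln hands its buffer to a copy routine that does the writing.
WRITE_IN_CALLEE = [("main", 16), ("vuln", 16), ("copy", 0)]

if __name__ == "__main__":
    cases = [
        ("down", INLINE_WRITE, "write done inside vuln"),
        ("up", INLINE_WRITE, "write done inside vuln"),
        ("up", WRITE_IN_CALLEE, "write done by a called copy routine"),
    ]
    for direction, frames, note in cases:
        hit = overflow_reach(direction, frames, "vuln", 20)
        print(f"stack grows {direction:4} | {note:36} | 20 bytes into "
              f"16-byte buffer reach: {hit}")
```

In this model an upward-growing stack protects the overflowing function's own return address, but when the copy runs in a callee, that callee's saved return address sits directly above the buffer.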

  2. Relativity by ImaNihilist · · Score: 5, Funny

    Good thing I use Microsoft® Windows XP so I don't have to worry about things like this.

    1. Re:Relativity by Golias · · Score: 5, Insightful

      Whoever modded you down "Troll" has obviously not heard of sarcasm.

      Anyway. The difference between Mac OS X and XP can be summarized thus:

      Every time a potential breach of OS X security is discovered, it's front-page headline news on Slashdot.

      If a new actual virus or worm comes along for Windows, making it ever more sure that you still can't even put a new Windows box online to download patches until after the patches you need are already installed... it's business as usual.

      Windows users concerned about their penis size go on chanting "B B B But that's only because the Mac is less popular, so nobody bothers to write malware for it. Wait until the Mac gets more popular, then you'll be in a world of hurt!!!1!"

      Whatever. The Mac is probably never going to see double-digit market share, and even if it does, it's still vastly more secure than Windows is, and you all know it. So there's no need to worry about such a scenario ever happening.

      So I use Macs.

      If the market dominance of Windows has anything to do with Macs being relatively free of haX0r attention, then I just gotta say to all you stubborn Windows users out there:

      Hey man, thanks for taking one for the team.

      --

      Information wants to be anthropomorphized.

    2. Re:Relativity by BasilBrush · · Score: 2, Insightful

      15 years? Child. Yes in all probability you have been "hacked, rooted, afflicted with spyware, or even infected by a single virus". You just haven't noticed.

    3. Re:Relativity by skinfitz · · Score: 2, Interesting

      Every time a potential breach of OS X security is discovered, it's front-page headline news on Slashdot.

      ...and every time an actual breach is discovered, it oddly never appears on the front page.

      Weird huh?

    4. Re:Relativity by Wordsmith · · Score: 4, Insightful

      It most certainly is possible. I won't go as far as the grandparent, but close. I've never been -harmfully- afflicted by being hacked, rooted, or infected with a virus or spyware. I've almost never run into any of those at all - but once every couple of years something crops up.

      I've (very) occasionally caught a virus present on the machine before it was ever executed or did any harm. I've (very) rarely wound up with spyware - but nothing major, and nothing that couldn't either be uninstalled via its own well-behaved uninstaller or removed easily via something like adaware.

      Why? Because I don't run or install software if common sense says the source might be shady. The one or two spyware incidents I've had were with semi-legit software - it probably told me in a EULA all about the nasty reporting it wanted to do, and I clicked through - that, as spyware goes, was relatively benign.

      Now my old roommate's machine, with the same basic setup, was another story. It was amazing she could move the mouse with all the crap going on in the background from various malware. Different computing use habits, I suppose.

    5. Re:Relativity by steeviant · · Score: 2, Insightful

      Uh huh, so let's phrase that a different way... you mention that you caught viruses on the machine before they could execute. Unless you manually check all the instructions before they reach the CPU then this indicates pretty clearly you'd be running virus checking software. You also mention the need to use adaware from time to time.

      So to get this straight, you run an operating system that has so many security problems that you need to run at least two other programs just to make sure that you aren't infected by anything. At least one of those programs is an intensive application that has to scan every potentially harmful file before it can be used.

      Despite having effectively ended up with a less powerful computer with less memory, and still having to very carefully modify your behaviour while using your computer because of the OS vendor's poor security practices you're still defending their operating system (and effectively their reputation). Bizarre.

      And people say Apple and Linux fans are zealots.

    6. Re:Relativity by Golias · · Score: 2, Informative

      Wow. That was the best you could do, combing through past articles over a two-year span.

      A virus which requires telnet to be on (it's off by default), another that requires ssh to be turned on (ditto), and a third which requires physical access to the machine.

      All of which were hyped up on slashdot as if Mac users actually had a reason to be worried, when almost all of them did not.

      Thanks for proving my point.

      --

      Information wants to be anthropomorphized.

  3. what a ego by falcon5768 · · Score: 4, Insightful
    Ferris told InfoWorld he is considering releasing the details of the unpatched holes on May 14 on his Web site.

    I.e. I'm a giant penis and I would rather expose vulnerabilities that could potentially damage systems rather than wait for the coders at Apple to make sure everything is accounted for and put into a patch that won't affect other things that I didn't foresee.

    It's one thing to find holes and tell Apple and people you did, and send the info to Apple. But I am so sick of these people who feel that if said company doesn't respond NOW they are then in the right to exploit said holes and make everyone's life miserable.

    --

    "Slashdot, where telling the truth is overrated but lying is insightful."

    1. Re:what a ego by 0racle · · Score: 2, Insightful

      Yet when MS, Oracle or Cisco ask that security researchers hold back found flaws until they can fix them Slashdot gets all up in arms about them trying to stifle researchers.

      I guess Apple is still small enough that they can do no wrong.

      --
      "I use a Mac because I'm just better than you are."
    2. Re:what a ego by PhrackCreak · · Score: 4, Insightful

      Puh-lease.

      1. Falco5768 is not slashdot.
      2. There are at least a few articles which are critical of Apple's security policies.
      3. Apple has not actually stifled this person. They patched something. They may have failed to patch other holes. I hope they will work as quickly as possible to patch all exploits they know.
      4. Note that the grandparent post is not yet modded very highly.

      In future posts, please do not clump everyone on slashdot in to one unified entity.
      In future posts, only include actual facts instead of implied conjecture into actions that have not occurred.

      --
      - You don't know how to maintain a station wagon either!
    3. Re:what a ego by Ohreally_factor · · Score: 4, Funny

      In future posts, please do not clump everyone on slashdot in to one unified entity.

      Yeah, we hate that.

      --
      It's not offtopic, dumbass. It's orthogonal.
  4. Re:What purpose? by Phroggy · · Score: 3, Insightful

    What purpose would publishing the details on his site serve, other than as a kind of security vulnerability "first post!" type of thing?

    In theory, it's possible that black-hats have already discovered the flaw, and will exploit it without telling anyone. If they've already figured it out, then releasing details to the public won't make the situation significantly worse. However, public embarrassment will prompt the company to release a fix more quickly.

    I'm not saying I agree with this theory.

    --
    $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
    $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
  5. extortion? by v1 · · Score: 4, Interesting

    I'd like to see Apple fix security problems as quickly as possible, but this guy threatening to release exploit information a few days after the first patch to go out after the notification? That seems like they are expecting an awful lot from Apple - certainly they want to take a few weeks to analyze their patch and make sure it doesn't break a bunch of things. Apple should not be forced to make an ill-prepared and possibly buggy patch release due to the threats of this "analyst". If he had given several months of warning I could see the justification, but it looks like he is doing this to get some publicity because he knows Apple won't rush something like this, not to the degree this fellow is demanding.

    --
    I work for the Department of Redundancy Department.
    1. Re:extortion? by I'm+Don+Giovanni · · Score: 2, Insightful

      "That seems like they are expecting an awful lot from Apple "

      Well, Apple *is* advertising their security in their latest ads, so they should have no problems meeting these expectations.

      --
      -- "I never gave these stories much credence." - HAL 9000
    2. Re:extortion? by NightHwk1 · · Score: 2, Insightful

      Oh, come on. Even the mighty OpenBSD has had vulnerabilities. It's a little unrealistic to expect every piece of software (or even just the stuff distributed with an OS) to be perfectly secure and bug-free.

      Or maybe having an open-source license excuses them from your standards?

      Plus, posting exploit information before sending a nice email to the developer is just irresponsible. How would that benefit anyone other than script kiddies?

  6. Re:Since I hate smug Mac users, let me be the firs by noidentity · · Score: 5, Funny

    "Since I hate smug Mac users, let me be the first. . .to say hahahaha hahahaha ha ha ha ha ha hahaha hah ha hahahahahahaha HA!!"

    Yeah, us Mac users and our potential vulnerabilities. All the potential data I haven't lost has really cost me.

    And smug people suck, no matter what computer they choose.

  7. Re:What purpose? by lancejjj · · Score: 5, Informative

    Purpose? Easy... he makes money by promoting himself.

    If you check out his web site, it seems that he's trying to maximize advertising revenue. Not only does he have many ads, he also has many Amazon referral links. In addition, he is directly selling advertising:

    From his website:

    Want to advertise on the Security-Protocols website?

    Below are our rates:
    Banner Advertising:
    10,000 impressions = $75
    20,000 impressions = $135
    30,000 impressions = $180

  8. Open "safe" files strikes again by noidentity · · Score: 4, Insightful

    From the updater notes: "When Safari's "Open `safe' files after downloading" option is enabled, archives will be automatically expanded. If the archive contains a symbolic link, the target symlink may be moved to the user's desktop and launched."

    OK, second time this "Open 'safe' files" is a lie. WHY THE HELL IS THAT OPTION STILL THERE? I never trusted that option from the moment I first saw the checkbox. I guess that's why they put "safe" in quotes. Buy our "free" product for only $9.95!
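
The updater note quoted above concerns archives that carry a symbolic link and are expanded automatically. As an added example (not part of the thread and not Apple's fix), the sketch below lists link entries in a zip or tar archive before anything is expanded, so a downloader can decline to auto-open it. The sample archives, file names and link target are constructed.

```python
"""List link entries in an archive before it is expanded automatically."""
import io
import stat
import tarfile
import zipfile


def _zip_links(data):
    links = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            # Unix mode bits live in the high 16 bits when the creator set them.
            mode = info.external_attr >> 16
            if stat.S_ISLNK(mode):
                # For a symlink entry the stored "file content" is the target.
                target = zf.read(info).decode("utf-8", "replace")
                links.append((info.filename, target))
    return links


def _tar_links(data):
    links = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        for member in tf.getmembers():
            if member.issym() or member.islnk():
                links.append((member.name, member.linkname))
    return links


def link_members(data):
    """Return [(entry_name, link_target), ...] for a zip or tar archive."""
    if zipfile.is_zipfile(io.BytesIO(data)):
        return _zip_links(data)
    return _tar_links(data)


def safe_to_auto_expand(data):
    """Policy used here: never auto-expand an archive holding any link."""
    return not link_members(data)


# --- constructed sample archives (built in memory, nothing touches disk) ---
LINK_NAME = "photo.jpg"
LINK_TARGET = "/constructed/target"


def make_zip(with_link):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes.txt", "constructed sample")
        if with_link:
            info = zipfile.ZipInfo(LINK_NAME)
            info.create_system = 3  # mark the entry as created on Unix
            info.external_attr = (stat.S_IFLNK | 0o777) << 16
            zf.writestr(info, LINK_TARGET)
    return buf.getvalue()


def make_tar(with_link):
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        body = b"constructed sample"
        regular = tarfile.TarInfo("notes.txt")
        regular.size = len(body)
        tf.addfile(regular, io.BytesIO(body))
        if with_link:
            link = tarfile.TarInfo(LINK_NAME)
            link.type = tarfile.SYMTYPE
            link.linkname = LINK_TARGET
            tf.addfile(link)
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in [("zip, plain", make_zip(False)),
                        ("zip, with link", make_zip(True)),
                        ("tar, plain", make_tar(False)),
                        ("tar, with link", make_tar(True))]:
        print(f"{label:15} auto-expand={safe_to_auto_expand(blob)} "
              f"links={link_members(blob)}")
```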

  9. Is it enough? Yes. by sootman · · Score: 3, Insightful

    Considering that there has not been one real, severe, in-the-wild, massively spread, substantial, damage-causing virus in the five year history of Mac OS X, I would say yes, the boys and girls in Cupertino are doing just fine. Thank you very much for all your hard work, and all naysaying columnists and pundits can go screw.

    --
    Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
    1. Re:Is it enough? Yes. by NutscrapeSucks · · Score: 2, Insightful

      I'm trying to figure out your point in the relationship to the story and why it's insightful.

      Are you arguing that it's "enough" for Apple to not patch known problems? That because Apple has a good track record that they can be lax? That Apple should imitate Microsoft's policies of the late 1990s and not take "gray hats" seriously?

      If so, that's a pretty stupid and reactionary attitude. I think most Mac users, including myself, are not slobbering "macz rulez" and want Apple to take an aggressive stance towards security issues in order to prevent the Windows situation from ever happening.

      Hey, some of us remember the days when Windows NT 4.0 was considered relatively immune to hackers when compared to *nix systems. Things can change if the vendor is idiotic.

      --
      Whenever I hear the word 'Innovation', I reach for my pistol.
  10. Would it be better if they waited another month? by ShyGuy91284 · · Score: 3, Insightful

    The way I see it, they probably intend on patching the other problems, but they decided to get a decent amount done, and then release the update. Much like how Microsoft's once-a-month releases could give some time for the vulnerabilities to be taken advantage of (I recall that release cycle, I'm not sure if they are still done anymore though), if they waited for all patches to be done in this case, it may have prolonged the wait by quite a bit longer.

    --
    In undeveloped countries, the consumer controls the market. In capitalist America, the market controls you.
  11. Re:Tom Ferris by rackrent · · Score: 2, Funny

    My only experience with someone named "Ferris" who happened to know computers was someone who changed his excessive high school absences from nine times (nine times?) to 0

    --
    --- There is a man in a smiling bag.
  12. Not surprised by frostilicus2 · · Score: 4, Interesting

    I think that this is inevitable. Mac OS X is a desktop OS, desktop customers demand shiny new features and Apple needs to compete with Microsoft in adding such features, otherwise it will fall behind in market share. These new features make for a supremely usable OS, but it means that development is always too fast. Security flaws are invariably human logic errors, and when a lot of new code is written really fast, errors are made. Conversely, take OpenBSD, its pace of development is slow and thorough and due to its comprehensive code audit (which slows development) very few security holes are found in the code. As complexity escalates, so will the number of bugs and until Apple's workforce is replaced with androids (Which I'm sure will have a negative impact on its cool reputation) errors will continue to be made.

    Although inevitable, we need not accept that there should be quite as many flaws as there are - Apple is in a uniquely privileged position over Microsoft in using the Unix permission system and the mature core that Mach and FreeBSD provides, it must not become complacent. Increasingly, it appears that Apple is becoming sloppy - There are reports of Apple not using automated bound checking and the such. Such arrogance is inexcusable from any developer, and as Apple's popularity increases poor security will invariably become more of an issue. It's time for Apple to seriously take stock of this issue.

    --
    Nothing sucks like a Vax, nothing blows like a PowerMac G4
    1. Re:Not surprised by Deltaspectre · · Score: 2, Funny

      Microsoft released a version of OS X!?

      No wonder Windows is suffering if they're spending so much time on OS X...

      --
      My UID is prime... is yours?
  13. Only learning that first assembly language is hard by AHumbleOpinion · · Score: 5, Insightful

    I think you underestimate the importance of assembly language when coding exploits. There are plenty of crackers out there who know x86 ASM. There are *far* fewer who know PPC ASM.

    I think you overestimate the effort required to learn PPC once you know x86. The first assembly language you learn is difficult, especially if it is x86, but for subsequent ones it is far less difficult. After many years of x86 I wrote my first serious PPC code, it beat Apple's MrC compiler quite easily.

  14. Talk about timing... by UOZaphod · · Score: 4, Funny

    I enjoyed today's (semi-relevant) Ctrl+Alt+Del comic

    --
    "The unicode stuff in the latest version is working fabulously well. My russian mafia friends are ecstatic."
  15. Re:Its been stated before but... by heinousjay · · Score: 2, Insightful

    Perhaps he chose to post AC because anything that goes against groupthink is inevitably modded down? Typically as Troll (Slashdot definition: I disagree with your opinion) or Flamebait (Slashdot definition: I disagree with your opinion)

    --
    Slashdot - where whining about luck is the new way to make the world you want.
  16. Re:What purpose? by flobberchops · · Score: 4, Funny

    Banner Advertising:
    10,000 impressions = $75
    20,000 impressions = $135
    30,000 impressions = $180
    Slashdotting = Priceless

  17. Re:Quicktime? by ATPTourFan · · Score: 3, Funny

    The latest version of VLC, 0.8.5, is Intel native as a universal binary. You may want to upgrade.

  18. No overestimate, it is a real barrier by Anonymous Coward · · Score: 2, Informative

    Back in 1999, LinuxPPC decided to mock Microsoft's putting a Windows 2000 machine on the internet to see who would break into it by putting their own up and saying that whoever cracked it first would get the machine.

    Their machine had a default install, with default sets of applications.

    It took months before anyone cracked the machine. When it was cracked, the hole used to do it was a well-known buffer overflow that had widely known x86 exploits at the time they put the machine up. An Intel machine treated that way would have been instant toast. What took time was that nobody had written a PPC exploit. Therefore none of the automated tools that the script kiddies had would crack the machine.

    Sure, for someone knowledgeable, it wasn't a hard transition. But the major outside security threat for most of us is not from someone knowledgeable, it is from people who are not knowledgeable using tools written by people that are. Those people are NOT going to be able to make the transition easily.

    It used to be that people would write an application for Windows then recompile for Macs. The result is that the exploit that worked against a Windows version of the application would likely not work on the Mac version. Since there are more Intel machines, odds were pretty good that nobody would get around to writing a Mac version of the exploit for some time. But now the odds are much better that the Windows exploit which the script kiddies are likely to have will work against the same application running on a Mac. Which does make the Mac less secure in practice going forward.

  19. Re:Since I hate smug Mac users, let me be the firs by ZachPruckowski · · Score: 3, Insightful

    So 100,000 birds in the hand are worth 20 in the bush?

    I mean, note the word "potential". There are thousands of vulnerabilities that have been exploited on Windows, and like 20 potential on Macs, and that's equal? The day you'll trade me 100,000 dollars for a chance at 20 bucks is the day I'll toss my Apple in the trash.

  20. Grow up kids! by Deorus · · Score: 4, Insightful

    > It's one thing to find holes and tell Apple and people you did, and send the info to Apple. But I am so sick of these people who feel that if said company doesn't respond NOW they are then in the right to exploit said holes and make everyone's life miserable.

    What do you mean? That he doesn't have the right to disclose what he found? Do his constitutional rights make you sick? Well then I think that YOU are the one with a problem. You should be thanking him for warning Apple. I know many who would have kept it secret and written all kinds of worms just to make fun of fanboys like you, and I guess that's what you're really asking for with your complaints.

    Here goes my karma... ;-)

  21. Give me REAL WORLD proof by a_greer2005 · · Score: 2, Insightful
    I hear, every month or so, nowadays that "OSX is as vulnerable as Windows" yet I have yet to see one attack in the real world that doesn't require utter user stupidity (hint -- a web-app should never need your root/"admin" password)

    Please someone, give me a web address that will install spy/crudware without my consent automatically, show me how, with no user intervention, an unpatched box can be hacked to hell by spammers to use in botnets in under 2 minutes...show me this or shut the fuck up!

    I understand that OSX isn't perfectly secure, it has its bugs, so does BSD as a whole, but the holes get FIXED and not denied for months until the hole is used to destroy hundreds of thousands of PCs.

  22. Missing the point by mrraven · · Score: 5, Interesting

    It's not that there are no vulnerabilities, all complex code contains multiple vulnerabilities, it's that Macs being set up with a user level account as opposed to Windows default admin account are much less liable to being actually exploited. The same can of course be said for most Linux distros which are also set up with a default user level account.

    Vista will probably help IF it's ever released and as I read on here on Slashdot the way Vista handles admin tasks (at least in its current release state) involves an infuriating number of dialog boxes. I'll stick with my mac for now so I can just get some work done (shrug).

    I guess this is what I get for responding to a troll.

    --
    Tired of all the isms, don't exploit people as an employer, or a government, mmmmK?
  23. MACs are more secure, Apple's trying to fix that by argent · · Score: 4, Interesting

    One reason *everyone* is more secure than Microsoft Windows is that only Windows has implemented anything even vaguely as bad as the ActiveX/Windows Desktop/IE integration mess.

    On the other hand, just about everyone to some degree or another commits the sin of trusting untrustable files. Even the darling of the security set, Firefox, has an installation mechanism that involves executing files directly from the Internet without a user's explicit request.

    Apple has "Open safe files after downloading" compounded by the unforgivable sin of treating things like archivers or installers as "safe" files.

    I've written about this before.

    On a security level, this is like shaking hands after sneezing, compared to Microsoft's fascination with running barefoot through a "Hot Ward" and snogging the Ebola patients, but it's still unacceptable.

  24. never been kissed (by The Grim Reaper) by Gary+W.+Longsine · · Score: 2, Interesting
    "I won't go as far as the grandparent, but close. I've never been -harmfully- afflicted by being hacked, rooted, or infected with a virus or spyware. I've almost never run into any of those at all - but once every couple of years something crops up."
    Well, so far as you know. One of my clients used to think that, too, and repeated it as a mantra for years, until I showed them clear evidence that about 200 of their systems were under the direct control of a remote cracker during a worm outbreak. Hard drives and shared filesystems were scanned. Files were uploaded to remote servers under cracker control.

    Most organizations (and most people) just don't want to believe exactly how bad it really is when a PC gets infected with malware these days. They don't want to know because if they remain in the dark about it they don't have to do anything to fix it.
    --
    If you mod me down, I shall become more powerful than you could possibly imagine.
  25. Re:Security by oscurity by Ohreally_factor · · Score: 2, Funny

    I think someone hacked your spellchecker and caused a buffer overflow. I'd look into it, no matter how oscure it is.

    --
    It's not offtopic, dumbass. It's orthogonal.
  26. Re:What purpose? by Anonymous Coward · · Score: 2, Interesting

    I'm surprised people still take this guy seriously. He's _not_ a security researcher, in fact a browsing of the bugzilla archives will uncover lots of "bug reports" and "vulnerabilities" that are simply wrong. Check this out (won't work from slashdot, copy and paste into a new tab/window):

    https://bugzilla.mozilla.org/show_bug.cgi?query_format=specific&order=relevance+desc&bug_status=__open__&id=303433

    Read through it and you'll see the guy is a complete hack. He even issued an advisory when he didn't even understand the kind of overflow. ... posting from work so I'm AC for now ...

  27. Re:Security by oscurity by steeviant · · Score: 4, Interesting

    I'm so sick of hearing people tout this crap over and over... the truth is that security by obscurity does work, and you just highlighted that it does in fact work by noting that there are far fewer people attacking PPC than x86, that situation is only going to get better not worse, with Apple moving away from the PPC platform.

    Ever since my company made it policy to move SSH away from the standard ports, the number of dictionary attacks and exploits has gone down from upwards of 20 a day across all our machines down to zero (0). Even though any automated scanning tool worth its salt could easily identify that it's SSH running on an obscure port from the banner.

    Security by obscurity is enough to break the default configuration of most automated scanning tools, which in turn is enough to stop most of the people out there attacking servers at random.

    The great thing about using security by obscurity is that by effectively foiling most automated scanning tools, we limit our focus to only people who are genuinely trying to hack us, rather than just anyone, and can focus on tracking them down and turning them over to the authorities.

    Security by obscurity does work, it doesn't devalue your other forms of security, and should be considered a useful and valid part of the arsenal of security defences that can be deployed to protect things.

    Anyone who says otherwise has obviously never worked in a situation where their security knowledge actually made any difference. It's obvious that an SSH server getting blasted 20 times a day by attackers is at least 20 times more likely to be hacked than one that's hit 0 times a day, and security by obscurity can make that difference.

  28. Re:Security by oscurity by angst_ridden_hipster · · Score: 4, Insightful

    I agree that people repeat that "security by obscurity doesn't work" without really understanding the concept. I mean, what is a password but an obscured piece of information? Still, the origin of the phrase is attacking the idea that an obscured algorithm will protect you; you have to assume that an attacker will capture one of your en/de-cryption devices, and learn the algorithm.

    That being said, I disagree with your assertion that 20 dictionary attacks a day is 20 times more likely to get into an SSH server than 0 dictionary attacks. If your passwords are any good, they won't get in either way.

    Yes, your "obscure" port protects you from the dumber automated scripts. That could buy you a little time if a genuine vulnerability shows up in the sshd. But it's only a matter of time before the stupid scripts scan for sshd on other ports.

    Then you'll have to switch to port knocking ;)

    --
    Eloi, Eloi, lema sabachtani?
    www.fogbound.net
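
Added example, not part of any comment in this thread: the two posts above disagree on whether fewer dictionary attacks means less risk or whether password strength decides the outcome. This Python script counts failed-password runs per source in sshd logs and separates guessing that failed from guessing that ended in an accepted login. The log lines, the threshold of 3 failures and the 10-minute window are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in OpenSSH syslog format; addresses are documentation ranges.
SAMPLE_LOG = """\
May 12 03:14:01 host sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 40112 ssh2
May 12 03:14:03 host sshd[2103]: Failed password for invalid user test from 203.0.113.7 port 40118 ssh2
May 12 03:14:06 host sshd[2105]: Failed password for root from 203.0.113.7 port 40125 ssh2
May 12 04:20:10 host sshd[2230]: Failed password for backup from 198.51.100.23 port 51800 ssh2
May 12 04:20:12 host sshd[2232]: Failed password for backup from 198.51.100.23 port 51804 ssh2
May 12 04:20:15 host sshd[2234]: Failed password for backup from 198.51.100.23 port 51809 ssh2
May 12 04:20:19 host sshd[2236]: Accepted password for backup from 198.51.100.23 port 51815 ssh2
May 12 09:01:30 host sshd[2900]: Failed password for alice from 192.0.2.10 port 60222 ssh2
May 12 09:01:41 host sshd[2902]: Accepted password for alice from 192.0.2.10 port 60230 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+")

def summarize(log_text, year=2006, threshold=3, window=timedelta(minutes=10)):
    """Per source IP: failure count, whether it looks like guessing, whether a guess worked."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # syslog omits the year, so the caller supplies it
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events[m["ip"]].append((ts, m["result"]))
    report = {}
    for ip, evs in events.items():
        evs.sort()
        fails = [ts for ts, result in evs if result == "Failed"]
        # Guessing run: `threshold` failures that all fall inside one `window`.
        guessing = any(fails[i + threshold - 1] - fails[i] <= window
                       for i in range(len(fails) - threshold + 1))
        # Breach: a login accepted after at least `threshold` failures from this source.
        breached = guessing and any(
            result == "Accepted" and sum(f <= ts for f in fails) >= threshold
            for ts, result in evs)
        report[ip] = {"failures": len(fails), "guessing": guessing, "breached": breached}
    return report

if __name__ == "__main__":
    for ip, row in sorted(summarize(SAMPLE_LOG).items()):
        print(ip, row)
```

Run before and after a port move, the `guessing` count shows how much scanner noise disappeared, while `breached` shows whether any of it ever mattered.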
  29. Re:Security by oscurity by steeviant · · Score: 4, Interesting

    Heh, we have yet to encounter even a port scan on our obscure SSH port, let alone any kind of attack, so it's safe to say that script kiddies don't want to spend the time scanning all 65,000 ports on every computer when they can get a similar yield by only harvesting those computers that answer on port 22.

    It's also probably safe to assume that if someone has the intelligence to change the port that SSH is listening on that they are also clever enough to keep it up to date and securely configured. :)

    Moving your potentially vulnerable services to a different port is effectively putting yourself in the too-hard basket as far as auto-scanning script kiddies are concerned, but doesn't do anything to stop attackers who are targeting you.

    Unfortunately the soft pink human underbelly of your network is the most glaring weak point for attackers targeting your systems, and we can't really firewall their voice-boxes and fingers if we expect to keep doing business.

  30. Re:Security by oscurity by angst_ridden_hipster · · Score: 2, Insightful

    "Heh, we have yet to encounter even a port scan on our obscure SSH port, let alone any kind of attack, so it's safe to say that script kiddies don't want to spend the time scanning all 65,000 ports on every computer when they can get a similar yield by only harvesting those computers that answer on port 22."

    True, especially since it's easier to defend against broad, repeated scans (assuming they don't have a good way of doing it from distributed hosts).

    Still, I'd argue your defense isn't as much one of obscurity as it is one of heterogeneity. If everyone ran sshd on a different port, the attack vectors would be different.

    "It's also probably safe to assume that if someone has the intelligence to change the port that SSH is listening on that they are also clever enough to keep it up to date and securely configured."

    I wasn't suggesting that you weren't keeping your sshd up to date. I was thinking more along the lines of a 0-day exploit kind of situation. The first attack scripts will go for the easy targets.

    Which kind of brings me full circle. Obscurity, in this case, is more a means to heterogeneity. One powerful way of being secure is just being a little more difficult a target than the next guy. Burglars will go to the house without a dog (or without an alarm system). Sure, a determined burglar will still be able to get into a protected house, but why bother? As the marketing folks say, they'll go for the low hanging fruit.

    That is, unless the fruit you're protecting is really, really juicy.

    OK, I've mangled enough metaphors to traumatize an entire English Department, so I'd best stop here.

    "Unfortunately the soft pink human underbelly of your network is the most glaring weak point for attackers targeting your systems, and we can't really firewall their voice-boxes and fingers if we expect to keep doing business."

    I often think security would be so easy if we just didn't have those darn users...

    --
    Eloi, Eloi, lema sabachtani?
    www.fogbound.net
  31. Re:Security by oscurity by ejtttje · · Score: 2, Insightful

    I think it's also important to keep in mind whether people are talking about "theoretical" security, or "practical" security. Theorists are concerned with being impenetrable by nature, with as few secrets on your part as possible -- the assumption being that the spread of information is inevitable. In this view, obscurity is only a short-term, O(1), solution.

    Of course, we all know there's a big difference between theory and practice... I agree that obscurity is a valuable tool in the arsenal, but it's only a bandaid compared to the theory side of things... obscurity may protect you against the common script kiddie nuisance, but you need theory to protect you against the professional cracker, which is the real danger to whatever you're trying to protect.

    From that perspective, one could argue it's better to let the script kiddies bang on your system to ensure it's secure. If they do get through, the worst you get is a spambot or some other relatively obvious, but minor, mess to clean up, and you know you've got a hole to fix. But if you left that unknown hole sitting around, when the real cracker comes, he's going after your corporate business plans and new prototypes, and he's probably not going to be as obvious about it... which leaves you in for a surprise when your competitors beat you to market with a cheap copy of what you've been working on, costing you far more than the script kiddie cleanup ever would. Just a thought.