Slashdot Mirror

← Back to Stories (view on slashdot.org)

Flaw Found in Apple Bug-Fix Tool

Posted by ScuttleMonkey on from the month-of-bug-creation dept.

eldavojohn writes "The Month of Apple Bugs (MOAB) is well under way with a startling bug released Monday. From the description: 'Application Enhancer (APE) is affected by a local privilege escalation vulnerability which allows local users to gain root privileges.' APE is the same software used to deploy fixes during 'The Month of Apple Fixes' (MOAF). I know it's confusing but MOAB came first and MOAF was a developer's answer to the bugs — after all, the purpose of posting bugs is to have them identified, confirmed and eradicated. The article talks about potential remote root access by an intruder. Note that this is third party software that all of the bugs seem to be stemming from. I guess Apple has made a fairly secure system but they can't expect all third party developers to follow the same rigorous standards."

5 of 168 comments (clear)

  1. A HA! by Thansal · · Score: 5, Funny
    I guess Apple has made a fairly secure system but they can't expect all third party developers to follow the same rigorous standards.


    I see it now. This entire MOAB thing is just there to tout how great and secure Apple Products are, and that the only bugs possible HAVE to come from 3rd party software!

    It is all a plot by Jobs!

    A PLOT I TELL YOU!

    [/psycho]
    --
    Do Or Do Not, There Is No Spoon, There Is Only Zuul. Everything in the above post is probably opinion.
  2. Instead ... by Salvance · · Score: 5, Funny

    Rather than just tell people not to use APE, Landon Fuller (who reported this bug on his blog), should have written an APE SHell Investigative Tool to help people find and fix this error.

    Technology needs more catchy acronyms

    --
    Crack - Free with every butt and set of boobs
  3. Re:Story at 11 by paulpach · · Score: 5, Insightful

    So, this is the best MOAB has to offer? A security bug in a third-party "enhancement"? No, the best they have to offer are vulnerabilities in quicktime, iPhoto, Disk Management, Finder which are apple products. Why CNet and slashdot chose to report on this particular vulnerability, which to many is the least important in the list, is a mistery to me.
  4. Sticking up for APE by usermilk · · Score: 5, Informative

    The vulnerability is that APE installs itself in /Library where its supposed to go. /Library is writable by local admins. So a local admin can replace the APE executable and gain root privileges. Read that again. A local admin can replace the APE binary to gain root access.

    A local admin, an effective root user account, can gain root access.

    Or they could open up NetInfo Manager and enable the root account and enter in a password of their own choosing and then log into the GUI as root. Or they could open up Terminal and run sudo sh and get a root shell.

    This is simple revenge. Rosyna called them trolls and linked to an APE fix for one of their bugs. I think Rosyna may be right of the 9 published bugs, 4 of them are not from Apple provided software.

  5. Re:Story at 11 by 93+Escort+Wagon · · Score: 5, Insightful

    "No, the best they have to offer are vulnerabilities in quicktime, iPhoto, Disk Management, Finder which are apple products. Why CNet and slashdot chose to report on this particular vulnerability, which to many is the least important in the list, is a mistery to me."

    Look, while they have included some legitimate bugs it's pretty obvious the project is flailing around somewhat, given that it's only the 10th of "MOAB". In addition to the APE flaw, they've included a VLC flaw and an OmniWeb flaw - neither of which is part of OS X nor installed on any stock Apple box. Additionally they've included a PDF flaw, which isn't even specific to OS X! That's just plain silly.

    --
    #DeleteChrome