Slashdot Mirror


Worm Threat Forces Apple To Disable Software?

SkiifGeek writes "After the debacle that surrounded the announcement and non-disclosure of a worm that targets OS X, the vulnerability in mDNSResponder may have forced Apple to remove support for certain mDNSResponder capabilities with the recently released Security Update 2007-007. 'Seeming to closely follow the information disclosed by InfoSec Sellout, Apple's mDNSResponder update addresses a vulnerability that can be exploited by an attacker on the local network to gain a denial of service or arbitrary code execution condition. Apple goes on to identify that the vulnerability that they are addressing exists within the support for UPnP IGD... and that an attacker can exploit the vulnerability through simply sending a crafted network packet across the network. With the crafted network packet triggering a buffer overflow, it passes control of the vulnerable system to the attacker. Rather than patching the vulnerability and retaining the capability, Apple has completely disabled support for UPnP IGD (though there is no information about whether it is only a temporary disablement until vulnerabilities can be addressed).'"

12 of 201 comments

  1. OT but... by Anonymous Coward · · Score: 2, Informative

    I often wonder why the British (and now some Americans) say "Apple go on to identify..." Apple is ONE company. Shouldn't that be the singular "Apple goes on to identify"? If it were both Apple and Microsoft then indeed it would be "Apple and Microsoft go on to identify".

    Yes, Apple is made up of many people; but my car is made up of many parts. You don't say "my car need gas" do you?

    This perplexes me, can someone explain it? Sorry if it's completely OT (except that this (to me) error is in the blurb).

    -mcgrew

    (amusingly, the captcha is "contrary". Again sorry for being OT)

    1. Re:OT but... by Space cowboy · · Score: 2, Informative

      Companies are generally considered to be plural entities in "real" English [grin]. I suppose we put a higher value on a collection of humans compared to a collection of metal parts...

      If you prefer, consider mentally replacing "Apple" with "the people who work at Apple"...

      Simon

      --
      Physicists get Hadrons!
  2. Re:Hmmm... by shawnce · · Score: 4, Informative

    An Apple employee (Stuart Cheshire) is one of the authors of the RFC(s) related to mDNS, etc.

    mDNSResponder originated from Apple.

  3. Re:At least they disabled it! by Chang · · Score: 2, Informative

    Microsoft has done this with their products before.

    Outlook was plagued by viruses and Microsoft responded by releasing a patch that simply refused to allow the user to open certain types of attachments. There was no override in the original version of the patch.

    http://www.slipstick.com/outlook/esecup.htm

    When Exchange 5.5 was targeted by reverse-NDR spam attacks Microsoft shipped a patch that allowed the user to simply turn off non-delivery reports. Unfortunately the patch didn't work as described on many systems. A more correct fix would have allowed the administrator to simply suppress delivering the complete text of the failed message which makes the system much less likely to be used for reverse-NDR spam.

    http://support.microsoft.com/default.aspx?scid=kb;en-us;837794

    When the Windows messenger service was targeted by messenger spam. Microsoft elected to simply turn it off. Kudos to Microsoft - this was the correct choice on this one.

    http://www.theregister.com/2003/10/29/microsoft_shoots_the_windows_messenger/

  4. Re:*Pulls out a plate 'o crow* by BuhDuh · · Score: 3, Informative

    I wonder who wrote the UPnP spec - perhaps they are the ones at fault? (*cough*BILL GATES' University of chair-throwing throwers*cough*)

    I don't think the issue is the spec, it's the asinine cute features that M$ decided to implement. Like UPnP, BHO, etc etc. Maybe we should follow Apple's example, and eliminate all vulnerabilities by disabling the TCP/IP stack?

    --
    Enlightenment? It's just a flush in the pan.
  5. Re:Standard Operating Procedure? by frdmfghtr · · Score: 3, Informative

    I'm not opposed to temporarily disabling functionality to fix something potentially disastrous.

    There are three options when implementing UPnP:

    1. Implement it to Microsoft's spec.
    2. Implement it correctly (by choosing a direction in places the spec contradicts itself or real implementations).
    3. Implement it securely.

    Choose only one.

    I do not think it is possible to implement UPnP securely and have it based on the spec. Also, the specific code they removed existed only for legacy NAT traversals and may not even be needed any more.

    Is this the same UPnP capability that the FBI recommended disabling in any Windows environment due to security issues quite some time ago?

    --
    Government's idea of a balanced budget: take money from the right pocket to balance...oh who am I kidding?
  6. Re:*Pulls out a plate 'o crow* by teknopurge · · Score: 2, Informative

    Looks like Apple just followed Wikipedia:

    Problems with UPnP

    * UPnP uses HTTP over UDP (known as HTTPU and HTTPMU for unicast and multicast), even though this is not standardized and is specified only in an Internet-Draft that expired in 2001. [1]
    * UPnP does not have a lightweight authentication protocol, while the available security protocols are complex. As a result, many UPnP devices ship with UPnP turned off by default as a security measure.

  7. Re:*Pulls out a plate 'o crow* by Nullav · · Score: 3, Informative

    You mean like how MS crippled the stack in SP2 by lowering the cap on half-open connections to 10 to slow worm propagation? (I know there are times when a solution isn't always immediately obvious, but I'd rather not have my OS force me to live in a bubble.)

    --
    I just read Slashdot for the articles.
  8. Big Loss! by reed · · Score: 3, Informative

    UPnP kind of sucks anyway. Maybe this will get people to move to MDNS-SD, which is simple, straightforward, has several implementations (both open source and not).

  9. Re:Moderations tell all by node 3 · · Score: 3, Informative

    I'm just going to collect a few of your more inane tidbits together here:

    "Apple failed" (they did not)

    "OS X is every bit as crash prone and unreliable as Windows" (It's crash prone, but not "every bit as crash prone")

    "not so with Apple, which radically changes their OS every few years" (Two points here: 1. if this is true, it belies your following statement 2. it's not true)

    "There is no inherently superior security in OS X" (the overall design and implementation of OS X is more secure than the overall design and implementation of XP. Vista is a vast improvement over XP, but it remains to be seen how this works out)

    "those people who blame Microsoft for vendor lock-in" (straw man, no one claims this)

    "OS X is the ultimate in vendor lock-in" (OS X is an extremely open system. The only "lock-in" is with their hardware, which really isn't that big of a deal.) For someone who claims to be fighting against religious zeal, you sure come across fanatically angry. You make the basic fallacy that, "Windows is flawed, OS X is flawed, therefore Windows and OS X are equally flawed," which is complete nonsense.

    There are people who get fanatical about Macs, but you're lumping a whole lot of rational people in with them, and fully deserve flamebait or troll modding for it.

    "the minute you take a bite of the precious worm-ridden Apple, mods put you to sleep for a year" No, stupid shit like, "eat crow" gets modded down. Eat crow for what? A security flaw existed? It was patched? WTF? A lot of anti-Apple sentiment gets modded up, as well, though generally the more rational stuff, like people complaining about vendor lock-in (like you did above) or various other things that actually make sense.

    Not to mention the fact that both you, and the OP are both (at present) modded positively, which makes your cries of being oppressed a bit silly.

  10. Re:News at 11... by owndao · · Score: 2, Informative

    Yawn, truly. If one reads the Apple patch notes they say quite plainly:

    mDNSResponder
    CVE-ID: CVE-2007-3744
    Available for: Mac OS X v10.4.10, Mac OS X Server v10.4.10
    Impact: An attacker on the local network may be able to cause a denial of service or arbitrary code execution
    Description: A buffer overflow vulnerability exists in the UPnP IGD (Internet Gateway Device Standardized Device Control Protocol) code used to create Port Mappings on home NAT gateways in the Mac OS X implementation of mDNSResponder. By sending a maliciously crafted packet, an attacker on the local network can trigger the overflow which may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by removing UPnP IGD support. This issue does not affect systems prior to Mac OS X v10.4.

    If one reads the entire note there were other, more noteworthy, bugs addressed rather than one that would take great care to craft and would have to be deployed on your LAN. Also, the derogatory terms used to refer to people who have an operating system preference are reminiscent of my three year old calling someone "poopie butt." Save us all.
    --
    Be as you would have the world become.
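The advisory quoted in the comment above describes the general failure class (a fixed-size buffer filled from a network packet without a length check) rather than the specific code. As an added illustration that is not Apple's mDNSResponder code and not taken from the thread, the hypothetical helpers below show the defensive pattern an IGD client would need when it parses the HTTP-over-UDP discovery responses and port-mapping fields the Wikipedia and advisory quotes mention: the header value is copied only after its length is checked against the destination, and a port number is range-checked before use. The sample messages, the 192.0.2.1 address and the function names are constructed for this example.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strncasecmp (POSIX) */
#include <ctype.h>

/* Fixed-size destination, the kind of buffer a C UPnP/SSDP parser typically uses. */
#define VALUE_MAX 128

/*
 * Hypothetical helper: find header `name` in an HTTPU-style message and copy
 * its value into `out`.  Returns the value length, -1 if the header is absent,
 * -2 if the value would not fit (including the terminating NUL).
 * The unsafe pattern this replaces is strcpy()/sprintf() into `out` with no
 * length check, which is how a crafted packet becomes a memory-corruption bug.
 */
int extract_header(const char *msg, const char *name, char *out, size_t outlen)
{
    size_t nlen = strlen(name);
    const char *p = msg;

    while (*p) {
        /* HTTP header names are case-insensitive */
        if (strncasecmp(p, name, nlen) == 0 && p[nlen] == ':') {
            const char *v = p + nlen + 1;
            while (*v == ' ' || *v == '\t')
                v++;
            const char *e = v;
            while (*e && *e != '\r' && *e != '\n')
                e++;
            size_t vlen = (size_t)(e - v);
            if (vlen + 1 > outlen)
                return -2;              /* reject instead of silently truncating or overflowing */
            memcpy(out, v, vlen);
            out[vlen] = '\0';
            return (int)vlen;
        }
        while (*p && *p != '\n')        /* advance to the next line */
            p++;
        if (*p == '\n')
            p++;
    }
    return -1;
}

/* Parse a decimal port field (e.g. NewExternalPort); -1 unless it is a clean 1..65535 value. */
int parse_port(const char *s)
{
    long v = 0;
    if (!isdigit((unsigned char)*s))
        return -1;
    for (; isdigit((unsigned char)*s); s++) {
        v = v * 10 + (*s - '0');
        if (v > 65535)
            return -1;                  /* stop before the accumulator can grow unbounded */
    }
    if (*s != '\0' || v < 1)
        return -1;                      /* trailing garbage or port 0 */
    return (int)v;
}

/* Constructed discovery response; the address is from the documentation range. */
static const char GOOD_MSG[] =
    "HTTP/1.1 200 OK\r\n"
    "CACHE-CONTROL: max-age=1800\r\n"
    "LOCATION: http://192.0.2.1:1900/igd.xml\r\n"
    "ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    "\r\n";

/* Returns the LOCATION length when extraction succeeds and matches the expected value. */
int demo_good(void)
{
    char buf[VALUE_MAX];
    int n = extract_header(GOOD_MSG, "location", buf, sizeof buf);
    if (n < 0 || strcmp(buf, "http://192.0.2.1:1900/igd.xml") != 0)
        return -100;
    return n;
}

/* Builds a response whose LOCATION value is far longer than VALUE_MAX and returns the parser's verdict. */
int demo_overlong(void)
{
    char msg[512];
    char big[301];
    memset(big, 'A', 300);
    big[300] = '\0';
    snprintf(msg, sizeof msg, "HTTP/1.1 200 OK\r\nLOCATION: %s\r\n\r\n", big);
    char buf[VALUE_MAX];
    return extract_header(msg, "LOCATION", buf, sizeof buf);   /* -2: rejected, buffer untouched */
}

int main(void)
{
    printf("good LOCATION length: %d\n", demo_good());
    printf("overlong LOCATION verdict: %d\n", demo_overlong());
    printf("port 8080 -> %d, port 70000 -> %d, port 22x -> %d\n",
           parse_port("8080"), parse_port("70000"), parse_port("22x"));
    return 0;
}
```

The check that matters is the `vlen + 1 > outlen` comparison before `memcpy`: it turns an oversized field into a rejected packet instead of an overwrite, which is the behaviour a defender wants from any parser that reads LAN broadcast traffic.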
  11. Re:wait a minute by toddestan · · Score: 2, Informative

    Not that I'm defending macs in any way, but you do realize that there have been quite a few remote exploits (in the wild, not theoretical) that require nothing other than having a windows computer online and having its card pulled by another infected machine, right? It's not about if you're "smart" enough not to click on something, but if you were a bit brighter you'd already know that.

    Those days are also over (at least for the most part). Windows now comes with its firewall on by default, and those wide open services have been secured a lot better. It's not just a Windows thing either, I remember the days when a Redhat 5/6 install on the open internet would get pwned rather quickly too.