Worm Threat Forces Apple To Disable Software?
SkiifGeek writes "After the debacle that surrounded the announcement and non-disclosure of a worm that targets OS X, the vulnerability in mDNSResponder may have forced Apple to remove support for certain mDNSResponder capabilities with the recently released Security Update 2007-007. 'Seeming to closely follow the information disclosed by InfoSec Sellout, Apple's mDNSResponder update addresses a vulnerability that can be exploited by an attacker on the local network to gain a denial of service or arbitrary code execution condition. Apple goes on to identify that the vulnerability that they are addressing exists within the support for UPnP IGD... and that an attacker can exploit the vulnerability through simply sending a crafted network packet across the network. With the crafted network packet triggering a buffer overflow, it passes control of the vulnerable system to the attacker. Rather than patching the vulnerability and retaining the capability, Apple has completely disabled support for UPnP IGD (though there is no information about whether it is only a temporary disablement until vulnerabilities can be addressed).'"
Researchers find hole, act like 1337 733ns about it. Company can't be sure that they've fixed hole, so they temporarily disable the reportedly-vulnerable function.
Yawn.
The real litigious bastards...
Apple find a vulnerability (before the worm is announced, according to TFA), and remove that vulnerability in their next security update.
I'm guessing there's a regular scheduled security update process in Apple. If you can't fix it in time for the next patch release, isn't it *better* to temporarily disable it? I really doubt it's a permanent removal of the feature - they're just being responsible.
Simon.
Physicists get Hadrons!
Hey Zonk, how about using more reputable sources than one guy's blog for your links? I know they were picked by the submitter, but linking only to a blog and then putting a question mark after the headline is sketchy. I can't put much faith in the article if I can't be sure that it's not just a blogger talking out of his ass.
A) Pick a feature that's dumb. (like embed a scripting language into an image format, or give a spreadsheet scripting language access to the filesystem)
B) Choose to preserve the dumb feature in spite of known security problems.
C) Treat the resulting backlash as a "PR issue" rather than a technical one.
D) Sometimes, if the backlash gets bad enough, they'll hack in security restrictions in response to specific known implementations that take advantage of the vulnerability rather than fix the vulnerability. E.g., fixes that look for an XXX worm trace, rather than fix the thing that XXX worm exploits. (See anti-virus.)
Apple is doing the right thing, here, folks! It may or may not be that the feature mentioned is analogous to (A) above. Either way, Apple is choosing security over features, even though features are important.
I have no problem with your religion until you decide it's reason to deprive others of the truth.
Can't you write it in English? You supposedly wrote something "Insightful" but I can't tell. And when I Google "1336 733ns", I get electronics suppliers. Apparently, that's a part number for something.
Along with tattoos and piercings, I hope that trendy style of spelling words goes into the annals of stupid fads.
I prefer Flambé as opposed to flamebait.
The reason Apple disables features where Microsoft doesn't has more to do with their target audience than any kind of company 'ethos'. If MS advises people that vulnerabilities exist with and , and proceeds to disable them, actual businesses that rely on features and will be very upset and potentially out a pile of money. Instead, MS advises of the vulnerability, so that these businesses can instead rely on their IT guy hardening the system against the vulnerability (seal the appropriate port on the firewall, disable the services on the machines that don't need it, isolating the machines that do use it from outside attack, etc.) whereas the odds of anybody's business being affected by the loss of are minimal, and they need to assume that their device is not administered by a technical person in any way. I mean, imagine the fallout if there was a bug that allowed malformed MS word documents being loaded by Office 2007 to result in security issues, and Microsoft responded by disabling the load feature.
I call bullshit. You are saying it's not possible to implement UPnP without being vulnerable to a buffer overflow that may lead to remote code execution? Because that's one of the (at least) two issues at hand. Nice try on passing the responsibility for this bug to the spec writers (mentioning Microsoft seems to help too), but unless the spec literally says "copy the received network data over your stack frame so it may be executed locally" at least this bug is 100% Apple's fault.
Realistically, no OS is completely secure. This is hardly the first security issue in OS X, nor will it be the last. Linux has had its share of security flaws, too.
In the modern world, there are simply too many protocols and systems popping up; no operating system exists in a vacuum, and many vulnerabilities may be in services, subsystems and so on. And with the pressure to get things out and shave off extra CPU cycles, there are too many situations where someone simply goes 'oh, well, I checked that this data is valid up HERE, so I don't need to check again down here in this function I call later,' and then later another piece of code goes, 'oh, look, here is a function that does what I need, I will just reuse it' and assumes that function does its own error-checking, so does not check the data before passing into it. And thus, you create a pathway where unvalidated data gets passed down and can cause buffer overflows or whatever.
No operating system or development team is somehow inherently immune to this.
The thing is that Windows not only has kept large chunks of legacy code -- which makes it hard to really break down and restrict user permissions without breaking older programs -- but spent some time really pushing the ActiveX technology, which then proved to create a lot of problems. Apple, on the other hand, went off the tracks entirely and threw out their operating system; that was a risky move which could have killed them off entirely, but in the end they got an operating system which was built atop a multi-user system with better permissions.
That does not mean that Apple somehow writes inherently better code than Microsoft; I happen to like OS X, but Apple's engineers are not necessarily smarter or more careful in the actual lines of code they write. The difference as I see it is that Microsoft is bogged down by hard-to-debug and support legacy code, while Apple got to make a cleaner start... and then on top of that, many bits of OS X (CUPS, zeroconf/Bonjour, WebKit, etc.) are open source.
Apple contributes funds and engineering to these projects (and in some cases such as zeroconf, came up with the original specifications), but as they are open source things tend to get found and fixed faster in community review. That is why OS X, while not bulletproof, tends to be at least a bit more secure than Windows.
That is my take on it, anyway.
--Rachel
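The validate-once-up-here, reuse-down-there trap described in the post above, shown as an added example in C (this is not code from the page, from Apple, or from mDNSResponder, and it does not reproduce the UPnP IGD bug the advisory describes; it only illustrates the class of mistake). The wire format is a DNS/mDNS-style sequence of one-byte length-prefixed labels, the sample packets are constructed, and the names `parse_name_unchecked`, `parse_name_checked`, `build_one_label` and `NAME_MAX` are assumptions made for the example:

```c
/* Added example: a length-prefixed label parser that trusts the attacker's
 * length byte, beside one that checks every length against both the bytes
 * remaining in the packet and the room left in the destination buffer.
 * Constructed input, not Apple's code and not the actual mDNSResponder bug. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX 32   /* small stack buffer, as in many real parsers */

/* Constructed sample packet: the name "_http._tcp.local" on the wire. */
static const uint8_t good_name[] = {
    5, '_', 'h', 't', 't', 'p',
    4, '_', 't', 'c', 'p',
    5, 'l', 'o', 'c', 'a', 'l',
    0
};

/* Builds a name made of one label of n 'A' bytes into buf (buf must hold
 * n + 2 bytes) and returns the packet length. Used to fabricate an overlong
 * label for the demonstration. */
size_t build_one_label(uint8_t *buf, uint8_t n)
{
    buf[0] = n;
    memset(buf + 1, 'A', n);
    buf[n + 1] = 0;
    return (size_t)n + 2;
}

/* VULNERABLE: copies each label using the length the packet supplies. It has
 * no packet length and no output length because "the caller already checked
 * that", which is the assumption the post describes. Returns bytes written. */
size_t parse_name_unchecked(const uint8_t *pkt, char *out)
{
    size_t pos = 0, used = 0;
    while (pkt[pos] != 0) {
        uint8_t len = pkt[pos];
        if (used) out[used++] = '.';
        memcpy(out + used, pkt + pos + 1, len);   /* overruns out if len is large */
        used += len;
        pos += 1 + len;
    }
    out[used] = '\0';
    return used;
}

/* HARDENED: validates every length inside the function, so it stays safe no
 * matter which caller reuses it. Compression pointers (top two bits set) are
 * rejected rather than followed; following them safely needs loop detection.
 * Returns the number of packet bytes consumed, or -1 on malformed input. */
int parse_name_checked(const uint8_t *pkt, size_t pktlen, char *out, size_t outlen)
{
    size_t pos = 0, used = 0;
    if (outlen == 0) return -1;
    for (;;) {
        if (pos >= pktlen) return -1;             /* ran off the packet */
        uint8_t len = pkt[pos];
        if (len == 0) break;                      /* end of name */
        if (len & 0xC0) return -1;                /* pointer or >63: reject */
        if (pos + 1 + len > pktlen) return -1;    /* label would read past packet */
        size_t need = len + (used ? 1 : 0);       /* label plus a '.' separator */
        if (used + need + 1 > outlen) return -1;  /* +1 keeps room for the NUL */
        if (used) out[used++] = '.';
        memcpy(out + used, pkt + pos + 1, len);
        used += len;
        pos += 1 + len;
    }
    out[used] = '\0';
    return (int)(pos + 1);
}

int main(void)
{
    char out[NAME_MAX];
    uint8_t pkt[64];
    size_t n = build_one_label(pkt, 40);
    /* The checked parser refuses a 40-byte label for a 32-byte buffer. */
    printf("checked, overlong label: %d\n", parse_name_checked(pkt, n, out, sizeof out));
    /* parse_name_unchecked(pkt, out) here would write 41 bytes into the
     * 32-byte stack array: the overflow. Deliberately not executed. */
    printf("checked, good name: %d\n",
           parse_name_checked(good_name, sizeof good_name, out, sizeof out));
    printf("parsed: %s\n", out);
    return 0;
}
```

The checked version is the one that survives being picked up by "another piece of code" later: its contract does not depend on the caller, which is the property the post argues most parsers lack under schedule pressure.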
mDNS - Apple
UPNP - Microsoft
Apple have disabled the Microsoft protocol. Won't affect them in the slightest I'd expect.
mDNS is actually fairly useful... you can advertise servers across the network using it, and it's an easy protocol to implement (a few hundred lines of code will do it).
UPNP is an XML-infested mess with a huge spec that I wouldn't try to implement unless I had a death wish. And in all that mess they forgot to add any user or machine verification... the upshot being if you enable it on a router you can disable its firewall with a 10-line perl script.
Well the subject under discussion was Apple's mDNS, its UPNP implementation, and the security issues that resulted in Apple simply turning UPNP off.
You can give yourself points for knowing unrelated details about Microsoft's non-standard, security-challenged architecture. The number of devices using UPNP as anything other than a way to play games over a router is really insignificant, however.
The wikipedia article you linked to points out:
- UPnP uses HTTP over UDP (known as HTTPU and HTTPMU for unicast and multicast), even though this is not standardized and is specified only in an Internet-Draft that expired in 2001.
- UPnP does not have a lightweight authentication protocol, while the available security protocols are complex. As a result, many UPnP devices ship with UPnP turned off by default as a security measure.
That's the same reason Apple gave up on it and turned it off by default as well.
Ten Fake Apple Scandals: 10 - Apple's Mac and iPhone Security Crisis
Windows Enthusiasts weary of making excuses for Microsoft's security failures have discovered that the best defense is a good offense.
Ten Fake Apple Scandals: 9 - Troy Wolverton, Neil Cavuto, and the Apple Stock Scandal
Google for 'Apple Scandal' and the results are overwhelmingly related to options backdating. Those backdated options from 1997 - 2001 resulted in Apple taking an $84 million charge against operations, but continued to monopolize the headlines for months with the panic that Steve Jobs might go to jail and Apple might be delisted from the NASDAQ stock exchange.