Worm Threat Forces Apple To Disable Software?
SkiifGeek writes "After the debacle that surrounded the announcement and non-disclosure of a worm that targets OS X, the vulnerability in mDNSResponder may have forced Apple to remove support for certain mDNSResponder capabilities with the recently released Security Update 2007-007. 'Seeming to closely follow the information disclosed by InfoSec Sellout, Apple's mDNSResponder update addresses a vulnerability that can be exploited by an attacker on the local network to gain a denial of service or arbitrary code execution condition. Apple goes on to identify that the vulnerability that they are addressing exists within the support for UPnP IGD... and that an attacker can exploit the vulnerability through simply sending a crafted network packet across the network. With the crafted network packet triggering a buffer overflow, it passes control of the vulnerable system to the attacker. Rather than patching the vulnerability and retaining the capability, Apple has completely disabled support for UPnP IGD (though there is no information about whether it is only a temporary disablement until vulnerabilities can be addressed).'"
Come here Apple fanboys-and-girls. Lunch is served.
Researchers find hole, act like 1337 733ns about it. Company can't be sure that they've fixed hole, so they temporarily disable the reportedly-vulnerable function.
Yawn.
The real litigious bastards...
I'm not opposed to temporarily disabling functionality to fix something potentially disastrous. However, I do hope Apple doesn't make it a practice of just turning things off once exploits are found. Turn it off, patch it, then re-enable it is fine by me.
Don't waste time... procrastinate now!
Apple find a vulnerability (before the worm is announced, according to TFA), and remove that vulnerability in their next security update.
I'm guessing there's a regular scheduled security update process in Apple. If you can't fix it in time for the next patch release, isn't it *better* to temporarily disable it? I really doubt it's a permanent removal of the feature - they're just being responsible.
Simon.
Physicists get Hadrons!
I'm sorry but the article must be a lie. The Apple fanboys assure me that there's no risk of vulnerabilities. Therefore, the article is wrong - it does not exist.
Conor "You're not married,you haven't got a girlfriend and you've never seen Star Trek? Good Lord!" - Patrick Stewart
I often wonder why the British (and now some Americans) say "Apple go on to identify..." Apple is ONE company. Shouldn't that be the singular "Apple goes on to identify"? If it were both Apple and Microsoft then indeed it would be "Apple and Microsoft go on to identify".
Yes, Apple is made up of many people; but my car is made up of many parts. You don't say "my car need gas" do you?
This perplexes me, can someone explain it? Sorry if it's completely OT (except that this (to me) error is in the blurb).
-mcgrew
(amusingly, the captcha is "contrary". Again sorry for being OT)
So an "apple" is threatened by a "worm"... you don't say.
-zariok-
Isn't mDNSResponder an Open Source package ported for OS X?
http://developer.apple.com/opensource/internet/bonjour.html
Is Apple the developer of mDNSResponder or are they just using it?
I might know what I'm talkin' about, but then again, this is Slashdot...
Hey Zonk, how about using more reputable sources than one guy's blog for your links? I know they were picked by the submitter, but linking only to a blog and then putting a question mark after the headline is sketchy. I can't put much faith in the article if I can't be sure that it's not just a blogger talking out of his ass.
Although I can understand the "secure-by-default" ethos, it would seem to me that some people could leave the vulnerable service active because they only use their computer in a firewalled physical LAN environment. Does this update come with a new preference panel entry to re-enable this mDNS service?
Two wrongs don't make a right, but three lefts do.
Does this mean that the Mac guy from the TV ad will get fired?
I mean, it was a given that, given increasing market share, Apple becomes interesting for malware. No system is 100% secure.
But at least they decided that it's better to disable the feature and minimize the damage to the net as a whole (and yes, even if you don't have an Apple, a worm damages you by clogging your tubes with packets trying to spread itself). MS decided that it's better to keep the insecure service up and running 'til it can be addressed.
Question for 100: Still getting sober/blaster packets? I do.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
A) Pick a feature that's dumb. (like embed a scripting language into an image format, or give a spreadsheet scripting language access to the filesystem)
B) Choose to preserve the dumb feature in spite of known security problems.
C) Treat the resulting backlash as a "PR issue" rather than a technical one.
D) Sometimes, if the backlash gets bad enough, they'll hack in security restrictions in response to specific known implementations that take advantage of the vulnerability rather than fix the vulnerability. E.g. fixes that look for an XXX worm trace, rather than fix the thing that XXX worm exploits. (See anti-virus)
Apple is doing the right thing, here, folks! It may or may not be that the feature mentioned is analogous to (A) above. Either way, Apple is choosing security over features, even though features are important.
I have no problem with your religion until you decide it's reason to deprive others of the truth.
Clearly something is unclear since iChat is obviously still using UPnP IGD, likely as a client?
But why is the mDNSResponder using UPnP IGD anyway? mDNS is for service discovery etc. and is basically a competitor to UPnP (I thought). Perhaps there is a way for mDNSResponder to leverage UPnP IGD to broadcast service messages (e.g. Bonjour) across a local NAT? If so I've never seen nor heard of this working -- so perhaps what they're disabling is vulnerable code that wasn't doing anything anyway?
... on a slashdot article?
;)
You must be new here
--I thought I was wrong once, but I was mistaken.
Can't you write it in English? You supposedly wrote something "Insightful" but I can't tell. And when I Google "1336 733ns", I get electronics suppliers. Apparently, that's a part number for something.
Along with tattoos and piercings, I hope that trendy style of spelling words goes into the annals of stupid fads.
I prefer Flambe as opposed to flamebait.
... that the iPhone will be the vector that finally gets Macs infected with a virus/worm that will replicate in the wild?
I bet there's a secret cabal at Microsoft that is working on this very thing.
Soon you'll be able to take advanced courses on "1337 5p34" to supplement those on "ebonics".
It's not just Dreamweaver; Photoshop CS3 does the same. Not only that, but it installs the service with the name "##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762 ##", so it's not exactly easy to spot.
Here is a page with instructions about how to remove it (read the full thread; the first post has an error):
http://www.x64bit.net/site/board/index.php?showtopic=4214
It's Apple's software, not Microsoft's. Try again.
A worm in your Apple, or half a worm?
It's actually Apple crap.
Just because you mark it flamebait doesn't make it less true.
to a world where the more famous you become (as in increased user base), the more enemies you will have. Microsoft has been fighting this battle for a long, long time.
Apple will realize this very soon.
Now that Apple has disabled uPnP compatibility will the original anonymous extortionist reveal the hole that he claims he didn't want to reveal lest Apple come up with some excuse for not disabling whatever his hole was, or will we hear more FUD from him?
Now will Apple disable "Open Safe Files after Downloading" in Safari, or at the very least stop treating SOFTWARE INSTALLERS, ZIP ARCHIVES, and DISK IMAGES as "Safe" files? OK, this isn't a Mack Truck sized hole like ActiveX (you can only drive *small* trucks through it) but it's still vastly dumb.
Watch I'll show you how it works. The apple fanboi moderator club is pretty big and like all monomaniacs are poised to protect their little gem from any tarnish.
"I mean, imagine the fallout if there was a bug that allowed malformed MS word documents being loaded by Office 2007 to result in security issues, and Microsoft responded by disabling the load feature."
Apple didn't disable Bonjour, they disabled one of the components of Bonjour. That's not like disabling loading, it's like refusing to load certain files.
There was a bug that allowed autoexec macros in MS Word documents being loaded by Office 97 to result in security issues, so Microsoft responded by making it impossible for a user to simply deactivate autoexec and forcing them to make the choice of completely disabling macros (to the point where it was impossible to even inspect the macros to see if they were safe), or leaving them all open.
This resulted in an increase in the incidence of infections.
Somehow Microsoft manages to avoid the kind of bad press that this kind of user abuse deserves.
Collective nouns in English trigger agreement either in the singular or in the plural, and the rate at which they trigger the latter is greater in the UK than in the USA, though it still happens in the USA. The choice of agreement actually corresponds to a very subtle semantic distinction: the collective noun can be interpreted as a reference to a single entity (the group), or as a reference to the aggregate of its members. This semantic distinction hardly ever matters, but there are examples where it does: you can say "The committee were pleased", because the members of the committee were pleased, but you can't say "The committee were formed", because what was formed was the committee itself, not its members.
Same thing happens with constructions like a group of people or a dozen of books, to different degrees.
Are you adequate?
UPnP kind of sucks anyway. Maybe this will get people to move to MDNS-SD, which is simple, straightforward, has several implementations (both open source and not).
"It almost certainly took them more effort to disable the feature than it would have to fix the broken code."
Leaving out a module? It's questionable whether they should be trying to hack some kind of limited uPnP compatibility into Zeroconf in the first place, especially if (as alleged) they're using it for "legacy NAT traversal"... this just screams "bad idea" to me.
They brag about how little they know compared to what it takes to keep a Windows machine happy
They brag about how little they NEED TO KNOW compared to what Windows users NEED TO KNOW.
The problem is that most Windows users are no better informed. They brag about how people who really do keep track of that stuff are "dumber" than the "dumb" users they want to be. They don't think they should have as much training as you need for a driver's license... even though they're operating a machine thousands of times more complex. This willful ignorance is not limited to Mac users by any means, and the gap between what Windows users DO know and what they NEED to know is vastly greater.
So they won't have the first idea of what to do when iChat suddenly breaks for no apparent reason.
You didn't read the advisory, did you?
I mean, imagine the fallout if there was a bug that allowed malformed MS word documents being loaded by Office 2007 to result in security issues, and Microsoft responded by disabling the load feature.
Consumers: Computer is patched En Masse, network as a whole is protected.
Company: Would note that vulnerability disables something they use, so they simply would not deploy the patch. Companies have control over Microsoft patches unless they are very small, and if they are that small they are probably not going to be using some corner feature.
Why should Microsoft fail to act to prevent MILLIONS of consumer systems from becoming zombies, for the sake of a few companies that wouldn't apply the patch right away anyway?
"There is more worth loving than we have strength to love." - Brian Jay Stanley
I can't wait to see that...
Mark as spam if message contains:
[x] fanboy/fanboi
[x] goatse
[x] 17 megabyte file
[ ] Kreskin
[x] Soviet Russia
[x] Profit!
[x] Beowulf
[x] I, for one
[x] hot grits
[ ] CowboyNeal
UnPlug n Play
Besides the blog cited, I saw something about this at this link.
Silly Apple, fixing the problems. Don't they know this leaves them open for taunting.
Knee-jerk PC fanboi: "Oh, I guess Apple isn't so secure after all, huh?"
Mac-fanboi: "Umm, they fixed a problem with some 3rd-party software before it became an issue."
Knee-jerk PC fanboi: "Yeah, old Apple finally getting some of what Windows gets."
Mac-fanboi: "No, they proactively fixed the problem"
Knee-jerk PC fanboi: "Yep, might as well just use Windows"
Mac-fanboi: "You do that, then."
-- Boycott Shell
Realistically, no OS is completely secure. This is hardly the first security issue in OS X, nor will it be the last. Linux has had its share of security flaws, too.
In the modern world, there are simply too many protocols and systems popping up; no operating system exists in a vacuum, and many vulnerabilities may be in services, subsystems and so on. And with the pressure to get things out and shave off extra CPU cycles, there are too many situations where someone simply goes 'oh, well, I checked that this data is valid up HERE, so I don't need to check again down here in this function I call later,' and then later another piece of code goes, 'oh, look, here is a function that does what I need, I will just reuse it' and assumes that function does its own error-checking, so does not check the data before passing into it. And thus, you create a pathway where unvalidated data gets passed down and can cause buffer overflows or whatever.
No operating system or development team is somehow inherently immune to this.
The thing is that Windows not only has kept large chunks of legacy code -- which makes it hard to really break down and restrict user permissions without breaking older programs -- but spent some time really pushing the Active X technology, which then proved to create a lot of problems. Apple, on the other hand, went off the tracks entirely and threw out their operating system; that was a risky move which could have killed them off entirely, but in the end they got an operating system which was built atop a multi-user system with better permissions.
That does not mean that Apple somehow writes inherently better code than Microsoft; I happen to like OS X, but Apple's engineers are not necessarily smarter or more careful in the actual lines of code they write. The difference as I see it is that Microsoft is bogged down by hard-to-debug and support legacy code, while Apple got to make a cleaner start... and then on top of that, many bits of OS X (CUPS, zeroconf/Bonjour, WebKit, etc.) are open source.
Apple contributes funds and engineering to these projects (and in some cases such as zeroconf, came up with the original specifications), but as they are open source things tend to get found and fixed faster in community review. That is why OS X, while not bulletproof, tends to be at least a bit more secure than Windows.
That is my take on it, anyway.
--Rachel
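The bug pattern Rachel describes above (the check lives in one caller, a helper gets reused later by code that assumes the helper checks for itself) is also the shape of the "crafted packet triggers a buffer overflow" summary at the top of the story. Here it is as an added example in C; this is not mDNSResponder or UPnP IGD code, and the one-length-byte packet format, the buffer size and the packets are all constructed for the example:

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed packet format for this example (not the real mDNSResponder
   or UPnP IGD wire format): one length byte followed by that many bytes. */
#define FIELD_MAX 16

/* Constructed inputs: a benign packet, and a crafted one whose length byte
   claims 200 bytes of payload while only four bytes actually follow. */
static const uint8_t BENIGN[]  = { 5, 'h', 'e', 'l', 'l', 'o' };
static const uint8_t CRAFTED[] = { 200, 'A', 'A', 'A', 'A' };

/* The buggy pattern: this helper assumes its caller already checked len. */
static void copy_field_trusting(char out[FIELD_MAX], const uint8_t *in, size_t len)
{
    memcpy(out, in, len);                       /* enforces no bound of its own */
}

/* Original call site: validates "up HERE", so the helper is safe from here. */
static int parse_request(const uint8_t *pkt, size_t pktlen, char out[FIELD_MAX])
{
    if (pktlen < 1) return -1;
    size_t len = pkt[0];
    if (len > FIELD_MAX || len > pktlen - 1) return -1;
    copy_field_trusting(out, pkt + 1, len);
    return (int)len;
}

/* Later code reuses the helper, assuming it checks for itself. It does not:
   CRAFTED makes it copy 200 bytes into a 16-byte stack buffer (and read past
   the end of the packet). Never feed untrusted data to this; it is here only
   to show the pattern. */
static int handle_reply_vulnerable(const uint8_t *pkt, size_t pktlen, char out[FIELD_MAX])
{
    if (pktlen < 1) return -1;
    size_t len = pkt[0];
    copy_field_trusting(out, pkt + 1, len);     /* BUG: len never checked here */
    return (int)len;
}

/* Fix: the helper enforces the bound itself and reports failure, so every
   caller, present and future, is covered regardless of what it checked. */
static int copy_field_checked(char out[FIELD_MAX], const uint8_t *in, size_t avail, size_t len)
{
    if (len > FIELD_MAX || len > avail) return -1;
    memcpy(out, in, len);
    return (int)len;
}

static int handle_reply_fixed(const uint8_t *pkt, size_t pktlen, char out[FIELD_MAX])
{
    if (pktlen < 1) return -1;
    return copy_field_checked(out, pkt + 1, pktlen - 1, pkt[0]);
}

/* Wrappers that run each path on the constructed packets and return the result. */
int demo_benign_request(void)          { char b[FIELD_MAX]; return parse_request(BENIGN, sizeof BENIGN, b); }
int demo_crafted_request(void)         { char b[FIELD_MAX]; return parse_request(CRAFTED, sizeof CRAFTED, b); }
int demo_benign_reply_fixed(void)      { char b[FIELD_MAX]; return handle_reply_fixed(BENIGN, sizeof BENIGN, b); }
int demo_crafted_reply_fixed(void)     { char b[FIELD_MAX]; return handle_reply_fixed(CRAFTED, sizeof CRAFTED, b); }
int demo_benign_reply_vulnerable(void) { char b[FIELD_MAX]; return handle_reply_vulnerable(BENIGN, sizeof BENIGN, b); }

int main(void)
{
    printf("request: benign=%d crafted=%d\n", demo_benign_request(), demo_crafted_request());
    printf("reply (fixed): benign=%d crafted=%d\n", demo_benign_reply_fixed(), demo_crafted_reply_fixed());
    /* handle_reply_vulnerable(CRAFTED, ...) would smash the stack; deliberately not run. */
    return 0;
}
```

The point of the fix is where the check lives: a bound enforced inside the helper cannot be forgotten by the next caller, whereas a bound enforced only at one call site silently stops applying the moment the helper is reused. Compile with your usual hardening flags and the vulnerable path on the crafted packet is what a stack protector or ASan would catch; the fixed path just returns -1.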
mDNS - Apple
UPNP - Microsoft
Apple have disabled the Microsoft protocol. Won't affect them in the slightest I'd expect.
mDNS is actually fairly useful.. you can advertise servers across the network using it, and it's an easy protocol to implement (a few hundred lines of code will do it).
UPNP is an XML infested mess with a huge spec that I wouldn't try to implement unless I had a deathwish. And in all that mess they forgot to add any user or machine verification.. the upshot being if you enable it on a router you can disable its firewall with a 10 line perl script.
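To back up the "a few hundred lines of code will do it" claim, here is an added example in C (not mDNSResponder code, and not from the poster) of the two halves of an mDNS-SD client: building the service-type enumeration query (a PTR question for _services._dns-sd._udp.local, sent to 224.0.0.251:5353 with a zero ID and zero flags) and decoding a name out of a received packet. The decoder checks every label length and compression pointer against the packet and caps pointer hops, since a responder that trusts those bytes is exactly the kind of code the story is about. The sample packets are constructed inline:

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { DNS_HDR = 12, TYPE_PTR = 12, CLASS_IN = 1 };

/* Encode "a.b.c" as DNS labels (length byte + bytes, terminated by a zero
   byte). Returns bytes written, 0 on error (empty label, label > 63, no room). */
static size_t encode_name(const char *name, uint8_t *out, size_t cap)
{
    size_t pos = 0;
    while (*name) {
        const char *dot = strchr(name, '.');
        size_t lab = dot ? (size_t)(dot - name) : strlen(name);
        if (lab == 0 || lab > 63 || pos + 1 + lab + 1 > cap) return 0;
        out[pos++] = (uint8_t)lab;
        memcpy(out + pos, name, lab);
        pos += lab;
        name += lab + (dot ? 1 : 0);
    }
    if (pos + 1 > cap) return 0;
    out[pos++] = 0;                                  /* root label */
    return pos;
}

/* Build a one-question mDNS query: ID 0, flags 0, QDCOUNT 1, QTYPE PTR,
   QCLASS IN. Returns the packet length, 0 on error. Setting 0x80 in the
   high QCLASS byte would make it a QU (unicast-response) question. */
size_t build_mdns_ptr_query(const char *name, uint8_t *out, size_t cap)
{
    if (cap < DNS_HDR + 4) return 0;
    memset(out, 0, DNS_HDR);
    out[5] = 1;                                      /* QDCOUNT = 1 */
    size_t n = encode_name(name, out + DNS_HDR, cap - DNS_HDR - 4);
    if (n == 0) return 0;
    size_t q = DNS_HDR + n;
    out[q] = 0;     out[q + 1] = TYPE_PTR;
    out[q + 2] = 0; out[q + 3] = CLASS_IN;
    return q + 4;
}

/* Decode the name at offset off into dotted text. Every label length and
   pointer is bounds-checked against the packet, output is bounds-checked
   against cap, and a hop limit stops pointer loops. Returns the text length,
   -1 on malformed input. */
int decode_name(const uint8_t *pkt, size_t len, size_t off, char *out, size_t cap)
{
    size_t pos = 0;
    int hops = 0;
    if (cap == 0) return -1;
    for (;;) {
        if (off >= len) return -1;
        uint8_t c = pkt[off];
        if (c == 0) break;
        if ((c & 0xC0) == 0xC0) {                    /* compression pointer */
            if (off + 1 >= len || ++hops > 16) return -1;
            off = (size_t)((c & 0x3F) << 8) | pkt[off + 1];
            continue;
        }
        if (c > 63 || off + 1 + c > len) return -1;  /* label runs off the packet */
        if (pos + (pos ? 1 : 0) + c + 1 > cap) return -1;
        if (pos) out[pos++] = '.';
        memcpy(out + pos, pkt + off + 1, c);
        pos += c;
        off += 1 + c;
    }
    out[pos] = '\0';
    return (int)pos;
}

/* Demo helpers on constructed data, returning values that can be checked. */
int demo_query_len(void)
{
    uint8_t p[512];
    return (int)build_mdns_ptr_query("_services._dns-sd._udp.local", p, sizeof p);
}

int demo_query_roundtrip(void)       /* 1 if the name and question fields decode back */
{
    uint8_t p[512]; char name[256];
    size_t n = build_mdns_ptr_query("_services._dns-sd._udp.local", p, sizeof p);
    if (n != 46 || decode_name(p, n, DNS_HDR, name, sizeof name) != 28) return 0;
    if (strcmp(name, "_services._dns-sd._udp.local") != 0) return 0;
    return p[42] == 0 && p[43] == TYPE_PTR && p[44] == 0 && p[45] == CLASS_IN;
}

int demo_truncated_label(void)       /* label claims 63 bytes, packet has 2 */
{
    uint8_t p[15] = { 0 }; char name[256];
    p[12] = 63; p[13] = 'a'; p[14] = 'b';
    return decode_name(p, sizeof p, DNS_HDR, name, sizeof name);
}

int demo_pointer_loop(void)          /* pointer at offset 12 points to offset 12 */
{
    uint8_t p[14] = { 0 }; char name[256];
    p[12] = 0xC0; p[13] = 0x0C;
    return decode_name(p, sizeof p, DNS_HDR, name, sizeof name);
}

int main(void)
{
    printf("query=%d bytes roundtrip=%d truncated=%d loop=%d\n",
           demo_query_len(), demo_query_roundtrip(), demo_truncated_label(), demo_pointer_loop());
    return 0;
}
```

Sending the 46-byte query over a UDP socket joined to 224.0.0.251 port 5353 and feeding the replies to decode_name is the rest of a minimal browser; the two crafted packets show the failure modes (a label that overruns the packet, and a pointer loop) that an unchecked decoder turns into an over-read or an infinite loop.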
No *nix of ANY stripe is as riddled with crappy programming and security errors as Windows. Period. DoS attack bots and spam bots owe their entire existence to Microsoft and its terminally stupid system design and nearly non-existent security. This isn't some sliding scale where Mac OS X, Linux and UNIX are marginally better than Windows. When it comes to security issues such as viruses, trojans and worms, for all intents and purposes they do not exist on any platform but Windows.
Post articles about all the proof of concept descriptions and known security issues with *nix all you want. It will not change the fact that malware and viruses are simply a non-issue for any platform but Microsoft Windows running Internet Explorer and Outlook.
Fiat Homos et Pereat Theos
He's probably already on this thread, calling everyone "fanboiz," and that is about as much as he has ever contributed IMO.
They are only an issue because users are stupid. I can run windows xp or vista without any antivirus software or antispyware or even a firewall. I'm not stupid, I don't click the ecards that make you download .exes then run them.
The problem with Windows is that it has the most users, and most of them know nothing about computers and end up running the viruses by themselves.
Macs have quite a few unpatched vulnerabilities as well. They all have their flaws.
Not that I'm defending macs in any way, but you do realize that there have been quite a few remote exploits (in the wild, not theoretical) that require nothing other than having a windows computer online and having its card pulled by another infected machine, right? It's not about if you're "smart" enough not to click on something, but if you were a bit brighter you'd already know that.
The Farewell Tour II
And that is why they want the option of disablement right away.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Thanks for this comment. I'm not a networking clever-person and your bit about disabling the firewall concerns me somewhat. I checked my router and discovered that UPNP was on by default. It's off now, and I'm not seeing any less functionality.
"Not that I'm defending macs in any way, but you do realize that there have been quite a few remote exploits (in the wild, not theoretical) that require nothing other than having a windows computer online and having its card pulled by another infected machine, right? It's not about if you're "smart" enough not to click on something, but if you were a bit brighter you'd already know that."
Those days are also over (at least for the most part). Windows now comes with its firewall on by default, and those wide open services have been secured a lot better. It's not just a Windows thing either; I remember the days when a Redhat 5/6 install on the open internet would get pwned rather quickly too.
Please don't try to portray me as some kind of Linux zealot, since (as I've mentioned over and over again) I don't actually like Linux. I definitely don't like redhat and am only slightly more likely to defend it than a mac.
You're wrong however if you are trying to make the argument that windows is as secure as even a shoddy Linux.
The Farewell Tour II
"worms, for all intents and purposes they do not exist on any platform but Windows"
*yawn*.
Someone needs to refresh their memory of the Morris Worm (or read up on it, if their career in computer security perhaps doesn't go back that far...).
Not only was it the first major worm (technically - some reports persisted in calling it a virus), but in terms of scale (relative to size of the net), nothing since has come anywhere close. Morris took down a significant percentage of the internet directly and probably a larger part indirectly from networks which literally pulled the plugs.
"malware and viruses are simply a non-issue for any platform but Microsoft Windows running Internet Explorer and Outlook."
In 1988, none of those platforms _existed_. I seem to recall that we still managed to have a major issue.
"Yawn" is right. No history lesson changes the pain and suffering inflicted on end users by Microsoft Windows security practices. It certainly doesn't recover the billions of dollars in lost IT time have evaporated due to same.
Fiat Homos et Pereat Theos
Type in "1337 733ns" into Google yourself and find out how (I'll refrain) you appeared.
I prefer Flambe as opposed to flamebait.
"They are only an issue because users are stupid. I can run windows xp or vista without any antivirus software or antispyware or even a firewall. I'm not stupid, I don't click the ecards that make you download .exes then run them. The problem with windows is that it has the most users, and most of them know nothing about computers and end up running the viruses by themselfs. Macs have quite a few unpacthed vulnerabilities aswell. They all have their flaws."
From a non-technical (or "stupid" as you put it) user's perspective, the Macintosh provides a lower-maintenance alternative to Windows, and it certainly helps that rather than just being a smaller target (as people are so fond of mentioning), for whatever reason it's practically a non-target for malware authors - there has never been any broadly effective malware of any kind for OS X.
Malware is one whole category of software that users of other operating systems are glad to be without, makes you wonder who the stupid ones are for putting themselves in harm's way at all. Personally, I'd rather be a draft-dodger than a martyr for someone else's ideals.