Slashdot Mirror
Apple Patches Massive Holes In OS X
Trailrunner7 writes with this snippet from ThreatPost: "Apple's first Mac OS X security update for 2010 is out, providing cover for at least 12 serious vulnerabilities. The update, rated critical, plugs security holes that could lead to code execution vulnerabilities if a Mac user is tricked into opening audio files or surfing to a rigged Web site." Hit the link for a list of the highlights among these fixes.
"if a Mac user is tricked into opening audio files or surfing to a rigged Web site."
I own a Mac G3, and STILL haven't been tricked into using OS X!
Apple's own security update page (http://support.apple.com/kb/HT4004) lists these six, where did Threatpost author get the number 12 from?:
Security Update 2010-001
*
CoreAudio
CVE-ID: CVE-2010-0036
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.2, Mac OS X Server v10.6.2
Impact: Playing a maliciously crafted mp4 audio file may lead to an unexpected application termination or arbitrary code execution
Description: A buffer overflow exists in the handling of mp4 audio files. Playing a maliciously crafted mp4 audio file may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved bounds checking. Credit to Tobias Klein of trapkit.de for reporting this issue.
*
CUPS
CVE-ID: CVE-2009-3553
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.2, Mac OS X Server v10.6.2
Impact: A remote attacker may cause an unexpected application termination of cupsd
Description: A use-after-free issue exists in cupsd. By issuing a maliciously crafted get-printer-jobs request, an attacker may cause a remote denial of service. This is mitigated through the automatic restart of cupsd after its termination. This issue is addressed through improved connection use tracking.
*
Flash Player plug-in
CVE-ID: CVE-2009-3794, CVE-2009-3796, CVE-2009-3797, CVE-2009-3798, CVE-2009-3799, CVE-2009-3800, CVE-2009-3951
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.2, Mac OS X Server v10.6.2
Impact: Multiple vulnerabilities in Adobe Flash Player plug-in
Description: Multiple issues exist in the Adobe Flash Player plug-in, the most serious of which may lead to arbitrary code execution when viewing a maliciously crafted web site. The issues are addressed by updating the Flash Player plug-in to version 10.0.42. Further information is available via the Adobe web site at http://www.adobe.com/support/security/bulletins/apsb09-19.html Credit to an anonymous researcher and Damian Put working with TippingPoints Zero Day Initiative, Bing Liu of Fortinet's FortiGuard Global Security Research Team, Will Dormann of CERT, Manuel Caballero and Microsoft Vulnerability Research (MSVR).
*
ImageIO
CVE-ID: CVE-2009-2285
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8
Impact: Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution
Description: A buffer underflow exists in ImageIO's handling of TIFF images. Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved bounds checking. For Mac OS X v10.6 systems, this issue is addressed in Mac OS X v10.6.2.
*
Image RAW
CVE-ID
The Apple commercials have told me that viruses and security holes are only possible in Windows, so I gather they are patching boot camp installs now
I'm afraid your patch provides insufficient coverage.
The only hole I want Apple to fix is the one they put in my wallet.
I've got a Mac G3, and have yet to be tricked into installing Mac OS X!
A lot of the people that read the site are in their 40s, 50s and 60s (I'm not). That makes their moms mostly 60+.
Go dude, go.
Nerd rage is the funniest rage.
More like you fell in...
(Well, like exley said...)
I just want to know when they're going to patch that damn hole in their logo. It's been there for decades!
Let me put it to you this way: None of the malware-infested machines I have cleaned up in the last few days were running OS X, just Windows.
There has been a huge spike in infections since that exploit that hit Google was made public-- we're seeing the return of drive-by infections on Windows, it's a whole lot of fun.
Meanwhile, I go home at night and surf with impunity on my Mac running OS X, just like I've done for the last 8 years.
Sometimes newer isn't better.
Some days it's just not worth
chewing through my restraints.
You just couldn't wait to post that, could you? FYI: every piece of software needs updates, and there is still always one piece of software that will be more secure than the others. I don't know if OSX is more secure than Windows 7, but both of them will continue to receive updates, that fact doesn't make either of them less secure.
"Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
Windows 7 can still be targeted by a IE bug that's been in place since IE6. Safari doesn't have zero day bugs *that* old
Non impediti ratione cogitationus.
I noticed. But where on earth did you find that helmet shaped like a wookie head from? ..Oh snap, that's not a helmet. My bad!
Also dude, the preferred nomenclature is vaginal-space challenged.
Windows 7 can still be targeted by a IE bug that's been in place since IE6. Safari doesn't have zero day bugs *that* old
How would you know? Zero-day means a non-public exploit.
Two bugs were found in their image libraries (arbitrary code execution bugs in TIFF and RAW-DMG). Makes me wonder if they even tested their image libraries at all when they were being written, because that kind of bug can usually be found in an image library by feeding it random data.
Qxe4
Anything posted on some forum, whispers in an irc chat?
Anything new floating around for a Mac running 10.6 that will do an IE and pop the browser/OS from a remote site?
Most still need the user to enter his/her password as a application/codec.
Mac are still safe to surf with for now.
Macs have a list of malware and loggers, the pre OS 10 had lots too.
But nothing in the wild to infect just yet with a site visit.
If anything existed outside law enforcement, spooks and one off professional solutions, every Mac AV vendor would have a youtube vid up.
A link to buy protection at a fair price after the 2 to 3 mins of safari getting infected after following a link and their product saving the day.
Domestic spying is now "Benign Information Gathering"
No, it can't. Well technically, it can be exploited, but IE runs sandboxed in Win 7 so the exploiter can't really do much.
Yes, it's sarcasm. Deal with it!
Windows 7 can still be targeted by a IE bug that's been in place since IE6. Safari doesn't have zero day bugs *that* old
How would you know? Zero-day means a non-public exploit.
Safari was released in early 2003.
Internet Explorer 6 was released in August 2001.
So the unfixed Internet Explorer bugs have been around quite a bit longer than Safari has. So Safari is unlikely have any bugs older than this IE bug, zero-day or otherwise.
(OK, there could be crusty KHTML era bugs left in the Safari code-base, but there's not much of that code left untouched)
Vupen Security has confirmed code execution on IE7 and IE8 as well, even in sandboxed mode.
Also dude, the preferred nomenclature is vaginal-space challenged.
I thought 'switcher' was the preferred nomenclature.
Windows 7 can still be targeted by a IE bug that's been in place since IE6. Safari doesn't have zero day bugs *that* old
Regardless of whether or not your statement about IE in Windows 7 is accurate, that doesn't have anything to do with an update for OSX somehow implying that OSX is less secure than it was yesterday.
"Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
But it is.
And patching vulnerabilities that are found just makes it more so.
Sorry, what was your point again?
Link?
This space for rent.
Saying that OSX is less secure due to these vulnerabilities is how MS said that Linux was less secure than windows. These aren't OS vulnerabilities, they're application vulnerabilities (well, for the programs I recognize as a non-Mac person). The OS itself is fine. The trick is, of course, that some of these things are included practically by default. So as we wouldn't count a problem with notepad as a Windows OS issue, so we shouldn't count ones for other OS's non-essential programs.
/. and a Mac lover, I sincerely doubt you're one of the problem kids for updates on most any system you control.
That's not to say that Mac users have free license to ignore proper security practices. Trojans, poor/shared passwords and not updating their software can leave them as vulnerable, if less targeted, than PC users. Given that one of the problems is with flash (and the fix is as simple as an update), I wonder if there's a good enough of a target out there for hacking Mac WOW players through flash ads hijacks.
Before you flame, I will say that if you're on
"Common sense will be the death of us all"
Could it use/harvest saved passwords? Open new browser tabs? Launch perhaps an app that would run the escalation exploit from this morning?
LOL, ok now i get it. OP's point was valid. IE6 really does have bugs in the wild that are older than firefox itself. Mozilla is pretty old so that would be possible, but not FF technically.
Not in the default configuration it can't.
It's official. Most of you are morons.
Has anyone driven a truck thru these gaping holes? Anyone? Beuller? When OSX is suffering from a deluge of viruses from all these supposed gaping holes in it's Architecture, please come back and let us know. Because while every operating system has vulnerabilities, only Microsoft was kind enough to make those vulnerabilities accessible by system wide scripting mechanisms that allowed millions of computer users the world over be the subject of attacks from the hundreds of thousands of pieces of malware constantly fighting to infect Windows PCs. The count (for those who think a security vulnerability makes Apple's points about viruses invalid) is about one hundred thousand to 0. This is being very generous. So, yes, as a matter of fact, there are no viruses for Mac OS X. Not virtually none, not almost none. None.
Fiat Homos et Pereat Theos
What...what is this?
http://www.vupen.com/english/advisories/2010/0135
There aren't enough macs out there to make the average scriptkiddie drool in anticipation.
They want the big score, and apple doesn't have enough market share to count.
That's not something to be proud of.
Meanwhile, I go home at night and surf with impunity on my Mac running OS X, just like I've done for the last 8 years.
You think you're the only one? My machine at home runs an unpatched version of XP SP3 (legally licensed, I just don't really bother to update it). I don't run a virus scanner, nor a software firewall, nor a memory-resident malware scanner. My current machine has never been infected (~2 years or so, since Crysis). My machine before that (same config) got infected once, when my roommate was porn browsing in IE.
The point? You don't need to run something other than Windows if you want to avoid infection, you just need to use your computer intelligently. It seems like you're saying that OSX is the platform for people to be as stupid as they want and still manage to avoid infection. That, my friend, is changing (as evidenced by the 7 patched vulnerabilities in Flash player).
"Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
The pwn2own contest would say otherwise. Mac is usually the first to go down.
-]Phreak Out[-
in your mom.
(May as well just get that one out of the way)
This is Apple we're talking about. Mac users have no interest in that type of hole...
With default Windows 7 settings, the current exploit doesn't work. IE8 in XP without DEP protection. It CAN theoritically be expolited with DEP but haven't seen any current exploits that work around DEP protection. Also running with non-admin privileges (recommended, and default in vista & windows 7) reduces the attack surface (i.e. backdoors can't be installed without taking advantage of some other vunerability) so the IE vunerability is a bit overblown, following good security practices (which are default in vista & windows 7) already prevent the known attacks.
I like to call it 'Rainbows, Unicorns, and Bullshit'
RUB and FUD are two sides of the same coin, and if you believe either: you're an idiot.
So as we wouldn't count a problem with notepad as a Windows OS issue, so we shouldn't count ones for other OS's non-essential programs.
Not saying you're in this group, but a lot of people around here have no problem counting IE vulnerabilities against Windows.
There are 2 computers sitting on a table one costs $1199, and the other costs $729. Which are you going to try to hack?
$1199 = Cheepest MacBook Pro.
$729 = Dell Vostro with comparable specs.
If I were God, wouldn't I protect my churches from acts of me?
that doesn't have anything to do with an update for OSX somehow implying that OSX is less secure than it was yesterday
What kind of fanboi drivel is this ?
They've just patched 12 serious vulnerabilities, how could it NOT be less secure yesterday before the patch than it is now after the patch ?
That's exactly my point - read the first post in the thread and my reply. Someone responded to that with a non-sequitor about IE and you saw my reply. The original poster seemed to imply that Apple releasing an update somehow decreased the perceived security of OSX.
"Fanboi", huh? Exactly which company do you think I'm a huge fan of?
"Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
At least we're getting some...
So as we wouldn't count a problem with notepad as a Windows OS issue, so we shouldn't count ones for other OS's non-essential programs.
So far as I have seen, problems with user-space components such as Notepad are indeed counted as Windows issues. Which makes perfect sense, since Notepad is present out of the box, and the box says "Windows" on it.
Similarly, OpenBSD has a fork of Apache 1.3 in their base system. If a vulnerability is found in that, then surely it's an OpenBSD vulnerability (hence the difference between base system and ports).
If Apple ships Flash plugin that way, then they have to deal with any security issues that may cause.
His point is that you can't take a Windows vulnerability, and write a /. comment around it that basically amounts to "and that's why Windows security sucks", but when a similar vulnerability is found in OS X, write another /. comment around it that amounts to "well, shit happens, but anyway, now it's even more secure than ever" - it's hypocritical. Either both vulnerabilities indicate systemic problems, or neither one does.
You hack whichever's easiest, considering pwn2own had $10k cash prizes.
It's only secure until its cracked.
You *have* to be a fanboi to post here ... you must take a side, there is no fence-sitting allowed on Slashdot.
You can take the "M$ sucks" route for infinite karma heaven, or the "A$$le sucks" route for instant karma hell. The "Linux (no dollar sign of course, this is FOSS) sucks" route simply leads to much debate and handwringing, with unknown karma effects ... look on that path as something like Buddhism.
Where we go from here, that's a choice I leave up to you. (oblig. Matrix reference)
Can we get this stickied ? Oh, damnit, I thought we were on a forum for a minute :-(
Well, it really depends *who* says it - the marketing departments at MS and Apple both tout "OS X/Windows is more secure than ever" - from a marketing standpoint they obviously aren't going to say anything else. From a certain perspective both are true - both Windows and OS X are more secure than ever, since they have been patched up - whether there are still a thousand other holes doesn't really change that, it just infers that there are no other problems which is where it gets muddy.
The GP's original point, I believe, was to totally discount that OS X is secure/more secure than Windows because of these patched vulnerabilities. No one is really claiming that there won;t be vulnerabilities found, but it doesn't negate a claim that the OS itself is pretty good when it comes to security. Not immune, and not perfect, but not bad.
While we're on it of course, I do take issue with the headline. "Massive Holes" really isn't accurate - at least, not in the context of other security updates. These are no better or worse than other security holes that have been fixed in OS X before, but the summary and headline dress it up like they just discovered that half the fence was missing and your troops are giving free bagels to the enemy as they usher them in through the gaps.
It is good that critical flaws are being corrected though, regardless of how they are reported.
I just wonder why the summary title says "MASSIVE holes..." when the original article "serious".. a bit of bias, perhaps??
More realistically, this is just another security update. Find me an OS that doesn't have them, and for similarly "obvious" or "easily found/fixed" (hindsight and armchair hacking being perfect of course) and I'll either switch right away, or dust off the old TRS-80 from my closet to run it on.
The way I see it, if you have a brain and use it while browsing, you are generally fine. But people are stupid. And if you are going to market your product to stupid people, you need to make sure you do everything you can to minimize the damage stupid people can do to others. (Stupid people generally deserve their own damages...)
Now to start the debate over which company is more in the business of marketing to stupid people...
Massive Holes? I wouldn't consider any of these critical vulnerabilities, except for the ever so popular Flash sponge.
* CoreAudio (CVE-2010-0036) -- A buffer overflow exists in the handling of mp4 audio files. Playing a maliciously crafted mp4 audio file may lead to an unexpected application termination or arbitrary code execution.
Seems this could crash your audio player.
* CUPS (CVE-2009-3553) -- A use-after-free issue exists in cupsd. By issuing a maliciously crafted get-printer-jobs request, an attacker may cause a remote denial of service. This is mitigated through the automatic restart of cupsd after its termination.
A remote attacker may cause an unexpected application termination of cupsd. I don't see this happening on a home network, and unlikely on a firewalled work network. In any case, an irritant and nothing more.
* Flash Player plug-in (7 vulnerabilities) -- Multiple issues exist in the Adobe Flash Player plug-in, the most serious of which may lead to arbitrary code execution when viewing a maliciously crafted web site. The issues are addressed by updating the Flash Player plug-in to version 10.0.42.
This one unfortunately is serious. Its also due to a flaw in the Adobe Flash Player plug-in.
* ImageIO (CVE-2009-2285) -- A buffer underflow exists in ImageIO's handling of TIFF images. Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution.
Crashes your Preview or whatever image viewing app your using.
* Image RAW (CVE-2010-0037) -- A buffer overflow exists in Image RAW's handling of DNG images. Viewing a maliciously crafted DNG image may lead to an unexpected application termination or arbitrary code execution.
I seriously had to look this one up. DNG is apparently an Adobe raw image format. I don't see this one as massive either.
* OpenSSL (CVE-2009-3555) -- A man-in-the-middle vulnerability exists in the SSL and TLS protocols. A change to the renegotiation protocol is underway within the IETF. This update disables renegotiation in OpenSSL as a preventive security measure. The issue does not affect services using Secure Transport as it does not support renegotiation.
This one appears to affect everyone, from OS X, to Windows, to Apache: The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl in the Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l, GnuTLS 2.8.5 and earlier, Mozilla Network Security Services (NSS) 3.12.4 and earlier, multiple Cisco products, and other products, does not properly associate renegotiation handshakes with an existing connection, which allows man-in-the-middle attackers to insert data into HTTPS sessions, and possibly other types of sessions protected by TLS or SSL, by sending an unauthenticated request that is processed retroactively by a server in a post-renegotiation context, related to a "plaintext injection" attack, aka the "Project Mogul" issue.
That doesn't say anything about sandboxing or DEP, like you claimed it would "confirm", got any more references to back up your claim?
Anyone out there know what the numbers are for mac osx and windows 7? How many users? Is it a comparable base, or has windows 7 already outstripped the number of mac osx users?
The GP's original point, I believe, was to totally discount that OS X is secure/more secure than Windows because of these patched vulnerabilities.
Yes, and GGP's original point was that the original assertion that OS X is more secure than Windows is based on precisely such Slashdot stories as this one.
To be fair MS themselves used to make a big deal out of claiming that IE was Windows and they couldn't be separated. That not being true didn't stop them.
One off professional solutions for a cash prize by a ex NSA worker.
Where are the in the wild hacks?
Where are the step by step scripts and FAQ's for setting up a Mac trap?
We have one very very very smart person showing up with a prize to win at this time.
Domestic spying is now "Benign Information Gathering"
Seems to me that removing flash would remove the exposure. On a side note, if you don't run a virus scanner, how do you know if your PC is infected, other than the obvious crash symptoms? I seriously doubt a Mac would be infected just by browsing a porn site while it's almost a given on XP.
Hmm.. I used to hate Microsoft, back when I had to develop for IE6, but with steps in the right direction for IE8 and Windows 7 I'm feeling less hatred and more optimism. I used to have not much of an opinion on Apple, but now I think Apple is my most hated company (somehow they overtook Sony). Google is sort of like a fun uncle who always comes over bringing gifts, but you're not sure if he just does that because he wants to molest you. I gave up on Linux after a terrible experience trying to install Debian many years ago, but now I've got my little EeePC with Xandros which has never done me wrong.
I'm not sure where that leaves me..
Wait, I know: I'm an Opera fanboy! I can live with that.
"Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
Why not just hear it from the horse's mouth?
From http://blogs.zdnet.com/security/?p=2941
Why Safari? Why didn’t you go after IE or Safari?
It’s really simple. Safari on the Mac is easier to exploit. The things that Windows do to make it harder (for an exploit to work), Macs don’t do. Hacking into Macs is so much easier. You don’t have to jump through hoops and deal with all the anti-exploit mitigations you’d find in Windows.
It’s more about the operating system than the (target) program. Firefox on Mac is pretty easy too. The underlying OS doesn’t have anti-exploit stuff built into it.
With my Safari exploit, I put the code into a process and I know exactly where it’s going to be. There’s no randomization. I know when I jump there, the code is there and I can execute it there. On Windows, the code might show up but I don’t know where it is. Even if I get to the code, it’s not executable. Those are two hurdles that Macs don’t have.
It’s clear that all three browsers (Safari, IE and Firefox) have bugs. Code execution holes everywhere. But that’s only half the equation. The other half is exploiting it. There’s almost no hurdle to jump through on Mac OS X.
You mean the one with cheaper/slower celeron with less L2 cache, slower DDR2 800 Mhz memory, a cheaper/slower integrated graphics solution, no firewire, a cheaper battery, mono audio speaker, VGA Out Only, no bluetooth standard, no Cam standard, and no optical digital audio output?
Comparable specs?
Over the past few years I've met several people who claim to run XP without any anti-malware or firewall and never have any issues as they only browse websites they trust. I can't say I'm an expert as far as computer security goes, but I have heard reports of numerous sites, even those many people trust, being compromised and loading malware or exploiting code on people who visit them.
The point? You're not "us[ing] your computer intelligently" if you don't use any run some sort of security software just as a precaution.
Sent from my iPhone 5
how do you know if your PC is infected
That's a good point, most of the time I don't have a reason to believe that but if I suspect something funny is going on I'll fire up Malwarebytes or something like that to check on it. I've got one or two anti-malware programs installed, I just run them on an as-needed basis instead of constantly scanning.
"Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
The point? You're not "us[ing] your computer intelligently" if you don't use any run some sort of security software just as a precaution.
That's a good point.
I'm not saying I only browse sites I trust (porn certainly needs to be watched occasionally), but when I'm browsing I'm using either Opera or Chrome, neither of which seem to get targeted. Not using IE (for anything) is actually the #1 security tip I can give to any Windows user. The only time I'll ever run IE is when I'm developing a site in Opera and I want to test it. I've got a toolbar button to open the current page in IE so it doesn't even need to go to its home page or anywhere else, it goes to the one page I'm working on and that's it, and then I close it. My days of downloading pirated material are also behind me, so that also probably had a significant impact on the average time between infections.
That being said, I'm feeling that with the increased focus on Flash player vulnerabilities, and my complete lack of faith in Adobe, that my days of browsing without explicit protection will be coming to an end relatively soon.
"Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
I just RTFA'd; when I was reading I said to myself "there are holes in SSL and TLS? WTF when did this happen?! Why didn't I hear about it anywhere?"
$ make available
That's nice. And out of date. OS X does memory address randomization, and supports to NX bit.
This is actually a valid complaint, although this link is actually referring to hacking done under Leopard, not Snow Leopard. Snow Leopard is still missing a full implementation of ASLR, and that leaves it vulnerable to some exploits.
Vista was the first Windows OS to implement ASLR, and it was assumed that Snow Leopard would do the same, but that didn't happen, or at least not fully. They have prevented 'data' from being executed as arbitrary code (DEP), but they still don't randomize all of the OS components. Only some key pieces, but not all.
You casually dismissed three vulnerabilities that could lead to arbitrary code execution, two of which live in OSX system libraries. I'm not too sure you're being objective. The other possibility: you are talking straight out your ass.
I guess my question is which is it?
Because Safari hasn't been around that long. Even if it contained but that were exploitable since Safari 1.0, it still wouldn't have any vulnerabilities that went unpatched for as long as the one in IE.
I am TheRaven on Soylent News
Well, except get access to the authentication credentials for my Internet banking site and transfer all of my money to a numbered Swiss account as soon as I log in. Good thing it can't get at my Freecell high scores though...
I am TheRaven on Soylent News
That should read *IE was an integral part of Windows*, sorry.
The pwn2own contest would say otherwise. Mac is usually the first to go down.
Because for pwn2own you need a zero-day exploit - how high are the chances to find a 0day for Windows and nobody else having it out in the wild until that one day in the year of pwn2own? OTOH, Charlie Miller was sitting on his last winner for over a year, and nobody else found that exploit during that year.
Lars T.
To the guy who modded me down from perfect to terrible Karma - Apple haters still suck
Not at all. Your only looking at the end result as evaluating risk from that, and not the vector of infection.
The flash update wasn't 'dismissed' and I noted it was a serious issue, but the fault lies with Flash. It is an abomination.
The MP4 vulnerability would require someone actually get their hands on a specifically crafted MP4. The typical user either creates their own MP4's from their own audio CD's, or downloads them from iTunes on a Mac. If they are getting them from seedy sources, then they pretty much get what they deserve
The last one I wouldn't consider a huge risk simply for the fact that I had never heard of the format. It would require someone that works with raw image data who happens to get an Adobe DNG image that has this vulnerability. This isn't like some drive by hijacking. I don't see this as a likely path to infection.
That's how most MP4s come into existence. But an MP4 (or a TIFF for that matter) can be put up onto a webpage by an attacker, and rendered by the browser without the user needing to explicitly download and run it. If visiting a maliciously-crafted website can lead to arbitrary code execution, I'd say there's a serious problem. (I haven't investigated the particular flaws closely enough to tell if that is the case. However, based on the advisory, it seems quite likely.)
I ran into a machine about two weeks back. The only obvious symptom was that when I tried to run Spybot the program would just close. This machine was stable and fast too.... really scary stuff some of the new crap. Then I took a peek at the AVG they where running, all up to date on version 8 point something (I use AVG too and knew that version 9 had already come out so this was messed up too the spyware or what ever it was had even taken over AVG lol)
I finally used an old trick of renaming the .exe for Spybot and it ran fine then and even recognized the infection although it could not clean it at least it gave me a name to google and removal instructions.
This infection came from Limewire so I can't blame XP or IE for this one, it was all user ignorance (not stupidity just not aware of file sizes and how bad something.mp3.exe can be lol)
So I guess the moral of the story on this one is that with the new stuff you might be infected and not even know it, and user security is even more vital then any other type.
Opera and a good hosts file can go a long way in keeping the riff raff off your system.
http://www.mvps.org/winhelp2002/hosts.htm
Its not security by itself but I find it combined with some other stuff really helps (I install this little thing on almost every machine I get my hands on, even an out dated version is better then nothing)
A cool side benefit of this hosts file is that it blocks a lot of ads (I guess by extension a lot of ads possibly loaded by compromised web pages?)
...from my Ubuntu laptop. How nice it is to have an OS that doesn't even need antivirus, which is still recommended for Mac.
These aren't OS vulnerabilities, they're application vulnerabilities (well, for the programs I recognize as a non-Mac person). The OS itself is fine. The trick is, of course, that some of these things are included practically by default. So as we wouldn't count a problem with notepad as a Windows OS issue, so we shouldn't count ones for other OS's non-essential programs.
Disagree.. a bit. If notepad is included by default on Windows (and is seldom removed/disabled from installations) then for all practical purposes it is part of the OS.
The same must apply to the standard apps with any OS distribution package.
Such default bundled applications are all attack surface area.
Saying that OSX is less secure due to these vulnerabilities is how MS said that Linux was less secure than windows.
Agree. Linux security is difficult to quantify, thus too easy for Microsoft to spread FUD. Linux is a collection of open source projects from all over the place (who calls the kernel one project?). Security can vary greatly from one package to the next, and vary between distros depending on the selection. MS naturally overlook the impressively hardened distro's out there, and look for examples in the more slack projects.
After logging in slashdot still does not take you back to the page you were on. It's been that way for 20 years.
I say this as someone who has had a Linux box r00ted in the past...
That sort of complacency is exactly what makes you more likely be get owned - regardless of OS selection.
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
Your #1 tip should be #2. #1 should be IMMEDIATELY password protect all accounts with a strong password, which is the default tip for all OSes (Can someone tell me if any semi-mainstream OS can do passphrases or common non-alphanumeric characters? Passphrases seem to be easier to remember than passwords.)
Semi-automatic amateur armchair Australian philosopher; conjecture ready at any moment...
How many times did I heard "I use Mac/Linux because there's no virus, no security problem and/or much safer". It's pretty much the same thing everywhere.
Unfortunately for you and MS, the core DLLs at the root of many of "IE"'s vulnerabilities are actually "core" pieces of the OS and can and are, in fact, exercised by other applications as well. "Uninstalling" IE, or never installing it, still results in an OS with these DLLs in place.
So yes, IE vulnerabilities ARE part of the MS OS vulnerabilities, but trust me, these are the least of MS's problems. The core issue is that the OS was "designed", if you could call it that, by the equivalent of 8th graders from a security stand point, and that might be unfairly insulting 8th graders. The OS is completely backwards in its outlook on security compared to any modern in use OS. It runs on a highest privileged token, which is "masked" or "filtered" in an effort to give "least privileges". You then "elevate" yourself by removing these privileges. Why is this a problem? If you need to do anything important, like, say, change passwords of users, then your process must run with that privilege all the time. So any flaw anywhere can be exploited to expose that privilege. In the newest version of 2008 R2 most of the token manipulation routines have been "broken" regarding any meaningful elevation, thus forcing this wrong-headed approach down your throat. Unless, of course, you don't mind injecting code into some random DLL that runs as "SYSTEM" somewhere.
Compare that with *nix for example, where your process runs with no privileges, so a flaw has no privileges when exploited... and you can see why security people that actually know anything RUN from an MS installation.
The cesspool just got a check and balance.
Unfortunately for you and MS, the core DLLs at the root of many of "IE"'s vulnerabilities are actually "core" pieces of the OS and can and are, in fact, exercised by other applications as well. "Uninstalling" IE, or never installing it, still results in an OS with these DLLs in place.
That depends on what you mean by "the OS". As far as I'm concerned, IE is less a part of "the OS" than, say, KDE or Gnome is on Linux (or at least Qt and GTK). At least one of libraries are more core to 99% of Linux users than the IE DLLs are to Windows users.
The rest of your post is a bit of a red herring; I made no statement regarding the overall security model of Windows.
So as we wouldn't count a problem with notepad as a Windows OS issue, so we shouldn't count ones for other OS's non-essential programs.
Not saying you're in this group, but a lot of people around here have no problem counting IE vulnerabilities against Windows.
Actually, I'm with this group. MS made IE "part" of Windows, good choice or not. Any problems it has becomes an OS problem by their own design.
This is one reason I wonder if Tinycore Linux may be one of the more secure flavors out there. A minimal distribution at initial install and you pretty much have to add any sort of functionality beyond hardware setup, the GUI and some basic utilities (thankfully including an application manager/downloader). I love playing with distros, but if you install full gnome/kde suites and such, that's a lot of potential bugs. Open or closed source, a 10Meg distro is probably easier to audit by smaller groups, possibly even by a single person who really loves what they're doing. Not having apps until you install them helps reduce the "out-of-sight, out-of-mind" or endless list of new updates you can get with more robust operating systems.
"Common sense will be the death of us all"
Yep, and that's the trick. At the very least OSS models do allow for distros to fix the software they ship themselves. I'd only give a group a pass on that if they can't fix the code themselves. In this case, one might consider Linux, BSD and other OSS based operating systems to be held to a higher standard than the traditional closed source project. It's broken AND you can fix it. Things like that are why some distros make me want to slam my head against a wall. Why are there 20 versions of notepad? Pick one, maintain it and we can install something else ourselves if it suits our needs.
Vi and Emacs would be an exception to that...
"Common sense will be the death of us all"
Actually, I'm with this group. MS made IE "part" of Windows, good choice or not.
I'll agree with you through XP... but it's not really part of windows, not any more. Not any more than Notepad.
I mentioned it in a previous post, but I'm having some fun with Tinycore linux for that reason. There's practically nothing installed from the get go. A 10meg OS floating around in 2g of laptop RAM is rather fun. Now I just need time to configure it for WINE and see how my games work on it. I wonder how it stacks up against hardened distros for basic security.
"Common sense will be the death of us all"
You hack whichever's easiest, considering pwn2own had $10k cash prizes.
Since you're talking pwn2own, then hack the Mac, since it's easiest.
No I'm not trolling, go read the last few contest details, the guy that won it said it first.
Funny you mention that. I used to hit my systems with 98lite and what have you, but around XP I just deleted the icons and had foxfire/firefox take it's spot. It didn't occur to me to even see if I could uninstall IE from my current W7 system...
Something to ponder for later on.
"Common sense will be the death of us all"
A buffer overflow exists in the handling of mp4 audio files. Playing a maliciously crafted mp4 audio file may lead to an unexpected application termination or arbitrary code execution.
Seems this could crash your audio player.
Or execute arbitrary code. Like something that installs a rootkit, or wipes your hard disk, or uploads your password files, etc.
handling of TIFF images. Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution.
Crashes your Preview or whatever image viewing app your using.
Or executes arbitrary code. Like something that... well I'm repeating myself now.
A buffer overflow exists in Image RAW's handling of DNG images. Viewing a maliciously crafted DNG image may lead to an unexpected application termination or arbitrary code execution.
I seriously had to look this one up. DNG is apparently an Adobe raw image format. I don't see this one as massive either.
Sigh.
Do you really have that much trouble with reading comprehension?
Let me explain a little. You go online and visit a web site. Embedded in that site is a TIFF or DNG, or maybe you grab a mp4 off a torrent or a warez site. Boom, thankyou, now you're exploited. This type of vulnerability is how the guys at the pwn2own contest keep cracking into Mac (and Windows, and Linux).
I think people would be a little less cavalier about the whole "safe Mac" image if Apple didn't spend so much time and money promoting Macs as 'virus free'. Seriously, when was the last time there was a big issue with a Worm on any platform? It's just not the MO of most malware these days to self-propegate. These days the standard MO is to drop a rootkit and join into a botnet, and do its best not to cause problems on the system or network. While I'll admit the Mac is still more secure against true Viruses, that's such a small part of what's out there to ruin your day that Apple deserves to be called out for it.
And just for the record, I own a couple Macs myself; not a fanboy, and not a hater, of any OS.
You are overlooking that Safari considers certain filetypes "safe" (including MP4, not sure about TIFF or DNG) and opens them by default. Its quite possible these vulnerabilities could be rigged to "drive by" a casual web surfer with no user interaction.
Furthermore Finder has a preview function which is activated by simply single-clicking on a file, which could be another vector to attack an 'innocent' user.
Business. Numbers. Money. People. Computer World.
It didn't occur to me to even see if I could uninstall IE from my current W7 system...
You probably can't uninstall IE in the sense that you want (then again, you probably can't uninstall Notepad either). I guess I wasn't being entirely fair, because the IE DLLs* are actually somewhat vital to the system: at the very least, for rendering help files.
That said, I think that might be all; in particular, the IE and Windows Explorer processes are definitely not tied together like they used to be. (This is true starting with Vista, and maybe even XP SP3, I can't check that easily at all.)
* More precisely, the MSHTML DLLs, which are used by IE and other programs
That depends on what you mean by "the OS". As far as I'm concerned, IE is less a part of "the OS" than, say, KDE or Gnome is on Linux (or at least Qt and GTK). At least one of libraries are more core to 99% of Linux users than the IE DLLs are to Windows users.
is anyone really disputing that IE, GTK, or Qt may/mat not be part the OS that ships them?
While there is a bug in IE8, including the Win7 implementation, none of the stuff I've seen regarding it says that IE8 on Win7 is vulnerable. They managed to exploit IE8 on XP by working around DEP, but made no mention of ASLR, which is a feature that makes DEP work-arounds vastly harder and is found on Vista and up. Additionally, they made no mention of Protected Mode, the process-level sandboxing that is used by IE on Vista and up (requires UAC to be enabled).
You have absolutely no evidence whatsoever that there isn't some vulnerable code in OS X that hasn't been around at least that long; the very nature of a 0-day bug is that the exploit comes out before the vulnerability is known.
There's no place I could be, since I've found Serenity...
For IE on Windows Vista or Win7 to do anything to the system, the user would also need to authorize the action. In fact, two levels of authorization would be needed: one to break out of the Protected Mode sandbox (normally, IE can't write anywhere on the file system outside a special "low integrity" folder, from which you can't execute any code). Second, the user would need to authorize Administrative permissions for writing to system files/folders/registry keys.
The fact that IE8 has a vulnerability doesn't mean that vulnerability can be exploited against an OS with modern security features and a user with even the vaguest hint of good sense.
There's no place I could be, since I've found Serenity...
OS X still doesn't provide a complete ASLR implementation.
Probably, since the browser has access to those anyhow. .doc file and want to view it immediately rather than saving it. However, this presents the user with a warning prompt.
Easily; you can do that with a bit of Javascript.
Nope. The Protected Mode (low-integrity process) sandbox prohibits the application IE from starting a different application. There is a way around it, of course, for things like when you download a
There's no place I could be, since I've found Serenity...
You seem to be ignoring all the parts that say arbitrary code execution.
Yep. Also, don't forget P2P programs - if your audio codec is vulnerable, somebody could put up a .m4a file on BitTorrent or whatever P2P system is used these days, and it could easily get spread around.
"Playing a maliciously crafted mp4 audio file may lead to an unexpected application termination or arbitrary code execution."
Emphasis added. This isn't a "crash iTunes" bug, this is a "copy all your local files + browser history to attacker, then turn your computer into a spambot" bug.
There's no place I could be, since I've found Serenity...
Opera and Chrome have both had security issues, although admittedly they weren't widely targeted. On the other hand, both use the Flash plugin and whatever PDF viewer you have installed, so things like the Acrobat Reader exploit (malicious PDF) that's going around will work just fine. In fact, since Opera doesn't include application-level sandboxing (the way IE and Chrome do on Vista/Win7) there's actually one less layer of security to breach.
There's no place I could be, since I've found Serenity...
IE6 (to Safari): "Get off my lawn before I render you like a standards compliant style sheet! I've got bugs older than you!"
I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
Insightful? WTF /.
The pwn2own contest would say otherwise. Mac is usually the first to go down.
Because for pwn2own you need a zero-day exploit - how high are the chances to find a 0day for Windows and nobody else having it out in the wild until that one day in the year of pwn2own? OTOH, Charlie Miller was sitting on his last winner for over a year, and nobody else found that exploit during that year.
...that you know of.
This infection came from Limewire so I can't blame XP or IE for this one, it was all user ignorance (not stupidity just not aware of file sizes and how bad something.mp3.exe can be lol)
It IS stupidity, just not on the part of the user. It's the OS's stupid decission to not show file extensions by default. It's one of the first options I change on every Windows install. If other OS's hide file extensions too, they are equally stupid.
Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
Regardless of whether or not your statement about IE in Windows 7 is accurate, that doesn't have anything to do with an update for OSX somehow implying that OSX is less secure than it was yesterday.
You're right.
It wasn't secure yesterday either, you just thought it was.
Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
The last one I wouldn't consider a huge risk simply for the fact that I had never heard of the format. It would require someone that works with raw image data who happens to get an Adobe DNG image that has this vulnerability. This isn't like some drive by hijacking. I don't see this as a likely path to infection.
Anyone who works in RAW image files would've heard of DNG. It's the default RAW format for a few cameras and it's the only fully open RAW specification I can recall. It's very easy to create a DNG, you don't need to work with raw image data (Adobe has a RAW file to DNG converter, and the specification is open).
Further still DNG is a derivative of the TIFF specification, so a vulnerability in the latter may arise from a vulnerability in the former.
Don't forget, just because you haven't heard of DNG, doesn't mean someone couldn't get you to download a DNG. The weakest link in a security chain is almost always the humans.
Are you sure? Each browsing instance runs as its own process and AFAIK each process is sandboxed individually. That means cross-tabs access is still blocked. Correct me if I'm wrong.
^ And this, dear children, is the reason we should all be pushing for open-source; if IE were open-source, I wouldn't need to ask that question, I would just look over its source code
Yes, it's sarcasm. Deal with it!
Sounds like you Apple folk need real-time virus protection after all.
Sucks, doesn't it?
Finally had enough. Come see us over at https://soylentnews.org/
None of the malware-infested machines I have cleaned up in the last few days were running OS X, just Windows.
I bet none of them were running AmigaOS, either.
Meanwhile, I go home at night and surf with impunity on my Mac running OS X, just like I've done for the last 8 years.
Meanwhile, I go home at night and surf with impunity on my computer running Windows, just like I've done for the last 10 years.
If a computer is secure - as you claim - it shouldn't matter what most people try to hack.
OTOH, Charlie Miller was sitting on his last winner for over a year, and nobody else found that exploit during that year.
...that you know of.
That the judges of pwn2own know of. And nothing has appeared in the wild before or after - that the whole world knows of.
Lars T.
To the guy who modded me down from perfect to terrible Karma - Apple haters still suck
Brilliant. Just brilliant. I always marvel at how Apple PC fans can twist and spin a bad point into a good point, even when the same argument is used as a bad point against PCs.
Next time there's an article about patches for Windows, and Apple fans are falling over themselves to get first post with the "Look how insecure it is" comments, I'll be sure to post your comment, and get +4 informative too.
Consider, Windows seems to have had far more patches than OS X, or so Apple fans tell us - so by your logic, it must be far more secure, right?
" When OSX is suffering from a deluge of viruses from all these supposed gaping holes in it's Architecture, please come back and let us know - by His Shadow (689816) on Wednesday January 20, @05:39PM (#30839078) Homepage
LOL... well, tell you what: When MacOS X gets enough users to merit online criminals attacking it (same with any *NIX variant out there for Personal Computers, & yes, that includes LINUX, BSD's (like MacOS X), etc. et al)? That's when it will happen.
Until then? "Stay tuned"...
The ONLY thing keeping MacOS X &/or Linux for example, 'safe', is "Security-By-Obscurity", & the fact that online criminals are just like ANY OTHER CRIMINALS: They gather where the most OTHERS gather, to maximize their surface area of attack - & guess where THAT is, online? Yes, that's right - Windows.
Windows has what? Roughly a 95% share of market out there for personal computing approximately?
Well - that "all said & aside", what the hell do you think goes through the mind of those doing the attacking (when they want to "hit" as many people as they can to victimize them, and maximize their criminal enterprise's profits)??
I.E.-> "LET'S ATTACK WINDOWS, IT IS THE MOST USED! WE WILL GET THE 'MOST MILEAGE OUT OF OUR ATTACK CODE' THAT WAY..."
So, they write their (for example) javascript code to attack Windows & its surrounding apps...
The Apple commercials? THEY ARE COMPLETE BULLSHIT, & ANYONE WITH ANY SENSE or KNOW-HOW IN THIS ART & SCIENCE/FIELD OF COMPUTING, REALIZES IT... "Security by Obscurity" is MacOS X & Linux's ally, & that's about it...
(Now, don't get me wrong: I like MacOS X, & Linux, as much as the next guy (they work, they are well-done by this point, & in general are as much a pleasure to use as Windows is)... but, I don't like hearing a bunch of misinforming market-speak bullshit lies, either).
HOWEVER:
IF ANYONE HERE TRIES TO TELL MYSELF OR OTHERS THAT IT'S "IMPOSSIBLE TO WRITE A VIRUS/WORM/TROJAN/SPYWARE/MALWARE-IN-GENERAL FOR LINUX or MAC OS X, THEN I SUGGEST THEY REALIZE THAT JAVASCRIPT (the main tool used to attack others online via webbrowsers & email programs as of the past 5++ yrs. now) RUNS ON THEIR OS' TOO... & THUS, THEY ARE JUST AS ATTACKABLE AS WINDOWS IS... EASILY!
APK
P.S.=> "Security-By-Obscurity" is the only so-called "security-advantage" that the *NIX variants on PC's have, & it's also their biggest enemy too (sales & market share, anyone?)... apk
I think you're missing the point - a large amount of the functionality of IE was moved into system DLLs, to make IE part of the OS proper during MS's claims that you couldn't remove IE.
Due to the incredible genius and well-disciplined engineering that comprises MS, that functionality became interdependent with other functionality that is part of the OS. So, in a way, MS was right, IE cannot be fully removed from the OS anymore without seriously reworking pieces of their architecture.
The rest of the post describes why this is a major problem due to MS's architecturally flawed security.
The cesspool just got a check and balance.
Who said I didn't think patching Windows holes was a good thing, because it is.
Look, just because I like Apple doesn't mean I'm some rabid fanboy who won;t accept that other OSes might actually have redeeming qualities. As it stands now, while both Windows and Mac are more secure than they have been before, by virtue of patching holes, OS X is ahead - mainly because it is easier to start again as they did with OS X than it is to keep building on top of their old code. The are advantages and disadvantages to both approaches.
I fail to see how you can suggest that patching 6 vulnerabilities in an OS is a "bad point". I don't consider Windows patches to be a bad point either - the sooner it gets rid of security issues the better.
As a Linux person (and a techy geek) I am often asked to help my less fortunate brethren and sisteren with their broken systems. The latest was the young woman who could no longer play the music she had paid for because of an automatic update to iTunes. It only took a couple of hours of my time (not to mention hers) to get her back to the version that actually played music. Turned out to be a dependency that was not met in the form of a library.
OK! Who the hell does an update without checking dependencies? How do we now trust Apple to do updates correctly, including this one?
btw - this is on a macbook that has had wifi problems since it was new, known to Apple but never fixed. I think Apple has lost a fan in this young woman. Having been around since the beginning, i wasn't too surprised.
Acrobat Reader most definitely does not have a home on any of my machines.
"Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
Yes, that's right. Personally, I don't really care enough about OSX to think about its security, but the point was that releasing an update does not make a piece of software less secure (unless obviously the update contains vulnerabilities).
"Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
I would have known something was up since very rarely are mp3 files like 4Kb (I forget the exact size but it was truely tiny)
I agree everyone should change viewing to show all extensions it just makes things much safer. Especialy if your downloading stuff... first rule of the open sea's a pirate should learn "Trust nothing and no one"
He probably meant a Latitude. While it's true that you can throw in a enough crap to make the low end Vostro cost $700+, for that money you're much better off buying a Latitude (or a Thinkpad...) which compares better.
I'm fairly certain any file I've saved, from safari at least, the first time it's opened, I get a warning saying "This is the first time this file downloaded from the internet has been opened - are you sure you want to proceed"
The warning only appears for applications and certain filetypes like HTML. I have never seen appear for anything that opens in iTunes or Preview.
Business. Numbers. Money. People. Computer World.
Um, sorry, but in their anti-trust trial Microsoft themselves said IE was an essential portion of the OS.
Because I'm sure MS hasn't done anything to the codebase in the last decade...
(Hint: The place where I consider them separated begins with Vista, when Windows Explorer would no longer host the IE renderer.)