Slashdot Mirror
Apple Patches Massive Holes In OS X
Trailrunner7 writes with this snippet from ThreatPost: "Apple's first Mac OS X security update for 2010 is out, providing cover for at least 12 serious vulnerabilities. The update, rated critical, plugs security holes that could lead to code execution vulnerabilities if a Mac user is tricked into opening audio files or surfing to a rigged Web site." Hit the link for a list of the highlights among these fixes.
"if a Mac user is tricked into opening audio files or surfing to a rigged Web site."
I own a Mac G3, and STILL haven't been tricked into using OS X!
Apple's own security update page (http://support.apple.com/kb/HT4004) lists these six, where did Threatpost author get the number 12 from?:
Security Update 2010-001
*
CoreAudio
CVE-ID: CVE-2010-0036
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.2, Mac OS X Server v10.6.2
Impact: Playing a maliciously crafted mp4 audio file may lead to an unexpected application termination or arbitrary code execution
Description: A buffer overflow exists in the handling of mp4 audio files. Playing a maliciously crafted mp4 audio file may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved bounds checking. Credit to Tobias Klein of trapkit.de for reporting this issue.
*
CUPS
CVE-ID: CVE-2009-3553
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.2, Mac OS X Server v10.6.2
Impact: A remote attacker may cause an unexpected application termination of cupsd
Description: A use-after-free issue exists in cupsd. By issuing a maliciously crafted get-printer-jobs request, an attacker may cause a remote denial of service. This is mitigated through the automatic restart of cupsd after its termination. This issue is addressed through improved connection use tracking.
*
Flash Player plug-in
CVE-ID: CVE-2009-3794, CVE-2009-3796, CVE-2009-3797, CVE-2009-3798, CVE-2009-3799, CVE-2009-3800, CVE-2009-3951
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.2, Mac OS X Server v10.6.2
Impact: Multiple vulnerabilities in Adobe Flash Player plug-in
Description: Multiple issues exist in the Adobe Flash Player plug-in, the most serious of which may lead to arbitrary code execution when viewing a maliciously crafted web site. The issues are addressed by updating the Flash Player plug-in to version 10.0.42. Further information is available via the Adobe web site at http://www.adobe.com/support/security/bulletins/apsb09-19.html Credit to an anonymous researcher and Damian Put working with TippingPoints Zero Day Initiative, Bing Liu of Fortinet's FortiGuard Global Security Research Team, Will Dormann of CERT, Manuel Caballero and Microsoft Vulnerability Research (MSVR).
*
ImageIO
CVE-ID: CVE-2009-2285
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8
Impact: Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution
Description: A buffer underflow exists in ImageIO's handling of TIFF images. Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved bounds checking. For Mac OS X v10.6 systems, this issue is addressed in Mac OS X v10.6.2.
*
Image RAW
CVE-ID
The Apple commercials have told me that viruses and security holes are only possible in Windows, so I gather they are patching boot camp installs now
I'm afraid your patch provides insufficient coverage.
The only hole I want Apple to fix is the one they put in my wallet.
A lot of the people that read the site are in their 40s, 50s and 60s (I'm not). That makes their moms mostly 60+.
Go dude, go.
Nerd rage is the funniest rage.
More like you fell in...
(Well, like exley said...)
Let me put it to you this way: None of the malware-infested machines I have cleaned up in the last few days were running OS X, just Windows.
There has been a huge spike in infections since that exploit that hit Google was made public-- we're seeing the return of drive-by infections on Windows, it's a whole lot of fun.
Meanwhile, I go home at night and surf with impunity on my Mac running OS X, just like I've done for the last 8 years.
Sometimes newer isn't better.
Some days it's just not worth
chewing through my restraints.
You just couldn't wait to post that, could you? FYI: every piece of software needs updates, and there is still always one piece of software that will be more secure than the others. I don't know if OSX is more secure than Windows 7, but both of them will continue to receive updates, that fact doesn't make either of them less secure.
"Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
Windows 7 can still be targeted by a IE bug that's been in place since IE6. Safari doesn't have zero day bugs *that* old
Non impediti ratione cogitationus.
You already posted that in the first comment anonymously, and it wasn't funny then either.
"Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
Windows 7 can still be targeted by a IE bug that's been in place since IE6. Safari doesn't have zero day bugs *that* old
How would you know? Zero-day means a non-public exploit.
Two bugs were found in their image libraries (arbitrary code execution bugs in TIFF and RAW-DMG). Makes me wonder if they even tested their image libraries at all when they were being written, because that kind of bug can usually be found in an image library by feeding it random data.
Qxe4
Anything posted on some forum, whispers in an irc chat?
Anything new floating around for a Mac running 10.6 that will do an IE and pop the browser/OS from a remote site?
Most still need the user to enter his/her password as a application/codec.
Mac are still safe to surf with for now.
Macs have a list of malware and loggers, the pre OS 10 had lots too.
But nothing in the wild to infect just yet with a site visit.
If anything existed outside law enforcement, spooks and one off professional solutions, every Mac AV vendor would have a youtube vid up.
A link to buy protection at a fair price after the 2 to 3 mins of safari getting infected after following a link and their product saving the day.
Domestic spying is now "Benign Information Gathering"
No, it can't. Well technically, it can be exploited, but IE runs sandboxed in Win 7 so the exploiter can't really do much.
Yes, it's sarcasm. Deal with it!
Windows 7 can still be targeted by a IE bug that's been in place since IE6. Safari doesn't have zero day bugs *that* old
Regardless of whether or not your statement about IE in Windows 7 is accurate, that doesn't have anything to do with an update for OSX somehow implying that OSX is less secure than it was yesterday.
"Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
But it is.
And patching vulnerabilities that are found just makes it more so.
Sorry, what was your point again?
Link?
This space for rent.
Saying that OSX is less secure due to these vulnerabilities is how MS said that Linux was less secure than windows. These aren't OS vulnerabilities, they're application vulnerabilities (well, for the programs I recognize as a non-Mac person). The OS itself is fine. The trick is, of course, that some of these things are included practically by default. So as we wouldn't count a problem with notepad as a Windows OS issue, so we shouldn't count ones for other OS's non-essential programs.
/. and a Mac lover, I sincerely doubt you're one of the problem kids for updates on most any system you control.
That's not to say that Mac users have free license to ignore proper security practices. Trojans, poor/shared passwords and not updating their software can leave them as vulnerable, if less targeted, than PC users. Given that one of the problems is with flash (and the fix is as simple as an update), I wonder if there's a good enough of a target out there for hacking Mac WOW players through flash ads hijacks.
Before you flame, I will say that if you're on
"Common sense will be the death of us all"
Could it use/harvest saved passwords? Open new browser tabs? Launch perhaps an app that would run the escalation exploit from this morning?
LOL, ok now i get it. OP's point was valid. IE6 really does have bugs in the wild that are older than firefox itself. Mozilla is pretty old so that would be possible, but not FF technically.
Not in the default configuration it can't.
It's official. Most of you are morons.
I have a Mac G3. It is sitting in my basement collecting dust, because it is a worthless piece of shit.
Buy a computer from this century.
Has anyone driven a truck thru these gaping holes? Anyone? Beuller? When OSX is suffering from a deluge of viruses from all these supposed gaping holes in it's Architecture, please come back and let us know. Because while every operating system has vulnerabilities, only Microsoft was kind enough to make those vulnerabilities accessible by system wide scripting mechanisms that allowed millions of computer users the world over be the subject of attacks from the hundreds of thousands of pieces of malware constantly fighting to infect Windows PCs. The count (for those who think a security vulnerability makes Apple's points about viruses invalid) is about one hundred thousand to 0. This is being very generous. So, yes, as a matter of fact, there are no viruses for Mac OS X. Not virtually none, not almost none. None.
Fiat Homos et Pereat Theos
http://www.vupen.com/english/advisories/2010/0135
Meanwhile, I go home at night and surf with impunity on my Mac running OS X, just like I've done for the last 8 years.
You think you're the only one? My machine at home runs an unpatched version of XP SP3 (legally licensed, I just don't really bother to update it). I don't run a virus scanner, nor a software firewall, nor a memory-resident malware scanner. My current machine has never been infected (~2 years or so, since Crysis). My machine before that (same config) got infected once, when my roommate was porn browsing in IE.
The point? You don't need to run something other than Windows if you want to avoid infection, you just need to use your computer intelligently. It seems like you're saying that OSX is the platform for people to be as stupid as they want and still manage to avoid infection. That, my friend, is changing (as evidenced by the 7 patched vulnerabilities in Flash player).
"Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
The pwn2own contest would say otherwise. Mac is usually the first to go down.
-]Phreak Out[-
With default Windows 7 settings, the current exploit doesn't work. IE8 in XP without DEP protection. It CAN theoritically be expolited with DEP but haven't seen any current exploits that work around DEP protection. Also running with non-admin privileges (recommended, and default in vista & windows 7) reduces the attack surface (i.e. backdoors can't be installed without taking advantage of some other vunerability) so the IE vunerability is a bit overblown, following good security practices (which are default in vista & windows 7) already prevent the known attacks.
Being that there are many reasons to post things, and to post anonymously, "funny" isn't always the primary intent. What was my primary intent?
If it's necessary to have a discussion about your intent, how successful do you think you were in conveying it?
But it's possible I might say something funny.
Tell me a joke!
"Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
There aren't enough Windows with IIS installed to make the average script kiddie drool in anticipation in comparison to Linux/BSD with Apache. Oh wait.
If you don;t think the the chance to be the "first person to exploit the 'secure' OS X with a virus" isn;t driving some of these people then you are deluded. Or that genuine organised crime isn't going after the Mac platform (as a non-negligable marketshare) as well as Windows since it is amulti-million dollar industry compromising machines over the net. So far though, not much beyond proof of concept stuff and things that require user credential authentication.
It's no reason to be complacent (and the patching of vulnerabilities is not complacency), or the assertion that OS X is immune to threats, because it isn't. But it has proven to have a pretty good track record - not perfect, but pretty good. Continued work is still needed though.
So as we wouldn't count a problem with notepad as a Windows OS issue, so we shouldn't count ones for other OS's non-essential programs.
Not saying you're in this group, but a lot of people around here have no problem counting IE vulnerabilities against Windows.
that doesn't have anything to do with an update for OSX somehow implying that OSX is less secure than it was yesterday
What kind of fanboi drivel is this ?
They've just patched 12 serious vulnerabilities, how could it NOT be less secure yesterday before the patch than it is now after the patch ?
That's exactly my point - read the first post in the thread and my reply. Someone responded to that with a non-sequitor about IE and you saw my reply. The original poster seemed to imply that Apple releasing an update somehow decreased the perceived security of OSX.
"Fanboi", huh? Exactly which company do you think I'm a huge fan of?
"Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
At least we're getting some...
So as we wouldn't count a problem with notepad as a Windows OS issue, so we shouldn't count ones for other OS's non-essential programs.
So far as I have seen, problems with user-space components such as Notepad are indeed counted as Windows issues. Which makes perfect sense, since Notepad is present out of the box, and the box says "Windows" on it.
Similarly, OpenBSD has a fork of Apache 1.3 in their base system. If a vulnerability is found in that, then surely it's an OpenBSD vulnerability (hence the difference between base system and ports).
If Apple ships Flash plugin that way, then they have to deal with any security issues that may cause.
His point is that you can't take a Windows vulnerability, and write a /. comment around it that basically amounts to "and that's why Windows security sucks", but when a similar vulnerability is found in OS X, write another /. comment around it that amounts to "well, shit happens, but anyway, now it's even more secure than ever" - it's hypocritical. Either both vulnerabilities indicate systemic problems, or neither one does.
You hack whichever's easiest, considering pwn2own had $10k cash prizes.
You *have* to be a fanboi to post here ... you must take a side, there is no fence-sitting allowed on Slashdot.
You can take the "M$ sucks" route for infinite karma heaven, or the "A$$le sucks" route for instant karma hell. The "Linux (no dollar sign of course, this is FOSS) sucks" route simply leads to much debate and handwringing, with unknown karma effects ... look on that path as something like Buddhism.
Where we go from here, that's a choice I leave up to you. (oblig. Matrix reference)
Can we get this stickied ? Oh, damnit, I thought we were on a forum for a minute :-(
Well, it really depends *who* says it - the marketing departments at MS and Apple both tout "OS X/Windows is more secure than ever" - from a marketing standpoint they obviously aren't going to say anything else. From a certain perspective both are true - both Windows and OS X are more secure than ever, since they have been patched up - whether there are still a thousand other holes doesn't really change that, it just infers that there are no other problems which is where it gets muddy.
The GP's original point, I believe, was to totally discount that OS X is secure/more secure than Windows because of these patched vulnerabilities. No one is really claiming that there won;t be vulnerabilities found, but it doesn't negate a claim that the OS itself is pretty good when it comes to security. Not immune, and not perfect, but not bad.
While we're on it of course, I do take issue with the headline. "Massive Holes" really isn't accurate - at least, not in the context of other security updates. These are no better or worse than other security holes that have been fixed in OS X before, but the summary and headline dress it up like they just discovered that half the fence was missing and your troops are giving free bagels to the enemy as they usher them in through the gaps.
It is good that critical flaws are being corrected though, regardless of how they are reported.
I just wonder why the summary title says "MASSIVE holes..." when the original article "serious".. a bit of bias, perhaps??
More realistically, this is just another security update. Find me an OS that doesn't have them, and for similarly "obvious" or "easily found/fixed" (hindsight and armchair hacking being perfect of course) and I'll either switch right away, or dust off the old TRS-80 from my closet to run it on.
The way I see it, if you have a brain and use it while browsing, you are generally fine. But people are stupid. And if you are going to market your product to stupid people, you need to make sure you do everything you can to minimize the damage stupid people can do to others. (Stupid people generally deserve their own damages...)
Now to start the debate over which company is more in the business of marketing to stupid people...
Massive Holes? I wouldn't consider any of these critical vulnerabilities, except for the ever so popular Flash sponge.
* CoreAudio (CVE-2010-0036) -- A buffer overflow exists in the handling of mp4 audio files. Playing a maliciously crafted mp4 audio file may lead to an unexpected application termination or arbitrary code execution.
Seems this could crash your audio player.
* CUPS (CVE-2009-3553) -- A use-after-free issue exists in cupsd. By issuing a maliciously crafted get-printer-jobs request, an attacker may cause a remote denial of service. This is mitigated through the automatic restart of cupsd after its termination.
A remote attacker may cause an unexpected application termination of cupsd. I don't see this happening on a home network, and unlikely on a firewalled work network. In any case, an irritant and nothing more.
* Flash Player plug-in (7 vulnerabilities) -- Multiple issues exist in the Adobe Flash Player plug-in, the most serious of which may lead to arbitrary code execution when viewing a maliciously crafted web site. The issues are addressed by updating the Flash Player plug-in to version 10.0.42.
This one unfortunately is serious. Its also due to a flaw in the Adobe Flash Player plug-in.
* ImageIO (CVE-2009-2285) -- A buffer underflow exists in ImageIO's handling of TIFF images. Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution.
Crashes your Preview or whatever image viewing app your using.
* Image RAW (CVE-2010-0037) -- A buffer overflow exists in Image RAW's handling of DNG images. Viewing a maliciously crafted DNG image may lead to an unexpected application termination or arbitrary code execution.
I seriously had to look this one up. DNG is apparently an Adobe raw image format. I don't see this one as massive either.
* OpenSSL (CVE-2009-3555) -- A man-in-the-middle vulnerability exists in the SSL and TLS protocols. A change to the renegotiation protocol is underway within the IETF. This update disables renegotiation in OpenSSL as a preventive security measure. The issue does not affect services using Secure Transport as it does not support renegotiation.
This one appears to affect everyone, from OS X, to Windows, to Apache: The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl in the Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l, GnuTLS 2.8.5 and earlier, Mozilla Network Security Services (NSS) 3.12.4 and earlier, multiple Cisco products, and other products, does not properly associate renegotiation handshakes with an existing connection, which allows man-in-the-middle attackers to insert data into HTTPS sessions, and possibly other types of sessions protected by TLS or SSL, by sending an unauthenticated request that is processed retroactively by a server in a post-renegotiation context, related to a "plaintext injection" attack, aka the "Project Mogul" issue.
That doesn't say anything about sandboxing or DEP, like you claimed it would "confirm", got any more references to back up your claim?
The GP's original point, I believe, was to totally discount that OS X is secure/more secure than Windows because of these patched vulnerabilities.
Yes, and GGP's original point was that the original assertion that OS X is more secure than Windows is based on precisely such Slashdot stories as this one.
To be fair MS themselves used to make a big deal out of claiming that IE was Windows and they couldn't be separated. That not being true didn't stop them.
One off professional solutions for a cash prize by a ex NSA worker.
Where are the in the wild hacks?
Where are the step by step scripts and FAQ's for setting up a Mac trap?
We have one very very very smart person showing up with a prize to win at this time.
Domestic spying is now "Benign Information Gathering"
Huh what? That was an incoherent fanboi rant. IIS has around 21% vs. Apache at 46% and still IIS6 has holded out to be pretty good, especially comparing to Apache.
So far though, not much beyond proof of concept stuff and things that require user credential authentication.
There were tons of vulnerabilities in Safari and Quicktime etc. not to mention the ones in TFA that would work without user credentials.
And this is one in the wild. http://it.slashdot.org/article.pl?sid=09/01/23/0127253
But it has proven to have a pretty good track record - not perfect, but pretty good
Says who? According to TFA, an mp4 video or a picture could install spyware or delete all user files.Thats a pretty good track record? wtf? The only OS with a good track record would be OpenBSD. Apple's software usually has tons of holes.
Hmm.. I used to hate Microsoft, back when I had to develop for IE6, but with steps in the right direction for IE8 and Windows 7 I'm feeling less hatred and more optimism. I used to have not much of an opinion on Apple, but now I think Apple is my most hated company (somehow they overtook Sony). Google is sort of like a fun uncle who always comes over bringing gifts, but you're not sure if he just does that because he wants to molest you. I gave up on Linux after a terrible experience trying to install Debian many years ago, but now I've got my little EeePC with Xandros which has never done me wrong.
I'm not sure where that leaves me..
Wait, I know: I'm an Opera fanboy! I can live with that.
"Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
Why not just hear it from the horse's mouth?
From http://blogs.zdnet.com/security/?p=2941
Why Safari? Why didn’t you go after IE or Safari?
It’s really simple. Safari on the Mac is easier to exploit. The things that Windows do to make it harder (for an exploit to work), Macs don’t do. Hacking into Macs is so much easier. You don’t have to jump through hoops and deal with all the anti-exploit mitigations you’d find in Windows.
It’s more about the operating system than the (target) program. Firefox on Mac is pretty easy too. The underlying OS doesn’t have anti-exploit stuff built into it.
With my Safari exploit, I put the code into a process and I know exactly where it’s going to be. There’s no randomization. I know when I jump there, the code is there and I can execute it there. On Windows, the code might show up but I don’t know where it is. Even if I get to the code, it’s not executable. Those are two hurdles that Macs don’t have.
It’s clear that all three browsers (Safari, IE and Firefox) have bugs. Code execution holes everywhere. But that’s only half the equation. The other half is exploiting it. There’s almost no hurdle to jump through on Mac OS X.
You mean the one with cheaper/slower celeron with less L2 cache, slower DDR2 800 Mhz memory, a cheaper/slower integrated graphics solution, no firewire, a cheaper battery, mono audio speaker, VGA Out Only, no bluetooth standard, no Cam standard, and no optical digital audio output?
Comparable specs?
Over the past few years I've met several people who claim to run XP without any anti-malware or firewall and never have any issues as they only browse websites they trust. I can't say I'm an expert as far as computer security goes, but I have heard reports of numerous sites, even those many people trust, being compromised and loading malware or exploiting code on people who visit them.
The point? You're not "us[ing] your computer intelligently" if you don't use any run some sort of security software just as a precaution.
Sent from my iPhone 5
how do you know if your PC is infected
That's a good point, most of the time I don't have a reason to believe that but if I suspect something funny is going on I'll fire up Malwarebytes or something like that to check on it. I've got one or two anti-malware programs installed, I just run them on an as-needed basis instead of constantly scanning.
"Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
The point? You're not "us[ing] your computer intelligently" if you don't use any run some sort of security software just as a precaution.
That's a good point.
I'm not saying I only browse sites I trust (porn certainly needs to be watched occasionally), but when I'm browsing I'm using either Opera or Chrome, neither of which seem to get targeted. Not using IE (for anything) is actually the #1 security tip I can give to any Windows user. The only time I'll ever run IE is when I'm developing a site in Opera and I want to test it. I've got a toolbar button to open the current page in IE so it doesn't even need to go to its home page or anywhere else, it goes to the one page I'm working on and that's it, and then I close it. My days of downloading pirated material are also behind me, so that also probably had a significant impact on the average time between infections.
That being said, I'm feeling that with the increased focus on Flash player vulnerabilities, and my complete lack of faith in Adobe, that my days of browsing without explicit protection will be coming to an end relatively soon.
"Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
I just RTFA'd; when I was reading I said to myself "there are holes in SSL and TLS? WTF when did this happen?! Why didn't I hear about it anywhere?"
$ make available
That's nice. And out of date. OS X does memory address randomization, and supports to NX bit.
Yes, my point about IIS vs Apache wasn't that there were more attacks against IIS, just that there are documented and exploited holes.
And yes, there have been many holes found in the various parts of OS X that have been fixed (and some yet to be fixed) but in terms of malware in the wild, there is practically none. There was a disk image that claimed to be Office for Mac on torrent sites that actually ended up deleting your files after you gave it your admin password, and a couple of other proof of concept attacks, but stuff actually out there roaming free in the wild is extremely rare - vanishingly so. I will not say "none" because it is clearly not true, and it allows the possibility of something to emerge, but for all the holes that have appeared in components of OS X, over the course of the life of the OS, no one has demonstrated stuff beyond possibilities.
The TFA does indeed say "could install spyware and delete files" - ie, if the hole is exploited. No one is denying that (and when the hole is closed, they can't) but so far, no one has been able to - the vector for attack has not been there. There was nothing in the wild that exploited some of these holes, and they have been nipped up before anything could be produced.
There are obviously other holes that have yet to be closed - including, as some security people have claimed, ones that have been open and exposed for a very long time (consider the guy who knew of two vulnerabilities and kept one to himself so he could exploit it the next year at the 'break OS X contest'). If that hole was known and vulnerable for a year, where are the in-the0wild exploits actually installing malicious software and keyloggers and so on? The hole was there for a malicious mp4 file, but the malware that exploited it was not.
I'm not not nieve enough to assume or assert that OS X gets a free pass on security, but the prior performance has been good compared to Windows, even with the difference in install base. It's in a similar position to Linux with regard to security holes (and shares holes with some BSD components that the OSS community is also exposed to).
This is actually a valid complaint, although this link is actually referring to hacking done under Leopard, not Snow Leopard. Snow Leopard is still missing a full implementation of ASLR, and that leaves it vulnerable to some exploits.
Vista was the first Windows OS to implement ASLR, and it was assumed that Snow Leopard would do the same, but that didn't happen, or at least not fully. They have prevented 'data' from being executed as arbitrary code (DEP), but they still don't randomize all of the OS components. Only some key pieces, but not all.
You casually dismissed three vulnerabilities that could lead to arbitrary code execution, two of which live in OSX system libraries. I'm not too sure you're being objective. The other possibility: you are talking straight out your ass.
I guess my question is which is it?
Because Safari hasn't been around that long. Even if it contained but that were exploitable since Safari 1.0, it still wouldn't have any vulnerabilities that went unpatched for as long as the one in IE.
I am TheRaven on Soylent News
Well, except get access to the authentication credentials for my Internet banking site and transfer all of my money to a numbered Swiss account as soon as I log in. Good thing it can't get at my Freecell high scores though...
I am TheRaven on Soylent News
That should read *IE was an integral part of Windows*, sorry.
The pwn2own contest would say otherwise. Mac is usually the first to go down.
Because for pwn2own you need a zero-day exploit - how high are the chances to find a 0day for Windows and nobody else having it out in the wild until that one day in the year of pwn2own? OTOH, Charlie Miller was sitting on his last winner for over a year, and nobody else found that exploit during that year.
Lars T.
To the guy who modded me down from perfect to terrible Karma - Apple haters still suck
Not at all. Your only looking at the end result as evaluating risk from that, and not the vector of infection.
The flash update wasn't 'dismissed' and I noted it was a serious issue, but the fault lies with Flash. It is an abomination.
The MP4 vulnerability would require someone actually get their hands on a specifically crafted MP4. The typical user either creates their own MP4's from their own audio CD's, or downloads them from iTunes on a Mac. If they are getting them from seedy sources, then they pretty much get what they deserve
The last one I wouldn't consider a huge risk simply for the fact that I had never heard of the format. It would require someone that works with raw image data who happens to get an Adobe DNG image that has this vulnerability. This isn't like some drive by hijacking. I don't see this as a likely path to infection.
What you are linking to is NOT a virus, but a malware that user has to download, authenticate themselves as someone allowed to install software and install it.
If you have a user willing to do that, then all bets are off.
The original assertion still stands though. No viruses (i.e. self propagating code that spreads from machine to machine without user intervention). There aren't any for OS X and I'm not aware of any for Linux/BSD etc either.
As the island of our knowledge grows, so does the shore of our ignorance.
That's how most MP4s come into existence. But an MP4 (or a TIFF for that matter) can be put up onto a webpage by an attacker, and rendered by the browser without the user needing to explicitly download and run it. If visiting a maliciously-crafted website can lead to arbitrary code execution, I'd say there's a serious problem. (I haven't investigated the particular flaws closely enough to tell if that is the case. However, based on the advisory, it seems quite likely.)
I ran into a machine about two weeks back. The only obvious symptom was that when I tried to run Spybot the program would just close. This machine was stable and fast too.... really scary stuff some of the new crap. Then I took a peek at the AVG they where running, all up to date on version 8 point something (I use AVG too and knew that version 9 had already come out so this was messed up too the spyware or what ever it was had even taken over AVG lol)
I finally used an old trick of renaming the .exe for Spybot and it ran fine then and even recognized the infection although it could not clean it at least it gave me a name to google and removal instructions.
This infection came from Limewire so I can't blame XP or IE for this one, it was all user ignorance (not stupidity just not aware of file sizes and how bad something.mp3.exe can be lol)
So I guess the moral of the story on this one is that with the new stuff you might be infected and not even know it, and user security is even more vital then any other type.
Opera and a good hosts file can go a long way in keeping the riff raff off your system.
http://www.mvps.org/winhelp2002/hosts.htm
Its not security by itself but I find it combined with some other stuff really helps (I install this little thing on almost every machine I get my hands on, even an out dated version is better then nothing)
A cool side benefit of this hosts file is that it blocks a lot of ads (I guess by extension a lot of ads possibly loaded by compromised web pages?)
Yes, my point about IIS vs Apache wasn't that there were more attacks against IIS, just that there are documented and exploited holes.
Err no. Apache/PHP has more than it's share of exploits whereas IIS6 or IIS7 barely have any.
This space for rent.
What you are linking to is NOT a virus, but a malware that user has to download, authenticate themselves as someone allowed to install software and install it.
If you have a user willing to do that, then all bets are off.
The original assertion still stands though. No viruses (i.e. self propagating code that spreads from machine to machine without user intervention). There aren't any for OS X and I'm not aware of any for Linux/BSD etc either.
When did the last "virus" according to your definition, hit Windows? XP SP2 turned on the firewall by default and Outlook stopped opening attachments automatically. I would like to see a reference to a
recent "self propagating code that spreads from machine to machine without user intervention" for Windows that was successful.
This space for rent.
These aren't OS vulnerabilities, they're application vulnerabilities (well, for the programs I recognize as a non-Mac person). The OS itself is fine. The trick is, of course, that some of these things are included practically by default. So as we wouldn't count a problem with notepad as a Windows OS issue, so we shouldn't count ones for other OS's non-essential programs.
Disagree.. a bit. If notepad is included by default on Windows (and is seldom removed/disabled from installations) then for all practical purposes it is part of the OS.
The same must apply to the standard apps with any OS distribution package.
Such default bundled applications are all attack surface area.
Saying that OSX is less secure due to these vulnerabilities is how MS said that Linux was less secure than windows.
Agree. Linux security is difficult to quantify, thus too easy for Microsoft to spread FUD. Linux is a collection of open source projects from all over the place (who calls the kernel one project?). Security can vary greatly from one package to the next, and vary between distros depending on the selection. MS naturally overlook the impressively hardened distro's out there, and look for examples in the more slack projects.
After logging in slashdot still does not take you back to the page you were on. It's been that way for 20 years.
I say this as someone who has had a Linux box r00ted in the past...
That sort of complacency is exactly what makes you more likely be get owned - regardless of OS selection.
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
Your #1 tip should be #2. #1 should be IMMEDIATELY password protect all accounts with a strong password, which is the default tip for all OSes (Can someone tell me if any semi-mainstream OS can do passphrases or common non-alphanumeric characters? Passphrases seem to be easier to remember than passwords.)
Semi-automatic amateur armchair Australian philosopher; conjecture ready at any moment...
Unfortunately for you and MS, the core DLLs at the root of many of "IE"'s vulnerabilities are actually "core" pieces of the OS and can and are, in fact, exercised by other applications as well. "Uninstalling" IE, or never installing it, still results in an OS with these DLLs in place.
So yes, IE vulnerabilities ARE part of the MS OS vulnerabilities, but trust me, these are the least of MS's problems. The core issue is that the OS was "designed", if you could call it that, by the equivalent of 8th graders from a security stand point, and that might be unfairly insulting 8th graders. The OS is completely backwards in its outlook on security compared to any modern in use OS. It runs on a highest privileged token, which is "masked" or "filtered" in an effort to give "least privileges". You then "elevate" yourself by removing these privileges. Why is this a problem? If you need to do anything important, like, say, change passwords of users, then your process must run with that privilege all the time. So any flaw anywhere can be exploited to expose that privilege. In the newest version of 2008 R2 most of the token manipulation routines have been "broken" regarding any meaningful elevation, thus forcing this wrong-headed approach down your throat. Unless, of course, you don't mind injecting code into some random DLL that runs as "SYSTEM" somewhere.
Compare that with *nix for example, where your process runs with no privileges, so a flaw has no privileges when exploited... and you can see why security people that actually know anything RUN from an MS installation.
The cesspool just got a check and balance.
Unfortunately for you and MS, the core DLLs at the root of many of "IE"'s vulnerabilities are actually "core" pieces of the OS and can and are, in fact, exercised by other applications as well. "Uninstalling" IE, or never installing it, still results in an OS with these DLLs in place.
That depends on what you mean by "the OS". As far as I'm concerned, IE is less a part of "the OS" than, say, KDE or Gnome is on Linux (or at least Qt and GTK). At least one of libraries are more core to 99% of Linux users than the IE DLLs are to Windows users.
The rest of your post is a bit of a red herring; I made no statement regarding the overall security model of Windows.
So as we wouldn't count a problem with notepad as a Windows OS issue, so we shouldn't count ones for other OS's non-essential programs.
Not saying you're in this group, but a lot of people around here have no problem counting IE vulnerabilities against Windows.
Actually, I'm with this group. MS made IE "part" of Windows, good choice or not. Any problems it has becomes an OS problem by their own design.
This is one reason I wonder if Tinycore Linux may be one of the more secure flavors out there. A minimal distribution at initial install and you pretty much have to add any sort of functionality beyond hardware setup, the GUI and some basic utilities (thankfully including an application manager/downloader). I love playing with distros, but if you install full gnome/kde suites and such, that's a lot of potential bugs. Open or closed source, a 10Meg distro is probably easier to audit by smaller groups, possibly even by a single person who really loves what they're doing. Not having apps until you install them helps reduce the "out-of-sight, out-of-mind" or endless list of new updates you can get with more robust operating systems.
"Common sense will be the death of us all"
Yep, and that's the trick. At the very least OSS models do allow for distros to fix the software they ship themselves. I'd only give a group a pass on that if they can't fix the code themselves. In this case, one might consider Linux, BSD and other OSS based operating systems to be held to a higher standard than the traditional closed source project. It's broken AND you can fix it. Things like that are why some distros make me want to slam my head against a wall. Why are there 20 versions of notepad? Pick one, maintain it and we can install something else ourselves if it suits our needs.
Vi and Emacs would be an exception to that...
"Common sense will be the death of us all"
Actually, I'm with this group. MS made IE "part" of Windows, good choice or not.
I'll agree with you through XP... but it's not really part of windows, not any more. Not any more than Notepad.
I mentioned it in a previous post, but I'm having some fun with Tinycore linux for that reason. There's practically nothing installed from the get go. A 10meg OS floating around in 2g of laptop RAM is rather fun. Now I just need time to configure it for WINE and see how my games work on it. I wonder how it stacks up against hardened distros for basic security.
"Common sense will be the death of us all"
Funny you mention that. I used to hit my systems with 98lite and what have you, but around XP I just deleted the icons and had foxfire/firefox take it's spot. It didn't occur to me to even see if I could uninstall IE from my current W7 system...
Something to ponder for later on.
"Common sense will be the death of us all"
You are overlooking that Safari considers certain filetypes "safe" (including MP4, not sure about TIFF or DNG) and opens them by default. Its quite possible these vulnerabilities could be rigged to "drive by" a casual web surfer with no user interaction.
Furthermore Finder has a preview function which is activated by simply single-clicking on a file, which could be another vector to attack an 'innocent' user.
Business. Numbers. Money. People. Computer World.
It didn't occur to me to even see if I could uninstall IE from my current W7 system...
You probably can't uninstall IE in the sense that you want (then again, you probably can't uninstall Notepad either). I guess I wasn't being entirely fair, because the IE DLLs* are actually somewhat vital to the system: at the very least, for rendering help files.
That said, I think that might be all; in particular, the IE and Windows Explorer processes are definitely not tied together like they used to be. (This is true starting with Vista, and maybe even XP SP3, I can't check that easily at all.)
* More precisely, the MSHTML DLLs, which are used by IE and other programs
While there is a bug in IE8, including the Win7 implementation, none of the stuff I've seen regarding it says that IE8 on Win7 is vulnerable. They managed to exploit IE8 on XP by working around DEP, but made no mention of ASLR, which is a feature that makes DEP work-arounds vastly harder and is found on Vista and up. Additionally, they made no mention of Protected Mode, the process-level sandboxing that is used by IE on Vista and up (requires UAC to be enabled).
You have absolutely no evidence whatsoever that there isn't some vulnerable code in OS X that hasn't been around at least that long; the very nature of a 0-day bug is that the exploit comes out before the vulnerability is known.
There's no place I could be, since I've found Serenity...
For IE on Windows Vista or Win7 to do anything to the system, the user would also need to authorize the action. In fact, two levels of authorization would be needed: one to break out of the Protected Mode sandbox (normally, IE can't write anywhere on the file system outside a special "low integrity" folder, from which you can't execute any code). Second, the user would need to authorize Administrative permissions for writing to system files/folders/registry keys.
The fact that IE8 has a vulnerability doesn't mean that vulnerability can be exploited against an OS with modern security features and a user with even the vaguest hint of good sense.
There's no place I could be, since I've found Serenity...
Probably, since the browser has access to those anyhow. .doc file and want to view it immediately rather than saving it. However, this presents the user with a warning prompt.
Easily; you can do that with a bit of Javascript.
Nope. The Protected Mode (low-integrity process) sandbox prohibits the application IE from starting a different application. There is a way around it, of course, for things like when you download a
There's no place I could be, since I've found Serenity...
Yep. Also, don't forget P2P programs - if your audio codec is vulnerable, somebody could put up a .m4a file on BitTorrent or whatever P2P system is used these days, and it could easily get spread around.
"Playing a maliciously crafted mp4 audio file may lead to an unexpected application termination or arbitrary code execution."
Emphasis added. This isn't a "crash iTunes" bug, this is a "copy all your local files + browser history to attacker, then turn your computer into a spambot" bug.
There's no place I could be, since I've found Serenity...
Opera and Chrome have both had security issues, although admittedly they weren't widely targeted. On the other hand, both use the Flash plugin and whatever PDF viewer you have installed, so things like the Acrobat Reader exploit (malicious PDF) that's going around will work just fine. In fact, since Opera doesn't include application-level sandboxing (the way IE and Chrome do on Vista/Win7) there's actually one less layer of security to breach.
There's no place I could be, since I've found Serenity...
Spreading between machines is a feature of worms. You might mean appending itself to ("infecting") files on your system - that is what a computer virus does. They're pretty rare these days even on Windows, although there have actually been some for Linux (none at present that I'm aware of).
There's no place I could be, since I've found Serenity...
IE6 (to Safari): "Get off my lawn before I render you like a standards compliant style sheet! I've got bugs older than you!"
I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
The pwn2own contest would say otherwise. Mac is usually the first to go down.
Because for pwn2own you need a zero-day exploit - how high are the chances to find a 0day for Windows and nobody else having it out in the wild until that one day in the year of pwn2own? OTOH, Charlie Miller was sitting on his last winner for over a year, and nobody else found that exploit during that year.
...that you know of.
This infection came from Limewire so I can't blame XP or IE for this one, it was all user ignorance (not stupidity just not aware of file sizes and how bad something.mp3.exe can be lol)
It IS stupidity, just not on the part of the user. It's the OS's stupid decission to not show file extensions by default. It's one of the first options I change on every Windows install. If other OS's hide file extensions too, they are equally stupid.
Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
Regardless of whether or not your statement about IE in Windows 7 is accurate, that doesn't have anything to do with an update for OSX somehow implying that OSX is less secure than it was yesterday.
You're right.
It wasn't secure yesterday either, you just thought it was.
Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
Are you sure? Each browsing instance runs as its own process and AFAIK each process is sandboxed individually. That means cross-tabs access is still blocked. Correct me if I'm wrong.
^ And this, dear children, is the reason we should all be pushing for open-source; if IE were open-source, I wouldn't need to ask that question, I would just look over its source code
Yes, it's sarcasm. Deal with it!
Sounds like you Apple folk need real-time virus protection after all.
Sucks, doesn't it?
Finally had enough. Come see us over at https://soylentnews.org/
None of the malware-infested machines I have cleaned up in the last few days were running OS X, just Windows.
I bet none of them were running AmigaOS, either.
Meanwhile, I go home at night and surf with impunity on my Mac running OS X, just like I've done for the last 8 years.
Meanwhile, I go home at night and surf with impunity on my computer running Windows, just like I've done for the last 10 years.
If a computer is secure - as you claim - it shouldn't matter what most people try to hack.
OTOH, Charlie Miller was sitting on his last winner for over a year, and nobody else found that exploit during that year.
...that you know of.
That the judges of pwn2own know of. And nothing has appeared in the wild before or after - that the whole world knows of.
Lars T.
To the guy who modded me down from perfect to terrible Karma - Apple haters still suck
Brilliant. Just brilliant. I always marvel at how Apple PC fans can twist and spin a bad point into a good point, even when the same argument is used as a bad point against PCs.
Next time there's an article about patches for Windows, and Apple fans are falling over themselves to get first post with the "Look how insecure it is" comments, I'll be sure to post your comment, and get +4 informative too.
Consider, Windows seems to have had far more patches than OS X, or so Apple fans tell us - so by your logic, it must be far more secure, right?
I think you're missing the point - a large amount of the functionality of IE was moved into system DLLs, to make IE part of the OS proper during MS's claims that you couldn't remove IE.
Due to the incredible genius and well-disciplined engineering that comprises MS, that functionality became interdependent with other functionality that is part of the OS. So, in a way, MS was right, IE cannot be fully removed from the OS anymore without seriously reworking pieces of their architecture.
The rest of the post describes why this is a major problem due to MS's architecturally flawed security.
The cesspool just got a check and balance.
Who said I didn't think patching Windows holes was a good thing, because it is.
Look, just because I like Apple doesn't mean I'm some rabid fanboy who won;t accept that other OSes might actually have redeeming qualities. As it stands now, while both Windows and Mac are more secure than they have been before, by virtue of patching holes, OS X is ahead - mainly because it is easier to start again as they did with OS X than it is to keep building on top of their old code. The are advantages and disadvantages to both approaches.
I fail to see how you can suggest that patching 6 vulnerabilities in an OS is a "bad point". I don't consider Windows patches to be a bad point either - the sooner it gets rid of security issues the better.
As a Linux person (and a techy geek) I am often asked to help my less fortunate brethren and sisteren with their broken systems. The latest was the young woman who could no longer play the music she had paid for because of an automatic update to iTunes. It only took a couple of hours of my time (not to mention hers) to get her back to the version that actually played music. Turned out to be a dependency that was not met in the form of a library.
OK! Who the hell does an update without checking dependencies? How do we now trust Apple to do updates correctly, including this one?
btw - this is on a macbook that has had wifi problems since it was new, known to Apple but never fixed. I think Apple has lost a fan in this young woman. Having been around since the beginning, i wasn't too surprised.
Acrobat Reader most definitely does not have a home on any of my machines.
"Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
Yes, that's right. Personally, I don't really care enough about OSX to think about its security, but the point was that releasing an update does not make a piece of software less secure (unless obviously the update contains vulnerabilities).
"Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
I dunno. Apple seems to be selling millions of new Macs each quarter for about 10 years now. When will there be "enough macs out there" for your hypothesis?
I would have known something was up since very rarely are mp3 files like 4Kb (I forget the exact size but it was truely tiny)
I agree everyone should change viewing to show all extensions it just makes things much safer. Especialy if your downloading stuff... first rule of the open sea's a pirate should learn "Trust nothing and no one"
He probably meant a Latitude. While it's true that you can throw in a enough crap to make the low end Vostro cost $700+, for that money you're much better off buying a Latitude (or a Thinkpad...) which compares better.
I'm fairly certain any file I've saved, from safari at least, the first time it's opened, I get a warning saying "This is the first time this file downloaded from the internet has been opened - are you sure you want to proceed"
Really? You aren't aware of any for Linux/BSD? Not a single one? I sure hope you don't work in the security industry in any way, shape, or fashion...or if you do, you at least don't service my company or any of its clients.
The warning only appears for applications and certain filetypes like HTML. I have never seen appear for anything that opens in iTunes or Preview.
Business. Numbers. Money. People. Computer World.
Because I'm sure MS hasn't done anything to the codebase in the last decade...
(Hint: The place where I consider them separated begins with Vista, when Windows Explorer would no longer host the IE renderer.)