Slashdot Mirror


OS X Bug Exploited To Infect Macs Without Need For Password

An anonymous reader writes: A new flaw has been discovered in the latest version of OS X which allows hackers to install malware and adware onto a Mac without the need for any system passwords, researchers say. The serious zero-day vulnerability was first identified last week and results from a modified error-logging feature in OS X Yosemite which hackers are able to exploit to create files with root privileges. The flaw is currently found in the 'fully patched' OS X 10.10.4, but is not in the newest 10.11 El Capitan beta – suggesting that Apple developers were aware of the issue and are testing a fix.

127 comments

  1. Also fixed in 10.10.5 by Anonymous Coward · · Score: 4, Informative

    It's also already fixed in the latest 10.10.5 beta.

    1. Re:Also fixed in 10.10.5 by Anonymous Coward · · Score: 0, Offtopic

      I hate Apple, but after the recent shitpile that is Windows 10, at least Mac OS has to have adware hacked in. Windows 10 comes integrated with that along with a hefty dose of spyware.

    2. Re:Also fixed in 10.10.5 by Anonymous Coward · · Score: 3, Funny

      But Windows 10 is free and people already happily flock to free adware infested services like Facebook, Gmail, etc. So Microsoft just took the normal adware-filled web browsing user experience and transported it to the desktop to make using computers more consistent!

      Anyway, with the way Apple's stock is going it's just a matter of time before the same thing in OSX. Except Apple won't give any options to disable it.

    3. Re: Also fixed in 10.10.5 by Anonymous Coward · · Score: 2, Informative

      I just installed Win10 via upgrade and rather easily turned off almost all the reporting features within minutes from the control panel. I don't use their store and I login only with a local login and use Firefox. Win10 so far has been as good as Win7 and I haven't run into any of the Win8 issues. You sound like another Microsoft bandwagon hater. Years ago I learned to use the best tool for the job, maybe you should too.

    4. Re: Also fixed in 10.10.5 by perpenso · · Score: 5, Informative

      I just installed Win10 via upgrade and rather easily turned off almost all the reporting features within minutes from the control panel.

      You could have turned off the reporting from the installer by selecting the custom configuration option.

    5. Re: Also fixed in 10.10.5 by Anonymous Coward · · Score: 1

      turned off almost all the reporting features

      But not all and you can't prevent MS from changing your shit with forced updates. Or are you using Enterprise?

    6. Re: Also fixed in 10.10.5 by benjymouse · · Score: 1, Troll

      turned off almost all the reporting features

      But not all and you can't prevent MS from changing your shit with forced updates. Or are you using Enterprise?

      Yes all. And you cannot prevent Apple from changing your shit when they update OS X. What makes you think that MS will use Windows Update to change settings? They have never done so before, and have not indicated that they reserve that right for the future.

      --
      Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
    7. Re: Also fixed in 10.10.5 by Anonymous Coward · · Score: 1

      So you are using Enterprise. It's impossible to disable all of the spyware in Windows 10 Home and Pro.

    8. Re: Also fixed in 10.10.5 by Anonymous Coward · · Score: 0

      Years ago I learned to use the best tool for the job, maybe you should too.

      That statement seems inconsistent with the other historical information in your post.

    9. Re:Also fixed in 10.10.5 by Anonymous Coward · · Score: 0

      Windows 10 is free for now.
      But in a year, you'll have to pay for it, all that adware and spyware will still be present and enabled by default, and because everyone will have gotten used to it already, few will complain - just about as many as complain about the way Facebook treats privacy: a few tenths of a percent at most (look at the total user base, NOT just at those who read slashdot).

      But that's not MS's fault, they just started on the same road that Facebook, Apple and Google were on already.
      They were FORCED onto that road by the general public's wide acceptance of those practices.
      And logically, they're taking it yet another step further. That's what 'trying to get ahead' means.

    10. Re: Also fixed in 10.10.5 by Anonymous Coward · · Score: 0

      Actually you can easily gain full control of the windows auto updates, regardless if you are running enterprise, home or pro. But again, you'd have to actually be a windows user and bother to look to know this.

      Ok that's a lie, enterprise is the only flavour that gives you total control (because enterprises don't use auto updates, they use SUS).

      BUT you can get a standalone patch, not part of the auto updates, that will let you block and hide updates, and most importantly, stop windows from installing new hardware drivers.

      99% of the bs these people are complaining about simply doesn't exist anywhere outside of some apple/linux fanboy blogs.

      I'm not pleased with the adware baked in, just like I'm not pleased with amazon being baked into ubuntu 14. Just like I'm not ok with apple baking in ITUNES garbage into everything they build.

    11. Re: Also fixed in 10.10.5 by Anonymous Coward · · Score: 0

      You cannot turn off basic reporting on home and pro.

    12. Re:Also fixed in 10.10.5 by Anonymous Coward · · Score: 0

      That's a pity. This exploit could be used to automatically deinstall Apple's app store, install an open one and replace XCode with some free, cross-platform development environments. It would be a win-win for Apple and everyone else.

    13. Re:Also fixed in 10.10.5 by Anonymous Coward · · Score: 0

      If you get Windows 10 on your computer for free in the first year, you won't have to start paying for it on that computer after the first year. It will be free on that computer forever.

    14. Re:Also fixed in 10.10.5 by Applehu+Akbar · · Score: 1

      "It's also already fixed in the latest 10.10.5 beta."

      Good. Now can we work in the iOS bug that allows malicious ads to yank you into the App Store involuntarily?

    15. Re:Also fixed in 10.10.5 by Anonymous Coward · · Score: 1

      I wish people would stop saying that Windows 10 is free!

      Point me to a Windows 10 ISO (that's easy) that won't ask for any registration key when I'm installing it (doesn't exists)

    16. Re:Also fixed in 10.10.5 by Plumpaquatsch · · Score: 1

      "It's also already fixed in the latest 10.10.5 beta."

      Good. Now can we work in the iOS bug that allows malicious ads to yank you into the App Store involuntarily?

      Has it been fixed on Android already? Oh no, wait, that takes you to Google Play involuntarily - so not a bug, but a feature, right?

      --
      Of course news about a fake are Fake News.
    17. Re:Also fixed in 10.10.5 by Anonymous Coward · · Score: 0

      Well, Windows 10 is free for owners of Windows 7 or 8. That's free enough for me.

    18. Re:Also fixed in 10.10.5 by Anonymous Coward · · Score: 0

      Shitpile? Don't be such a cunt.

    19. Re:Also fixed in 10.10.5 by Bing+Tsher+E · · Score: 1

      An acknowledgement of iOS/Android equivalence. I'm glad I switched to a Windows phone, I guess...

    20. Re: Also fixed in 10.10.5 by Penguinisto · · Score: 2

      And you cannot prevent Apple from changing your shit when they update OS X.

      Turn in your geek card, because yes you can modify OSX post-patch - you just have to be comfortable with a *nix command prompt and have sudo privs.

      --
      Quo usque tandem abutere, Nimbus, patientia nostra?
    21. Re: Also fixed in 10.10.5 by Penguinisto · · Score: 3, Informative

      What makes you think that MS will use Windows Update to change settings?

      Because they've done it before.

      --
      Quo usque tandem abutere, Nimbus, patientia nostra?
    22. Re:Also fixed in 10.10.5 by Anonymous Coward · · Score: 0

      Because nobody wants to waste their time writing malware for the ZunePhone?

    23. Re:Also fixed in 10.10.5 by Ravaldy · · Score: 1, Informative

      But in a year, you'll have to pay for it

      It's free for life for all devices that already own Windows 7 or 8 and install it within the year. This is information right off their website. The cost to purchase after that is fairly nominal.

      all that adware and spyware will still be present and enabled by default,

      What malware? Please point me to concrete evidence of this as I have yet to see it.

    24. Re:Also fixed in 10.10.5 by Ravaldy · · Score: 1

      Go ahead and redefine free as an ISO provided if you wish but for the rest of the world FREE means I get it at no charge.

    25. Re:Also fixed in 10.10.5 by Anonymous Coward · · Score: 0

      Windows 10 isn't free in any way, shape or form. Windows 7 and 8 cost money and so does Windows 10 by extension, in addition to selling yourself out as Microsoft's product.

    26. Re:Also fixed in 10.10.5 by Plumpaquatsch · · Score: 1

      An acknowledgement of iOS/Android equivalence. I'm glad I switched to a Windows phone, I guess...

      Well, then you switched less than 7 months ago, because there were reports of it happening there too. Which went mostly unnoticed because pretty much nobody was affected - well only all Windows Phone users.

      --
      Of course news about a fake are Fake News.
    27. Re: Also fixed in 10.10.5 by Anonymous Coward · · Score: 1

      You cannot disable device data reporting, search box keylogging, Microsoft advertising ID creation and reporting, Windows Defender or automatic updates in Home or Pro. Even if you do disable everything else, Microsoft can turn it all back on and/or add additional spyware with silent, forced updates.

    28. Re:Also fixed in 10.10.5 by Anonymous Coward · · Score: 0

      You didn't get Windows 10 at no charge. The cost was the price of your current OS plus accepting spyware and in-OS advertising. You're just shortsighted.

    29. Re:Also fixed in 10.10.5 by Anonymous Coward · · Score: 0

      Windows 10 spyware/advertising platform? Don't be such a tool.

    30. Re: Also fixed in 10.10.5 by Anonymous Coward · · Score: 0

      Years ago I learned to use the best tool for the job, maybe you should too.

      The best tool for the job is still Windows 7. If you use Windows 10, then you are the tool.

    31. Re: Also fixed in 10.10.5 by Anonymous Coward · · Score: 0

      He's a shill, ignore him. Or he doesn't know what free means.

      Windows 10 is not free.

    32. Re: Also fixed in 10.10.5 by Anonymous Coward · · Score: 0

      LOL what's wrong with iTunes. It's basically Apple's version of media player.

    33. Re:Also fixed in 10.10.5 by macs4all · · Score: 3, Insightful

      But Windows 10 is free

      I know you were trying to be humorous; but OS X has been Free for the past 3 Revisions now.

    34. Re:Also fixed in 10.10.5 by macs4all · · Score: 2

      That's a pity. This exploit could be used to automatically deinstall Apple's app store, install an open one and replace XCode with some free, cross-platform development environments. It would be a win-win for Apple and everyone else.

      Apple uses the App Store platform to roll-out Software Updates; so you might want to think twice about that.

      And as far as XCode goes, Apple hasn't automatically installed XCode for about a decade. Do try to keep up!

    35. Re: Also fixed in 10.10.5 by Anonymous Coward · · Score: 0

      I don't know if it's still true, but I installed iTunes for Windows years ago and it silently installed Safari and Bonjour, then started renaming and retagging my entire music library without confirmation or consent. Fortunately I had a backup, but that experience put me off of iTunes forever.

      I've been an MS-DOS and Windows user for a long time, but Windows 10 is making me feel the same way. If I could ever bring myself to switch to using a Linux or BSD based operating system full-time, it's now. If the companies behind some of the mainstream Linux distros (like Ubuntu, Red Hat and SteamOS) are smart, they will jump on the opportunity.

    36. Re:Also fixed in 10.10.5 by Anonymous Coward · · Score: 0

      And the longer you use it, the more ads you'll be bombarded with and spying you'll be subjected to. Unless, of course, you pay a yearly subscription for Enterprise so you can shut all of that shit off. No thanks.

    37. Re:Also fixed in 10.10.5 by Anonymous Coward · · Score: 0

      Of course Windows 10 is a free upgrade for owners of Windows 7 or 8. This is exactly the same as OS/X upgrades being free for owners of a Mac.

    38. Re: Also fixed in 10.10.5 by Anonymous Coward · · Score: 0

      Well, someone doesn't know what free means.

    39. Re:Also fixed in 10.10.5 by Anonymous Coward · · Score: 0

      OS X upgrades don't come with gaping privacy and security holes. OS X upgrades don't come with ads baked in.

    40. Re: Also fixed in 10.10.5 by Anonymous Coward · · Score: 0

      Yes and it's you, Microsoft Tool (tm).

    41. Re:Also fixed in 10.10.5 by KGIII · · Score: 1

      What is cute is all this effort to deflect from the problem with OS X. And you all are falling for it. Silly users...

      --
      "So long and thanks for all the fish."
    42. Re: Also fixed in 10.10.5 by Anonymous Coward · · Score: 0

      Calling someone a hater translates to you've got nothing. The reasons for hating Windows 10 were already laid out in detail and you have no counter argument that actually makes Windows 10 worth the invasion of privacy. You admit yourself that Windows 7 is better than Windows 10.

    43. Re:Also fixed in 10.10.5 by Anonymous Coward · · Score: 0

      But in a year, you'll have to pay for it

      It's free for life for all devices that already own Windows 7 or 8 and install it within the year. This is information right off their website. The cost to purchase after that is fairly nominal.

      Windows 10 is meant to make the transition from license based Windows to software-as-a-service Windows. You bet Microsoft is going to provide that service for free :)

      You WILL pay for it, whether you realize it or not, even if you stick to the "free" offerings. You will KEEP paying for it again and again, for as long as you use it. For example by reading those ads that pop up while you're playing [fill in your preferred kind of solitaire here].

      If some third party gives Microsoft money to interleave your (desktop!) search results with their ads, YOU are the one paying, with your personal information and with the time you lose determining which result is an ad and which is what you were really looking for.

      The problem is that people have already gotten used to that so much, from Google for example, that they're turning blind for it.

      all that adware and spyware will still be present and enabled by default,

      What malware? Please point me to concrete evidence of this as I have yet to see it.

      Typical. Text says "adware and spyware", someone searching for grounds to disagree on reads "malware" into that and responds as if that's what it said.
      I wasn't talking about any bundled spy- or adware. I was talking about the spyware and adware that Windows 10 *IS*.

      BTW, the reason why I'm posting this as AC is not to hide from you. The reason is the same as why I don't have, and never will have, a Facebook account, or twitter, or Google, or MS Live, or anything like it.
      And why, after having used every version from DOS and Windows 3.0 on over Win95, NT 4.0, 2k, XP, Vista, and 7, I'm now planning to (finally) upgrade my Windows 7 to Linux, rather than allowing Windows 10 to run off with my privacy.

    44. Re:Also fixed in 10.10.5 by Anonymous Coward · · Score: 0

      Still believe it's free?

      http://www.forbes.com/sites/gordonkelly/2015/08/05/windows-10-charging/

      Solitaire has always been free until now. Upgrading removed it from your Win7/8.1.
      Want to play it in Windows 10? Pay. And pay again next month. And pay again the month after that.

      And that's just the first of many "services" to follow.

      You don't have to believe me, just wait and see: Windows 10 will turn out MUCH more expensive than any Windows version before it.

    45. Re: Also fixed in 10.10.5 by Anonymous Coward · · Score: 0

      And today, I got an update when I rebooted.

      According to some websites, that update (among other things it did) turned on something called WUDO, so I looked at the windows update settings and found that my w10 Enterprise PC was now, in a torrent-like way, made into a windows update server helping distribute updates to the rest of the internet.

      Thank you Microsoft, for using MY (limited) bandwidth that I pay for every month to distribute your updates for you.
      Thank you, for turning that "feature" on by default, without even telling me, in my *non-free* Windows 10 setup.

    46. Re:Also fixed in 10.10.5 by doccus · · Score: 1

      It's not "Spyware", it's "protective observation". Surely you can't have any problem with Nanny Microsoft watching your back against these evil luddites and EFF maniacs. Plus if you take too many pills they can help you out with a phone call to the FDA for "your own good". OK we don't know if they would, but they certainly *could*. Doesn't that just make you feel ever so *safe*? And the Adware? Naw, it's essential information dispensation, to stimulate the economy. Don't you want to do YOUR part? Or aren't you a patriot? Maybe you need to spend a little time in a FEMA "re-education" camp, to learn how to be a good "consumer". Spend spend spend. Don't you know the "American way"? Microsoft can help with this too. We'll start charging for Windows again, to help the economy. Right?

  2. I don't use mac but by Anonymous Coward · · Score: 0

    How about periodically checking the MD5 hash of the sudoers file (for those who don't have the patch)?

    1. Re:I don't use mac but by Anonymous Coward · · Score: 0

      How often are you actually modifying the sudoers file, though? I'd imagine this bug would be knackered if you "sudo chmod 400 /etc/sudoers" and only make it writeable as and when needed.

    2. Re:I don't use mac but by Anonymous Coward · · Score: 0

      It's a privilege escalation vulnerability allowing root without a password. Using chmod 400 is not going to help. Since 10.5, default settings allow root even to unset the schg flag.

    3. Re:I don't use mac but by Anonymous Coward · · Score: 0

      Why do people still use MD5 for anything? It's broken beyond repair, you can craft an arbitrary custom hash collision within minutes.

    4. Re:I don't use mac but by Anonymous Coward · · Score: 0

      While it is broken, there isn't a known pre-image attack on MD5. Yet.

    5. Re:I don't use mac but by Penguinisto · · Score: 1

      It'd be easier to just do this:

      #sudo chflags uchg /etc/sudoers

      (chflags is the OSX equivalent of chattr. "uchg" is the equivalent of "+i" "nouchg" is "-i")

      --
      Quo usque tandem abutere, Nimbus, patientia nostra?
    6. Re:I don't use mac but by Anonymous Coward · · Score: 0

      Try it. Root can't write to a 400 file even when owned by root/root - you have to make it writeable first. Thus, "this bug would be knackered."

  3. Click-bait FUD by Anonymous Coward · · Score: 1

    NotMisleading title.
    Old news.
    Patched bug.

  4. Not good by tsa · · Score: 1

    Seems like Apple made some really big mistakes in Yosemite. Let's hope they fix it asap.

    --

    -- Cheers!

    1. Re:Not good by Anonymous Coward · · Score: 0

      Done.

    2. Re:Not good by Anonymous Coward · · Score: 0

      Yeah, I hope they get it done too. Fingers crossed!

  5. Better Title by Anonymous Coward · · Score: 2, Insightful

    "Significant vulnerability demonstrated in OS X. Apple releases patch a few days later. News at 11."

    Not as exciting, is it ?

    (it appears to be dealt with in both the 10.10.5 and 10.11 betas)

    1. Re:Better Title by gl4ss · · Score: 4, Insightful

      apple knows of bug. fixes it in beta(first anyways, dunno if it's fixed in non beta). journalist tells it's fixed in the latest version.

      story gets posted again after a week on slashdot.

      but osx being exploitable if you have console/local access? that's not really news.

      --
      world was created 5 seconds before this post as it is.
    2. Re:Better Title by Anonymous Coward · · Score: 0

      "Significant vulnerability demonstrated in OS X. Apple releases patch a few days later. News at 11."

      Not as exciting, is it ?

      (it appears to be dealt with in both the 10.10.5 and 10.11 betas)

      The news here is that the vulnerability has now been used in an exploit in the wild.

      "Significant vulnerability demonstrated in OS X last week.

      Apple does not release patch.
      Exploit in wild.

      Apple releases patch a few days later. News at 11."

      Not so easy to be smug, is it?

    3. Re:Better Title by MSG · · Score: 2

      but osx being exploitable if you have console/local access? that's not really news.

      I don't know why so many people don't get this.

      The bug doesn't require a human at the console. Any code-execution bug can be escalated to root access because of this bug. It is not, by itself, a remote root, but security vulnerabilities can be combined, and a combination of bugs typically rates at the highest threat level of any individual element of the combined attack.

      That is, imagine that you have a bug in your browser that causes it to automatically open PDF files in an external viewer. This rates as a minor security threat. You also have a PDF reader that allows code execution, but code executes as the user, with limited rights, so this rates as a moderate security threat. You also have a dynamic linker that allows any process that can call system() to write to protected files. This is a critical security vulnerability.

      An attacker can now infect a server that you visit, or maybe convince you to visit a server that they control, and combine those to get root access on your system.

    4. Re:Better Title by adhdengineer · · Score: 1

      Not so easy to be smug, is it?

      For an apple user? of course it is.

  6. You mean this one? by complete+loony · · Score: 3, Informative
    --
    09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
    1. Re:You mean this one? by Anonymous Coward · · Score: 0

      "A word doc sized exploit"

      "A Facebook status update sized exploit"

      "A mobile online-gaming chat message sized exploit"

      I can see where this is going...

    2. Re:You mean this one? by Plumpaquatsch · · Score: 1

      "An empty word doc sized exploit"

      FTFY

      --
      Of course news about a fake are Fake News.
    3. Re:You mean this one? by RyuuzakiTetsuya · · Score: 1

      this is an actual implementation of that vulnerability.

      --
      Non impediti ratione cogitationus.
    4. Re:You mean this one? by complete+loony · · Score: 1

      And my implied point is that the "editors" didn't bother to link to the previous story for context. Without that acknowledgement, I might assume that this is just a dupe with no new "news".

      --
      09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
    5. Re: You mean this one? by Anonymous Coward · · Score: 0

      Thanks! It seems there was an Internet acronym sized bug there.

    6. Re:You mean this one? by Megane · · Score: 1

      Macs may not get viruses... but when they do get exploits, they get Dos Dupis.

      --
      #naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
  7. Better link by phantomfive · · Score: 5, Informative

    Here is a better link with more technical details.

    It's a privilege escalation exploit, so an attacker would already need shell access on your computer to get something done. Every OS has privilege escalation vulnerabilities, because it's much harder to close all the holes when you allow someone to execute arbitrary code on a system.

    That said, this is a particularly braindead bug from Apple, and it is worrisome because it shows they aren't thinking about security, or don't have proper processes in place to ensure the system stays secure. Their programmers should have known better than to create that kind of environment variable so lightly.

    --
    "First they came for the slanderers and i said nothing."
    1. Re:Better link by Dutch+Gun · · Score: 4, Informative

      Ugh, don't give this asshole more traffic. I think there's a reason few people are linking to his blog directly. He released the details of this bug without even attempting to contact Apple. When asked why he didn't do so, he replied "Why should I?" Later he states that "Responsible disclosure is simply a way of redirecting blame for a vulnerability from the vendor to the reporter." Right on his blog he's advertising his own presentations. Essentially, he's making news about this at the expense of user safety in order to promote himself and his services.

      A real piece of work.

      --
      Irony: Agile development has too much inertia to be abandoned now.
    2. Re:Better link by phantomfive · · Score: 3, Informative

      Last time I tried to report a bug to Apple through their bug tool, I got this error message. When I sent a message to the address in the error message, they responded, "please submit that bug through our error reporting tool." The initial bug I was trying to report still hasn't been fixed.

      This vulnerability is already being exploited in the wild. In that case, responsible disclosure means announcing it publicly, so people can defend themselves. And if Apple gave him as much trouble as they gave me, I don't blame him for not reporting the bug to them.

      --
      "First they came for the slanderers and i said nothing."
    3. Re:Better link by Dutch+Gun · · Score: 5, Insightful

      Is it really too much work for a security researcher to send an e-mail to product-security@apple.com? About five seconds of searching got me Apple's support page and that e-mail address.

      This guy admittedly didn't even try. And bugs that affect functionality are an entirely different matter than serious security issues. When dealing with a zero day, the decision on whether to announce it publicly depends on a number of factors.

      The very act of announcing it publicly guarantees that new exploits will explode in the wild (as this article confirms). And the reality is that very few OS X users will have seen this idiot's initial posting a month ago. Did you? I sure didn't. In the meantime, my system was and is now vulnerable to a hell of a lot more malware than it otherwise would have been.

      Sorry, but I have to disagree with you. Bad on Apple for making a stupid mistake in the first place and being slow to fix it, but I'm not giving this guy a pass either.

      --
      Irony: Agile development has too much inertia to be abandoned now.
    4. Re:Better link by abhi_beckert · · Score: 1

      That said, this is a particularly braindead bug from Apple, and it is worrisome because it shows they aren't thinking about security, or don't have proper processes in place to ensure the system stays secure. Their programmers should have known better than to create that kind of environment variable so lightly.

      They are thinking about security. This entire class of exploit is impossible on iOS and will be impossible in the next release of OS X (where it's much harder if you want to be compatible with typical UNIX software).

    5. Re:Better link by benjymouse · · Score: 3, Insightful

      It's a privilege escalation exploit, so an attacker would already need shell access on your computer to get something done.

      No shell access needed. A code execution bug in Firefox, Safari or Chrome (or whatever browser or internet-facing software you use) and the attacker is a local user. Especially Firefox does not have a sandbox, so a bug gives the attacker free rein. With this bug he can become root on your kit. That is bad. Blended attacks are the *norm* now - not the exception. Sometimes they are called "attack cocktails" when they try multiple vulnerabilities to get a foothold and then use privilege escalation bugs like these to break out of sandboxes or gain root.

      Every OS has privilege escalation vulnerabilities, because it's much harder to close all the holes when you allow someone to execute arbitrary code on a system.

      Unix and Linux with the braindead SUID/setuid design are especially susceptible to privilege escalation. The design is akin to the security model of ActiveX: You let someone gain privileges far beyond what is necessary and then hope he is well behaved and - crucially - cannot be fooled into using those privileges in nefarious ways. Well, bugs are one way to fool a SUID process into doing something wrong.

      SUID/setuid breaches the security boundary of the *nix security model. Once a process becomes root there is no policy that constrains what the process can do*.

      * (absent kludges like apparmor, SELinux that are bolted on with separate security policies).

      That said, this is a particularly braindead bug from Apple, and it is worrisome because it shows they aren't thinking about security, or don't have proper processes in place to ensure the system stays secure. Their programmers should have known better than to create that kind of environment variable so lightly.

      Again, the trap is in the basic Unix design. A SUID process executes in the environment where it was launched, but with privileges of the file owner (typically root). That means that *anything* from the user environment is potentially an attack vector. In this case it was as simple as environment variables. So the tables turn, and now the developer must *explicitly* guard against malicious injections rather than coding to a well-defined contract where parameters are explicit. Not to mention that the developer may not even be aware that someone will change the executable to SUID or just invoke the executable as a tool from another SUID executable (example: sudo).

      --
      Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
    6. Re:Better link by CraigCruden · · Score: 1, Insightful

      NO, Code execution in a browser CANNOT escalate privileges.... none of those applications have sufficient rights to change the /etc/sudoer file. The user would have to download and install an application from an unknown developer - which is blocked by default. You would then have to go into security settings and say - open up that installer for the application anyways. That installer application would then have sufficient privileges to make changes to the file and give that user root access with no asking of the password in the future. It takes a fair amount of social engineering of stupid users to get to that point.

      Most unix admins don't allow anyone root access or the ability to install applications. It only exists in OS X to be user friendly. The exploit is closed in 10.10.5 (currently in beta).
      In El Capitan the security will be rootless by default.

    7. Re:Better link by TheRaven64 · · Score: 1

      NO, Code execution in a browser CANNOT escalate privileges.... none of those applications have sufficient rights to change the /etc/sudoer file

      Way to miss the point. If they had the rights to write to /etc/sudoers then they wouldn't need a privilege escalation vulnerability. The entire point of this exploit is that it allows someone with an unprivileged account to gain root access. That said, both Chrome and Safari run the WebKit renderers in sandboxes that don't have the ability to run any setuid binaries (which this needs), so the grandparent is only partially correct: only Firefox would be vulnerable, out of the ones that he listed.

      --
      I am TheRaven on Soylent News
    8. Re:Better link by CraigCruden · · Score: 4, Insightful

      NO, you miss the point....

      "On Monday, researchers from anti-malware firm Malwarebytes said a new malicious installer is exploiting the vulnerability to surreptitiously infect Macs with several types of adware including VSearch, a variant of the Genieo package, and the MacKeeper junkware. Malwarebytes researcher Adam Thomas stumbled on the exploit after finding the installer modified the sudoers configuration file."

      The installer itself has been granted privileges by the operator to install the application to all users. It cannot install itself directly from the browser. It has to be downloaded (and potentially auto-opened) for installation. It either has to be installed maliciously into an application (which is unlikely to be a signed developer).

      Subsequent to that installation of the malicious malware, that user that installed the application has been given effective root access WITHOUT requiring passwords on subsequent actions. But until that file is modified, that user does not have sufficient rights, nor do any 3rd party applications have sufficient rights to make changes to that file without user intervention.

      The vulnerability is that the installer can make changes to the /etc/sudoers file during installation by use of the DYLD_PRINT_TO_FILE.

      It is highly unlikely an application that is from a certified/signed developer is going to contain malware in the installer -- possible but not likely. This means social engineering to get the user to download unsigned applications - then go into security settings and allow that installer an exception to start the installation.

      http://arstechnica.co.uk/secur...
      Read the code that is being executed by the installer

    9. Re:Better link by Anonymous Coward · · Score: 0

      He also provides a fix, so you don't have to wait on Apple while your machines are vulnerable. By all accounts, Apple (and probably others) already knew about it, and it should have been fixed by now. He didn't make the vulnerability; users were already unsafe.

    10. Re:Better link by TheRaven64 · · Score: 3, Insightful

      Please go and read what the vulnerability does. It allows unprivileged code that is able to invoke a setuid binary, to append data to a root-readable file. If you have a browser exploit that allows arbitrary code execution in the context of the browser, then you have this ability unless the browser is running in a sandbox. Safari and Chrome run most of the code in such a sandbox, Firefox does not. A vulnerability in Firefox can be combined with this vulnerability to do anything that root can do.

      --
      I am TheRaven on Soylent News
    11. Re:Better link by benjymouse · · Score: 4, Insightful

      NO, you miss the point....

      You need to learn to distinguish between vulnerabilities and exploits. An *exploit* (the "installer" in this case) takes advantage of a *vulnerability* (the privilege escalation bug) to perform the attack. The underlying vulnerability exists regardless of the exploit.

      You focus on the exploit and (incorrectly) claim that it is unlikely to work. That's beside the point, however, as there are many *other* ways to exploit the vulnerability, where a code execution vulnerability in a browser, email client, facebook app or whatever can be combined with this vulnerability to create true drive-by exploits.

      I took issue with the dismissal of this bug as "just a privilege escalation" bug. Privilege escalation bugs are *serious* and critical vulnerabilities.

      You do not need an installer to exploit this vulnerability. A simple execution bug in Firefox (last version patched 4 of them, as did practically every version before that) or a sandbox escape bug in Chrome/Safari (more rare) will get you pwned should an attacker choose to create an exploit.

      As an apologist you are looking for a way to explain away the seriousness of the bug. That's the wrong (and dangerous) way to think about it. There are many attackers with tons of creativity who are ready to leverage a privilege escalation bug in any way they can.

      You cannot possibly cover all those scenarios. That is why we need OS vendors and software developers to maintain and respect security boundaries: Walls where as few as possible well-defined gateways, where each gateway is controlled by transparent policies that makes it easy to audit what can pass through the gateway and (preferably) why.

      In this case a piece of the wall crumbled, which means that you must now consider the risk that all the bad guys on the outside can venture in to the protected inside and do whatever they like. You have identified one bad guy on the outside (the installer) and claim that he can be controlled. What about all those that you have not identified?

      --
      Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
    12. Re:Better link by Anonymous Coward · · Score: 0

      You are making a fool of yourself. Seriously, do some reading.

    13. Re:Better link by pop+ebp · · Score: 1

      No, no, no...

      The bug has only been observed in the wild in an installer, but that doesn't mean it can only be exploited by an installer.
      If you read the proof-of-concept in the OP link, no installer was involved at all.
      More generally, I don't understand why you seem to think a non-privileged (i.e. not running as root) installer process could exploit this bug in a way that a browser process cannot.
      Remember, we are discussing the hypothetical scenario of your browser already executing attacker-controlled code (through some other code execution exploit).

      My technical analysis:

      The bug lies in the dynamic linker (dyld) failing to close the log file descriptor before executing the (possibly setuid) program.
      And the log file that it uses can be controlled by an environmental variable.
      So if you can make any setuid program execute some other program of your choice (this is easy and usually legitimate, e.g. crontab running your editor), you can make dyld open any file as root, and your program will eventually inherit the file descriptor.
      You can then use the file descriptor to write to that file that you can't normally write to.
      At this point, of course, it is easy to gain root privileges by writing to any of a number of sensitive files. (The installer exploit used sudoers, but the POC overwrote other setuid programs instead.)

      Sometimes I wonder if Mac users have been living in a world without malware for too long, they can't seem to grasp security concepts that other users encounter every day...
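
      The descriptor-inheritance step in the analysis above, shown as an added example that is not part of this post or of dyld: a parent opens an append-only "log" file, either leaking the descriptor across exec or marking it close-on-exec, then forks and execs a child that tries to write through the inherited descriptor number. Python's `os.set_inheritable` stands in for the loader's choice of open flags, and a Python child process stands in for the program a setuid binary hands off to; the file name, marker string and function names are all constructed for the demo.

```python
"""Show why a log descriptor that survives exec matters, and the fix (close-on-exec)."""
import os
import sys
import tempfile


def open_log(path: str, inheritable: bool) -> int:
    """Open an append-only log the way a loader might.

    Python marks new descriptors close-on-exec by default; inheritable=True
    deliberately reproduces the leak described in the post, inheritable=False
    is the loader-side fix (the equivalent of opening with O_CLOEXEC).
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o600)
    os.set_inheritable(fd, inheritable)
    return fd


def child_can_write(fd: int) -> bool:
    """Fork, replace the child image via exec, and have it write through `fd`.

    The child is a fresh interpreter that only knows the descriptor *number*;
    it succeeds only if the descriptor itself survived the exec boundary.
    """
    pid = os.fork()
    if pid == 0:  # child: exec a new program, as a setuid tool spawning a helper would
        try:
            os.execv(sys.executable, [sys.executable, "-c",
                                      f"import os; os.write({fd}, b'leaked\\n')"])
        finally:
            os._exit(127)  # only reached if exec itself failed
    _, status = os.waitpid(pid, 0)
    return os.WIFEXITED(status) and os.WEXITSTATUS(status) == 0


def leak_observed(inheritable: bool) -> bool:
    """True if data written by the exec'd child landed in the parent's log file."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "loader.log")  # constructed path, any file would do
        fd = open_log(path, inheritable)
        try:
            child_ok = child_can_write(fd)
        finally:
            os.close(fd)
        with open(path) as f:
            content = f.read()
        return child_ok and content.strip() == "leaked"


if __name__ == "__main__":
    print("descriptor left inheritable:", leak_observed(True))   # leak reproduced
    print("descriptor close-on-exec:   ", leak_observed(False))  # fix applied
```

      The two calls differ only in the inheritable flag, which is the whole point: a file the loader opened as root is reachable from whatever the setuid program execs next unless the descriptor is closed or marked close-on-exec before the exec. The complementary defence on the other side of the boundary is what careful setuid programs already do at startup, closing or sanitising every descriptor above 2 rather than trusting the caller's table.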

    14. Re:Better link by pop+ebp · · Score: 2

      You might want to read up on what "privilege escalation" means...

      none of those applications have sufficient rights to change the /etc/sudoer file

      None of these applications should be able to change sudoers, but due to this bug all of them are actually able to. That is why it is called privilege escalation.

      Most unix admins don't allow anyone root access

      That is exactly why this is a vulnerability. If the users already have root access, there will be no privilege escalation and this wouldn't be a vulnerability at all...

    15. Re:Better link by Plumpaquatsch · · Score: 1, Interesting

      He also provides a fix, so you don't have to wait on Apple while your machines are vulnerable.

      Yeah, installing a binary-only fix from a security researcher who says "Responsible disclosure is for pussies" - what could go wrong.

      --
      Of course news about a fake are Fake News.
    16. Re: Better link by Anonymous Coward · · Score: 0

      For the last 15 years, Mac user == Unix user, Mister Smuggy Pants.

    17. Re:Better link by Anonymous Coward · · Score: 0

      Security professional (Ph.D.) and Mac user here.

      You're right. The average Mac user has become complacent because Macs "just work" and don't seem to have the number of problems that Windows machines have. The cause is two-fold. One is due to the architecture of OS X being more secure by design, but obviously people still make errors and bugs still happen, and the other is that Macs are a small percentage of the overall market and thus not as tempting as Windows machines. A Windows exploit can result in many, many more exploited machines than a Mac exploit.

    18. Re:Better link by phantomfive · · Score: 1

      This entire class of exploit is impossible on iOS and will be impossible in the next release of OS X

      How will this 'class' of exploit be impossible on the next version of OSX (and how is it impossible now)? All you need to do is find a bug in an approved program (like Safari, and there are bugs in Safari), then use this exploit to get root permissions.

      They are thinking about security.

      This bug is clear evidence they don't have proper processes in place to give them security.

      --
      "First they came for the slanderers and i said nothing."
    19. Re:Better link by phantomfive · · Score: 1

      Sure, he should have let Apple know. That was a mistake.

      That said, Apple's bug process sucks, and letting people know about security bugs is a good thing, too.

      --
      "First they came for the slanderers and i said nothing."
    20. Re: Better link by Anonymous Coward · · Score: 0

      I commend you two, this is what Slashdot was meant for. Responsible discussion and finding common ground in a sea of difference. We all need to take notes from both of these active users. Thanks.

    21. Re:Better link by Anonymous Coward · · Score: 0

      Is it really too much work for a security researcher to send an e-mail to product-security@apple.com? About five seconds of searching got me Apple's support page and that e-mail address.

      So, if he had sent an email to product-security@apple.com, you'd be kosher with his information release to the public?

      This guy admittedly didn't even try. And bugs that affect functionality are an entirely different matter than serious security issues. When dealing with a zero day, the decision on whether to announce it publicly depends on a number of factors.

      Such as...how trivial it is to exploit and the probability that it's already being exploited? Because the sooner the public knows, the sooner they can take steps to mitigate the risk. Honestly, there's a pretty small margin where I can see not wanting to release early and often--easy to exploit with the high probability to brick a device.

      The very act of announcing it publicly guarantees that new exploits will explode in the wild (as this article confirms). And the reality is that very few OS X users will have seen this idiot's initial posting a month ago. Did you? I sure didn't. In the meantime, my system was and is now vulnerable to a hell of a lot more malware than it otherwise would have been.

      Newsflash, your system was and is vulnerable to a hell of a lot of malware because Apple (just like near every other company/person) writes a lot of crap code without enough consideration for the consequences. Thankfully, the sooner you and Apple find out about it, the sooner it can be patched. The rest of it is just a game of crossing your fingers that MALicious people, you know MALware writers, don't have information on the exploit, are using it, and are not remotely trying to make details of the exploit public. The only real beef in all this would seem to be your original complaint: not trying hard enough to contact Apple.

      Sorry, but I have to disagree with you. Bad on Apple for making a stupid mistake in the first place and being slow to fix it, but I'm not giving this guy a pass either.

      Meanwhile, if everyone were saints it wouldn't matter how exploitable the code was or how often people reported it. 99% of the blame falls on malware writers and cohorts. Really, the worst the guy could have said to have done is not been public ENOUGH. Honestly, that's your complaint as well. Well, here's /. and the truth that news on the internet can be instantaneous but it can be months or years for people to actually listen. It certainly wasn't for a lack of effort to make the news public. That Apple wasn't contacted first? At best a neutral complaint since it's really the USERS that should be told first, not leaving it to a company that admittedly "ma[de] a stupid mistake in the first place" to then quickly patch, test, and release while leaving USERS vulnerable.

      In any case, the actual seriousness of the risk is relatively small thanks to being a local exploit. The real secondary problem is how many remote -> local exploits there are in all sorts of programs. To which, it's like floating a block of swiss cheese on water and complaining about people noting how few lifeboats there are. It's all pretty moot.

    22. Re:Better link by Anonymous Coward · · Score: 0

      Essentially, he's making news about this at the expense of user safety in order to promote

      How conveniently phrased. And what is making Apple cutting costs by not putting enough resources to write software without those bugs in first place? It's all economics, you can hardly blame one side without blaming the other.

    23. Re:Better link by complete+loony · · Score: 1

      No shell access needed.

      Well, you do need the ability to set an environment variable, fork and exec a setuid binary. But you don't need to run /bin/sh.

      --
      09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
    24. Re:Better link by KGIII · · Score: 1

      I am *not* an Apple guy but it has Unix at its core. Can't you just chmod the file and be done with it? I have no idea what the commands should be but it seems likely there's a way to set it to read only even beyond root so that root would have to chown it before it can set the privileges to writable and actually do anything?

      Maybe I am missing the exploit but that is what I got from it. A patch should not even be needed, really. It would be nice but it seems something easy enough to fix for the time being. It should not be more than one line in terminal, maybe two.

      --
      "So long and thanks for all the fish."
  8. Privilege escalation exploit change looks like this by CraigCruden · · Score: 4, Informative

    If you run "sudo cat /etc/sudoers" it will print out the file in question. The section normally looks like:

    # User privilege specification
    root ALL=(ALL) ALL
    %admin ALL=(ALL) ALL


    If it has been changed to include a new user or make changes at the end of any of the lines to add "NOPASSWD:ALL" then you have been affected:

    eg.
    username ALL=(ALL) NOPASSWD:ALL
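
    A small checker for exactly the change described in this comment, added here as an example (not code from the post or from any Apple tool): it parses a sudoers file and reports every rule that grants NOPASSWD or names a principal other than the stock `root` and `%admin` entries quoted above. The sample sudoers text, the `EXPECTED_PRINCIPALS` set and the function names are constructed for the demo. Keep in mind what TheRaven64 says further down: sudoers is only one file such an exploit can touch, so a clean result here is not proof of a clean system.

```python
"""Audit a sudoers file for NOPASSWD grants and unexpected principals."""
import re
import sys
from typing import List, Set, Tuple

# Constructed sample, not taken from any real system. Lines 2-3 are the
# defaults quoted in the post; lines 4-5 are the kinds of edit to look for.
SAMPLE_SUDOERS = """\
# User privilege specification
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
username ALL=(ALL) NOPASSWD:ALL
root    ALL=(ALL) NOPASSWD: ALL   # trailing edit on an existing line
"""

# Principals a stock OS X sudoers grants rules to, per the post (assumption).
EXPECTED_PRINCIPALS: Set[str] = {"root", "%admin"}

# user_or_group  host_list=(runas) command_spec
RULE_RE = re.compile(r"^(?P<who>\S+)\s+(?P<hosts>\S+)=(?P<spec>.*)$")

Finding = Tuple[int, str, str]  # (line number, reason, offending line)


def audit_sudoers(text: str, expected: Set[str] = EXPECTED_PRINCIPALS) -> List[Finding]:
    """Return a finding for every rule that grants NOPASSWD or names an unexpected principal."""
    findings: List[Finding] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            # '#include' / '#includedir' pull in more rules; anything else is a comment.
            if line.startswith("#include"):
                findings.append((lineno, "include directive; audit the included path too", line))
            continue
        # Drop a trailing comment, then skip Defaults lines and alias definitions.
        line = re.split(r"\s#", line, maxsplit=1)[0].rstrip()
        first = line.split()[0]
        if first.startswith("Defaults") or first.endswith("_Alias"):
            continue
        m = RULE_RE.match(line)
        if not m:
            findings.append((lineno, "unparsed line", line))
            continue
        who, spec = m.group("who"), m.group("spec")
        if re.search(r"\bNOPASSWD\b", spec):
            findings.append((lineno, "NOPASSWD grant", line))
        if who not in expected:
            findings.append((lineno, f"unexpected principal {who}", line))
    return findings


def main(argv: List[str]) -> int:
    """Audit the file named on the command line, or the built-in sample."""
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_SUDOERS
    findings = audit_sudoers(text)
    for lineno, reason, line in findings:
        print(f"line {lineno}: {reason}: {line}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

    Run it as root against /etc/sudoers (the file is only readable by root, as the comment's `sudo cat` implies); the exit status is non-zero whenever something was flagged, so it drops into a cron job or a configuration-management check without further wrapping. It does not validate sudoers syntax, which `visudo -c` already does, and it does not follow `#include` directives, so those are reported for manual review.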

  9. Infect Mars? by tinkerton · · Score: 2

    I thought, what? But I misread.

  10. Re:Privilege escalation exploit change looks like this by Anonymous Coward · · Score: 0

    Maybe set immutable flag on /etc/sudoers ? /me ducks

  11. Re:Privilege escalation exploit change looks like this by CraigCruden · · Score: 1

    /etc/sudoers is already read only by root/wheel..... which of course is no problem to change if you are root (which is what you have to give access to to make the changes in the first place) -- and that requires user intervention to install the malware.

  12. Re:Privilege escalation exploit change looks like this by Anonymous Coward · · Score: 0

    There is a bug that allows you to add that line to sudoers without the password.
    Hence my suggestion of setting the file immutable

    http://arstechnica.co.uk/security/2015/08/0-day-bug-in-fully-patched-os-x-comes-under-active-exploit-to-hijack-macs/

  13. Re:Privilege escalation exploit change looks like this by CraigCruden · · Score: 1

    "On Monday, researchers from anti-malware firm Malwarebytes said a new malicious installer is exploiting the vulnerability to surreptitiously infect Macs with several types of adware including VSearch, a variant of the Genieo package, and the MacKeeper junkware. Malwarebytes researcher Adam Thomas stumbled on the exploit after finding the installer modified the sudoers configuration file."

    The installer itself has been granted privileges by the operator to install the application to all users. It cannot install itself directly from the browser. It has to be downloaded (and potentially auto-opened) for installation. It either has to be installed maliciously into an application (which is unlikely to be a signed developer) -- or a developer would have to link in external packages into their application that could potentially have the exploit.

  14. Re:Privilege escalation exploit change looks like this by CraigCruden · · Score: 1

    Subsequent to the installer changing the sudoers file (which requires the user installing the application containing the exploit) -- FURTHER applications would no longer be asked for a password during sudo escalation.

  15. Re:Privilege escalation exploit change looks like this by Anonymous Coward · · Score: 0

    Fair enough...
    Still setting the immutable flag would mitigate this ... afaik

  16. Re:Privilege escalation exploit change looks like this by TheRaven64 · · Score: 2

    Modifying the sudoers file was only one example use for this. It allows you to write to any file that is normally only writeable to root. Modifying sudoers is a fairly simple and visible change, but modifying one of the system startup scripts that launchd runs as root would work just as well. I think it only lets you append to a file, but it would also be possible to temporarily modify sudoers, then set your worm's setuid bit and change the owner to root, then revert the sudoers change. The only user-visible thing would be the setuid bit on a suspicious binary hidden somewhere in the system (how many people check for this?). Of course, once you are root then you can do things like modify firmware and boot settings and hide inside the kernel...

    --
    I am TheRaven on Soylent News
  17. Convoluted log subsystems add risk by Anonymous Coward · · Score: 0

    Did OSX start using systemd?

    1. Re:Convoluted log subsystems add risk by Anonymous Coward · · Score: 0

      OS X uses launchd, which is somewhat similar to systemd.

    2. Re:Convoluted log subsystems add risk by Anonymous Coward · · Score: 0

      Launchd had a five-year head-start over systemd, but systemd does *LOTS* more crazy things than launchd does. I'm just waiting for a veritable flood of systemd updates.

  18. 10.11 should be immune anyway by itsdapead · · Score: 3, Insightful

    but is not in the newest 10.11 El Capitan beta – suggesting that Apple developers were aware of the issue and are testing a fix.

    10.11 has a new SELinux-like 'rootless' security model that should mitigate against any privilege escalation attack like this. Odds are it was naturally immune..

    --
    In a survey of 100 programmers, 111111 thought that duck-typing was a good idea.
    1. Re:10.11 should be immune anyway by benjymouse · · Score: 2

      10.11 has a new SELinux-like 'rootless' security model that should mitigate against any privilege escalation attack like this. Odds are it was naturally immune..

      That's interesting. This is what I have been able to find from Apple on the feature (now called "System Integrity Protection"):

      "System Integrity Protection

      A new security policy that applies to every running process, including privileged code and code that runs out of the sandbox. The policy extends additional protections to components on disk and at run-time, only allowing system binaries to be modified by the system installer and software updates. Code injection and runtime attachments to system binaries are no longer permitted."

      Hardly a new "security model". And from that description - no it would not have mitigated this attack.

      Sounds an awful lot like Windows File Protection (later renamed to Windows Resource Protection). Welcome to 2004!

      --
      Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
    2. Re:10.11 should be immune anyway by Anonymous Coward · · Score: 0

      So, because you are unable to find detailed information on apple's new security method you make assumptions?

    3. Re:10.11 should be immune anyway by benjymouse · · Score: 1

      So, because someone throws a new cool Apple feature name out there, I should just accept that it is the ultimate security feature that will magically distinguish between malicious and legitimate writes to sudoers?

      The description says that it will protect the *binaries*. Reading comprehension? (hint: sudoers is not a binary)

      --
      Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
  19. Never assume you're immune by Anonymous Coward · · Score: 0

    I think the consensus for many years with Macs was that they were basically immune to the ills of the internet. For many arguable reasons, but I think this was more true when Macs used PowerPC chips and when Apple switched to Intel chips. It generally opened up OS X to more problems. I am not sure how much it benefited Apple? But I am sure the sheer amount of options in Intel chips was worth it. I do however still believe OS X is safer than Windows. But I also think Windows is safer than it used to be. Notwithstanding the greater amount of malware targeting it still. But at least much of it is being stopped by Windows security. Nothing is 100% secure and by now we should know this.

  20. Re:Privilege escalation exploit change looks like this by benjymouse · · Score: 1

    Modifying the sudoers file was only one example use for this. It allows you to write to any file that is normally only writeable to root. Modifying sudoers is a fairly simple and visible change, but modifying one of the system startup scripts that launchd runs as root would work just as well. I think it only lets you append to a file, but it would also be possible to temporarily modify sudoers, then set your worm's setuid bit and change the owner to root, then revert the sudoers change. The only user-visible thing would be the setuid bit on a suspicious binary hidden somewhere in the system (how many people check for this?). Of course, once you are root then you can do things like modify firmware and boot settings and hide inside the kernel...

    Spot on. If I was a bad guy (I'm only a little bad) this is *exactly* how I would create an attack.

    The only user-visible thing would be the setuid bit on a suspicious binary hidden somewhere in the system (how many people check for this?)

    That part in particular highlights the problem with setuid.

    It is, in effect, a deliberate hole in the security boundary: The mere existence of the setuid facility means that you can *never* audit the security policies (access rights) and be confident that they truly reflect the rights and restrictions of users.

    Auditor: "Who can access this file"

    Admin: "Easy" (ls in the directory), "User1 can write and users in the group "group1" can read it.

    Auditor: "And no-one else can read or write the file, not even root?"

    Admin: "What do you mean, of course root can read and write the file, root can do anything. This is Unix, d-oh!".

    Auditor: "Ok. Who can run as root, then? I need to have an exhaustive list, you see. The insurance company needs the list to assert the risk and calculate the premium"

    Admin: (sighs, looks up in sudoers and su) "The user admin1 and users in admingroup1 can run as root".

    Auditor: "And no-one else can run as root? What about that setuid bit I've heard of?"

    Admin: "yes, ok, a setuid root utility can run as root, I knew that. But I have those covered. I run a report every week which lists all of those utilities with the setuid bit that are owned by root. We accept only those utilities that we know. Trust me"

    Auditor: "Ok then. So back to this file, how can you document to me that - say - this 'cmsagent' utility cannot access the file, now that we know it is setuid root?"

    Admin: "What do you mean, I installed cmsagent myself, I'm pretty sure that it only allows remote users to access documents in the CMS system"

    Auditor: "But how do *I* know that? The operating system does not protect the resource against root abuse?"

    Admin: "No - this is Unix. I know what I am doing. Trust me. I have access to the source code, if you want to see what it can do".

    Auditor: "Ok. I don't know how to read code, so I need to have one of our code auditors look at all the source code then. Assuming that, how do I know that the binary present on this system is the compilation of the source code you will give me?"

    All of this because of a bad design decision. In other operating systems (with no all-powerful root and no setuid), the DACL of a resource *does* reflect who can access the file.

    SELinux, apparmor etc are ways to add (yet another) security context with proper security boundary.

    --
    Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
  21. Re:Privlege escalation exploit change looks like t by Anonymous Coward · · Score: 0

    That's all fine and dandy for this particular exploit but until Apple releases 10.10.5, Mac users need to be aware that their system is vulnerable.

    As a side note, 10.7, 10.8 and 10.9 are permanently vulnerable to a separate privilege escalation ("rootpipe") that Apple has stated they will not patch.

  22. There are other similar exploits by Anonymous Coward · · Score: 0, Interesting

    There's been an ability to execute root privileges in all *nix for years and it's still unpatched. This isn't news.

    1. Re:There are other similar exploits by KGIII · · Score: 1

      One of the forums that I frequent had a user who supposedly had a remote execution on a Mac for sale. The price was not unreasonable and I have seen others come and go. I can only assume there are some in the wild. I have seen similar/same for every OS on the planet pretty much - including some of the more obscure stuff. Meh... Practice safe hex. No matter what you do there are risks. To be ignorant of them is folly but, well, some folks tend to think they are immune. I suspect they are already pwned and just attribute their credit card hack from being from a skimmer somewhere at a gas station even though they have no evidence for it and it likely is their computer. Oh well... 'Snot much I can do about it. Nobody listens to a KGIII and that is probably a good thing.

      --
      "So long and thanks for all the fish."
  23. But.. by Anonymous Coward · · Score: 0

    Macs don't have security exploits. Just ask your local "genius" or know-it-all skinny jeaned, self proclaimed "tech expert because I have a blogger account and can't fuddle through basic markup scripting" guy in town.

    1. Re: But.. by Anonymous Coward · · Score: 0

      Yeaaaaa because listening to him is a great idea. Users who don't know shit might, but they'll listen to anyone smarter than them at puters.

  24. de haxx0rz by Anonymous Coward · · Score: 0

    r in ur mac nao

  25. "What Malware?" by tlambert · · Score: 3, Informative

    all that adware and spyware will still be present and enabled by default,

    What malware? Please point me to concrete evidence of this as I have yet to see it.

    I believe that's a reference to what they disable that used to work, and the bandwidth stealing.

    The things that get ripped out from under you are:

    (1) Windows Media Center
    (2) DVD Playback
    (3) Desktop gadgets
    (4) Preinstalled games (Solitaire, Minesweeper, Hearts; you have to purchase replacements)
    (5) USB Floppy drive support
    (6) The OneDrive application from Windows Essentials (it's replaced instead with the sync application)
    (7) Windows Updates are forced on you instead of being optional, unless you pay more for Pro or Enterprise

    We've seen this already with the consistent installation of the Windows 10 Update tray icon and application, even on Windows 7 and 8. This is particularly insidious, since the application runs in the background, and acts as a torrent style replication server as part of their Windows 10 content delivery network used for the updates. Basically, they are stealing bandwidth from you, even if you do not opt in for the update.

    Microsoft calls this "feature" Windows Update Delivery Optimization, and your computer is basically eating into your bandwidth cap, if you have on, since about July 29th when the update was released. This is enabled by default for the Home and Pro versions (but not Enterprise or Education, apart from the local network).

    To disable it, you have to go to the "Settings" / "Update & Security" / "Windows Update" / "Advanced Options" / "CHOOSE HOW UPDATES ARE DELIVERED", and then turn the "Updated from More than One Place" from "on" to "Off".

    And yeah, I think if something is eating into my bandwidth cap, it counts as "malware". The other problem is that it tends to monopolize upload bandwidth, which is usually asymmetric with download -- mean that it eats all of your ability to ACK your full download bandwidth.

    The other thing that I'd count as "malware" is Wi-Fi Sense, which shares your Wi-Fi password with various email and social network contacts. But it doesn't allow you to pick and choose with which ones it's shared, so for every enabled network, it's "everyone on this social network in my contacts, not just family or close friends".... also: kinda not cool.

    Again: turn-offable, but on by default: "Windows Settings" / "Network & Internet" / "Change Wi-Fi settings" /"Manage Wi-Fi settings" then turn off all the items under Wi-Fi Sense. Then have Wi-Fi Sense (and JUST THAT) "forget the list of known networks".

    1. Re:"What Malware?" by Ravaldy · · Score: 2

      The things that get ripped out from under you are:

      (1) Windows Media Center
      (2) DVD Playback
      (3) Desktop gadgets
      (4) Preinstalled games (Solitaire, Minesweeper, Hearts; you have to purchase replacements)
      (5) USB Floppy drive support
      (6) The OneDrive application from Windows Essentials (it's replaced instead with the sync application)
      (7) Windows Updates are forced on you instead of being optional, unless you pay more for Pro or Enterprise

      1) The installer notifies you that you will lose that feature if you currently have it enabled. So no issue there. Note the feature wasn't popular so that's why MS did away with it.
      2) DVD Playback. Performing updates will install Windows DVD Player at no charge (limited time) which will provide DVD playback
      3) It was a shitty feature that reeked of security holes. MS decided it wasn't a popular enough feature to keep it. So as far as I'm concerned it was a good decision
      4) Big deal. There's tons of better offerings online for free
      5) The nostalgia. 99.9% of users do not use floppy drives on computers that can run Windows 10. If you need that support you can still use a Windows 7 machine in a virtual box or equivalent. Good on MS to finally drop some legacy support. You'll still be able to use them using 3rd party software.
      6) It's built-in. How is this a problem?
      7) I'm not a fan of this one either but I can see why they did it. There's pros and cons to either way of doing. For most users it's no skin off their nose since they were already setup for auto updates

      I fail to see malware in any of the 7 points.

      The bandwidth sharing for Home and Pro is a big deal for me too but it's not malware as its intent is not malicious. See definition https://en.wikipedia.org/wiki/....

      You have the option to disable it and the estimated monthly bandwidth usage is minimal (estimated at a maximum 2GB of sharing / month). If everybody disables it, that could increase the load for the ones who have it on (I'm assuming, as I don't fully understand their peer to peer implementation).

      So is this truly an issue? Depends if the estimated max of 2GB / month of sharing is accurate. After all, the product is offered for free and we all know there's significant cost in hosting updates. I guess the next question is: "Would you pay for your updates?". That would bring us back to a subscription model which most aren't a fan of. At the end of the day something has to give and consumers often prefer paying for it indirectly (such as advertisement). MS is working with the tools it has so it's hard to blame them even if I'm not a fan of the torrent style updates.

  26. One OS better than another? by zferrini · · Score: 0

    For years all of you state one OS is better than another. Proof is now in the pudding, as the MAC os reaches the point of profit for hacking you will see neither one is better. If Linux reached the same level it too would show to have huge flaws in coding. Humans are not perfect in anything we do so I ask you, show me absolute proof that you are correct. I actually think that none of you can, neither the MAC community nor the Windows community. ZFerrini

    1. Re:One OS better than another? by david_thornley · · Score: 1

      To address the actually comprehensible part of your post, it's not true that all OSes are equal in security, or anything else for that matter. We'll have to see how this unfolds.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
    2. Re:One OS better than another? by KGIII · · Score: 1

      What is true is that no OS is secure. Well, not one you can turn on at any rate. Nothing connected is secure. No OS is secure. No code is bug-free. Well, almost no code is bug free. I have a couple of Hello World's that I trust. Some are more secure, OS X is - traditionally - one of the more secure operating systems out there. No, no I am not an Apple fan. I do not even use them. I use Linux, Windows, and sometimes play with Unix. My phones I do not care about - even smart phones. I do nothing on them that is hidden really. I just discount them as insecure by default. I tend to do very little on my computer either.

      I have not used a real credit card online in many years and always just get my credit union or bank to either make an account specifically for online transactions or just have them hook me up with a re-loadable card. This way, when (not if - though it has never happened oddly enough and I'd assume I would be targeted) it happens the risks are minimal. As banks pass the fault on to the vendor, and I side with the vendor - usually, I would likely just eat the cost and it would be trivial.

      As for Macs? I own an iPod and a MacBook Pro. I gave my last MBP to my daughter and bought a new one just about a year ago. I only have it so that I can poke at it to help friends and family. I do not use the OS enough to be comfortable in it but, I suspect, it is a fine operating system. I have had no problem with it and the hardware is top notch even though it feels flimsy. I do find it to be a bit too light (if that makes sense) for my taste. I am a big laptop fan and prefer a large laptop with a full number pad and a second drive bay.

      --
      "So long and thanks for all the fish."
  27. It is not big deal, Chicken Little... by tlambert · · Score: 2

    Ugh, don't give this asshole more traffic. I think there's a reason few people are linking to his blog directly. He released the details of this bug without even attempting to contact Apple.

    It is not big deal, Chicken Little...

    If you looked at his LinkedIn profile -- assuming you have access because you are a close enough contact -- Stefan Esser is a first degree contact with Aaron Sigel, who is the Manager in OS Security at Apple. He's also a first degree contact with Alex Ionescu, who used to work on iPhone until 2011 (the same year I left Apple), and of course, I know Stefan through various forums, and from my tenure on the Core OS Kernel team at Apple (I was there 8 years).

    So yes, Apple had to have known about this prior to the general disclosure.

    In my time at Apple, this is typically not something Apple would issue a security update over. Specifically, local shell privilege escalations are typically not considered an issue, since if you have access to the hardware, you can own it anyway.

    While layered attacks are getting more common, the specific attack in the wild has to do with a click monkey installer permitting the use of a non-local developer key signature on a compromised installer, as opposed to something code signed by the Apple App Store. Further, it requires a settings change (which you've probably already made, if you are a developer, or get third party apps directly), coupled with an explicit install authorization using an "admin" account.

    In other words: it's not a big deal, and is in fact rather "ho-hum" compared to, for example, the last 7 Adobe Flash vulnerabilities. It's *NOT* a "drive by attack", where if you just go to a web site with a Yahoo Ad on it, and no "Click To Flash" and no "Click To Run Plugins" settings, you're p0wned.

  28. LIES by Anonymous Coward · · Score: 0

    Macs don't get viruses! I know this for certain because my mommy told me!