Exploit released for Mac OS X flaw


hagjohn
Oct 2, 2006, 09:38 PM
Exploit released for Mac OS X flaw
By Joris Evers
Staff Writer, CNET News.com
Published: October 2, 2006, 6:25 PM PDT

Computer code that exploits a flaw in Apple Computer's Mac OS X was released over the weekend.

The code takes advantage of a weakness in core parts of Mac OS X and could let a user gain additional privileges. Apple provided a fix for the error-handling mechanism of the kernel last week, but the exploit appears to have been authored before then.

"It appears to have been written well before the vulnerability was fixed," said Dino Dai Zovi, a researcher with Matasano Security who was credited by Apple with discovering the flaw when the patch was released. "It appears to be a zero-day exploit and may have been distributed before the patch was released."

Apple representatives did not immediately return calls for comment.

Public exploits, while common for Microsoft's Windows, are a rarity for Mac OS X. "More people are looking for vulnerabilities in Mac OS X," Dai Zovi said.

Read the rest of the article at the link below...

Source: news.com (http://news.com.com/2100-1002_3-6122015.html?part=rss&tag=6122015&subj=news)

iMeowbot
Oct 2, 2006, 09:46 PM
That sure was nice of them to hang on to the program until after the patch was released.

This particular bug required the attacker to already have a non-privileged account on the machine. This isn't something that any old random attacker could exploit. Places like school labs would have been vulnerable, but not your average home machine.

beatsme
Oct 2, 2006, 10:17 PM
Public exploits, while common for Microsoft's Windows, are a rarity for Mac OS X. "More people are looking for vulnerabilities in Mac OS X," Dai Zovi said.

it's only a matter of time, really. Someone industrious enough will figure out a way to corrupt OSX by exploiting an existing vulnerability. I'm inclined to think that the only reason it hasn't happened yet is because of the complexity of UNIX, which must seem pretty daunting to your average hacker kid.

bousozoku
Oct 2, 2006, 10:49 PM
It's good that they got it fixed. Now, they need to get to the other one in the kernel.

I wonder if anyone will use the exploit on machines loaded with Jaguar.

tvguru
Oct 2, 2006, 10:54 PM
As long as exploits are released after the patch I have no problems with them. :) It'll be a sad day when one gets released before there is a patch, but oh well the world will continue to turn.:p

MacBytes
Oct 2, 2006, 11:16 PM

Category: Mac OS X
Link: Exploit released for Mac OS X flaw (http://www.macbytes.com/link.php?sid=20061003001628)
Description: none

Posted on MacBytes.com (http://www.macbytes.com)
Approved by Mudbug

scottlinux
Oct 2, 2006, 11:27 PM
Not a threat.

"The risk presented by this exploit is limited by the fact that it can only be exploited by a logged-in user, although the user may also be logged in remotely," Dai Zovi said. "The issue is also mitigated by the fact that a patch has already been released."

SC68Cal
Oct 2, 2006, 11:27 PM
But this was already patched, was it not? I think the CNET article noted that.

To the above poster: it is a threat. Any sort of priv. escalation is a threat because you can probably get a rogue process that is spawned by a logged-in user (like Oompa Loompa) to start an escalated-priv. shell in the background.

mduser63
Oct 3, 2006, 12:00 AM
It has already been patched, and it's only usable by a user that already has access to the machine.

Nothing to see here...

nagromme
Oct 3, 2006, 01:55 AM
SOMETHING to see here, but not much :)

Too many cries of Wold. Like the infamous iChat exploit that most "journalists" conveniently failed to mention could only spread over LAN, not over Internet.

hagjohn
Oct 3, 2006, 05:51 AM
That sure was nice of them to hang on to the program until after the patch was released.

Quote from the article... "Apple provided a fix for the error-handling mechanism of the kernel last week, but the exploit appears to have been authored before then."

SPUY767
Oct 3, 2006, 06:30 AM
Ahhh, one of my favorite tales, The Boy Who Cried Wold.

Lollypop
Oct 3, 2006, 07:23 AM
Just out of interest's sake, ssh is disabled by default on a Mac, right?

My worry is that a lot of Mac users don't really update their Mac software the day Software Update informs them of it :eek: but ye... nothing much to see here :D

SiliconAddict
Oct 3, 2006, 09:19 AM
Just out of interest's sake, ssh is disabled by default on a Mac, right?

My worry is that a lot of Mac users don't really update their Mac software the day Software Update informs them of it :eek: but ye... nothing much to see here :D

The problem is that SU only runs once a week. Or I think that is the default. Could be wrong though. And as mentioned this exploit appears to have appeared PRIOR to the patch being released.
Exploits like this don't concern me. Wake me when OS X is susceptible to a worm.

nodabs
Oct 3, 2006, 09:22 AM
Dell probably hired people to attempt to hack OS X in order to stop the Apple marketing campaign... haha :D

whooleytoo
Oct 3, 2006, 10:25 AM
Is that really an "exploit"? Given that it's benign, I'd have called it just a "proof of concept". (maybe I'm just arguing semantics..)

nagromme
Oct 3, 2006, 10:44 AM
Ahhh, one of my favorite tales, The Boy Who Cried Wold.
Sorry. Typo. I meant Mold.

Earendil
Oct 3, 2006, 11:47 AM
This is personally my favorite part:


Dai Zovi agreed with van Duin, saying that a knowledgeable user can easily replace or modify the exploit payload to run a full-access root shell.

So, let's take all the Macs out there.
Now take out all the Macs that have only a single account on them.
Now take out all the Macs whose alternate user knows nothing about Unix.

How many are we left with yet? Now make sure that those who know Unix can actually "easily" make this work, and also eliminate all the Unix gurus who are decent human beings.
(btw, we are hedging bets here that there is a main user without the knowledge to update their system, who has a 2nd user who: has fewer privileges, knows Unix, and is evil)

Exactly how many people are we left with?

So someone could get screwed because their son/daughter is a genius; it's okay, he'll grow up to be a bright CS major (or a hacker).

Until it can either
A: spread over the internet automatically, or
B: any idiot can figure out the hack
I'm not going to be all that worried.

~Tyler

Earendil
Oct 3, 2006, 11:48 AM
Dai Zovi agreed with van Duin, saying that a knowledgeable user can easily replace or modify the exploit payload to run a full-access root shell

I think I'm going to go down to main street and yell "a thousand dollars to the first one to tell me what a root shell is!!" and just see if I lose any money...

Eraserhead
Oct 3, 2006, 01:42 PM
The problem is that SU only runs once a week. Or I think that is the default.

I think it is, it should go daily IMO.

ZLMarshall
Oct 3, 2006, 02:24 PM
So, let's take all the Macs out there.
Now take out all the Macs that have only a single account on them.
Now take out all the Macs whose alternate user knows nothing about Unix.

How many are we left with yet? Now make sure that those who know Unix can actually "easily" make this work, and also eliminate all the Unix gurus who are decent human beings.
(btw, we are hedging bets here that there is a main user without the knowledge to update their system, who has a 2nd user who: has fewer privileges, knows Unix, and is evil)



Not the concern. The more accounts a computer has, the more chances someone will "lose" their password or have it stolen. So that dummy 2nd user isn't individually a concern, it's the world of hurt they open your poor mac up to when they use the same password on 45 different accounts (mail, chat, amazon, YOUR COMPUTER) and then start telling friends.

Or almost as bad, people (I know some) who have NO password on their Mac for some users, or the password 'pass.'

Never worry about the people you *know* have access to your computer. Worry about the people you didn't know had access, but know how to
rm -rf *

bousozoku
Oct 3, 2006, 02:43 PM
Quote from the article... "Apple provided a fix for the error-handling mechanism of the kernel last week, but the exploit appears to have been authored before then."

Authored does not mean distributed.

sahnert
Oct 3, 2006, 02:50 PM
So, let's take all the Macs out there.
Now take out all the Macs that have only a single account on them.
Now take out all the Macs whose alternate user knows nothing about Unix.

How many are we left with yet? Now make sure that those who know Unix can actually "easily" make this work, and also eliminate all the Unix gurus who are decent human beings.
(btw, we are hedging bets here that there is a main user without the knowledge to update their system, who has a 2nd user who: has fewer privileges, knows Unix, and is evil)

Exactly how many people are we left with?

So someone could get screwed because their son/daughter is a genius; it's okay, he'll grow up to be a bright CS major (or a hacker).

Until it can either
A: spread over the internet automatically, or
B: any idiot can figure out the hack
I'm not going to be all that worried.

~Tyler

IMHO this is a good summation of how worried most people should be.

shadowfax
Oct 3, 2006, 04:18 PM
I think that this can be a significant concern to people who would never be concerned--specifically, people who are so unconcerned as to put weak (as in, admin, 123, pass, etc...) passwords on their user accounts...

The only place an exploit like this could be a major threat is in an environment where the root account gives access to other accounts that maybe have information on them or access to compromise other computers on the network (like a workplace network). This is definitely insignificant, being that the hack is only as good as the computer whose user (unprivileged or no) you have the password for.

Properly, that makes it an exploit--it's just too bad that a lot of the people that read an article like that won't realize that you can't write self-propagating viruses/worms with most exploits--certainly not this one--and so there is no concern unless you are being specifically targeted by an organization/person with some computer know-how....

FoxyKaye
Oct 3, 2006, 06:31 PM
My worry is that a lot of Mac users don't really update their Mac software the day Software Update informs them of it...
Does anyone have any idea how many OS X users connect to the internet via modem rather than broadband? I often wonder about this when Apple's updates start going over 10-12MB each in size - for example, try downloading the 10.4.8 update on a 56K modem. The sheer size of Apple's updates could also be a reason why a certain percentage of OS X users don't update.

Eraserhead
Oct 3, 2006, 07:57 PM
Does anyone have any idea how many OS X users connect to the internet via modem rather than broadband? I often wonder about this when Apple's updates start going over 10-12MB each in size - for example, try downloading the 10.4.8 update on a 56K modem. The sheer size of Apple's updates could also be a reason why a certain percentage of OS X users don't update.

They should sell them on a CD for $5-$10 each or something, they'd make a killing.

nagromme
Oct 4, 2006, 12:31 AM
They should sell them on a CD for $5-$10 each or something, they'd make a killing.
Or have a service where you get all your updates put onto your iPod for free at the Apple Store. This can be done by hand, with a lot of work, but it could be easy:

1. Software Update notes, as usual, what you need. This is stored.

2. iTunes syncs this info invisibly to your iPod.

3. An Apple app on one (or all) machines at the store reads this info and downloads all the updates you need.

4. Back home, iTunes notes the new updates and offers to install.

gerardrj
Oct 4, 2006, 01:22 AM
I really don't understand the hoopla over these "insecure local privilege escalation" exploits.
Each and every Mac shipped since 10.0 has had a local priv escalation exploit included in the box... it's called the software recovery CD. ANYone with physical access to the machine can change the admin or root user password and take complete control of the system.

Yes, you can use (to a good extent) the open firmware/EFI password to prevent someone from starting to a non-authorized volume, but even then they could just remove the drive and change the account passwords on another machine.

Sure, local priv escalation could be an issue in a public lab, but if you have your Mac booting from the network or connected to an Open Directory system, as most public labs should, then most of these local-only issues go away. I.e.: what's the point of local priv escalation when you are restricted in your actions by the network server?

Lollypop
Oct 4, 2006, 02:03 AM
Or have a service where you get all your updates put onto your iPod for free at the Apple Store. This can be done by hand, with a lot of work, but it could be easy:

1. Software Update notes, as usual, what you need. This is stored.

2. iTunes syncs this info invisibly to your iPod.

3. An Apple app on one (or all) machines at the store reads this info and downloads all the updates you need.

4. Back home, iTunes notes the new updates and offers to install.

Sounds like a good idea. Over here we have extensive bandwidth constraints; most of our population doesn't even have access to phones. Granted that they very likely won't have a computer either, any method to distribute essential security updates will still be appreciated!

Analog Kid
Oct 4, 2006, 02:15 AM
I think a lot of people are missing the point here-- exploits like this are not a problem by themselves, but they're a link in a chain. Combine this with a flaw in ssh, or load it into a social engineering attack and you have a problem.

The Windows attacks are often a series of attacks chained together to seize control. The Leopard screenshot attempt followed this model-- it pieced together a series of vulnerabilities with social engineering.

To the extent that you're patched up to date, this isn't that big of a deal apparently. If it were to be used before you patched, I'm not convinced a patch would close all the holes an attacker could poke into a system from the inside.

Don't panic. Don't be naive.

Analog Kid
Oct 4, 2006, 02:19 AM
They should sell them on a CD for $5-$10 each or something, they'd make a killing.
I like it. Heck, they should distribute them at cost or fill the empty space with demo apps. iPod distribution is another good idea.

Somebody should call these into Apple-- both of these methods should be made available. It would be revolutionary in both customer service and security.