'Month of Kernel Bugs' Ends, First Adware for Mac OS X?
MacRumors
Dec 1, 2006, 01:56 PM
Last month's Month of Kernel Bugs (http://projects.info-pull.com/mokb/) (MOKB) has concluded, and a total of 10 Mac OS X vulnerabilities has been found. The vulnerabilities were wide-ranging, from a wireless driver exploit (http://www.macrumors.com/pages/2006/11/20061102085906.shtml) to a system call (http://www.macrumors.com/pages/2006/11/20061111185646.shtml), multiple disk image vulnerabilities (http://www.macrumors.com/pages/2006/11/20061121195941.shtml), and most recently an AppleTalk vulnerability (among others). Apple patched the first wireless driver exploit (http://www.macrumors.com/pages/2006/11/20061128162852.shtml) along with other unrelated vulnerabilities this week; however, all remaining MOKB vulnerabilities remain unpatched.
Interview
MOKB organizer "LMH" spoke to MacRumors about the project. According to LMH, most of the project's time was spent on Linux and the Mac OS, both of which were described as "not hard" to break.
The Linux kernel takes little time to break. I'm more familiar with the code and thus it also takes less time to isolate issues. OS X kernel (XNU) takes less time but depending on the area you're checking, debugging and isolation may require a bit more time (if you take into account that AppleTalk source code is almost unreadable and totally deprecated) [...] I didn't have much time left for working on Microsoft Windows but I've received the most helpful feedback from the MSRC people on potentially interesting stuff to check. Not a huge reference of internal code nor NDA covered documents, but at least enough to start with.
In LMH's point of view, the state of Mac OS X security is not great.
From the technical perspective, OS X security is rather poor, at least when it comes to kernel-land code. This isn't a sign of negligence of Apple, but obviously when you take code from many different places and stick it together, it's prone to problems. Not just new ones but also old issues that 'went under the radar'. [...] (ed note: now comparing MS to Apple) I can say that Microsoft has a more thorough auditing process and investment when it comes to kernel code than Apple. They also have the advantage of having such code being produced within the company. Mac OS X kernel, for example, depends heavily on FreeBSD development. A security flaw in the FreeBSD kernel will likely affect OS X and probably other BSD "flavours"
However, just because LMH is a bit critical of Mac OS X's security, don't call him an Apple-hater.
Taking security arguments apart, I have to say that Mac OS X is a pretty well integrated system. It's tightly packaged [...] and nice looking. I'm an OS X user myself and I certainly feel like Apple has invested long time on tweaking the little details. Now they just have to invest a little more on security matters, but not hiring a 'turnover security firm' to do the consulting that leaves the job half done. That's what failed, IMHO.
First Adware for Mac OS X?
In related news, F-Secure claims to have received what is possibly the first ever proof-of-concept Adware program for Mac OS X (http://www.f-secure.com/weblog/archives/archive-112006.html#00001030). The program, dubbed iAdware, will launch Safari to specified web pages when the user uses any number of applications, and installation of the adware did not require admin privileges.
Doctor Q
Dec 1, 2006, 02:02 PM
iAdware apparently works by silently installing a system library. That sounds like a vulnerability that Apple could easily fix, by requiring Admin privileges, issuing a warning, and/or prompting for an Admin password.
swingerofbirch
Dec 1, 2006, 02:03 PM
I'll say it before, and I'll say it again, this is a critical time for Apple and it's no time to be an Apple apologist. It's time to hold Apple's feet to the fire. Being soft on them isn't helping them. It's just enabling them not to realize their full potential.
G5Unit
Dec 1, 2006, 02:07 PM
I for one, welcome our new Adware overlords.
suneohair
Dec 1, 2006, 02:07 PM
I don't know but is the Adware related to this:
Sometimes when I download videos from LimeWire, and run them, it will bring up a browser window and open a site. Essentially an ad. Does this supposed hole cause this?
Apple definitely needs to get more serious about security. As more people start to buy Macs, more people will start to tinker and find holes. I hope Apple will rise to the challenge.
QCassidy352
Dec 1, 2006, 02:09 PM
I for one, welcome our new Adware overlords.
You don't have a sign behind you that says "Hail Adware," do you? ;) :D
longofest
Dec 1, 2006, 02:14 PM
Apple definitely needs to get more serious about security. As more people start to buy Macs, more people will start to tinker and find holes. I hope Apple will rise to the challenge.
My feelings exactly. It's bad enough that the vulnerabilities are "easy" to discover and puncture, but as the marketshare goes up, there is no doubt that we are going to get exploited more and more, and I really don't want our OS caught with its pants down by its ankles like Windows.
Apple has a couple of advantages by being Unix based, but because it's a hybrid kernel, like LMH said, they also get some inevitable vulnerabilities. They gotta get a bit more serious about auditing their code. For all of the problems MS has had, I will say this. At least they have already had them, and by now have gotten such an auditing system in place that "dummy" vulnerabilities don't get through in releases as easily.
jholzner
Dec 1, 2006, 02:14 PM
I'm glad they did this and I hope Apple acts on all the things they found ASAP!
LostPacket
Dec 1, 2006, 02:14 PM
It's time to hold Apple's feet to the fire. Being soft on them isn't helping them.
I agree. Tough love is best here. It's better to have the vulnerabilities exposed in this manner than in a live scenario. Let's just hope the press from this is enough for Apple to fix the problem before we have something bigger than a proof-of-concept exploit.
TheBobcat
Dec 1, 2006, 02:20 PM
I think Apple's response to this, in both its speed and thoroughness will give us some real hard data to go on as far as OSX's security.
Because of increasing users, and the much-maligned Mac user smugness, you can rest assured that there will be an onslaught every step of the way for Apple from here on out. They need to respond quickly, and completely, with no mercy.
OhEsTen
Dec 1, 2006, 02:20 PM
You don't have a sign behind you that says "Hail Adware," do you? ;) :D
Perhaps he was offering to round-up fellow Mac-users to toil in Adware "sugar-mines"... lol :D
lmalave
Dec 1, 2006, 02:21 PM
I don't know but is the Adware related to this:
Sometimes when I download videos from LimeWire, and run them, it will bring up a browser window and open a site. Essentially an ad. Does this supposed hole cause this?
Apple definitely needs to get more serious about security. As more people start to buy Macs, more people will start to tinker and find holes. I hope Apple will rise to the challenge.
No, that is not Adware. Adware is a program that is installed *on your computer*, so it can launch windows whenever it wants. In the case of Web pages that pop up when you are viewing a video, that's just because it's a "feature" of the particular video technology (e.g. in Real Media or Windows Media streams you can embed code to open a browser window). It's no more Adware than when you go to CNN.com and it launches a pop-up ad.
OhEsTen
Dec 1, 2006, 02:23 PM
C'mon Apple... don't let us down here.
I agree with the other posters here that Apple needs to take this seriously and kick it into high gear. Send a message to the world (or at least your user-base) that you're on top of the situation.
I for one, feel that Apple will come through, and am glad because I think there will always be a huge "community effort" put into making our choice of platforms better in terms of security.
Macula
Dec 1, 2006, 02:24 PM
Apple needs to get serious about security. They cannot develop such an integrated, holistic line of products ("in your den, car, pocket,...") without tightening their security.
Windows Vista is NOT Windows XP. Apple risks lagging behind in that area and, in an ironic reversal of fortune, being widely considered as inferior to Microsoft in terms of security.
But if we agree that the development of a secure OS is all about utilizing sound design, coding and auditing processes, then we must also accept that the challenge will be very difficult for Apple to meet: You just cannot do that with Open Source...
Maybe it's about time Apple closed the Mac OS kernel?
shawnce
Dec 1, 2006, 02:26 PM
Maybe it's about time Apple closed the Mac OS kernel?
Umm why?
840quadra
Dec 1, 2006, 02:26 PM
I agree with the few others that are concerned about this.
Our Mac OS innocence is coming to an end. Part of this is due to the growing market share, and popularity in the Operating system. The other issue I feel that is of concern, is the new challenge this OS provides for Script kiddies, and bored coders. If you have an ego, and want to get your name out, why not do what hasn't been done before, as opposed to doing what everyone else does?
This is going to be a growing trend, and the amount of Mac Haters in the wild is quite high! Once code tricks and secrets start to get out, it is only a matter of time before OS X is targeted by thousands, much like XP!
Apple has time to take this very seriously, and work to keep this system tight and secure! Hopefully this is going to be a big part of the focus on Leopard, but only developers will really know this!
These current headlines aside:
1. Pay attention to what warning messages pop up when browsing the web.
2. Only download and install software from sources that you trust, and if you do trust them, take an extra moment to think about why you trust them, and if you really need to install that piece of 3rd party software!
3. Keep your firewalls on if possible
4. Don't permanently unlock preferences, folders, or other security areas on your system using your keychain, unless you really need to do so!
There are others, however that is a good baseline to follow for some minimal security checks and balances!
KingYaba
Dec 1, 2006, 02:33 PM
Router, firewall I feel OK.
kalisphoenix
Dec 1, 2006, 02:36 PM
Sober up, Steve. Less time on Time Machine and more time on solidifying the system.
AppleTalk: Who uses it, and why?
yellow
Dec 1, 2006, 02:37 PM
An interesting read in response to the kernel panic ability of the .DMG vulnerability:
Guess what I found? Not only is lmh’s diagnosis completely incorrect, but the problem isn’t a security flaw at all, let alone a critical, highly critical, or warn-everyone-via-the-BBC type event.
http://alastairs-place.net/2006/11/dmg-vulnerability/
A very interesting read.. most of which I only barely grasp. Object oriented programming just makes my eyes glaze thinking about it.. The gist:
So, what have we learned:
• It is not a memory overwrite bug.
• It is not exploitable, except in that you can kernel panic a machine if you can persuade a user to double-click a damaged dmg file.
• It is not, therefore, possible to use this bug for privilege elevation or to execute arbitrary code in the kernel.
In fact, all lmh has found here is a bug that causes a kernel panic. Not a security flaw. Not a memory corruption bug. Just a completely orderly kernel panic. There aren’t even any processor exceptions involved; the path to the panic is perfectly normal non-exceptional code using ordinary function calls.
AppleTalk: Who uses it, and why?
No one.. and strangely it's now ON by DEFAULT in all the MacTels I've received lately. No idea why.
840quadra
Dec 1, 2006, 02:42 PM
No one.. and strangely it's now ON by DEFAULT in all the MacTels I've received lately. No idea why.
I do, and so does anyone who has a classic environment of System 7 and earlier for classic compatibility reasons.
Granted you can use TCP/IP on some of these, however the reliability of such extensions on early versions of Classic leaves much to be desired. I however turn off Appletalk when I am away from my home network.
longofest
Dec 1, 2006, 02:43 PM
Sober up, Steve. Less time on Time Machine and more time on solidifying the system.
AppleTalk: Who uses it, and why?
I'm pretty sure that any time you use Personal file sharing, you are using AppleTalk.
EDIT: More info... Personal File Sharing is based off of Apple Filing Protocol (http://en.wikipedia.org/wiki/Apple_Filing_Protocol). From wikipedia:
AFP versions 3.0 and greater rely exclusively on TCP/IP (port 548 or 427) for establishing communication, supporting AppleTalk only as a service discovery protocol. The AFP 2.x family supports both TCP/IP and AppleTalk for communication and service discovery. Many third-party AFP implementations use AFP 2.x, thereby supporting AppleTalk as a connection method. Still earlier versions rely exclusively on AppleTalk. For this reason, some older literature refers to AFP as "AppleTalk Filing Protocol". Other literature may refer to AFP as "AppleShare," the name of the Mac OS 9 (and earlier) AFP client.
hayesk
Dec 1, 2006, 02:46 PM
I would really like to see how they installed this.
As far as I know, a web page can't save and install files, so how does the adware get installed in the first place. Does it trick the user into running an app? If so, then I wouldn't consider that a security hole.
~Shard~
Dec 1, 2006, 02:47 PM
Honestly, this is great news. :cool:
So many Mac users are completely ignorant and oblivious to the fact that their Mac is, contrary to popular belief, not that secure in some respects. Many Mac zealots and apologists will tout how bullet-proof OS X is, how it's nothing like Windows, how it's amazingly secure - well, it isn't in some cases.
Sure, it's still better in many respects than Windows, but Mac users should not be lured into a false sense of security over these matters. They need to be smart with their systems and not take anything for granted. Hopefully reports like this will assist those people in seeing the light. As Mac marketshare increases and more of a spotlight is put on OS X, it will attract more people who will try and exploit security vulnerabilities and so forth, so now more than ever this type of information needs to be made known. And more importantly, Apple needs to aggressively address such matters timely and effectively.
OS X is great, but it isn't perfect. :cool:
840quadra
Dec 1, 2006, 02:48 PM
I'm pretty sure that any time you use Personal file sharing, you are using AppleTalk.
EDIT: More info... Personal File Sharing is based off of Apple Filing Protocol (http://en.wikipedia.org/wiki/Apple_Filing_Protocol). From wikipedia:
I was about to correct your first post (politely) by saying that you can use AFP with AppleTalk disabled.
orbital
Dec 1, 2006, 02:50 PM
Apple really really needs to get on this... As far as some Script Kiddie wanting to make a name for themself the mass of mac users would need to be higher. There are still currently not enough mac users to warrant such acts, you would not get notice. I feel that a lot of coders find holes in XP because then they can exploit big business, whereas macs are more often than not home computers. If Apple hits the big 10% mark this will all change.
mahonmeister
Dec 1, 2006, 02:51 PM
I have to agree with a lot of the people here who are concerned with security. Part of the reason OS X seemed so secure was because no one tested it. Now that we have Intel chips and a growing market share, vulnerabilities are being exploited. The day that I have to go out and buy virus protection for OS X is the day I consider going back to Windows. Vista looks like OS X so switching wouldn't be as big a pain.:)
Seasought
Dec 1, 2006, 02:52 PM
OS X is great, but it isn't perfect. :cool:
Despite how depressing news or rumors related to security issues with OS X are I'm in agreement that attention to this issue is always a good thing. A little humility can go a long way.
longofest
Dec 1, 2006, 02:53 PM
I was about to correct your first post (politely) by saying that you can use AFP with AppleTalk disabled.
Good call... I initially thought you did have to have AppleTalk enabled for AFP to work, and actually have always had AT enabled. I guess I can turn it off now :)
apfhex
Dec 1, 2006, 02:54 PM
iAdware apparently works by silently installing a system library. That sounds like a vulnerability that Apple could easily fix, by requiring Admin privileges, issuing a warning, and/or prompting for an Admin password.
I've been wanting them to do this for a while. There are already non-adware applications that do that (think "Smart Crash Reports"), which really bothers me.
spicyapple
Dec 1, 2006, 02:55 PM
For the 5 years or so of owning a Mac, I have not come across any breach of security by attacks from viruses from the Internet. Some safe guards to use firewall with a router, limiting ports, and so forth are pretty basic. I've had good luck using a very strong password with a combination of alphanumeric characters and underscores. Although one time, I connected onto an outside network and when I went to browse inside my secret porn folder, I found a pic that wasn't mine. Someone must've copied it into my hidden folder and labeled it myfav.jpg. Very odd, but that was the only time it's ever happened.
Most of these Mac attacks seem to be more predominant with social engineering hacks and user error, than comprised code.
yellow
Dec 1, 2006, 02:57 PM
I do, and so does anyone who has a classic environment of System 7 and earlier for classic compatibility reasons.
Of course, and I meant that in the 'general sense'. I have long since abandoned the use of Classic on any of my OS X Macs or any of the Macs I support. AppleTalk is so deprecated that I can hardly believe that anyone will be able to use it much longer. In fact, I wouldn't be shocked if it was completely absent from 10.5.
As for the AFP needing AppleTalk, I'm glad you linked the correction. As AppleTalk was an Apple proprietary networking protocol and more and more places were dropping support for AppleTalk routing between subnets/routers (it is PROHIBITIVELY expensive for routers that will pass AT traffic) AFP moved to AFPoverTCP.
I do, and so does anyone who has a classic environment of System 7 and earlier for classic compatibility reasons.
Which makes it even MORE odd that it's enabled by default in MacTels, which don't run Classic. :confused:
iMeowbot
Dec 1, 2006, 03:00 PM
But if we agree that the development of a secure OS is all about utilizing sound design, coding and auditing processes, then we must also accept that the challenge will be very difficult for Apple to meet: You just cannot do that with Open Source...
Sure you can. What you can't do is grab stuff and assume that it does the right thing without checking it for yourself. That's equally true for software developed in house, or developed by subcontractors or commercial partners. It has little at all to do with public vs. private source code.
840quadra
Dec 1, 2006, 03:09 PM
Of course, and I meant that in the 'general sense'. I have long since abandoned the use of Classic on any of my OS X Macs or any of the Macs I support. AppleTalk is so deprecated that I can hardly believe that anyone will be able to use it much longer. In fact, I wouldn't be shocked if it was completely absent from 10.5.
Yeah I don't use classic on my OS X systems at all. I am actually referring to enabling it for network communication with my Quadra 840av, LC 575, and other older systems that I boot into system 7 or even OS 8. Granted the need for Appletalk in those situations can be substituted for TCP/IP, AT appears to be more stable with those older systems.
Which makes it even MORE odd that it's enabled by default in MacTels, which don't run Classic. :confused:
I just checked my MacBook, and found that it too is enabled! Strange indeed!
PtMD
Dec 1, 2006, 03:17 PM
Router, firewall I feel OK.
This is a joke, right? :confused:
neutrino23
Dec 1, 2006, 03:32 PM
Which makes it even MORE odd that it's enabled by default in MacTels, which don't run Classic. :confused:
Hmm. I'm running a 17" MacBook Pro with 10.4.8 and when I checked under both Ethernet and Airport Appletalk was not enabled. On this machine I have never set it one way or the other.
nw_mike
Dec 1, 2006, 03:33 PM
Once someone 'proves' that installation into your System folder, NOT your user space, can be done without an Administrative account THAT will be newsworthy. Making Safari launch a certain web page can be done with preference/.plist files. These are in the USER space. I have yet to see or hear about a compromise of Mac OS X 10.4.8 that does Administrative tampering using a non-admin account (without physical access to the machine). Now I, and many others have submitted feedback to Apple that they have to include, in initial setup of a Mac system, the requirement of setting up a non-admin account. This is security 101 and something neither MS nor Apple currently requires. Once you are an Admin all bets are off. We have all seen the installers that you double click and don't require a password to install. Scary. Apple needs to REMAIN diligent on security, but they are not totally lax like some suggest.
just my .02
hulugu
Dec 1, 2006, 03:37 PM
So many Mac users are completely ignorant and oblivious to the fact that their Mac is, contrary to popular belief, not that secure in some respects. Many Mac zealots and apologists will tout how bullet-proof OS X is, how it's nothing like Windows, how it's amazingly secure - well, it isn't in some cases.
Yep, Artie MacStrawman (http://www.crazyapplerumors.com/?p=664), I hate that guy.
Apple's response is, I think, much more important than the MOKB finding a handful of vulnerabilities in OSX, if they address the problem quickly and respond accordingly with a good Security Update, then I think we can still be relatively assured that OSX is safe. We'll also have to see how quickly various black-hats respond to Vista.
crees!
Dec 1, 2006, 03:41 PM
It has been brought to attention that Apple is encrypting certain parts of the OS kernel. Does this have any bearing in this discussion or is it only to make piracy of the OS more difficult?
gregdig
Dec 1, 2006, 03:44 PM
The day that I have to go out and buy virus protection for OS X is the day I consider going back to Windows.
Switching to Windows because you have to use antivirus software on your Mac would just be like jumping out of the frying pan and into the fire.
During the 15 years or so that Macs were around before the advent of OS X, most Mac users had antivirus software running on their computers. It was necessary, it was no big deal, and it was certainly no reason to start using a Windows box.
yellow
Dec 1, 2006, 03:49 PM
Hmm. I'm running a 17" MacBook Pro with 10.4.8 and when I checked under both Ethernet and Airport Appletalk was not enabled. On this machine I have never set it one way or the other.
/Applications/Utilites/Directory Access.app/ -> AppleTalk is checked.
xVeinx
Dec 1, 2006, 03:58 PM
Vista looks like OS X so switching wouldn't be as big a pain.:)
Except that getting a computer that will run Vista WELL (not just "run" it) will be a pain in your wallet, probably more expensive than a mac for a while (unless you just dual boot it :) ). The other problem is that you would have to rebuy all of your software, mess with all of the incompatibilities with Vista and the constant performance and security updates, hope that WGA doesn't conk out on you, etc. Trust me, the bundle of fun that is Vista is just too much for most :p.
Stridder44
Dec 1, 2006, 04:20 PM
I do, and so does anyone who has a classic environment of System 7 and earlier for classic compatibility reasons.
Granted you can use TCP/IP on some of these, however the reliability of such extensions on early versions of Classic leaves much to be desired. I however turn off Appletalk when I am away from my home network.
lol system 7? Why?? No one runs Windows 95 for fun...
joost538
Dec 1, 2006, 04:23 PM
No one.. and strangely it's now ON by DEFAULT in all the MacTels I've received lately. No idea why.
Not here .. (1st gen MacBook 2 GHz)
Mustafa Monde
Dec 1, 2006, 04:25 PM
iAdware is an ugly development to be sure, but not a big and scary one. As most Mac users know, proof of concept is not the same as actually having this kind of thing happen in the wild.
Still, Apple should take this seriously and anticipate similar developments in the coming months. If something like this does take off, it'll likely be through spoofing type sites and so on. For now I'm not going to lose any sleep over this and trust that Apple, as it angles itself towards dominance in the marketplace, won't make the same blunders MS did with their buggy OS.
Apple knows that MS has them in their sights and any slip would be exploited. You can just see them shouting from the rooftops, "My Gawd, Apple has viruses, malware and adware!" as if that paralleled the umpteen thousands of viruses developed to exploit their own sub-par software.
I suspect it's being looked into now by Apple's security team with an update to emerge long before this pup is found in the wild.
Westside guy
Dec 1, 2006, 04:34 PM
Windows Vista is NOT Windows XP.
Hey, somewhat going off on a tangent here but...
Vista is just now coming out. Are you old enough to remember that, when XP came out, it was lauded as "the most secure Windows ever"? It's silly to pay any attention to what MS says - until Vista has a track record, we won't know how its security stacks up.
Love or hate Steve Gibson, but he's pointed out some extremely stupid holes in Vista's security during the beta process. Stuff that was fixed in Windows back in the days of 95/98. They've got a totally new network stack in Vista, and frankly Microsoft has very little experience writing core network code (remember much or most of their previous stack was shown to have been pulled from BSD).
Now back to the Mac side. I'm glad to see this thread isn't filled with Apple apologists. :) Apple certainly has work ahead of them, but I think all in all they've been pretty responsive to most vulnerability reports over the past couple years. But Mac people need to shed this false air of invulnerability that's far too common on this forum and elsewhere. In the end, common sense will go far to protect you - don't run day to day as an admin account, use a strong password, don't use the same password everywhere. If you have a home network, use NAT (by default you probably will be). Don't try to download a "free" version of Microsoft Office off Gnutella. :D
840quadra
Dec 1, 2006, 04:44 PM
lol system 7? Why?? No one runs Windows 95 for fun...
Exactly!
It is not Windows 95, and that is for me to worry about.
JoeG4
Dec 1, 2006, 04:53 PM
I know I'm going to get labeled as a mac zealot and linux apologist for asking this, but isn't it weird how the project spent ALMOST ALL OF ITS TIME looking for ways to crucify OS X/Linux, but they avoided MS like the plague, as if they were afraid to make them look bad?
"I didn't have much time left for working on Microsoft Windows but I've received the most helpful feedback from the MSRC"
Riiiight. :p
shawnce
Dec 1, 2006, 05:01 PM
/Applications/Utilites/Directory Access.app/ -> AppleTalk is checked.
That is different than having AppleTalk active on a network connection.
PtMD
Dec 1, 2006, 05:11 PM
I know I'm going to get labeled as a mac zealot and linux apologist for asking this, but isn't it weird how the project spent ALMOST ALL OF ITS TIME looking for ways to crucify OS X/Linux, but they avoided MS like the plague, as if they were afraid to make them look bad?
"I didn't have much time left for working on Microsoft Windows but I've received the most helpful feedback from the MSRC"
Riiiight. :p
Couldn't that be just because Windows security (or lack thereof) has already been thoroughly examined by the industry at large and therefore wasn't as high a priority?
bankshot
Dec 1, 2006, 05:22 PM
It has been brought to attention that Apple is encrypting certain parts of the OS kernel. Does this have any bearing in this discussion or is it only to make piracy of the OS more difficult?
I believe it's primarily to thwart piracy. Here's a really good in-depth technical article on the subject:
http://osxbook.com/book/bonus/chapter7/binaryprotection/index.html
hulugu
Dec 1, 2006, 05:25 PM
Couldn't that be just because Windows security (or lack thereof) has already been thoroughly examined by the industry at large and therefore wasn't as high a priority?
Right, they were looking for a particular set of problems, specifically kernel bugs, which OSX and Linux have their fair share. Interestingly enough some of the wireless bugs affected more than one OS.
These are vulnerabilities, which obviously need to be addressed, but just because they found more kernel bugs in OSX, Linux, and BSD, doesn't mean Windows is suddenly 'secure.'
AppleIntelRock
Dec 1, 2006, 05:56 PM
it's time for apple to really make osx more secure than windows.
Apple really really needs to get on this... As far as some Script Kiddie wanting to make a name for themself the mass of mac users would need to be higher. There are still currently not enough mac users to warrant such acts, you would not get notice. I feel that a lot of coders find holes in XP because then they can exploit big business, whereas macs are more often than not home computers. If Apple hits the big 10% mark this will all change.
How do you know they are not on it? You don't, right? The source of these reports is the people who want to sell you their security software. They capitalize on our fear. The author notes he spent most of his time on Mac and Linux. Very little time was spent on Windows/Vista. Well, that makes sense if you are trying to sell software. Everyone already installs it on Windows. No sales opportunities there. So, go scare yourself a new market with the people who do not need it. It even works better if you can create some mistrust amongst the user base. Just plant the seeds of doubt the manufacturers are unwilling, or unable to protect them. You are their savior.
I do not have a Pollyanna view on this. I have no doubts that threats exist and an aggressive, on-going effort is crucial. But, the real solution is to fight this crime with the seriousness it deserves. That means mandatory prison sentences, equal liability for facilitation and for profiteering, etc.
Snowy_River
Dec 1, 2006, 07:00 PM
...that's just because it's a "feature" of the particular video technology (e.g. in Real Media or Windows Media streams you can embed code to open a browser window)...
And QuickTime, too. There are QT movies that will send you to a web page at the end of the film. It seems to me the trailer for Spiderman 2 did this.
coolfactor
Dec 1, 2006, 07:02 PM
I don't know but is the Adware related to this:
Sometimes when I download videos from LimeWire, and run them, it will bring up a browser window and open a site. Essentially an ad. Does this supposed hole cause this?
Apple definitely needs to get more serious about security. As more people start to buy Macs, more people will start to tinker and find holes. I hope Apple will rise to the challenge.
I bet you're downloading .mov files. QuickTime .mov files have interactivity features that are being exploited by pornography websites to redirect you to their site.
I would strongly advise against dropping your Limewire habits and moving towards more legitimate sources for your content.
840quadra
Dec 1, 2006, 07:05 PM
... As far as some Script Kiddie wanting to make a name for themself the mass of mac users would need to be higher. There are still currently not enough mac users to warrant such acts, you would not get notice......
I hope you understand what exactly you are saying. Under 10% is still Millions of systems. Included in that small percentage are hundreds if not thousands of businesses, thousands of schools, and many home businesses. Like anything in life, there are people that like the easy stuff, the work that affects the most people, or the work that provides the most challenge.
Worldwide impact is likely motivation for some hackers, however it doesn't include all of them!
I would strongly advise against dropping your Limewire habits and moving towards more legitimate sources for your content.
I am 100% in agreement with this statement! Besides P2P shares like this are a hotbed for corrupt files, trojans (windows world(for now)), and it is being cracked down more and more every day.
Snowy_River
Dec 1, 2006, 07:08 PM
Okay, now I might end up being branded as an Apple apologist for this, but this thread is bugging me.
Really, people, lighten up! It's like the corner of the carpet is smoking a little bit and people start shouting about how the whole house is about to burn down.
Now, certainly, these issues should be looked at with all due diligence. But do you honestly think that Apple isn't? Do you honestly think that Apple has simply ignored security all this time? Certainly not. The fact that OS X is as secure as it is clearly shows that Apple has done a good job so far. Now, maybe we've crossed an invisible barrier on the scale of the visibility of the platform, and now a lot more people are trying to target OS X, so more vulnerabilities are being found. But, there really is a big difference between a vulnerability and an exploit in the wild. iAdware is the closest thing to a true exploit I've heard of to date, and we don't even know what kind of vector it uses to get itself installed.
So, really, lay off the heavy handed "Apple has to start paying attention to security" nonsense. The implication that Apple hasn't been paying attention to security is just irritating, to say the least.
Snowy_River
Dec 1, 2006, 07:19 PM
I hope you understand what exactly you are saying. Under 10% is still Millions of systems. Included in that small percentage are hundreds if not thousands of businesses, thousands of schools, and many home businesses. Like anything in life, there are people that like the easy stuff, the work that affects the most people, or the work that provides the most challenge.
Worldwide impact is likely motivation for some hackers, however it doesn't include all of them!
Yes. This is part of why the low market share argument always seemed a bit weak. One can argue that there is a threshold beyond which a platform starts getting more attention from malware writers, but to argue that OS X had a small enough market share such that NO malware writers were trying to write a virus, trojan, worm, adware or spyware has just never made sense.
cloud 9
Dec 1, 2006, 07:29 PM
An interesting read in response to the kernel panic ability of the .DMG vulnerability:
http://alastairs-place.net/2006/11/dmg-vulnerability/
A very interesting read.. most of which I only barely grasp. Object oriented programming just makes my eyes glaze thinking about it.. The gist:
i don't understand why everyone is ignoring this guy's post. i'm not a computer engineer, so can someone with the right knowledge explain this a bit more? is it really adware or just a bug? :)
miketcool
Dec 1, 2006, 07:30 PM
Most of these Mac attacks seem to be more predominant with social engineering hacks and user error, than comprised code.
On a feTw occaszzzions I have noticed that MY CAT HAS A TENDENCY to hacsssk my laptop when I12212111113e'm trying to fill out threadwww replies on 432222222222222222 macrum2ors3. I'm thinking apple might still be AT FAULTQ ON THIS QONE.
840quadra
Dec 1, 2006, 07:31 PM
Okay, now I might end up being branded as an Apple apologist for this, but this thread is bugging me.
Really, people, lighten up! It's like the corner of the carpet is smoking a little bit and people start shouting about how the whole house is about to burn down.
Now, certainly, these issues should be looked at with all due diligence. But do you honestly think that Apple isn't? Do you honestly think that Apple has simply ignored security all this time? Certainly not. The fact that OS X is as secure as it is clearly shows that Apple has done a good job so far. Now, maybe we've crossed an invisible barrier on the scale of the visibility of the platform, and now a lot more people are trying to target OS X, so more vulnerabilities are being found. But, there really is a big difference between a vulnerability and an exploit in the wild. iAdware is the closest thing to a true exploit I've heard of to date, and we don't even know what kind of vector it uses to get itself installed.
So, really, lay off the heavy handed "Apple has to start paying attention to security" nonsense. The implication that Apple hasn't been paying attention to security is just irritating, to say the least.
Good points,
I agree with some of your points. Apple has done a good job historically, and currently with regards to security. I am not worried that my system is going to be taken over, or hacked the moment I go onto the internet, or sign into a public WIFI.
I do not agree that we should lower our demands for Apple with regards to security expectations. Now is Apple's chance to prevent getting an image that their competition has, with regards to holes in security. Apple themselves have advertised that Spyware, viruses, etc, are not part of the OS X experience (http://movies.apple.com/movies/us/apple/getamac_ads1/viruses_480x376.mov). In my opinion, that may be received as a challenge, or incentive for someone to make that argument a fallacy.
backsidetailsli
Dec 1, 2006, 07:32 PM
still better than windoze
spicyapple
Dec 1, 2006, 07:35 PM
On a feTw occaszzzions I have noticed that MY CAT HAS A TENDENCY to hacsssk my laptop when I12212111113e'm trying to fill out threadwww replies on 432222222222222222 macrum2ors3. I'm thinking apple might still be AT FAULTQ ON THIS QONE.
LOL! Bad kitty! :)
Welp, there is a trojan script you can run that'll wipe out your entire home directory, if you're not careful.
luv ya bunches! xoxoxo
AppliedVisual
Dec 1, 2006, 07:47 PM
On a feTw occaszzzions I have noticed that MY CAT HAS A TENDENCY to hacsssk my laptop when I12212111113e'm trying to fill out threadwww replies on 432222222222222222 macrum2ors3. I'm thinking apple might still be AT FAULTQ ON THIS QONE.
My cat is 1 l33t h4x0r too. Although, he's more of a problem at my desktop and he ALWAYS comes around when I'm gaming online and usually at a critical moment. ...He just knows.
I think I'm filing a patent for a USB-powered cat-zapper notebook/display peripheral tomorrow. :D
shawnce
Dec 1, 2006, 07:55 PM
i don't understand why everyone is ignoring this guy's post. i'm not a computer engineer, so can someone with the right knowledge explain this a bit more? is it really adware or just a bug? :)
This is the summary from that page...
So, what have we learned:
It is not a memory overwrite bug.
It is not exploitable, except in that you can kernel panic a machine if you can persuade a user to double-click a damaged dmg file.
It is not, therefore, possible to use this bug for privilege elevation or to execute arbitrary code in the kernel.
I looked over his code analysis and I agree with his conclusion about it not being possible to corrupt memory (hence not possible to inject code). So it is at worst a denial of service type attack.
No, that is not Adware. Adware is a program that is installed *on your computer*, so it can launch windows whenever it wants.
I think he's saying that LimeWire is opening the popups when no browser window is open. That's not "adware" in the sense in which we're talking about, which is a hidden background program that opens browser windows randomly no matter what application you're running.
wtfk
Dec 1, 2006, 07:59 PM
I'm still waiting to hear that someone--anyone--has actually been exploited by one of these "exploits."
Snowy_River
Dec 1, 2006, 08:29 PM
...
I do not agree that we should lower our demands for Apple with regards to security expectations. Now is Apple's chance to prevent getting an image that their competition has, with regards to holes in security. Apple themselves have advertised that Spyware, viruses, etc, are not part of the OS X experience (http://movies.apple.com/movies/us/apple/getamac_ads1/viruses_480x376.mov). In my opinion, that may be received as a challenge, or incentive for someone to make that argument a fallacy.
Perhaps you missed me saying "Now, certainly, these issues should be looked at with all due diligence"? Again, I agree that Apple needs to keep on top of these vulnerabilities. With a little luck, we'll see a new security update within the next week or two that will patch most, if not all, of these. My objection was not to wanting Apple to fix these vulnerabilities. My objection was to the tone that suggested that if we didn't mount a public outcry, Apple would ignore these altogether, and by January 1st there'd be as many viruses on OS X as on Windows. It's the alarmist nature of so many of the posts here that I found objectionable. Give Apple the credit it's due, and trust that they are working on patching all of these vulnerabilities right now. How hard it is to patch them will determine how long we'll have to wait for the security updates.
I'm still waiting to hear that someone--anyone--has actually been exploited by one of these "exploits."
Yes, actually they're vulnerabilities, not exploits. There's a big difference. Determining a way to utilize a vulnerability as an exploit is no small challenge. And I'm with you. While I'm eager to see Apple plug these holes, I'm not worrying about the boat sinking until I see some water start to come in... ;)
XnavxeMiyyep
Dec 1, 2006, 09:35 PM
F-Secure sells security software for getting rid of adware.
F-Secure claims to have found adware for Mac without providing evidence.
COINCIDENCE!?
I think not!
kalisphoenix
Dec 1, 2006, 10:18 PM
I know I'm going to get labeled as a mac zealot and linux apologist for asking this, but isn't it weird how the project spent ALMOST ALL OF ITS TIME looking for ways to crucify OS X/Linux, but they avoided MS like the plague, as if they were afraid to make them look bad?
"I didn't have much time left for working on Microsoft Windows but I've received the most helpful feedback from the MSRC"
Riiiight. :p
I wish ten times as many people were working on finding bugs in OS X. Or a hundred.
JoeG4
Dec 1, 2006, 11:21 PM
I wish they'd spend that time being productive writing new and cool things instead of worrying about what may possibly happen.
Security should be something that's handled at the low level, not something we have to sit here BSing about all day long and installing programs for. That's the part that bugs me about these stupid &W%@#%*( companies and MS' "anti crapware" program. THE PROBLEMS SHOULD NOT EXIST IN THE FIRST PLACE. Boy, that's what patches are for.
Looking for em is fine, but when people stop making stuff and worry more about designing security crap - **** we'll all be driving around armored cars.
theheyes
Dec 2, 2006, 01:20 AM
After the Month of Kernel Bugs, are you concerned about Mac OS X security?
No - 62%
See, that bugs me. Everyone should be concerned about security. I believe OS X's overriding security feature is obscurity, and once that situation changes I can see the OS falling over very quickly.
One of the weakest links in the chain is the user, and if the user is not concerned then you have a problem.
Don't get me wrong, I think OS X is great, but it just hasn't been "weathered" in the wild like Windows has. If OS X becomes a viable target then we're in for a bumpy ride.
toniv
Dec 2, 2006, 01:50 AM
Hi, you all!
This iAdware thing is old news and has been already fixed in latest security update by Apple.
Greetings from Finland,
Toni
Installer
CVE-ID: CVE-2006-4404
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.8, Mac OS X Server v10.4.8
Impact: When installing software as an Admin user, system privileges may be used without explicit authorization
Description: Admin users are normally required to authenticate before executing commands with system privileges. However, the Installer allows system privileges to be used by Admin users when installing certain packages without requiring authentication. This update addresses the issue by requiring authentication before installing software with system privileges.
hulugu
Dec 2, 2006, 01:52 AM
After the Month of Kernel Bugs, are you concerned about Mac OS X security?
No - 62%
See, that bugs me. Everyone should be concerned about security. I believe OS X's overriding security feature is obscurity, and once that situation changes I can see the OS falling over very quickly.
One of the weakest links in the chain is the user, and if the user is not concerned then you have a problem.
Don't get me wrong, I think OS X is great, but it just hasn't been "weathered" in the wild like Windows has. If OS X becomes a viable target then we're in for a bumpy ride.
OSX is based on FreeBSD, which has been around for an eternity and includes modules from even older Unixy stuff. There's paying attention, there's worrying, and then there's running around with your hair on fire digging for a bomb shelter with your bare hands. We're at the pay attention stage.
MOKB showed that the kernel can be a source of bugs and that OS design should incorporate this problem into the design. This doesn't mean panic or worry or take a pair of scissors to your broad-band connection, this means Apple has some things to fix. It also showed that wireless is inherently insecure and the problems with drivers can affect Windows, Mac OSX and Linux.
Again, MOKB isn't all that important, it's Apple's response to problems that really matters.
hulugu
Dec 2, 2006, 01:59 AM
Hi, you all!
This iAdware thing is old news and has been already fixed in latest security update by Apple.
Greetings from Finland,
Toni
...
The iAdware is just one of the vulns discovered this month, the Month of Kernel Bugs found several problems in the kernel space of OSX. A few of these have been fixed, but others remain, Apple however responded quite quickly to the iAdware problem.
MacinDoc
Dec 2, 2006, 02:30 AM
I have to agree with a lot of the people here who are concerned with security. Part of the reason OS X seemed so secure was because no one tested it. Now that we have Intel chips and a growing market share, vulnerabilities are being exploited. The day that I have to go out and buy virus protection for OS X is the day I consider going back to Windows. Vista looks like OS X so switching wouldn't be as big a pain.:)
I'm sorry, which of these vulnerabilities has been exploited?
RacerX
Dec 2, 2006, 03:20 AM
People, the single worst thing that the Mac community faces in the area of security is upon us right now...
Little security experts who cry exploit.
Thanks to the media jumping at anything that looks like it could be a security problem with Mac OS X, we now have security experts who are willing to make half-baked claims to draw attention to themselves. But even more frightening is the fact that the Mac community isn't a target because it is a good target or an easy target... no, we are a target because it is the most notable target these days.
So, how do we fix this?
Frankly, I don't know.
The security experts are going to call anyone who questions their work names, and they seem bent on avoiding any consultation with real Mac experts before issuing press releases. I would have thought that these types of Pons & Fleischmann tactics would have died out on their own, but that doesn't seem to be the case. Part of the problem is that erroneous reports aren't being covered as widely as the initial claims.
The other problem is that even after real, working exploits start showing up in the wild, we are a long ways off from being anywhere near where the Windows community is today. In fact, we'd be a long ways off from where the Mac community was at the peak of its virus period (how many here actually recall those days?).
The only thing I can suggest (which I doubt anyone will follow) is to avoid the hysteria. When a real threat emerges, you'll most likely hear about it long before you are actually in any danger from it.
BRLawyer
Dec 2, 2006, 05:48 AM
I agree with the few others that are concerned about this.
Our Mac OS innocence is coming to an end. Part of this is due to the growing market share, and popularity in the Operating system. The other issue I feel that is of concern, is the new challenge this OS provides for Script kiddies, and bored coders. If you have an ego, and want to get your name out, why not do what hasn't been done before, as opposed to doing what everyone else does ?
This is going to be a growing trend, and the amount of Mac Haters in the wild is quite high! Once code tricks and secrets start to get out, it is only a matter of time before OS X is targeted by thousands, much like XP!
Apple has time to take this very seriously, and work to keep this system tight and secure! Hopefully this is going to be a big part of the focus on Leopard, but only developers will really know this!
These current headlines aside
1. Pay attention to what warning messages pop up when browsing the web.
2. Only download and install software from sources that you trust, and if you do trust them, take an extra moment to think about why you trust them, and if you really need to install that piece of 3rd party software!
3. Keep your firewalls on if possible
4. Don't permanently unlock preferences, folders, or other security areas on your system using your keychain, unless you really need to do so!
There are others, however that is a good baseline to follow for some minimal security checks and balances!
And here we go again with the "security through obscurity" myth...please, don't spread such things again, because they are not true.
The mere fact that some kernel vulnerabilities were discovered in an event SPECIFICALLY devoted to finding such things does not mean our OS X is unsafe. It is by far the MOST secure system out there, with 40 million or 400 million users, and nobody has been able to prove the opposite so far.
Besides, some (or many) of the arguments posed by this "anonymous" LMH were already debunked by other security analysts. Just an example:
"Apple DMG flaw not so serious? SecurityFocus reports on the controversy surrounding a disk image denial of service potentiality in Mac OS X. "While the common wisdom in the security world is that crashes are exploitable, Mac programmer Alastair Houghton published his kernel-code analysis showing that this particular vulnerability is not. "In fact, all (the MoKB) has found here is a bug that causes a kernel panic," Houghton wrote in his analysis. "Not a security flaw. Not a memory corruption bug. Just a completely orderly kernel panic." Following the analysis, Secunia downgraded their severity rating of the vulnerability from "highly critical" to "not critical." Several other companies still have the vulnerability rated as critical. The actions follow a heated exchange between Houghton and the founder of the Month of Kernel Bugs (MoKB) Project, a person who identifies himself as only L.M.H. Because of the exchange, Houghton decided to spend three days analyzing the issue and had his final analysis checked by Thomas Ptacek, a security researcher and founder of Matasano Security."
http://www.macfixit.com/
So please...before spreading more FUD in this forum, check the facts and take some time before believing some strange guys pretending to be specialists...
longofest
Dec 2, 2006, 07:26 AM
The mere fact that some kernel vulnerabilities were discovered in an event SPECIFICALLY devoted to finding such things does not mean our OS X is unsafe. It is by far the MOST secure system out there, with 40 million or 400 million users, and nobody has been able to prove the opposite so far.
The guy heading up the MOKB thing said that MacOSX's kernel (XNU) was the easiest kernel to crack. If that makes you feel safe, then go ahead and feel safe, but for me, even though I use extremely good security practices and networking measures, I still would rather have Apple get serious about security and start hardening their system more so that guys who are only fuzzing and stress testing can't come up with 10 vulnerabilities in a month.
The only thing I can suggest (which I doubt anyone will follow) is to avoid the hysteria. When a real threat emerges, you'll most likely hear about it long before you are actually in any danger from it.
Funny thing is that I don't see anyone in this forum going into hysteria about this other than the people saying that "this is a load of FUD." Why is it such a shock that MacOSX can be vulnerable? No, it hasn't been exploited to any large extent, but vulnerabilities open up the door to exploits, and the only thing that is keeping us away from having exploits happen is our market share. You may not want to hear that, but as long as we are below 10% of the market, people simply aren't going to target our vulnerabilities, but are going to target MS's vulnerabilities.
The problem of course, is that our Market Share is going up, and so we will likely be a larger target for hackers. So if these vulnerabilities keep popping up in this frequency, that becomes a major issue for the exploitation problem as time goes on.
J Radical
Dec 2, 2006, 09:24 AM
OS X isn't perfect, and it's unreasonable to expect that it will never ever be breached.
That said, Apple have done a great job thus far. My worry isn't so much individual (trivial?) exploits, but rather that OS X would go down the XP route and require constant patching. The last thing Apple needs is to have to fight fires in the same way Microsoft has had to with XP.
Security is a key selling point for the mac platform and it is essential that Apple maintain their advantage with the vastly improved Vista fast approaching.
I hope Apple will address these problems with the urgency they merit.
Uragon
Dec 2, 2006, 09:34 AM
Okay, now I might end up being branded as an Apple apologist for this, but this thread is bugging me.
Really, people, lighten up! It's like the corner of the carpet is smoking a little bit and people start shouting about how the whole house is about to burn down..
No, I won't brand you as an Apple apologist nor do I consider most here in the forum as mac zealots. For me, it's always just a matter of time someone will find vulnerabilities or hacks in any OS (Mac/Win) and for either good reasons or just for being the first..
Grakkle
Dec 2, 2006, 09:46 AM
I've said it before, and I'll say it again, this is a critical time for Apple and it's no time to be an Apple apologist. It's time to hold Apple's feet to the fire. Being soft on them isn't helping them. It's just enabling them not to realize their full potential.
OSX is good, but that's no reason for complacency. If Apple doesn't work out these bugs (and I know of more than a few irritating ones, besides the kernel vulnerabilities) it's not going to remain a quality product.
gnasher729
Dec 2, 2006, 10:19 AM
i don't understand why everyone is ignoring this guy's post. i'm not a computer engineer, so can someone with the right knowledge explain this a bit more? is it really adware or just a bug? :)
I'll try to explain this: Someone can create a Disk Image File that is intentionally corrupt. They can put it on a webpage from where you could download it, and if you do that, Safari will try to mount the disk image file and then Things Go Wrong. But nothing at all can happen if you don't visit that webpage.
Now Apple can't do anything about that corrupted Disk Image File. The best that Apple can do is try to mount it, figure out that it is corrupted, and tell you that it is corrupted. This is what should have happened, it didn't happen, and that is a bug that Apple should fix. The question is: What damage can happen?
In this case, it has been examined, and the result is that there will be a Kernel Panic. That means your Macintosh will crash. Nothing else can possibly happen, the only possible result is a Kernel Panic. Sounds bad, but all that happens is that you have to restart your computer. About the same as if I unplugged the power cable of your Macintosh. The same thing will happen again if you try to mount the disk image again, or if you go to the same webpage again. But you wouldn't do that, right? And if you visit the webpage again, you will learn quickly not to do that, right?
The important thing is, there is no security risk. Nobody can use this to install a virus or adware on your computer. They can use it to crash your computer - once if you are clever, twice if you are not quite so clever, but not more often. They can't do anything but crash the computer.
BRLawyer
Dec 2, 2006, 10:30 AM
The guy heading up the MOKB thing said that MacOSX's kernel (XNU) was the easiest kernel to crack. If that makes you feel safe, then go ahead and feel safe, but for me, even though I use extremely good security practices and networking measures, I still would rather have Apple get serious about security and start hardening their system more so that guys who are only fuzzing and stress testing can't come up with 10 vulnerabilities in a month.
The "guy" heading up that thing is sketchy, to say the least...instead of showing yourself as "LMH", be a man and publish your identity as well as your corporate background...one of his points was already debunked, more will follow...he seems much more like someone looking for publicity and page hits than a serious researcher, as others have said in the specialized media. So for me, someone who "says that the OS X kernel is the easiest" is as reliable as someone who says that "oompa-loompa" is an OS X virus in the wild...
I couldn't care less about its remarks, notwithstanding the obvious need for any company to secure its OS as much as possible.
For more clarification and less FUD: http://alastairs-place.net/
RacerX
Dec 2, 2006, 10:31 AM
Funny thing is that I don't see anyone in this forum going into hysteria about this other than the people saying that "this is a load of FUD." Why is it such a shock that MacOSX can be vulnerable?
It isn't a shock that Mac OS X is vulnerable. What is shocking is that it is front page news to people.
Why is this even noteworthy? Why is this even NEWSWORTHY?
Why cover what are (to most Mac users) non-issues? More importantly, why aid the PC press in making cracking a Mac a limelight subject?
Misery may love company, but do we really need to add to the frenzied coverage that this subject currently has?
And oddly (or maybe not), the people most likely to fall for the hype on all this are former PC users who (wrongly) believe that any level of malicious software is equivalent to whatever the current level is for Windows (where malicious software is actually a profession).
You aren't a former (current) PC user, are you longofest? It would explain a lot.
No, it hasn't been exploited to any large extent, but vulnerabilities open up the door to exploits, and the only thing that is keeping us away from having exploits happen is our market share. You may not want to hear that, but as long as we are below 10% of the market, people simply aren't going to target our vulnerabilities, but are going to target MS's vulnerabilities.
The problem of course, is that our Market Share is going up, and so we will likely be a larger target for hackers. So if these vulnerabilities keep popping up in this frequency, that becomes a major issue for the exploitation problem as time goes on.
Could you please tell me when the Mac community made up 10% of market share?
Why wasn't market share the magic shield 10 or 15 years ago that it seems to be today?
:rolleyes:
Well, while we wait for longofest to figure out the obvious, we should keep in mind what is really currently saving the Mac community from attacks like we once had... lack of a means of propagation.
Fortunately Apple is fully aware (even if some people aren't) that if an effective means of propagating malicious software to and from Macs pops up, that is the door that hackers are waiting for. That is why Apple watches any and every hacking attempt at these contests.
And of course Apple (like most of us who have used Macs for more than a few years) is aware that market share has nothing to do with any of this. Once an effective means of delivery is available, hackers aren't going to consult any market research before putting it to good use.
Maybe this is a good case where shooting the messenger is a good thing. If the press (both Mac and PC) wouldn't make mountains out of potential ant hills, we wouldn't have people like Mayner, Ellch and LMH jumping the gun on going to the press before having their work properly checked. In fact, these guys are pushing a disturbing trend of giving press releases before checking their work.
We get vapor exploits and they get their names in headlines. Does anyone else see the problem with this? :eek:
BRLawyer
Dec 2, 2006, 10:37 AM
Up to the point, RacerX...I am tired of these "security warnings" that carry little more than vaporware and a thirst for publicity and hacker-like "fame"...
If a kernel panic is a "serious issue", think again...and go Vista...and please, no market share arguments anymore...we have probably more than 50 million Apple users out there...I am sure a few hackers are still trying hard to make a virus in the wild for them.
Doctor Q
Dec 2, 2006, 12:20 PM
In this case, it has been examined, and the result is that there will be a Kernel Panic.
The important thing is, there is no security risk. Nobody can use this to install a virus or adware on your computer. They can use it to crash your computer - once if you are clever, twice if you are not quite so clever, but not more often. They can't do anything but crash the computer.
Mac OS X is so stable that I am perfectly comfortable working for an hour in between saving my open files. If I was likely to run into websites that purposely exploited a flaw to crash my Mac, I'd have to change my habits and live more defensively.
Sure, losing work would be my fault for not saving after each keystroke, but I'd still blame the website. For example, suppose it was a site pretending to take a political poll, but if you voted against their favored choice, they punished you with a system crash. Even if this is not a security concern, it's a concern, and I'd like to see it fixed.
These types of reports don't panic me and I'm glad that Apple does pay attention to most bugs and security concerns. I don't expect them to avoid all glitches, only to make a reasonable effort when programming their O.S. and applications, and to fix problems that are later revealed.
840quadra
Dec 2, 2006, 02:15 PM
Perhaps you missed me saying "Now, certainly, these issues should be looked at with all due diligence"? Again, I agree that Apple needs to keep on top of these vulnerabilities. With a little luck, we'll see a new security update within the next week or two that will patch most, if not all, of these. My objection was not to wanting Apple to fix these vulnerabilities. My objection was to the tone that suggested that if we didn't mount a public outcry, Apple would ignore these altogether, and by January 1st there'd be as many viruses on OS X as on Windows. It's the alarmist nature of so many of the posts here that I found objectionable. Give Apple the credit it's due, and trust that they are working on patching all of these vulnerabilities right now. How hard it is to patch them will determine how long we'll have to wait for the security updates.
I now understand what you are saying and agree.
Apple has done a good job, and I have faith that they are doing everything they can to keep their OS secure. I am also happy to hear the random bits of news that they are working with other groups to keep their system secure.
I just want them to keep this focus, grow on it, and keep their image of being a more secure system than the other side of the fence. I have faith in them being able to do this, and this is why I have kept purchasing their software and products! :)
And here we go again with the "security through obscurity" myth...please, don't spread such things again, because they are not true.
The mere fact that some kernel vulnerabilities were discovered in an event SPECIFICALLY devoted to finding such things does not mean our OS X is unsafe. It is by far the MOST secure system out there, with 40 million or 400 million users, and nobody has been able to prove the opposite so far.
Besides, some (or many) of the arguments posed by this "anonymous" LMH were already debunked by other security analysts. Just an example:
"Apple DMG flaw not so serious? SecurityFocus reports on the controversy surrounding a disk image denial of service potentiality in Mac OS X. "While the common wisdom in the security world is that crashes are exploitable, Mac programmer Alastair Houghton published his kernel-code analysis showing that this particular vulnerability is not. "In fact, all (the MoKB) has found here is a bug that causes a kernel panic," Houghton wrote in his analysis. "Not a security flaw. Not a memory corruption bug. Just a completely orderly kernel panic." Following the analysis, Secunia downgraded their severity rating of the vulnerability from "highly critical" to "not critical." Several other companies still have the vulnerability rated as critical. The actions follow a heated exchange between Houghton and the founder of the Month of Kernel Bugs (MoKB) Project, a person who identifies himself as only L.M.H. Because of the exchange, Houghton decided to spend three days analyzing the issue and had his final analysis checked by Thomas Ptacek, a security researcher and founder of Matasano Security."
http://www.macfixit.com/
So please...before spreading more FUD in this forum, check the facts and take some time before believing some strange guys pretending to be specialists...
Thanks for that rambling diatribe.
Please, can you tell me where I said that I support the myth that Apple is (or is not) holding operating system information from its developers, in order to promote a more secure operating system?
Please also find a post where I stated that we should seek out virus protection, beg developers for adware removing programs, and lock down our systems from anyone being able to access them.
I simply posted that our little world is growing in popularity with those that want to make it less easy, or stable for us. If you also took the time to actually read my other posts, you would understand that I am not overly worried, however I don't think we (or Apple) should let our guard down.
Further, the advice I posted is not my own, it is good common sense that anyone (on any operating system, on any platform) should follow to help reduce the risk of getting something nasty, or damaging (including simple code bugs that are commonly confused with viruses) on their system.
The sad fact remains, no matter how much we debate this topic on these forums, the people that continually get their systems infected in the Windows world, will most likely have that same problem with any OS they use if there are viruses for it. The issue is most often the end user, not the security of the system they are on.
shen
Dec 2, 2006, 03:40 PM
and so far, just like every other "story" of this kind, this one is turning out to be more FUD than substance.
.....someone wake me when they post something that matters.
SeaFox
Dec 2, 2006, 06:51 PM
I voted "yes" because I'm concerned what this will do PR-wise for Apple, not so much about actual security concern. "LMH" may claim he's not an Apple-hater but a few things poke out from the interview:
The Linux kernel takes little time to break. I'm more familiar with the code and thus it also takes less time to isolate issues. OS X kernel (XNU) takes less time but depending on the area you're checking, debugging and isolation may require a bit more time (if you take into account that AppleTalk source code is almost unreadable and totally deprecated) [...] I didn't have much time left for working on Microsoft Windows but I've received the most helpful feedback from the MSRC people on potentially interesting stuff to check.
What I read from this passage is:
LMH is familiar with the Linux Kernel.
LMH found Linux and MacOSX easy to break (possibly because of his familiarity with the Linux kernel).
LMH spent the majority of their time working on Linux and MacOSX.
Here's what I infer from the interview:
If LMH is so familiar with Linux and found OSX so "easy to crack", why was the amount of time he spent on them so disproportionate compared to Windows?
Looks to me like he spent most of his time looking for bugs in Linux and MacOS since they would garner more press (See Macbook Wifi grandstanding).
LMH takes this opportunity to make a crack about AppleTalk code that has little to do with this topic.
LMH takes this opportunity to point out that he had assistance from Microsoft people in looking into Windows, which happens to be the platform he spent the least amount of time on. I don't think Microsoft would be particularly helpful in assisting someone in finding exploits to report when they were going to be compared to OSX and Linux by the organizer.
hulugu
Dec 2, 2006, 06:56 PM
I voted "yes" because I'm concerned what this will do PR-wise for Apple, not so much about actual security concern. "LMH" may claim he's not an Apple-hater but a few things poke out from the interview:
What I read from this passage is:
LMH is familiar with the Linux Kernel.
LMH found Linux and MacOSX easy to break (possibly because of his familiarity with the Linux kernel).
LMH spent the majority of their time working on Linux and MacOSX.
Here's what I infer from the interview:
If LMH is so familiar with Linux and found OSX so "easy to crack", why was the amount of time he spent on them so disproportionate compared to Windows?
Looks to me like he spent most of his time looking for bugs in Linux and MacOS since they would garner more press (See Macbook Wifi grandstanding).
LMH takes this opportunity to make a crack about AppleTalk code that has little to do with this topic.
LMH takes this opportunity to point out that he had assistance from Microsoft people in looking into Windows, which happens to be the platform he spent the least amount of time on. I don't think Microsoft would be particularly helpful in assisting someone in finding exploits to report when they were going to be compared to OSX and Linux by the organizer.
This is an interesting post. The Appletalk thing was especially silly.
SeaFox
Dec 2, 2006, 07:16 PM
I for one, welcome our new Adware overlords.
-1, Overrated
twoodcc
Dec 2, 2006, 08:48 PM
well i'm not very worried
illegalprelude
Dec 3, 2006, 03:36 AM
How do you know they are not on it? You don't right? The source of these reports is the people who want to sell you their security software. They capitalize on our fear. The author notes he spent most of his time on Mac and Linux. Very little time was spent on Windows/Vista. Well, that makes sense if you are trying to sell software. Everyone already installs it on Windows. No sales opportunities there. So, go scare yourself a new market with the people who do not need it. It even works better if you can create some mistrust amongst the user base. Just plant the seeds of doubt the manufacturers are unwilling, or unable to protect them. You are their savior.
I do not have a Pollyanna view on this. I have no doubts that threats exist and an aggressive, on-going effort is crucial. But, the real solution is to fight this crime with the seriousness it deserves. That means mandatory prison sentences, equal liability for facilitation and for profiteering, etc.
dear lord, thank you! somebody else with some common sense. It's like all different reports come out about anything related and people go up in arms about it but never pay attention to who did the research. Just because it's "published" does it somehow make it fact? What did the publisher have to gain from this? More so than often, you will note that the report that came out that says "chewing gum promotes healthy teeth" is indeed sponsored and funded and done by Stride Gum. Surprise! Same in this case, let's promote a few security flaws and every single news site will pick up on it by 3 days and bam, now we can advertise our Antivirus. :rolleyes:
mklos
Dec 3, 2006, 09:56 AM
Router, firewall I feel OK.
I hate to tell you this, but they are really no help when it comes to spyware. I don't know what you were referring to there, but with adware/spyware they won't help you one bit. Adware comes mostly through port 80, which is the port the internet comes through. So if you want, you can set your router/firewall to block port 80, but then you don't have any internet.
That being said, someone could figure out how to get around a firewall. As with any software based firewall, there are vulnerabilities in it, even the OS X one. A router (hardware based), well, that's a little different.
But there are things Apple could do to make OS X more secure. Hopefully Leopard will patch a bunch of holes and make it even harder for adware and anything else to get in. Then release patches for Panther/Tiger. They've done this in the past with Tiger security enhancements and then releasing a patch for Panther.
I believe SecurityWorks (or whatever they're called), works with Apple now instead of against them to aid in finding "holes" in the system. This is the way it should be. They should be hiring people/companies to find holes in the OS and to report them exclusively to Apple ONLY so they can be fixed.
We Mac users are way too secure with ourselves and one day it's going to bite us in the butt bigtime. A lot of us throw the talk to the hand up when OS X starts getting bashed about its insecurity. This is a bad thing and some of us need to shape up. These very people will be the first to bitch and complain about their Mac getting spyware and/or viruses when it happens. And of course, it's all Apple's fault!
cloud 9
Dec 3, 2006, 10:12 AM
This is the summary from that page...
I looked over his code analysis and I agree with his conclusion about it not being possible to corrupt memory (hence not possible to inject code). So it is at worst a denial of service type attack.
merci beaucoup for your explanation and gnasher you too :)
spicyapple
Dec 3, 2006, 10:34 AM
Judging by the progression in the poll numbers, looks like FUD is gaining traction.
People, the single worst thing that the Mac community faces in the area of security is upon us right now...
Little security experts who cry exploit.
Thanks to the media jumping at anything that looks like it could be a security problem with Mac OS X, we now have security experts who are willing to make half-baked claims to draw attention to themselves. But even more frightening is the fact that the Mac community isn't a target because it is a good target or an easy target... no, we are a target because it is the most notable target these days.
So, how do we fix this?
Frankly, I don't know.
...........<text omitted>............
The only thing I can suggest (which I doubt anyone will follow) is to avoid the hysteria. When a real threat emerges, you'll most likely hear about it long before you are actually in any danger from it.
I am with you 100%. Every time one of these 'expert reports' comes out, I see a plethora of panic posts following it. The common theme is: 'we're screwed, someone save us, why doesn't Apple do something!' :eek:
I think the majority of the security reports are motivated by ego, or most likely, profit. When companies like Network Associates fund a security vulnerability study, it is not done because they are a concerned, benevolent member of the technical community. They are out to make a buck. What they promote is fear. What they sell is reassurance. Nice gig.
Judging by the progression in the poll numbers, looks like FUD is gaining traction.
Does that surprise you, or is it just a comment? Right now, MS is in the highest stakes game it has been in for many years, maybe ever.
The mighty giant has been pantsed. The cut-throat business practices of the past are not only well-known, but are also being scrutinized.
MS does not have the best PC OS/Desktop and that is now a known fact by many.
The business community, long a MS stronghold, has grown weary of paying predatory licensing fees for MS backoffice and the desktop. MS does not want to give this up. They want to keep their stranglehold on this market. Purchasing managers are taking a hard look at alternatives, like Apple.
Vista...so much is riding on Vista. It absolutely has to succeed for them. If after five years, with all of its vast resources, Vista cannot beat OSX, Redmond's reputation, and credibility, is going to suffer badly. The floodgates may open. The wildcard is Leopard.
MS could not delay Vista any longer. But, Redmond knows Apple has the last play. Steve just has to love the position he is in. MS has to play their hand and he can come in and trump it at will. At most, Vista could draw Windows even with Tiger, although most think this is fanciful thinking on their part. MS is definitely scared by what is coming next (and when).
So, we are going to see even more of this message board trolling and FUD. There are many obvious 'newbie' troll posts. But, I am also seeing some 'moles' trolling too. Some of them showed up many months ago and are now regulars. What they are doing is providing newbie support.
The newbie comes on with a troll post, and bam, he gets a regular, or two to give legitimacy to the disinformation. The thread is off and running. Another tactic I notice is the thread subject troll. The subject line is written to be very negative, but then the first post is very much toned down, sometimes even apologetic, "Sorry for venting, I know this is rare...", that type of stuff. The damage is done and no one is aware it was a disinformation attack.
The stakes are high and MS has been found guilty in court of doing the things I am describing. This is not the ranting of a paranoid. I happen to know a considerable amount about disinformation and the tactics involved. With a little work, you can see the same things. Look at the post history for those making anti-Apple posts. The critical eye can discern the inconsistencies in what they write.
840quadra
Dec 3, 2006, 03:56 PM
So, we are going to see even more of this message board trolling and FUD. There are many obvious 'newbie' troll posts. But, I am also seeing some 'moles' trolling too. Some of them showed up many months ago and are now regulars. What they are doing is providing newbie support.
The newbie comes on with a troll post, and bam, he gets a regular, or two to give legitimacy to the disinformation. The thread is off and running. Another tactic I notice is the thread subject troll. The subject line is written to be very negative, but then the first post is very much toned down, sometimes even apologetic, "Sorry for venting, I know this is rare...", that type of stuff. The damage is done and no one is aware it was a disinformation attack.
The stakes are high and MS has been found guilty in court of doing the things I am describing. This is not the ranting of a paranoid. I happen to know a considerable amount about disinformation and the tactics involved. With a little work, you can see the same things. Look at the post history for those making anti-Apple posts. The critical eye can discern the inconsistencies in what they write.
I can understand the feelings behind what you are saying, and do appreciate that point of view. I, however, am not sure that I can really see anyone doing hopeless FUD spreading on this particular thread. You seem to be (like a few others) concerned that those of us who have security concerns, have given up on Apple, and want to work with these 3rd party groups to provide us with security solutions. I don't see many people on this thread with that attitude, I see concerned users like myself, that want to see that Apple heads up security themselves.
To me the poll and question "After the Month of Kernel Bugs, are you concerned about Mac OS X security?" was interpreted by me as ..
Yes I am concerned about Mac OS X security. Meaning, I am concerned about my operating system security in general.
For whatever reason, I believe that anyone that voted Yes, is being interpreted by some people as it meaning "Yes I am concerned about Mac OS X security, as it is a hopelessly unsecured operating system, god save us, the world is going to end!".
Perhaps a few of the people who said yes may think that, but don't assume all of us are like that! Please feel free to look into my post history, not that it is any of your business anyway. You will find that I am a true Apple and Mac fan through and through!
.....<text removed>.......
Perhaps a few of the people who said yes may think that, but don't assume all of us are like that! Please feel free to look into my post history, not that it is any of your business anyway. You will find that I am a true Apple and Mac fan through and through!
I do not assume any such thing. There were two issues involved in my post. One was about the motivation, and reaction about security. The other was more generalized about the disinformation campaign (FUD), I am witnessing on this board. I did not reference any particular post, content, or person in this thread. So, I am unclear why you seem to feel I have attacked you, or (collectively) everyone.
c.hilding
Dec 4, 2006, 12:41 AM
I agree. Tough love is best here. It's better to have the vulnerabilities exposed in this manner than in a live scenario. Let's just hope the press from this is enough for Apple to fix the problem before we have something bigger than a proof-of-concept exploit.
Yeah, when the poll was loading I expected 80-90% to be concerned about security, turns out only 40% are. So many ignorant "blissful" people that excuse Apple and think "It's Apple, of course it's safe". Obviously it's not. Ten serious exploits in about as many days of looking (they spent 30 days total, about an equal amount on linux and mac, and the rest on other OS's, so 10 should be right) and that is just scratching the surface. I was shocked that Apple actually had so many vulnerabilities, and for those that didn't find it scary that someone can install a program with kernel access simply by having you download their dmg file (not even opening it), well they're just being silly and need to realize that this is 2006, and some extremely bad things can happen if we are to go by that analyst's words (saying OS X is not hot on security and that it is easy to find new hacks). :p
I feel safe running OSX...
Although the future will eventually bring us Mac users some "possible exploits" and other privacy invasions, I feel that Apple has made a good job so far protecting OSX and, as far as I'm concerned, they have earned my trust.
What I'm saying is that we should all just take it easy and worry about this stuff when it actually happens and IF it happens. However, as of now, I think these "kernel bugs" are nothing more than reverse advertisement for the new upcoming Windows, call me paranoid, but I know a lot of PC maniacs are dying for Macs to get any kind of V.I.S.T.A (Virus Infections Spyware Trojans Adware). In fact, I'm more scared of being kicked by a horse today than getting Mac Viruses in the next couple of years :rolleyes:
I for one loooooove to brag from the top of the mountains:
"MY Mac IS 100% V.I.S.T.A FREE!" :D
Just my opinion on the topic :) extreme neh?
goosnarrggh
Dec 4, 2006, 07:26 AM
Mac OS X is so stable that I am perfectly comfortable working for an hour in between saving my open files. If I was likely to run into websites that purposely exploited a flaw to crash my Mac, I'd have to change my habits and live more defensively.
Excellent point.
If you use a notebook or a desktop with a UPS, it can be extremely easy to forget about the fact that reboots may happen at any time, even without faulty software getting in the way. (Lately in Nova Scotia, the culprit has been "salty fog" invading our power substations...) Obviously this is a bug that can cause loss of work (and thus loss of money). And obviously the ultimate solution must be a more graceful failure response by the OS.
But a good stopgap measure to protect from the only potential damage which can so far be demonstrated to potentially come from this vulnerability, would be to enable the autosave feature of your software. That measure requires a one-time investment of effort on your part, and subsequently shouldn't have any effect on your work habits. I have never used any reputable productivity software which didn't have an autosave feature.
yellow
Dec 4, 2006, 08:59 AM
That is different than having AppleTalk active on a network connection.
How so? That means the AppleTalk network stack is loaded.. needlessly, and potentially wasting resources, no?
Regardless, I find it rather odd that the service should be enabled by default given its deprecated status. I mean.. MacTels cannot run Classic, yet a major banner of the Classic OS (pre-8.6) is enabled by default? No one else sees that as odd? <shrug>
ChrisA
Dec 4, 2006, 11:45 AM
iAdware apparently works by silently installing a system library. That sounds like a vulnerability that Apple could easily fix, by requiring Admin privileges, issuing a warning, and/or prompting for an Admin password.
Seems easy for an end user to fix it himself. Simply change permission on the library so a non-admin can't write there. About four clicks and you're done with it.
ChrisA
Dec 4, 2006, 11:52 AM
How so? That means the AppleTalk network stack is loaded.. needlessly, and potentially wasting resources, no?
Regardless, I find it rather odd that the service should be enabled by default given its deprecated status. I mean.. MacTels cannot run Classic, yet a major banner of the Classic OS (pre-8.6) is enabled by default? No one else sees that as odd? <shrug>
I worked in a place that still had old Apple equipment. I set up a server on a Sun/SPARC Solaris system that served Appletalk so those old Macs could get to home directories on the UNIX systems. I haven't worked there in 8 years but I can imagine someone buying a new Intel Mac and expecting to connect to the server using Appletalk. Of course the new macs could get the files using NFS just like the other UNIX machines.
When I was there they still have Appletalk printers on the network. Those old laser printers never die.
Linito
Dec 4, 2006, 12:36 PM
what does not kill us makes us stronger however this is a wake-up call :eek:
Go Apple kick butt :D
hulugu
Dec 4, 2006, 03:43 PM
Yeah, when the poll was loading I expected 80-90% to be concerned about security, turns out only 40% are. So many ignorant "blissful" people that excuse Apple and think "It's Apple, of course it's safe". Obviously it's not. Ten serious exploits in about as many days of looking (they spent 30 days total, about an equal amount on linux and mac, and the rest on other OS's, so 10 should be right) and that is just scratching the surface. I was shocked that Apple actually had so many vulnerabilities, and for those that didn't find it scary that someone can install a program with kernel access simply by having you download their dmg file (not even opening it), well they're just being silly and need to realize that this is 2006, and some extremely bad things can happen if we are to go by that analyst's words (saying OS X is not hot on security and that it is easy to find new hacks). :p
Not at all. I voted no, and I did so because I've spent enough time reading through vulnerability assessments to know that all software has problems, therefore I tend not to light my hair on fire and run around screaming the sky is falling the minute someone finds a flaw or a vector of flaws like the MOKB. Instead, I pay attention to the results, take steps to mitigate any possible problems, and then wait for the Security Update from Apple. The sooner the update happens, like the quick fix for the iAdware flaw, the happier I am.
Furthermore, one of the MOKB flaws is just a bug and is not actually a security vulnerability. The dmg vulnerability, wherein a malformed disk image can crash OS X and during this inject unknown code, has been debunked according to this guy (http://alastairs-place.net/2006/11/dmg-vulnerability/).
So, no I'm not concerned. I'm watchful, but I'm going to withhold the running and screaming and the Apple-better-*******-fix-this! rant until something serious happens.
yellow
Dec 4, 2006, 03:50 PM
Personally I voted no, not because I am ignorant, but because there wasn't a more appropriate answer. It is my job to be concerned about all aspects of computing, but I am NO MORE concerned because of this "month of kernel bugs" than I was before the month of November. I also find it highly unlikely that I will be nipped by any of these bugs shoehorned into malware before they are wiped clean by a security update.
goosnarrggh
Dec 5, 2006, 12:48 PM
Furthermore, one of the MOKB flaws is just a bug and is not actually a security vulnerability. The dmg vulnerability, wherein a malformed disk image can crash OS X and during this inject unknown code, has been debunked according to this guy (http://alastairs-place.net/2006/11/dmg-vulnerability/).
Indeed on first read, I'd say that he presents a convincing argument. I'll go along with his diagnosis that there's no hole that could open you up to arbitrary code execution. If that's your definition of a security hole, then it follows that there's no security hole there. But it's still leaving you open to the possibility that the operating system may crash for no apparent reason, causing you to lose any unsaved work.
Lost work... Depending on how productive you are, that can easily result in monetary damage being done.
As I posted previously, that leaves you in no worse a situation than you always are if you're running a desktop computer without a UPS. But I think that it still warrants attention.
At best it still qualifies as an inconvenience, because the savvy user who saves her work regularly will only have lost 5 or 6 minutes of productivity including the reboot. At worst, it can result in hours of lost work for the user who doesn't understand the "save your work" mantra -- especially if we're talking about somebody who's protected by a battery backup and doesn't think that unexpected reboots should be possible on such an inherently stable operating system.
And it's undoubtedly a bug inside Apple's software that's causing this problem, therefore it is absolutely appropriate that Apple should be expected to fix it. I appreciate anybody's effort to bring such bugs to light, because that increases the probability that Apple will find out about it and fix it.
hulugu
Dec 5, 2006, 01:10 PM
Indeed on first read, I'd say that he presents a convincing argument. I'll go along with his diagnosis that there's no hole that could open you up to arbitrary code execution. If that's your definition of a security hole, then it follows that there's no security hole there. But it's still leaving you open to the possibility that the operating system may crash for no apparent reason, causing you to lose any unsaved work.
Lost work... Depending on how productive you are, that can easily result in monetary damage being done.
As I posted previously, that leaves you in no worse a situation than you always are if you're running a desktop computer without a UPS. But I think that it still warrants attention.
At best it still qualifies as an inconvenience, because the savvy user who saves her work regularly will only have lost 5 or 6 minutes of productivity including the reboot. At worst, it can result in hours of lost work for the user who doesn't understand the "save your work" mantra -- especially if we're talking about somebody who's protected by a battery backup and doesn't think that unexpected reboots should be possible on such an inherently stable operating system.
And it's undoubtedly a bug inside Apple's software that's causing this problem, therefore it is absolutely appropriate that Apple should be expected to fix it. I appreciate anybody's effort to bring such bugs to light, because that increases the probability that Apple will find out about it and fix it.
I'm saying Apple shouldn't fix it, I'm merely pointing out that many people are reacting to the MOKB as a wealth of major security flaws.
This is a bug, an annoying bug that should be fixed, but that's very different from a security flaw in which a crash can be used to inject malicious code. MOKB's author LMH was wrong about this particular instance and he did not do the research required of a security professional in this particular problem.
Again, don't dismiss the MOKB or the warnings from Secunia or F-Secure or even the demonstrations by Ellrich and Johnny Cache, instead we need to assess the problem as best we can.
I would say that you probably shouldn't be installing .dmgs while you're doing important work that hasn't been saved, that's just asking for trouble.
joeshell383
Dec 20, 2006, 01:58 AM
V.I.S.T.A (Virus Infections Spyware Trojans Adware)
I like that one :D
Westside guy
Dec 20, 2006, 02:15 AM
I was happy to see that the last two bugs (one Linux, one OS X) were being handled responsibly - they weren't going to release the details until a patch was available. I'm guessing this was submitted by someone other than the project leader, since he seemed to be more of a "me too" glory hound.
I thought the bugs found were not particularly surprising ones; and not all are applicable to the vast majority of users (any local exploit isn't likely to be relevant on a one-person box). I'd hope people would use the MOKB as yet another reminder to practice better security - e.g. not run as an admin for day to day stuff :D be careful what you put on your machine, etc. - but I know that's not likely to change in the short term.