Mac OS open to attack through unpatched Samba


MacBytes
May 29, 2007, 03:03 PM

Category: Mac OS X
Link: Mac OS open to attack through unpatched Samba (http://www.macbytes.com/link.php?sid=20070529160317)

Posted on MacBytes.com (http://www.macbytes.com)
Approved by Mudbug

wyatt23
May 29, 2007, 03:07 PM
I'll go as far as saying, this is a poor oversight of Apple to not have updated Samba.

that said... I'll never trust anything Symantec says until a legitimate company verifies their findings.

montex
May 29, 2007, 03:43 PM
Did I read this correctly? Your Mac has to be connected to a Windows computer or server using the SMB protocol in order to be at risk for compromise? Wouldn't that make Windows Software the attack vector?

Keep it on AFP, baby.

shamino
May 29, 2007, 05:09 PM
Did I read this correctly? Your Mac has to be connected to a Windows computer or server using the SMB protocol in order to be at risk for compromise?
No. You simply have to have Windows File Sharing enabled to open the vulnerability.

That being said, it is unlikely that anyone would turn this on unless they are connected to a Windows/SMB network. Apple ships Mac OS with this turned off, and very few people would turn it on without an actual need to do so.

(FWIW, my Macs all have this disabled. I share files with my LAN via AFP, and the LAN is behind a router/firewall that blocks all inbound connections. I use FTP or USB keychains when I need to transfer files between the Macs and the PCs.)

Earendil
May 29, 2007, 08:16 PM
It sounds as if the attack would have to come from an internal network as well?
Can you access a Windows file share from a remote location using internet protocols?

wnurse
May 29, 2007, 08:18 PM
No. You simply have to have Windows File Sharing enabled to open the vulnerability.

That being said, it is unlikely that anyone would turn this on unless they are connected to a Windows/SMB network. Apple ships Mac OS with this turned off, and very few people would turn it on without an actual need to do so.

(FWIW, my Macs all have this disabled. I share files with my LAN via AFP, and the LAN is behind a router/firewall that blocks all inbound connections. I use FTP or USB keychains when I need to transfer files between the Macs and the PCs.)

The security warning is obviously not meant for the usual consumer but for enterprises that have Macs connected in a heterogeneous network. As to the number of Macs, I think you can hardly speculate. The number of Macs in larger enterprises could easily exceed or compete with the total number of consumer Macs. Schools for example most likely have Macs connected to a Windows network (for obvious reasons).

mkrishnan
May 29, 2007, 08:25 PM
Schools for example most likely have Macs connected to a Windows network (for obvious reasons).

This is true, although, to be fair, in the typical enterprise or school setting, printers are on servers and not being shared from computers, and usually only the servers host share volumes. I haven't been in a lot of enterprise settings on Windows or otherwise where client workstations are sharing out resources. From what I understand, the exploit affects you if you *serve* Samba, but not if you access a Samba share being hosted by someone else....

That being said, Apple should address this ASAP.

Soba
May 29, 2007, 10:41 PM
Samba 3.0.10 was released in early December of 2004. The current stable release is 3.0.25a.

As Samba is a major system component and updates have far-reaching consequences, Apple obviously needs to be careful about choosing which versions of open source software updates to roll out with their OS X updates. But having said that, the version they're using is incredibly old. What exactly are they waiting for? This seems sloppy on Apple's part.

While Windows file sharing is not on by default, it is a widely used component of OS X and is likely in use on a lot of heterogeneous home networks and more than a few business and academic networks - especially on college campuses in dormitories.

They need to get this updated ASAP, and keep on top of things better in the future.

shamino
May 29, 2007, 11:10 PM
Can you access a Windows file share from a remote location using internet protocols?
Yes, if your LAN's router isn't firewalling the SMB ports.

Due to the potential security risk, I would recommend against ever opening these ports to the internet, but if you do, anyone can access your shares.
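
As an added example (not part of any post in this thread): a Python sketch of the two checks the posts above point to, whether the installed smbd is older than the 3.0.25a release Soba names as current stable, and whether the SMB ports shamino mentions are accepting connections. TCP 139 and 445 as the SMB ports, the `Version x.y.z` string format, and the use of 3.0.25a as a baseline (the thread does not say which release fixes the issue) are assumptions.

```python
import re
import socket

SMB_PORTS = (139, 445)   # assumed: NetBIOS session service and direct-hosted SMB
BASELINE = "3.0.25a"     # "current stable" per the thread; not a stated fix version

_VERSION = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]?)")


def parse_samba_version(text):
    """Return (major, minor, patch, letter) from text such as 'Version 3.0.25a'."""
    match = _VERSION.search(text)
    if not match:
        raise ValueError("no Samba version found in %r" % text)
    major, minor, patch, letter = match.groups()
    return (int(major), int(minor), int(patch), letter)


def is_older(version_text, baseline=BASELINE):
    """True if version_text sorts before baseline; '3.0.25' < '3.0.25a' < '3.0.25b'."""
    return parse_samba_version(version_text) < parse_samba_version(baseline)


def listening_smb_ports(host="127.0.0.1", ports=SMB_PORTS, timeout=0.5):
    """Return the subset of ports on host that accept a TCP connection."""
    accepted = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
            sock.settimeout(timeout)
            if sock.connect_ex((host, port)) == 0:
                accepted.append(port)
    return accepted


def assess(version_text, open_ports):
    """Combine the version check and the listener check into one finding."""
    outdated = is_older(version_text)
    if outdated and open_ports:
        return "exposed: outdated smbd is accepting connections"
    if open_ports:
        return "serving: smbd is listening; keep these ports firewalled from the internet"
    if outdated:
        return "dormant: outdated smbd installed, file sharing not listening"
    return "ok"


if __name__ == "__main__":
    sample = "Version 3.0.10"  # constructed sample of version output
    print(assess(sample, listening_smb_ports()))
```

Run it on the Mac itself for the local check, or pass the Mac's LAN address as `host` from another machine to see what the network can reach.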

PCMacUser
May 30, 2007, 04:51 AM
that said... I'll never trust anything Symantec says until a legitimate company verifies their findings.

Hi sorry, just wondering if you could explain that statement. I'm an IT professional and I can confidently say that Symantec is one of the most trusted companies when it comes to security. But I'm interested to hear what your experience has been with Symantec's products in your organisation, etc.

shamino
May 30, 2007, 08:42 AM
Hi sorry, just wondering if you could explain that statement. I'm an IT professional and I can confidently say that Symantec is one of the most trusted companies when it comes to security. But I'm interested to hear what your experience has been with Symantec's products in your organisation, etc.
I don't know what Wyatt was thinking, but I share his opinion.

Go look at Symantec's history with respect to Mac OS. They are one of the loudest voices in the "you Mac people are idiots, your systems will all be pwned because you aren't running our products" camp.

Their behavior over the last 4-5 years shows me that they are far more interested in scaring newbies into buying unnecessary software than they are in actually securing anything.

The fact that their software destabilizes Mac OS doesn't help either.

wnurse
May 30, 2007, 07:25 PM
I don't know what Wyatt was thinking, but I share his opinion.

Go look at Symantec's history with respect to Mac OS. They are one of the loudest voices in the "you Mac people are idiots, your systems will all be pwned because you aren't running our products" camp.

Their behavior over the last 4-5 years shows me that they are far more interested in scaring newbies into buying unnecessary software than they are in actually securing anything.

The fact that their software destabilizes Mac OS doesn't help either.

I use Symantec's product on my Mac and it does not destabilize my Mac.
Granted, Symantec may make statements that infuriate the Mac faithful but how is that related to whether their software is any good?

impierced
May 31, 2007, 01:41 PM
I use Symantec's product on my Mac and it does not destabilize my Mac.
Granted, Symantec may make statements that infuriate the Mac faithful but how is that related to whether their software is any good?

The argument that "it does not destabilize MY Mac" doesn't mean that problems haven't existed or that none continue to... ;)

I've been using Symantec products on Macs since they first offered their products, and have seen problems that have resulted in days of debugging and downtime. Not to mention, buggy releases and incompatibility problems that take forever to resolve when new hardware is released.

While I probably have a dozen or so examples, for the sake of time I'll provide two:

#1 (old version): We scanned our applications file server using NAV with r/w access. Then we would add a few new applications. Any new application that we added to the file server that had not been scanned would instantly and completely lock up the workstation. Turns out that because the newly added application wasn't in the NAV scanned database on the file server, NAV would cause a system halt. That one took a while to figure out as we started with randomly locking up computers.

#2 (last version tested): Using portable home directories, NAV enjoys locking up my client computer at random times unless you add the invisible mount share to a SafeZone.

Course, given the pervasive nature of the software, I suppose one should expect some problems to exist... :eek: :eek: :eek:

yellow
May 31, 2007, 01:46 PM
As Samba is a major system component and updates have far-reaching consequences, Apple obviously needs to be careful about choosing which versions of open source software updates to roll out with their OS X updates. But having said that, the version they're using is incredibly old. What exactly are they waiting for? This seems sloppy on Apple's part.

I feel the same way about Apache.