New Mac OS X Security Vulnerability Found

[MacRumors]

Security company Secunia reports that a new vulnerability in the way Mac OS X handles the "fpathconf()" system call has been discovered.

Quote:

The vulnerability exists due to an error in the "fpathconf()" syscall when it is called with an unsupported file type and can be exploited to cause a system panic.

The vulnerability was initially found in FreeBSD and was discovered in the latest version of 10.4.8 (with all patches applied) by Ilja Van Sprundel. The severity of the vulnerability is rated as "not critical," although a patch from Apple is not yet available. It is not currently known whether other systems (10.3.x, etc) are effected.

Recently, another Mac OS X concept virus was developed, code named OSX.Macarena. Similarly deemed "not critical", the virus is not known to be in the wild on more than 50 computers worldwide or at more than 2 sites (according to Symantec).

[Eidorian]

Get ready for a reboot and see you guys next time.

[scottlinux]

Nothing but FUD. You have to have a local account on the machine.

"Description:
Ilja Van Sprundel has discovered a vulnerability in Mac OS X, which can be exploited by malicious, local users to cause a DoS (Denial of Service)."

http://projects.info-pull.com/mokb/MOKB-09-11-2006.html

"Failure to handle unknown file types by the Mac OS X kernel (XNU) fpathconf() syscall causes a kernel panic, leading to an exploitable local denial of service by non-privileged users."

[gekko513]

It's not FUD in itself. It's a "not critical" vulnerability of which lots are found every year for all OSes. Secunia reports them all. If it's reported as anything other than "not critical" it becomes FUD. As a single news item, it's not even worth a page 2 article. Together with the other non-news item OSX.Macarena... perhaps, but only just.

[dr_lha]

Yeah, can we not label real security issues as "FUD" please? Just because its only going to be a threat if you have evil users on your machine, doesn't mean they should report it. These guys (Secuna) are doing everyone a favor by finding these issues. Maybe a local exploit isn't important to you, but not every Mac has local trusted users, think College Mac labs for example.

[longofest]

Quote:

Originally Posted by scottlinux

Nothing but FUD.

Is reporting on any security vulnerability FUD to you? due to the non-critical nature of this story, we put it on page2. But it is still a vulnerability, so we reported it. Remember also that the vulnerability is still unpatched as well.

[bousozoku]

Quote:

Originally Posted by scottlinux

Nothing but FUD. You have to have a local account on the machine.

"Description:
Ilja Van Sprundel has discovered a vulnerability in Mac OS X, which can be exploited by malicious, local users to cause a DoS (Denial of Service)."

http://projects.info-pull.com/mokb/MOKB-09-11-2006.html

"Failure to handle unknown file types by the Mac OS X kernel (XNU) fpathconf() syscall causes a kernel panic, leading to an exploitable local denial of service by non-privileged users."

It's still important that it's fixed. It may not happen that everyone is in the position to have the problem, but someone might. Security problems need to be handled correctly and quickly.

[benthewraith]

Quote:

Originally Posted by Macrumors

Security company Secunia reports that a new vulnerability in the way Mac OS X handles the "fpathconf()" system call has been discovered.

Secunia? The ones that everyday publish crap about security vulnerabilities on the world wide web that can be read by thousands of black-hatters?

[shadowfax]

this would be cool and interesting. if it could spread, before it ran itself, and by "running itself," i mean copying that code into startupItems, so you KP every time you turn on. that'd at least be a pain in the neck to fix, if still non-destructive.

[TheBobcat]

I wonder how large a message board would be if they had one of these threads every time a security vulnerability was found in Windows....

[scottlinux]

If you have local access to a machine, you can basically do anything.

There are worse things you can do with sudo in both Linux and OS X, than what this above 'vulnerability' describes. Hacking the sudo config file is easy enough, also.

That's almost like saying; "Here's a Linux and OS X vulnerability":

(note: don't actually do this, unless you want to erase your hard drive)

$ sudo rm -rf /

Wow! News headline. We have a *VIRUS!*
Macrumors: post me to a page 2 headline!!

Quote:

Recently, another Mac OS X concept virus was developed, code named OSX.Macarena.

The person who posted this in the first place has no idea what they are talking about. 'ANOTHER' virus? The FIRST link in question (secunia) is not a virus. It is about as far from being a virus as you can get. Why put a statement about a "virus" in with a local account bug?

I don't know how else you can spread FUD other than having a statement like the above statement.

[twoodcc]

Quote:

Originally Posted by Eidorian

Get ready for a reboot and see you guys next time.

yeah, that's what it's looking like

[iMikeT]

Why does everyone make such a hubbub over one, that's right one possible vunerability or a concept virus that is rated to be "extremely low-critical" that's discovered in Mac OS X? I mean, no one makes a big deal when thousands of new bugs are found on Windoze everyday. But every time anything is found on Mac, the computer world goes nuts! I have that feeling that the moment that one real threat is exploited in Mac OS X (which I hope will never happen), all the Windoze fanboys will throw the largest celebration in the history of the computer world.

[bousozoku]

Quote:

Originally Posted by iMikeT

Why does everyone make such a bubbub over one, that's right one possible vunerability or a concept virus that is rated to be "extremely low-critical" that's discovered in Mac OS X? I mean, no one makes a big deal when thousands of new bugs are found on Windoze everyday. But every time anything is found on Mac, the computer world goes nuts! I have that feeling that the moment that one real threat is exploited in Mac OS X (which I hope will never happen), all the Windoze fanboys will throw the largest celebration in the history of the computer world.

I believe it's because of all the ever-so-smug Mac users who are high on RDF but I could be mistaken.

[Analog Kid]

Each vulnerability is a link in a chain. You might be able to dismiss each issue individually, but when someone figures out how to chain a few of these together it becomes a problem.

Quote:

Originally Posted by iMikeT

Why does everyone make such a bubbub over one, that's right one possible vunerability or a concept virus that is rated to be "extremely low-critical" that's discovered in Mac OS X? I mean, no one makes a big deal when thousands of new bugs are found on Windoze everyday. But every time anything is found on Mac, the computer world goes nuts! I have that feeling that the moment that one real threat is exploited in Mac OS X (which I hope will never happen), all the Windoze fanboys will throw the largest celebration in the history of the computer world.

Might it have something to do with the fact that you get your news from Mac oriented sites? Your interests filter the information you see. You won't see a lot of Windows vulnerabilities posted here-- not even on page 2...

[bigandy]

Quote:

Originally Posted by shadowfax

this would be cool and interesting.

i don't think anyone affected by something like that would agree.

[yoavcs]

Quote:

Originally Posted by scottlinux

If you have local access to a machine, you can basically do anything.

There are worse things you can do with sudo in both Linux and OS X, than what this above 'vulnerability' describes. Hacking the sudo config file is easy enough, also.

That's almost like saying; "Here's a Linux and OS X vulnerability":

(note: don't actually do this, unless you want to erase your hard drive)

$ sudo rm -rf /

All well and good except for the fact that for sudo you need an admin password. For this security bug, you just need to write a program that makes a bad system call. No password needed.

[dr_lha]

scottlinux: You need to brush up on your English comprehension skills. Although I'll agree that the report about the virus seems out of place, when they say "another virus" they don't mean that this Secunia reported vunerability is the previous one.

[mkrishnan]

Quote:

Originally Posted by longofest

Is reporting on any security vulnerability FUD to you? due to the non-critical nature of this story, we put it on page2. But it is still a vulnerability, so we reported it. Remember also that the vulnerability is still unpatched as well.

I agree... it's FUD when you take this vulnerability and claim it is a super-high criticality vulnerability and shows clear evidence that "Mac OS X is not any safer than Windows" or something nonsensical like that. This sounds like a very reasonable report identifying a low-threat vulnerability that Apple should close. That's all. Meaning Secunia acted in a very responsible manner in this case. And you know I hate anti-virus companies, so I wouldn't say it if I didn't believe it.

[gnasher729]

Quote:

Originally Posted by yoavcs

All well and good except for the fact that for sudo you need an admin password. For this security bug, you just need to write a program that makes a bad system call. No password needed.

Replace "sudo rm -rf /" with "rm -rf ~/".

I don't actually care if you can mess up my system; just takes me about two hours of real time and three minutes of actual work to restore everything. Deleting my user files (if a user has no backups), that would be painful. And anyone with local access can do that.

And then of course what can a malicious person with access to my machine do if they have no admin password, but a large hammer (or a small screwdriver, which might actually be more effective)?

[Cubert]

First, Macarena was not really a virus. It was not self-propagating - it was simply a way to exploit standard UNIX file permissions. It had NO POTENTIAL TO DO HARM!

This new exploit is certainly real, but what can someone do with it? Can a hacker exploit it to gain access to your computer? NO.

End of story.

[Shadow]

Hmmm...it may be a security exploit but I'm sure Apple is working on a fix, and anyway, has it been seen in the wild yet?

[SMM]

Other than flashing our brilliance, is there any reason to give these hacker creaps ideas they have not thought of? Also, I too think the information is important, but I question the timing. Why not wait until it is patched? Or, is immediate gratification to strong a lure. Finally, I also agree this will be more exploited by the media/disinformation magnet. I would be willing to bet a paycheck someone will headline this as "Another MacIntosh virus found - this one with no known cure" (or a reasonable facimilie)

[Maccus Aurelius]

Quote:

Originally Posted by SMM

Other than flashing our brilliance, is there any reason to give these hacker creaps ideas they have not thought of? Also, I too think the information is important, but I question the timing. Why not wait until it is patched? Or, is immediate gratification to strong a lure. Finally, I also agree this will be more exploited by the media/disinformation magnet. I would be willing to bet a paycheck someone will headline this as "Another MacIntosh virus found - this one with no known cure" (or a reasonable facimilie)

Well it's nice to be forewarned. But anyway, simply saying a mac virus was found without actually having a single infected mac to show for it would make the claim quite dubious. but i agree with some that pointing out any security issue, no matter how small, is important. But this report of even non-critical exploits is very reassuring to me, because if you went up to someone with Windows and said "I have a virus on my PC" they'd either say "Again?" or "Me too!"

[Jig]

Quote:

Originally Posted by gnasher729

Replace "sudo rm -rf /" with "rm -rf ~/".

I don't actually care if you can mess up my system; just takes me about two hours of real time and three minutes of actual work to restore everything. Deleting my user files (if a user has no backups), that would be painful. And anyone with local access can do that.

And then of course what can a malicious person with access to my machine do if they have no admin password, but a large hammer (or a small screwdriver, which might actually be more effective)?

This assumes they have access to *your* account. Obviously if they have that, they can delete your files. This issue is about if they have access to *any* account. If you have the password to userA, you cannot delete the files belonging to userB. With this issue, you can get full admin access and do whatever you like.

This is a big issue if you have multiple accounts on a system, and especially if you run a server and allow remote access - harder to use a screwdriver then.

In short, it's a serious issue, but not one that is likely to be exploited in a worm.