An exploit in Mac OS X

[Eazkk123]

An exploit in Mac OS X according to http://www.frsirt.com/english/advisories/2007/4216

"Title : Apple Mac OS X "cs_validate_page" Local Denial of Service Vulnerability
Advisory ID : FrSIRT/ADV-2007-4216
CVE ID : GENERIC-MAP-NOMATCH
Rated as : Low Risk
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2007-12-13"



Is this common on a mac?

 

[Rorzabal]

In other news, security researchers have identified a vulnerability in Mac OS X whereby a malicious user can press the power button on the local machine, resulting in a Denial of Service attack.

Some of these things are just getting ridiculous.

 

[gauchogolfer]

First I've heard of it, and it sounds more like a proof-of-concept than an actual exploit I'm the wild.

Edit: what ^^^ said

 

[0007776]

wake me up when someone actually sucesfully uses one of these exploits that they find.

 

[SthrnCmfrtr]

via a specially crafted Mach-O binary.

Oooooh..... I'm so afraid. Eek, eek, shiver with fright, beg for mercy, etc.

 

[Sun Baked]

Is this common on a mac?

Yes, but it hasn't been a real big problem.

All OS's have vulnerabilities, but the biggest problem on the Macs tend to be MS Macros or trojan horses.

 

[unity]

One of these days you will ALL be proven wrong and a virus will spread ramped and start taking down all these "no virus Macs". People will scramble to the store to get the virus software they should have had in the first place! So, when this happens, please did me up from my grave in about 200 years....

 

[psonice]

This one is nothing - basically, you would have to download a program from the internet, and run it. Even then, all it would do is crash the mac, and you'd have to restart.

 

[Phil A.]

This one is nothing - basically, you would have to download a program from the internet, and run it. Even then, all it would do is crash the mac, and you'd have to restart.

Isn't that called Microsoft Office

 

[robert05au]

One of these days you will ALL be proven wrong and a virus will spread ramped and start taking down all these "no virus Macs". People will scramble to the store to get the virus software they should have had in the first place! So, when this happens, please did me up from my grave in about 200 years....

What a load of PC based BS

I for one do use Antivirus software on my mac not so much for any mac viruses but not wanting to send on windows crap that seems to be never ending coming via email daily.

 

[TheStu]

What a load of PC based BS

I for one do use Antivirus software on my mac not so much for any mac viruses but not wanting to send on windows crap that seems to be never ending coming via email daily.

Well, then at that point you aren't really using an OS X AV App... you are using a Windows AV program that has been ported over to OS X (not really, but the idea is the same). You aren't using the app to protect OS X against viruses, but rather to protect Windows against viruses you may pass along. I guess in that sense, OS X could be construed as a carrier... een-teresting.

 

[SC68Cal]

Yes, but it hasn't been a real big problem.

All OS's have vulnerabilities, but the biggest problem on the Macs tend to be MS Macros or trojan horses.

Yeah, because all the MOAB exploits were just M$ macros. Don't kid yourself.

Everyone's turning a blind eye towards all the quicktime stuff that was out in the wild, and just was patched?

 

[NAG]

Yeah, the quicktime exploits are kind of troubling. The MOAB junk was not that though. The quicktime exploit that was just patched was from a couple months back, which was the slowest they've ever patched, I believe. MOAB was like a year ago and most of that grandstanding egostroking was aimed at non-apple software. The funny part is that the Omnigroup fixed the omniweb one within a few hours and were not informed by the MOAB guys about the exploit (they had to read about it in the news). Bringing MOAB into a discussion of Apple security problems is just as bad as saying Hitler.

 

[SC68Cal]

MOAB != Godwin's Law.

MOAB had a few notable exploits. The big one for me was #15. They never should have setuid programs writable by admin group members, let alone have Disk Utility blindly escalate privileges with no authentication and no binary checks to make sure that nothing has been changed before giving back setuid bits.

 

[Mernak]

What a load of PC based BS

I for one do use Antivirus software on my mac not so much for any mac viruses but not wanting to send on windows crap that seems to be never ending coming via email daily.

Correct me if I am wrong, but I believe the previous poster was being sarcastic, notice the "dig up my grave in 200 years, when it happens" and the fact he was a MacRumors 6502.

To the main OP, Macs have security vurnerabilities just like anything else, just look at the patch notes when using Software Update. However these are usually minor and proof of concept.

 

[NAG]

MOAB != Godwin's Law.

MOAB had a few notable exploits. The big one for me was #15. They never should have setuid programs writable by admin group members, let alone have Disk Utility blindly escalate privileges with no authentication and no binary checks to make sure that nothing has been changed before giving back setuid bits.

When you're a group of attention seeking weirdos and you label something "apple bugs" yet go and drag in third party developers without giving them advanced notice or any notice at all (the later was true) and don't even bother to post the fix (such as with the omniweb example) then I have to seriously consider the motives.

 

[SC68Cal]

When you're a group of attention seeking weirdos

Someone's got a chip on their shoulder.

and you label something "apple bugs"

Well, that was the whole point. Apple bugs. OS X, software, fanboyism, etc...

yet go and drag in third party developers without giving them advanced notice or any notice at all (the later was true)

Full disclosure. Idea is to make people fix them, rather than sitting on it. If you don't like it, don't write software. Don't release it, don't sell it.

and don't even bother to post the fix (such as with the omniweb example) then I have to seriously consider the motives.

The point is not to be a sounding board for the companies. They'll announce patches. If anything, everyone was jumping up and down crying victory when a patch was released for a MOAB exploit. Somehow they "won" over MOAB? When the whole point of MOAB was to get them to release fixes and become more aware of secure coding practices?

You're just pissed because they didn't give people advance notice.

 

[NAG]

Someone's got a chip on their shoulder.

[...]

Idea is to make people fix them, rather than sitting on it.

[...]

You're just pissed

I admit my tone was strong but I have to say that your attitude is disturbing. Do you perceive everyone as thinking they're better than you and you have to show them how wrong they are or something?

Additionally, I like your comment about full disclosure. You unfortunately said that while ignoring my comment on how they never notified the omnigroup after they posted the bug and didn't provide an update pointing to the updated omniweb to fix said bug. They were grandstanding. Hiding behind a crusade to teach people a lesson does not change that.

 

[unity]

Correct me if I am wrong, but I believe the previous poster was being sarcastic, notice the "dig up my grave in 200 years, when it happens" and the fact he was a MacRumors 6502.

To the main OP, Macs have security vurnerabilities just like anything else, just look at the patch notes when using Software Update. However these are usually minor and proof of concept.

Yes, I was being very sarcastic.

And besides, I love this whole "I have Antivirus software so I don't pass on PC viruses." Are you really forwarding attachments that much? I mean if you open a doc and save it, there is a good chance the virus was removed during that. Also if someone from a PC does send you a legit file there is a GREAT chance its clean since most home users have anti-virus software to some extent.

So I am sorry, but the very lame excuse of having software on a Mac in order to prevent ones self from being a carriers is what I would call denial, denial of wasting $60.

I am not saying that viruses for OS X will never exist, but the primary drive behind them being created is that its easy on windows and windows is more prevalent, add that to the fact that a lot of people simply hate windows and now you have a BIG target!

 

[Schtumple]

Isn't that called Microsoft Office

HA

awesome reply

The last major exploit i found for mac is........ *drum roll*

If a malicious user takes the front row remote, that user can then press the menu button whilst the regular user is doing work, thus "taking control" of your mac and annoying the hell out of you.

college dragged at times.

EDIT: if this exploit turns up on any sites I will personally throw a powermac G3 at the person that wrote it

 

[notsofatjames]

Well, then at that point you aren't really using an OS X AV App... you are using a Windows AV program that has been ported over to OS X (not really, but the idea is the same). You aren't using the app to protect OS X against viruses, but rather to protect Windows against viruses you may pass along.

I was always under the impression that AV apps searched for known code of viruses against an the virus database the app downloads whenever you chose to update it. I was also under the impression that there never has been a virus attack on OS X, therefore an AV app would have absolutely nothing to look for. Please someone correct me if I'm wrong here.

 

[NAG]

A virus is still code/software so it has to exist somewhere. These things can exist in a file. If you took a file that was infected with an old classic mac os worm (back when the mac os actually had something like this) the virus scanner would detect it and remove it even though the worm wouldn't be able to run on your new system.

That being said, unless you're transferring large amounts of files between many windows users the likelihood you becoming a carrier is low. It is like a real life virus in that respect.

 

[SC68Cal]

they never notified the omnigroup after they posted the bug

Really?

and didn't provide an update pointing to the updated omniweb to fix said bug.

Redundant. Omniweb does their own PR.

But in any case, KF was kind enough to provide this link in their announcement.

DMA[2007-0107a] - 'OmniWeb Javascript Alert Format String Vulnerabiity'
Author: Kevin Finisterre
Vendor(s): http://www.omnigroup.com
Product: 'OmniWeb 5.51 (?)'
References:
http://www.digitalmunition.com/DMA[2007-0107a].txt
http://www.omnigroup.com/applications/omniweb/
http://projects.info-pull.com/moab/MOAB-07-01-2007.html
http://www.omnigroup.com/applications/omniweb/download/
http://blog.omnigroup.com/2007/01/07/omniweb-552-now-available-and-more-secure/

All your whining about not giving Omni enough time to patch is pointless.

MOAB released their exploit

MOAB-07-01-2007: OmniWeb Javascript alert() Format String Vulnerability

OmniWeb 5.5.2 now available and more secure.
POSTED BY TROY ON 01.07.07 @ 2:47 PM

They patched it the same day

They gave them POC, debugging, the works. They didn't leave them in the dark. They knew what they had to do, clearly, because they did it the same day. Not to trivialize their hard work, Omni did a great job patching the problem quickly.

Again, you just don't like the attitude that MOAB took, nor mine. You can't argue on any logic.

 

[NAG]

Linking to a fix is redundant? Ah, got it so full disclosure is redundant. So full disclosure is good except when it is bad. Okay, would you like to redefine any more of your points?

Here, lets look at this.

If the “Month of Apple Bugs” project had given us advance notice of the security issue, we would have posted a fix sooner; as it was, they sent us notice at 11:15am and (as you can see) we posted this fixed release a few hours later.

We’re not proud to have had a vulnerability in the first place, naturally, but we are proud of our response time! (Now I guess we’ll see how quickly they respond to our fix, updating their workaround section to point people at our fixed release.)

link

So they give them "warning" at 11:15 am and the fix took a few hours. Lets look at it this way. The premise is that by not giving developers a heads up and instead trying to "teach them a lesson" that they will be ashamed and make a fix fast because apparently they either need motivation or something similar. Keep in mind this is a not a developer the size of Apple.

Lets change something, what would happen if they instead gave them 24 hours notice. One of two things will happen. Either a) they will release an patch to fix the problem in a "few hours" (maybe slightly more due to having a "few" more hours to do things like test for new bugs) or b) they release at the same time as they did if they were given no information until 11:15 am of the day the bug was publicly released.

So, what is the net difference by giving them even a tiny bit of warning? Well, possibility b looks the same as what happened but relies on the assumption that developers are lazy and need to be taught a lesson. So, no real difference and in fact provides real evidence that developers are indeed no good and lazy (how dare they take more than 24 hours to patch a bug). This would do much to bolster the movement that developers need to be more responsible/taught a lesson or whatnot.

Of course, there is that little possibility called a. It makes you wonder if they could have released the fix much sooner if they were notified. A week? A month? However long MOAB was sitting on the bug compiling a list of ammunition for their crusade most likely.

Basically, MOAB only showed how they were so desperate to teach Apple a lesson (and I guess everyone who doesn't share their opinions) that they had to resort to targeting third party developers and then being deceptive (I'm using the definition of deceptive that doesn't include implying that these were all Apple or even mac specific bugs since I'd rather not get into a semantics argument).

Also, I have a hard time taking you seriously at all when all you can put forward is that I'm "whining" etc because I pointed out a contradiction in your crusade to force the world to understand.

I hope you eventually grow past this desire as it really is self defeating.