macrumors bot
Original poster
Apple has released new details (via @cabel) on the security flaw that caused the Developer Center to be down for more than a week, noting via its Apple Web Server notifications page that a "remote code execution issue" was fixed.

On the site, Apple credits 7dscan.com and SCANV of www.knownsec.com for reporting the bug on July 18, which is the same day the Developer Center was taken offline. During the downtime, Apple reported that the Developer Center website had been hacked, with an intruder attempting "to secure personal information" from registered developers. The company noted that while sensitive information was encrypted, some developer names, mailing addresses, and/or email addresses may have been acquired.

The eight-day outage required a complete overhaul of Apple's developer systems and a restoration plan that slowly brought services back online.

While security researcher Ibrahim Balic speculated that he might have been behind the security breach, it is now clear that the issue he reported was unrelated to the major flaw that caused the downtime. Apple credits Ibrahim with reporting a separate iAd Workbench vulnerability on July 22. The vulnerability allowed Balic to obtain both names and Apple IDs of users.

On August 10, Apple reported that all of its developer services were back online, a full 23 days after the outage first occurred. As a result of the downtime, Apple gave all developers a one month extension on their developer memberships.

Article Link: Apple Developer Center Outage Fixed 'Remote Code Execution' Flaw
 
interesting. guess all that vitriol towards Ibrahim Balic was completely unnecessary, since he had nothing to do with it.

glad it's all settled.

edit: misspelling of vitriol.
 
Glad it's finally all resolved. I'm sure someone is trying to find the next venerability.
 
Glad it's finally all resolved. I'm sure someone is trying to find the next venerability.

ven·er·a·ble (vĕn′ər-ə-bəl)
adj.
1. Commanding respect by virtue of age, dignity, character, or position.
2. Worthy of reverence, especially by religious or historical association: venerable relics.
3. Venerable Abbr. Ven. or V.
a. Roman Catholic Church Used as a form of address for a person who has reached the first stage of canonization.
b. Used as a form of address for an archdeacon in the Anglican Church or the Episcopal Church.

vener·a·ble·ness, vener·a·bili·ty n.
vener·a·bly adv.
 
interesting. guess all that viterol towards Ibrahim Balic was completely unnecessary, since he had nothing to do with it.

glad it's all settled.

Think of readers whose first language isn't English. When you use unusual words with spelling that is not found in any dictionary, they can have a hard time finding out what you mean. Ibrahim Balic is quite possibly one of them.

Now whatever was said about him, he deserved it. He took actions that he shouldn't have taken and openly boasted about it. If you want to appear as the tough guy who brought Apple's developer site down, then you deserve anything that comes as a reaction.
 
If they used OS X, I hope they released a patch for the system.

This is quite unlikely. My educated guess points to server software (WebObjects?) or software running on top of it. Besides, Apple has been reported to be using primarily Solaris for internet services.
 
Apple doesn't use OS X on their servers IIRC

And you know this.... how exactly?

This is quite unlikely. My educated guess points to server software (WebObjects) or software running on top of it. Besides, Apple has been reported to be using Solaris as the main operating system for running internet services.

Key word, reported, but not confirmed. So, until that time I'll assume it is also a bug in OS X Server that needs addressing. However, I'll give the benefit of doubt and also throw in that it might be the software running on top of OS X.
 
And you know this.... how exactly?



Key word, reported, but not confirmed. So, until that time I'll assume it is also a bug in OS X Server that needs addressing. However, I'll give the benefit of doubt and also throw in that it might be the software running on top of OS X.

OS X server has tons of memory overhead (like the GUI) and is not as scalable as some other solutions. Servers at enterprise level need to be as optimised for one job (granted, depends on the server) as much as possible to reduce overhead and costs.

Bottom line: If you need to host a website which has millions of viewers a day, it's just not efficient nor cost-friendly to do it purely on OS X. Also, one thing to add is if you look at their job applications for system administrators, it's mostly for Solaris/Linux.
 
And you know this.... how exactly?



Key word, reported, but not confirmed. So, until that time I'll assume it is also a bug in OS X Server that needs addressing. However, I'll give the benefit of doubt and also throw in that it might be the software running on top of OS X.


Because he knows what he's talking about, unlike you. OSX Server is not designed for that kind of use and would crumble under the load.
 
Isn't this much better than calling the FBI dogs and DA to throw charges against the wall to see what will stick, placing the target in immediate bankruptcy? Level heads prevailed.

Also, kudos for completely rewriting a pretty damn complex site so quickly.
 
interesting. guess all that viterol towards Ibrahim Balic was completely unnecessary, since he had nothing to do with it.

glad it's all settled.

Viterol? Sounds like some kind of alcohol. http://www.dslaboratories.com/viterol/whatis.php

----------

Because he knows what he's talking about, unlike you. OSX Server is not designed for that kind of use and would crumble under the load.

Is the OS not able to handle it or the hardware? You can't run OS X server on a giant server computer, just a Mac Pro at best. I'm assuming they use some kind of Linux. No need to use OS X server to run a website. It's great for a multi-purpose smallish business server or school server.
 
If they used OS X, I hope they released a patch for the system.

I have a gut feeling it's more about software running on top, since these 23 days were largely spent on a total rewrite. OS X can't do much if the software has flaws.
 
Think of readers whose first language isn't English. When you use unusual words with spelling that is not found in any dictionary, they can have a hard time finding out what you mean. Ibrahim Balic is quite possibly one of them.

Now whatever was said about him, he deserved it. He took actions that he shouldn't have taken and openly boasted about it. If you want to appear as the tough guy who brought Apple's developer site down, then you deserve anything that comes as a reaction.

I am confused. He did what all security researchers do. Namely try to find bugs. He then quietly reported the bugs to Apple. The site then went down the same day. The guy freaked thinking he was the cause. To try and cover himself he posted a video outlining what happened. He was clearly worried about Apple coming after him. Turns out Apple credited him with discovering another unrelated bug. The guy acted properly and never boasted.
 
…..He did what all security researchers do. Namely try to find bugs. He then quietly reported the bugs to Apple. The site then went down the same day. The guy freaked thinking he was the cause. To try and cover himself he posted a video outlining what happened. He was clearly worried about Apple coming after him. Turns out Apple credited him with discovering another unrelated bug…..

The most likely scenario.

…..On the site, "Apple credits 7dscan.com and SCANV of www.knownsec.com for reporting the bug" on July 18, which is the same day the Developer Center was taken offline.

"Apple credits Ibrahim with reporting a separate iAd Workbench vulnerability" on July 22. The vulnerability allowed Balic to obtain both names and Apple IDs of users.

Article Link: Apple Developer Center Outage Fixed 'Remote Code Execution' Flaw

New status symbol for security researchers: Official Apple recognition and credit. :D

This can only mean more thorough 'research' into potential software vulnerabilities. :);):)
 
If they used OS X, I hope they released a patch for the system.

Where do you think all of these Xserves went that didn't sell so well? But yes, I'm sure it will go out as a patch.

----------

New status symbol for security researchers: Official Apple recognition and credit. :D

This can only mean more thorough 'research' into potential software vulnerabilities. :);):)

This has been going on for years. Of all companies with a "stodgy" reputation, IBM is one of the biggest to pay out in cash for people finding security and other product flaws. Remember one event where someone programmed an IBM PC to swing the disk drive head matching the fundamental harmonic of the PC case. The whole thing started to vibrate and sway to the point of the motherboard cracking as the PC sparked and shorted itself out.

The whole security network team never considered a virus or other malware could expose a mechanical flaw but it did. This is one reason why you never see any closed system with an actuator and complementing sensor inclusive at the API level.
 
Remote code execution in the context of a web app could include SQL injection and/or other issues that would be unique to the specific web app and completely independent of the host OS of the web app.

Given the nature of the data exposed, SQL injection or a similar issue seems to make sense in this scenario.
 
Remote code execution in the context of a web app could include SQL injection and/or other issues that would be unique to the specific web app and completely independent of the host OS of the web app.

Given the nature of the data exposed, SQL injection or a similar issue seems to make sense in this scenario.

...and the obvious cartoon to accompany any mention of SQL injection...

http://xkcd.com/327/
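To make the point in the two posts above concrete, here is an added example (not from the thread, and not Apple's code): a constructed SQLite table of developer records is queried once with string-spliced SQL and once with a parameterized query. The flaw and the fix both live entirely in the application layer, which is why the host OS is irrelevant.

```python
import sqlite3

# Constructed sample data standing in for a developer-portal lookup table.
# These are invented records, not real Apple developer accounts.
DEVELOPERS = [
    ("dev1001", "Alice Example", "alice@example.com"),
    ("dev1002", "Bob Example", "bob@example.com"),
    ("dev1003", "Carol Example", "carol@example.com"),
]


def make_db():
    """Build an in-memory database holding the constructed records."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE developers (dev_id TEXT, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO developers VALUES (?, ?, ?)", DEVELOPERS)
    return conn


def lookup_vulnerable(conn, dev_id):
    # Application bug: user-controlled input is spliced into the SQL text,
    # so the input can change the query's structure, not just its value.
    sql = "SELECT name, email FROM developers WHERE dev_id = '%s'" % dev_id
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, dev_id):
    # Fix: the driver sends the value separately from the SQL text, so the
    # input is only ever compared as a literal dev_id string.
    sql = "SELECT name, email FROM developers WHERE dev_id = ?"
    return conn.execute(sql, (dev_id,)).fetchall()


def demo():
    """Run both lookups against a benign id and the textbook tautology."""
    conn = make_db()
    benign = "dev1002"
    # The classic xkcd-style input: turns the WHERE clause into "always true",
    # so the vulnerable version leaks every name and e-mail in the table.
    hostile = "x' OR '1'='1"
    return {
        "vuln_benign": lookup_vulnerable(conn, benign),
        "vuln_hostile": lookup_vulnerable(conn, hostile),
        "safe_benign": lookup_parameterized(conn, benign),
        "safe_hostile": lookup_parameterized(conn, hostile),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

The vulnerable lookup returns all three rows for the hostile input, matching the "names and email addresses" exposure the article describes; the parameterized lookup returns nothing.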
 
Apple's Server Farms use Solaris or Linux

If they used OS X, I hope they released a patch for the system.

Apple's server farm hardware includes:
  • HP rack servers
  • Teradata Extreme Data Appliances
  • NetApp FAS6200 Series Enterprise Storage

These run either:
  • Solaris or
  • Red Hat Enterprise Linux or its free clone: CentOS Linux or
  • SUSE Linux 10, SP3 - which comes with the Teradata Extreme Data Appliances

The bug that took down Apple's developer servers is in Linux or Solaris or the database software used in the Teradata Extreme Data Appliances or Apple's custom applications for their Developer Center.

Thus, whatever was corrected won't apply to Mac OS X.
 
Now whatever was said about him, he deserved it. He took actions that he shouldn't have taken and openly boasted about it. If you want to appear as the tough guy who brought Apple's developer site down, then you deserve anything that comes as a reaction.

He didn't boast. Quite the contrary, he only spoke up because he was frightened that his actions would get him in trouble.

This is quite unlikely. My educated guess points to server software (WebObjects?) or software running on top of it. Besides Apple has been reported to be using primarily Solaris for internet services.

Yep. One possibility is that it was a bug in Struts, the web services software that Apple reportedly uses:

https://news.ycombinator.com/item?id=6080620

(Personally, not a Struts fan. I had to do a site in it a few years ago.)
 