'Month of Kernel Bugs' Ends, First Adware for Mac OS X?

[MacRumors]

Last month's Month of Kernel Bugs (MOKB) has concluded, and a total of 10 Mac OS X vulnerabilities has been found. The vulnerabilities were wide-ranging, from a wireless driver exploit to a system call, multiple disk image vulnerabilities, and most recently an AppleTalk vulnerability (among others). Apple patched the first wireless driver exploit along with other unrelated vulnerabilities this week, however all remaining MOKB vulnerabilities remain un-patched.

Interview
MOKB organizer "LMH" spoke to MacRumors about the project. According to LMH, most of the project's time was spent on Linux and the Mac OS, both of which were described as "not hard" to break.

The Linux kernel takes little time to break. I'm more familiar with the code and thus it also takes less time to isolate issues. OS X kernel (XNU) takes less time but depending on the area you're checking, debugging and isolation may require a bit more time (if you take into account that AppleTalk source code is almost unreadable and totally deprecated) [...] I didn't have much time left for working on Microsoft Windows but I've received the most helpful feedback from the MSRC people on potentially interesting stuff to check. Not a huge reference of internal code nor NDA covered documents, but at least enough to start with.

In LMH's point of view, the state of Mac OS X security is not great.

From the technical perspective, OS X security is rather poor, at least when it comes to kernel-land code. This isn't a sign of negligence of Apple, but obviously when you take code from many different places and stick it together, it's prone to problems. Not just new ones but also old issues that 'went under the radar'. [...] (ed note: now comparing MS to Apple) I can say that Microsoft has a more thorough auditing process and investment when it comes to kernel code than Apple. They also have the advantage of having such code being produced within the company. Mac OS X kernel, for example, depends heavily on FreeBSD development. A security flaw in the FreeBSD kernel will likely affect OS X and probably other BSD "flavours"

However, just because LMH is a bit critical of Mac OS X's security, don't call him an Apple-hater.

Taking security arguments apart, I have to say that Mac OS X is a pretty well integrated system. It's tightly packaged [...] and nice looking. I'm an OS X user myself and I certainly feel like Apple has invested long time on tweaking the little details. Now they just have to invest a little more on security matters, but not hiring a 'turnover security firm' to do the consulting that leaves the job half done. That's what failed, IMHO.

First Adware for Mac OS X?
In related news, F-Secure claims to have received what is possibly the first ever proof-of-concept Adware program for Mac OS X. The program, dubbed iAdware, will launch Safari to specified web pages when the user used any number of applications, and installation of the adware did not require admin privileges.

[ Digg This ]

 

[Doctor Q]

iAdware apparently works by silently installing a system library. That sounds like a vulnerability that Apple could easily fix, by requiring Admin privileges, issuing a warning, and/or prompting for an Admin password.

 

[swingerofbirch]

I'll say it before, and I'll say it again, this is a critical time for Apple and it's no time to be an Apple apologist. It's time to hold Apple's feet to the fire. Being soft on them isn't helping them. It's just enabling them not to realize their full potential.

 

[G5Unit]

I for one, welcome our new Adware overloards.

 

[suneohair]

I don't know but is the Adware related to this:

Sometimes when I download videos from LimeWire, and run then it will bring up a browser window and open a site. Essentially an ad. Do this supposed hole cause this?

Apple definitely needs to get more serious about security. As more people start to buy Macs, more people will start to tinker and find holes. I hope Apple will rise to the challenge.

 

[QCassidy352]

I for one, welcome our new Adware overloards.

You don't have a sign behind you that says "Hail Adware," do you?

 

[longofest]

Apple definitely needs to get more serious about security. As more people start to buy Macs, more people will start to tinker and find holes. I hope Apple will rise to the challenge.

My feelings exactly. Its bad enough that the vulnerabilities are "easy" to discover and puncture, but as the marketshare goes up, there is no doubt that we are going to get exploited more and more, and I really don't want our OS caught with its pants down by its ankles like Windows.

Apple has a couple of advantages by being Unix based, but because its a hybrid kernel, like LMH said, they also get some inevitable vulnerabilities. They gotta get a bit more serious about auditing their code. For all of the problems MS has had, I will say this. At least they have already had them, and by now have gotten such an auditing system in place that "dummy" vulnerabilities don't get through in releases as easily.

 

[jholzner]

I'm glad they did this and I hope Apple acts on all the things they found ASAP!

 

[LostPacket]

It's time to hold Apple's feet to the fire. Being soft on them isn't helping them.

I agree. Tough love is best here. It's better to have the vulnerabilities exposed in this manner than in a live scenario. Let's just hope the press from this is enough for Apple to fix the problem before we have something bigger than a proof-of-concept exploit.

 

[TheBobcat]

I think Apple's response to this, in both its speed and thoroughness will give us some real hard data to go on as far as OSX's security.

Because of increasing users, and the much-maligned Mac user smugness, you can rest assured that there will be an onslaught every step of the way for Apple from here on out. They need to respond quickly, and completely, with no mercy.

 

[OhEsTen]

You don't have a sign behind you that says "Hail Adware," do you?

Perhaps he was offering to round-up fellow Mac-users to toil in Adware "sugar-mines"... lol

 

[lmalave]

I don't know but is the Adware related to this:

Sometimes when I download videos from LimeWire, and run then it will bring up a browser window and open a site. Essentially an ad. Do this supposed hole cause this?

Apple definitely needs to get more serious about security. As more people start to buy Macs, more people will start to tinker and find holes. I hope Apple will rise to the challenge.

No, that is not Adware. Adware is a program that is installed *on your computer*, so it can launch windows whenever it wants. In the case of Web pages that pop up when you are viewing a video, that's just because it's a "feature" of the particular video technology (e.g. in Real Media or Windows Media streams you can embed code to open a browser window). It's no more Adware than when you go to CNN.com and it launches a pop-up ad.

 

[OhEsTen]

Tough love is right....

C'mon Apple... don't let us down here.

I agree with the other posters here that Apple needs to take this seriously and kick it into high gear. Send a message to the world (or at least your user-base) that you're on top of the situation.

I for one, feel that Apple will come through, and am glad becuase I think there will always be a huge "community effort" put into making our choice of platforms better in terms of security

 

[Macula]

Apple needs to get serious about security. They cannot develop such an integrated, holistic line of products ("in your den, car, pocket,...") without tightening their security.

Windows Vista is NOT Windows XP. Apple risks lagging behind in that area and, in an ironic reversal of fortune, being widely considered as inferior to Microsoft in terms of security.

But if we agree that the development of a secure OS is all about utilizing sound design, coding and auditing processes, then we must also accept that the challenge will be very difficult for Apple to meet: You just cannot do that with Open Source...

Maybe it's about time Apple closed the Mac OS kernel?

 

[shawnce]

Maybe it's about time Apple closed the Mac OS kernel?

Umm why?

 

[840quadra]

I agree with the few others that are concerned about this.

Our Mac OS innocence is coming to an end. Part of this is due to the growing market share, and popularity in the Operating system. The other issue I feel that is of concern, is the new challenge this OS provides for Script kiddies, and bored coders. If you have an ego, and want to get your name out, why not do what hasn't been done before, as opposed to doing what everyone else does ?

This is going to be a growing trend, and the amount of Mac Haters in the wild is quite high! Once code tricks and secrets start to get out, it is only a matter of time before OS X is targeted by thousands, much like XP!

Apple has time to take this very seriously, and work to keep this system tight and secure! Hopefully this is going to be a big part of the focus on Leopard, but only developers will really know this!


These current headlines aside

1. Pay attention to what warning messages pop up when browsing the web.

2. Only download and install software from sources that you trust, and if you do trust them, take an extra moment to think about why you trust them, and if you really need to install that piece of 3rd party software!

3. Keep your firewalls on if possible

4. Don't permanently unlock preferences, folders, or other security areas on your system using your keychain, unless you really need to do so!


There are others, however that is a good baseline to follow for some minimal security checks and balances!

 

[KingYaba]

Router, firewall I feel OK.

 

[kalisphoenix]

Sober up, Steve. Less time on Time Machine and more time on solidifying the system.

AppleTalk: Who uses it, and why?

 

[yellow]

An interesting read in response to the kernel panic ability of the .DMG vulnerability:

Guess what I found? Not only is lmh’s diagnosis completely incorrect, but the problem isn’t a security flaw at all, let alone a critical, highly critical, or warn-everyone-via-the-BBC type event.

http://alastairs-place.net/2006/11/dmg-vulnerability/

A very insteresting read.. most of which I only barely grasp. Object oriented programming just makes my eyes glaze thinking about it.. The gist:

So, what have we learned:

• It is not a memory overwrite bug.

• It is not exploitable, except in that you can kernel panic a machine if you can persuade a user to double-click a damaged dmg file.

• It is not, therefore, possible to use this bug for privilege elevation or to execute arbitrary code in the kernel.

In fact, all lmh has found here is a bug that causes a kernel panic. Not a security flaw. Not a memory corruption bug. Just a completely orderly kernel panic. There aren’t even any processor exceptions involved; the path to the panic is perfectly normal non-exceptional code using ordinary function calls.

AppleTalk: Who uses it, and why?

No one.. and stangely it's now ON by DEFAULT in all the MacTels I've received lately. No idea why.

 

[840quadra]

No one.. and stangely it's now ON by DEFAULT in all the MacTels I've received lately. No idea why.

I do, and so does anyone who has a classic environment of System 7 and earlier for classic compatibility reasons.

Granted you can use TCP/IP on some of these, however the reliability of such extensions on early versions of Classic leaves much to be desired. I however turn off Appletalk when I am away from my home network.

 

[longofest]

Sober up, Steve. Less time on Time Machine and more time on solidifying the system.

AppleTalk: Who uses it, and why?

I'm pretty sure that any time you use Personal file sharing, you are using AppleTalk.

EDIT: More info... Personal File Sharing is based off of Apple Filing Protocol. From wikipedia:

AFP versions 3.0 and greater rely exclusively on TCP/IP (port 548 or 427) for establishing communication, supporting AppleTalk only as a service discovery protocol. The AFP 2.x family supports both TCP/IP and AppleTalk for communication and service discovery. Many third-party AFP implementations use AFP 2.x, thereby supporting AppleTalk as a connection method. Still earlier versions rely exclusively on AppleTalk. For this reason, some older literature refers to AFP as "AppleTalk Filing Protocol". Other literature may refer to AFP as "AppleShare," the name of the Mac OS 9 (and earlier) AFP client.

 

[hayesk]

I would really like to see how they installed this.

As far as I know, a web page can't save and install files, so how does the adware get installed in the first place. Does it trick the user into running an app? If so, then I wouldn't consider that a security hole.

 

[~Shard~]

Honestly, this is great news.

So many Mac users are completely ignorant and oblivious to the fact that their Mac is, contrary to popular belief, not that secure in some respects. Many Mac zealots and apologists will tout how bullet-proof OS X is, how it's nothing like Windows, how it's amazingly secure - well, it isn't in some cases.

Sure, it's still better in many respects than Windows, but Mac users should not be lured into a false sense of security over these matters. They need to be smart with their systems and not take anything for granted. Hopefully reports like this will assist those people in seeing the light. As Mac marketshare increases and more of a spotlight is put on OS X, it will attract more people who will try and exploit security vulnerabilities and so forth, so now more than ever this type of information needs to be made known. And more importantly, Apple needs to agressively address such matters timely and effectively.

OS X is great, but it isn't perfect.

 

[840quadra]

I'm pretty sure that any time you use Personal file sharing, you are using AppleTalk.

EDIT: More info... Personal File Sharing is based off of Apple Filing Protocol. From wikipedia:

I was about to correct your first post (politely) by saying that you can use AFP with AppleTalk disabled.

 

[orbital]

Apple really really needs to get on this... As far as some Script Kiddie wanting to make a name for themself the mass of mac users would need to be higher. There are still currently not enough mac users to warrent such acts, you would not get notice. I feel that a lot of coders find holes in XP because then they can exploit big business, were as macs are more often than not home computers. If apple its athe big 10% mark this will all change.