'Month of Kernel Bugs' Ends, First Adware for Mac OS X?

[SMM]

.....<text removed>.......

Perhaps a few of the people who said yes may think that, but don't assume all of us are like that! Please feel free to look into my post history, not that it is any of your business anyway. You will find that I am a true Apple and Mac fan through and through!

I do not assume any such thing. There were two issues involved in my post. One was about the motivation, and reaction about security. The other was more generalized about the disinformation campaign (FUD), I am witnessing on this board. I did not reference any particular post, content, or person in this thread. So, I am unclear why you seem to feel I have attacked you, or (collectively) everyone.

 

[c.hilding]

I agree. Tough love is best here. It's better to have the vulnerabilities exposed in this manner than in a live scenario. Let's just hope the press from this is enough for Apple to fix the problem before we have something bigger than a proof-of-concept exploit.

Yeah, when the poll was loading I expected 80-90% to be concerned about security, turns out only 40% are. So many ignorant "blissful" people that excuse Apple and think "It's Apple, of course it's safe". Obviously it's not. Ten serious exploits in about as many days of looking (they spent 30 days total, about an equal amount on linux and mac, and the rest on other OS's, so 10 should be right) and that is just scratching the surface. I was shocked that Apple actually had so many vulnerabilities, and for those that didn't find it scary that someone can install a program with kernel access simply by having you download their dmg file (not even opening it), well they're just being silly and need to realize that this is 2006, and some extremely bad things can happen if we are to go by that analysts words (saying OS X is not hot on security and that it is easy to find new hacks). 😛

 

[Nym]

I feel safe running OSX...

Although the future will eventually bring us Mac users some "possible exploits" and other privacy invasions, I feel that Apple has made a good job so far protecting OSX and, as far as I'm concerned, they have earned my trust.
What I'm saying is that we should all just take it easy and worry about this stuff when it actually happens and IF it happens. However, as of now, I think these "kernel bugs" are nothing more than reverse advertisement for the new upcoming Windows, call me paranoid, but I know a lot of PC maniacs are dying for Mac's to get any kind of V.I.S.T.A (Virus Infections Spyware Trojans Adware). In fact, I'm more scared of being kicked by a horse today than getting Mac Viruses in the next couple of years 🙄

I for one loooooove to brag from the top of the mountains:
"MY Mac IS 100% V.I.S.T.A FREE!" 😀

Just my opinion on the topic 🙂 extreme neh?

 

[goosnarrggh]

Mac OS X is so stable that I am perfectly comfortable working for an hour in between saving my open files. If I was likely to run into websites that purposely exploited a flaw to crash my Mac, I'd have to change my habits and live more defensively.

Excellent point.

If you use a notebook or a desktop with a UPS, it can be extremely easy to forget about the fact that reboots may happen at any time, even without fautly software getting in the way. (Lately in Nova Scotia, the culprit has been "salty fog" invading our power substations...) Obviously this is a bug that can cause loss of work (and thus loss of money). And obviously the ultimate solution must be a more graceful failure response by the OS.

But a good stopgap measure to protect from the only potential damage which can so far be demonstrated to potentially come from this vulnerability, would be to enable the autosave feature of your software. That measure requires a one-time investment of effort on your part, and subsequently shouldn't have any effect on your work habits. I have never used any reputable productivity software which didn't have an autosave feature.

 

[yellow]

That is different then having AppleTalk active on a network connection.

How so? That means the AppleTalk network stack is loaded.. needlessly, and potentially wasting resources, no?

Regardless, I find it rather odd that the service should be enabled by default given it's depricated status. I mean.. MacTels cannot run Classic, yet a major banner of the Classic OS (pre-8.6) is enabled by default? No one else sees that as odd? <shrug>

 

[ChrisA]

iAdware apparently works by silently installing a system library. That sounds like a vulnerability that Apple could easily fix, by requiring Admin privileges, issuing a warning, and/or prompting for an Admin password.

Seems easy for an end user to fix it himself. Simply change permision on the library so a non-admin can't write there. About four clicks and you're done with it.

 

[ChrisA]

How so? That means the AppleTalk network stack is loaded.. needlessly, and potentially wasting resources, no?

Regardless, I find it rather odd that the service should be enabled by default given it's depricated status. I mean.. MacTels cannot run Classic, yet a major banner of the Classic OS (pre-8.6) is enabled by default? No one else sees that as odd? <shrug>

I worked in a place that still had old Apple equipment. I set up a server on a Sun/SPARC Solaris system that served Appletalk so those old Macs could get to home directories on the UNIX systems. I haven't worked there in 8 years but I can imagine someone buying a new Intel Mac and expecting to connect to the server using Appletalk. Of course the new macs could get the files using NFS just like the other UNIX machines.

When I was there they still have Appletalk printers on the network. Those old laser printers never die.

 

[Linito]

what does not kill us makes us stronger however this is a wake-up call 😱
Go Apple kick but 😀

 

[hulugu]

Yeah, when the poll was loading I expected 80-90% to be concerned about security, turns out only 40% are. So many ignorant "blissful" people that excuse Apple and think "It's Apple, of course it's safe". Obviously it's not. Ten serious exploits in about as many days of looking (they spent 30 days total, about an equal amount on linux and mac, and the rest on other OS's, so 10 should be right) and that is just scratching the surface. I was shocked that Apple actually had so many vulnerabilities, and for those that didn't find it scary that someone can install a program with kernel access simply by having you download their dmg file (not even opening it), well they're just being silly and need to realize that this is 2006, and some extremely bad things can happen if we are to go by that analysts words (saying OS X is not hot on security and that it is easy to find new hacks). 😛

Not at all. I voted no, and I did so because I've spent enough time reading through vulnerability assesments to know that <i>all</i> software has problems, therefore I tend not to light my hair on fire and run around screaming the sky is falling the minute someone finds a flaw or a vector of flaws like the MOKB. Instead, I pay attention to the results, take steps to mitigate any possible problems, and then wait for the Security Update from Apple. The sooner the update happens, like the quick fix for the iAdware flaw, the happier I am.

Furthermore, one of the MOKB flaws is just a bug and is not actually a security vulnerability. The dmg vulnerability, wherein a malformed disk image can crash OS X and during this inject uknown code, has been debunked according to this guy.

So, no I'm not concerned. I'm watchful, but I'm going to withhold the running and screaming and the Apple-better-*******-fix-this! rant until something serious happens.

 

[yellow]

Personally I voted no, not because I am ignorant, but because there wasn't a more appropriate answer. It is my job to be concerned about all aspects of computing, but I am NO MORE concerned because of this "month of kernel bugs" than I was before the month of November. I also I find it highly unlikely that I will be nipped by any of these bugs shoehorned into malware before they are wiped clean by a security update.

 

[goosnarrggh]

Furthermore, one of the MOKB flaws is just a bug and is not actually a security vulnerability. The dmg vulnerability, wherein a malformed disk image can crash OS X and during this inject uknown code, has been debunked according to this guy.

Indeed on first read, I'd say that he presents a convincing argument. I'll go along with his diagnosis that there's no hole that could open you up to arbitrary code execution. If that's your definition of a security hole, then it follows that there's no security hole there. But it's still leaving you open the possibility that the operating system may crash for no apparent reason, causing you to lose any unsaved work.

Lost work... Depending on how productive you are, that can easily result in monetary damage being done.

As I posted previously, that leaves you in no worse a situation than you always are if you're running a desktop computer without a UPS. But I think that it still warrants attention.

At best it still qualifies as an inconvenience, because the savvy user who saves her work regularly will only have lost 5 or 6 minutes of productivity including the reboot. At worst, it can result in hours of lost work for the user who doesn't understand the "save your work" mantra -- especially if we're talking about somebody who's protected by a battery backup and doesn't think that unexpected reboots should be possible on such an inherently stable operating system.

And it's undoubtedly a bug inside Apple's software that's causing this problem, therefore it is absolutely appropriate that Apple should be expected to fix it. I appreciate anybody's effort to bring such bugs to light, because that increases the probability that Apple will find out about it and fix it.

 

[hulugu]

Indeed on first read, I'd say that he presents a convincing argument. I'll go along with his diagnosis that there's no hole that could open you up to arbitrary code execution. If that's your definition of a security hole, then it follows that there's no security hole there. But it's still leaving you open the possibility that the operating system may crash for no apparent reason, causing you to lose any unsaved work.

Lost work... Depending on how productive you are, that can easily result in monetary damage being done.

As I posted previously, that leaves you in no worse a situation than you always are if you're running a desktop computer without a UPS. But I think that it still warrants attention.

At best it still qualifies as an inconvenience, because the savvy user who saves her work regularly will only have lost 5 or 6 minutes of productivity including the reboot. At worst, it can result in hours of lost work for the user who doesn't understand the "save your work" mantra -- especially if we're talking about somebody who's protected by a battery backup and doesn't think that unexpected reboots should be possible on such an inherently stable operating system.

And it's undoubtedly a bug inside Apple's software that's causing this problem, therefore it is absolutely appropriate that Apple should be expected to fix it. I appreciate anybody's effort to bring such bugs to light, because that increases the probability that Apple will find out about it and fix it.

I'm saying Apple shouldn't fix it, I'm merely pointing out that many people are reacting to the MOKB as a wealth of major security flaws.
This is a bug, an annoying bug that should be fixed, but that's very different from a security flaw in which a crash can be used to inject malicious code. MOKB's author LMH was wrong about this particular instance and he did not do the research required of a security professional in this particular problem.

Again, don't dismiss the MOKB or the warnings from Secunia or F-Secure or even the demonstrations by Ellrich and Johnny Cache, instead we need to assess the problem as best we can.

I would say that you probably shouldn't be installing .dmgs while you're doing important work that hasn't been saved, that's just asking for trouble.

 

[joeshell383]

V.I.S.T.A (Virus Infections Spyware Trojans Adware)

I like that one 😀

 

[Westside guy]

I was happy to see that the last two bugs (one Linux, one OS X) were being handled responsibly - they weren't going to release the details until a patch was available. I'm guessing this was submitted by someone other than the project leader, since he seemed to be more of a "me too" glory hound.

I thought the bugs found were not particularly surprising ones; and not all are applicable to the vast majority of users (any local exploit isn't likely to be relevant on a one-person box). I'd hope people would use the MOKB as yet another reminder to practice better security - e.g. not run as an admin for day to day stuff 😀 be careful what you put on your machine, etc. - but I know that's not likely to change in the short term.