I have yet to read anywhere about a crossover cable. Even if so, the rules would apply to all machines. And still windows/linux did not fall on day 2 like OSX did.

There are apps set to run on startup on OSX. Though viruses get launched by the user running them. Then once installed they can startup automatically but they need the user to first install them.

It's possible to get your secured OSX admin password. It is on your system. Even "secured" it's easy to grab. I think it was num nums who earlier said how to get it.

As far as ASLR how does linux do it better than windows? We know that it's not in leopard and SL only has a partial implementation of it. How is linux better?

Already installed software running at startup is different than software being autorun as soon as it accesses the system if the executable is set up to do so. I will admit that I was unaware that autorun exploit had been fixed in Windows 7.

But, Windows still only requires a single authorization to give software root access and this authorization is mandatory at software install. A hole in a piece of software on windows is a hole in the system because of this type of authorization system.

On OSX nearly all of the software does not have root rights and software is only given those rights for a short time when authorized. Very few apps on OSX have chronic root access and those that do usually only have those rights for a limited part of the program.

Getting the admin password out of a mac requires already knowing the password, direct access to the computer, or (edited out my misinformation).

ASLR is better in linux because of all the other security features of the system such as being UNIX based. These security features are the same or similar as OSX. They actually came from BSD then ported to Linux and implemented in OSX's BSD foundation.
 
Mac having no viruses? Really??? Of course Macs can get viruses... Every computer/OS can.

Macs just have less, due to the "less interest".

I just love this same OLD same OLD same OLD argument. Interesting how Macs have become quite an interest in the consumer and you see them practically everywhere now, yet they seem to still be quite secure. Under 100 holes certainly is a non issue compared to over 200k viruses and uncountable holes in Windows.
 
Shush.

You don't want LagunaSol's head to explode - he needs to
assume that any comment that doesn't sing hosanna to
the Lord God of Cupertino is due to a direct payment
from Redmond to the poster. In the LagunaSol world view,
only a bribe could prevent someone from heaping praise
on the Lords of Cupertino.

;)

Sorry Shaw, but your claim that your 24/7 exclusive shilling of Microsoft fare on an Apple users' forum is only for the good of humanity smells funny no matter who you are.
 
Break out of your bubble and realize your system isn't the same as everyone else's.

I wasn't hallucinating when in the middle of my sweet turn around jumper with a recreated digital Michael Jordan, Windows decided it was time to restart. I didn't photoshop the dialog box. Just because the article references Vista doesn't make it irrelevant, Windows 7 isn't a complete rewrite.

You can even edit the behavior with group policy

If your machine is set to automatic updates this can happen.

http://technet.microsoft.com/en-us/library/cc720539(WS.10).aspx

Delay Restart for Scheduled Installations

This policy specifies the amount of time for Automatic Updates to wait before proceeding with a scheduled restart.

If the status is set to Enabled, a scheduled restart will occur the specified number of minutes after the installation is finished.

If the status is set to Disabled or Not Configured, the default wait time is five minutes.

To delay restart for scheduled installations

1. In Group Policy Object Editor, expand Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Windows Update.
2. In the details pane, click Delay restart for scheduled installations, and set the option.
3. Click OK.

Re-prompt for Restart with Scheduled Installations

This policy specifies the amount of time for Automatic Updates to wait before prompting the user again for a scheduled restart.

If the status is set to Enabled, a scheduled restart will occur the specified number of minutes after the previous prompt for restart was postponed.

If the status is set to Disabled or Not Configured, the default interval is 10 minutes.

To re-prompt for restart with scheduled installations

1. In Group Policy Object Editor, expand Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Windows Update.
2. In the details pane, click Re-prompt for restart with scheduled installations, and set the option.
3. Click OK.


I guess your response is Microsoft's Technet Article is wrong.

My response is that article does not apply to 7. It applies to vista. Even says vista in the title. It was also posted back in 2008. You have to edit the group policy to get the dialog box I got according to that article. I edited nothing and get that dialog box. I used automatic updates and still don't get it. Which means it's the default setup for 7. You'd have to alter 7 for the box you got to appear. This is also the first I've heard of that.
Just saying it's strange if we both have the same OS, same settings and get different results.
 
Originally Posted by AidenShaw
Shush.

You don't want LagunaSol's head to explode - he needs to
assume that any comment that doesn't sing hosanna to
the Lord God of Cupertino is due to a direct payment
from Redmond to the poster. In the LagunaSol world view,
only a bribe could prevent someone from heaping praise
on the Lords of Cupertino.

Sorry Shaw, but your claim that your 24/7 exclusive shilling of Microsoft fare on an Apple users' forum is only for the good of humanity smells funny no matter who you are.

What claim about the good of humanity?

Have you been eating the "fun" mushrooms again?
 
Read about bridging ipfw using a crossover cable. Windows does not have this type of firewall by default so the exploits they find for windows could occur across the web if the user does not have a hardware firewall.

Already installed software running at startup is different than software being autorun as soon as it accesses the system if the executable is set up to do so.

Getting the admin password out of a mac requires already knowing the password, direct access to the computer, or a crossover cable bypass of ipfw.

ASLR is better in linux because of all the other security features of the system such as being UNIX based. These security features are the same or similar as OSX. They actually came from BSD then ported to Linux and implemented in OSX's BSD foundation.

There is no mention in any article of the use of a crossover cable. And yes, you can get the password without said cable and without already knowing the password.

That doesn't really answer why ASLR is better. If its unix roots were the reason why then it would also be better in OSX but we know it's quite the opposite.
 
My response is that article does not apply to 7. It applies to vista. You have to edit the group policy to get the dialog box I got according to that article. I edited nothing and get that dialog box.

"Vista" was the OS released in 2006, not the one released in 2009 -
right?

Shall we talk about issues with OS9 that have been fixed for years?
 
It is time for Apple to open source Safari – not just web kit – because there have been too many [security] issues with Safari in the past.

The other two candidates are most likely Flash and Java, again.

Let's hope that Apple gets its act together and fixes these holes a.s.a.p. Not after six months like they did with the previous two Java exploits.

Action time for Window Snyder?
 
"Vista" was the OS released in 2006, not the one released in 2009 -
right?

Shall we talk about issues with OS9 that have been fixed for years?

You are correct. That article is from 2008. Before 7 was ever released. It applies to vista not 7. That is my point.
 
I just love this same OLD same OLD same OLD argument. Interesting how Macs have become quite an interest in the consumer and you see them practically everywhere now, yet they seem to still be quite secure. Under 100 holes certainly is a non issue compared to over 200k viruses and uncountable holes in Windows.

+1

What claim about the good of humanity?

Have you been eating the "fun" mushrooms again?

Don't mean to chime in here, but you have had an anti-Apple stance for the few years I've been reading (and the past year I've been directly participating) in the MacRumors forums. I must admit you're very good at it, if anyone tries to call you out on it you twist your view around enough to convince others that you're impartial. Overall you tend to argue with a Windows OS bias, which is fine, I like Windows 7. In fact it is a big step up from the previous Windows OS's. However, you do tend to bait people on an Apple fan based site into defending why they like Apple products. In truth, I find it rather smug (no offense). While the other extreme with some users is just as smug, understand that they are on an Apple fan site and may be sick of being backed into corners by some people for having a preference for Apple products. Their anger may be exacerbated by the baiting. To be fair.

Otherwise, I welcome your comments, they certainly keep me (and others) on their toes. :)
 
There is no mention in any article of the use of a crossover cable. And yes, you can get the password without said cable and without already knowing the password.

That doesn't really answer why ASLR is better. If its unix roots were the reason why then it would also be better in OSX but we know it's quite the opposite.

I admit that OSX implementation of ASLR-like features is limited but no threat in the wild as of yet has indicated that OSX needs the performance costs associated with such security measures.

The hierarchy of the division of the system of unix-based systems and the permission model (different than windows) of these systems insulates the implementation of ASLR from being accessed like in windows.

For example:

Windows still only requires a single authorization to give software root access and this authorization is mandatory at software install. A hole in a piece of software on windows is a hole in the system because of this type of authorization system.

On OSX nearly all of the software does not have root rights and software is only given those rights for a short time when authorized. Very few apps on OSX have chronic root access and those that do usually only have those rights for a limited part of the program.

As I said before:

Getting the admin password out of a mac requires already knowing the password, direct access to the computer, or (edited my misinformation).

If there is a way, I would like to know. I have read every article I could find concerning this and they all used one of the ways I mentioned.
 
right

I don't put much weight in this at all. I know very well that Windows 7 is far more secure than Windows prior. However, it really depends on how the user configures it. A lot of ppl get fed up with UAC and disable or turn it way down. IE8 is barely functional at all so more advanced users are using FF or other webkit based browsers that negate any locked down advantage of IE.

The fact is no software is secure. OSX is very secure by default and there is no native root access by default. I don't put any stock in what this guy is saying until I see him present his findings. Most ppl don't have publicly accessible macs period. So we are down to attacking it via malicious website or social engineering. Most social stuff still requires the user to give up the admin password and websites are just down to Safari vulns. On that note I run 64bit compatible Safari ad-block and also Clicktoflash that automatically shuts down flash unless I say so. I'm also running the 64 bit kernel.

I really seriously don't feel in danger what-so-ever. For the record, I am an IT Security Manager, so I am very well versed in what is what.... not just some fanboy in denial. Nearly every OSX exploit that has come to light requires either direct access, LAN access, or a stupid pilot between the keyboard and the chair. Somehow I don't expect these findings to be any different. It's also worth mentioning that 10.6.3 will be released any day now.
 
I admit that OSX implementation of ASLR-like features is limited but no threat in the wild as of yet has indicated that OSX needs the performance costs associated with such security measures.

The hierarchy of the division of the system of unix-based systems and the permission model (different than windows) of these systems insulates the implementation of ASLR from being accessed like in windows.

For example:

Windows still only requires a single authorization to give software root access and this authorization is mandatory at software install. A hole in a piece of software on windows is a hole in the system because of this type of authorization system.

On OSX nearly all of the software does not have root rights and software is only given those rights for a short time when authorized. Very few apps on OSX have chronic root access and those that do usually only have those rights for a limited part of the program.

As I said before:

Getting the admin password out of a mac requires already knowing the password, direct access to the computer, or a crossover cable bypass of ipfw.

If there is a way, I would like to know. I have read every article I could find concerning this and they all used one of the three ways I mentioned.

OSX also must grant admin privileges when installing a piece of software. No different.
It's not a fault with windows if developers code their apps to require admin access. Microsoft even said the main point of UAC was to get developers to write their apps properly.
Still in windows running as admin and running as user but granting admin to an app are not the same things. Different levels of access.

As far as gaining the root password I would refer you to numi nums.
 
He's sitting on it for his own publicity. That much is obvious.

And for those who are confused, a security hole is not the same as a virus. Viruses can often use security holes to operate, but having a security hole in your OS is not the same as having a virus. Many security holes require black hats to be operating on your internal network to exploit. Others require you to be in close proximity to exploit a BT driver or something like that. I even read about one guy whose claimed security hole required physical access to your computer! (How's that a hole? They get your computer, and you are done for).

Fact is, we know nothing about these holes he found, so I wouldn't run out and buy an anti-virus product just yet.

There are lots of security holes in every OS - this guy sounds like he went through a lot of trouble to discover his 20. Kudos to him. Hopefully he reports them to Apple before he reports them to the rest of the world. That's the responsible thing to do.

In other words, just more ******** from Mr. Miller...as if we were supposed to buy into that kind of FUD again. I have used Macs since 1995 and am still waiting for a single virus to attack what now constitutes 10% of the personal computer market. So you'd think: "well, out of a million viruses there's gotta be 10 or 100 for Macs, right?" WRONG. There is NONE because of some intrinsically secure features of OS X since day one.

Of course, if you have physical access to someone's computer and excellent hacking techniques you will probably succeed. Do most hackers have this privilege? No. So except where social engineering is the pure vector, none of this BS will affect the Mac market.

So go attend some Black Hat criminal conferences and stop spreading more of that self-serving crap, Mr. Miller.
 
Explain how using a crossover cable bypasses ipfw.

Using a crossover cable was a requirement for own2pwn in 2008, may have been/will be in 2009 and 2010. It does NOTHING other than remove the need for a router. The computer has no idea that it's a crossover cable and therefore can't behave differently on its side.

As I said before:

Getting the admin password out of a mac requires already knowing the password, direct access to the computer, or a crossover cable bypass of ipfw.
 
OSX also must grant admin privileges when installing a piece of software. No different.
It's not a fault with windows if developers code their apps to require admin access. Microsoft even said the main point of UAC was to get developers to write their apps properly.
Still in windows running as admin and running as user but granting admin to an app are not the same things. Different levels of access.

As far as gaining the root password I would refer you to numi nums.

OSX grant to install, yes. Gives permanent access to root, no

Windows when installing elevates software's access to root permanently (Edit: processes do run with user privileges, but still authenticated to write to anywhere in system during installation). It is too much a part of the windows paradigm to change anytime soon as well but at least MS is acknowledging it.
 
In other words, just more ******** from Mr. Miller...as if we were supposed to buy into that kind of FUD again. I have used Macs since 1995 and am still waiting for a single virus to attack what now constitutes 10% of the personal computer market. So you'd think: "well, out of a million viruses there's gotta be 10 or 100 for Macs, right?" WRONG. There is NONE because of some intrinsically secure features of OS X since day one.

Of course, if you have physical access to someone's computer and excellent hacking techniques you will probably succeed. Do most hackers have this privilege? No. So except where social engineering is the pure vector, none of this BS will affect the Mac market.

So go attend some Black Hat criminal conferences and stop spreading more of that self-serving crap, Mr. Miller.

Agreed, this guy is doing nothing more than self-promoting himself. He's going to show off his findings and tell everyone how awesome he is to prop up his resume.

As for his analogy.... I have to say it's the best I've heard to date. However, by that logic Apache webservers, which make up the majority, should be under the heaviest attacks on the web. They are not. It's still the minority of IIS/SQL webservers..... MS... that are under constant siege.
 
OSX grant to install, yes. Gives permanent access to root, no

Windows when installing elevates software's access to root permanently. It is too much a part of the windows paradigm to change anytime soon as well but at least MS is acknowledging it.

I don't believe you are correct. If it granted permanent access, which I don't believe it does, then why do some apps require admin access again to run? They would already have it.
 
It is time for Apple to open source Safari – not just web kit – because there have been too many [security] issues with Safari in the past.

The other two candidates are most likely Flash and Java, again.

Let's hope that Apple gets its act together and fixes these holes a.s.a.p. Not after six months like they did with the previous two Java exploits.

Action time for Window Snyder?
You have fallen for the idea that "more eyeballs" == more secure software. The majority of exploits are the result of not handled null references and other programming errors and buffer overflows. Such errors can just as easily be missed by a human looking over code as the human who wrote the code in the first place.

Open Source development can lead to an improvement of software but what you really need is developer discipline to use test driven development and using tools to smoke test your software to detect these sort of errors before they fail in the wild.
 
Explain how using a crossover cable bypasses ipfw.

Using a crossover cable was a requirement for own2pwn in 2008, may have been/will be in 2009 and 2010. It does NOTHING other than remove the need for a router. The computer has no idea that it's a crossover cable and therefore can't behave differently on its side.

Edit: I was wrong. Miller's exploits require a local area network and an artificial (as in unlikely in the wild) situation.

Second Edit: I was double wrong, exploitation using these methods is not uncommon in the wild. But, it is rare in the wild in OS X because the impact of such exploitation in Mac OS X is limited by the low incidence rate of privilege escalation exploits and user space security mitigations that prevent keyloggers and other malware from logging security sensitive passwords, such as from authentication prompts or website logins, without privilege escalation. BTW, user interaction is required to hack a Mac via a crossover cable as the user has to allow "Internet Sharing" in System Preferences. Man-in-the-middle attacks facilitate these methods on wireless networks. Navigating to a malicious website facilitates these methods across the web.
 
It's not strange it's Windows. That's why I use OSX. The technet article is current and doesn't say Vista anywhere.

I've experienced it first hand.

It says vista in the first paragraph. I'm guessing you altered your system to do that. Windows just doesn't do strange things any more than OSX does. There is a reason for things. I use OSX too. I just prefer to use windows 7 now. OSX has its own annoyances as well. They all do.
 
Why don't you hear from the other guys? Because they don't win. Every year.


No because they are true professionals that don't seek media attention. Professional firms that work in OS X security would have him employed if he was so good. He is just a first class jerk that craves the limelight. He knows the PC/Mac wars and OS X security news would get the most tech news attention.

Like I said before, I would be impressed with him if he can hack an OS X machine without physical access and getting a user to install a Trojan. Then I will respect him, not before.
 
I don't believe you are correct. If it granted permanent access, which I don't believe it does, then why do some apps require admin access again to run? They would already have it.

Which ones require admin to run again other than User Account Control to install applications? I have never encountered an application to ask for rights other than to change settings.

I have apps on OSX, like my packet analyzer, ask for root every time I run it and it only gives rights to one component of the whole program.
 
I am not going to go through everything I have read to find it again to give you a link or name of source/book.

In UNIX based operating systems, it is set up such that connecting two computers with a crossover cable essentially gives you full access to the other computer. Like the same as sitting right at that computer working on it.

In a crossover cable the ends are mirror image of each other. Connecting the two unix-based computers with such a wire bypasses the implementation of ipfw. This does not occur with hub, switch, router or modem as the ends are not mirrored. This is done on purpose for IT usage for rare instances when those types of networks are needed.

Sorry, but this is not true. Connecting via crossover cable merely negates the need for a hub or switch. With 2 connected via crossover it's no different than simply being on the same network.

However, connecting via crossover and setting one system to 'target-disk-mode' is another story.

Further, you can boot to a Snow Leopard disk to gain access as well.
 