Security flaw

Discussion in 'OS X Yosemite (10.10)' started by macmacmacr, Nov 14, 2015.

  1. macmacmacr macrumors member

    Joined:
    Dec 23, 2014
    #1
    I am using Yosemite 10.10.5 with a non-admin account and the application called TOR 5.02 (secure web browser), SHA-256: bc76e4d1a0b9deab144b199aba8d98fb508ec8858e5efacf942eb38f9d92a08e



    The application TOR, which is for the most part a secure version of Firefox, was able to automatically update and install a new version of TOR 5.04 without me authorizing the installation or entering the administrator password. TOR 5.02 downloaded a file called Torbrowser.app.zip.



    This never occurred with previous versions of TOR, and since it bypasses the operating system, I am interested in knowing what the possible flaw is that would allow this to occur. It appears to be an elevated privilege.
     
  2. CoastalOR macrumors 68000


    Joined:
    Jan 19, 2015
    Location:
    Oregon, USA
    #2
    TOR is about anonymity which is not the same as security. It will not protect you from malware for example. I have not used it, but check to see if there is a Preference setting that allows checking for updates.
    Here are some links that discuss what it does and does not do:
    http://www.theguardian.com/technology/2013/nov/05/tor-beginners-guide-nsa-browser
    http://lifehacker.com/what-is-tor-and-should-i-use-it-1527891029
    http://www.pcworld.com/article/2686467/how-to-use-the-tor-browser-to-surf-the-web-anonymously.html
     
  3. Ritsuka macrumors 6502a

    Joined:
    Sep 3, 2006
    #3
    Why would it need to be authorised to update itself? An application runs with the same permission as your user (if it's not sandboxed), so it can do whatever you can; if your user has the permission to modify the app, the app itself has got it too.
     
  4. macmacmacr thread starter macrumors member

    Joined:
    Dec 23, 2014
    #4
    That is not the case with Firefox. When a new version is ready to install, and even though I install it, it still requires my O.S. admin password to complete the installation. This is the case for all my apps on Yosemite.
     
  5. macmacmacr thread starter macrumors member

    Joined:
    Dec 23, 2014
    #5
    This is not about the application TOR but the fact it installs an update automatically without my interaction. I must enter my Admin password for any application to install. This should have been corrected in the security update 10.10.5. See http://www.intego.com/mac-security-blog/yosemite-zero-day/
     
  6. Ritsuka macrumors 6502a

    Joined:
    Sep 3, 2006
    #6
    It all depends on the permissions of the app. Remove your user from the write permission of the app if you don't want it to replace itself.
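
The permission model described in posts #3 and #6, as an added example that is not part of the thread: a POSIX shell check of whether an account's owner/group/other mode bits let it modify an app bundle or the folder holding it, which is all an unsandboxed app needs to replace itself without an admin password. The function names, the sample account and path, and the checked subpaths (standard bundle layout) are assumptions; ACLs and root are not modelled.

```shell
#!/bin/sh
# Added example (not from the thread). Mode-bit check only: ACLs and root's
# override are ignored. Hypothetical usage:
#   sh check.sh alice /Applications/TorBrowser.app

# writable_by USER PATH -> exit 0 if the mode bits grant USER write access
writable_by() {
    user=$1; path=$2
    info=$(ls -ld "$path" 2>/dev/null) || return 2
    # ls -ld fields: mode string, link count, owner, group, ...
    read -r mode _links owner group _rest <<EOF
$info
EOF
    # The owner is judged by the owner bits only (3rd character of the mode)
    if [ "$user" = "$owner" ]; then
        case $mode in ??w*) return 0 ;; esac
        return 1
    fi
    # A member of the file's group is judged by the group bits only
    for g in $(id -Gn "$user" 2>/dev/null); do
        if [ "$g" = "$group" ]; then
            case $mode in ?????w*) return 0 ;; esac
            return 1
        fi
    done
    # Everyone else falls through to the "other" bits
    case $mode in ????????w*) return 0 ;; esac
    return 1
}

# can_replace_app USER APP -> prints every location USER could write to in
# order to swap or patch the bundle; exit 0 if at least one exists
can_replace_app() {
    who=$1; app=${2%/}; hit=1
    for p in "$(dirname "$app")" "$app" "$app/Contents" "$app/Contents/MacOS"; do
        [ -e "$p" ] || continue
        if writable_by "$who" "$p"; then
            echo "writable by $who: $p"
            hit=0
        fi
    done
    return $hit
}

if [ $# -eq 2 ]; then can_replace_app "$1" "$2"; fi
```

No output and a non-zero exit status mean the account cannot modify the bundle through these paths, so an update would need credentials for an account that can.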
     
