Attack code out for Apple flaw

Attack code that exploits a flaw in Apple Computer's Mac OS X was publicly released Wednesday, increasing the urgency to patch.

The code's arrival comes just a day after Apple made an update available for its operating system. The malicious program takes advantage of a locally exploitable vulnerability in an operating system component called "launchd".

"Attackers may exploit this issue to execute arbitrary code with elevated privileges," Symantec said in a security alert to customers that was updated on Thursday.

On Tuesday, Apple delivered Mac OS X 10.4.7. The operating system update repairs a total of five flaws. Four of them affect both the client version of Mac OS X. The other, in the ClamAV antivirus software, has an impact on the server release.

Apple is recommending that people install all updates when they're issued to keep their software fully up to date, a company representative said Thursday.

"This proof of concept was fixed in Tuesday's Mac OS X 10.4.7 update," the representative said, referring to the ability for the exploit code to run.

The exploit was created by Kevin Finisterre, a security researcher at Digital Munition. Earlier this year, Finisterre created the Inqtana worm, which targets Mac OS X and spreads using an 8-month-old vulnerability in Apple's Bluetooth software. His actions are in part to demonstrate that Apple software is not unbreakable, he has said.

Apple users can download Mac OS X 10.4.7 through Software Update or the standalone installer. Typically, the Mac OS automatically checks for updates once a week.

Separately on Thursday, Apple put out iTunes 6.0.5, an update that it said fixes a security problem that could be used in a denial-of-service attack or let an intruder run code on vulnerable systems.

"The AAC file parsing code in iTunes versions prior to 6.0.5 contains an integer overflow vulnerability," the company said on its security Web site. "Parsing a maliciously-crafted AAC file could cause iTunes to terminate or potentially execute arbitrary code. iTunes 6.0.5 addresses this issue by improving the validation checks used when loading AAC files."

The iTunes vulnerability affects Mac OS X versions 10.2.8 or later and Microsoft Windows XP and 2000, Apple said.

[M C]

What part of "proof of concept" doesn't CNet understand?

No exploit has been released. A security guy created a little something that theoretically could work as an exploit, issued a press release, and News.com is all over it.

The downward spiral continues.

[Tanjore]

Well..whats wrong with it

A proof concept is sufficient for some moron to write code to exploit the OS. News.com is doing a favor to users letting them know of the issue and defend themselves against a attack.

Just because an attack has not happend doesn't mean that is not going to happen!!!

[keaggy220]

Why does Cnet continue to deceive?

A guy in a lab creates a concept and Cnet writes a story like this?

[snodman]

Exactly!

Apple disclosed the flaw WHEN THEY RELEASED THE FIX for it.
Some guy in a lab reads Apple's description of the flaw and writes a
test program in his lab that exploits the flaw. Oh, by the way, his
exploit requires you to NOT have installed the patch Apple has
already written. How is this even news?

[keaggy220]

Why does Cnet continue to deceive?

A guy in a lab creates a concept and Cnet writes a story like this? I
continue to laugh without virus protection. Maybe one year I'll get
a virus. hehe

[mgreere]

More News.com BS

How is this a story?

A unreleased virus that would target a vulnerability that will be
nearly non-existent in a week.

Lame.

[pschlampp]

Where are the editors?

1) This is a non-story as the other commenters have pointed out

2) The article doesn't explicitly say that the patch addresses the vulnerability. It should.

3) What's up with this sentence? "Four of them affect both the client version of Mac OS X."

News.com has been replaced as my source of tech news because of this type of stuff. Now if the guys over at Engadget could get someone to focus on the industry...

[john55440]

How DARE Cnet Tell The Truth! :-)

Everybody knows that Apple is 100% perfect, and never, ever, has any security flaws, or design flaws, or manufacturing flaws... -lol

[Oleg Simkin]

Fan boys come out in droves

1. Is there a flaw? Yes
2. Is there code to exploit it? Yes

So now shut up and take it. You jump on MS when news like this come out but can't eat your own.

I laugh at all of you ignorant people that think your toys aka macs are invulnerable. Keep your had in the sand.

[Fray9]

I wouldnt say that

I cant help but laugh at the irony of someone accusing others of the behavior they themselves are displaying.

Proof of concept exploits like this are developed for Windows on a nearly daily basis. If "mac fanboys" were to "jump on MS when news like this comes out" they wouldnt have time for doing anything else.

[JulesLt]

Trolls come out to play

Talk about the pot calling the kettle black.

If you had a point to make about the zealotry of the Mac faithful,
you could have done so without calling Macs 'toys'. That makes
you look somewhat petty, and is hardly going to make someone
'shut up and take it'.

Personally, I'm not going to lose any sleep. I will still take a
system that now has ONE known live exploit and say it is LESS
vulnerable. Not invulnerable but LESS vulnerable. Bit like no car
is thief-proof but some of them are very easy to steal.

As for 'toys' - toys are good, toys are fun. Machines are for dull
people. Toys than run Unix are even better.

[PDG1]

Macs...

Yea... my earlier post got deleted... so i guess it was a bit too radical.

I'll summarize what was in that post... but say it in a nicer way:P

Macs are not my favorite Operating system... and by owning and occasionally using a mac, I preserve the right to say this.
This is an interesting article as it explains how Macs are not as bullet proof as some say they are.
I predict that ,in the future , there will be a BIG mac attack and mac users will have nothing to base their defenses against riducule on.
OSX has stayed relatively problem free, as most Unix based OS's are.
I am confident that hackers will find a way to break OSX... and this article will give them incentive and encourage them.
lets see if this will get deleted...
oh yea, I also said somehting like... Mac fans, get rowdy...
I'm expecting replies...
lol
I'm such a poop disturber:P

[ServedUp]

Apple's Bad Press.

The reason why Apple refuses to comment on this article is
because simply, its not news! They've been fairly diligent when it
comes to updating security for their software. Not to mention
answering the press's concerns with Apple's far east IPOD
factory dealings. They stood their ground to say the least.

So why the Bad Press?

Well you only need to look no further then the next article about
Microsoft's Office 2007 delay. Its seemingly to me a cover story
to put less shame on the black sheep of innovation, Microsoft.

[00rb]

Who are really the uneducated ones here?

Is it the researchers/publishers that share their valid findings for MAC exploits... or those that refuse to believe that their MAC's are at risk?

[mgreere]

No no -- simply a stupid story

nt

[DeusExMachina]

MAC?

In what way does this put the Medium Access Control (MAC) at risk?
Do you even know anything about computers?

[Aan02860]

c|net pimping for Symantec?

Are you guys pimping for Symantec or just trying to destroy your
credibility with alarming but false headlines?

[SNGecko]

Irony

Pimping for Symantec...While I was considering this, I noticed to the right a large advert for -- you guessed it -- Symantec anti-virus/security software. I can only hope the reason c|net exists is to give CS-dropouts employment and give jaded readers something to jaw about.

[hatandglasses13]

who cares if macs are at risk?

they're still better computers.

[aristotle_dude]

Why is this news? Already fixed in 10.4.7

This was already patched. Everyone should have updated to 10.4.7 already.

[Terry Murphy]

Setting the record straight - again.

Kevin Finisterre, founder of security startup Digital Munition
referenced in this article was interviewed by Security Focus on
2/27/06 (See http://www.securityfocus.com/columnists/389)

Since this Cnet article appears to needlessly try and resuscitate
the Bluetooth InqTana worm scare, the following excerpt from
Finisterre's interview is worth noting:

Q. In your paper, it sounds like both 10.4 and 10.3 were
vulnerable, but aren't any longer. Is that right?

A. The Bluetooth bug that InqTana exploits has been patched for
some time now.

In the same interview, Finisterre remarks about the less than
vigorous tendencies journalists have pertaining to accurately
reporting of software security issues:

Q. Did any antivirus company acknowledge that this was a lab
creation that would have a hard time spreading? Do you think
the vendors treated this well or as a marketing ploy?

A. Although blatantly mentioned in most of the antivirus threat
notices, you will find that folks are still implying that the code
will actually spread. I think this is a bit misleading. The fact of
the matter is that InqTana is not spreading and physically cannot
(spread) without a third party making their own variant.
Headlines like New Mac Worm Spreads Via Bluetooth and Second
Apple worm targeting Macs found are slightly skewed. First, the
code is not spreading in any sense of the word nor was it
"found" anywhere Since most articles are copied and pasted from
the same source, you will find that a number of sources correctly
identify this as "proof of concept." Quite a few folks actually
mention the fact that it is both time limited and crippled to a
specific set of Bluetooth addresses.

Unfortunately, not here. The present Cnet article continues the
"accuracy be damned" approach and relies on sensationalistic
claims while downplaying the actual (proof of concept) nature of
the issue. And in the present case, an issue for which nothing
exists in the wild and an issue for which a patch (10.4.7) has
already been released.

Once again. Windows users can only dream that they have it this
good.

[M C]

What's sad is that you're not being sarcastic.

The same old lines - it almost seems like you're making fun of the "oooh, the fanboys are out...head in the sand...toy computers..."

Haters are becoming a self-parody.

[Tui Pohutukawa]

Apple stays on top of security issues.

That would have been the correct headline. Anything else is
disinformation.

[canettijazz]

So called Security Researchers

Is it just me or are these so called Security Researchers/experts
just trying to drum up publicity for themselves and increase
sales? Why in the world would anyone with any integrity and
truely interested in security first publicly announce a security
flaw and then show everyone how to do so - particularly after
Apple released a patch? How is this different from a hackers that
write viruses, worms, bots, etc. aside from hiding behind the
"expert" moniker? If the expert were truely concerned about
security they would contact Apple and if Apple wasn't
responsive, then make a public announcement of the "proof of
concept", but for what reason would you ever release the attack
code. If I decided that the US government wasn't taking the Bird
Flu seriously and I released several infected birds into the
population just to draw attention to the point to the government
inaction, would you call me a terrorist?

[Tanjore]

Not necessariliy true

Many researches work very hard to find these exploits. When these are reported to companies, they neglect to fix the problem or delay fixing the problem. Many times, these researchers are not provided with atleast minimal credit for their hardwork. By releasing information publically forces a company to issue a patch.
In this specific case, apple issued a patch and the researcher issued a proof of concept attack. After all the researcher needs some credit for all the hardwork!!!

[Seaspray0]

The answer is simple

Listen to what apple said, "keep your computer up to date with patches." Please note that in the past, viruses have been written for exploits even after the patch to fix it has been released. Those computers that did not get the updates were vulnerable to the virus.

Computers that are up to date on OS patches and antivirus software dramatically reduce the risk of infection by a virus. It's rather simple to do, people. Why create so much friction over such a simple solution?

[Akiba]

Sounds like people are worried about reputations.

Its sounds like a lot of Macintosh users want this kept hush hush so they can continue to make arguments that Macs don't have flaws, don't need user awareness or spyware tools etc. I agree its not big deal and I never got a feeling from the article that they were trying to make this into a huge issue. But there is nothing wrong with mentioning it so it makes me wonder if Mac fans prefer that issues like this be kept from the public like a certain corporation does.

[qwerty75]

It is a big deal

You wouldn't know it from the article but,

1. There is no exploit in the wild for this.

2. It can not cause any trouble even if it somehow got on a mac.

3. This is just a lab finding for a problem already fixed.

[MacPinchi]

FUD, FUD, FUD.

People, articles like this are part of a concerted attack. The PC industry feels threatened by what it rightly perceives as a serious threat, and they are doing their dirty, lowdown best to steer you away from buying a Mac.

The Sky Is Falling!! The Sky Is Falling!! This so-called exploit is such a laughable excuse for the press to sound the alarm. "Attack Code For Apple Flaw?" "Trojan attack?" The hole was already patched before the exploit was released! Even if you were at risk, you would still have to give the infecting app *permission* to run with escalated privileges before it could possibly affect you!!

Contrary to what the Microsoft/Symantec tools would have you believe, it's been *six years* since the introduction of Mac OS X and there is *still* not a single virus, trojan or spyware affecting Mac OS X in the wild. None. Zero. Zip. Nada. It's all manufactured, made-up Fear, Uncertainty and Doubt.

The Mac is not impenetrable, but unlike Windows, it is very, very secure. In real life on a Mac, there is simply no need for virus software or for concern that you might be infected. It just doesn't happen.

If you're thinking of buying a Mac, then you're to be commended for thinking for yourself and ignoring the desperate, clutching PC anti-virus software makers who are afraid they're about to lose you as a captive customer.

Stop bankrolling the virus-peddlers. Get A Mac. Welcome to computing as it's supposed to be.

[TheConfuzed1]

Beautiful

Nicely said. :)

[Macsaresafer]

Nothing to see here

First, this "proof of concept" is for a Trojan, not a virus. Second,
there is no attack code in the wild. Third, even if it got into the
wild, it would have a great deal of trouble spreading.

Once again, CNET foists a hoax on Mac users. I'm guessing CNET
editors have lots of Symantec stock they're trying to shore up.