Exploit released for Mac OS X flaw

Computer code that exploits a flaw in Apple Computer's Mac OS X was released publicly over the weekend.

The code takes advantage of a weakness in core parts of Mac OS X and could let a person with limited privileges gain full access to a system. Apple provided a fix for the error-handling mechanism of the kernel last week, but the exploit appears to have been authored before then.

"It appears to have been written well before the vulnerability was fixed," said Dino Dai Zovi, a researcher at Matasano Security, who was credited by Apple with discovering the flaw. "It appears to be a zero-day exploit." He added that it may even "have been distributed before the patch was released."

Indeed, a Dutch student named Matthijs van Duin claims he found the bug and crafted the exploit in November last year. He did not call attention to the exploit, but did store it in a public directory online to share it with a few people, Van Duin told CNET News.com. Symantec and the French Security Incident Response Team, or FrSIRT, issued alerts about the attack code over the weekend, but the exploit appears to have gone unnoticed by security monitoring companies before that.

"I didn't release it at such," Van Duin said in an interview via e-mail. "I just put it in a directory to show it to a few people...I was trying to figure out why the kernel code that was obviously meant to plug this vulnerability was present, but disabled. Then I had more urgent stuff to do, the vulnerability ended up on the bottom of my 'to do' list."

Apple representatives did not immediately return calls for comment.

Public exploits, while common for Microsoft's Windows, are a rarity for Mac OS X. "More people are (now) looking for vulnerabilities in Mac OS X," Dai Zovi said.

The vulnerability could be exploited by a local attacker or someone with privileges to remotely log on to a machine. Macs that are used by multiple people, as well as servers with remote access capabilities, are most at risk, experts said. A person with limited privileges could exploit the flaw to possibly gain full system access.

"The risk presented by this exploit is limited by the fact that it can only be exploited by a logged-in user, although the user may also be logged in remotely," Dai Zovi said. "The issue is also mitigated by the fact that a patch has already been released."

The patch is available on Apple's Web site.

Mac OS X, by default, checks for updates weekly, which means most Mac OS X systems will not be vulnerable much longer.

The exploit as it was publicly released does not do anything destructive; instead it runs the "/usr/bin/id" utility to show that a person enjoys full administrator privileges.

"I can then make it do anything I want," Van Duin said. "An ill-intended person with at least some skill could modify it to spawn a root shell."

Dai Zovi agreed with van Duin, saying that a knowledgeable user can easily replace or modify the exploit payload to run a full-access root shell.

[DJ-Panic]

not that big a deal

an exploit requires local or console access honestly isn't that big a
deal. You give a hacker physical access to a box running nearly
ANY OS, and he'll get in eventually. Thus the reason physical
security of a box is important as well.

[Peter Bonte]

Just run the osX DVD

If a hacker gets physical access to an osX machine he can use the
osX disk to change the password, console access is a bit harder but
additional safety measures are always needed for critical operations
with untrusted logins.

[aabcdefghij987654321]

Agree, not a big deal

However, this is the kind of hack that can be used in combination with a hack like the one just disclosed for the Firefox browser to both get remote access and the desired elevated privileges to create an "owned machine".

It's not a big deal only because it's got a patch available to fix it which is likely to be installed on any system connecting to the net regularly.

[Hoser McMoose]

Yes it is a big deal

Raised priviledge exploits might not be that big of a deal for the average home user, but they are most definitely a very big deal for servers. This is how MANY servers managed to be hacked. A malicious hacker will obtain a valid user login, either through a weak password, keylogger on the users computer or even a bit of "social engineering", and then make use of this sort of exploit to gain full control over the server.

This kind of exploit is also often used in conjunction with a remote code exploit to do actual damage. Typical use of a computer (whether it be OS-X, Windows, Linux or whatever) should always be performed ONLY as a user with limited priviledges with the root/administrator account only being used to install software and make certain configuration changes. This greatly limits the ability of any malicious code from remote exploits from actually doing any damage. However if you combine a remote exploit with a priviledge elevation exploit, a malicious hacker can then get around standard good computing practises.

Long story short, priviledge elevation flaws are probably the second most serious type of flaws after remote exploits. Good on Apple for fixing this one, but this should serve as a warning that *NO* OS is free from security flaws.

[qprize]

This is an exploit???

A logged-in, trusted user, with remote access rights can "exploit"
the system? That's like saying an emailer in your local post office is
able to bypass your spam filters.

There are some hacks reported in this story, but none appear to be
in the software...

[mjm01010101]

no....

"A logged-in, trusted user, with remote access rights can "exploit"
the system? That's like saying an emailer in your local post office is
able to bypass your spam filters."

No, it's not the same (your analogy doesn't even make sense,) and yes, a local exploit from a trusted user from a remote location is serious.

[mjm01010101]

again with the flaws in cnet articles

""More people are looking for vulnerabilities in Mac OS X," Dai Zovi said."

Can you quantify this statement? Put some context in it? Even the article you linked to doesn't quantify the statement.

[boyd087]

It's a quote...

The reason Cnet gets away with that is because they quoted someone. The author of the article didn't make the statement. If someone makes a statement, it can be quoted even if it's only an opinion with no real proof. I agree it's sort of poor writing but I hardly think Cnet is the only one guilty of such a thing.

Let me just say that in my opinion, if you think that OSX is "secure", you are sadly mistaken. No OS is secure. There will always be vulnerabilities in their code. I also don't think of OS X as the "most secure" Operating System. It's hard to compare because of the amount of users that Windows has compared to OS X. For now, it's probably the safest Operating System to use because it's not widely exploited. But, the more users OS X gains, the more hackers and exploiters that will be looking at OS X.

[Jon N.]

Well now, why does this not surprise us?

First of all, I think it's almost criminal to call these things "flaws". Whether you're a PC or MAC user, they are NOT "flaws". They are "vulnerabilities". Whether they are "Discovered", "Exploited", or "Perceived", they are "Vulnerabilities", NOT "flaws". Flaws are those things that either hiccup, shut-down, or lock up a system without outside intervention, interference, manipulation, or exploitation. On the other hand, those software problems that were overlooked by the software company's code proofing, and are causing problems for the user, these truly are "flaws". When someone looks for, and exploits discovered "vulnerabilities", it's different. I am so sick of people saying that these corporations are responsible and culpable for this exploitation, and damage control. They are doing us users a tremendous service by patching and being on the ball for these discovered & exploited "vulnerabilities". We should be thankful for their vigilance and help. Apple isn't at fault, and even though Microsoft could have done a better job in hardening XP against cyber attacks, neither is Microsoft. I still think that M$ Word, and Outlook are some of the best laid out programs available. I wish that Open Office had the calendar functions, variety, and options that Outlook has. This is the beginning of a whole new phase of "vulnerability" patching and updates for Apple. Just wait! M$ will have it's hands full when they finally release Vista. And that's gonna be January 30, 2007? Maybe. Maybe even later. Well, whether it's Apple or Microsoft, thank you both for helping us fend off these weasels that want to exploit our computers, and attempt to ruin our lives.

[DeusExMachina]

Semantics

Aside from the fact that your statement is merely about
semantics, it is also wrong. A "flaw" is anything that does not
work as intended. It does not need to cause any type of lock up,
shut down, or hiccup. If My OS occasionally types the "a" key
whenever I try to open Photoshop, that is a flaw. If it displays the
colour red instead of yellow, that is a flaw.


And of course companies that make OSes are responsible for
damage control. Especially when the foundational mind set that
underlies the product allows for this exploitation in the first
place. They made the product. It's use makes one vulnerable to
damage, in ways not intended by the user, and not a foreseeable
outcome of its use. This is the definition of product liability.

[toosday]

Well, dang...!

First off, I'm glad Apple fixed the flaw. Secondly, I hope it alerts
EVERYONE (even us Mac-users) to take security seriously. Hardly
anyone I know that uses a Mac has any additional security
protection on their computers. Most of them recoils at the thought
of it.

Anyhow, there was a flaw. Apple fixed it. But, it did exist. That's
proof enough to get secure.

[Steve Bryan]

and that would be ...

One of the confusing things about this issue is just what is a Mac user supposed to do for the sake of security other than hang his head in shame? In almost all cases they are already doing the most important thing by not doing anything. For instance by not changing default settings you will not have remote login enabled. That is in marked contrast to Windows which has been plagued by having exploits which work for default settings.

The last thing we need are masses of Mac users poking around in system preferences changing settings in the hope of making things more secure.

It remains important that vulnerabilities be found and patched regardless of settings but it is also helpful to be aware of the nature of these exploits. Leaving unneeded services turned off is your first level of defense. Second, always have a least two user profiles, one with administrator privileges and one without. Make the non admin user your usual login. With OS X that is not a problem (it is how my Mac configured) and just login with admin privileges if you are installing software. Finally there is physical security. Don't hand your iBook over to a bald guy with a goatee wearing a black turtleneck at Starbucks. More could be said but that should usually be sufficient.

[DeusExMachina]

mac users

"Hardly anyone I know that uses a Mac has any additional security
protection on their computers."

And I bet that most people you know do NOT have their machine
set up for remote access, with multiple accounts set up for people
they do not trust to use the machine. As such, this "vulnerability"
does not affect them, and they are perfectly safe in their current
computer practices.

[Seaspray0]

For security sake

I agree with tooday. No operating system is perfect and that is reason enough to protect their computers with whatever is available.

Think of it this way... Would you have unprotected sex with a hooker? Didn't think so. Don't leave your computer unprotected either.

[M v Duin]

not a big deal

I actually mentioned to Joris it wasn't a big deal, being logged in as a user is normally already quite enough to do most things a Bad Guy would want to do, without needing root access.

Some of the other vulns mentioned in the security update sound far more serious to me, like the buffer overflow in JPEG2000 decoding.

The only interesting thing about this vuln is that the code to prevent it has been present in the kernel for a long time, but had been disabled (#if 0) for unknown reasons.

[The_Nirvana]

Thanks Duin for clearing the confusion...

but I have a question - Doe this expoit work even if the root
account is disabled? I mean, will the attacker still be able to gain
root privileges? I ask this becasue, that's how most Mac desktops
and notebooks are configured by default.

[databyss]

fool

privilage escalation is always the start of any good hack.

[rcrusoe]

Another reason to protect your hardware

Of all the systems I've managed over the past 20 years the only one I have never been able to crack from the console is IBM's AS400.

Unix, Mac, OS2, Novell, VMS, etc. can all be cracked if you can access the console. And of course the only requirement to crack most Windows computers is that it is turned on.

[FutureGuy]

HahahaHAHAhaha

So much for bullet proof Mac.

[The_Nirvana]

Well, Mac is not bullet proof...

but it is also not parchment paper. The artilcle is exaggerating
things. For clarification please read the comment by Duin - the
creator of the expoit - in the talkback.

[DeusExMachina]

Any

Considering your track record in understanding any of the issues
involved, I don't see why anyone would take anything you had to
say with any degree of seriousness.

[Jesus#2]

im wondering

if you actually read the article. A patched exploit that requires a
user to already have an account on a machine is not a big deal. Is
that all you have? HAHAHAHAHAHAHA

[GGGlen]

Yeah, but...

It beats the heck out of the "I farted in the general direction of a
'Doze box in '95 and it made Vista crash in 2007" schtick" these
Gates sycophants suck up to!
:)

[grandmasterdibbler]

So?

Is this really news, the flaw has been fixed, so what?

[richleick]

I Love It.

When a flaw, vulnerability, whatever, is found in Windows, even if it's fixed/patched, all I read about is how bad Microsoft is or what have you. That you need to switch to a Mac or Linux, run a different browser, blah, blah, blah, blah, blah. But when it happens to a Mac, the postings go something like "It's no big deal..", "This has been fixed..", whatever.

Give me a break

Every OS is susceptable to attacks and as the popularity of Macs increase you will see more things like this. Nothing is perfect. Use what you like but get off your high horses and I'll get of my soap box.

[grandmasterdibbler]

Not quite.

Many of the flaws and exploits written about on Cnet haven't been patched and won't be patched until the next 'patch tuesday'. Thats the difference.

No one said Macs were invulnerable, that'd be stupid, nothings perfect.

[DeusExMachina]

Feel free to stay where you are

If you knew what you were talking about, or even understood the
article, maybe someone would care about your soapbox.

[heystoopid]

In a word

In a word, much of the security we see today, consists of overated hype with very little real fleshy substance.

But that's life!

[Swalters1]

Get use to reading about OSX issues

I won't call it an exploit, or a vulnerability at this point, because it wasn't used to do anything bad yet... and the operable word is yet. So that leaves OSX with a total of 3 worms, and 1 trojan..that we know about.

If recent studies are to be beleived the internet has a user population of 84% Windows and 3.7% OSX. (see other Cnet article on Apple growth slowing.) That means people looking for attention, or looking to defraud, or just out to cause chaos, are going to focus on the largest possible impact.. the 84%. It's not wonder you hear about security vulnerabilities every week in windows, it's the target! It's also been around in it's current kernel incarnation for nearly 5 years.

But as OSX popularity grows those who wish to do damage will pay more and more attention to it. The recent slew of "We're immune to that because we're better than everyone else" commercials has probably caused a significant increase in the number of people looking for exploits.

Why? It's like telling a jewel theif, "I bet you can't steal this jewel!" They'll try, and they'll succeed.

My personal advice to Apple users, get use to hearing about vulnerabilites, torjans and exploits, and stop beleiveing the propaganda about how immune you are, and start practicing "safe computing"

First step, fix the one flaw in every operating system... the user.

[OS11]

except that OSX is built anything like Windows

People not close to the situation may make the mistake as you have to "assume" OSX is desgined just the same as Windows.

Nothing could be further than the truth. OSX uses Launchd, so it's impossible for a program to spread on OSX systems.

http://en.wikipedia.org/wiki/Launchd

There have been ZERO exploits to OSX so far, and at this point in the game it's probably too late for any serious outbreak to ever occur. Launchd among 70 other differences, make OSX the most secure operating in massive use today.

Marketshare doesn't really matter, OSX is just as exposed to the network as Windows machines, the best minds in the business have tried and tried to crack OSX. It can't be done, the proof is in the facts. No Viruses or Spyware, or Trojans have affected OSX. Only a few issue with some bundled apps, but none have touched OSX.

Apple does all the Virus, Spyware, etc protection inside the OS, while Microsoft doesn't understand programming enough to do it internally, so they rely on 3rd parties, making the their OS far less secure than it should be.

If you want a trouble free, virus free, rock solid, fast OS, with a much better software library than Windows, Apple's Macs are by far the best computing device you can purchase.

Have a good day.

-

[OS11]

except that OSX isn't built anything like Windows

People not close to the situation may make the mistake as you have to "assume" OSX is desgined just the same as Windows.

Nothing could be further than the truth. OSX uses Launchd, so it's impossible for a program to spread on OSX systems.

http://en.wikipedia.org/wiki/Launchd

There have been ZERO exploits to OSX so far, and at this point in the game it's probably too late for any serious outbreak to ever occur. Launchd among 70 other differences, make OSX the most secure operating in massive use today.

Marketshare doesn't really matter, OSX is just as exposed to the network as Windows machines, the best minds in the business have tried and tried to crack OSX. It can't be done, the proof is in the facts. No Viruses or Spyware, or Trojans have affected OSX. Only a few issue with some bundled apps, but none have touched OSX.

Apple does all the Virus, Spyware, etc protection inside the OS, while Microsoft doesn't understand programming enough to do it internally, so they rely on 3rd parties, making the their OS far less secure than it should be.

If you want a trouble free, virus free, rock solid, fast OS, with a much better software library than Windows, Apple's Macs are by far the best computing device you can purchase.

Have a good day.

-

Well said! (NT)

I said, NT!

[Penguinisto]

Meanwhile, in Windowsland...

...while everyone is shouting ab't a patched flaw, Microsoft has a great big unpatched network-based one running rampant across the Internet:

http://www.microsoft.com/technet/security/advisory/926043.mspx

/P

[crumvoc]

good advice, bad reason

I really think that the market share idea is illogical. If I were a
person writing malware for fun, profit or attention, I would
definitely try to write a mac virus, et al for the simple reason that it
would be NEWS!. Writing windows malware is nothing particularly
special, but you get your name in lights (at Cnet anyway) if you
successfully booger up a bunch of macs.... but we should practice
safe computing... to keep from transfering infections to our
windows brethren....

[Thomas, David]

IS THIS THE SAME 30 SECOND SCAM?!

Some one tell me ...

--- by the way im not bothering because I've learned how shady
these stories have become, and how false they are. It seems
when it comes to Apple, there truly is a bias to regurgitate old
stories as new, and manufacture false information ---

is this the same contest winner who claimed to hack a mac in 30
seconds, but had to have local, or user privelages to do so?


IF THIS IS TRUE, SHAME, SHAME AND CONTINUED SHAME ON
CNET!

[rapier1]

Actually, no.

You do realise that in a world of multiuser servers this is
a pretty significant issue right? Also, considering how pathetic most
people make their passwords brute forcing a limited roll account
and then bootstrapping it with a root kit is a problem.

[macjimlin]

Oh Dear

Since when is making what should be simple more complex than it
need to be an advantage.

I suppose folk like you walk to work on their hands just for the
sake of it!!!

[macjimlin]

Oh Dear

Since when is making what should be simple more complex than it
need to be an advantage.

I suppose folk like you walk to work on their hands just for the
sake of it!!!

[crumvoc]

THE DIFFERENCE

THE DIFFERENCE IS THAT WINDOWS VIRUSES' MALWARE AND THE
LIKE ACTUALLY DO DAMAGE, SCREW UP COMPUTERS, WASTE TIME,
WASTE MONEY, AND RUIN THE COMPUTING FUN... SO FAR, MAC
MALWARE IS JUST A CURIOSITY AND SOMETHING FOR WINDOWS
FOLKS TO FEEL GOOD ABOUT.... WHICH IS WHY I SWITCHED TO
MAC A YEAR AGO... AND LIFE (AND COMPUTING) IS GOOD....

[lesfilip]

THE CAPS LOCK

Welcome to the Mac platform. I'm surprised you have not noticed
that little "caps lock" button on the left of your keyboard. Use it.

Have a nice day!

[rcrusoe]

crumvoc, here's a great Mac feature for you.

Open System Preferences
Click on Keyboard & Mouse
Click Modifer Keys
Select No Action to the right of Caps Lock

You Caps Lock key is now disabled, and everyone on the Internet is
happy. ;)