Attack code that exploits a flaw in Apple Computer's Mac OS X was publicly released Wednesday, increasing the urgency to patch.
The code's arrival comes just a day after Apple made an update available for its operating system. The malicious program takes advantage of a locally exploitable vulnerability in an operating system component called "launchd".
"Attackers may exploit this issue to execute arbitrary code with elevated privileges," Symantec said in a security alert to customers that was updated on Thursday.
On Tuesday, Apple delivered Mac OS X 10.4.7. The operating system update repairs a total of five flaws. Four of them affect both the client version of Mac OS X. The other, in the ClamAV antivirus software, has an impact on the server release.
Apple is recommending that people install all updates when they're issued to keep their software fully up to date, a company representative said Thursday.
"This proof of concept was fixed in Tuesday's Mac OS X 10.4.7 update," the representative said, referring to the ability for the exploit code to run.
The exploit was created by Kevin Finisterre, a security researcher at Digital Munition. Earlier this year, Finisterre created the Inqtana worm, which targets Mac OS X and spreads using an 8-month-old vulnerability in Apple's Bluetooth software. His actions are in part to demonstrate that Apple software is not unbreakable, he has said.
Apple users can download Mac OS X 10.4.7 through Software Update or the standalone installer. Typically, the Mac OS automatically checks for updates once a week.
Separately on Thursday, Apple put out iTunes 6.0.5, an update that it said fixes a security problem that could be used in a denial-of-service attack or let an intruder run code on vulnerable systems.
"The AAC file parsing code in iTunes versions prior to 6.0.5 contains an integer overflow vulnerability," the company said on its security Web site. "Parsing a maliciously-crafted AAC file could cause iTunes to terminate or potentially execute arbitrary code. iTunes 6.0.5 addresses this issue by improving the validation checks used when loading AAC files."
The iTunes vulnerability affects Mac OS X versions 10.2.8 or later and Microsoft Windows XP and 2000, Apple said.
What part of "proof of concept" doesn't CNet understand?
No exploit has been released. A security guy created a little something that theoretically could work as an exploit, issued a press release, and News.com is all over it.
A proof concept is sufficient for some moron to write code to exploit the OS. News.com is doing a favor to users letting them know of the issue and defend themselves against a attack.
Just because an attack has not happend doesn't mean that is not going to happen!!!
Apple disclosed the flaw WHEN THEY RELEASED THE FIX for it. Some guy in a lab reads Apple's description of the flaw and writes a test program in his lab that exploits the flaw. Oh, by the way, his exploit requires you to NOT have installed the patch Apple has already written. How is this even news?
A guy in a lab creates a concept and Cnet writes a story like this? I continue to laugh without virus protection. Maybe one year I'll get a virus. hehe
1) This is a non-story as the other commenters have pointed out
2) The article doesn't explicitly say that the patch addresses the vulnerability. It should.
3) What's up with this sentence? "Four of them affect both the client version of Mac OS X."
News.com has been replaced as my source of tech news because of this type of stuff. Now if the guys over at Engadget could get someone to focus on the industry...
I cant help but laugh at the irony of someone accusing others of the behavior they themselves are displaying.
Proof of concept exploits like this are developed for Windows on a nearly daily basis. If "mac fanboys" were to "jump on MS when news like this comes out" they wouldnt have time for doing anything else.
If you had a point to make about the zealotry of the Mac faithful, you could have done so without calling Macs 'toys'. That makes you look somewhat petty, and is hardly going to make someone 'shut up and take it'.
Personally, I'm not going to lose any sleep. I will still take a system that now has ONE known live exploit and say it is LESS vulnerable. Not invulnerable but LESS vulnerable. Bit like no car is thief-proof but some of them are very easy to steal.
As for 'toys' - toys are good, toys are fun. Machines are for dull people. Toys than run Unix are even better.
Yea... my earlier post got deleted... so i guess it was a bit too radical.
I'll summarize what was in that post... but say it in a nicer way:P
Macs are not my favorite Operating system... and by owning and occasionally using a mac, I preserve the right to say this. This is an interesting article as it explains how Macs are not as bullet proof as some say they are. I predict that ,in the future , there will be a BIG mac attack and mac users will have nothing to base their defenses against riducule on. OSX has stayed relatively problem free, as most Unix based OS's are. I am confident that hackers will find a way to break OSX... and this article will give them incentive and encourage them. lets see if this will get deleted... oh yea, I also said somehting like... Mac fans, get rowdy... I'm expecting replies... lol I'm such a poop disturber:P
The reason why Apple refuses to comment on this article is because simply, its not news! They've been fairly diligent when it comes to updating security for their software. Not to mention answering the press's concerns with Apple's far east IPOD factory dealings. They stood their ground to say the least.
So why the Bad Press?
Well you only need to look no further then the next article about Microsoft's Office 2007 delay. Its seemingly to me a cover story to put less shame on the black sheep of innovation, Microsoft.
Pimping for Symantec...While I was considering this, I noticed to the right a large advert for -- you guessed it -- Symantec anti-virus/security software. I can only hope the reason c|net exists is to give CS-dropouts employment and give jaded readers something to jaw about.
Kevin Finisterre, founder of security startup Digital Munition referenced in this article was interviewed by Security Focus on 2/27/06 (See <a class="jive-link-external" href="http://www.securityfocus.com/columnists/389" target="_newWindow">http://www.securityfocus.com/columnists/389</a>)
Since this Cnet article appears to needlessly try and resuscitate the Bluetooth InqTana worm scare, the following excerpt from Finisterre's interview is worth noting:
Q. In your paper, it sounds like both 10.4 and 10.3 were vulnerable, but aren't any longer. Is that right?
A. The Bluetooth bug that InqTana exploits has been patched for some time now.
In the same interview, Finisterre remarks about the less than vigorous tendencies journalists have pertaining to accurately reporting of software security issues:
Q. Did any antivirus company acknowledge that this was a lab creation that would have a hard time spreading? Do you think the vendors treated this well or as a marketing ploy?
A. Although blatantly mentioned in most of the antivirus threat notices, you will find that folks are still implying that the code will actually spread. I think this is a bit misleading. The fact of the matter is that InqTana is not spreading and physically cannot (spread) without a third party making their own variant. Headlines like New Mac Worm Spreads Via Bluetooth and Second Apple worm targeting Macs found are slightly skewed. First, the code is not spreading in any sense of the word nor was it "found" anywhere Since most articles are copied and pasted from the same source, you will find that a number of sources correctly identify this as "proof of concept." Quite a few folks actually mention the fact that it is both time limited and crippled to a specific set of Bluetooth addresses.
Unfortunately, not here. The present Cnet article continues the "accuracy be damned" approach and relies on sensationalistic claims while downplaying the actual (proof of concept) nature of the issue. And in the present case, an issue for which nothing exists in the wild and an issue for which a patch (10.4.7) has already been released.
Once again. Windows users can only dream that they have it this good.
Is it just me or are these so called Security Researchers/experts just trying to drum up publicity for themselves and increase sales? Why in the world would anyone with any integrity and truely interested in security first publicly announce a security flaw and then show everyone how to do so - particularly after Apple released a patch? How is this different from a hackers that write viruses, worms, bots, etc. aside from hiding behind the "expert" moniker? If the expert were truely concerned about security they would contact Apple and if Apple wasn't responsive, then make a public announcement of the "proof of concept", but for what reason would you ever release the attack code. If I decided that the US government wasn't taking the Bird Flu seriously and I released several infected birds into the population just to draw attention to the point to the government inaction, would you call me a terrorist?
Many researches work very hard to find these exploits. When these are reported to companies, they neglect to fix the problem or delay fixing the problem. Many times, these researchers are not provided with atleast minimal credit for their hardwork. By releasing information publically forces a company to issue a patch. In this specific case, apple issued a patch and the researcher issued a proof of concept attack. After all the researcher needs some credit for all the hardwork!!!
Listen to what apple said, "keep your computer up to date with patches." Please note that in the past, viruses have been written for exploits even after the patch to fix it has been released. Those computers that did not get the updates were vulnerable to the virus.
Computers that are up to date on OS patches and antivirus software dramatically reduce the risk of infection by a virus. It's rather simple to do, people. Why create so much friction over such a simple solution?
Its sounds like a lot of Macintosh users want this kept hush hush so they can continue to make arguments that Macs don't have flaws, don't need user awareness or spyware tools etc. I agree its not big deal and I never got a feeling from the article that they were trying to make this into a huge issue. But there is nothing wrong with mentioning it so it makes me wonder if Mac fans prefer that issues like this be kept from the public like a certain corporation does.
People, articles like this are part of a concerted attack. The PC industry feels threatened by what it rightly perceives as a serious threat, and they are doing their dirty, lowdown best to steer you away from buying a Mac. <p> The Sky Is Falling!! The Sky Is Falling!! This so-called exploit is such a laughable excuse for the press to sound the alarm. "Attack Code For Apple Flaw?" "Trojan attack?" The hole was already patched before the exploit was released! Even if you were at risk, you would still have to give the infecting app *permission* to run with escalated privileges before it could possibly affect you!! <p> Contrary to what the Microsoft/Symantec tools would have you believe, it's been *six years* since the introduction of Mac OS X and there is *still* not a single virus, trojan or spyware affecting Mac OS X in the wild. None. Zero. Zip. Nada. It's all manufactured, made-up Fear, Uncertainty and Doubt. <p> The Mac is not impenetrable, but unlike Windows, it is very, very secure. In real life on a Mac, there is simply no need for virus software or for concern that you might be infected. It just doesn't happen. <p> If you're thinking of buying a Mac, then you're to be commended for thinking for yourself and ignoring the desperate, clutching PC anti-virus software makers who are afraid they're about to lose you as a captive customer. <p> Stop bankrolling the virus-peddlers. Get A Mac. Welcome to computing as it's supposed to be.
First, this "proof of concept" is for a Trojan, not a virus. Second, there is no attack code in the wild. Third, even if it got into the wild, it would have a great deal of trouble spreading.
Once again, CNET foists a hoax on Mac users. I'm guessing CNET editors have lots of Symantec stock they're trying to shore up.
First, this "proof of concept" is for a Trojan, not a virus. Second, there is no attack code in the wild. Third, even if it got into the wild, it would have a great deal of trouble spreading.
Once again, CNET foists a hoax on Mac users. I'm guessing CNET editors have lots of Symantec stock they're trying to shore up.
Mac's are for people who hate learning I own a mac... I hate the bageezuz out of it... It doesn't let me do anything I want to do, I find the interface is too awkward and to top it off the original aqua theme is ugly. heck... I like Damn Small linux more than a mac and this exploit is indeed proof that apple isn't unbreakable I've been waiting for a story like this to come out for a while now... give... there is no exploit now. But this will put more eyes on apple and give hackers and other malwareitious people more incentive to code for the apple's destruction. Mark my words... there will be a big one. I expect replies hold nothing back mac fans:D
Mac's are for people who hate learning I own a mac... I hate the bageezuz out of it... It doesn't let me do anything I want to do, I find the interface is too awkward and to top it off the original aqua theme is ugly. heck... I like Damn Small linux more than a mac and this exploit is indeed proof that apple isn't unbreakable I've been waiting for a story like this to come out for a while now... given... there is no exploit now. But this will put more eyes on apple and give hackers and other malwareitious people more incentive to code for the apple's destruction. Mark my words... there will be a big one. I expect replies hold nothing back mac fans:D
geez.. it wasn't deleted... now i feel stupid:P don't worry, guy... I'm used to it:( *sniffle* but now that I have two posts... one that's really offensive.. and one that is partially non offensive... I wish the offensive one was gone... poo please forgive my out of place comments and foul temper:P it's early in the morning.. my girlfriend went back to Austria and I'm still hungry...
Tommy Jordan, the man who shot his daughter's laptop for YouTube, gets a visit from police and child protection services. Oh, and Good Morning America.
European Union grants unconditional approval for $12.5 billion deal, but says it will monitor Google's and rival's use of patents to make sure that the deal complies with antitrust rules.
The Samsung Galaxy Mini 2 S6500 could make its debut at the Mobile World Congress in Barcelona later this month, according to a leaked promotional image.
We've got an itch to touch us some Super Stars and get all Mario on some poor unfortunate bitmappy baddies. Looks like Converse is set to hand us just the footwear for the job.
The downward spiral continues.
Just because an attack has not happend doesn't mean that is not going to happen!!!
Some guy in a lab reads Apple's description of the flaw and writes a
test program in his lab that exploits the flaw. Oh, by the way, his
exploit requires you to NOT have installed the patch Apple has
already written. How is this even news?
continue to laugh without virus protection. Maybe one year I'll get
a virus. hehe
A unreleased virus that would target a vulnerability that will be
nearly non-existent in a week.
Lame.
2) The article doesn't explicitly say that the patch addresses the vulnerability. It should.
3) What's up with this sentence? "Four of them affect both the client version of Mac OS X."
News.com has been replaced as my source of tech news because of this type of stuff. Now if the guys over at Engadget could get someone to focus on the industry...
2. Is there code to exploit it? Yes
So now shut up and take it. You jump on MS when news like this come out but can't eat your own.
I laugh at all of you ignorant people that think your toys aka macs are invulnerable. Keep your had in the sand.
Proof of concept exploits like this are developed for Windows on a nearly daily basis. If "mac fanboys" were to "jump on MS when news like this comes out" they wouldnt have time for doing anything else.
If you had a point to make about the zealotry of the Mac faithful,
you could have done so without calling Macs 'toys'. That makes
you look somewhat petty, and is hardly going to make someone
'shut up and take it'.
Personally, I'm not going to lose any sleep. I will still take a
system that now has ONE known live exploit and say it is LESS
vulnerable. Not invulnerable but LESS vulnerable. Bit like no car
is thief-proof but some of them are very easy to steal.
As for 'toys' - toys are good, toys are fun. Machines are for dull
people. Toys than run Unix are even better.
I'll summarize what was in that post... but say it in a nicer way:P
Macs are not my favorite Operating system... and by owning and occasionally using a mac, I preserve the right to say this.
This is an interesting article as it explains how Macs are not as bullet proof as some say they are.
I predict that ,in the future , there will be a BIG mac attack and mac users will have nothing to base their defenses against riducule on.
OSX has stayed relatively problem free, as most Unix based OS's are.
I am confident that hackers will find a way to break OSX... and this article will give them incentive and encourage them.
lets see if this will get deleted...
oh yea, I also said somehting like... Mac fans, get rowdy...
I'm expecting replies...
lol
I'm such a poop disturber:P
because simply, its not news! They've been fairly diligent when it
comes to updating security for their software. Not to mention
answering the press's concerns with Apple's far east IPOD
factory dealings. They stood their ground to say the least.
So why the Bad Press?
Well you only need to look no further then the next article about
Microsoft's Office 2007 delay. Its seemingly to me a cover story
to put less shame on the black sheep of innovation, Microsoft.
Do you even know anything about computers?
credibility with alarming but false headlines?
referenced in this article was interviewed by Security Focus on
2/27/06 (See <a class="jive-link-external" href="http://www.securityfocus.com/columnists/389" target="_newWindow">http://www.securityfocus.com/columnists/389</a>)
Since this Cnet article appears to needlessly try and resuscitate
the Bluetooth InqTana worm scare, the following excerpt from
Finisterre's interview is worth noting:
Q. In your paper, it sounds like both 10.4 and 10.3 were
vulnerable, but aren't any longer. Is that right?
A. The Bluetooth bug that InqTana exploits has been patched for
some time now.
In the same interview, Finisterre remarks about the less than
vigorous tendencies journalists have pertaining to accurately
reporting of software security issues:
Q. Did any antivirus company acknowledge that this was a lab
creation that would have a hard time spreading? Do you think
the vendors treated this well or as a marketing ploy?
A. Although blatantly mentioned in most of the antivirus threat
notices, you will find that folks are still implying that the code
will actually spread. I think this is a bit misleading. The fact of
the matter is that InqTana is not spreading and physically cannot
(spread) without a third party making their own variant.
Headlines like New Mac Worm Spreads Via Bluetooth and Second
Apple worm targeting Macs found are slightly skewed. First, the
code is not spreading in any sense of the word nor was it
"found" anywhere Since most articles are copied and pasted from
the same source, you will find that a number of sources correctly
identify this as "proof of concept." Quite a few folks actually
mention the fact that it is both time limited and crippled to a
specific set of Bluetooth addresses.
Unfortunately, not here. The present Cnet article continues the
"accuracy be damned" approach and relies on sensationalistic
claims while downplaying the actual (proof of concept) nature of
the issue. And in the present case, an issue for which nothing
exists in the wild and an issue for which a patch (10.4.7) has
already been released.
Once again. Windows users can only dream that they have it this
good.
Haters are becoming a self-parody.
disinformation.
just trying to drum up publicity for themselves and increase
sales? Why in the world would anyone with any integrity and
truely interested in security first publicly announce a security
flaw and then show everyone how to do so - particularly after
Apple released a patch? How is this different from a hackers that
write viruses, worms, bots, etc. aside from hiding behind the
"expert" moniker? If the expert were truely concerned about
security they would contact Apple and if Apple wasn't
responsive, then make a public announcement of the "proof of
concept", but for what reason would you ever release the attack
code. If I decided that the US government wasn't taking the Bird
Flu seriously and I released several infected birds into the
population just to draw attention to the point to the government
inaction, would you call me a terrorist?
In this specific case, apple issued a patch and the researcher issued a proof of concept attack. After all the researcher needs some credit for all the hardwork!!!
Computers that are up to date on OS patches and antivirus software dramatically reduce the risk of infection by a virus. It's rather simple to do, people. Why create so much friction over such a simple solution?
1. There is no exploit in the wild for this.
2. It can not cause any trouble even if it somehow got on a mac.
3. This is just a lab finding for a problem already fixed.
<p>
The Sky Is Falling!! The Sky Is Falling!! This so-called exploit is such a laughable excuse for the press to sound the alarm. "Attack Code For Apple Flaw?" "Trojan attack?" The hole was already patched before the exploit was released! Even if you were at risk, you would still have to give the infecting app *permission* to run with escalated privileges before it could possibly affect you!!
<p>
Contrary to what the Microsoft/Symantec tools would have you believe, it's been *six years* since the introduction of Mac OS X and there is *still* not a single virus, trojan or spyware affecting Mac OS X in the wild. None. Zero. Zip. Nada. It's all manufactured, made-up Fear, Uncertainty and Doubt.
<p>
The Mac is not impenetrable, but unlike Windows, it is very, very secure. In real life on a Mac, there is simply no need for virus software or for concern that you might be infected. It just doesn't happen.
<p>
If you're thinking of buying a Mac, then you're to be commended for thinking for yourself and ignoring the desperate, clutching PC anti-virus software makers who are afraid they're about to lose you as a captive customer.
<p>
Stop bankrolling the virus-peddlers. Get A Mac. Welcome to computing as it's supposed to be.
there is no attack code in the wild. Third, even if it got into the
wild, it would have a great deal of trouble spreading.
Once again, CNET foists a hoax on Mac users. I'm guessing CNET
editors have lots of Symantec stock they're trying to shore up.
there is no attack code in the wild. Third, even if it got into the
wild, it would have a great deal of trouble spreading.
Once again, CNET foists a hoax on Mac users. I'm guessing CNET
editors have lots of Symantec stock they're trying to shore up.
Mac's are for people who hate learning
I own a mac... I hate the bageezuz out of it...
It doesn't let me do anything I want to do, I find the interface is too awkward and to top it off the original aqua theme is ugly.
heck... I like Damn Small linux more than a mac
and this exploit is indeed proof that apple isn't unbreakable
I've been waiting for a story like this to come out for a while now...
give... there is no exploit now. But this will put more eyes on apple and give hackers and other malwareitious people more incentive to code for the apple's destruction.
Mark my words... there will be a big one.
I expect replies
hold nothing back mac fans:D
Mac's are for people who hate learning
I own a mac... I hate the bageezuz out of it...
It doesn't let me do anything I want to do, I find the interface is too awkward and to top it off the original aqua theme is ugly.
heck... I like Damn Small linux more than a mac
and this exploit is indeed proof that apple isn't unbreakable
I've been waiting for a story like this to come out for a while now...
given... there is no exploit now. But this will put more eyes on apple and give hackers and other malwareitious people more incentive to code for the apple's destruction.
Mark my words... there will be a big one.
I expect replies
hold nothing back mac fans:D
don't worry, guy...
I'm used to it:(
*sniffle*
but now that I have two posts... one that's really offensive.. and one that is partially non offensive...
I wish the offensive one was gone...
poo
please forgive my out of place comments and foul temper:P
it's early in the morning.. my girlfriend went back to Austria and I'm still hungry...