January 18, 2005 5:40 PM PST

Darwin flaws survive in Apple's Mac OS X

A source-code audit of the open-source operating system from which Apple Computer borrowed much of the code for Mac OS X revealed four vulnerabilities of varying severity in Apple's software, a security company said Monday.

The flaws in Darwin affect Mac OS X version 10.3--dubbed Panther--and are caused by memory errors in the kernel, according to an advisory released by ImmunitySec, the security company that found the flaws.

"In terms of criticalness, this kind of bug mostly affects remote systems with multiple users," said David Aitel, founder and security consultant with ImmunitySec, adding that since Mac OS X is most often used on the desktop, the flaws will not be overly important on most people's systems.

The company originally found the flaws in June and published them to a private list of customers but did not notify Apple. It published the flaws on Monday, after presenting them at a seminar.

Apple confirmed that it had not been told of the flaws and said it was analyzing the vulnerabilities but would not elaborate.

ImmunitySec found the flaws by analyzing the publicly available source code of the Darwin operating system, which implements a variant of Unix known as BSD. Darwin forms the core of Apple's modern Mac OS X operating system, and the flaws found by the security company also affected Apple's operating system.

The flaws include a bug in Mac OS X's SearchFS function, several kernel memory overflows and a logic bug in the AT command, which is used to schedule tasks by the operating system.

16 comments

Waiting for a virus
I'm sure some enterprising young hacker out there would jump
on the chance to write the first virus for Mac OS X (why bother
being one of 70,000 on Windows). Of course there are all of
those other inherent security features to get past that MS
doesn't feel the need to include. May make the task somewhat
more difficult.

Anyone,,,anyone?
Posted by Dr Dude (49 comments )
Which comes first the virus or the fix
I think it will take about as much time to write an effective virus that takes advantage of these flaws as it will take Apple to fix the flaw. Sure some people won't update their OS quickly and therefore will be open to attacks but really what is the point. With only 3% market share surely there are more ugly, annoying, frustrating, larger bloatware of an OS to hack a WINDOW through than the Mac OS. Then again maybe that other Windoz based OS has had its share for a week and the virus writers have nothing better to do with their time so they might as well have a crack on Mac OS X. I for one don't care. I love my Mac and how it is set up but if I had to re-install then well that is a little fun too... Maybe I can be the first person to be infected :)
Posted by (19 comments )
Borrowed?
Reading the article one gets the picture that Apple has borrowed code from an open source operating system called Darwin. This is incorrect. Apple has created Darwin and in practice is the only contributor to the Darwin kernel. This is almost like saying that Microsoft had borrowed code for its Windows XP from an operating system known as Windows.

The Darwin kernel itself is a mixture of code created by Apple and borrowed code from the FreeBSD and Mach operating systems.
Posted by (2 comments )
Borrowed you say?
So, if the code is borrowed (from BSD), do they have to give it back?
Posted by herkamur (115 comments )
Bordering on the criminal
What strikes me is that they have done nothing in the way of
alerting Apple prior to disclosing the flaws...

Why ?

Discovering flaws and disclosing them is knowingly disruptive
and is tantamount to hacking... A Crime.

Let them rot in jail.... Bastards.

Normal behaviour of people interested in the general IT safety of
the public ALWAYS notifies the vendor first.
Posted by (1 comment )
Public knowledge...
The code, being publicly available and reviewed
is public knowledge. The flaw, being contained
in the code, is thus also public knowledge. The
fact that they point out its existence might be
a nuisance, but not actionable.

Further, both Apple and the public are
forewarned and able to take corrective measures
the second the things are brought to attention.

Anyone looking for the flaws could have found it
and no doubt other people knew about them prior.
Now everyone is aware of the issues and can take
measures to safeguard against exploitation or to
remedy them.

Pointing out a bug, along with a fix, is by no
measure equal to cracking a computer system.
Significant effort would still be required to
develop and exploit.
Posted by Gleeplewinky (289 comments )
This report is obviously false.
Everyone knows that only Windows and Internet Explorer have security bugs. This report can't be true.
Posted by ProjectGSX (27 comments )
Ah, how sarcastic.
We know Apple has security flaws. Otherwise they wouldn't release security updates. However, you have to look at the amount of attacks, and holes as a whole, to determine which is safer. 70,000+ viruses/worms/spy and adware for Windows, or the couple of dozen security flaws with OS X?

There's only been one script, in the underground which circulates with a cracked version of a piece of software, that IS indeed Malicious. However, it's a script for the unix terminal, and cannot propagate itself over email or network connections.

I'm about 99% sure that these hackers aren't targeting Windows for the sake of its installed user-base. It's targeting for unethical business practices and trying to show the public how useless that platform really is when it comes to protecting the people who pay for peace of mind.
Posted by (461 comments )
There's a point that should be made...
This is actually an amazingly great thing. I'm a Mac user -- a recent switcher from Linux/Windows -- and I for one am excited by the fact that an independent group was able to audit the foundations of Apple's operating system for security holes. And when they discovered FOUR (I think it was... hardly a large amount)... they alerted the public.

Yes, the way they made the info public probably wasn't the best, and yes some Mac users are going to be offended that OS X has even one vulnerability... but this is a great example of potential upsides to basing software on open source.

Because Apple released the majority of their OS foundation to the public, someone was able to audit that code and discover a few issues that Apple was previously unaware of. This should be a positive note for OS X, not a negative one.
Posted by brasten (33 comments )
Darwin flaws survive in Apple's Mac OS X
It is irresponsible and I think it is even criminal on the part of
ImmunitySec not to inform Apple of the security issues in Darwin
before making them public. Particularly when they found them
more than 6 months ago.
Posted by (3 comments )
It's all about the headlines.
If the company had notified Apple when they found the
flaw, Apple might well have patched the flaw before the
company was ready to go public. Going public first lets
them say, "Hey look! We found a security flaw in the
'security flawless' OS-X!" and then all the tech writers and
Windows acolytes will give this ImmunitySec outfit several
acres of print space (hey, they got a headline on C|Net...).
If someone claims to find a security hole in OS-X, that's
news. If Apple already has the patch out before the news
breaks, well, that kind of takes the impact out of the
announcement, doesn't it?
Posted by RideMan (81 comments )
 
