"It appears to have been written well before the vulnerability was fixed," said Dino Dai Zovi, a researcher at Matasano Security, who was credited by Apple with discovering the flaw. "It appears to be a zero-day exploit." He added that it may even "have been distributed before the patch was released."
Indeed, a Dutch student named Matthijs van Duin claims he found the bug and crafted the exploit in November last year. He did not call attention to the exploit, but did store it in a public directory online to share it with a few people, Van Duin told CNET News.com. Symantec and the French Security Incident Response Team, or FrSIRT, issued alerts about the attack code over the weekend, but the exploit appears to have gone unnoticed by security monitoring companies before that.
"I didn't release it at such," Van Duin said in an interview via e-mail. "I just put it in a directory to show it to a few people...I was trying to figure out why the kernel code that was obviously meant to plug this vulnerability was present, but disabled. Then I had more urgent stuff to do, the vulnerability ended up on the bottom of my 'to do' list."
Apple representatives did not immediately return calls for comment.
The vulnerability could be exploited by a local attacker or someone with privileges to remotely log on to a machine. Macs that are used by multiple people, as well as servers with remote access capabilities, are most at risk, experts said. A person with limited privileges could exploit the flaw to possibly gain full system access.
"The risk presented by this exploit is limited by the fact that it can only be exploited by a logged-in user, although the user may also be logged in remotely," Dai Zovi said. "The issue is also mitigated by the fact that a patch has already been released."
Mac OS X, by default, checks for updates weekly, which means most Mac OS X systems will not be vulnerable much longer.
The exploit as it was publicly released does not do anything destructive; instead it runs the "/usr/bin/id" utility to show that a person enjoys full administrator privileges.
"I can then make it do anything I want," Van Duin said. "An ill-intended person with at least some skill could modify it to spawn a root shell."
Dai Zovi agreed with Van Duin, saying that a knowledgeable user can easily replace or modify the exploit payload to run a full-access root shell.
an exploit requires local or console access honestly isn't that big a deal. You give a hacker physical access to a box running nearly ANY OS, and he'll get in eventually. Thus the reason physical security of a box is important as well.
If a hacker gets physical access to an osX machine he can use the osX disk to change the password, console access is a bit harder but additional safety measures are always needed for critical operations with untrusted logins.
However, this is the kind of hack that can be used in combination with a hack like the one just disclosed for the Firefox browser to both get remote access and the desired elevated privileges to create an "owned machine".
It's not a big deal only because it's got a patch available to fix it which is likely to be installed on any system connecting to the net regularly.
Raised privilege exploits might not be that big of a deal for the average home user, but they are most definitely a very big deal for servers. This is how MANY servers managed to be hacked. A malicious hacker will obtain a valid user login, either through a weak password, keylogger on the user's computer or even a bit of "social engineering", and then make use of this sort of exploit to gain full control over the server.
This kind of exploit is also often used in conjunction with a remote code exploit to do actual damage. Typical use of a computer (whether it be OS-X, Windows, Linux or whatever) should always be performed ONLY as a user with limited privileges with the root/administrator account only being used to install software and make certain configuration changes. This greatly limits the ability of any malicious code from remote exploits from actually doing any damage. However if you combine a remote exploit with a privilege elevation exploit, a malicious hacker can then get around standard good computing practices.
Long story short, privilege elevation flaws are probably the second most serious type of flaws after remote exploits. Good on Apple for fixing this one, but this should serve as a warning that *NO* OS is free from security flaws.
A logged-in, trusted user, with remote access rights can "exploit" the system? That's like saying an emailer in your local post office is able to bypass your spam filters.
There are some hacks reported in this story, but none appear to be in the software...
"A logged-in, trusted user, with remote access rights can "exploit" the system? That's like saying an emailer in your local post office is able to bypass your spam filters."
No, it's not the same (your analogy doesn't even make sense,) and yes, a local exploit from a trusted user from a remote location is serious.
The reason Cnet gets away with that is because they quoted someone. The author of the article didn't make the statement. If someone makes a statement, it can be quoted even if it's only an opinion with no real proof. I agree it's sort of poor writing but I hardly think Cnet is the only one guilty of such a thing.
Let me just say that in my opinion, if you think that OSX is "secure", you are sadly mistaken. No OS is secure. There will always be vulnerabilities in their code. I also don't think of OS X as the "most secure" Operating System. It's hard to compare because of the amount of users that Windows has compared to OS X. For now, it's probably the safest Operating System to use because it's not widely exploited. But, the more users OS X gains, the more hackers and exploiters that will be looking at OS X.
First of all, I think it's almost criminal to call these things "flaws". Whether you're a PC or MAC user, they are NOT "flaws". They are "vulnerabilities". Whether they are "Discovered", "Exploited", or "Perceived", they are "Vulnerabilities", NOT "flaws". Flaws are those things that either hiccup, shut-down, or lock up a system without outside intervention, interference, manipulation, or exploitation. On the other hand, those software problems that were overlooked by the software company's code proofing, and are causing problems for the user, these truly are "flaws". When someone looks for, and exploits discovered "vulnerabilities", it's different. I am so sick of people saying that these corporations are responsible and culpable for this exploitation, and damage control. They are doing us users a tremendous service by patching and being on the ball for these discovered & exploited "vulnerabilities". We should be thankful for their vigilance and help. Apple isn't at fault, and even though Microsoft could have done a better job in hardening XP against cyber attacks, neither is Microsoft. I still think that M$ Word, and Outlook are some of the best laid out programs available. I wish that Open Office had the calendar functions, variety, and options that Outlook has. This is the beginning of a whole new phase of "vulnerability" patching and updates for Apple. Just wait! M$ will have its hands full when they finally release Vista. And that's gonna be January 30, 2007? Maybe. Maybe even later. Well, whether it's Apple or Microsoft, thank you both for helping us fend off these weasels that want to exploit our computers, and attempt to ruin our lives.
Aside from the fact that your statement is merely about semantics, it is also wrong. A "flaw" is anything that does not work as intended. It does not need to cause any type of lock up, shut down, or hiccup. If my OS occasionally types the "a" key whenever I try to open Photoshop, that is a flaw. If it displays the colour red instead of yellow, that is a flaw.
And of course companies that make OSes are responsible for damage control. Especially when the foundational mindset that underlies the product allows for this exploitation in the first place. They made the product. Its use makes one vulnerable to damage, in ways not intended by the user, and not a foreseeable outcome of its use. This is the definition of product liability.
First off, I'm glad Apple fixed the flaw. Secondly, I hope it alerts EVERYONE (even us Mac-users) to take security seriously. Hardly anyone I know that uses a Mac has any additional security protection on their computers. Most of them recoil at the thought of it.
Anyhow, there was a flaw. Apple fixed it. But, it did exist. That's proof enough to get secure.
One of the confusing things about this issue is just what is a Mac user supposed to do for the sake of security other than hang his head in shame? In almost all cases they are already doing the most important thing by not doing anything. For instance by not changing default settings you will not have remote login enabled. That is in marked contrast to Windows which has been plagued by having exploits which work for default settings.
The last thing we need are masses of Mac users poking around in system preferences changing settings in the hope of making things more secure.
It remains important that vulnerabilities be found and patched regardless of settings but it is also helpful to be aware of the nature of these exploits. Leaving unneeded services turned off is your first level of defense. Second, always have at least two user profiles, one with administrator privileges and one without. Make the non admin user your usual login. With OS X that is not a problem (it is how my Mac is configured) and just log in with admin privileges if you are installing software. Finally there is physical security. Don't hand your iBook over to a bald guy with a goatee wearing a black turtleneck at Starbucks. More could be said but that should usually be sufficient.
"Hardly anyone I know that uses a Mac has any additional security protection on their computers."
And I bet that most people you know do NOT have their machine set up for remote access, with multiple accounts set up for people they do not trust to use the machine. As such, this "vulnerability" does not affect them, and they are perfectly safe in their current computer practices.
I actually mentioned to Joris it wasn't a big deal, being logged in as a user is normally already quite enough to do most things a Bad Guy would want to do, without needing root access.
Some of the other vulns mentioned in the security update sound far more serious to me, like the buffer overflow in JPEG2000 decoding.
The only interesting thing about this vuln is that the code to prevent it has been present in the kernel for a long time, but had been disabled (#if 0) for unknown reasons.
but I have a question - Does this exploit work even if the root account is disabled? I mean, will the attacker still be able to gain root privileges? I ask this because that's how most Mac desktops and notebooks are configured by default.
Of all the systems I've managed over the past 20 years the only one I have never been able to crack from the console is IBM's AS400.
Unix, Mac, OS2, Novell, VMS, etc. can all be cracked if you can access the console. And of course the only requirement to crack most Windows computers is that it is turned on.
but it is also not parchment paper. The article is exaggerating things. For clarification please read the comment by Duin - the creator of the exploit - in the talkback.
Considering your track record in understanding any of the issues involved, I don't see why anyone would take anything you had to say with any degree of seriousness.
if you actually read the article. A patched exploit that requires a user to already have an account on a machine is not a big deal. Is that all you have? HAHAHAHAHAHAHA
It beats the heck out of the "I farted in the general direction of a 'Doze box in '95 and it made Vista crash in 2007" schtick these Gates sycophants suck up to! :)
When a flaw, vulnerability, whatever, is found in Windows, even if it's fixed/patched, all I read about is how bad Microsoft is or what have you. That you need to switch to a Mac or Linux, run a different browser, blah, blah, blah, blah, blah. But when it happens to a Mac, the postings go something like "It's no big deal..", "This has been fixed..", whatever.
Give me a break
Every OS is susceptible to attacks and as the popularity of Macs increases you will see more things like this. Nothing is perfect. Use what you like but get off your high horses and I'll get off my soapbox.
I won't call it an exploit, or a vulnerability at this point, because it wasn't used to do anything bad yet... and the operable word is yet. So that leaves OSX with a total of 3 worms, and 1 trojan..that we know about.
If recent studies are to be believed the internet has a user population of 84% Windows and 3.7% OSX. (see other Cnet article on Apple growth slowing.) That means people looking for attention, or looking to defraud, or just out to cause chaos, are going to focus on the largest possible impact.. the 84%. It's no wonder you hear about security vulnerabilities every week in windows, it's the target! It's also been around in its current kernel incarnation for nearly 5 years.
But as OSX popularity grows those who wish to do damage will pay more and more attention to it. The recent slew of "We're immune to that because we're better than everyone else" commercials has probably caused a significant increase in the number of people looking for exploits.
Why? It's like telling a jewel thief, "I bet you can't steal this jewel!" They'll try, and they'll succeed.
My personal advice to Apple users, get used to hearing about vulnerabilities, trojans and exploits, and stop believing the propaganda about how immune you are, and start practicing "safe computing"
First step, fix the one flaw in every operating system... the user.
There have been ZERO exploits to OSX so far, and at this point in the game it's probably too late for any serious outbreak to ever occur. Launchd among 70 other differences, make OSX the most secure operating system in massive use today.
Marketshare doesn't really matter, OSX is just as exposed to the network as Windows machines, the best minds in the business have tried and tried to crack OSX. It can't be done, the proof is in the facts. No Viruses or Spyware, or Trojans have affected OSX. Only a few issues with some bundled apps, but none have touched OSX.
Apple does all the Virus, Spyware, etc protection inside the OS, while Microsoft doesn't understand programming enough to do it internally, so they rely on 3rd parties, making their OS far less secure than it should be.
If you want a trouble free, virus free, rock solid, fast OS, with a much better software library than Windows, Apple's Macs are by far the best computing device you can purchase.
I really think that the market share idea is illogical. If I were a person writing malware for fun, profit or attention, I would definitely try to write a mac virus, et al for the simple reason that it would be NEWS! Writing windows malware is nothing particularly special, but you get your name in lights (at Cnet anyway) if you successfully booger up a bunch of macs.... but we should practice safe computing... to keep from transferring infections to our windows brethren....
--- by the way I'm not bothering because I've learned how shady these stories have become, and how false they are. It seems when it comes to Apple, there truly is a bias to regurgitate old stories as new, and manufacture false information ---
is this the same contest winner who claimed to hack a mac in 30 seconds, but had to have local, or user privileges to do so?
IF THIS IS TRUE, SHAME, SHAME AND CONTINUED SHAME ON CNET!
You do realise that in a world of multiuser servers this is a pretty significant issue right? Also, considering how pathetic most people make their passwords, brute forcing a limited role account and then bootstrapping it with a rootkit is a problem.
THE DIFFERENCE IS THAT WINDOWS VIRUSES' MALWARE AND THE LIKE ACTUALLY DO DAMAGE, SCREW UP COMPUTERS, WASTE TIME, WASTE MONEY, AND RUIN THE COMPUTING FUN... SO FAR, MAC MALWARE IS JUST A CURIOSITY AND SOMETHING FOR WINDOWS FOLKS TO FEEL GOOD ABOUT.... WHICH IS WHY I SWITCHED TO MAC A YEAR AGO... AND LIFE (AND COMPUTING) IS GOOD....
Can you quantify this statement? Put some context in it? Even the article you linked to doesn't quantify the statement.
Think of it this way... Would you have unprotected sex with a hooker? Didn't think so. Don't leave your computer unprotected either.
No one said Macs were invulnerable, that'd be stupid, nothing's perfect.
article, maybe someone would care about your soapbox.
But that's life!
Nothing could be further from the truth. OSX uses Launchd, so it's impossible for a program to spread on OSX systems.
http://en.wikipedia.org/wiki/Launchd
Have a good day.
<a class="jive-link-external" href="http://www.microsoft.com/technet/security/advisory/926043.mspx" target="_newWindow">http://www.microsoft.com/technet/security/advisory/926043.mspx</a>
/P
need to be an advantage.
I suppose folk like you walk to work on their hands just for the
sake of it!!!
that little "caps lock" button on the left of your keyboard. Use it.
Have a nice day!
Click on Keyboard & Mouse
Click Modifier Keys
Select No Action to the right of Caps Lock
Your Caps Lock key is now disabled, and everyone on the Internet is happy. ;)