Apple Businesses

Month of Apple Bugs - First Bug Unveiled 240

ens0niq writes "The first bug (a Quicktime rtsp URL Handler Stack-based Buffer Overflow) of the Month of Apple Bugs has been unveiled — as previously promised — by LMH and Kevin Finisterre. From the FAQ: 'This initiative aims to serve as an effort to improve Mac OS X, uncovering and finding security flaws in different Apple software and third-party applications designed for this operating system. A positive side-effect, probably, will be a more concerned (security-wise) user-base and better practices from the management side of Apple.'"
  • Re:At this rate (Score:5, Insightful)

    by Rob T Firefly ( 844560 ) on Tuesday January 02, 2007 @10:04AM (#17431070) Homepage Journal
    Or I could use the Linux Cop Out... Explaining that Quicktime is actually a third party application that is bundled with the OS not the OS itself.
    Actually, since Apple makes both Quicktime and MacOS, it's more like the MSIE/Office copout.
  • Is this true? (Score:4, Insightful)

    by bogie ( 31020 ) on Tuesday January 02, 2007 @10:11AM (#17431112) Journal
    "The problem with so-called 'responsible disclosure' is that for some people, it means keeping others on hold for insane amounts of time, even when the fix should be trivial."

    Is Apple as bad as MS when it comes to fixing security flaws? Is there really a need to show how "insecure" OS X is? Or is this more a "you're going to start listening to security experts when they have something to say or else..." type situation. I did read the FAQ but they really don't show any evidence to prove why this is a good thing, how this will improve OS X security, or how Apple has been unwilling to fix flaws in the past.

    They could be 1000% right, but on the surface I just don't see anything which either confirms or denies their theory. It would be nice to at least read some sort of history of how Apple has interacted with Security researchers in the past.
  • Plain wrong! (Score:1, Insightful)

    by Anonymous Coward on Tuesday January 02, 2007 @10:21AM (#17431186)
    This is just the wrong way to do this folks. They should be finding and notifying Apple.
  • by aj50 ( 789101 ) on Tuesday January 02, 2007 @10:28AM (#17431232)
    It is like finding a car door open and yelling out "Hey This Car Door is Open and all the valuables are inside someone should lock it!" vs. Finding the person who owns the car and discreetly telling him that it is unlocked. Or just locking the door yourself.
    Not really.

    It's more like finding a bank vault open and shouting out, "Hey, everyone, this bank has left its vault open with your money in it."

  • by elrous0 ( 869638 ) * on Tuesday January 02, 2007 @10:29AM (#17431242)
    A poor analogy, methinks. It's more like discovering that an apartment building master key has gotten into criminal hands. First you go to the building manager and ask him to change the locks. If he refuses to do so promptly, you go to the residents and inform them. The problem comes when the master key gets out a lot and the building manager consistently drags his heels on changing the locks each time it does. At a certain point, you realize that the only way to really get his attention is to go directly to the residents.

    -Eric

  • by Llywelyn ( 531070 ) on Tuesday January 02, 2007 @10:31AM (#17431264) Homepage
    If they were truly interested in "improving MacOS X" or "improving practices on the management side of Apple" then they would release these bugs to Apple first. Don't wait an insane amount of time, but give them a nice reasonable amount of time to fix the bugs. Heck, even tell them you plan on releasing them on thus and so date and start the month *then*, giving props to Apple for those they have fixed.
  • by jellomizer ( 103300 ) * on Tuesday January 02, 2007 @10:38AM (#17431336)
    Not exactly. First, in this case they are not going to the manager first; they are going to the public about it first.

    Next a Bad guy may not have the key, but once he knows the key is missing he will start looking around for the guy who found the key and take it away from him. It is more like the key is hidden under the welcome mat. And the guy found it one day then blabbed about it to everyone even outside the apartment.

    As a landlord myself I know, some jobs can't be done right away. Some things, especially changing all the locks, take time, including finding the residents and giving them the new key before they leave, so you can change their locks. Also the time to fix all the locks, dealing with people who think their lock should be replaced first, others who love their lock so much they don't want to change it. Some people creek in fear when the landlord knocks figuring they will evict them with a blink of an eye. (even though it is expensive to leave a room vacant)

  • by 99BottlesOfBeerInMyF ( 813746 ) on Tuesday January 02, 2007 @10:47AM (#17431430)

    Apple has had poor relations with security researchers for years.

    Actually, Apple has had pretty good interactions with security researchers in general, in my experience. Being a huge PR magnet, however, they also manage to attract showboaters trying to capitalize on the popularity they can get by behaving in a less than reasonable manner. The wireless exploit you cite, for example, turned out to be hype about a problem that affected no mac in its default state, but Apple responded to it even though they were never contacted with the details of the supposed exploit and did fix several issues they found during a review of the wireless drivers they ship. Apple has done a pretty reasonable job of patching easily exploitable/wormable problems very quickly and they don't seem to be ignoring problems reported to them. One of my coworkers found a local exploit (low risk) and reported it through Apple's Website. The fix was in the next security update and even credited him. It seems like pretty good relations with the security researcher community to me.

    As for the month of Apple bugs. It is more of the same. Sure these guys could report Apple bugs to the normal channels and they'd be fixed fairly quickly and overall security would benefit. That, however, won't make the news. So instead of reporting bugs when found, these guys are intentionally delaying releasing that info to both Apple and the public. Apple isn't pressured to quickly fix bugs if they don't even know what those bugs are. The public isn't served by bugs being fixed more quickly. Users aren't served by bugs being released to the public for possible mass exploitation without Apple ever being given a chance to patch their machines. The end result is decreasing the overall security of computing. It serves no one except the researchers who are showboating and being irresponsible.

  • by 99BottlesOfBeerInMyF ( 813746 ) on Tuesday January 02, 2007 @11:14AM (#17431618)

    ..... Given Apple's tendency to sue just about anything that moves so that they can preserve the "reality distortion field," are these researchers not afraid of being sued out of existence?

    The reality distortion field you cite is warping your perspective. Apple is actually not particularly litigious compared to most companies their size. To my knowledge they've never sued anyone for publicizing bugs. They don't even normally go after publications that intentionally publicize their trade secrets unless they admit having obtained those secrets from an insider Apple does not know the identity of, and in the one case of that, they sued only for the name of the informant, not for any damages against the publication. The thing is, the litigation they do engage in is often highly publicized, making it seem as though they are very litigious.

    So to answer your question, if they have a reasonable grasp on reality, no they aren't worried about being sued.

  • by Nelson ( 1275 ) on Tuesday January 02, 2007 @11:49AM (#17431910)
    Yeah but you see, that's against entirely different software and hardware than what secureworks supposedly demonstrated.


    I really don't see how you can paint apple in to a bad place with this, secureworks created a lot of hype while disclosing nothing to anyone, Apple took the initiative and at their own expense researched the issue and fixed potential problems they found, none of which has a known exploit. None of this validates what secureworks did, it is possible it's the bug they supposedly found but it's also possible they faked the whole thing.

  • Re:and now Apple (Score:5, Insightful)

    by 99BottlesOfBeerInMyF ( 813746 ) on Tuesday January 02, 2007 @12:19PM (#17432198)

    ...when Microsoft gets treated to the same very few care, in fact some seem to relish in it.

    Microsoft is not performing due diligence and is quite frankly not giving customers what they want. They routinely sit on publicly announced bugs for long periods of time and according to people I know who have worked there less than half of the security holes they find internally are prioritized high enough to be fixed. No one is happy worms are destroying computers, but some people are happy to see MS getting bad publicity because of their actions.

    Now comes the fun, if a bug is reported to Apple how long do they get to fix it? Who will determine when enough time has passed?

    Well, I believe the last serious security hole reported to them was fixed in 10 days, which is pretty good turn around for development and QA. OS's can be evaluated based upon the nature of the vulnerability, risk, and duration of exposure. For something like this, if it is easily reproducible, under normal circumstances, a couple of weeks seems reasonable. If they are constantly getting new vulnerabilities once a day, it may be longer since they might need to prioritize based upon those. Think of this from the developer's standpoint. If these guys are trying to make OS X less secure, they picked a good way. Thanks jackasses.

    They haven't a big enough installed base to get the "Average user" which Microsoft has to both sell to and suffer with.

    What do you mean? Apple has lots of novice users including the very young and very old attracted by their reputation for ease of use. How many people on this forum do you suppose convinced their grandparents or parents to get a mac?

    When they do penetrate the "Average user" market and get into double digits of popularity then they attract attention they don't want.

    There is plenty of motivation for hackers to attack OS X right now. The reason it does not happen is not the lack of motivation, but the difficulty/convenience of so doing. Smaller market share makes propagation more complex. Increased scrutiny makes exposures shorter. Many worm authors have a very windows-centric knowledge base. All of these factors may mean as OS X's market share goes up, worms become more common, but to attribute this to motivation is a mistake.

    Do not underestimate the creativity and capability of the hackers out there.

    I know people on both ends of the security spectrum. I'm not too worried about OS X becoming bug ridden as market share increases. In fact, I think both Windows and OS X security will increase as OS X's market share increases. The problem of security is one of motivation, but not of the motivation of malware authors, but of OS vendors. Apple needs to keep customers happy to maintain market share. Thus, if malware becomes a problem for their users they will fix it or lose money. Right now Microsoft has no such motivation, so their attention to security has been spotty at best. They don't significantly lose money when users suffer from security problems. Increasing OS X's market share might motivate them to improve security. Anyone who argues that MS or Apple is doing all they can has not been paying attention.

  • Re:No problem! (Score:2, Insightful)

    by daveschroeder ( 516195 ) * on Tuesday January 02, 2007 @12:20PM (#17432208)
    In all seriousness, no reasonable person thinks that "only" Windows can get viruses.

    One comment I have had (which I doubt will be approved as a comment on the blog, since - other than technical posts - lmh only seems to accept congratulatory comments), and which I am curious to have feedback on is this, below, which was in response to lmh saying:

    It's a matter of time to see this getting abused in the wild. Hopefully, due to exploits being released for every critical issue, the usual 'not a problem' claims will vanish (unless the guy is a total retard).

    lmh,

    Of course there will be exploitable issues. It's only a matter of time to see *any* issue being "abused" in the wild. What's curious to me is you're speaking of, for instance, this rtsp issue like it's something manifestly new or unique (I know it's a "new" issue itself; that's not what I'm saying). We've seen issues to date that have allowed arbitrary code execution by a user just, for example, visiting a malicious web page. And then, Apple fixes the issue. What more do we want or expect?

    I know you and others are on this kick of wanting to "prove" that Mac OS X is "insecure". But I don't know what it proves, exactly. That all large software projects and operating systems have bugs? No reasonable person says that Mac OS X is invulnerable or has no bugs. That would be absolutely ludicrous. And ordinary users don't understand anyway, even when you show them something like this.

    What people do understand is machines getting hit with malware on a routine basis, or getting owned completely from remote in an automated fashion, with no user interaction whatsoever, which, as I'm sure you're aware, has happened numerous times, often with far-reaching consequences of downtime, data loss, cleanup and remediation, and recovery, on the "other" desktop platform.

    The real bottom line today and ever since Mac OS X was released is this: has the Mac OS X userbase to date, or will it realistically in the future based on past performance, be affected either:

    1.) in absolute numbers, or
    2.) as a percentage of the total userbase

    on a greater scale (or anywhere NEAR) anything we've seen affect the Windows platform?

    I guess I'm curious with what your exact beef is: is it ordinary users (correctly) thinking that Mac OS X is [insert some amount here] more secure, from a practical perspective, than Windows?

    Is it Apple's type/speed/thoroughness of response to security issues, once reported or revealed?

    Is it Apple (again, correctly, from a practical perspective) insinuating the level of security on comparison to Windows in its commercials?

    Is it Apple's legacy code, which is rife with various opportunities for exploits?

    What would possibly be more productive here, and what you also didn't answer in the FAQ, is what precise actions you think Apple should be taking to remedy, for example, bugs that it is not aware of.

    Should it create new teams specifically to do code audits and find vulnerabilities proactively?

    Should it make public comment on security issues before it has provided a patch or fix?

    Should it provide more granular separate fixes and workarounds more quickly for individual issues, instead of waiting to roll them into the next security or OS update?

    Also helpful would be some kind of outline of what you believe Apple is doing *wrong*, right now, on the security front.

    And yes, I could make my own list. But I'm more curious about what you think. I'm also curious whether you recognize that, while there is still a long way to go, Apple has indeed greatly improved its response to security issues in direct response to complaints and feedback it has received from the enterprise/institutional community (e.g., via Apple University Executive Forum and MacEnterprise.org)? As a direct result, Apple started making detailed reports (at last far more detailed than they were before) of each issue addressed or fixed, links to (or creates) advisories where
  • Occam's Razor (Score:3, Insightful)

    by SuperKendall ( 25149 ) on Tuesday January 02, 2007 @12:43PM (#17432434)
    Partly it's because of the smug attitude of many Apple users - who assume that because they don't get attacked their OS is more secure; but part is also the researchers themselves.

    So please explain to all of us why we have no viruses on the Mac yet, even with some tens of millions of fairly homogeneous computers around (same OS, same patches, much of the same hardware) in a world where botnets of even just a hundred thousand nodes bring in real money. There is financial incentive enough for the macs to have viruses and spyware, yet they do not.

    Perhaps you should instead apply Occam's Razor, and think that if in fact any given OS sees fewer attacks than another, it is actually more secure.

    Of course there are holes in OS X, any reasonable Mac user realizes this. But we also know we have yet to see any real exploits in the wild. So far this effort is not really doing anything about that situation either way, if you'll read below you'll find this first proof of concept exploit does not even work!
  • by Anonymous Coward on Tuesday January 02, 2007 @12:46PM (#17432490)
    "Apple has had poor relations with security researchers for years. Partly it's because of the smug attitude of many Apple users"

    Let me just say, FUCK YOU. Seriously. And no, this is not a troll, but feel free to rate this down otherwise.

    I am a Windows developer for my employer, but do most of my work off a Mac running VPC or now Parallels. When I first started doing this, I had to buy my own machine because my employer didn't feel the need to give in to my concerns. Now, half my staff do the same thing (and I run my old office).

    Every so often, one of us finds a hole in the Mac, and there are proper channels to go through. Occasionally we get notes back thanking us, other times, we don't. I don't expect to be notified each and every time.

    And then we have researchers like the ones that found the supposed wifi hole. That required both computers to be synch'd together. And a script to be running on the second 'hacked' computer. And a dozen of other things where even the researchers admitted that with these perfect conditions, they could only gain access once in 100 times -- and that they needed the script running on the other machine because they needed something to target that they knew was going to be resident in memory. And even duplicating this in a clean room, experts were unable to replicate what the researchers had done to the point they STILL think it's only theoretical and that the original folks had faked the test.

    And then the researchers state they did it purely because they wanted to put a cigarette out in the eyes of the 'smug mac users'.

    So yeah, we don't have perfectly secure machines, no one does. If the original 'researcher' had been honest and upfront about the nature of the problem and left the politics out, there would have been a LOT less He Said She Said BS. It started with the researchers before Apple or anyone else had a chance to respond. Oh yeah, that Johnny Cache is SUCH a rebel...couldn't even prove his mettle and then blamed Apple for keeping him down, all the while most other security researchers are actually THANKED by Apple publicly for finding flaws.

    So again, Fuck You as I respond to a trollish post in a like manner...
  • by UnknowingFool ( 672806 ) on Tuesday January 02, 2007 @01:33PM (#17433106)
    IE is a third party application that is bundled with the OS and not the OS itself.

    I guess that depends on your definition of third party. To me, neither IE nor Quicktime are third party applications as they are made by the same company. The differentiation that you may be looking for is whether these are core system applications or optional (secondary) applications. While both are bundled with the OS, MS has constantly said that IE is a part of the OS and cannot be removed. Quicktime and Safari can be uninstalled on a Mac. The question whether IE should be tied to the OS is another debate.

  • Wait. (Score:3, Insightful)

    by porkchop_d_clown ( 39923 ) <mwheinz@nOSpAm.me.com> on Tuesday January 02, 2007 @02:35PM (#17433756)
    11 months out of the year are the "Month of Windows Bugs" but your dad thinks OS X is less secure because of this?
  • Re:Jesus dude. (Score:3, Insightful)

    by 99BottlesOfBeerInMyF ( 813746 ) on Tuesday January 02, 2007 @03:00PM (#17434128)

    Where the hell did I say Windows is more secure than OS X?

    You were responding in a thread discussing the relative security of Windows and OS X and whether or not market share was the only factor. You then made the statement, "Sonny, I write device drivers for a living, on Linux and on Mac. I assure you, the Mac isn't more secure." Since that was the first mention of Linux, I, and probably most other readers, assumed the first sentence was a statement of your credentials while the latter comment was regarding OS X and Windows. You were thus modded as flamebait, but perhaps you should have been modded as offtopic, depending upon your intention. Then I argued that, "Apple does respond to security concerns on their platform, while MS has little motivation to do so" to which you responded with, "MS releases security patches and updates even more frequently than Apple." If you weren't addressing my point, what were you trying to say?

    Work on that reading comprehension, would you?

    Having worked as both an editor and a professional author, I can assure you my reading comprehension is fine. Perhaps you should work on your writing skills a little and try to express complete thoughts if you want people to understand what you really mean?

  • Re:No problem! (Score:2, Insightful)

    by drinkypoo ( 153816 ) <drink@hyperlogos.org> on Tuesday January 02, 2007 @03:16PM (#17434314) Homepage Journal
    Now Apple OS X was redesigned with a 21st century mindset on security.

    BZZZZZZZZZZZZT.

    This is so wrong... OSX was derived from NeXTStep and they have not made any profound changes to the security model - oh yeah, they haven't actually made any changes to the security model. As such OSX is based on the same lame bullshit security model as Unix always has been.

    Now, if they had taken on capabilities-based security, or some other such concept, then maybe they'd actually be in a 20th century mode. As such, we're still puttering around somewhere between the middle and end of the nineteenth.

  • by Nelson ( 1275 ) on Tuesday January 02, 2007 @04:54PM (#17435494)
    I'm not an Apple user. And I'm not attacking you. I am, however, affiliated with the security business and it's bad for everybody when half truths and lies are propagated. If you have an example of Apple being difficult to work with then please bring it up. The example you did bring up shows security folks being difficult to work with, not just for Apple but everybody. I really don't see what you were trying to demonstrate or show with that CERT bug link, that Apple found and fixed a bug in their software and then reported it like a responsible company? Or were you trying to suggest that they stole credit from "security researchers" that still haven't disclosed anything, including any documentation of a threat from Apple?


    And I think you're mistaken if you believe that marketshare directly reflects the security of a platform. The number of users has little to do with the number of exploitable bugs in it or architectural flaws. More existing bugs might be found in more popular platforms but that doesn't prove that more exist that just aren't found in other platforms. Windows is less secure because it simply wasn't a design factor when most of it was built, that and MS went out of their way to do things differently than how existing systems like UNIX did.

  • Re:No problem! (Score:5, Insightful)

    by SuperKendall ( 25149 ) on Tuesday January 02, 2007 @05:11PM (#17435674)
    Yes it has. The first one written specifically for OS X came in the form of a trojan. I've also seen Mac classic viruses work fine on PPC OS X systems.

    That was not a virus - that was a trojan (pretty huge difference if you know what the differences are!) And read through the final analysis of the work [ambrosiasw.com] the user actually had to do to contract it.

    Also, we are talking about OS X viruses not "legacy" viruses that in practice no-one will be catching since almost no-one uses Classic anymore. It's been years since OS X even shipped with OS 9.

    Not really. Have you forgotten things like auto-installing widgets?

    Which they fixed pretty quickly, as noted....


    Apple being behind other BSD systems in patching old exploits?
    Apple being behind in patching SSH, Apache?


    Which don't matter as much since they come turned off by default (and still didn't see any exploits for OS X in the wild)...

    Uh... You need to know stuff to write a windows virus too.

    Not really, there is a lot more template material online on how to do so, and a number of Windows viruses in the past have been simple variants of existing worms and viruses.

    Not according to Norton, F-secure and McAfee.

    You're wrong. Care to provide any links as to why you think you're right?

    Uh, again no. Give me some decent examples at least.

    IE. Forgot about the elephant in the room again?

    I don't know... Most of the security techniques Apple uses were developed back in the early 90s...

    Oh, they were developed way before that - which is why it is so tragic Microsoft could not even be bothered to do that much until now.

    However, the OS in my opinion is far from being a 21st century mind set in general. I mean, look at some of the stupid stuff we have to do.
    Where we have to open a console and type
    defaults write com.apple.finder AppleShowAllFiles TRUE


    True there is no UI to modify some defaults like that. But anyone who wants to see ALL files in Finder is probably also going to be pretty familiar with the shell and not really mind editing XML files. Frankly I have never enabled Finder in that manner as if I want to be messing with files Finder cannot see by default, I greatly prefer to be using Terminal anyway.

    What makes it an advanced OS is that you have a layer that is easily configurable by most users, and then a more advanced layer that is easily adjustable through a few means. The situation is still better than what Windows offered, where you had to basically write TweakUI to get at some settings that could not simply be activated in a text file; at least OS X comes with means to modify every setting in the system, even if some are not behind GUIs.

    Heh, or we could do the simple things that have always worked well... Exploits against the user. Just send them an e-mail with a .pkg file that contains a rootkit (there are feasible methods to do this on OS X), said hidden process scans the address books of users on Mac (Useful, since many Mac users actually do use the mail client on the system), then starts sending copies of that .pkg to those people....My point is, coming up with methods to make virii on Mac isn't that hard.

    Yes that would work - but Mail would warn the user about running it, and the default security level most people run at would prevent it from getting as far into the system as most rootkits are. That is the reason OS X is more secure, because of the very old concept of defense in depth applied across the OS, not because any one layer is invulnerable to attack!

    Writing viri for any platform is dead simple if you are going to rely on the user to propagate it. But Windows has a million examples of stuff that needs no user even clicking on OK to run off and do its thing. That is another difference. That and of course, the fact that today there are no OS X viruses in the wild. Not just a few, but zero - despite many people such as yourself who think it would be easy to write one and would like to see one just to show up Mac users.
