Flaw Found in Apple Bug-Fix Tool 168
eldavojohn writes "The Month of Apple Bugs (MOAB) is well under way with a startling bug released Monday. From the description: 'Application Enhancer (APE) is affected by a local privilege escalation vulnerability which allows local users to gain root privileges.' APE is the same software used to deploy fixes during 'The Month of Apple Fixes' (MOAF). I know it's confusing but MOAB came first and MOAF was a developer's answer to the bugs — after all, the purpose of posting bugs is to have them identified, confirmed and eradicated. The article talks about potential remote root access by an intruder. Note that this is third party software that all of the bugs seem to be stemming from. I guess Apple has made a fairly secure system but they can't expect all third party developers to follow the same rigorous standards."
Personally I think (Score:2, Insightful)
I might be missing something, but.... (Score:3, Insightful)
Re:I might be missing something, but.... (Score:2, Insightful)
Re:Story at 11 (Score:5, Insightful)
Re:Story at 11 (Score:5, Insightful)
Look, while they have included some legitimate bugs it's pretty obvious the project is flailing around somewhat, given that it's only the 10th of "MOAB". In addition to the APE flaw, they've included a VLC flaw and an OmniWeb flaw - neither of which is part of OS X nor installed on any stock Apple box. Additionally they've included a PDF flaw, which isn't even specific to OS X! That's just plain silly.
Re:Story at 11 (Score:5, Insightful)
I don't know about you, but if some one found a bug in Windowblinds, or some other Windows skinning app, and said it was MSFT's fault then I would be suspicious too.
Also there is a bug in VLC. how is a VLC player bug that is also found in the windows and linux versions an "apple" bug.
If it's an apple product by all means go for it. But no one blames MSFT for bugs in Lotus Notes.
Re:Story at 11 (Score:4, Insightful)
I guess it depends if the purpose of publishing the bugs is to fix OS X, or whether it's to educate Apple users that just because you use OS X, you are not immune; it's possible (probable?) that somewhere on your system there will be vulnerabilities.
If you think that is the purpose of the MOAB then you're very, very optimistic, perhaps naive. The purpose is to gain publicity for a few, unscrupulous researchers. They've done this before with other vendors and even agreed to cancel one such project after being paid off. Apple users who know anything about security know there is the potential for security flaws, but they also know the potential is much less than if they are running Windows. Apple users and potential Apple who don't know anything, may be confused by this into thinking that OS X is no more secure than Windows and hence stay with Windows. The simple message "use a mac and you're unlikely to suffer from worms and viruses" is true and simple enough for most people. Complicating the message with, "but if you're using some third party utility, or even some included utilities there is the possibility someone could write a worm, but tso far no one has and they are unlikely to do so in the near future" is way too complex.
At minimum, it's a reminder that whilst OS X is more secure than Windows XP natively, it is not immune from vulnerabilities.
Finding vulnerabilities and not reporting them to the vendor or making them public until it will get you the most press, is detrimental to security and does more to help black hats than it does to help users. Trying to obscure and complicate the simple message that mac==more secure than windows, likewise is detrimental to overall security. The only thing this project is really accomplishing is publicity for themselves at the expense of everyone else. These guys are anti-security researchers. If they aren't willing to behave ethically, they can rot.
Wow! (Score:2, Insightful)
So, when Apple does it, it's OK, but when Microsoft does it, they've obviously made a flawed system and deserve to be beaten about the head with an office chair?
I know this is
Re:Story at 11 (Score:3, Insightful)
No, the price of using a computer is to patch it and not run untrusted software.
Bullshit. That's like saying the purpose of forks is to eat vegetables, and if some forks happen to create a toxic substance when they touch other substances, it is not a concern. People want to run untrusted binaries, because the majority of binaries people run are untrusted to some degree or another. When malware is common, it makes sense to make sure that untrusted binaries are restricted by default.
It does not matter what OS you are using. If you tell people they are invincible because they have a Mac or use linux, you are doing them a disservice. You are also lying to them.
Yeah, now show me one example of a person with any authority seriously saying macs are invincible... just one. Apple doesn't say that. I've never seen a security researcher, or even sensationalist papers say that. If you do a Google search for "mac invincible" you find one blogger asking if Macs are invincible and one article explaining that your statement is a classic strawman argument.
I tell people that Macs or anything but windows are safer because less people care to attack them.
That is a fine message to spread, but if the paper is reporting, "30 bugs in Macintosh computers in a month demonstrate they are not secure," what do you think the average Windows user will take away from that headline? Do you think they will correctly derive from that headline that if they get a mac the chances of them getting malware are almost zero, or do you think they will take from that that it does not matter if they have a mac or a Windows machine, they are still going to get malware? Do you think it makes people more or less likely to be infected with malware, considering it may well dissuade people from moving to both Mac and Linux machines?
The poorly named MOAB is dropping vulnerabilities one after another intentionally spread out, with no prior notification in such a way that Apple either has to wait for all of them, or commit to not fixing some of them right away simply because of the time necessary for development and QA cycles. Can you think of a better way to encourage malware without actually creating exploit code yourself? Further, they're intentionally delaying releasing vulnerabilities they have found to the public, increasing the window for exploitation. Why? It gets them more press that way and a truly cynical person might say because it is the best way to encourage malware based upon their bugs so that they can get more press as they talk about how they discovered the hole first and were right about how Apple would get hacked. It is utterly irresponsible.
Re:Errr... (Score:1, Insightful)
No, "effect" is a verb AND noun. As is "affect." Look 'em up.
Re:The problem isn't really 3rd party apps (Score:3, Insightful)
Re:Summary to date... (Score:3, Insightful)
Apple's default permissions on that directory are plain wrong. APE is just an example application that proves the point.
This is just wrong. The framework file is installed by a third party application, which sets the permissions. Giving administrators the right to set permissions is a design choice, and arguably a bad one, but it is not a bug in and of itself.
I think the real problem here is that the MOAB deniers are woefully ignorant of the problems.
Deniers? What the project isn't happening? I'm pissed because the MOAB is being conducted in an unethical way that decreases the security of the general populace in order to benefit the people running it. Your claim that I am ignorant, is, in itself ignorant. Take a look at my posting history.
I think it's great. I also work in the security field and I have done so for the past 5 years. I've been aware for the past 2 years that OS X is a horrendously insecure OS.
Gee, what a coincidence. I too am a long time worker in the security industry. OS X is horrendously insecure, if compared to a locked down server or ultra secure workstation solution. Compared to the average Linux desktop, it is very similar. It has different problems, mostly from Apple's new features and integration with existing code bases, but it benefits from active, motivated updates, and some of the best handling of the HCI portion of the security problems.
It's a consumer workstation. As a consumer workstation, its security is "good enough" for the average user. Sure an expert directly attacking it can probably break in, just like the average linux desktop. But it is "good enough" because the current level of security does not cause any problems for the average user, who are rarely if ever compromised.
If the Mac pundits just admitted the problem exists and took steps to secure their OS they'd get the two thumbs up.
Please. Apple does a very good job of working with the security community and fixing issues. My coworker submitted a bug a short time ago, they fixed it in a little more than a week and gave him credit. They're also proactive doing security audits and introducing new features like workable encryption for user accounts, mandatory access controls, dtrace, and application signing. They fix any real bug that is reported to them.
They blame the MOAB guys, or they start from an ignorant understanding of the issues and claim that the faults aren't faults.
I blame the MOAB guys because their disclosure is about as irresponsible as you can get. Intentionally providing a vendor who acts in good faith with no advance notice and intentionally spacing public disclosure to make development/qa cycles have the longest possible time between disclosure and patch. Imagine you're working on a product and security researchers announce one bug they already know about every few days. You can start a cycle and it won't get the next several bugs or you can wait a whole month. Either way your users are swinging in the wind. It's like they're intentionally trying to open big enough window for a worm to work. If you really are a person in the "security field" then you must be pretty clueless.
Part of fixing the problem is admitting that the problem exists.
Apple admits to and thanks those who submit bugs to them. I've never heard of them trying to cover one up. Who are they trying to convince to fix things?
I'm extremely surprised that nobody has released a security manager or lockdown tool for OS X.
Have you ever looked?
Sorry, but I wouldn't trust a security person with your attitude or ignorance anywhere near my boxes. Good luck with your career.
Better start looking for spyware in /Library (Score:3, Insightful)
Re:InputManagers in general (Score:2, Insightful)
Not quite... InputManager only works with Cocoa applications, as the CocoaDev page you cited mentions, and class posing will only work with parts of applications written using Objective-C classes.
APE uses mach_inject and mach_override to actually patch new code into applications loaded into memory. This works at the kernel level and thus is framework and language agnostic.