Flaw Found in Apple Bug-Fix Tool

eldavojohn writes "The Month of Apple Bugs (MOAB) is well under way with a startling bug released Monday. From the description: 'Application Enhancer (APE) is affected by a local privilege escalation vulnerability which allows local users to gain root privileges.' APE is the same software used to deploy fixes during 'The Month of Apple Fixes' (MOAF). I know it's confusing but MOAB came first and MOAF was a developer's answer to the bugs — after all, the purpose of posting bugs is to have them identified, confirmed and eradicated. The article talks about potential remote root access by an intruder. Note that this is third party software that all of the bugs seem to be stemming from. I guess Apple has made a fairly secure system but they can't expect all third party developers to follow the same rigorous standards."

A HA!

[Thansal]

I guess Apple has made a fairly secure system but they can't expect all third party developers to follow the same rigorous standards.

I see it now. This entire MOAB thing is just there to tout how great and secure Apple Products are, and that the only bugs possible HAVE to come from 3rd party software!

It is all a plot by Jobs!

A PLOT I TELL YOU!

[/psycho]

Re:

[Overly Critical Guy]

Really, though, this is lame. Another third-party bug? Pointing out third-party bugs is great, but this was touted as a month of Apple bugs to point out insecurities that needed to be fixed in Apple software. Widening that to third-party bugs is a little disingenuous and misleading.

Starting to get annoyed

[Steve Cowan]

Every few weeks another exaggerated headline of another Apple security "hole" is posted. In every case, closer examination reveals that the hole really isn't a hole at all, and it requires physical access to the machine, etc.

From TFA:

"The vulnerability is real--it is possible for a local administrator account on the computer to gain root access, without any user confirmation, by replacing pieces of Application Enhancer's installation," said Fuller in his blog. "While this cannot be exploited remotely, it c

Well, well, well

[Anonymous Coward]

What do you have to say for yourselves now, Apple fanboys? With this glaring bug, coupled with the other devastating bugs, it now is clear that your smug castle is crumbling. Maybe it's time to give the rock-solid Vista another chance, no?

Re:

[Xugumad]

I dunno, I'm not sure paranoid and twitchy is an improvement in OS terms :)

(Vista really does seem terrified that someone else might be touching your computer)

Windows comes with his bug pre-exploited.

[argent]

Hell, Windows depends on this bug. The bug is... Apple left parts of /Library writable. Microsoft requires that every user have write access to parts of the system file tree to handle things like printing and web-page caching. Instead of fixing that, they've added a subsystem to monitor it and undo changes to system files... and of course there are viruses that use that subsystem to hide in so they get put back after they're removed by AV tools.

But more importantly, in Windows everyone runs as a member of L

Personally I think

[0racle]

Note that this is third party software that all of the bugs seem to be stemming from. I guess Apple has made a fairly secure system but they can't expect all third party developers to follow the same rigorous standards.

Personally I think that the reason most/all of the bugs released are 3rd party apps and not OS X itself is that the people running the project are to lazy to try and find some actual Apple bugs.

Errr...

[WalterGR]

Note that this is third party software that all of the bugs seem to be stemming from.

So far MOAB has released 2 bugs for QuickTime, 1 for iLife, 1 for DiskManagement/diskutil, and 1 for Finder.

Re:

[jellomizer]

5 Bugs on 4 Apple products, 3 of these products that come default with the OS. 2 of these products are Core to the OS. and only one of these products a User can't use a mac without. 10 Days in. That is still darn good. The point is all these 3rd party apps that are being added to the list to make Macs look insecure, give me an Open BSD system, then install some 3rd party apps, misconfigure Open SSH, and bang it is not as secure as it use to be. I was expecing by this point to be 20-30 bugs found just on

Re:

[e4g4]

2 of these products are Core to the OS

Well, not exactly. Since you didn't say which, I'm going to assume that you mean 2 of the following 3: Quicktime, Finder, and DiskManagement.framework. Quicktime is just an app with a set of codecs and some plugins (all removable). Finder is just an app, and while the method for doing so is not GUI accessible, you can in fact turn it off and use something else (i.e. the terminal, or PathFinder). DiskManagement.framework is just an API for easier/higher level access (higher than say mount or umount) to d

Re:

[jellomizer]

Well I did mean Finder and Disk Manager. Finder is the general tool used to manage the UI. It may not be a kernel module or irreplacable. But to keep OS X OS X Finder is a Core Application. It runs after boot automaticly code is there to make it difficult to throw it away, It is core for a GUI OS. The DiskManager while not as nessary as Finder is still and important tool for maintaing the OS. As well used for basic OS Work such as burining ISOs, creating Disk Images. A lot of things that OS X wants you do

Re:

[TheSkyIsPurple]

And also note that the OS is supposed to be secure, which means 3rd party stuff shouldn't be leaving the entire OS exposed like this without the user doing something very stupid and intentional.

I don't by the 3rd party thing as an excuse... and I AM an Apple fanboi

Instead ...

[Salvance]

Rather than just tell people not to use APE, Landon Fuller (who reported this bug on his blog [bikemonkey.org]), should have written an APE SHell Investigative Tool to help people find and fix this error.

Technology needs more catchy acronyms

MOAB

[dr_strang]

Does that make it the Mother Of All Bugs?

Re:

[spellraiser]

Yeah ... guess they'll have to write a bug-fix tool for the bug-fix tool now.

I might be missing something, but....

[8127972]

Why would anyone who is serious about computer security use a THIRD PARTY app to fix a security issue?

Re:

[Anonymous Coward]

You wouldn't. These third-party fixes are being done as an intellectual exercise, not a serious offering.

Anatomy of the Runtime MoAB Patches

[shawnce]

From Anatomy of the Runtime MoAB Patches [bikemonkey.org]

------

01:04 Tue, 09 Jan 2007 PST -0800
Anatomy of the Runtime MoAB Patches

Introduction

For the past few days I've been releasing patches for software vulnerabilities in an assortment of Mac OS software. This project was intended to be a technical one, and I've never sat down to explain, in clear terms, how the patches work, what Application Enhancer is, or what the potential risks are in running these patches. I'm also not the first one (not by a long shot) to think of implementing third party patches for unpatched software vulnerabilities, either, and I'd like to discuss those efforts.

Here goes ...

Third Party Patches, Past and Present

Generally speaking, a software vulnerability is usually announced in coordination with a vendor-supplied software update. However, there are cases when a vendor patch is not available for a critical software vulnerability, leaving the user with limited options. Relatively recently, the idea of a "third party patch" has emerged; when a vendor patch is not available, a third party can reverse engineer the software in question and produce a temporary bug fix.

This technique has previously been used for both unpatched Windows and Mac OS X vulnerabilities. In 2006, Alexander Sotirov presented "Hotpatching and the Rise of Third-Party Patches" at the Las Vegas Black Hat conference, and is responsible for implementing two patches for unfixed Internet Explorer vulnerabilities. ZERT (Zero-day Emergency Response Team), who is composed of an impressive array of individuals, "work(s) together as a team to release a non-vendor patch when a so-called '0day' (zero-day) exploit appears in the open which poses a serious risk to the public, to the infrastructure of the Internet or both." On the Macintosh, Unsanity released Paranoid Android, a run-time patch for a critical vulnerability in Mac OS X's document handling. I believe the award for the first third party Windows patch for an unfixed vulnerability goes to Ilfak Guilfanov's December 2005 WMF patch. Guilfanov is the author of the excellent IDA Pro disassembler and debugger.

Risks and Benefits of Third Party Patches

A vendor-supplied update is always preferable to a third party patch. Third party patches are created by reverse engineering the vulnerable code, and are subject to limited testing and potential implementation deficiencies -- like the author of the vulnerable software, patch implementors are human, too. It is always possible that a bug in the patch could result in instability, or potentially expose a new exploit scenario.

On the other hand, a third party patch can provide protection against a critical vulnerability before the vendor is able to implement, test, and release a fix. The decision to use a third party patch should be made after a careful assessment of the vulnerability's risks and your own requirements -- it's never unreasonable to wait for an officially provided vendor fix.

Patching (more) Safely with Application Enhancer

The patches we've provided have all been implemented using Unsanity's Application Enhancer, and are "run-time patches" -- the patches insert themselves into applications at runtime, find the vulnerable code, and apply a band-aid. Nearly all of the patches released so far work by wrapping the vulnerable code and providing additional data validation, rejecting data that would otherwise cause the vulnerable code to malfunction (and thus allow the exploit to succeed). There are other options for implementing run-time patches on Mac OS X, including the open source mach_star -- I've previously used mach_star to implement runtime security patches for software on my own Mac. However, for the purposes of providing these fixes, I decided upon Application Enhancer.

Application Enhancer provides a nice, easy to use GUI for installing Applicati

Sticking up for APE

[usermilk]

The vulnerability is that APE installs itself in /Library where its supposed to go. /Library is writable by local admins. So a local admin can replace the APE executable and gain root privileges. Read that again. A local admin can replace the APE binary to gain root access.

A local admin, an effective root user account, can gain root access.

Or they could open up NetInfo Manager and enable the root account and enter in a password of their own choosing and then log into the GUI as root. Or they could open up Terminal and run sudo sh and get a root shell.

This is simple revenge. Rosyna called them trolls [unsanity.org] and linked to an APE fix for one of their bugs. I think Rosyna may be right of the 9 published bugs, 4 of them are not from Apple provided software.

Re:Sticking up for APE

[ioErr]

The problem is not that a malicious admin can gain root access -- of course he can, as you pointed out. No surprise there.

The problem is rather that a trojan or similar run by a clueless admin can gain root access without the user being prompted for his password. Most Mac home users do use an admin account for day-to-day work, and think that they'll be fine. So the real problem is either that too many Mac users are running as admin, or that admin users have too broad write permissions without using sudo.

Personally I've solved this by using a normal user account that's added to sudoers. I can wreak full havoc on my machine when I want to, without having to log in as my admin account, but can't do so unknowingly (I hope).

Re:

[Rosyna]

The problem is rather that a trojan or similar run by a clueless admin can gain root access without the user being prompted for his password.

You do realize there are about 50 brazillion ways to do this, correct?

Either way, as soon as you're running malicious code, you're already screwed. A malicious application does not need to be root to destroy your photos, movies, pornography or other personal documents. You should never run applications from a source you do not trust.

Re:

[ioErr]

You do realize there are about 50 brazillion ways to do this, correct?

Indeed, which is why the default configuration for Macs is so troublesome. We may mock Windows users for having to run as admins to get their poorly written software to work, but most Mac users run as admins out of ignorance, because that's just the way the default configuration is. Or was, the last time I installed OS X at least, but I hope I'd heard if things had changed.

Either way, as soon as you're running malicious code, you're already screwed. A malicious application does not need to be root to destroy your photos, movies, pornography or other personal documents.

At least with a non-root the damage is localized to one account. Daddy's porn may be gone, but his daughter's homework (and porn) is s

Good point...

[argent]

Either way, as soon as you're running malicious code, you're already screwed.

Not to minimize the problem (and it IS a real problem) but this is important.

Security is like sex. Once you're penetrated you're fucked.

You should never run applications from a source you do not trust.

Don't forget to turn off "Open 'Safe' Files After Downloading" in Safari.

That should be a surprise...

[argent]

The problem is not that a malicious admin can gain root access -- of course he can, as you pointed out. No surprise there.

A malicious application running as an "admin" should not be able to gain root access.

No wonder Apple didn't care that aliases bypass traverse checking. That's a *minor* problem by comparison.

So the real problem is either that too many Mac users are running as admin, or that admin users have too broad write permissions without using sudo.

The real problem is that admin users have too broad

Placing the blame in the right place... with Apple

[argent]

The vulnerability is that APE installs itself in /Library where its supposed to go. /Library is writable by local admins.

Too many words. Let me fix that for you: The vulnerability is that /Library is writable by local admins.

Even if you don't install APE on your system, an attacker who has the ability to execute this exploit can simply drop an input manager or other plugin into /Library and piggyback their way to root on any privileged application.

I hope you're mixing up your directories.

[argent]

The library folder has to be accessible to applications (and thus the current user) without authentication, because of the Application Support and Preferences directories, which they write to all the time.

They should not be writing to /Library.

They should be writing to ~/Library (that is, the Library subdirectory in your home directory)

Any application that attempts to write directly to /Library without sudo-ing first is broken.

Apple Bug-Fix Tool?

[Aqua OS X]

An Apple Bug-Fix Tool? Err, um, no and no.

APE is developed by Unsanity and it's not a "bug fix tool."
It's a third party framework and daemon used for a number of thing.

Summary to date...

[shawnce]

Note that this is third party software that all of the bugs seem to be stemming from.

This statement doesn't make sense. The MOAB issues outlined to date have been a combination of Apple and 3rd party issues. See the following break down...

MOAB #1 - Apple issue
MOAB #2 - 3rd party issue
MOAB #3 - Apple issue
MOAB #4 - Apple issue
MOAB #5 - Apple issue
MOAB #6 - Apple and 3rd party
MOAB #7 - 3rd party issue
MOAB #8 - Apple and 3rd party
MOAB #9 - Apple issue

Re:

[99BottlesOfBeerInMyF]

How is number 8 an Apple issue? It is an overflow in a third party application.

Re:

[shawnce]

Issue #8 [info-pull.com] is not an overflow issue (buffer overrun I assume you mean).

#8 involves APE (Unsanity folks could make some changes to help avoid the issue) however IMHO the core of the issue is with file permissions that Apple has defined for various directories under /Library that Apple recommends 3rd parties install software into. That is why I outlined that it is a 3rd party and Apple issue.

Re:

[99BottlesOfBeerInMyF]

IMHO the core of the issue is with file permissions that Apple has defined for various directories under /Library that Apple recommends 3rd parties install software into.

The security hole is in APE. The fact that you disagree with Apple's permission choices is pretty irrelevant. OS X does not stop Adobe Acrobat from being installed either, does that mean any hole in that reader is also partially Apple's fault?

Re:

[nathanh]

The security hole is in APE. The fact that you disagree with Apple's permission choices is pretty irrelevant.

It's not a disagreement. Apple's default permissions on that directory are plain wrong. APE is just an example application that proves the point. The actual fault lies with Apple.

I think the real problem here is that the MOAB deniers are woefully ignorant of the problems. They think they can make up for their woeful ignorance with chest-beating. I've been nothing but disgusted with the Mac co

Re:

[99BottlesOfBeerInMyF]

Apple's default permissions on that directory are plain wrong. APE is just an example application that proves the point.

This is just wrong. The framework file is installed by a third party application, which sets the permissions. Giving administrators the right to set permissions is a design choice, and arguably a bad one, but it is not a bug in and of itself.

I think the real problem here is that the MOAB deniers are woefully ignorant of the problems.

Deniers? What the project isn't happening? I'm pis

Re:

[nathanh]

Take a look at my posting history.

I have. And my estimation of your worth has diminished considerably.

I blame the MOAB guys because their disclosure is about as irresponsible as you can get. Intentionally providing a vendor who acts in good faith with no advance notice

Your factiness is compelling. Unfortunately the facts disagree with you. Despite your claim that these guys aren't notifying Apple of these bugs in advance, they claim that they have, and I find them a whole lot more convincing t

Re:

[99BottlesOfBeerInMyF]

I'm not going to address your points one by one, because I don't have the time and they don't deserve it. Some of the items you reply to were not even in my post. But I thought I'd address your conclusions.

Apple? I see complacency and rhetoric and outright deception . Then I see ignorant - yes, I think you are ignorant - pundits such as yourself who would attack the messenger rather than admit there's a problem.

Ahh, a problem eh? How many Macs have been compromised this year by worms? Oh yeah that would

No, it's APPLE'S permissions that are wrong.

[argent]

This is just wrong. The framework file is installed by a third party application, which sets the permissions.

% ls -ld /Library
drwxrwxr-x 56 root admin 1904 Dec 27 16:07 /Library
% open -s "Disk Utility"
(pause for repair disk permissions)
% ls -ld /Library
drwxrwxr-t 56 root admin 1904 Dec 27 16:07 /Library
% ls -l /Library
[...]
drwxrwxr-x 4 root admin 136 Sep 12 12:09 InputManagers
drwxrwxr-x 19 root admin 646 Dec 15 12:16 Internet Plug-Ins
[...]
drwxrwxr-x 11 root admin 374 Dec 28 18:45 PreferencePanes
[...]
%

Re:

[99BottlesOfBeerInMyF]

After all, there seem to be a lot of people on /. who have jumped on MS for not making people run as non-admin before Vista; and what's that besides just choosing a poor set of default permissions?

There is a difference between a design not being as secure as possible and a vulnerability. I blame Microsoft for both poor security design for the current climate, and for lots of bugs, but I don't confuse the two and claim that because a local program was compromised, that is a bug in MS's OS. MS should provi

InputManagers in general

[Lord Grey]

For those of you who don't know about APE: There exists in the OS X framework this concept of enabling alternate input mechanisms for already-installed applications. The mechanism is the InputManager. A properly-constructed bundle is simply copied to a designated location and the OS will happily load it whenever an application is launched. The bundle is loaded as part of the application, and the bundle has access to the application's internals. Some good information on InputManagers can be found on CocoaDev [cocoadev.com].

The "designated location" is actually one of several: /Library/InputManagers/ or ~/Library/InputManagers/. In other words, it doesn't take special privileges to make an InputManager bundle active on a given system for a specific user. You do have to have admin privileges to place the bundle into /Library/InputManagers/ so that all applications executed by all users are touched, but that's it.

Objective-C lets objects of one class "pose" as objects from another class. Posing is like dynamic subclassing; method dispatch happens against your class first and then on up to the original class if you didn't implement it or if your method specifically calls the "parent." This is where code injection comes in. You write a new class that poses as some class in the application and intercept the calls; your code starts executing.

Figuring out the application's classes isn't difficult. A free utility like class-dump [codethecode.com] can be used to grab an OS X application's class and data structure definitions, and from there it's easy write your own posing classes. Lots of bugs arising from injected code is due to sloppiness on the part of the programmer, and some of it is due to an InputManager modifying an application's data at the wrong time (which is easy to do, because the application rightfully believes that it owns its data).

I was going to write something about the security issues this entire scheme raises, spelling out how a nefarious programmer could hijack passwords and the like. I'll leave that to your imagination, though.

Shameless plug: While I didn't use APE, I did use InputManager technology in order to create Concierge [bti.net] (a bookmark manager for Safari, in the form of a drawer).

Re:

[TheUser0x58]

Not quite... InputManager only works with Cocoa applications, as the CocoaDev page you cited mentions, and class posing will only work with parts of applications written using Objective-C classes.

APE uses mach_inject and mach_override to actually patch new code into applications loaded into memory. This works at the kernel level and thus is framework and language agnostic.

I stand corrected

[Lord Grey]

You are quite right about APE's implementation. I plead guilty to thinking I knew more about APE's internal structure than I actually do. I have to say, though, that using mach_inject and mach_override to patch code is somewhat scarier than using Objective-C's dynamic dispatching when you take into consideration that APE supports a plug-in methodology.

Thanks for the clarification!

Bugs in apples..

[FrostyCoolSlug]

When I find a bug in my apple, I throw it away..

Re:

[Thumper_SVX]

When I find half a bug in my apple, I usually feel a little nauseous.

We need more acronymns

[cascadingstylesheet]

I suggest for the next few thing on this topic:

MOSES

BALAAM ;)

Wow!

[Cervantes]

" I guess Apple has made a fairly secure system but they can't expect all third party developers to follow the same rigorous standards."

So, when Apple does it, it's OK, but when Microsoft does it, they've obviously made a flawed system and deserve to be beaten about the head with an office chair?

I know this is /. , but I have a relatively high user ID, so I just want to be sure I understand the logic...

Re:

[argent]

No, this one Apple needs to be nailed to the wall on. Leaving parts of the system writable as admin means that you're a quick framework patch away from being root... which means being in admin is almost as dangerous as being in the Local Administrators group on Windows. Not that that stops anyone from running as Local Administrator on Windows.

http://apple.slashdot.org/comments.pl?sid=216122&c id=17546398 [slashdot.org]

Not to mention Adobe and everyone else who shows up when you run that find command.

Hah, security.

[Khyber]

"I guess Apple has made a fairly secure system but they can't expect all third party developers to follow the same rigorous standards." That's about right. *stares long and hard at Javascript and Flash*

In the words of Walter Sobchak:

[Night Goat]

"Fuck it dude, let's go bowling."

Reading that summary as a Mac user, I just can't be bothered to sort all of this out.

It's not an APE bug, it's a big Apple bug.

[argent]

The bug is that /Library/Frameworks is group-writable by users in the admin group.

ANY application run setuid, or any framework or plugin used by any application run setuid, could have been used to demo it. It's got nothing to do with APE. This is no different from the many privilege escalation issues in Windows caused by writable executables and system directories.

To tell if your Mac is susceptible to this kind of privilege escalation attack, run this command:

find /Library /System /Applications -perm -022

If there are no results, then your system is probably safe. If there are more than a few results, then you're likely vulnerable.

Try it and see.

Re:

[dedazo]

Hookay, I can see this in my MacBook. How do you fix it manually? By resetting the permissions? Won't that break something else?

Anyone got a scratch monkey?

[argent]

I don't know whether resetting those permissions will break anything or not.

I don't have a scratch Mac to test it on, anyone?

More fun...

[argent]

You may not even need to be admin.

Try "find /Library /System /Applications -perm -02". Any files or directories that show up there are world writable.

It's not just "admin", and that shouldn't be root.

[argent]

you're basically telling me that a local admin user can change something in the system to give themselves root privileges?

It's worse, any user on an OSX box can probably give themselves root privileges with a little patience. The default permissions on /Library give any local user write access to an awful lot of files. All you have to do is drop a plugin somewhere under /Library and wait for a priviliged program to launch and execute it.

How is this really any different from simply being an admin? AFAIK, the

Third party software?

[skinfitz]

Note that this is third party software that all of the bugs seem to be stemming from. I guess Apple has made a fairly secure system but they can't expect all third party developers to follow the same rigorous standards."

Quicktime, Finder and iPhoto are third party now?

I guess the kernel is also third party by zealot logic then - or at least it will be after they start publishing the kernel level exploits. Kind of like what happens after a proof of concept virus gets announced for OSX - the zealots simp

this makes no sense

[v1]

This is like building a list of windows bugs and submitting a norton product as an exhibit. If this is the week of APPLE bugs, why are we hearing about macintosh software developers? Must be slim pickins in Mac OS X for security holes?? I thought they were going to post some real apple bugs? This is very disappointing, though I suppose it's nice to see they are having this problem.

The description of the flaw is misleading.

[argent]

This is like building a list of windows bugs and submitting a norton product as an exhibit.

This is not a flaw in APE. Any existing plugin or a new plugin could have equally well been used. The flaw is that /Library is writable... and in investigating I've found that even after "fixing permissions" there's an awful lot of /Library that's not just writable by administrators... but by anyone.

Re:Story at 11

[paulpach]

So, this is the best MOAB has to offer? A security bug in a third-party "enhancement"?

No, the best they have to offer are vulnerabilities in quicktime [info-pull.com], iPhoto [info-pull.com], Disk Management [info-pull.com], Finder [info-pull.com] which are apple products. Why CNet and slashdot chose to report on this particular vulnerability, which to many is the least important in the list, is a mistery to me.

Re:Story at 11

[93 Escort Wagon]

"No, the best they have to offer are vulnerabilities in quicktime, iPhoto, Disk Management, Finder which are apple products. Why CNet and slashdot chose to report on this particular vulnerability, which to many is the least important in the list, is a mistery to me."

Look, while they have included some legitimate bugs it's pretty obvious the project is flailing around somewhat, given that it's only the 10th of "MOAB". In addition to the APE flaw, they've included a VLC flaw and an OmniWeb flaw - neither of which is part of OS X nor installed on any stock Apple box. Additionally they've included a PDF flaw, which isn't even specific to OS X! That's just plain silly.

Re:Story at 11

[99BottlesOfBeerInMyF]

I guess it depends if the purpose of publishing the bugs is to fix OS X, or whether it's to educate Apple users that just because you use OS X, you are not immune; it's possible (probable?) that somewhere on your system there will be vulnerabilities.

If you think that is the purpose of the MOAB then you're very, very optimistic, perhaps naive. The purpose is to gain publicity for a few, unscrupulous researchers. They've done this before with other vendors and even agreed to cancel one such project after being paid off. Apple users who know anything about security know there is the potential for security flaws, but they also know the potential is much less than if they are running Windows. Apple users and potential Apple who don't know anything, may be confused by this into thinking that OS X is no more secure than Windows and hence stay with Windows. The simple message "use a mac and you're unlikely to suffer from worms and viruses" is true and simple enough for most people. Complicating the message with, "but if you're using some third party utility, or even some included utilities there is the possibility someone could write a worm, but tso far no one has and they are unlikely to do so in the near future" is way too complex.

At minimum, it's a reminder that whilst OS X is more secure than Windows XP natively, it is not immune from vulnerabilities.

Finding vulnerabilities and not reporting them to the vendor or making them public until it will get you the most press, is detrimental to security and does more to help black hats than it does to help users. Trying to obscure and complicate the simple message that mac==more secure than windows, likewise is detrimental to overall security. The only thing this project is really accomplishing is publicity for themselves at the expense of everyone else. These guys are anti-security researchers. If they aren't willing to behave ethically, they can rot.

Re:

[laffer1]

No, the price of using a computer is to patch it and not run untrusted software. It does not matter what OS you are using. If you tell people they are invincible because they have a Mac or use linux, you are doing them a disservice. You are also lying to them.

I tell people that Macs or anything but windows are safer because less people care to attack them. I tell them that they must run software update and every two versions of Mac OS they must upgrade. (Apple stops patching after 2 releases) There ar

Re:

[99BottlesOfBeerInMyF]

No, the price of using a computer is to patch it and not run untrusted software.

Bullshit. That's like saying the purpose of forks is to eat vegetables, and if some forks happen to create a toxic substance when they touch other substances, it is not a concern. People want to run untrusted binaries, because the majority of binaries people run are untrusted to some degree or another. When malware is common, it makes sense to make sure that untrusted binaries are restricted by default.

It does not matter w

Re:

[laffer1]

Yeah, now show me one example of a person with any authority seriously saying macs are invincible... just one. Apple doesn't say that. I've never seen a security researcher, or even sensationalist papers say that. If you do a Google search for "mac invincible" you find one blogger asking if Macs are invincible and one article explaining that your statement is a classic strawman argument.

Apple, Inc. did suggest that they can't get viruses. View their television ads. http://www.apple.com/getamac/ads/ [apple.com] (V

Re:

[99BottlesOfBeerInMyF]

Apple, Inc. did suggest that they can't get viruses... Since I consider Apple an authority on Apple computers, I think that backs it up.

No, Apple states that they don't get viruses, which is true, to date they have not had any in the wild viruses, with possible exceptions being so obscure and useless as to not really count. If you bought a Mac 5 years ago, the chances that you caught a virus on it are infinitesimal, unlike Windows, to which they are directly comparing OS X. Their commercial may not tell

Re:

[argent]

I tell people that Macs or anything but windows are safer because less people care to attack them.

Also because there are systematic security problems in Windows that are inherently unfixable without breaking working applications.

For example, simply not using Microsoft Office or Internet Explorer (or any other application that uses Microsoft's flawed HTML control or trusts random serialised COM objects... most of which are Microsoft apps) is a more effective anti-virus and anti-spyware solution than just abo

Re:

[Em Adespoton]

The problem here is that it's almost impossible to avoid using Internet Explorer. I had mine locked down tight, and eventually found that I needed to allow ActiveX components to get anything done; some third party software depends on the vulnrable parts of IE being exposed, or it won't function correctly.

Personally, I think the solution to this is for MS to break compatibility with those apps -- after all, they've been breaking compatibility with other apps ever since Windows 2000... Vista kills even mor

Re:

[argent]

The problem here is that it's almost impossible to avoid using Internet Explorer.

It's a LOT easier now than it was when the alternative was Netscape 4, friend. Don't "lock it down tight", just don't use it at all until you actually need to for something that matters (that would be 'you can't get to your bank account without it'... not 'Youtube is screwing up with Firefox').

Of course, as soon as someone finds an attack vector usable with Apple Events, OS X will be the Emperor's new OS.

Indeed. I am not at all

Re:

[Tim C]

it's possible (probable?) that somewhere on your system there will be vulnerabilities

Actually, it's absolutely certain that almost no matter what system you're using there will be vulnerabilities. Just because they haven't been found and exploited doesn't mean they're not there - lack of evidence is not evidence of lack, and all that.

Re:

[99BottlesOfBeerInMyF]

What they write on their Web page is pretty irrelevant when they create a project called "Month of Apple Bugs." To blatantly rip off The Simpsons, "...for every dollar of Krusty merchandise you buy I will be nice to a sick kid. For legal purposes sick kids may include hookers with a cold."

It's the zealots own fault for attracting attention in the bad manner for claiming such lofty security, of course someone is going to look at it.

This such such a tired and sad implicit assumption. Who on Slashdot has

Re:

[elrous0]

Compared to Windows, OS X is very secure and that message should be repeated as much as possible until the average person on the street knows it, in order to motivate people to switch and Microsoft to solve the problem.

One of the biggest security advantages the OS X has is that Apple has such a small market share that hackers/malware and adware coders/etc. don't bother to mess with it. If everyone switched, then you would lose that advantage and OS X would end up just as much a malware/virus/trojan/expl

Re:

[larkost]

While that is probably true (there is little to no way of checking, so we have to admit that it is a guess), it misses the very important point that many of Microsoft's problems with security have been through really bad design decisions. The whole idea of letting email run scripts is just bad from the get-go, and that is exactly what Outlook was designed to do. Since then they have been trying to keep that functionality for the few corporate users who rely on it, while putting the majority of us who don't

Re:

[mstone]

Old meme, long-since discredited.

Yes, there may be network effects to consider when setting the desirability to attack a given platform, but the 'pure market share' idea is just plain bullshit.

Equally tired response #1: webservers -- Apache has the largest market share in httpds, but it lags well behind IIS in exploits.

Equally tired response #2: coefficient of correlation -- If market share is the only metric that matters, what's the CoC for exploitation? It can't be linear (N% market share equals N% of

Re:Story at 11

[peragrin]

so out of 10 days in this month so far only 4 have been Apple security bugs. So far 40% have been holes that are apple's fault.

I don't know about you, but if some one found a bug in Windowblinds, or some other Windows skinning app, and said it was MSFT's fault then I would be suspicious too.

Also there is a bug in VLC. how is a VLC player bug that is also found in the windows and linux versions an "apple" bug.

If it's an apple product by all means go for it. But no one blames MSFT for bugs in Lotus Notes.

Re:

[paulpach]

If it's an apple product by all means go for it. But no one blames MSFT for bugs in Lotus Notes.

from the faq on the first page [info-pull.com]

3. Are Apple products the only one target of this initiative?

Not at all, but they are the main focus. We'll be looking over popular OS X applications as well.

So they are not blaming apple anywhere in their site or implying this vulnerability is apple's fault at all. Where did you get that idea? This is not a project to destroy or harm apple, quite the opposite, it will help them in the long run.

Re:

[Moofie]

"Where did you get that idea?"

Um, from the title of the "project", which is "Month Of Apple Bugs". Golly, how could I possibly have been mislead?

Re:

[BorgCopyeditor]

So, the title "Month of Apple Bugs" doesn't imply anything? Yes, you could take it to mean "bugs that infect applications developed for use on the operating system running on most computers made by Apple," but that's just not as sexy, is it? If a similar project were called "Month of Microsoft Bugs" and mostly targeted 3rd party apps, I wager people would more quickly see the problem.

Re:

[Overly Critical Guy]

So they are not blaming apple anywhere in their site or implying this vulnerability is apple's fault at all. Where did you get that idea?

In the title, which isn't "Month of Bugs, Some of Which Are In Mac Software."

Re:

[iluvcapra]

DOS ain't done until Lotus won't run? [slashdot.org]

Of course in that case, from MSFTs perspective that was a feature, not a bug.

Re:

[profplump]

While there are some valid bugs listed, the Disk Management one basically says "anyone in the admin group can arbitrarily set file permissions". I don't know about you, but given that the admin group has, by design, unrestricted access to `sudo` I wouldn't consider their ability to set file permissions in a convoluted way a very serious security threat.

The report talks about the ability to change permissions and then use those changed permissions to run programs as root. Maybe it's just me I'm pretty sure i

Re:

[profplump]

So what you're saying is "If you run a program that does nasty things while you're logged in as an admin user, that program could gain root privileges, even without your password"

You'd still have to run a program that does nasty things, and that program would still have to be launched with admin privileges. Once you get to that point, it doesn't really matter how the rest of the system behaves -- the best you can hope for is some sort of log. Anything else would prevent you from actually using the system.

Fo

Re:Story at 11

[profplump]

Upon further investigate, the Finder vulnerability is also pretty weak. It's at least got the potential to allow code execution (but not privilege escalation) and I agree that it's sloppy programming that should be fixed.

But their report says that in trying to expliot the flaw their DMG failed validation test done before mounting the image and that they were therefore unable to create a working exploit. The rest of their report is based on the assumption that they could manipulate parts of the DMG file and bypass the validation already in place, without any real indication of how that might happen.

Re:

[Overly Critical Guy]

But this was supposed to be a month of Apple bugs. Not third-party bugs.

Why CNet and slashdot chose to report on this particular vulnerability, which to many is the least important in the list, is a mistery to me.

Because journalism is a business, and that means it isn't concerned with relevant truths; it wants "storylines" that will generate interest and therefore revenues. It's a cute storyline for them that the application enhancer used to patch bugs has a bug. Hence, it gets reported and others don't.

Re:

[SeaFox]

Why CNet and slashdot chose to report on this particular vulnerability, which to many is the least important in the list, is a mistery to me.

Well Application Enhancer is the software being used to apply the temporary bug fixes until the MOAB bugs are actually fixed by their vendors, and now a MOAB bug as been found in the APE software itself. So it's rather like those Microsoft patches a couple months back that while patching their venerabilities as designed created new holes.

Re:

[Em Adespoton]

Kind of, except it would be more like using some third party using a third party created kernel hacking tool to fix patches, only to discover that the kernel hacking tool was insecure.

APE has been known to be an attack vector for years... it's a third party piece of software that lets other third parties make untrusted changes to the OS X kernel using a simple API. There are some really neat things done with it, and there have also been a few really buggy plugins made for it that can mess up the OS. Usi

Re:

[SeaFox]

Using APE to apply bug fixes was just asking for trouble.

The APE hacks were never meant to be permanent, but they were better than nothing. One of the nice things about this "solution" is the underlying code on disk is not changed, so users don't have to do clean installs before they add in the vendor approved patch.

I don't think it's a coincidence that this exploit came out. I'm sure the "researcher" hasn't been too pleased with the efforts to patch every flaw as soon as its released. It's taken quite a bi

Re:

[Rosyna]

This is scaremongering at its best. Nothing to see here, move along.

I disagree with "at its best". The example "exploit" installs what basically amounts to a rootkit. So, in other words, this security "researcher" is distributing malware that gives him access to anyone's computer that accesses it. Since when do real security researchers distribute malware? More information is in the comments here [unsanity.org].

Not to mention he posted this thing with nothing but malice. It was done because Landon Fuller refused to work w

Re:

[Goaway]

Basically, LMH is a thin-skinned and borderline psychotic attention whore. He pretends he "does it for the lulz", but he's really lashing out at anybody who doesn't worship him for his l33t sk33lls, and posts incomprehensible rants about everybody who disagrees with him.

Re:

[Kesh]

Mod parent UP. This one is pretty clear bad-faith exploit on the MoAB folks' part.

Re:

[ResidntGeek]

That's a good point. Everyone knows that people target only the operating system. No self-respecting hacker would ever attack a third-party tool to gain access to a system, right?

Re:

[egomaniac]

That's a good point. Everyone knows that people target only the operating system. No self-respecting hacker would ever attack a third-party tool to gain access to a system, right?

So it would be fair to declare a "Month of Microsoft Bugs" and then reveal bugs that Microsoft had nothing to do with?

Re:

[644bd346996]

Bad example. Nobody would need to look beyond MS branded products. A better example would be a "Month of Java Bugs" where half of the bugs were from Azureus and Eclipse.

While I agree that MOAB is not doing particularly well, VLC, Omniweb, and APE are all extremely common. The PDF bug is very dangerous, because PDF is so pervasive to the Aqua UI that almost any application could be the entry point.

Re:

[Goaway]

It's attention whoring. And reading his blog, LMH seems to have quite the unstable personality, given to going on off on incomprehensible rants about those who disagree with him or refuse to acknowledge his greatness, thinly veiled as flippant ironic "lulz".

Re:

[Jeremy Erwin]

The Month of Apple Bugs intended to identify 31 security problems in Apple Software. The Month of Apple Fixes intended to fix those bugs in short order, so that they would not represent as much of a security threat between announcement and release of an official bugfix. Because much of MacOSX is closed source, patched binaries were a means of distributing these fixes. The latest bug was found in the third party tool that was used to patch the binaries at runtime.

Re:

[Drizzt Do'Urden]

So it's Linus' fault if Apache or Sendmail has a security problem?

The software has to be secure from top to bottom. If your PHP app has a security problem, it can do bad things on your machine no mather the OS.

Re:

[spun]

It is one of the major jobs of an OS to keep one out-of-control app from hosing your entire machine, whether that app is out of control due to hacking, user error, or other bugs. If your PHP app has a problem on a good OS, the attacker may be able to change files owned by the apache user, while on a bad OS they might undetectably rootkit your machine.

Re:

[spun]

Well, privilege defines the difference: if an unprivileged app can be hacked in such a way as to escalate privileges, that is the fault of the OS, no matter what the app did wrong. If it can be hacked only so that a remote user can execute arbitrary commands with the privilege of the process they hacked, that is the fault of the app.

Re:

[Cervantes]

"So it's Linus' fault if Apache or Sendmail has a security problem?"

Why not? It's Bills fault whenever a bug on WinTel platforms is found.

Re:

[tbo]

A selection of quotes from the "Apple Fun" blog:

Thus, if you are bitching on a blog or public forum, or publishing somewhere about our evil "root kit", it's because you are the recipient of stolen property.

OMG! Pwnies!

Not just it isn't a root-kit, but you've been pwned (or caught molesting) by one of the most old tricks ever. Yay!

It sounds like it's written by a mildly clever hacker who is way, way too in love with himself, and has the emotional maturity of a ten year old.

It's hard to cut through all the

It's not an APE bug.

[argent]

http://apple.slashdot.org/comments.pl?sid=216122&c id=17546398 [slashdot.org]

Re:Misleading Title - The bug is not in APE.

[argent]

http://apple.slashdot.org/comments.pl?sid=216122&c id=17546398 [slashdot.org]

Better start looking for spyware in /Library

[argent]

While you're looking at APE, have a look in /Library... maybe you'll be the first to find some spyware hiding in there thanks to all the world-writable files and directories... ... because that's the real problem. They didn't need APE, they could have used their own Input Manager instead. They just picked APE to thumb their nose at Landon Fuller.

Re:

[mstone]

Vocabulary issue, I think.

You're interpreting 'holes' to mean specific vulnerabilities, where the GP would have reasonable grounds for claiming a 'hole' is any vector for exploitation.

Due to the deeply and intricately connected nature of Windows, there are legitimate arguments either way. A buffer-overrun in, say, the PNG codec is a single vulnerability, but there are lots of different attack vectors. One vector would be the web browser. Another would be the email client. A third would be any file that