
The Story of a Simple and Dangerous OS X Kernel Bug

timothy posted more than 5 years ago | from the chink-in-the-armor dept.


RazvanM writes "At the beginning of this month the Mac OS X 10.5.8 closed a kernel vulnerability that lasted more than 4 years, covering all the 10.4 and (almost all) 10.5 Mac OS X releases. This article presents some twitter-size programs that trigger the bug. The mechanics are so simple that they can be easily explained to anybody possessing some minimal knowledge about how operating systems work. Besides being a good educational example, this is also a scary proof that very mature code can still be vulnerable in rather unsophisticated ways."


1? (-1, Offtopic)

bennomatic (691188) | more than 5 years ago | (#29249401)

frist psot?

Re:1? (-1, Offtopic)

geoffrobinson (109879) | more than 5 years ago | (#29249429)

You have the first psot I've ever seen.

Re:1? (-1, Offtopic)

bennomatic (691188) | more than 5 years ago | (#29249475)

Yeah, I'm kind of ashamed, but it's so rare to get here before anyone else, and I had nothing useful to say.

Re:1? (-1)

Anonymous Coward | more than 5 years ago | (#29249491)

Please read [goatse.fr] this guide on appropriate first post content.

4 fscking years (-1, Flamebait)

should_be_linear (779431) | more than 5 years ago | (#29249403)

no wonder for software lonely nerds living in parents basement are doing in their free time... oh wait...

Re:4 fscking years (4, Funny)

Anonymous Coward | more than 5 years ago | (#29249909)

Oh look, I think it's trying to communicate, perhaps we can find a translator. Does anyone speak yiddiotish?

Age is irrelevant, resistance is futile. (4, Insightful)

girlintraining (1395911) | more than 5 years ago | (#29249431)

"Besides being a good educational example, this is also a scary proof that very mature code can still be vulnerable in rather unsophisticated ways."

Since when did the age of code become a metric for evaluating its trustworthiness? Code should only be trusted after undergoing in-depth analysis by people with training and experience in information security. Code should also be written with security in mind from the beginning. The story of this kernel bug is simple and goes like this: "I was in a hurry."

Re:Age is irrelevant, resistance is futile. (3, Informative)

Idiot with a gun (1081749) | more than 5 years ago | (#29249467)

I believe the implied meaning of this is "in the absence of exhaustive security analysis, a code's age/maturity is one of the better indicators of its security". While I'm not particularly sold on this notion myself, it does bear a lot of semblance to the idea that code can be proven "secure" if it stands after a multitude of random attacks, which is basically one of the tenets of OSS.

A million monkeys with typewriters....

Re:Age is irrelevant, resistance is futile. (4, Insightful)

Secret Rabbit (914973) | more than 5 years ago | (#29249553)

Well, assuming that the code is actively (and properly) maintained, then that isn't a bad metric. Essentially, it's because any security flaw is the result of a bug. It's just a bug that can be exploited. So, if the code is maintained properly, then bug fixes will be continuous and as such, reduce the number of exploitable bugs.

Good metric, yes. Absolute metric, no.

"... which is basically one of the tenets of OSS."

And where did you hear that? Because, I never have and I've been around for a while.

Re:Age is irrelevant, resistance is futile. (4, Insightful)

johanatan (1159309) | more than 5 years ago | (#29249671)

Essentially, it's because any security flaw is the result of a bug. It's just a bug that can be exploited. So, if the code is maintained properly, then bug fixes will be continuous and as such, reduce the number of exploitable bugs.

It depends on your scope of consideration. Design flaws are not 'bugs' in the traditional sense of the word (i.e., implementation-related). However, if you expand your scope to include design specs then your statement is true. There do exist, though, exploits of perfectly-implemented but imperfectly-designed code.

Re:Age is irrelevant, resistance is futile. (1)

Jurily (900488) | more than 5 years ago | (#29250063)

There are also cases where this just isn't true. See malloc [itworld.com] .

Re:Age is irrelevant, resistance is futile. (4, Funny)

Kjella (173770) | more than 5 years ago | (#29249617)

Well... I think that depends a lot on the reason why it's old code. I've met my share of code with the warning "There be dragons!".

Re:Age is irrelevant, resistance is futile. (4, Interesting)

Jurily (900488) | more than 5 years ago | (#29250071)

I've met my share of code with the warning "There be dragons!".

The word "fuck" in the comments is a much better metric. If it's more than one for the same function, it's time to pay attention.

Re:Age is irrelevant, resistance is futile. (3, Insightful)

_Sprocket_ (42527) | more than 5 years ago | (#29249661)

While I'm not particularly sold on this notion myself, it does bear a lot of semblance to the idea that code can be proven "secure" if it stands after a multitude of random attacks, which is basically one of the tenets of OSS.

I'm pretty sure that's not a tenet of OSS. If someone is pushing that as a tenet, then they really need to pay closer attention to history. A history of resilience is a nice metric - but it's not "proof" that code is bug-free, rather just that nobody has found a given bug or made it public. People who get caught up in vulnerability counts forget that the real metric is response to a given vulnerability.

One tenet you hear bandied about is "given enough eyeballs, all bugs are shallow." Criticism tends to revolve around whether enough eyeballs have been put to any particular piece of code. Although one could argue that it's not just the number of eyeballs - but whether said eyeballs have the training to look for particular kinds of bugs that might not show up in normal use of the given code. None of that has anything to do with the frequency of attack.

Re:Age is irrelevant, resistance is futile. (1)

ClosedSource (238333) | more than 5 years ago | (#29249713)

You're right and it's worth remembering that some bugs will cause incorrect behavior on a cycle that is so long that our Sun will go nova before it shows up.

Re:Age is irrelevant, resistance is futile. (1)

Hognoxious (631665) | more than 5 years ago | (#29250493)

Since when are age and maturity synonyms?

Re:Age is irrelevant, resistance is futile. (-1, Offtopic)

Anonymous Coward | more than 5 years ago | (#29249679)

The prison niggers appreciate those crackers in Apple be making iphones. Now we know we have whitey looking after iphones and we look to take white chicks up the ass. It be the best thing to run a train on a chubby low self esteem white chick, fucking her pussy and asshole all night long. It is almost as good as tapping some puerto rican ass, but that shit is tighter and when that bitch get violent (PR chicks always do) we just duct tape that mouth shut while we take turns cumming in that ass over and over. Mexican bitches be the best cause you can run up on a bitch with a fat ass in broad daylight and run a pimp train on that bitch in her anus and that immigrant husband won't do shit. When we got some gay ass niggers who want to fuck some male asshole, we just run up on a mexican man, who they gonna report. Sometimes we just abduct the bitch to our projects apartment for the week and fuck the shit out of her, until we get tired of that bitch. White bitches are more fun though, sometimes when the bitch is chubby and horny enough we just fuck her through for 2 weeks and come back in another week cause her fat ass is ready for more. Smack bitches with a 10 inch cock. I once raped this indian chick, she was mad weak, so i got my boys to run a train on her that lasted 3 days. She looked like frosty the snowman after we all got done with cumming on her. She got that shit so hard she must of spit cum for a month. I recently visted her and punched her in the face before I got inside that ass again. We be abnormal.

Re:Age is irrelevant, resistance is futile. (-1, Offtopic)

Anonymous Coward | more than 5 years ago | (#29250275)

...appreciate those crackers in Apple be making iphones....

I noticed you used the word "crackers" instead of "hackers". Interesting.

Steve Jobs here (-1, Flamebait)

Anonymous Coward | more than 5 years ago | (#29249443)

Listen, Jack! I will make it my morning ritual to poop in your cereal and piss in your OJ, you lying sack of worthless doorknobs! My OS is the best OS there is and nothing you say can change that!

Yours,
Steve "Got Me My Liver from a Chinese Convict" Jobs

But it's not Windows! (3, Funny)

ynososiduts (1064782) | more than 5 years ago | (#29249445)

I call fake. It's OS X! It's bullet proof! Steve Jobs would not let this happen! Macs are immune to crashes! Et cetera!

Re:But it's not Windows! (1)

davmoo (63521) | more than 5 years ago | (#29249563)

Dammit, I was going to post that!!

Re:But it's not Windows! (1)

BikeHelmet (1437881) | more than 5 years ago | (#29249591)

Macs have a history of having far less vulnerabilities than Windows.

But now they're catching up with Microsoft in that, as well as average patch time! :D

Less vulnerabilities? Yeah, right! (4, Informative)

benjymouse (756774) | more than 5 years ago | (#29250165)

Macs have a history of having far less vulnerabilities than Windows.

From IBM research: IBM Internet Security Systems X-Force® 2008 Trend & Risk Report [ibm.com]

Look under "most vulnerable operating system". Yes, right at the top, for several years running, sits OS X. It actually consistently experiences 3 times the number of vulnerabilities compared to Vista.

You can also do some Secunia digging yourself. It shows the same tendency even in the raw data.

OS X may be less exploited but it has far more vulnerabilities. On top of that OS X lacks many of the anti-exploit mechanisms found in both common Linux distros and in Windows Vista.

Vulnerabilities do not have much to do with exploits. A single vulnerability may lead to several independent exploits. Many vulnerabilities will pass unexploited. The difference is incentive. And if pwn2own has shown us anything, it certainly confirms this. Macs have consistently been the first to fall, literally within seconds.

Re:But it's not Windows! (1, Flamebait)

bonch (38532) | more than 5 years ago | (#29249605)

Same could be said for Linux! Right? Right? Being open source makes it invulnerable?

Re:But it's not Windows! (5, Informative)

tagno25 (1518033) | more than 5 years ago | (#29249853)

Same could be said for Linux! Right? Right? Being open source makes it invulnerable?

No, it being open source means that the vulnerabilities can be fixed quicker than 2+ years.

Linux has had more known vulnerabilities than Windows, but that is because people can see the source and find the vulnerabilities. It has also had more fixed vulnerabilities and currently has fewer valid vulnerabilities than Windows.

Re:But it's not Windows! (2, Informative)

Architect_sasyr (938685) | more than 5 years ago | (#29249997)

Re:But it's not Windows! (1)

JustinRLynn (831164) | more than 5 years ago | (#29250097)

Yes, but the issue in this case isn't in the amount of time the bug is exploitable -- it's all about the amount of time it takes to go from known to fixed. In the case of the bug you cite, that patch time was zero since the patch was announced with the bug. You just can't do that with closed source software unless you're the original developer. DNDTR [tvtropes.org] .

Re:But it's not Windows! (1)

TrancePhreak (576593) | more than 5 years ago | (#29250217)

Because the first thing someone does when they find a vulnerability is to report it. They wouldn't want to sell it for $100K or so to the top bidder.

Re:But it's not Windows! (2, Insightful)

characterZer0 (138196) | more than 5 years ago | (#29250501)

With Windows, there are two groups of people looking for bugs: Microsoft employees who do not want to admit to the bug and who will hide the fix in a service pack who knows how many months later, and those looking to exploit.

In Linux, in addition to those being paid to work on it such as RedHat employees and those hoping to exploit it, you have volunteer kernel hackers and users as well, to whom it is beneficial to release a patch immediately.

Re:But it's not Windows! (1)

JustinRLynn (831164) | more than 5 years ago | (#29250519)

Thank you, this is exactly the argument I would've posed. Please also note that the moment it starts appearing in the wild everyone with access to that source code is going to be on a witch hunt for the bug. The number of people with the source code is much greater and those people are more motivated since they're actually the ones experiencing its effect.

Re:But it's not Windows! (0)

Anonymous Coward | more than 5 years ago | (#29250067)

Isn't Darwin the open source OSX kernel?

Re:But it's not Windows! (0)

Anonymous Coward | more than 5 years ago | (#29250105)

What's an invalid vulnerability?

Re:But it's not Windows! (0)

Anonymous Coward | more than 5 years ago | (#29250239)

one that is a designed bug, but looks like a vulnerability (AKA a back door)

Re:But it's not Windows! (0)

Anonymous Coward | more than 5 years ago | (#29249709)

Cue cries of all the butt-hurt Microsoft fanbois.

Re:But it's not Windows! (5, Insightful)

Daniel Dvorkin (106857) | more than 5 years ago | (#29249741)

You know, at this point there are probably about a thousand times as many people whining about this supposed attitude on the part of Mac users than there are Mac users actually displaying it.

Re:But it's not Windows! (5, Insightful)

e2d2 (115622) | more than 5 years ago | (#29249789)

They're an easy target because they stress this in their advertising thus bringing it on themselves. Why have pity for them? Their ads are smarmy so getting a little in return is all in good fun. It's ridiculous to think that any computer is perfect, that's why we point and laugh.

Re:But it's not Windows! (5, Funny)

Bromskloss (750445) | more than 5 years ago | (#29249927)

You know, at this point there are probably about a thousand times as many people whining about this supposed attitude on the part of Mac users than there are Mac users actually displaying it.

But that's perfectly in order, isn't it? There have been many more people complaining that Hitler was a bad guy than there have been Hitlers.

(*knock, knock*
- Who's there?
- Godwin.)

Re:But it's not Windows! (-1, Flamebait)

arbiter1 (1204146) | more than 5 years ago | (#29250121)

With windows having most the market flaw's get found quick, with mac not having no where near as much and fact most people will go after the OS they have most chance to infect as many as possible, this is what will happen. There is probably a lot more nasty flaw's like this hidden in the Mac OS that are still not known. Kinda nice to knock these mac nut's down a peg.

Re:But it's not Windows! (0)

Anonymous Coward | more than 5 years ago | (#29250577)

With windows having most the market flaw's get found quick, with mac not having no where near as much and fact most people will go after the OS they have most chance to infect as many as possible, this is what will happen. There is probably a lot more nasty flaw's like this hidden in the Mac OS that are still not known. Kinda nice to knock these mac nut's down a peg.

How can you read a bunch of other people's posts that use simple terms like mac nuts and flaws - then go ahead and repeat those terms in your own post complete with the liberal application of completely unnecessary apostrophes?

What exactly is going on in your head when you do this? Enquiring minds want to know!

Doesn't cause panic on 10.3.9 (5, Interesting)

noidentity (188756) | more than 5 years ago | (#29249449)

Sadly I couldn't get my Mac OS X 10.3.9 (PowerPC) machine to panic with the C code.

Re:Doesn't cause panic on 10.3.9 (0)

Anonymous Coward | more than 5 years ago | (#29249505)

RTFI

covering all the 10.4 and (almost all) 10.5 Mac OS X releases.

Re:Doesn't cause panic on 10.3.9 (4, Informative)

noidentity (188756) | more than 5 years ago | (#29249629)

I did read the blog posting, and it says "The oldest kernel I was able to test the problem was Darwin 8.0.1 which corresponds to Mac OS X 10.4 'Tiger'." I figured I'd post a result on an earlier one, so shove it.

Re:Doesn't cause panic on 10.3.9 (-1, Troll)

Anonymous Coward | more than 5 years ago | (#29249905)

Sadly you're a cunt.

Re:Doesn't cause panic on 10.3.9 (1)

noidentity (188756) | more than 5 years ago | (#29250191)

Perhaps, but I did read something first. True, I could have read the official Apple version that listed the affected versions. The blog author could have updated his post as well, considering that he did update it to note that Apple credited him in the security fix (ego takes priority I guess, heh).

Re:Doesn't cause panic on 10.3.9 (0)

Anonymous Coward | more than 5 years ago | (#29250559)

I can remember finding something very similar to this in SunOS 4.1.x. A certain invalid parameter to fcntl() would always lead to a panic, but the panic wasn't immediate, it would always occur about 10 minutes after making the call.

MACFAGS TOLD... (-1)

Anonymous Coward | more than 5 years ago | (#29249459)

...in two lines of Python.

Re:MACFAGS TOLD... (-1)

Anonymous Coward | more than 5 years ago | (#29249595)

lol, butthurt TOLD mods.

I read (4, Insightful)

Runaway1956 (1322357) | more than 5 years ago | (#29249535)

Alright, I read TFA. I read the earlier slashdot article. I even googled around a little bit. What I find is an obscure little bug that, if exploited locally, enables a user to crash his machine. What I don't find is an exploit that makes use of this bug.

Am I missing something?

I suppose that I could accomplish something similar on my current Ubuntu installation. If I thought it made a difference, I could install a few other flavors of Linux and try doing something like that. But, why?

MS astroturfer's posts above are noted. And, I also note that MS bugs are routinely exploited, locally and remotely. The unwarranted superiority complex looks pretty pathetic, doesn't it?

Re:I read (5, Insightful)

Thantik (1207112) | more than 5 years ago | (#29249571)

It's not the fact that it is local exploit code, it's the fact that local and remote exploits and the line between them are being blurred every day. TFA mentioned being able to write memory in 8-bit pieces, ANYWHERE in kernel memory. That's pretty dangerous if you ask me.

Re:I read (2, Informative)

Sir_Lewk (967686) | more than 5 years ago | (#29249865)

local and remote exploits and the line between them are being blurred every day

Citation please? The line between local and remote seems to be pretty concrete and fine to me.

Re:I read (1)

TapeCutter (624760) | more than 5 years ago | (#29249939)

"The line between local and remote seems to be pretty concrete and fine to me."

Indeed, for those having trouble spotting it, it's the line with the flashing green light next to it.

Re:I read (1)

palegray.net (1195047) | more than 5 years ago | (#29249981)

You're missing the point. The line between local and remote vulnerabilities is indeed being blurred these days, given the rise in network services running on workstations (instead of just servers). Add in the fact that even on servers application-level vulnerabilities can be greatly exacerbated by the potential for kernel exploits. This was neatly illustrated with the recent Linux kernel vulnerability, which essentially turned every remote exploit that allowed arbitrary code execution into a kernel exploit. I happen to work for a company that has an extremely large Linux deployment across several datacenters; while not a cause for panic, these issues are becoming harder to concretely classify as the difference between workstation and server becomes blurred and people deploy increasingly complex application setups on servers.

Re:I read (0)

Anonymous Coward | more than 5 years ago | (#29250047)

The only difference is that to take control with a local exploit you need a bug in another program that the user is running. On servers this could be services like Apache. On desktops this could be the browser, a media player or an instant messenger.

If you feel safe because it is only a local exploit you are a moron. As soon as you have any interaction with unknown systems a local exploit isn't any less dangerous.

Re:I read (1)

Architect_sasyr (938685) | more than 5 years ago | (#29249589)

Am I missing something?

Possibly. An active exploit might not be available, it may still be in the underground, or we may be dealing with a series of code flaws that resemble the old tenets of CISCO fame - "We're unexploitable, all you can do is cause DoS". It might just be we have to wait for someone to turn around and go "oh really" before an active exploit can be retrieved from a crash.

Re:I read (4, Informative)

emurphy42 (631808) | more than 5 years ago | (#29249597)

The relevant part is:

The problem is the data in the buggy case is whatever we give as a third parameter in the fcntl code. Considering that the 8 bytes are controlled by the user it means he can write that amount of information anywhere in the kernel memory!

followed by an example of actually doing it and proving that it worked (not a particularly malicious example, but it seems enough proof of concept to me).

I don't think you understood (5, Informative)

pathological liar (659969) | more than 5 years ago | (#29249627)

What are you, a Linux kernel dev? ;)

The bug lets you write arbitrary, user-controlled bytes into kernel space. The first thing that comes to mind is that you could change the current process' priv structure in memory. Now you're root. Or why not use it to hook syscalls, or do really whatever you want? You're in ring0, go nuts.

It's far more than just a DoS.

Re:I read (3, Insightful)

Overunderrated (1518503) | more than 5 years ago | (#29249669)

So your argument is that even though the bug exists, it's okay because no one took the time to massively exploit it? You do realize that if OSX had anywhere near the market share of Windows, this would've been exploited years ago, right? I accept that 'security through obscurity' is perfectly valid, but you need to recognize it for what it is.

Re:I read (3, Insightful)

Runaway1956 (1322357) | more than 5 years ago | (#29249683)

Yeah, I've read this "market share" argument used as a defense for shoddy MS code time and time again. That just doesn't cut it.

Mac has a presence in the business world. If it were as buggy as MS, crackers would be launching fishing expeditions for vulnerable Macs, so that they could gain access to company networks.

What I asked for were examples of exploits, or reasons why this bug is really dangerous. Posts before yours are attempting to put things into perspective. Please, no more lame defenses from MS astroturfers - there are enough of those even before you arrive at my question.

Market share, indeed. Remind me that the next time I want a cheap padlock, I should purchase a no-name lock. Since it has no market share, burglars won't try to pick it or break it.

Re:I read (4, Insightful)

nmb3000 (741169) | more than 5 years ago | (#29249825)

Mac has a relatively tiny presence in the business world.

Fixed that for you.

What I asked for were examples of exploits, or reasons why this bug is really dangerous.

And a bunch of people already pointed out that this bug gives you write-access to the kernel's memory. That's bad, privilege escalation bad.

Market share, indeed. Remind me that the next time I want a cheap padlock, I should purchase a no-name lock. Since it has no market share, burglars won't try to pick it or break it.

That's funny, because I recall seeing all sorts of instructions on how you can open MasterLock(TM)(R) and (ALL THAT) combination locks. They were so detailed, they would even specify which serial numbers of which models were vulnerable to which cracking techniques. And yet, I never saw any instructions for opening the Wal-Mart special RandomBrand of padlock.

Market share does matter when it comes to investing time and money into exploiting flaws in a product. To say it is the only factor in operating system security is false, but saying it doesn't matter at all is just as wrong.

Re:I read (5, Insightful)

node 3 (115640) | more than 5 years ago | (#29250367)

Market share does matter when it comes to investing time and money into exploiting flaws in a product. To say it is the only factor in operating system security is false, but saying it doesn't matter at all is just as wrong.

No one is saying that it's not a factor. On the other hand, there are countless people who make the reverse mistake and state that Macs don't have exploits solely due to market share.

This is easily debunked by:

1. IIS exploits.
2. Linux exploits (Linux market share is to Macs as Mac market share is to Windows).
3. Mac apps. People still write apps for the Mac, why not viruses?
4. There are plenty of viruses for the classic Mac OS.
5. There are tens of millions of Mac users. Even though Windows has hundreds of millions, tens of millions is still a large and lucrative group to attack.

The key isn't that Mac OS X is flawless or too low of a market share, it's that Windows is so easy to exploit. Design decisions made decades ago are still impacting Windows today. If you look at the typical Mac OS X bug and the typical Windows bug, you'll see that the Mac bugs tend to be very Unix-like in nature, in that some part of the system can be tricked into crashing by being passed data in a specific way. Many a Windows bug is not due to getting something to crash, but due to using some feature in a way that tricks it into allowing unwanted things to happen.

Re:I read (0)

Anonymous Coward | more than 5 years ago | (#29250485)

I'd argue that most malware for Windows doesn't really use exploits. It is installed with some pirated software, codec, screen saver or other garbage.

Re:I read (0)

Anonymous Coward | more than 5 years ago | (#29250489)

"Linux exploits (Linux market share is to Macs as Mac market share is to Windows)"

Eh?!?

Linux has up to 20% market share while there are NO MACS used as public servers.
Name onle ONE Linux exploid which was open fore 4 years.

Re:I read (1)

Macthorpe (960048) | more than 5 years ago | (#29250603)

How about 7? [slashdot.org] I didn't even have to leave this story to find the link.

A tip for the future - try not to get so worked up that someone may be attacking your precious Linux that you can't even spell 'for'.

Re:I read, therefore I am (0)

Anonymous Coward | more than 5 years ago | (#29250463)

And yet, I never saw any instructions for opening the Wal-Mart special RandomBrand of padlock.

Those locks can be opened by sneezing. Only the person who buys them would need instructions.

Re:I read (4, Insightful)

beuges (613130) | more than 5 years ago | (#29249953)

The bug is really dangerous because it allows userspace to write anywhere in kernelspace. Yes, it's a local-only exploit, so the attack surface isn't that large. Or is it? How many pieces of software do you have running on your system right now that may contain vulnerabilities? It would be trivial for a skilled hacker to find an exploit in some arbitrary application, with the payload being an exploit of this particular issue. So your local-only exploit has a remote entry-point from any other piece of software that's running on your system.

Local-only exploits are only less dangerous than remote exploits if your system has no contact with other systems. When you expose your system to others, all of your local exploits become remote exploits the moment any piece of software that you run has a remote exploit. Recently there have been a number of reports of vulnerabilities in common applications like Firefox, and Adobe doesn't have a particularly great security track record either. Ideally, a vulnerability in one of these applications would only be able to run code as the user, or attack the user's home directory. Except since you can now modify any address in kernel space, you can craft code that tells the kernel your userid actually has root permissions, in which case you now have complete control over the whole system.

Every kernel-level exploit is *really dangerous*. Marketing people will try to play it down by saying that since it's local-only, it's not that bad, so that they can carry on making dumb 'I'm a PC, I'm a Mac' adverts and patting themselves on the back. But all they're doing is lulling their userbase into a false sense of security.

Re:I read (2, Insightful)

benjymouse (756774) | more than 5 years ago | (#29250307)

Yeah, I've read this "market share" argument used as a defense for shoddy MS code time and time again. That just doesn't cut it.

So you think that an attacker thinks he must exploit each platform proportional to the market share?

Or do you believe that each attacker randomly chooses a platform to specialize in proportional to market share. Or do they keep a list with number of slots according to each OS's market share?

Consider this:

  1. Imagine you were on a shooting range. You can shoot at two different targets, one labelled "OS X" and the other one "Windows".
  2. The "OS X" target is 3 times larger than the other (OS X has 3 times the vulnerabilities compared to Windows) and is thus easier to hit.
  3. Each time you hit "OS X" you get $10.
  4. Each time you hit "Windows" you get $200.
  5. You have 12 shots.

Now, if the targets were 10 ft in front of you and both easily hit, how would you spend your 12 shots? Would you aim 3 shots at the smaller target and 9 shots at the larger target because that seems the fair thing to do? Or would you just shoot all 12 shots at the smaller target and go home with $2400? I know what the typical person would do.

Only when you move both targets so far back that both of them get pretty hard to hit would any sane person consider spending any rounds on "OS X".

Attackers choose their target platform based on this simple economics. As long as Windows has 15 - 20 times (worldwide) the market share of OSX and as long as the limiting factor of attacks is time (the actual creation of an exploit), the attackers are going to target Windows each and every time. Only if they cannot find any exploitable vulnerabilities in Windows will they invest in another platform.

Oh, and what about Apache you say? Apache has 2 times the market share of IIS (roughly). Why isn't Apache attacked exclusively for the same reason? The difference here is that these targets are pretty distant; both Apache and IIS are pretty tight. Neither Apache nor IIS 5, 6 and 7 have seen successful widespread attacks directly at the server. Neither Linux nor Windows is vulnerable at the network level anymore, especially not when behind a firewall, as *all* webservers are nowadays.

The shooters have simply given up (for the time being) and went to another shooting range with better odds. Both Apache and IIS have seen widespread attacks against vulnerable applications running on top of the servers. Here you could certainly argue that attackers have a preference for PHP and ASP.Ancient.

Re:I read (0)

Anonymous Coward | more than 5 years ago | (#29249711)

The market share thing is always dragged up in these instances... Given that Microsoft (and the rest of the non-Apple world) seem to drag out how Macs are more expensive, wouldn't it make sense to attempt to write something that goes after these so-called well-off users? They must have plenty of cash lying around if they so frivolously throw their money away on Macs....

Re:I read (0)

Anonymous Coward | more than 5 years ago | (#29249851)

The unwarranted superiority complex looks pretty pathetic, doesn't it?

OSX: 4% (5 out of 132) are marked as unpatched
http://secunia.com/advisories/product/96/?task=advisories

Windows 2008 Server: Currently, 0% (0 out of 40) are marked as unpatched.
http://secunia.com/advisories/product/18255/?task=advisories

Unwarranted astroturfing? Wake up from your dream land.

Re:I read (1)

Alef (605149) | more than 5 years ago | (#29249955)

From Apple's summary of the bug:

Description: An implementation issue exists in the kernel's handling of fcntl system calls. A local user may overwrite kernel memory and execute arbitrary code with system privileges. This update addresses the issue through improved handling of fcntl system calls. Credit to Razvan Musaloiu-E. of Johns Hopkins University, HiNRG for reporting this issue. [Emphasis mine]

If you have the ability to alter kernel memory at an arbitrary place, you can accomplish pretty much anything. An exploit could for instance modify some critical kernel data structure, or replace a function pointer or return address, thus allowing the exploiter to inject code and make the kernel run it in privileged mode.

Re:I read (1)

pv2b (231846) | more than 5 years ago | (#29250329)

From my understanding of the blog post, the hole described by the blog post allows you to write a data structure containing the window size into any arbitrary kernel memory location.

The information about terminal window size etcetera comes from the teletype. I'm sure that it wouldn't be too difficult to write an exploit which basically implemented a "stub" teletype which had most features unimplemented except one that returns a fake window size - allowing you to write arbitrary data to kernel memory.

Now, I'm no kernel hacker, I frighten easily at the sight of X86 assembler, but I'm sure that - once you can actually write arbitrary data to kernel memory - you can get root in pretty short order. I don't know - the most straightforward way to me would sound like just munging the process table.

Wow (-1, Troll)

Anonymous Coward | more than 5 years ago | (#29249541)

WoW! A vulnerability in an OS, now that is newsworthy.

Mature code? (5, Insightful)

Casandro (751346) | more than 5 years ago | (#29249611)

I'm sorry, but what has MacOSX to do with mature code? Code is mature when it has lasted for _decades_ and no significant bug has been found. MacOSX is just your average kernel. OK, there are _much_ worse around, but that doesn't make OSX any better.

What _really_ is a shame is that it took them 4 years to fix it.

More precisely (2)

Casandro (751346) | more than 5 years ago | (#29249635)

...no significant bug has been found, but the code has regularly been reviewed.

Re:Mature code? (1)

blackraven14250 (902843) | more than 5 years ago | (#29249641)

By your definition, there is hardly any mature code out in userland. Adding features means you will create bugs, and since users crave features, there won't ever be a full set of software (app, os, daemon, etc) labeled mature by your definition, and only a small number of code segments that would be unchanged over a decade, let alone multiple decades.

Re:Mature code? (2, Insightful)

Casandro (751346) | more than 5 years ago | (#29249681)

Yes precisely, there is very little mature code. That's why you still have buffer overruns and other security critical bugs.

New features don't have to mean that old code will be changed or made more insecure. There are many attempts at making computer systems modular so adding one piece of code will add a lot of new features to unchanged programmes. The oldest concept incorporating it is the UNIX concept where you have lots of small single-purpose programs which you can connect via pipes to serve any more complex purpose. Each of those programs can easily be made mature. So you reduce the problem to a bit of manageable code to string those programs together.

Other concepts are found on object oriented operating systems (even in MacOSX) where Applications typically are just connections between stock objects. If those stock objects are made out of mature code, you get stable software.

Re:Mature code? (1)

treat (84622) | more than 5 years ago | (#29249889)

By your definition, there is hardly any mature code out in userland.

Of course not.

Name a nontrivial example of mature code in wide use anywhere today.

Not a single legacy system. Not a few lines of code in a huge application or OS. An actual complete mature application in use today. Name one.

It doesn't take quibbling over the definition of mature for this to be readily apparent. If you're finding bugs in it yourself, if bugs aren't fixed because there are higher priority bugs to fix - it isn't mature!

I'm a Mac (-1, Flamebait)

Overunderrated (1518503) | more than 5 years ago | (#29249645)

So this means we can take those idiotic commercials off the air, right?

Re:I'm a Mac (5, Funny)

Daniel Dvorkin (106857) | more than 5 years ago | (#29249767)

So this means we can take those idiotic commercials off the air, right?

When there's as much malware for OS X as there is for Windows, sure.

Okay, I'll make it easy. When there is a tenth as much malware for OS X as there is for Windows, sure.

Hmmm, this isn't working. When there's a hundredth as much ... um, no, that doesn't work either.

A thousandth -- no, damn.

You get the idea. Or maybe you don't.

Re:I'm a Mac (1, Flamebait)

mwvdlee (775178) | more than 5 years ago | (#29249891)

http://www.google.nl/search?q=malware+mac [google.nl] says it all. Now get those ads off the air.

Re:I'm a Mac (0)

Anonymous Coward | more than 5 years ago | (#29250621)

No, it doesn't "say it all".

I can use Google to search for alien abduction, doesn't mean it's some sort of widespread occurrence.

you faiL 1t (-1, Offtopic)

Anonymous Coward | more than 5 years ago | (#29249667)

and piss cocktail. Is wiped oof and

summary (5, Informative)

Trepidity (597) | more than 5 years ago | (#29249699)

Despite its relative obviousness, it took me a bit of reading there to figure out what the cause of the bug was, since I was rusty on my Unix system calls, so here's a short summary.

ioctl(2) is essentially a way of specifying system calls for drivers without actually making a system call API, so drivers can register their own calls in a more decentralized way. A call to ioctl(fd, cmd, args, ...) on a special/device file 'fd' gets routed to the driver that owns 'fd', which handles the command. The arguments might be values, or might be pointers to locations in which to return data.

fcntl(2) provides a way to perform operations on open (normal) files, like locking/unlocking them. It has the same parameters as ioctl(), except that there's always a single integer argument.

One way of implementing fcntl is essentially like ioctl -- find who owns the fd, and pass the cmd along to the relevant driver. But, Apple's code did this even for the operations on special devices normally manipulated via ioctl, so you could basically do an ioctl via fcntl. But, this bypasses some of the arg-checking that ioctl does, since fcntl always has one integer argument. So an easy exploit arises: call an ioctl that normally takes one pointer argument to assign something to. ioctl would normally check that the pointer is valid (something the caller is allowed to write to) before writing to it in kernel mode. But you can pass in any memory location at all as an integer via fcntl's argument. Voila, you get data written to arbitrary locations in memory. As an added bonus, some calls let you manipulate what data gets written--- the example exploit uses a "get terminal size" ioctl, so you can vary what gets written by changing your terminal size.
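To make the dispatch flaw in the summary above concrete, here is an added toy model in C. It is not XNU code and not from the article; one flat array stands in for both address spaces (everything below a constructed USER_LIMIT is "user", the rest "kernel"), the command numbers are placeholders rather than the real ioctl/fcntl values, and copyout() is a stand-in for the kernel's range-checked copy. It shows why the driver handler trusts its data pointer, why the ioctl path is safe, why forwarding unknown fcntl commands to that handler is not, and what the obvious fix looks like.

```c
/* Toy model of an fcntl->ioctl dispatch flaw (constructed example, not XNU). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MEM_SIZE   0x2000u
#define USER_LIMIT 0x1000u   /* constructed user/kernel boundary */
#define EFAULT     14
#define EINVAL     22

static uint8_t mem[MEM_SIZE];          /* flat toy memory: user pages, then kernel pages */

struct winsize { uint16_t ws_row, ws_col; };

static struct winsize tty_size = { 24, 80 };   /* constructed terminal size */

/* Placeholder command numbers, not the real TIOCGWINSZ / F_GETFL values. */
enum { CMD_TIOCGWINSZ = 0x40, CMD_F_GETFL = 0x03 };

/* The range check every kernel->user copy must do (stands in for copyout()). */
static int copyout(const void *src, uintptr_t uaddr, size_t len) {
    if (uaddr >= USER_LIMIT || len > USER_LIMIT - uaddr) return -EFAULT;
    memcpy(mem + uaddr, src, len);
    return 0;
}

/* Driver handler: like a real tty driver it assumes 'data' is a buffer the
 * syscall layer prepared for it, so it does no validation of its own. */
static int tty_ioctl(unsigned cmd, uintptr_t data) {
    if (cmd != CMD_TIOCGWINSZ) return -EINVAL;
    memcpy(mem + data, &tty_size, sizeof tty_size);
    return 0;
}

/* ioctl(2): stage the result in a kernel scratch page, then copyout with checks. */
static int sys_ioctl(unsigned cmd, uintptr_t uarg) {
    const uintptr_t scratch = USER_LIMIT;       /* first kernel page */
    int rc = tty_ioctl(cmd, scratch);
    if (rc) return rc;
    return copyout(mem + scratch, uarg, sizeof(struct winsize));
}

/* Flawed fcntl(2): an unknown command is forwarded to the driver with the raw
 * integer argument used as the data address, so no copyout check ever runs. */
static int sys_fcntl_flawed(unsigned cmd, uintptr_t arg) {
    if (cmd == CMD_F_GETFL) return 0;
    return tty_ioctl(cmd, arg);                 /* arg may name kernel memory */
}

/* Fixed fcntl(2): only commands fcntl itself defines are accepted. */
static int sys_fcntl_fixed(unsigned cmd, uintptr_t arg) {
    (void)arg;
    if (cmd == CMD_F_GETFL) return 0;
    return -EINVAL;
}

/* True if anything landed in kernel memory outside the ioctl scratch slot. */
static int kernel_memory_dirty(void) {
    for (size_t i = USER_LIMIT + sizeof(struct winsize); i < MEM_SIZE; i++)
        if (mem[i]) return 1;
    return 0;
}

/* What a user process would read back as ws_row at 'uaddr' (checking helper). */
static unsigned user_rows_at(uintptr_t uaddr) {
    struct winsize w;
    memcpy(&w, mem + uaddr, sizeof w);
    return w.ws_row;
}

static void reset_mem(void) { memset(mem, 0, sizeof mem); }

int main(void) {
    reset_mem();
    printf("ioctl to user addr:    rc=%d rows=%u\n",
           sys_ioctl(CMD_TIOCGWINSZ, 0x100), user_rows_at(0x100));
    printf("ioctl to kernel addr:  rc=%d dirty=%d\n",
           sys_ioctl(CMD_TIOCGWINSZ, 0x1800), kernel_memory_dirty());
    printf("flawed fcntl, kernel:  rc=%d dirty=%d\n",
           sys_fcntl_flawed(CMD_TIOCGWINSZ, 0x1800), kernel_memory_dirty());
    reset_mem();
    printf("fixed fcntl, kernel:   rc=%d dirty=%d\n",
           sys_fcntl_fixed(CMD_TIOCGWINSZ, 0x1800), kernel_memory_dirty());
    return 0;
}
```

The point to take from the model is where the trust boundary sits: the driver handler is correct in isolation, because in the ioctl path the syscall layer owns the address check. Routing a second syscall's raw argument into the same handler silently moves that responsibility to code that never had it. The fix is therefore in the dispatcher (reject commands fcntl does not define), not in the driver.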

Re:summary (1)

FearForWings (1189605) | more than 5 years ago | (#29249901)

A good summary of the exploit.

Admittedly I don't have experience with either function but..
What I don't understand is why TIOCGWINSZ, or almost any TTY call, can be used from fcntl(2)?
Also, why didn't OS X throw an exception when fcntl(2) tried to write outside the program's memory?

Re:summary (1)

weicco (645927) | more than 5 years ago | (#29249947)

Also, why didn't OS X throw an exception when fcntl(2) tried to write outside the program's memory?

I understood that the actual writing happened in kernel, not in userland. In kernel you can do some nasty things like write stuff to almost anywhere you like.

Make summaries more informative (5, Insightful)

Bromskloss (750445) | more than 5 years ago | (#29249715)

The mechanics are so simple that they can be easily explained to anybody possessing some minimal knowledge about how operating systems work.

So then do so in the summary!

Oh god (5, Funny)

clarkkent09 (1104833) | more than 5 years ago | (#29249727)

This article presents some twitter-size programs that trigger the bug.

Ok, I get libraries of congress and olympic-sized swimming pools, but twitter is a new one. Is it used for measuring how long a program is or how pointless it is?

Re:Oh god (1)

e2d2 (115622) | more than 5 years ago | (#29249803)

A twitter-size program is defined as .00001 football fields or .00002 747s, which of course can be converted to Hiroshima bombs as .00000000001

Re:Oh god (1, Funny)

Anonymous Coward | more than 5 years ago | (#29249815)

You forgot 'or how dangerous it is?'.

Re:Oh god (5, Funny)

Anonymous Coward | more than 5 years ago | (#29249843)

The comparison was simply to (successfully) annoy those of us who are /still/ ignoring everything we can about twitter. I briefly considered checking wikipedia to see how small that was, but there were some kids on my lawn.

Re:Oh god (1)

Trepidity (597) | more than 5 years ago | (#29250055)

if u no abt txt its the same

Re:Oh god (1)

jack2000 (1178961) | more than 5 years ago | (#29250229)

Twitter? What twitter? Who is this twitter you speak of?
You strange kids, an hour ago they were asking for a book of faces.

AND DON'T STEP ON THE GRASS!

Hahhah... kernel bug... LOL (0)

Anonymous Coward | more than 5 years ago | (#29249881)

The author might be correct about the bug existing, but he is totally lost about operating systems and kernels.

He calls Darwin the kernel and Mac OSX the OS. Can someone explain then what the Mach microkernel on XNU is?

Darwin is the OS development version: XNU + Apple's own compilation tools and configurations. XNU is the OS of Mac OS X. It is the OS that is microkernel-based (marketed as a so-called "hybrid kernel").

The XNU OS microkernel is Mach. XNU is not a kernel, it is the OS. Darwin is not the kernel, it is the XNU OS plus Apple's compilation tools.

When the author talked about the kernel, I really thought "here is a wise man", but then he started talking about Darwin as the kernel, which would be the Mach in Darwin (XNU).

Re:Hahhah... kernel bug... LOL (0)

Anonymous Coward | more than 5 years ago | (#29250671)

"Darwin" is actually the word used for describing all of OSX's kernel space, which actually is not at all a microkernel - they basically took mach and added all the other stuff to make it into a monolithic kernel, calling it XNU.

XNU plus drivers is Darwin.

Still get the kernel panic on Tiger (5, Interesting)

ygslash (893445) | more than 5 years ago | (#29249967)

Even after the recent security update on Tiger, I still get a kernel panic with the Python code supplied in TFA:


import termios, fcntl
fcntl.fcntl(0, termios.TIOCGWINSZ)

Yeah, I'm planning to upgrade to Snow Leopard soon, after having skipped Leopard. But has Tiger already been abandoned to this extent?

Re:Still get the kernel panic on Tiger (1)

Bananenrepublik (49759) | more than 5 years ago | (#29250127)

Think of it as a feature: it's faster than pulling the plug.

Well then (0)

Anonymous Coward | more than 5 years ago | (#29249979)

Just buy a PC already.

mo8d do3n (-1, Redundant)

Anonymous Coward | more than 5 years ago | (#29250149)

we don't sux0r as fucking confirmed: t*he deal with you words, donj't get

Hunt the Link (1)

mike260 (224212) | more than 5 years ago | (#29250183)

This article presents some twitter-size programs that trigger the bug.

Out of interest, what's the justification for linking to the article on "programs that trigger the bug" and not in the blindingly obvious place ("This article")?
I ask because it seems to be in-line with some kind of brain-dead in-house Slashdot linking style, and I'm curious to know the reasoning behind it.

mature code ? ah! (0)

Anonymous Coward | more than 5 years ago | (#29250579)

mature code ? MacOS ? give me a break. it's not mature with respect to security, it's always features, features, features.
