Slashdot: News for Nerds

Flaw Found in Apple Bug-Fix Tool

ScuttleMonkey posted more than 7 years ago | from the month-of-bug-creation dept.

Security 168

eldavojohn writes "The Month of Apple Bugs (MOAB) is well under way with a startling bug released Monday. From the description: 'Application Enhancer (APE) is affected by a local privilege escalation vulnerability which allows local users to gain root privileges.' APE is the same software used to deploy fixes during 'The Month of Apple Fixes' (MOAF). I know it's confusing but MOAB came first and MOAF was a developer's answer to the bugs — after all, the purpose of posting bugs is to have them identified, confirmed and eradicated. The article talks about potential remote root access by an intruder. Note that this is third party software that all of the bugs seem to be stemming from. I guess Apple has made a fairly secure system but they can't expect all third party developers to follow the same rigorous standards."

168 comments

MOAB = Massive Ordnance Air Blast Bomb (-1, Offtopic)

Anonymous Coward | more than 7 years ago | (#17542770)

Stolen from:
http://www.globalsecurity.org/military/systems/munitions/moab.htm [globalsecurity.org]

MOAB - Massive Ordnance Air Blast Bomb

The GBU-43/B is large, powerful and accurately delivered. high explosive. The GBU-43/B Massive Ordnance Air Blast Bomb [MOAB] weapon is a 21,000 lbs total weight GPS-guided munition with fins and inertial gyro for pitch and roll control. MOAB is a guided bomb which delivers the 18,700 lb BLU-120/B warhead bomb with KMU-593/B GPS/INS. The MOAB is the largest-ever satellite-guided, air-delivered weapon in history [not the largest ever, but the largest satellite guided]. The 21,600-pound MOAB is an improved replacement for the unguided 15,000-pound BLU-82 Daisy Cutter. It is 30 feet long with a diameter of 40.5 inches. The warhead is a blast-type warhead. It was developed in only nine weeks to be available for the Iraq campaign, but it was not used in combat.

(much more in article)

Re:MOAB = Massive Ordnance Air Blast Bomb (1)

Protonk (599901) | more than 7 years ago | (#17544242)

This isn't necessarily off-topic, although it would benefit from an explanation that the new acronym used in the article and the story may be confused by those in the weapons industry for something else....for about 5 seconds.

A HA! (5, Funny)

Thansal (999464) | more than 7 years ago | (#17542838)

I guess Apple has made a fairly secure system but they can't expect all third party developers to follow the same rigorous standards.


I see it now. This entire MOAB thing is just there to tout how great and secure Apple Products are, and that the only bugs possible HAVE to come from 3rd party software!

It is all a plot by Jobs!

A PLOT I TELL YOU!

[/psycho]

Re:A HA! (1)

Overly Critical Guy (663429) | more than 7 years ago | (#17546250)

Really, though, this is lame. Another third-party bug? Pointing out third-party bugs is great, but this was touted as a month of Apple bugs to point out insecurities that needed to be fixed in Apple software. Widening that to third-party bugs is a little disingenuous and misleading.

Story at 11 (1, Troll)

teratogenicbenzene (887723) | more than 7 years ago | (#17542870)

So, this is the best MOAB has to offer? A security bug in a third-party "enhancement"?

This is scaremongering at its best. Nothing to see here, move along.

Re:Story at 11 (0)

Anonymous Coward | more than 7 years ago | (#17543316)

And Quicktime. And Finder.

The Reality Distortion Field seems to be operating at peak efficiency however. Your illusions are still quite secure.

Re:Story at 11 (5, Insightful)

paulpach (798828) | more than 7 years ago | (#17543352)

So, this is the best MOAB has to offer? A security bug in a third-party "enhancement"?
No, the best they have to offer are vulnerabilities in quicktime [info-pull.com], iPhoto [info-pull.com], Disk Management [info-pull.com], Finder [info-pull.com] which are apple products. Why CNet and slashdot chose to report on this particular vulnerability, which to many is the least important in the list, is a mystery to me.

Re:Story at 11 (5, Insightful)

93 Escort Wagon (326346) | more than 7 years ago | (#17543626)

"No, the best they have to offer are vulnerabilities in quicktime, iPhoto, Disk Management, Finder which are apple products. Why CNet and slashdot chose to report on this particular vulnerability, which to many is the least important in the list, is a mistery to me."

Look, while they have included some legitimate bugs it's pretty obvious the project is flailing around somewhat, given that it's only the 10th of "MOAB". In addition to the APE flaw, they've included a VLC flaw and an OmniWeb flaw - neither of which is part of OS X nor installed on any stock Apple box. Additionally they've included a PDF flaw, which isn't even specific to OS X! That's just plain silly.

Re:Story at 11 (1)

Lunar_Lamp (976812) | more than 7 years ago | (#17543850)

I guess it depends if the purpose of publishing the bugs is to fix OS X, or whether it's to educate Apple users that just because you use OS X, you are not immune; it's possible (probable?) that somewhere on your system there will be vulnerabilities. I know as a Linux user I find it very easy to think "I don't need to be very aware of security because I use Linux". At minimum, it's a reminder that whilst OS X is more secure than Windows XP natively, it is not immune from vulnerabilities.

Re:Story at 11 (3, Insightful)

99BottlesOfBeerInMyF (813746) | more than 7 years ago | (#17544186)

I guess it depends if the purpose of publishing the bugs is to fix OS X, or whether it's to educate Apple users that just because you use OS X, you are not immune; it's possible (probable?) that somewhere on your system there will be vulnerabilities.

If you think that is the purpose of the MOAB then you're very, very optimistic, perhaps naive. The purpose is to gain publicity for a few, unscrupulous researchers. They've done this before with other vendors and even agreed to cancel one such project after being paid off. Apple users who know anything about security know there is the potential for security flaws, but they also know the potential is much less than if they are running Windows. Apple users and potential Apple users who don't know anything, may be confused by this into thinking that OS X is no more secure than Windows and hence stay with Windows. The simple message "use a mac and you're unlikely to suffer from worms and viruses" is true and simple enough for most people. Complicating the message with, "but if you're using some third party utility, or even some included utilities there is the possibility someone could write a worm, but so far no one has and they are unlikely to do so in the near future" is way too complex.

At minimum, it's a reminder that whilst OS X is more secure than Windows XP natively, it is not immune from vulnerabilities.

Finding vulnerabilities and not reporting them to the vendor or making them public until it will get you the most press, is detrimental to security and does more to help black hats than it does to help users. Trying to obscure and complicate the simple message that mac==more secure than windows, likewise is detrimental to overall security. The only thing this project is really accomplishing is publicity for themselves at the expense of everyone else. These guys are anti-security researchers. If they aren't willing to behave ethically, they can rot.

Re:Story at 11 (1)

laffer1 (701823) | more than 7 years ago | (#17544604)

No, the price of using a computer is to patch it and not run untrusted software. It does not matter what OS you are using. If you tell people they are invincible because they have a Mac or use linux, you are doing them a disservice. You are also lying to them.

I tell people that Macs or anything but windows are safer because less people care to attack them. I tell them that they must run software update and every two versions of Mac OS they must upgrade. (Apple stops patching after 2 releases) There are many bad things I can say about microsoft, but they do provide patches for a much longer period. Covering 1 or 2 products with back patches is a lot of work, but with the windows release cycle you get 5-6 years of patches! With Mac OS X you get 2 to 3 years of patches. You can argue all day long about how that isn't important on Mac desktops, but after administering an OS X server, I can tell you it's very important!

I have talked a few people into using open source software since they can not afford to buy new software constantly. Staying current isn't cheap and with Mac OS X you often need to buy upgrades to get software to work in new versions of the OS. This is true with Adobe software and to a lesser degree with other applications.

Re:Story at 11 (2, Insightful)

99BottlesOfBeerInMyF (813746) | more than 7 years ago | (#17545250)

No, the price of using a computer is to patch it and not run untrusted software.

Bullshit. That's like saying the purpose of forks is to eat vegetables, and if some forks happen to create a toxic substance when they touch other substances, it is not a concern. People want to run untrusted binaries, because the majority of binaries people run are untrusted to some degree or another. When malware is common, it makes sense to make sure that untrusted binaries are restricted by default.

It does not matter what OS you are using. If you tell people they are invincible because they have a Mac or use linux, you are doing them a disservice. You are also lying to them.

Yeah, now show me one example of a person with any authority seriously saying macs are invincible... just one. Apple doesn't say that. I've never seen a security researcher, or even sensationalist papers say that. If you do a Google search for "mac invincible" you find one blogger asking if Macs are invincible and one article explaining that your statement is a classic strawman argument.

I tell people that Macs or anything but windows are safer because less people care to attack them.

That is a fine message to spread, but if the paper is reporting, "30 bugs in Macintosh computers in a month demonstrate they are not secure," what do you think the average Windows user will take away from that headline? Do you think they will correctly derive from that headline that if they get a mac the chances of them getting malware are almost zero, or do you think they will take from that that it does not matter if they have a mac or a Windows machine, they are still going to get malware? Do you think it makes people more or less likely to be infected with malware, considering it may well dissuade people from moving to both Mac and Linux machines?

The poorly named MOAB is dropping vulnerabilities one after another intentionally spread out, with no prior notification in such a way that Apple either has to wait for all of them, or commit to not fixing some of them right away simply because of the time necessary for development and QA cycles. Can you think of a better way to encourage malware without actually creating exploit code yourself? Further, they're intentionally delaying releasing vulnerabilities they have found to the public, increasing the window for exploitation. Why? It gets them more press that way and a truly cynical person might say because it is the best way to encourage malware based upon their bugs so that they can get more press as they talk about how they discovered the hole first and were right about how Apple would get hacked. It is utterly irresponsible.

Re:Story at 11 (0)

Anonymous Coward | more than 7 years ago | (#17545178)

OMG. Now I know this is slashdot, but could people read the article in question. OK, OK, I know that's asking too much here. How about reading the first page http://projects.info-pull.com/moab/ [info-pull.com], OK, yeah that sure is a lot of reading. How about just the text that is all in Bold so hopefully you won't miss it. Yeah, yeah, not enough time in the day. How about just reading bolded point 3 out of 9 points. Oh yeah, going off the forum page is too much work. Well, here it is for you...
 
  Are Apple products the only one target of this initiative?
Not at all, but they are the main focus. We'll be looking over popular OS X applications as well.


I'd explain that couple of sentences too, but I'm tired of zealotry about Macs on Slashdot. It is another OS, pure and simple, like all other OS's out there security should be scrutinized. It's the zealots' own fault for attracting attention in the bad manner for claiming such lofty security, of course someone is going to look at it. The moab is over the top in its presentation, but that's about it. I've also heard (but could be wrong) that they are starting with the most trivial bugs first, if that is the case, then wait until after the 30th then come back and say "is that it?", then it will actually mean something. Maybe you'll be right, maybe you'll be wrong, but now seems hardly the time to speculate about everything they have found.

Re:Story at 11 (1)

99BottlesOfBeerInMyF (813746) | more than 7 years ago | (#17545618)

What they write on their Web page is pretty irrelevant when they create a project called "Month of Apple Bugs." To blatantly rip off The Simpsons, "...for every dollar of Krusty merchandise you buy I will be nice to a sick kid. For legal purposes sick kids may include hookers with a cold."

It's the zealots' own fault for attracting attention in the bad manner for claiming such lofty security, of course someone is going to look at it.

This is such a tired and sad implicit assumption. Who on Slashdot has ever claimed that OS X was some super secure solution, or immune to malware? Lots of people tout it as secure, but that is because the most common OS that sets the measure is Windows. Compared to Windows, OS X is very secure and that message should be repeated as much as possible until the average person on the street knows it, in order to motivate people to switch and Microsoft to solve the problem.

The moab is over the top in its presentation, but that's about it.

Who cares about the presentation. I'm concerned about security. The guys running this obviously aren't worried about the security of users because they are compromising that security in order to make money. If I wanted to make most users less secure what would be a good way? First, I'd spread misleading press that convinces them OS X and other OS's (like that umm, Linkus OS, my cousin mentioned) are no more secure than Windows. Next, I'd search out vulnerabilities in the most common OS that is not regularly compromised, and try to encourage malware authors to write malware for them. A good way to do that would be to not inform the vendor before I released the vulnerabilities, so they don't have a chance to fix them. Then, I'd release them spread out over a long period of time, so that they can't do a development/QA cycle until all of them are released, unless they want to commit to not fixing some of them, thus maximizing the amount of time between publication and patch.

These guys are not responsible security researchers and they're maximizing their press coverage at the expense of everyone else. Nothing was stopping these guys from quietly finding a bug a day for a month, and immediately informing the relevant vendor, and then announcing afterwards what they had done after the vendors had a short time to fix the bugs. The only problem would be they would not get as much press coverage and the chances of a worm being created and spread would be less, thus making it less likely they can ride that short bus to more press coverage.

The fact that you see nothing wrong with this means either you haven't thought it through, you don't have any idea what responsible handling of vulnerabilities is, or you don't care about security at all and are just reacting emotionally because you don't like people talking about OS X being secure and ignoring whatever your favorite OS is. P.S. your favorite OS sucks.

Re:Story at 11 (1)

elrous0 (869638) | more than 7 years ago | (#17546054)

Compared to Windows, OS X is very secure and that message should be repeated as much as possible until the average person on the street knows it, in order to motivate people to switch and Microsoft to solve the problem.

One of the biggest security advantages the OS X has is that Apple has such a small market share that hackers/malware and adware coders/etc. don't bother to mess with it. If everyone switched, then you would lose that advantage and OS X would end up just as much a malware/virus/trojan/exploit target as XP and Vista.

Be glad your little OS flies under the radar. You should pray it stays that way. If it ever becomes widely adopted like a real OS, it will only cause you grief.

-Eric

Re:Story at 11 (1)

larkost (79011) | more than 7 years ago | (#17546948)

While that is probably true (there is little to no way of checking, so we have to admit that it is a guess), it misses the very important point that many of Microsoft's problems with security have been through really bad design decisions. The whole idea of letting email run scripts is just bad from the get-go, and that is exactly what Outlook was designed to do. Since then they have been trying to keep that functionality for the few corporate users who rely on it, while putting the majority of us who don't at major risk.

Re:Story at 11 (4, Insightful)

peragrin (659227) | more than 7 years ago | (#17543846)

so out of 10 days in this month so far only 4 have been Apple security bugs. So far 40% have been holes that are apple's fault.

I don't know about you, but if someone found a bug in Windowblinds, or some other Windows skinning app, and said it was MSFT's fault then I would be suspicious too.

Also there is a bug in VLC. How is a VLC player bug that is also found in the windows and linux versions an "apple" bug?

If it's an apple product by all means go for it. But no one blames MSFT for bugs in Lotus Notes.

Re:Story at 11 (2, Interesting)

paulpach (798828) | more than 7 years ago | (#17544090)

If it's an apple product by all means go for it. But no one blames MSFT for bugs in Lotus Notes.
from the faq on the first page [info-pull.com]

3. Are Apple products the only one target of this initiative?

Not at all, but they are the main focus. We'll be looking over popular OS X applications as well.

So they are not blaming apple anywhere in their site or implying this vulnerability is apple's fault at all. Where did you get that idea? This is not a project to destroy or harm apple, quite the opposite, it will help them in the long run.

Re:Story at 11 (0)

Anonymous Coward | more than 7 years ago | (#17544532)

Then why call it the Month of Apple Bugs? By the virtue of the name they've chosen, they imply all vulnerabilities are Apple's fault. If they don't want to do so, surely smart researchers can come up with a name that does not imply all bugs stem from Apple? I don't buy the explanation, it's more like a cover your ass disclaimer.

Re:Story at 11 (2, Funny)

Moofie (22272) | more than 7 years ago | (#17544552)

"Where did you get that idea?"

Um, from the title of the "project", which is "Month Of Apple Bugs". Golly, how could I possibly have been misled?

Re:Story at 11 (2, Interesting)

BorgCopyeditor (590345) | more than 7 years ago | (#17544582)

So, the title "Month of Apple Bugs" doesn't imply anything? Yes, you could take it to mean "bugs that infect applications developed for use on the operating system running on most computers made by Apple," but that's just not as sexy, is it? If a similar project were called "Month of Microsoft Bugs" and mostly targeted 3rd party apps, I wager people would more quickly see the problem.

Re:Story at 11 (1)

Overly Critical Guy (663429) | more than 7 years ago | (#17546364)

So they are not blaming apple anywhere in their site or implying this vulnerability is apple's fault at all. Where did you get that idea?

In the title, which isn't "Month of Bugs, Some of Which Are In Mac Software."

Re:Story at 11 (1)

iluvcapra (782887) | more than 7 years ago | (#17544122)

DOS ain't done until Lotus won't run? [slashdot.org]

Of course in that case, from MSFTs perspective that was a feature, not a bug.

Re:Story at 11 (2, Funny)

profplump (309017) | more than 7 years ago | (#17545228)

While there are some valid bugs listed, the Disk Management one basically says "anyone in the admin group can arbitrarily set file permissions". I don't know about you, but given that the admin group has, by design, unrestricted access to `sudo` I wouldn't consider their ability to set file permissions in a convoluted way a very serious security threat.

The report talks about the ability to change permissions and then use those changed permissions to run programs as root. Maybe it's just me, but I'm pretty sure it would be easier to just type `sudo su` followed by your password. Follow that with `rm -f /var/log/asl.log` and you'll even delete the evidence.

Re:Story at 11 (4, Informative)

profplump (309017) | more than 7 years ago | (#17545376)

Upon further investigation, the Finder vulnerability is also pretty weak. It's at least got the potential to allow code execution (but not privilege escalation) and I agree that it's sloppy programming that should be fixed.

But their report says that in trying to exploit the flaw their DMG failed the validation test done before mounting the image and that they were therefore unable to create a working exploit. The rest of their report is based on the assumption that they could manipulate parts of the DMG file and bypass the validation already in place, without any real indication of how that might happen.

Re:Story at 11 (1)

Overly Critical Guy (663429) | more than 7 years ago | (#17546288)

But this was supposed to be a month of Apple bugs. Not third-party bugs.

Why CNet and slashdot chose to report on this particular vulnerability, which to many is the least important in the list, is a mystery to me.

Because journalism is a business, and that means it isn't concerned with relevant truths; it wants "storylines" that will generate interest and therefore revenues. It's a cute storyline for them that the application enhancer used to patch bugs has a bug. Hence, it gets reported and others don't.

Re:Story at 11 (2, Informative)

Rosyna (80334) | more than 7 years ago | (#17543418)

This is scaremongering at its best. Nothing to see here, move along.

I disagree with "at its best". The example "exploit" installs what basically amounts to a rootkit. So, in other words, this security "researcher" is distributing malware that gives him access to anyone's computer that accesses it. Since when do real security researchers distribute malware? More information is in the comments here [unsanity.org] .

Not to mention he posted this thing with nothing but malice. It was done because Landon Fuller refused to work with LHM. LHM wanted to keep the bugs from the developers and said as a condition of such working together, that Landon Fuller must not tell anyone else about the bugs.

Re:Story at 11 (1)

Goaway (82658) | more than 7 years ago | (#17543608)

Basically, LMH is a thin-skinned and borderline psychotic attention whore. He pretends he "does it for the lulz", but he's really lashing out at anybody who doesn't worship him for his l33t sk33lls, and posts incomprehensible rants about everybody who disagrees with him.

Re:Story at 11 (0)

Anonymous Coward | more than 7 years ago | (#17544412)

Nothing but malice? That could be true, but at least they're pointing out incompetent "developers" who get very, very simple things wrong. That seems like a useful thing to do regardless of the motivation behind it.

Re:Story at 11 (1)

ResidntGeek (772730) | more than 7 years ago | (#17543472)

That's a good point. Everyone knows that people target only the operating system. No self-respecting hacker would ever attack a third-party tool to gain access to a system, right?

Re:Story at 11 (1)

egomaniac (105476) | more than 7 years ago | (#17543514)

That's a good point. Everyone knows that people target only the operating system. No self-respecting hacker would ever attack a third-party tool to gain access to a system, right?

So it would be fair to declare a "Month of Microsoft Bugs" and then reveal bugs that Microsoft had nothing to do with?

Re:Story at 11 (1)

644bd346996 (1012333) | more than 7 years ago | (#17546196)

Bad example. Nobody would need to look beyond MS branded products. A better example would be a "Month of Java Bugs" where half of the bugs were from Azureus and Eclipse.

While I agree that MOAB is not doing particularly well, VLC, Omniweb, and APE are all extremely common. The PDF bug is very dangerous, because PDF is so pervasive to the Aqua UI that almost any application could be the entry point.

Re:Story at 11 (1)

Goaway (82658) | more than 7 years ago | (#17543682)

It's attention whoring. And reading his blog, LMH seems to have quite the unstable personality, given to going off on incomprehensible rants about those who disagree with him or refuse to acknowledge his greatness, thinly veiled as flippant ironic "lulz".

Re:Story at 11 (2, Informative)

Jeremy Erwin (2054) | more than 7 years ago | (#17543702)

The Month of Apple Bugs intended to identify 31 security problems in Apple Software. The Month of Apple Fixes intended to fix those bugs in short order, so that they would not represent as much of a security threat between announcement and release of an official bugfix. Because much of MacOSX is closed source, patched binaries were a means of distributing these fixes. The latest bug was found in the third party tool that was used to patch the binaries at runtime.

Well, well, well (3, Funny)

Anonymous Coward | more than 7 years ago | (#17542880)

What do you have to say for yourselves now, Apple fanboys? With this glaring bug, coupled with the other devastating bugs, it now is clear that your smug castle is crumbling. Maybe it's time to give the rock-solid Vista another chance, no?

Re:Well, well, well (1)

Xugumad (39311) | more than 7 years ago | (#17544020)

I dunno, I'm not sure paranoid and twitchy is an improvement in OS terms :)

(Vista really does seem terrified that someone else might be touching your computer)

Re:Well, well, well (0)

Anonymous Coward | more than 7 years ago | (#17544172)

Vista is paranoid that you are touching your own computer in a way that Microsoft doesn't like...

Re:Well, well, well (1)

Divebus (860563) | more than 7 years ago | (#17545894)

Crumbling? Hardly. The OS has been out for almost 6 years and they can only w00t about 30 bugs. This list probably took many months to figure out where there were probably 3,000 bugs in Windows during the same period.

For the Apple bugs, half of them so far are in 3rd party apps, many require you to install them sitting at the keyboard with the root password and the rest may actually do some damage if the operator can be coaxed into 8 simple steps... and now they probably won't any more. As obtuse as much of this is, it's good that someone is pointing these out so they'll get fixed.

And Vista? Puuullleeeezzz. It has a smaller installed base than BeOS and the exploits are out there already for Vista.

Personally I think (2, Insightful)

0racle (667029) | more than 7 years ago | (#17542892)

Note that this is third party software that all of the bugs seem to be stemming from. I guess Apple has made a fairly secure system but they can't expect all third party developers to follow the same rigorous standards.
Personally I think that the reason most/all of the bugs released are 3rd party apps and not OS X itself is that the people running the project are too lazy to try and find some actual Apple bugs.

Errr... (3, Informative)

WalterGR (106787) | more than 7 years ago | (#17542906)

Note that this is third party software that all of the bugs seem to be stemming from.

So far MOAB has released 2 bugs for QuickTime, 1 for iLife, 1 for DiskManagement/diskutil, and 1 for Finder.

Re:Errr... (1)

jellomizer (103300) | more than 7 years ago | (#17543766)

5 Bugs on 4 Apple products, 3 of these products that come default with the OS. 2 of these products are Core to the OS. and only one of these products a User can't use a mac without. 10 Days in. That is still darn good. The point is all these 3rd party apps that are being added to the list to make Macs look insecure, give me an Open BSD system, then install some 3rd party apps, misconfigure Open SSH, and bang it is not as secure as it used to be. I was expecting by this point to be 20-30 bugs found just on the products that come with OS X and 15-20 bugs on Apple's Bonus Products, and perhaps 10-15 holes on 3rd party applications that are actually popular for OS X (Photoshop, Flip for Mac, PageMaker...)

It seems like these guys are straining to find a hole a day, so they go into some marginally popular 3rd party apps to find ways in OS X.

Re:Errr... (1)

e4g4 (533831) | more than 7 years ago | (#17544370)

2 of these products are Core to the OS
Well, not exactly. Since you didn't say which, I'm going to assume that you mean 2 of the following 3: Quicktime, Finder, and DiskManagement.framework. Quicktime is just an app with a set of codecs and some plugins (all removable). Finder is just an app, and while the method for doing so is not GUI accessible, you can in fact turn it off and use something else (i.e. the terminal, or PathFinder). DiskManagement.framework is just an API for easier/higher level access (higher than say mount or umount) to disk management functions like mounting/unmounting, and repairing permissions (where the MOAB bug lies), and frankly, repairing permissions on an OS X machine is simply an automated process for setting permissions on disk should they get out of whack (which pretty much only happens when you let the Quark 6.0 installer stomp all over your system, assigning permissions like a blind sysadmin with digital diarrhea (digital as in 5 digits to a hand)).

Now I'm not saying these aren't bad or problematic, just quibbling with your statement that these are Core to the OS.

Re:Errr... (1)

jellomizer (103300) | more than 7 years ago | (#17545624)

Well, I did mean Finder and Disk Manager. Finder is the general tool used to manage the UI. It may not be a kernel module or irreplaceable. But to keep OS X OS X, Finder is a Core Application. It runs after boot automatically, code is there to make it difficult to throw it away. It is core for a GUI OS. The DiskManager, while not as necessary as Finder, is still an important tool for maintaining the OS. As well used for basic OS Work such as burning ISOs, creating Disk Images. A lot of things that OS X wants you to do. By Core I wasn't necessarily talking about Kernel level programs or a program if it was taken away the world will end with no way back. But without Finder and DiskManager so much functionality of your mac is lost that replacing it or just not using it is not much of an option.

Re:Errr... (1)

TheSkyIsPurple (901118) | more than 7 years ago | (#17543782)

And also note that the OS is supposed to be secure, which means 3rd party stuff shouldn't be leaving the entire OS exposed like this without the user doing something very stupid and intentional.

I don't buy the 3rd party thing as an excuse... and I AM an Apple fanboi

Re:Errr... (1, Insightful)

Anonymous Coward | more than 7 years ago | (#17546412)

Grammar tip: "Effect" is a verb. "Affect" is a noun.

No, "effect" is a verb AND noun. As is "affect." Look 'em up.

In Communist Moab (0, Offtopic)

solevita (967690) | more than 7 years ago | (#17542926)

MOAF moabs you.

Or something like that.

Instead ... (5, Funny)

Salvance (1014001) | more than 7 years ago | (#17542930)

Rather than just tell people not to use APE, Landon Fuller (who reported this bug on his blog [bikemonkey.org] ), should have written an APE SHell Investigative Tool to help people find and fix this error.

Technology needs more catchy acronyms

No Wonder Jobs Didn't Talk About OS X Yesterday (-1, Flamebait)

Anonymous Coward | more than 7 years ago | (#17543028)

OS X is turning into a security nightmare now that people are turning their focus to the inflated Apple claims about a higher level of security than other operating systems.

Re:No Wonder Jobs Didn't Talk About OS X Yesterday (1)

Divebus (860563) | more than 7 years ago | (#17546424)

Even funnier, Microsoft talks about how secure everything is in Windows. Marketing Machine in Motion. They never seem to talk about tens of thousands of flaws actually exploited in Windows. After 6 years of OS X and 6 years of XP, I'd say the percentages are dramatically in Mac OS X's favor.

MOAB (2, Funny)

dr_strang (32799) | more than 7 years ago | (#17543058)

Does that make it the Mother Of All Bugs?

Re:MOAB (1)

spellraiser (764337) | more than 7 years ago | (#17543104)

Yeah ... guess they'll have to write a bug-fix tool for the bug-fix tool now.

I might be missing something, but.... (2, Insightful)

8127972 (73495) | more than 7 years ago | (#17543076)

Why would anyone who is serious about computer security use a THIRD PARTY app to fix a security issue?

Re:I might be missing something, but.... (2, Insightful)

Anonymous Coward | more than 7 years ago | (#17543174)

You wouldn't. These third-party fixes are being done as an intellectual exercise, not a serious offering.

What you are missing is called CLUE (1)

slyborg (524607) | more than 7 years ago | (#17543938)

The vast majority of the virus scanning/blocking software is THIRD PARTY, as is much of the spyware detection software. For your reference:

http://www.symantec.com/ [symantec.com]
http://www.mcafee.com/ [mcafee.com]

Re:I might be missing something, but.... (0)

Anonymous Coward | more than 7 years ago | (#17544686)

"Why would anyone who is serious about computer security use a THIRD PARTY app to fix a security issue?"

Ask your government IT people who secures MS-Windows for them - it won't be Microsoft.

Sour grapes? (0)

Anonymous Coward | more than 7 years ago | (#17543102)

From reading the article it looks like the people over at MOAB are rather pissed at Landon and this is just being spiteful.

If you use APE you don't mind bugs (-1, Troll)

rbanzai (596355) | more than 7 years ago | (#17543216)

People who use APE dependent apps are already familiar with the bugs that come along with that choice. They shouldn't be surprised or alarmed by this. APE is already one of the first things I check for on an OS X machine that is acting flakey.

//just say no to 'haxies'
///they should call them 'crappies'

Re:If you use APE you don't mind bugs (0, Troll)

dogfriend (609723) | more than 7 years ago | (#17543604)

Yes, my initial thought on using APE was: It's very cool of them to patch the bugs, but I'm not going to install APE on my system. A couple of years ago I read some info on APE that outlined how it modifies the system and because of that it is a potential security risk.

The problem isn't really 3rd party apps (-1)

Anonymous Coward | more than 7 years ago | (#17543232)

"Note that this is third party software that all of the bugs seem to be stemming from. I guess Apple has made a fairly secure system but they can't expect all third party developers to follow the same rigorous standards."

That is just silly talking. The OS is not secure if badly coded third-party apps (or any badly coded apps) can take down the system or cause security breaches.

Re:The problem isn't really 3rd party apps (3, Informative)

Drizzt Do'Urden (226671) | more than 7 years ago | (#17543380)

So it's Linus' fault if Apache or Sendmail has a security problem?

The software has to be secure from top to bottom. If your PHP app has a security problem, it can do bad things on your machine no matter the OS.

Re:The problem isn't really 3rd party apps (1)

spun (1352) | more than 7 years ago | (#17545442)

It is one of the major jobs of an OS to keep one out-of-control app from hosing your entire machine, whether that app is out of control due to hacking, user error, or other bugs. If your PHP app has a problem on a good OS, the attacker may be able to change files owned by the apache user, while on a bad OS they might undetectably rootkit your machine.

Re:The problem isn't really 3rd party apps (1)

Cervantes (612861) | more than 7 years ago | (#17546000)

"So it's Linus' fault if Apache or Sendmail has a security problem?"

Why not? It's Bill's fault whenever a bug on WinTel platforms is found.

MOAB?? (-1, Redundant)

Anonymous Coward | more than 7 years ago | (#17543294)

Why is it every time I hear about MOAB I think about THIS [wikipedia.org] ?

you Fail it (-1, Offtopic)

Anonymous Coward | more than 7 years ago | (#17543298)

us th3 crourtesy [goat.cx]

slight correction (0)

Anonymous Coward | more than 7 years ago | (#17543330)

'Application Enhancer (APE) is affected by a local privilege escalation vulnerability which allows local users to gain root privileges.'

should be...

'Application Enhancer (APE) is affected by a local privilege escalation vulnerability which allows local ADMINISTRATOR users to gain root privileges.'

Anatomy of the Runtime MoAB Patches (4, Informative)

shawnce (146129) | more than 7 years ago | (#17543362)

From Anatomy of the Runtime MoAB Patches [bikemonkey.org]

------

01:04 Tue, 09 Jan 2007 PST -0800
Anatomy of the Runtime MoAB Patches

Introduction

For the past few days I've been releasing patches for software vulnerabilities in an assortment of Mac OS software. This project was intended to be a technical one, and I've never sat down to explain, in clear terms, how the patches work, what Application Enhancer is, or what the potential risks are in running these patches. I'm also not the first one (not by a long shot) to think of implementing third party patches for unpatched software vulnerabilities, either, and I'd like to discuss those efforts.

Here goes ...

Third Party Patches, Past and Present

Generally speaking, a software vulnerability is usually announced in coordination with a vendor-supplied software update. However, there are cases when a vendor patch is not available for a critical software vulnerability, leaving the user with limited options. Relatively recently, the idea of a "third party patch" has emerged; when a vendor patch is not available, a third party can reverse engineer the software in question and produce a temporary bug fix.

This technique has previously been used for both unpatched Windows and Mac OS X vulnerabilities. In 2006, Alexander Sotirov presented "Hotpatching and the Rise of Third-Party Patches" at the Las Vegas Black Hat conference, and is responsible for implementing two patches for unfixed Internet Explorer vulnerabilities. ZERT (Zero-day Emergency Response Team), who is composed of an impressive array of individuals, "work(s) together as a team to release a non-vendor patch when a so-called '0day' (zero-day) exploit appears in the open which poses a serious risk to the public, to the infrastructure of the Internet or both." On the Macintosh, Unsanity released Paranoid Android, a run-time patch for a critical vulnerability in Mac OS X's document handling. I believe the award for the first third party Windows patch for an unfixed vulnerability goes to Ilfak Guilfanov's December 2005 WMF patch. Guilfanov is the author of the excellent IDA Pro disassembler and debugger.

Risks and Benefits of Third Party Patches

A vendor-supplied update is always preferable to a third party patch. Third party patches are created by reverse engineering the vulnerable code, and are subject to limited testing and potential implementation deficiencies -- like the author of the vulnerable software, patch implementors are human, too. It is always possible that a bug in the patch could result in instability, or potentially expose a new exploit scenario.

On the other hand, a third party patch can provide protection against a critical vulnerability before the vendor is able to implement, test, and release a fix. The decision to use a third party patch should be made after a careful assessment of the vulnerability's risks and your own requirements -- it's never unreasonable to wait for an officially provided vendor fix.

Patching (more) Safely with Application Enhancer

The patches we've provided have all been implemented using Unsanity's Application Enhancer, and are "run-time patches" -- the patches insert themselves into applications at runtime, find the vulnerable code, and apply a band-aid. Nearly all of the patches released so far work by wrapping the vulnerable code and providing additional data validation, rejecting data that would otherwise cause the vulnerable code to malfunction (and thus allow the exploit to succeed). There are other options for implementing run-time patches on Mac OS X, including the open source mach_star -- I've previously used mach_star to implement runtime security patches for software on my own Mac. However, for the purposes of providing these fixes, I decided upon Application Enhancer.

Application Enhancer provides a nice, easy to use GUI for installing Application Enhancer Modules (Haxies), such as the patches we have been providing. It also provides some important features for ensuring the safety of a patch:

  • Haxie CrashGuard makes sure that critical applications, such as the Finder, are not modified if the APE Module causes a crash.
  • APE Check helps ensure that incompatible haxies are not loaded into new applications.
  • Application Enhancer provides useful facilities for locking an APE to specific software version(s).

The use of a runtime patching framework also assures that we can provide patches that meet our own safety requirements:

  • On-disk files are never modified.
  • The patches can be removed at any time by clicking the "-" button in the Application Enhancer preference pane.
  • The patches automatically disable themselves when a new release of the vulnerable software is installed

"Wait!", I hear you saying. What about the latest Month of Apple Bugs issue (MOAB-08-01-2007) in Application Enhancer?

The vulnerability is real -- it is possible for a local administrator account on the computer to gain root access, without any user confirmation, by replacing pieces of Application Enhancer's installation. While this can not be exploited remotely, it could be used in combination with a remote exploit to acquire escalated privileges. However, a remote exploit alone is sufficient to allow an attacker full access to your important personal data.

This issue is part of a larger collection of vulnerabilities that take advantage of the admin-writability of directories in /Library and elsewhere, such as the Apple DiskManagement BOM Privilege Escalation Vulnerability, or the /Library/StartupItems vulnerability fixed in 10.4. In this case, administrators are allowed to write to /Library/Frameworks, and Application Enhancer launches one of its binaries from /Library/Frameworks as the root user. As a work-around, you can change the permissions on /Library/Frameworks.

Conclusion

While I can't promise that I, or other MoAB Fixes members won't make mistakes, I can promise that we'll try our best to mitigate the critical issues as they are released. It's up to you to decide whether to install the patches, or wait for Apple's own patch. And if by some chance a critical error is found in one of our patches, we'll turn around a fix as fast as we can make one.

Please feel free to stop by the MoAB Fixes group with any questions, or send me an e-mail!

Sticking up for APE (5, Informative)

usermilk (149572) | more than 7 years ago | (#17543466)

The vulnerability is that APE installs itself in /Library where it's supposed to go. /Library is writable by local admins. So a local admin can replace the APE executable and gain root privileges. Read that again. A local admin can replace the APE binary to gain root access.

A local admin, an effective root user account, can gain root access.

Or they could open up NetInfo Manager and enable the root account and enter in a password of their own choosing and then log into the GUI as root. Or they could open up Terminal and run sudo sh and get a root shell.

This is simple revenge. Rosyna called them trolls [unsanity.org] and linked to an APE fix for one of their bugs. I think Rosyna may be right: of the 9 published bugs, 4 of them are not from Apple provided software.

Re:Sticking up for APE (3, Informative)

ioErr (691174) | more than 7 years ago | (#17543880)

The problem is not that a malicious admin can gain root access -- of course he can, as you pointed out. No surprise there.

The problem is rather that a trojan or similar run by a clueless admin can gain root access without the user being prompted for his password. Most Mac home users do use an admin account for day-to-day work, and think that they'll be fine. So the real problem is either that too many Mac users are running as admin, or that admin users have too broad write permissions without using sudo.

Personally I've solved this by using a normal user account that's added to sudoers. I can wreak full havoc on my machine when I want to, without having to log in as my admin account, but can't do so unknowingly (I hope).

Re:Sticking up for APE (1)

Rosyna (80334) | more than 7 years ago | (#17545032)

The problem is rather that a trojan or similar run by a clueless admin can gain root access without the user being prompted for his password.

You do realize there are about 50 brazillion ways to do this, correct?

Either way, as soon as you're running malicious code, you're already screwed. A malicious application does not need to be root to destroy your photos, movies, pornography or other personal documents. You should never run applications from a source you do not trust.

Re:Sticking up for APE (1)

ioErr (691174) | more than 7 years ago | (#17545636)

"You do realize there are about 50 brazillion ways to do this, correct?"

Indeed, which is why the default configuration for Macs is so troublesome. We may mock Windows users for having to run as admins to get their poorly written software to work, but most Mac users run as admins out of ignorance, because that's just the way the default configuration is. Or was, the last time I installed OS X at least, but I hope I'd heard if things had changed.

"Either way, as soon as you're running malicious code, you're already screwed. A malicious application does not need to be root to destroy your photos, movies, pornography or other personal documents."

At least with a non-root the damage is localized to one account. Daddy's porn may be gone, but his daughter's homework (and porn) is still safe inside her account.

"You should never run applications from a source you do not trust."

I certainly agree. Too bad people are so trusting, though.

Re:Sticking up for APE (1)

pigwin32 (614710) | more than 7 years ago | (#17545932)

"Most Mac home users do use an admin account for day-to-day work, and think that they'll be fine. So the real problem is either that too many Mac users are running as admin, or that admin users have too broad write permissions without using sudo."

This is absolute bollocks. Most Mac home users do *not* use an admin account for day-to-day work. They use the account that was configured when they first turned on their shiny new machine. That account is a normal user account that by virtue of belonging to the admin group has the ability to use sudo. This is exactly the mechanism you have used to solve this problem.

That should be a surprise... (1)

argent (18001) | more than 7 years ago | (#17546848)

The problem is not that a malicious admin can gain root access -- of course he can, as you pointed out. No surprise there.

A malicious application running as an "admin" should not be able to gain root access.

No wonder Apple didn't care that aliases bypass traverse checking. That's a *minor* problem by comparison.

So the real problem is either that too many Mac users are running as admin, or that admin users have too broad write permissions without using sudo.

The real problem is that admin users have too broad write permissions.

Placing the blame in the right place... with Apple (2, Informative)

argent (18001) | more than 7 years ago | (#17546788)

The vulnerability is that APE installs itself in /Library where it's supposed to go. /Library is writable by local admins.

Too many words. Let me fix that for you: The vulnerability is that /Library is writable by local admins.

Even if you don't install APE on your system, an attacker who has the ability to execute this exploit can simply drop an input manager or other plugin into /Library and piggyback their way to root on any privileged application.

Apple Bug-Fix Tool? (4, Informative)

Aqua OS X (458522) | more than 7 years ago | (#17543524)

An Apple Bug-Fix Tool? Err, um, no and no.

APE is developed by Unsanity and it's not a "bug fix tool."
It's a third party framework and daemon used for a number of things.

Perhaps they should have waited (0)

Anonymous Coward | more than 7 years ago | (#17543634)

From what we're starting to see now, January 31 is going to be a long way off. Perhaps they should have waited until February for their Month of Apple Bugs. Less space to fill.

Canary Trap (0)

Anonymous Coward | more than 7 years ago | (#17543674)

Even more interesting LMH ran a canary trap and caught Jason Harris of Unsanity in it.

The canary trap the leak and the mole:

http://applefun.blogspot.com/2007/01/canary-trap-leak-and-mole.html [blogspot.com]

This is also enlightening reading:

http://rixstep.com/1/1/20070109,02.shtml [rixstep.com]

I wouldn't have used APE before, but you'd have to be out of your tree to use it after this idiocy and shenanigans.

Re:Canary Trap (1)

tbo (35008) | more than 7 years ago | (#17544584)

A selection of quotes from the "Apple Fun" blog:
Thus, if you are bitching on a blog or public forum, or publishing somewhere about our evil "root kit", it's because you are the recipient of stolen property.
OMG! Pwnies!
Not just it isn't a root-kit, but you've been pwned (or caught molesting) by one of the most old tricks ever. Yay!

It sounds like it's written by a mildly clever hacker who is way, way too in love with himself, and has the emotional maturity of a ten year old.

It's hard to cut through all the bragging to figure out what actually happened, but it sounds like LMH was able to determine that Jason Harris of Unsanity was using a script to try to get the next day's bug as early as possible. LMH infers from this that Harris is helping Landon Fuller do the Month of Apple Fixes. The whole thing strikes me as some sort of hacker-dick-measuring contest, rather than a real effort to find or clean up Apple bugs. If LMH was an ethical security researcher, he'd be disclosing the bugs to Apple a couple weeks in advance to give them time to release patches. AFAIK, Apple's got a decent record of responding to security bug tips. They even give credit in the release notes for their patches.

Re:Canary Trap (-1, Troll)

Anonymous Coward | more than 7 years ago | (#17546068)

If LMH was an ethical security researcher, he'd be disclosing the bugs to Apple a couple weeks in advance to give them time to release patches.

If Apple was an ethical company, they would find and close security holes a couple weeks BEFORE SHIPPING THE DAMN SOFTWARE.

AFAIK, Apple's got a decent record of responding to security bug tips. They even give credit in the release notes for their patches.

Gosh, thanks Apple! That's a nice payment for having someone do your work for you!

If Apple wants somebody to "responsibly disclose" their own programming errors, that person better be on Apple's fucking payroll.

responsible disclosure == unpaid work for vendors == no incentive to find bugs before shipping

Though you're right, this whole thing is bullshit dick-measuring.

MOAB guy: Post the bugs + exploits on a plain white page with no further commentary dude. We'll have a lot more respect for you.

Summary to date... (3, Informative)

shawnce (146129) | more than 7 years ago | (#17543756)

Note that this is third party software that all of the bugs seem to be stemming from.


This statement doesn't make sense. The MOAB issues outlined to date have been a combination of Apple and 3rd party issues. See the following break down...

MOAB #1 - Apple issue
MOAB #2 - 3rd party issue
MOAB #3 - Apple issue
MOAB #4 - Apple issue
MOAB #5 - Apple issue
MOAB #6 - Apple and 3rd party
MOAB #7 - 3rd party issue
MOAB #8 - Apple and 3rd party
MOAB #9 - Apple issue

Re:Summary to date... (1)

99BottlesOfBeerInMyF (813746) | more than 7 years ago | (#17544430)

How is number 8 an Apple issue? It is an overflow in a third party application.

Re:Summary to date... (1)

shawnce (146129) | more than 7 years ago | (#17544708)

Issue #8 [info-pull.com] is not an overflow issue (buffer overrun I assume you mean).

#8 involves APE (Unsanity folks could make some changes to help avoid the issue) however IMHO the core of the issue is with file permissions that Apple has defined for various directories under /Library that Apple recommends 3rd parties install software into. That is why I outlined that it is a 3rd party and Apple issue.

Re:Summary to date... (1)

99BottlesOfBeerInMyF (813746) | more than 7 years ago | (#17545296)

IMHO the core of the issue is with file permissions that Apple has defined for various directories under /Library that Apple recommends 3rd parties install software into.

The security hole is in APE. The fact that you disagree with Apple's permission choices is pretty irrelevant. OS X does not stop Adobe Acrobat from being installed either, does that mean any hole in that reader is also partially Apple's fault?

Re:Summary to date... (1)

EvanED (569694) | more than 7 years ago | (#17545556)

I don't have enough sysadmin experience to judge, but IF Apple chose poor* permissions, then it is partially their fault.

After all, there seem to be a lot of people on /. who have jumped on MS for not making people run as non-admin before Vista; and what's that besides just choosing a poor set of default permissions?

* You could define poor as "not as strict as reasonably possible"

Re:Summary to date... (1)

99BottlesOfBeerInMyF (813746) | more than 7 years ago | (#17545680)

After all, there seem to be a lot of people on /. who have jumped on MS for not making people run as non-admin before Vista; and what's that besides just choosing a poor set of default permissions?

There is a difference between a design not being as secure as possible and a vulnerability. I blame Microsoft for both poor security design for the current climate, and for lots of bugs, but I don't confuse the two and claim that because a local program was compromised, that is a bug in MS's OS. MS should provide a way to safely run untrusted binaries (which is a commonly performed task), but that particular bug is not an MS bug.

In this same way, it would be great if Apple ran all applications in a sandbox. That doesn't mean a bug in a third party program on OS X is an Apple bug either.

InputManagers in general (3, Informative)

Lord Grey (463613) | more than 7 years ago | (#17543874)

For those of you who don't know about APE: There exists in the OS X framework this concept of enabling alternate input mechanisms for already-installed applications. The mechanism is the InputManager. A properly-constructed bundle is simply copied to a designated location and the OS will happily load it whenever an application is launched. The bundle is loaded as part of the application, and the bundle has access to the application's internals. Some good information on InputManagers can be found on CocoaDev [cocoadev.com] .

The "designated location" is actually one of several: /Library/InputManagers/ or ~/Library/InputManagers/. In other words, it doesn't take special privileges to make an InputManager bundle active on a given system for a specific user. You do have to have admin privileges to place the bundle into /Library/InputManagers/ so that all applications executed by all users are touched, but that's it.

Objective-C lets objects of one class "pose" as objects from another class. Posing is like dynamic subclassing; method dispatch happens against your class first and then on up to the original class if you didn't implement it or if your method specifically calls the "parent." This is where code injection comes in. You write a new class that poses as some class in the application and intercept the calls; your code starts executing.

Figuring out the application's classes isn't difficult. A free utility like class-dump [codethecode.com] can be used to grab an OS X application's class and data structure definitions, and from there it's easy to write your own posing classes. Lots of bugs arising from injected code are due to sloppiness on the part of the programmer, and some of it is due to an InputManager modifying an application's data at the wrong time (which is easy to do, because the application rightfully believes that it owns its data).

I was going to write something about the security issues this entire scheme raises, spelling out how a nefarious programmer could hijack passwords and the like. I'll leave that to your imagination, though.

Shameless plug: While I didn't use APE, I did use InputManager technology in order to create Concierge [bti.net] (a bookmark manager for Safari, in the form of a drawer).

Bugs in apples.. (4, Funny)

FrostyCoolSlug (766239) | more than 7 years ago | (#17543930)

When I find a bug in my apple, I throw it away..

We need more acronyms (1)

cascadingstylesheet (140919) | more than 7 years ago | (#17543984)

I suggest for the next few things on this topic:

MOSES

BALAAM ;)

Wow! (1, Insightful)

Cervantes (612861) | more than 7 years ago | (#17544748)

" I guess Apple has made a fairly secure system but they can't expect all third party developers to follow the same rigorous standards."

So, when Apple does it, it's OK, but when Microsoft does it, they've obviously made a flawed system and deserve to be beaten about the head with an office chair?

I know this is /. , but I have a relatively high user ID, so I just want to be sure I understand the logic...

Re:Wow! (1)

Divebus (860563) | more than 7 years ago | (#17546608)

So, when Apple does it, it's OK, but when Microsoft does it, they've obviously made a flawed system and deserve to be beaten about the head with an office chair?

No, it's not OK when Apple does it, if they actually did it. When Microsoft does it for the 140,000th time, they should get beaten up. It would take decades to talk about all the Microsoft bugs.

Re:Wow! (1)

argent (18001) | more than 7 years ago | (#17546630)

No, this one Apple needs to be nailed to the wall on. Leaving parts of the system writable as admin means that you're a quick framework patch away from being root... which means being in admin is almost as dangerous as being in the Local Administrators group on Windows. Not that that stops anyone from running as Local Administrator on Windows.

http://apple.slashdot.org/comments.pl?sid=216122&cid=17546398 [slashdot.org]

Not to mention Adobe and everyone else who shows up when you run that find command.

Misleading Title - APE is not a bug fixing tool (1)

hobbestcat (473268) | more than 7 years ago | (#17544844)

APE is not a bug fixing tool. APE is a hack to the core of the OS. APE lets you run other hacks to reroute your audio, change the action of menu buttons and things like that.

I thought that the MOAB was going to look at Apple Software not software for Apple computers.

Moo (0, Redundant)

Chacham (981) | more than 7 years ago | (#17545118)

MOAB came first and MOAF was a developer's answer to the bugs

What about MOOF???

Hah, security. (1)

Khyber (864651) | more than 7 years ago | (#17545282)

"I guess Apple has made a fairly secure system but they can't expect all third party developers to follow the same rigorous standards." That's about right. *stares long and hard at Javascript and Flash*

APE has a bug??? I'M SHOCKED!!! SIMPLY SHOCKED!!! (0, Troll)

Anonymous Coward | more than 7 years ago | (#17545302)

I'm surprised APE doesn't spontaneously mutate into a backdoor shell on port 6666 SIMPLY THROUGH A COINCIDENCE OF CODING ERRORS.

Seriously, if you're using APE, get it off your Mac NOW.

In the words of Walter Sobchak: (2, Funny)

Night Goat (18437) | more than 7 years ago | (#17545742)

"Fuck it dude, let's go bowling."

Reading that summary as a Mac user, I just can't be bothered to sort all of this out.

mo3 uP (-1, Offtopic)

Anonymous Coward | more than 7 years ago | (#17546268)

out how to make the volat1le world o7 When I stood for the project faces,

It's not an APE bug, it's a big Apple bug. (4, Informative)

argent (18001) | more than 7 years ago | (#17546398)

The bug is that /Library/Frameworks is group-writable by users in the admin group.

ANY application run setuid, or any framework or plugin used by any application run setuid, could have been used to demo it. It's got nothing to do with APE. This is no different from the many privilege escalation issues in Windows caused by writable executables and system directories.

To tell if your Mac is susceptible to this kind of privilege escalation attack, run this command:

find /Library /System /Applications -perm -022

If there are no results, then your system is probably safe. If there are more than a few results, then you're likely vulnerable.

Try it and see.
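Added example, not from the thread or from any project named in it: a Python sketch of the check behind the /Library/Frameworks discussion (the quoted write-up's "administrators are allowed to write to /Library/Frameworks" and the comment above), which walks every path component of a binary that runs as root and reports each one a non-root account could modify. The `Example.framework/helper` tree and all function names are constructed for illustration; `find_perm_all` mirrors how `find -perm -MODE` matches (every listed bit must be set), so a 0775 directory is missed by `-perm -022` but caught by `-perm -020`, which is why the audit tests the group and world bits separately.

```python
import os
import stat
import tempfile


def find_perm_all(mode, bits):
    """Same test as `find -perm -BITS`: true only if ALL bits are set."""
    return (mode & bits) == bits


def writable_by_untrusted(st, trusted_uids, trusted_gids):
    """Reasons why an account outside the trusted sets can modify this entry."""
    reasons = []
    if st.st_uid not in trusted_uids:
        reasons.append("owner uid %d is not trusted" % st.st_uid)
    if st.st_mode & stat.S_IWGRP and st.st_gid not in trusted_gids:
        reasons.append("group-writable by gid %d" % st.st_gid)
    if st.st_mode & stat.S_IWOTH:
        reasons.append("world-writable")
    return reasons


def audit_exec_path(target, trusted_uids=(0,), trusted_gids=(0,), stop_at="/"):
    """Check the target and every ancestor directory up to stop_at.

    A root-owned 0755 binary is still replaceable if any directory above it
    is writable by someone else, so each component is checked, not just the
    file. Returns a list of (path, [reasons]) for the weak components.
    Symlinks are resolved first; the links themselves are not audited here.
    """
    findings = []
    path = os.path.realpath(target)
    stop = os.path.realpath(stop_at)
    while True:
        reasons = writable_by_untrusted(os.lstat(path), trusted_uids, trusted_gids)
        if reasons:
            findings.append((path, reasons))
        parent = os.path.dirname(path)
        if path == stop or parent == path:
            break
        path = parent
    return findings


def build_constructed_tree(root):
    """Constructed stand-in for the layout discussed on the page."""
    library = os.path.join(root, "Library")
    frameworks = os.path.join(library, "Frameworks")
    bundle = os.path.join(frameworks, "Example.framework")  # hypothetical name
    os.makedirs(bundle)
    helper = os.path.join(bundle, "helper")                 # hypothetical name
    with open(helper, "w") as fh:
        fh.write("#!/bin/sh\n")
    os.chmod(root, 0o755)
    os.chmod(library, 0o755)
    os.chmod(frameworks, 0o775)  # group-writable, as the thread describes
    os.chmod(bundle, 0o755)
    os.chmod(helper, 0o755)
    return helper


if __name__ == "__main__":
    root = tempfile.mkdtemp()
    helper = build_constructed_tree(root)
    owner = os.lstat(helper).st_uid
    # The temp tree belongs to the current user, so that uid plays "root" and
    # no group is trusted (the tree's group stands in for the admin group).
    for path, reasons in audit_exec_path(helper, (owner,), (), stop_at=root):
        print(path, "->", "; ".join(reasons))
    print("find -perm -022 would match 0775:", find_perm_all(0o775, 0o022))
    print("find -perm -020 would match 0775:", find_perm_all(0o775, 0o020))
```

On a real system the defaults (uid 0, gid 0, walking to `/`) apply; pass the path of whatever binary is launched as root.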

mod do38 (-1, Troll)

Anonymous Coward | more than 7 years ago | (#17546538)

again. Ther3 4re