Apple is doing a lot of security patching of late, and it looks like its employees may be working overtime just to address some of the flaws found by one security researcher.
Tom Ferris, a hacker and researcher from Mission Viejo, Calif., posted on his Web site Thursday evening information about seven separate security vulnerabilities he found in different Mac OS X digital image formats.
Ferris included proof-of-concept exploit code for all of the flaws in his advisories, though he insists the code is little more than the most basic example to demonstrate precisely where the problems reside. Some of the flaws he found are merely denial-of-service glitches, meaning an attacker could use them to cause hiccups or lockups for targeted Mac systems. But in an interview earlier today, Ferris told me that a number of the bugs could almost certainly be exploited to allow attackers to run programs of their choice on vulnerable Mac systems.
Ferris said he's been told by the folks at Apple that the bugs will be fixed in 'the next security release,' which -- at the rate Apple has been releasing updates lately -- could be quite soon. Still, it has taken Apple nearly four months to fix these problems. Ferris said he first notified Apple of the flaws in early January, and that Apple still is working on fixing at least seven other serious security bugs he found in iTunes and QuickTime after just a few hours of poking around the programs.
'When you think about how many millions of people bought iPods last year ... finding bugs in applications like that has a huge impact,' Ferris said.
Ferris's work is the latest indication that the security community is starting to take a much closer look at potential vulnerabilities in OS X.
'Apple is basically becoming a bigger target because researchers are realizing the potential impact is higher than it was before because more people are using it,' Ferris said. 'Plus, OS X is Unix-based and a lot of researchers and hackers started out on UNIX- and Linux-based systems finding bugs, so for them it's like being back home again.'
By Brian Krebs April 21, 2006; 2:23 PM ET
Categories: Latest Warnings
What, no Windows vs. Mac sniping? Come on, people, get with it!
Posted by: S. H. April 21, 2006 5:47 PM
Be it Linux, Apple, Windows; the faults in all these operating systems and associated software make one wonder about the suitability of those who work on them. I recall working at a computer systems manufacturer that had the good sense to give all people without a track record of real-life software experience an aptitude test. It was surprising how many people who wanted work failed the test. Even more surprising was the number of Computing Science graduates who failed in comparison to those doing maths and physics. Maybe the world is trying to produce more software than there are people with the right aptitude to make a good quality job of it.
Posted by: Anonymous April 22, 2006 5:24 AM
Posted by: MotorolaMac April 22, 2006 1:50 PM
Ferris is a retard if he thinks that causing an OS X application to crash allows 'attackers to run programs of their choice.' Typical FUD from a joker who is trying to drum up business.
Posted by: Mac April 22, 2006 7:25 PM
Another interesting story regarding Mac OS X security...
As with Linux, security through obscurity is quickly becoming untrue. Fortunately, there are enough devotees of these systems to monitor for such flaws. The lead time between discovery-to-patch release is growing shorter - except for this example of Apple's latency.
These vulnerabilities - and the fact that people are beginning to take more of an interest in exploiting them - should be considered evidence that these systems are gaining in popularity.
Posted by: Anon... April 22, 2006 7:37 PM
The complex interaction of subcomponents of an operating system cannot always be predicted by the people who design the subcomponents. Just because I design a gear doesn't mean that I will be aware that the gear can be easily dislodged with a hammer when the machine is in operation. Now try and comprehend the entire machine and its possibility for failure. Sometimes it takes the machine being built for flaws to become obvious. Software verification is a difficult field.
I remember the mailbox directory flaw in older versions of UNIX. If the directory had write permissions enabled for the entire directory you could create a phony mailbox. A symbolic link (shortcut) could be made from the mailbox to the password file. You then would copy the password file and insert your own admin password in your copy of the file. You then mail the password file to the phony mailbox which forwards it to the actual password file. The password file can only be overwritten by an administrator, but the postmaster routine runs as an administrator. Voila! New password file installed by a regular user. This of course was obvious to all of us before we even released a single piece of UNIX code.
This is not like placing low quality tires on a heavily loaded SUV. That component interaction is more obvious than my software example. Build a machine, then kick it, and see how it breaks. Hire someone else to kick the machine and see how it breaks. But hiring someone else who has the correct analytical bias to test your software and break it may be outside your corporate control. How long did it take for people to realize that Lawn Jarts might be dangerous and not just fun? There are too many product reliability issues to simulate in this email.
Posted by: Eduardo April 22, 2006 8:03 PM
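The mail-spool attack Eduardo describes above is the classic symlink-following bug in a privileged writer, and the fix is still the same one a mail delivery agent needs today. The following is an added example written for this page; it is not code from the post, from Eduardo, or from any real UNIX mail system. It simulates the privileged delivery step on a throwaway directory under /tmp (standing in for /var/mail and /etc/passwd), plants a symlink or a hard link named like a mailbox, and compares a naive append against a hardened one that uses O_NOFOLLOW and then verifies via fstat that what it opened is a single-link regular file owned by the expected user. The "message" appended is a crafted passwd line rather than a whole copied password file; that simplification is mine.

```c
/* Added example (not from the post or from any UNIX mail system).
 * Simulates a privileged mail-delivery routine appending to <spool>/<user>.
 * The naive version follows whatever the spool entry points at; the hardened
 * version refuses symlinks (O_NOFOLLOW), hard links (st_nlink != 1),
 * non-regular files, and files owned by the wrong user. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

enum { TRAP_SYMLINK = 0, TRAP_HARDLINK = 1 };

/* Naive delivery: open(2) without O_NOFOLLOW follows a planted symlink. */
static int deliver_naive(const char *spool, const char *user, const char *msg)
{
    char path[4096];
    snprintf(path, sizeof path, "%s/%s", spool, user);
    int fd = open(path, O_WRONLY | O_CREAT | O_APPEND, 0600);
    if (fd < 0) return -1;
    ssize_t n = write(fd, msg, strlen(msg));
    close(fd);
    return n < 0 ? -1 : 0;
}

/* Hardened delivery: never follow a symlink, then check what was opened
 * on the descriptor itself (no TOCTOU window between a stat and the open). */
static int deliver_hardened(const char *spool, const char *user,
                            const char *msg, uid_t expected_owner)
{
    char path[4096];
    struct stat st;
    snprintf(path, sizeof path, "%s/%s", spool, user);
    int fd = open(path, O_WRONLY | O_CREAT | O_APPEND | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;                       /* ELOOP for a symlink */
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) ||
        st.st_nlink != 1 || st.st_uid != expected_owner) {
        close(fd);                                /* hard link, device, wrong owner */
        return -1;
    }
    ssize_t n = write(fd, msg, strlen(msg));
    close(fd);
    return n < 0 ? -1 : 0;
}

/* Plants a trap mailbox pointing at a fake password file, runs one delivery
 * routine, and reports whether the password file was modified.
 * Returns 1 if modified, 0 if not, -1 on setup error. */
int run_spool_attack(int trap, int hardened)
{
    char tmpl[] = "/tmp/spoolXXXXXX";          /* stand-in for /var/mail */
    char *dir = mkdtemp(tmpl);
    if (!dir) return -1;
    char target[4096], trapfile[4096], buf[128];
    snprintf(target, sizeof target, "%s/passwd", dir);   /* stand-in for /etc/passwd */
    snprintf(trapfile, sizeof trapfile, "%s/victim", dir);

    int fd = open(target, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -1;
    if (write(fd, "root:x:0:0\n", 11) != 11) { close(fd); return -1; }
    close(fd);

    /* The unprivileged attacker plants the "mailbox" in the writable spool. */
    int rc = (trap == TRAP_SYMLINK) ? symlink("passwd", trapfile)
                                    : link(target, trapfile);
    if (rc < 0) return -1;

    const char *msg = "evil:x:0:0::/:/bin/sh\n";   /* constructed payload line */
    if (hardened)
        deliver_hardened(dir, "victim", msg, getuid());
    else
        deliver_naive(dir, "victim", msg);

    /* Did anything reach the real target? */
    fd = open(target, O_RDONLY);
    if (fd < 0) return -1;
    ssize_t n = read(fd, buf, sizeof buf - 1);
    close(fd);
    if (n < 0) return -1;
    buf[n] = '\0';
    int modified = strstr(buf, "evil") != NULL;

    unlink(trapfile); unlink(target); rmdir(dir);
    return modified;
}

int main(void)
{
    printf("naive    + symlink : modified=%d\n", run_spool_attack(TRAP_SYMLINK, 0));
    printf("hardened + symlink : modified=%d\n", run_spool_attack(TRAP_SYMLINK, 1));
    printf("naive    + hardlink: modified=%d\n", run_spool_attack(TRAP_HARDLINK, 0));
    printf("hardened + hardlink: modified=%d\n", run_spool_attack(TRAP_HARDLINK, 1));
    return 0;
}
```

Two points worth noticing. O_NOFOLLOW alone is not enough: a hard link to the target is not a symlink, so it opens fine, which is why the hardened version also rejects st_nlink != 1 and checks the owner. And the checks are done with fstat on the already-open descriptor rather than stat on the path, so an attacker cannot swap the file between the check and the open. Modern Linux also mitigates the original bug at the kernel level (fs.protected_symlinks and fs.protected_hardlinks for sticky world-writable directories), but a privileged writer should not depend on that being enabled.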
>Apple is basically becoming a bigger target because researchers are realizing the potential impact is higher than it was before because more people are using it...<
Yup, according to IDC, Apple's USA First Quarter 2006 market share catapulted all the way up to 3.7%.
Their worldwide market share is somewhere below that of (who?) Fujitsu/Fujitsu Siemens.
It's safe to say that the overwhelming majority of iPods are used with Windows computers.
From a market share standpoint, I don't see why a virus/worm writer would bother with Apple-OSX.
Posted by: John Johnson April 23, 2006 11:59 AM
This blog entry is very scant on details and heavily weighted towards the word of the security researcher. Here's the deal. After a cursory analysis, none of the flaws detailed by Ferris allow an attacker to execute code with root access privileges. So in the worst case you could lose your personal files which only require standard or administrator's access privileges. Access to important system files requires root access. Hell, even as an administrator of my own machine (which is OSX default installation mode) I CANNOT do something boneheaded like delete the system folder. Root access is disabled by default on 99.9% of OSX boxes out there as your average user has no idea how to turn it on and would have no need to do so even if they did know. No, hackers will probably not be able to take over your lovely OSX machine or render it inoperable with these exploits. So the important lesson from this boys and girls is backup your data. We live in a scary world where people don't mind destroying your precious personal files for fun and profit. You should backup your data regardless of the machinations of weasels using Ferris' 'exploits' (obligatory eyeroll). So, our OSX boxes are probably safe and will continue to work into the foreseeable future. Yawn. Wake me if Ferris finds something dangerous.
Hell why did I even bother. Must be gas....
Posted by: MrX April 23, 2006 6:06 PM
This is actually good for the Apple world because Apple and their users have been living in a bubble for a long time. Especially when they think the OS is not vulnerable to anything. Wrong. Making the GUI shiny and pretty does nothing to enhance the security.
Posted by: Anonymous April 23, 2006 8:39 PM
This is basically what I just interpreted:
Blah blah blah blah blah blah blah - blah blah blah blah blah blah blah blah blah blah blah blah blah
[Ferris stated that because Apple sold millions of iPods, that his findings will have a huge impact]
Blah, blah blah blah blah blah blah blah,blah blah blah blah blah blah blah blah blah.
Whatever.
Look, take some time Mr. Krebs, to kindly remove your lips from the Microsoft logo on Ballmer's backside long enough to at least call up another source to compare research when you write an article. You basically write this article from the standpoint that you are nothing more than a boy who ALSO cried 'wolf!'
First off, about 90% of iPods are attached to WINDOWS machines. Second, what do these flaws have to do with an iPod? Nada, zip, zero, nothing. The problems that he highlights don't allow hackers to tap into iPods, so why even bring them up?
Moving on... If these flaws were so severe, why didn't Ferris actually commit to making a TRUE proof-of-concept and demonstrate the hijack of a machine? Easy. Because as Mr. X (another poster) already pointed out, the flaws described DO NOT allow the average Mac OS X box to be seized.
Look, you may or may not be a journalist who happens to be 'in bed' with Microsoft, so I apologize for the earlier comment. However, please do take the time and make sure that you don't sound that way. eWeek and the rest of the so-called 'enterprise technology' rags that are out there are bad enough, we don't need this sort of thing becoming commonplace in the Post as well.
Unbelievable.
Posted by: Mr. Smith April 24, 2006 6:17 AM
Security Fix is harder on Microsoft than any other company. To say that Brian Krebs lips are attached to Ballmer's backside is ludicrous.
I know experienced Mac users that have not had antivirus or firewall software installed because they thought the Mac was nearly immune to these attacks. Lack of evidence is not evidence of lack. Just because they hadn't been attacked doesn't mean they never will be. If this serves as a wake-up call for Apple and its adherents, that can only be for the good.
As to 'only' losing all your personal information... what do you think computers are for? Isn't losing all of your documents, tax files, resumes, jpegs of the kids, and hundreds of other types of files a serious issue?
Sheez! Mac apologists.
Posted by: WiJO April 24, 2006 9:56 AM
Brian is no Windows mouthpiece. He's registered plenty of criticism of the Windows world and has had many complimentary things to say about the Mac. I've been a dedicated Mac user since 1987, and I think he's been extremely fair and evenhanded through all the OS controversy of late.
Posted by: Randy April 24, 2006 11:49 AM
The issue here is anything can be hacked.
Let US figure out how to protect ourselves by giving us such information. If it is really true we need to fix the OS or adopt the patches etc.
I have no real axe to grind - I use windows (as little as possible - but I help my wife who absolutely needs to run it) and macs both at home and work. I need to 'know the info' and this column does that as well as anything.
If the author is really truthfully wrong - you have corrected him with your comments...if we macophiles (my bias) are smug for the wrong reasons - we will stand corrected and we hope Apple will do what it can.
But really - we are in the same boat with all the windows users - we can't stand to be complacent. Humans are resourceful and will enjoy the temptation of messing with all the rest of us. But I dare say the thought of getting locked up certainly puts the damper on my mischievous quotient. But I am old and 'wiser' and the young and foolish or motivated by hate or whatever are a potentially scary lot.
Keep up the great column
Posted by: johng April 24, 2006 7:26 PM
Brian - I've used Mac OS X for a year; Windows & DOS for more than 10 years. I'm evaluating GNU/Linux on a trial basis.
All of them certainly have their place. Regarding security, none are bulletproof.
My wildest guess is Windows is the most breakable (in terms of data theft & system compromise) of the 3 platforms I've been on; but it sure is cheap with gobs of software available. This is what I use currently.
I've had some of the most enjoyable computing experiences on Mac OS X ; but I have too many Windows programs/files to make the switch. And I didn't like that Palm Desktop & Yahoo messenger were given short shrift on the Mac. I dropped a lot of money on this platform in the one year I've had it; but it was an enjoyable computing experience.
GNU/Linux - I can't comment on it yet; but it sure is promising - almost all the software is free.
Thanks for allowing others to post their opinions on this site; please keep up the good work.
Posted by: Poch April 25, 2006 1:20 PM
You Apple fanboys need to grow up, no one has said anything bad about Apple, it's just a story about a guy who finds problems, reports them and they are being fixed. I don't understand why you're so defensive over something so small.
Brian, great article, keep up the good work.
Posted by: amazed April 26, 2006 9:56 AM
I'm not even in the same league as those whose posts I just read. I know very little about computers, Mac or otherwise. The only reason I found and read these posts today was through doing a site search for virus/trojan test/fix software. I own a Mac OS X machine and as of late it has begun acting a lot like my Windows system did right before it crashed. Fortunately, I know enough to not just go clicking these so-called 'free fix' links and start downloading 'spyware' eliminators. I saw a friend do it and I swear the software he downloaded to 'fix' his problem gave him more problems, then wanted money to fix them. So I thought to get a little information first. I understand now that up to this point my Mac has been considered somewhat immune, if you will, to the trojan/virus problem. It will be interesting to see the outcome of this safe or not safe controversy and all I can say is my usually trouble free Mac must be having some gender issues 'cause it's sure acting a lot like Windows.
Posted by: J.Mercurio September 8, 2006 12:12 PM