This is a different class of attack than that. The attacker doesn't need physical access to your Mac. In fact, the attacker doesn't have to be personally attacking your machine at all. You could simply download a game, or some other innocuous looking app, and that app could change the Mac's system date, and ***WHAM*** you're rooted.
I don't think an application can gain root privilege if it was not launched as root, in which case this would not work.
um really. this is a "trolling for ad clicks" FUD-laced article maybe? Because, first of all, referring to this as a "security flaw" is kind of a misnomer. It sort of COULD be a security window, but only IF you are already an administrator, and only IF you've used 'sudo' on the machine before (giving yourself root access), and only IF you have physical or remote access to…. wait, I get it, so these "vulnerable" machines are mostly at risk of their OWNERS "hacking in" and potentially doing malicious stuff to themselves at the root level. *GASP* I see now….. ooh, yeah. That's a scary-bad security flaw there!!
Really, it's kind of like saying, "Since I'm an administrator AND I can set myself to be root user, what we have here is… a Security Flaw!!!!"
Silliness.
Oh and then this, "Macs are especially vulnerable to the bug as OS X does not require a password to change these clock settings." (FUD Alert!)
You really need to add the words "by default" in there, like, "…by default, OS X does not require a password to change these clock settings."
But, as evidenced in the Date & Time image you used for illustration, there's a LOCK at the bottom of the pane that says, "Click the lock to prevent further changes."
How about... *click* … So much for "Macs being especially vulnerable…"
It's a bit like the Safari "security flaw", where Safari ships with the setting "open 'safe' files after downloading" set to ON by default.
Another one: *click* solved.
So here's your new article which I have rewritten liberally:
There is a very remote possibility that a minor "flaw" in the way Unix operates could open your computer to "attack" in extreme and very narrow circumstances. To remove any danger of this, password protect your Date & Time settings by clicking the lock to its closed position after making any changes.
(… insert a paragraph of historical backstory here…)
Done!
Awfully short article, but I think it's far more honest….
um really. this is a "trolling for ad clicks" FUD-laced article maybe? Because, first of all, referring to this as a "security flaw" is kind of a misnomer. It sort of COULD be a security window, but only IF you are already an administrator, and only IF you've used 'sudo' on the machine before (giving yourself root access), and only IF you have physical or remote access to…. wait, I get it, so these "vulnerable" machines are mostly at risk of their OWNERS "hacking in" and potentially doing malicious stuff to themselves at the root level. *GASP* I see now….. ooh, yeah. That's a scary-bad security flaw there!!
Really, it's kind of like saying, "Since I'm an administrator AND I can set myself to be root user, what we have here is… a Security Flaw!!!!"
Silliness.
Oh and then this, "Macs are especially vulnerable to the bug as OS X does not require a password to change these clock settings." (FUD Alert!)
You really need to add the words "by default" in there, like, "…by default, OS X does not require a password to change these clock settings."
But, as evidenced in the Date & Time image you used for illustration, there's a LOCK at the bottom of the pane that says, "Click the lock to prevent further changes."
How about... *click* … So much for "Macs being especially vulnerable…"
It's a bit like the Safari "security flaw", where Safari ships with the setting "open 'safe' files after downloading" set to ON by default.
Another one: *click* solved.
So here's your new article which I have rewritten liberally:
There is a very remote possibility that a minor "flaw" in the way Unix operates could open your computer to "attack" in extreme and very narrow circumstances. To remove any danger of this, password protect your Date & Time settings by clicking the lock to its closed position after making any changes.
(… insert a paragraph of historical backstory here…)
Done!
Awfully short article, but I think it's far more honest….
Yeah it's pretty sad to see that this was parroted by a few Apple news sites without any mention of this obvious fix.
Apple is beginning to sour for me. The keyboards on the iDevices are simply terrible. Auto correcting when none is needed, and now lag. Not getting the Apple TV update that was announced a couple of days ago (Australia). Surely with their pile of cash they can fix these problems. iOS 7 looks far too android for me from what I have seen, I hope they change it.
I don't think an application can gain root privilege if it was not launched as root, in which case this would not work.
An app isn't *supposed* to be able to gain root privilege if it's not launched as root, but the whole point of this vulnerability is that it bypasses that particular restriction. All a malicious app has to do is to run a few command lines:
1. Change the clock date using the systemsetup command-line tool
2. Relaunch itself, or launch some shell script, or do anything it wants really, as root using sudo
Not exactly easy to hack, if someone gets admin access the first time, just drop a payload via USB drive or something and get a rootkit going already there and then, why bother with this hack.
Hardly a stop-the-presses security flaw, but Apple should be more proactive addressing all security issues if it wants to avoid the kind of snarky comments this guy makes.
Not a troll thank you, how about stopping the left side of your brain from reflexing and think for a change.
These are legitimate concerns and I can list many more. To simply bury your head in the sand is the wrong thing to do. Apple could licence the Blackberry virtual keyboard (at least try to). So you see mr. Smarty pants, I have mentioned a possible solution, what have you done? Simply wasted cyber bits on your personal attack.
Interesting, but also does not explain enough. This is just saying, if you get root access to OS X you can do anything you want? That's kind of the idea with sudo. Place a line in the sudoers file for whoever you are logged in as when you want to use the sudo command.
Caution, if someone has admin access, they can break in and get admin access!
Admin and root are not the same. OS X, like Linux Ubuntu, doesn't expose to the users a permanent root account for security reasons. This is why they have a 'sudo' command when you want to invoke temporary root privileges for lesser users such as an admin.
I agree with other users that this hack is a tall order but Apple must patch any and all security bugs ASAP. Never underestimate the enemy.
It's so they can get attention, since anyone that posts an article with the word APPLE in it, is going to be hit with lots of views.
You're talking of HD Moore here. He doesn't need attention, he's already a security rock star. It's like saying Apple needs to ask Samsung for design cues.
If the guys from Metasploit, who are quite obviously WAY better than anyone on these forums, think there is an issue, I believe them.
How critical it actually is, is for Apple to decide. Instead of personal attacks on the probity of the hackers, it could have been said that the security mindset may make people put more emphasis on security fixes than is reasonable for a company to devote time to, which is an industrial decision (and a human analysis line of thought).
Why is it that people here, instead of just taking the fact there seems to be an exploitable flaw, that will get solved when Apple decides it is necessary, attack the security specialist? He did not create the flaw, and it is his business to find these flaws. Security-critical businesses would much rather know about a flaw they can't fix and adapt their business flows than discover years afterwards that important information has been flowing to, say, China... or another US company, anywhere it shouldn't be flowing to, because they relied on the supplier telling them "the system is secure".
Note that Metasploit contains many more Windows exploits than Mac exploits... and has for years already. Just check it for yourself :
Admin and root are not the same. OS X, like Linux Ubuntu, doesn't expose to the users a permanent root account for security reasons. This is why they have a 'sudo' command when you want to invoke temporary root privileges for lesser users such as an admin.
I agree with other users that this hack is a tall order but Apple must patch any and all security bugs ASAP. Never underestimate the enemy.
If you have admin access, you have a password that you can use to SUDO, anyway. Very, very, very few people actually have multiple passwords and accounts on their machines. Every single person I know (with one exception) operates with a single password - and all their files are accessible at any time.
If you have admin access, you have a password that you can use to SUDO, anyway. Very, very, very few people actually have multiple passwords and accounts on their machines. Every single person I know (with one exception) operates with a single password - and all their files are accessible at any time.
Companies operate under different rules than individuals, and they're more likely to be targeted by evildoers to steal business information or plain money(not that botnets or other types of wrongdoing would pass on non-business, not my point )
Comments
Quote:
Originally Posted by Durandal1707
This is a different class of attack than that. The attacker doesn't need physical access to your Mac. In fact, the attacker doesn't have to be personally attacking your machine at all. You could simply download a game, or some other innocuous looking app, and that app could change the Mac's system date, and ***WHAM*** you're rooted.
I don't think an application can gain root privilege if it was not launched as root, in which case this would not work.
Quote:
Originally Posted by muppetry
I don't think an application can gain root privilege if it was not launched as root, in which case this would not work.
I guess that's why they're talking about "attackers" and not "maliciously crafted applications".
um really. this is a "trolling for ad clicks" FUD-laced article maybe? Because, first of all, referring to this as a "security flaw" is kind of a misnomer. It sort of COULD be a security window, but only IF you are already an administrator, and only IF you've used 'sudo' on the machine before (giving yourself root access), and only IF you have physical or remote access to…. wait, I get it, so these "vulnerable" machines are mostly at risk of their OWNERS "hacking in" and potentially doing malicious stuff to themselves at the root level. *GASP* I see now….. ooh, yeah. That's a scary-bad security flaw there!!
Really, it's kind of like saying, "Since I'm an administrator AND I can set myself to be root user, what we have here is… a Security Flaw!!!!"
Silliness.
Oh and then this, "Macs are especially vulnerable to the bug as OS X does not require a password to change these clock settings." (FUD Alert!)
You really need to add the words "by default" in there, like, "…by default, OS X does not require a password to change these clock settings."
But, as evidenced in the Date & Time image you used for illustration, there's a LOCK at the bottom of the pane that says, "Click the lock to prevent further changes."
How about... *click* … So much for "Macs being especially vulnerable…"
It's a bit like the Safari "security flaw", where Safari ships with the setting "open 'safe' files after downloading" set to ON by default.
Another one: *click* solved.
So here's your new article which I have rewritten liberally:
There is a very remote possibility that a minor "flaw" in the way Unix operates could open your computer to "attack" in extreme and very narrow circumstances. To remove any danger of this, password protect your Date & Time settings by clicking the lock to its closed position after making any changes.
(… insert a paragraph of historical backstory here…)
Done!
Awfully short article, but I think it's far more honest….
Quote:
Originally Posted by tribalogical
um really. this is a "trolling for ad clicks" FUD-laced article maybe? Because, first of all, referring to this as a "security flaw" is kind of a misnomer. It sort of COULD be a security window, but only IF you are already an administrator, and only IF you've used 'sudo' on the machine before (giving yourself root access), and only IF you have physical or remote access to…. wait, I get it, so these "vulnerable" machines are mostly at risk of their OWNERS "hacking in" and potentially doing malicious stuff to themselves at the root level. *GASP* I see now….. ooh, yeah. That's a scary-bad security flaw there!!
Really, it's kind of like saying, "Since I'm an administrator AND I can set myself to be root user, what we have here is… a Security Flaw!!!!"
Silliness.
Oh and then this, "Macs are especially vulnerable to the bug as OS X does not require a password to change these clock settings." (FUD Alert!)
You really need to add the words "by default" in there, like, "…by default, OS X does not require a password to change these clock settings."
But, as evidenced in the Date & Time image you used for illustration, there's a LOCK at the bottom of the pane that says, "Click the lock to prevent further changes."
How about... *click* … So much for "Macs being especially vulnerable…"
It's a bit like the Safari "security flaw", where Safari ships with the setting "open 'safe' files after downloading" set to ON by default.
Another one: *click* solved.
So here's your new article which I have rewritten liberally:
There is a very remote possibility that a minor "flaw" in the way Unix operates could open your computer to "attack" in extreme and very narrow circumstances. To remove any danger of this, password protect your Date & Time settings by clicking the lock to its closed position after making any changes.
(… insert a paragraph of historical backstory here…)
Done!
Awfully short article, but I think it's far more honest….
Yeah it's pretty sad to see that this was parroted by a few Apple news sites without any mention of this obvious fix.
Right - hence my response to Durandal1707, who raised the issue of applications rather than local attackers.
The keyboards on the iDevices are simply terrible. Auto correcting when none is needed, and now lag.
Not getting the Apple TV update that was announced a couple of days ago (Australia).
Surely with their pile of cash they can fix these problems.
iOS 7 looks far too android for me from what I have seen, I hope they change it.
1. Change the clock date using the systemsetup command-line tool
2. Relaunch itself, or launch some shell script, or do anything it wants really, as root using sudo
3. There is no step three.
Originally Posted by AppleInsider
... the person attempting to gain unauthorized privileges must also have physical or remote access to the target computer.
Trivial workaround:
1. System Preferences -> Security & Privacy -> Require password <interval> after sleep or screen saver begins.
2. System Preferences -> Sharing -> un-check Remote Login.
3. There is no step three.
Originally Posted by hfts
Apple is beginning to sour for me. ...
Classic "concern troll." Nice job.
Originally Posted by hfts
Apple is beginning to sour for me.
Good for you; stop lying.
These are legitimate concerns and I can list many more. To simply bury your head in the sand is the wrong thing to do. Apple could licence the Blackberry virtual keyboard (at least try to). So you see mr. Smarty pants, I have mentioned a possible solution, what have you done? Simply wasted cyber bits on your personal attack.
Quote:
Originally Posted by robogobo
Caution, if someone has admin access, they can break in and get admin access!
Admin and root are not the same. OS X, like Linux Ubuntu, doesn't expose to the users a permanent root account for security reasons. This is why they have a 'sudo' command when you want to invoke temporary root privileges for lesser users such as an admin.
I agree with other users that this hack is a tall order but Apple must patch any and all security bugs ASAP. Never underestimate the enemy.
Quote:
Originally Posted by drblank
It's so they can get attention, since anyone that posts an article with the word APPLE in it, is going to be hit with lots of views.
You're talking of HD Moore here. He doesn't need attention, he's already a security rock star. It's like saying Apple needs to ask Samsung for design cues.
If the guys from Metasploit, who are quite obviously WAY better than anyone on these forums, think there is an issue, I believe them.
How critical it actually is, is for Apple to decide. Instead of personal attacks on the probity of the hackers, it could have been said that the security mindset may make people put more emphasis on security fixes than is reasonable for a company to devote time to, which is an industrial decision (and a human analysis line of thought).
Why is it that people here, instead of just taking the fact there seems to be an exploitable flaw, that will get solved when Apple decides it is necessary, attack the security specialist? He did not create the flaw, and it is his business to find these flaws. Security-critical businesses would much rather know about a flaw they can't fix and adapt their business flows than discover years afterwards that important information has been flowing to, say, China... or another US company, anywhere it shouldn't be flowing to, because they relied on the supplier telling them "the system is secure".
Note that Metasploit contains many more Windows exploits than Mac exploits... and has for years already. Just check it for yourself :
Metasploit.
If you have admin access, you have a password that you can use to SUDO, anyway. Very, very, very few people actually have multiple passwords and accounts on their machines. Every single person I know (with one exception) operates with a single password - and all their files are accessible at any time.
Quote:
Originally Posted by jragosta
If you have admin access, you have a password that you can use to SUDO, anyway. Very, very, very few people actually have multiple passwords and accounts on their machines. Every single person I know (with one exception) operates with a single password - and all their files are accessible at any time.
Companies operate under different rules than individuals, and they're more likely to be targeted by evildoers to steal business information or plain money(not that botnets or other types of wrongdoing would pass on non-business, not my point )