Will Apple release a 10.2.8 security patch in response to @Stake's security flaws?

Posted:
in macOS edited January 2014
http://www.atstake.com/research/advi...2003/#102803-1



There are three security flaws cited in OSX. Apple's response has been 'upgrade to 10.3'



The anti-Mac IS staff at my company is jumping all over this. The head (up-his-ass) IT security guy just sent out an email ...



Quote:

Three security flaws have been found in Apple's 10.2 operating system. Apple's response as of this date, in violation with industry security standards, is to require customers to purchase at a price of over $100 the new point version 10.3 to fix the bug. I've been watching a thread on bugtraq about this.



A summary of the vulnerabilities is as follows:



1) Buffer overflow, Denial of Service attack, by entering long command strings.



2) Confidentiality attack. Remote users can read/replace files. An option would have to be enabled (disabled by default) to exploit this one.



3) A flaw that produces insecure binaries after applications installed makes it possible that users with file access, can replace other's files and gain advanced privileges as a result.



Since the OS is multi-user, many of the vulnerabilities assume that more than one user per machine, which is not necessarily the case at XXXX, but it does give the possibility that if an attacker does gain just regular account access the bar to higher access has been lowered.



What has been discussed is that Apple has not published a product life cycle map, so users are in the dark. Also, this bug release coincides with Apple's launch of the new 10.3 OS. Many people like to wait a while to see if a new OS is stable before upgrading.



Cheers,




I think Apple is making a poor decision by not patching 10.2. We will not be upgrading to 10.3 for a month or so. In the mean time, the IS staff is exploiting these problems and will use it to bolster their case that Macs should be limited to the graphics folks. Several key executives are considering Macs and this will be a serious blow.



Will Apple patch 10.2.8?

Comments

  • Reply 1 of 23
    keda Posts: 722 member
    http://www.atstake.com/research/advi.../a102803-3.txt



    The first item is the most serious since there is no manual fix available.



    I have taken the recommended actions on items 2&3.
  • Reply 2 of 23
    cowerd Posts: 579 member
    These are all LOCAL USER security issues. Not remote. If your MIS department can't wrap their head around that then maybe it's time for a new MIS department.
  • Reply 3 of 23
    jll Posts: 2,709 member
    Apple's response as of this date, in violation with industry security standards, is to require customers to purchase at a price of over $100 the new point version 10.3 to fix the bug.



    Huh? Apple hasn't issued a response yet.
  • Reply 4 of 23
    jll Posts: 2,709 member
    Quote:

    Originally posted by Keda

    In the mean time, the IS staff is exploiting these problems and will use it to bolster their case that Macs should be limited to the graphics folks.



    And they limit Windows machines to the janitors? Was it 65 holes last month?
  • Reply 5 of 23
    @stake doesn't deserve Apple's attention. They fire a guy for citing MS security problems and then issue this "warning"? Gimme a break. Seems a little too convenient.
  • Reply 6 of 23
    keda Posts: 722 member
    I sent a 'Reply All' email back to the guy and picked apart his email. Besides, I have taken all the steps that Apple recommended. On top of that, root and SSH are disabled on all these Macs. I don't see how any would-be hackers could access the computers if they wanted to.



    Oh well. The funniest part of all this is that I'm the one doing Mac support and fend off our ranting IS staff. I'm a Multimedia Specialist who has no formal training in support. But since IS refuses to touch any Macs, I got the job. LOL. Next time they want a media piece done, I should just refuse on the grounds that I don't support that department.
  • Reply 7 of 23
    keda Posts: 722 member
    BTW, I'd still like to see Apple release a fix for this type of thing. They are making (slow) strides into corporate America. Apple needs to be seen as a responsive company.
  • Reply 8 of 23
    A response from Apple-X.net:



    Quote:

    New Security Holes In OS X? Not Really

    Posted by: DaveG on Oct 29, 2003 - 06:58 PM




    @Stake Issues Advisories For OS X





    Computer security firm @Stake released three advisories Wednesday for Mac OS X. The following are the advisories. 1)"Systemic" flaws in the way OS X handles files and directories. 2) A kernel-level vulnerability that does not affect default installations. 3) A buffer overflow condition that "might" be remotely executable. Hmmm, kind of vague here, aren't they? Let's take a look, shall we?



    Starting at the beginning, the "Systemic" flaws in the way OS X handles file permissions. What flaws? OS X uses unix file permissions, just like other *nix flavors. At the least, if this was true, there would be reports of the same thing in at least other BSDs. The advisory on this topic is basically saying that since files are often distributed with weak permission, they are vulnerable to overwriting. Well, duh! Come on now, this is like mentioning that if you don't lock your car door, then it is more likely to be stolen. We all know that. The comment is actually aimed more at applications that are installed. While I will admit that applications are often not installed with optimal security settings in an OS X world, that's not a fault in OS X. It's a fault in the way a vendor packages the application. Another thing missing here is that a user with administrator privileges can adjust said settings to make application installs safer. And as an aside, most applications on Windows are installed with even weaker security, and a fair few other OSes have weak installs with some of their apps as well. Again, it all comes down to the packaging of the application, not a fault in the OS.



    Now the second "advisory", A Kernel-Level vulnerability that does not affect default installations. Let's get a little more specific on this one. What they mean is that if CoreFiles is installed and enabled, then a local user may be able to overwrite and read files created by other users and processes. Core files is basically a cache and as a rule is not, nor should be enabled. What core files does is write process information to the /cores directory on your box. It sets the permissions as read-only for the root users, however, the directory is world writable. This, by the way, is not even a potential problem with 10.3 (Panther). There are a few possibilities here for users who have interactive shell access to your box, but once again, this is NOT enabled by default and really shouldn't be turned on at all. This is used primarily for development and application debugging, so there is NO REASON to enable it in a production environment. Another aside, if you turn on debug and/or caching processes in any OS, you open yourself up to many possible security issues, hence the fact that smart developers and admins only allow this on development or testing boxes, not on machines that are meant to be used in a production environment or by "end users".



    The last so-called advisory, a buffer overflow condition that "might" be remotely executable. What do you mean might? You don't test this crap before proclaiming to the world that there's a major security hole in an OS? To be a bit more specific on this hole, what they are talking about is that it might be possible to cause the kernel to overflow with obscenely long arguments to the command interpreter. They do not specify the actual range of arguments that will cause this crash, only that it is a very narrow range. Until I see more valid data regarding this, I will not buy into it. However, once again, they do not appear to be able to reproduce this in 10.3, so it could very well have been a core issue with the BSD underpinnings of OS X, but who knows, they also may have been making it up or just had a buggy testing box. Unless they release example code, it's kind of hard to validate this kind of thing. Yet one more aside. Most command interpreters can be hosed at one point or another by cramming too much data into their arguments field. That's just the nature of the beast. I personally have never had this problem with OS X, but it is a valid possibility. However, this is something that either needs local access or a very poor service on the box that launches other programs without first validating the arguments passed. This was the reason so many CGI scripts left systems wide open for attack. Once again, no good admin will leave such services/programs available on a box that allow such overflows and as far as I know, unless end users are installing poorly written 3rd party services on their box, this is a non-issue. However, installing poorly coded third party programs can cause security holes on ALL OSes, especially if they run as root, which by default, is disabled in OS X.



    Those who keep up on security will remember that back in Sept. Dan Geer, a (then currently) exec at @Stake was fired for taking part in a security analysis of MS Windows operating systems for the government. More specifically, he was fired because he pointed out the lack of security in Windows OSes. @Stake is a contractor for Microsoft, so it's not too surprising that they used their immense weight to have the poor guy fired, however, thanks to his report and the constant news of new Viri, Worms and Trojans attacking MS OSes, more people are recognizing the major holes that persist year after year and version after version in their products. There have been more conversions to Macs by Windows users in the last year than at any other point in the last 8 years or so, and there is a LOT of discussion going on in various technical forums about good reasons to make the switch, so it appears there may be more momentum building for people wanting to switch. My personal belief is that these "Advisories" are nothing more than an attempt to make Macs appear in a less appealing light to potential switchers. Good luck though, compared to the rash of constant advisories on MS software, it would take a major landslide of new issues on the Mac to come anywhere near the holes in Windows. Cheap attempt to slander OS X or legitimate worries? Personally, I would tend to think the first, especially with the fact that none of these "holes" in OS X can be found in Panther (which is still getting the last wrinkles worked out) and no example code has been shown for these vulnerabilities to be seen by others of the security community. "Proof of Concept" code is a pretty standard practice when announcing security holes in software, that way others can validate your find as well as work towards a fix in a more accurate way. @Stake used to provide such code back in the day. Interesting that they are not doing so now, isn't it?

    Well, in the end, you have to decide what you think for yourself. I just hope this has given you a more balanced perspective to make the decision from.

    --DaveG
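
Added example, not part of the quoted Apple-X.net article or of any poster's reply: a Python audit for the two permission conditions the article describes, installed application files left world-writable and a world-writable directory such as /cores. The `Sample.app` tree, the file names and the function names are constructed for illustration; the sticky-bit test is an added assumption about when a world-writable directory lets one local user replace another's files.

```python
import os
import stat
import tempfile


def audit_world_writable(root):
    """Return sorted (relative_path, kind) findings for entries under root.

    'file'          = regular file any local user can overwrite
    'dir-no-sticky' = world-writable directory without the sticky bit, so any
                      local user can delete or replace entries owned by others
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode  # lstat: never follow symlinks
            if stat.S_ISLNK(mode) or not mode & stat.S_IWOTH:
                continue
            rel = os.path.relpath(path, root)
            if stat.S_ISDIR(mode):
                if not mode & stat.S_ISVTX:
                    findings.append((rel, "dir-no-sticky"))
            elif stat.S_ISREG(mode):
                findings.append((rel, "file"))
    return sorted(findings)


def build_sample_tree(base):
    """Constructed sample layout (not taken from a real system)."""
    old_umask = os.umask(0o022)  # intermediate directories become 0755
    try:
        macos = os.path.join(base, "Applications", "Sample.app", "Contents", "MacOS")
        os.makedirs(macos)
        # One binary installed world-writable, one installed correctly.
        for name, mode in (("Sample", 0o777), ("helper", 0o755)):
            path = os.path.join(macos, name)
            with open(path, "w") as fh:
                fh.write("#!/bin/sh\n")
            os.chmod(path, mode)
        # A cores-style directory (0777) next to a sticky tmp directory (1777).
        for name, mode in (("cores", 0o777), ("tmp", 0o1777)):
            path = os.path.join(base, name)
            os.mkdir(path)
            os.chmod(path, mode)
    finally:
        os.umask(old_umask)


def run_demo():
    """Build the constructed tree in a temp directory and audit it."""
    with tempfile.TemporaryDirectory() as base:
        build_sample_tree(base)
        return audit_world_writable(base)


if __name__ == "__main__":
    for rel, kind in run_demo():
        print(f"{kind:14} {rel}")
```

On the constructed tree the audit reports the world-writable `Sample` binary and the `cores` directory, and passes over `helper` (0755) and the sticky `tmp` directory.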



  • Reply 9 of 23
    smircle Posts: 1,035 member
    Actually, I must say the IT guy is partially right. As a Unix vendor, Apple should do much more to support previous versions of their system. It bugs me that they do nothing to fix security holes in an OS release merely one year old. I have yet to see any competitor treating their customers so badly (including the evil empire).
  • Reply 10 of 23
    How does anybody know that Apple isn't working on a fix?
  • Reply 11 of 23
    eugene Posts: 8,254 member
    Nobody knows. It is perfectly reasonable for Apple to release updates to different branches of the OS piecemeal. 10.3 is substantially different enough from 10.2.



    http://www.oisafety.org/process.pdf



    Section 7.4 should justify Apple's move. I also don't think it's Apple's fault the bug was publicized. @Stake asked for a solution, Apple provided one, but they shouldn't have moved on it yet.
  • Reply 12 of 23
    Quote:

    Originally posted by Keda



    The anti-Mac IS staff at my company is jumping all over this.




    It would make sense. They're just looking out for their jobs. Bad software warrants their existence. They need that patch money. However aggravating it is.
  • Reply 13 of 23
    keda Posts: 722 member
    Here's a little anecdotal story about our IS staff and Macs.



    A few years ago, our building was undergoing some renovations. One Tuesday morning, the network started crashing, and crashing HARD. IS kicked into high gear and started trying to patch things up. This went on for almost two days until the executives decided that outside consultants should be brought in.



    For another day these "experts" worked w/our IS staff to find a solution. By the time they went home at night, they were perplexed and still no solution had been found.



    Then, out of the blue, this same IS staffer who sent the security email sent another email to the entire company. This one said that the problem had been sussed out. It was the Macs. Apparently (according to him) AppleTalk had brought the network crashing down around us.



    Well, I'm no network guy but I was skeptical. Nonetheless, we took quick action to eliminate AppleTalk. We quickly installed DAVE and spent the money needed. Thousands of dollars later, we still didn't have a network.



    By now it was the weekend and most of the company went home. But IS stayed. When Monday rolled around, we had a network again. Good IS work had clearly won the day.



    Well, not exactly. After publicly discrediting Macs and spending tons of money, it turned out that a workman had accidentally put a nail through a critical network wire and caused a short. Nothing was ever said about the incident and it quietly disappeared as everyone enjoyed the functioning network.



    So, this email about the 'alert' is just another move against Macs. IMO, of course.
  • Reply 14 of 23
    tidris Posts: 214 member
    Quote:

    Originally posted by MacsRGood4U

    How does anybody know that Apple isn't working on a fix?



    This article suggests Apple won't fix it in Jaguar.



    http://news.com.com/2100-7355-5098688.html?tag=nl
  • Reply 15 of 23
    shetline Posts: 4,695 member
    Quote:

    Originally posted by Tidris

    This article suggests Apple won't fix it in Jaguar.



    http://news.com.com/2100-7355-5098688.html?tag=nl




    Quote:

    From the above article:

    However, Apple apparently doesn't intend to fix the flaws in previous versions of the software: Apple's Security Updates Web page doesn't list fixes for the flaws in Mac OS X 10.2 and earlier.



    The fact that the updates aren't yet listed on a particular web page is hardly tantamount to Apple saying that they refuse to update 10.2. Talk about going out of your way to find fault and invent problems.



    Besides, despite the fact that people with an axe to grind with Apple are making a lot of noise and fuss over these issues, these security holes are fairly minor, and a person needs to already have legit access to your computer to exploit these flaws.



    Compare these flaws to just one of Microsoft's recent security holes where merely going to a web site could infect your computer with whatever kind of code the web site's creator wanted to send to your computer... there is no comparison.



    Windows people complaining about Apple's security flaws is like having a 400 lb. man, with food stains all over the front of his clothes, catching a trim athlete sneaking a cupcake, then sneering and saying through a mouthful of greasy pepperoni pizza, "You see! You're just as bad as I am! Worse! I never eat cupcakes!"
  • Reply 16 of 23
    tidris Posts: 214 member
    Quote:

    Originally posted by shetline

    The fact that the updates aren't yet listed on a particular web page is hardly tantamount to Apple saying that they refuse to update 10.2. Talk about going out of your way to find fault and invent problems.



    This whole issue could be cleared in an instant by Apple saying they will fix it. Instead they choose to remain silent. What is there to gain by staying silent? If Apple is going to release a Jaguar fix I would think the decision must have been made months ago.
  • Reply 17 of 23
    mcq Posts: 1,543 member
    Quote:

    Originally posted by Tidris

    This whole issue could be cleared in an instant by Apple saying they will fix it. Instead they choose to remain silent. What is there to gain by staying silent? If Apple is going to release a Jaguar fix I would think the decision must have been made months ago.



    And it is cleared.



    http://maccentral.macworld.com/news/.../31/jaguarfix/



    Quote:

    Apple will fix security flaws in Jaguar

    By Jim Dalrymple

    October 31, 2003 12:35 pm ET



    Apple Computer Inc. said in a statement given to MacCentral on Friday that the company would be fixing security flaws uncovered in Mac OS X Jaguar by Cambridge, MA-based security research firm @Stake earlier this week.



    Some have speculated that Apple would not update the older Jaguar operating system since the release of Mac OS X Panther on October 24, 2003, but Apple has put that speculation to rest.



    "Apple's policy is to quickly address significant vulnerabilities in past releases of Mac OS X wherever feasible," Apple said in a statement given to MacCentral. "The shipment of Panther does not change this policy. Apple has an excellent track record of working with CERT and the open source community to proactively identify and correct potential vulnerabilities."



    Panther, Apple's latest operating system, was not affected by the security issues outlined by @Stake -- the flaws only affect Mac OS X 10.2.8 and lower.



    The three advisories are Long argv[] Buffer Overflow; Systemic Insecure File Permissions; and Arbitrary File Overwrite via Core Files. @Stake lists the severity of the advisories as being "high." More information on each of the reported security issues is available in our earlier coverage.



  • Reply 18 of 23
    Happy Halloween everybody!!!!!
  • Reply 19 of 23
    tidris Posts: 214 member
    Quote:

    Originally posted by MCQ

    And it is cleared.



    http://maccentral.macworld.com/news/.../31/jaguarfix/




    Excellent!!!!
  • Reply 20 of 23
    Do you think we could get the Jaguar "prebinding bug" fixed at the same time? Jaguar 10.2.9 anyone?