Old unpatched OS X security flaw can give attackers root access to Macs

24

Comments

  • Reply 21 of 70
    muppetrymuppetry Posts: 3,331member

    Quote:

    Originally Posted by Durandal1707 View Post



    This is a different class of attack than that. The attacker doesn't need physical access to your Mac. In fact, the attacker doesn't have to be personally attacking your machine at all. You could simply download a game, or some other innocuous looking app, and that app could change the Mac's system date, and ***WHAM*** you're rooted.


     


    I don't think an application can gain root privilege if it was not launched as root, in which case this would not work.

  • Reply 22 of 70
    vl-tonevl-tone Posts: 337member

    Quote:

    Originally Posted by muppetry View Post


     


    I don't think an application can gain root privilege if it was not launched as root, in which case this would not work.



    I guess that's why they're talking about "attackers" and not "maliciously crafted applications".

  • Reply 23 of 70


    um really. this is a "trolling for ad clicks" FUD-laced article maybe? Because, first of all, referring to this as a "security flaw" is kind of a misnomer. It sort of COULD be a security window, but only IF you are already an administrator, and only IF you've used 'sudo' on the machine before (giving yourself root access), and only IF you have physical or remote access to…. wait, I get it, so these "vulnerable" machines are mostly at risk of their OWNERS "hacking in" and potentially doing malicious stuff to themselves at the root level. *GASP* I see now….. ooh, yeah. That's a scary-bad security flaw there!!


     


     


    Really, it's kind of like saying, "Since I'm an administrator AND I can set myself to be root user, what we have here is… a Security Flaw!!!!"  


     


    Silliness.


     


     


    Oh and then this, "Macs are especially vulnerable to the bug as OS X does not require a password to change these clock settings." (FUD Alert!)


     


    You really need to add the words "by default" in there, like, "…by default, OS X does not require a password to change these clock settings."


     


    But, as evidenced in the Date & Time image you used for illustration, there's a LOCK at the bottom of the pane that says, "Click the lock to prevent further changes."


     


    How about...   *click* …  So much for "Macs being especially vulnerable…"


     


     


    It's a bit like the Safari "security flaw", where Safari ships with the setting "open 'safe' files after downloading" set to ON by default.


     


    Another one: *click* solved.


     


     


    So here's your new article which I have rewritten liberally:


    There is a very remote possibility that a minor "flaw" in the way Unix operates could open your computer to "attack" in extreme and very narrow circumstances. To remove any danger of this, password protect your Date & Time settings by clicking the lock to its closed position after making any changes.


     


    (… insert a paragraph of historical backstory here…)


     


    Done!


     


    Awfully short article, but I think it's far more honest….

  • Reply 24 of 70
    vl-tonevl-tone Posts: 337member

    Quote:

    Originally Posted by tribalogical View Post


    um really. this is a "trolling for ad clicks" FUD-laced article maybe? Because, first of all, referring to this as a "security flaw" is kind of a misnomer. It sort of COULD be a security window, but only IF you are already an administrator, and only IF you've used 'sudo' on the machine before (giving yourself root access), and only IF you have physical or remote access to…. wait, I get it, so these "vulnerable" machines are mostly at risk of their OWNERS "hacking in" and potentially doing malicious stuff to themselves at the root level. *GASP* I see now….. ooh, yeah. That's a scary-bad security flaw there!!


     


     


    Really, it's kind of like saying, "Since I'm an administrator AND I can set myself to be root user, what we have here is… a Security Flaw!!!!"  


     


    Silliness.


     


     


    Oh and then this, "Macs are especially vulnerable to the bug as OS X does not require a password to change these clock settings." (FUD Alert!)


     


    You really need to add the words "by default" in there, like, "…by default, OS X does not require a password to change these clock settings."


     


    But, as evidenced in the Date & Time image you used for illustration, there's a LOCK at the bottom of the pane that says, "Click the lock to prevent further changes."


     


    How about...   *click* …  So much for "Macs being especially vulnerable…"


     


     


    It's a bit like the Safari "security flaw", where Safari ships with the setting "open 'safe' files after downloading" set to ON by default.


     


    Another one: *click* solved.


     


     


    So here's your new article which I have rewritten liberally:


    There is a very remote possibility that a minor "flaw" in the way Unix operates could open your computer to "attack" in extreme and very narrow circumstances. To remove any danger of this, password protect your Date & Time settings by clicking the lock to its closed position after making any changes.


     


    (… insert a paragraph of historical backstory here…)


     


    Done!


     


    Awfully short article, but I think it's far more honest….



     


    Yeah it's pretty sad to see that this was parroted by a few Apple news sites without any mention of this obvious fix.

  • Reply 25 of 70
    muppetrymuppetry Posts: 3,331member
    vl-tone wrote: »
    muppetry wrote: »
    I don't think an application can gain root privilege if it was not launched as root, in which case this would not work.
    I guess that's why they're talking about "attackers" and not "maliciously crafted applications".

    Right - hence my response to Durandal1707, who raised the issue of applications rather than local attackers.
  • Reply 26 of 70
    hftshfts Posts: 386member
    Apple is beginning to sour for me.
    The keyboards on the iDevices are simply terrible. Auto correcting when none is needed, and now lag.
    Not getting the Apple TV update that was announced a couple of days ago (Australia).
    Surely with their pile of cash they can fix these problems.
    iOS 7 looks far too android for me from what I have seen, I hope they change it.
  • Reply 27 of 70
    muppetry wrote: »
    I don't think an application can gain root privilege if it was not launched as root, in which case this would not work.
    An app isn't *supposed* to be able to gain root privilege if it's not launched as root, but the whole point of this vulnerability is that it bypasses that particular restriction. All a malicious app has to do is to run a few command lines:

    1. Change the clock date using the systemsetup command-line tool

    2. Relaunch itself, or launch some shell script, or do anything it wants really, as root using sudo

    3. There is no step three.
  • Reply 28 of 70
    sockrolidsockrolid Posts: 2,789member


    Originally Posted by AppleInsider View Post



    ... the person attempting to gain unauthorized privileges must also have physical or remote access to the target computer.


     


    Trivial workaround:


     


    1. System Preferences -> Security & Privacy -> Require password <interval> after sleep or screen saver begins.


     


    2. System Preferences -> Sharing -> un-check Remote Login.


     


    3. There is no step three.

  • Reply 29 of 70
    sockrolidsockrolid Posts: 2,789member


    Originally Posted by hfts View Post



    Apple is beginning to sour for me. ...


     


    Classic "concern troll."  Nice job.

  • Reply 30 of 70
    tallest skiltallest skil Posts: 43,399member

    Originally Posted by hfts View Post


    Apple is beginning to sour for me.


     


    Good for you; stop lying.

  • Reply 31 of 70
    murmanmurman Posts: 159member
    Not exactly easy to hack, if someone gets admin access the first time, just drop a payload via USB drive or something and get a rootkit going already there and then, why bother with this hack.
  • Reply 32 of 70
    robogoborobogobo Posts: 378member
    Caution, if someone has admin access, they can break in and get admin access!
  • Reply 33 of 70
    Hardly a stop-the-presses security flaw, but Apple should be more proactive addressing all security issues if it wants to avoid the kind of snarky comments this guy makes.
  • Reply 34 of 70
    hftshfts Posts: 386member
    sockrolid wrote: »
    Classic "concern troll."  Nice job.
    Not a troll thank you, how about stopping the left side of your brain from reflexing and think for a change.
    These are legitimate concerns and I can list many more. To simply bury your head in the sand is the wrong thing to do. Apple could licence the Blackberry virtual keyboard (at least try to). So you see mr. Smarty pants, I have mentioned a possible solution, what have you done? Simply wasted cyber bits on your personal attack.
  • Reply 35 of 70
    hftshfts Posts: 386member
    Good for you; stop lying.
    **** me, you again. Can you get lost.
  • Reply 36 of 70
    Interesting, but also does not explain enough. This is just saying, if you get root access to OS X you can do anything you want? That's kind of the idea with sudo. Place a line in the sudoers file for whoever you are logged in as when you want to use the sudo command.
  • Reply 37 of 70

    Quote:

    Originally Posted by robogobo View Post



    Caution, if someone has admin access, they can break in and get admin access!


    Admin and root are not the same. OS X, like Linux Ubuntu, doesn't expose to the users a permanent root account for security reasons. This is why they have a 'sudo' command when you want to invoke temporary root privileges for lesser users such as an admin.


     


    I agree with other users that this hack is a tall order but Apple must patch any and all security bugs ASAP. Never underestimate the enemy.

  • Reply 38 of 70
    lightknightlightknight Posts: 2,312member

    Quote:

    Originally Posted by drblank View Post


    It's so they can get attention, since anyone that posts an article with the word APPLE in it, is going to be hit with lots of views.  



    You're talking of HD Moore here. He doesn't need attention, he's already a security rock star. It's like saying Apple needs to ask Samsung for design cues.


    If the guys from Metasploit, who are quite obviously WAY better than anyone on these forums, think there is an issue, I believe them.


    How critical it actually is, is for Apple to decide. Instead of personal attacks on the probity of the hackers, it could have been said that the security mindset may make people put more emphasis on security fixes than is reasonable for a company to devote time to, which is an industrial decision (and a human analysis line of thought).


    Why is it that people here, instead of just taking the fact there seems to be an exploitable flaw, that will get solved when Apple decides it is necessary, attack the security specialist? He did not create the flaw, and it is his business to find these flaws. Security-critical businesses would much rather know about a flaw they can't fix and adapt their business flows than discover years afterwards that important information has been flowing to, say, China... or another US company, anywhere it shouldn't be flowing to, because they relied on the supplier telling them "the system is secure".


     


    Note that Metasploit contains many more Windows exploits than Mac exploits... and has for years already. Just check it for yourself :


    Metasploit.

  • Reply 39 of 70
    jragostajragosta Posts: 10,473member
    nano_tube wrote: »
    Admin and root are not the same. OS X, like Linux Ubuntu, doesn't expose to the users a permanent root account for security reasons. This is why they have a 'sudo' command when you want to invoke temporary root privileges for lesser users such as an admin.

    I agree with other users that this hack is a tall order but Apple must patch any and all security bugs ASAP. Never underestimate the enemy.

    If you have admin access, you have a password that you can use to SUDO, anyway. Very, very, very few people actually have multiple passwords and accounts on their machines. Every single person I know (with one exception) operates with a single password - and all their files are accessible at any time.
  • Reply 40 of 70
    lightknightlightknight Posts: 2,312member

    Quote:

    Originally Posted by jragosta View Post





    If you have admin access, you have a password that you can use to SUDO, anyway. Very, very, very few people actually have multiple passwords and accounts on their machines. Every single person I know (with one exception) operates with a single password - and all their files are accessible at any time.


    Companies operate under different rules than individuals, and they're more likely to be targeted by evildoers to steal business information or plain money(not that botnets or other types of wrongdoing would pass on non-business, not my point ;) )

Sign In or Register to comment.