Originally Posted by rob53
What interests me more is the comment about rootless in 10.11. "Rootless is designed to restrict third-party applications from modifying certain parts of the system -- even if they are running as root -- in a manner similar to the more aggressive sandboxing in iOS." I see this as affecting every single system utility application, many of which aren't available on the App Store because they need to act as root to do their job.
I'm running El Capitan Public Beta with rootless enabled and I can run the system utilities I used in Yosemite (caffeine, Paste, Macs Fan Control, BetterTouchTool and even homebrew). Utilities that modify system apps (like TotalFinder) don't work because they inject code in one of the protected system folders — not every system folder is protected though, like /usr/local, and Apple will move third-party folders currently residing in protected system folders to /usr/local. Also, Apple-signed apps are special and can modify system folders. Besides, you can turn rootless off. For more information, read this thread.
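Added example, not code from the thread or from Apple: a small Python check for which directories SIP ("rootless") actually covers on a 10.11 machine, which is the question the post above answers by trial. On 10.11, SIP-protected entries carry the `restricted` BSD file flag that `ls -lO` prints in its flags column, and `csrutil status` reports whether SIP is enabled at all. The listing embedded below is constructed to resemble `ls -ldO /System /usr /usr/local /Applications /Library` output on a 10.11 beta and was not captured from a real machine; the path list in the live check is an assumed selection, and that check only runs on a Mac.

```python
"""Check which paths SIP protects: parse `ls -lO` flags for 'restricted'."""
import platform
import subprocess

# Constructed sample, shaped like `ls -ldO` output on OS X 10.11 (not real data).
# Columns: mode links owner group flags size month day time name; '-' = no flags.
SAMPLE_LS_O = """\
drwxr-xr-x@  4 root  wheel  restricted        136 Jul 10 02:17 /System
drwxr-xr-x@ 11 root  wheel  restricted        374 Jul 10 02:17 /usr
drwxr-xr-x   9 root  wheel  -                 306 Jul 11 09:03 /usr/local
drwxrwxr-x+ 40 root  admin  -                1360 Jul 11 09:03 /Applications
drwxr-xr-x+ 63 root  wheel  -                2142 Jul 10 02:17 /Library
"""


def parse_ls_flags(listing):
    """Map each path in `ls -lO` output to the set of BSD file flags it carries.

    Multiple flags are comma-separated (e.g. 'restricted,hidden'); a lone '-'
    means none are set. Lines that do not have the ten expected columns
    (e.g. a 'total N' header) are skipped.
    """
    flags_by_path = {}
    for line in listing.splitlines():
        parts = line.split(None, 9)          # name is last; may contain spaces
        if len(parts) < 10:
            continue
        flags, name = parts[4], parts[9]
        flags_by_path[name] = set() if flags == "-" else set(flags.split(","))
    return flags_by_path


def sip_protected(listing):
    """Paths carrying the 'restricted' flag: root cannot modify these while SIP is on."""
    return sorted(path for path, flags in parse_ls_flags(listing).items()
                  if "restricted" in flags)


def live_sip_status(paths=("/System", "/usr", "/usr/local", "/Applications", "/Library")):
    """On a real Mac, report `csrutil status` and the restricted paths among `paths`.

    Returns None on other platforms so the parser can still be exercised on the
    constructed sample. The path list is an assumed selection, not Apple's full list.
    """
    if platform.system() != "Darwin":
        return None
    status = subprocess.run(["csrutil", "status"], capture_output=True,
                            text=True).stdout.strip()
    listing = subprocess.run(["ls", "-ldO", *paths], capture_output=True,
                             text=True).stdout
    return status, sip_protected(listing)


if __name__ == "__main__":
    print("restricted in sample listing:", sip_protected(SAMPLE_LS_O))
    live = live_sip_status()
    if live is not None:
        print(live[0])
        print("restricted on this machine:", live[1])
```

Run it on the Mac in question; a third-party install location that shows up without `restricted` (as /usr/local does in the sample) is one that a root-level tool can still write to, whatever `csrutil status` says about SIP being enabled.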
Is your comment some kind of defensive shield magic? For who? Help me understand why your kind of comment is posted. It says that criticism of Apple in any form should be considered enemy fire.
Maybe he is afraid that someone like me posts a comment that "Apple is clearly dropping the ball on this by apparently not having a dedicated team on security and should step up its efforts by assigning a group of hackers to test the (new) software they release"
Thanks for testing it. Did you have to be root/admin in order to compile it or was it able to escalate your non-admin privileges to root?
Now what can you do with it? How do you get someone to install or compile it on their Mac and run it? (from article "who relies on a combination of attacks"). Any idea what this combination would be? Even though I didn't complete my original sentence, I know what root access gives you but I'd still like to understand how delivery of this package would grant someone root access on someone else's Mac. I'd guess 99% of Mac users set themselves up with admin privileges (instead of creating an admin user then non-admin users for everyday use--Apple needs to fix their setup procedure to get people to not use the first account (admin) for everything) anyway so getting onto their Macs gives them just about everything without needing root privileges.
I'm with digitalclips on this one. Not notifying the software author first, and giving them some time to release a patch before public disclosure, is pure asshattery, in my opinion.
My guess is that since it was going to be patched in El Capitan, he is going for his 15 minutes now. If Apple ignored his find that's one thing, but not even giving them the time to fix it or making them aware of the exploit seems like he is trying to get attention.
First class prat for not reporting this first to Apple, it's only common sense to give the vendor time to produce a fix before going public with a vulnerability - it's not as though you don't still get the glory for finding the problem in the first place.
It's a bit of an exaggeration to call it a 'zero day exploit' though; it has yet (as far as we know) to be exploited. A proof of principle app from a (supposedly) responsible researcher is not an exploit.
Good advice from rob53 too: don't do your usual work in an Admin account, save that for system maintenance that needs Admin privilege.
No, this exploit does not require physical access to the computer. All it requires is for a user to run a script (which may be hidden within an application) that contains the exploit. If the bad guy tricks me into running his script then my machine is compromised.
Originally Posted by rob53
Thanks for testing it. Did you have to be root/admin in order to compile it or was it able to escalate your non-admin privileges to root?
Now what can you do with it? How do you get someone to install or compile it on their Mac and run it? (from article "who relies on a combination of attacks"). Any idea what this combination would be? Even though I didn't complete my original sentence, I know what root access gives you but I'd still like to understand how delivery of this package would grant someone root access on someone else's Mac. I'd guess 99% of Mac users set themselves up with admin privileges (instead of creating an admin user then non-admin users for everyday use--Apple needs to fix their setup procedure to get people to not use the first account (admin) for everything) anyway so getting onto their Macs gives them just about everything without needing root privileges.
No elevated privileges were required to compile.
Exploit scenarios are, for example, malware which seeks to take over full control of the machine in order to scan corporate networks or implant itself into the UEFI.
Whether the infected account is set up as an admin account or not doesn't matter for this kind of exploit. Unlike Windows, a user account created by the system preferences on a Mac is always non-root. The setting "allow user to administer this computer" just adds the account to /etc/sudoers. To gain root privileges, you still have to enter a password.
If you tell the public first, aren't you telling the company/author at the same time?
I can't see why it's a bad thing to tell everyone as soon as possible,
unless you think it would spoil the tea and crumpets, gentleman's handshake atmosphere
we all expect in tech...
You'd also be telling the black hats. Common sense would dictate it is essential to notify the software developer first, be that Google, Microsoft or Apple etc.
If you tell the public first, aren't you telling the company/author at the same time?
I can't see why it's a bad thing to tell everyone as soon as possible,
unless you think it would spoil the tea and crumpets, gentleman's handshake atmosphere
we all expect in tech...
I didn't see a /s anywhere here so I'm going to assume this ridiculous comment is genuine?
You don't see why it's a bad thing to tell the hacking community about an exploit - and how to use it - before notifying the company that can close the exploit? Are you serious??? It should be obvious to anyone smart enough to turn on a computer what the difference is and why it's a bad thing.
When someone discovers an exploit, the normal, responsible thing to do is to notify the author (in this case Apple) that you've discovered an exploit - and explain to them that you will be going public with your discovery in 2 weeks? 1 month? 60 days? This puts pressure on the company to do something to mitigate the exploit - so that when it's announced, Apple can also announce that they have already created a patch for the problem and everybody is safe and protected. By not giving the author time to analyze the exploit, create a fix or workaround, test the fix and prepare it for distribution - you are giving hackers the ability to use the exploit to compromise, gain access to, or perform many other nefarious actions on a very large number of computers!
But that's no big deal to you, right? You don't own a Mac or you personally are able to protect your system - so who gives a shit about the millions of normal users out there? Do they deserve to get hacked because they're not as smart as you? If so - that would make you as big an a-hole as Todesco!
Todesco should be arrested and charged for doing something so irresponsible. I think people who discover an exploit should be required to notify the author/owner of the software at least 30 days before releasing the details of the vulnerability anywhere else - with possible exceptions for endpoint security companies (they could be notified anytime within the 30-day window). Someone like Todesco, who chooses NOT to do that should be held liable (and prosecuted) for anyone that gets hacked using the exploit anytime during those first 30 days.
Is your comment some kind of defensive shield magic? For who? Help me understand why your kind of comment is posted. It says that criticism of Apple in any form should be considered enemy fire.
No it doesn't. It says contrarians take the opposite position for the sole purpose of trolling, regardless of how indefensible or illogical that position may be. I see it in the forums all the time as stubborn intransigence, even after being soundly bested in debate.
You'd also be telling the black hats. Common sense would dictate it is essential to notify the software developer first, be that Google, Microsoft or Apple etc..
Sadly, common sense isn't all that common.
Originally Posted by digitalclips
Sadly, common sense isn't all that common.
To me, the common sense assumption might seem to be that black hats will be figuring it out and/or
hearing about it fairly quickly, anyway...it's what they do, after all...but maybe they're preoccupied instead.
Don’t worry about it. Just keep using common sense when downloading software. Download only from trusted sources and companies like the App Store. Don’t click on anything that promises magical things. If it sounds too good to be true it IS. Like all the other chicken little reports about these things they rarely actually materialize to become a major problem.
Above all don’t listen to the paranoid crowd’s predictions of the Apocalypse. They show up here every time one of these reports gets out, wringing their hands and running around with their hair on fire. Truth is hackers these days are in it for the money. They like attacking corporations where the ROI is highest. Individuals' machines not so much because the data is of limited value. It’s not like the old days where hackers did their thing for the glory of their reputations. Today hacking is a business model.
Wow! There are far too many generalizations in this e-mail. Educating yourself about how the exploit works can help you avoid it and protect yourself until a patch is actually released. Telling people to not worry about it and just use common sense is irresponsible. It's good advice in general - but it doesn't mitigate every possible attack vector and is a lot to remember for the vast majority of users who use their devices as a tool or appliance and don't know (or care to know) about the inner workings as much as those of us that work and play in the IT world do.
You say "don't worry about it" and that "these things rarely materialize into a major problem". Well "rarely" does not mean "never" and if someone is concerned enough to ask how to protect themselves, they deserve an answer instead of some patronizing words. If you don't know the answer, then let someone that does handle the reply instead of providing false information to set their minds artificially at ease!
"The truth is hackers these days are in it for the money" is an even more ridiculous statement! *Most* probably are! But definitely NOT all of them! That kind of statement reminds me of a friend that has a friend in law enforcement - and he went around telling anybody that would listen that the cops are doing a blitz on people that fail to stop at stop signs this month. He took that to mean that the cops would ignore all other offenses and got speeding tickets for himself and for 2 of his friends that were dumb (or trusting) enough to believe him! Your advice that hackers are only in it for the money these days is advice of a similar type. I'm sure there are many out there who are doing it to prove themselves, for glory, for a cause they believe in - or maybe they're just "out to get" a specific individual...
My advice is to find out how this exploit works - and until a fix is released by Apple - take extra precautions to avoid becoming a victim.
Most of us will probably not be targeted individually - but if you for some reason did get targeted - what would the hacker have access to that would concern you? If it's a big enough concern for you - consider taking that information "offline" temporarily until this exploit is patched - or add an extra level of encryption to it... And if you do end up getting hacked - and lose something important because of it - consider filing a lawsuit against Todesco for his gross negligence in releasing the how-to for this exploit to the hacking community!
To me, the common sense assumption might seem to be that black hats will be figuring it out and/or
hearing about it fairly quickly, anyway...it's what they do, after all...but maybe they're preoccupied instead.
They might, but they probably wouldn't have in the time it would take Apple to release a fix.
On the other hand, thanks to this jackass they now know exactly how it works and have some time to put it to use before Apple can roll out a fix.
I've compiled the source code and can confirm that it leads to a root shell from a non-privileged account:
He doesn't need a developer account to be able to do this.
Maybe not but the topic states that he is a developer.
From what I read if you upgrade to El Capitan beta you would be.