New privilege escalation exploit discovered in OS X Yosemite, also affects just-released 10.10.5

Comments

  • Reply 61 of 92
    knowitallknowitall Posts: 1,648member
    Quote:

    Originally Posted by NolaMacGuy View Post

    wrong. this is not validating security by obscurity. SBO isn't sound and doesn't make a system secure. OS X is a good OS because of its software, not because it's not yet popular enough.

    there have been few to no viruses (virus, not malware) in the wild on OS X. this is because of how it was built. OS X has more users than ever, and Apple has a huge target on its back -- yet still no viruses. previous Mac OS System versions had actual viruses targeting them in the wild, despite far, far fewer users than OS X.

    again -- the only myth is the concept of security by obscurity.

    Aaaand Apple had viruses before it had Mac OS X.

  • Reply 62 of 92

    Todesco Tweeted:

    Quote:

     'Todesco says that the vulnerability may have been mitigated in OS X El Capitan, due to its new “rootless” security feature' - so inaccurate


  • Reply 63 of 92
    rob53rob53 Posts: 3,010member

    http://www.pcworld.com/article/2971772/security/italian-teen-finds-two-zeroday-vulnerabilities-in-os-x.html

    "Todesco, who said he does security research in his spare time, said he notified Apple of the problems “a few hours before the exploit was published.”"

    There's a lot more info in this posting about the 18 year old Italian who says he found two vulnerabilities, not just one. He also provided a patch for at least one of them so we can stop ragging on him for announcing it without telling Apple first (which he did but not with the normal amount of time).

    ----from Luca via GitHub

    NULLGuard: This prevents binaries lacking __PAGEZERO from running.

    Among other things, it fixes tpwn and renders a ton of bugs unexploitable.

    note: some older binaries (10.4?) could also be affected, but I haven't yet encountered a non-malicious binary lacking PAGEZERO.

    @Mojo66 Are you ready to compile Luca's NULLGuard and see if it actually disables the original vulnerability?
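The NULLGuard one-liner quoted above ("prevents binaries lacking __PAGEZERO from running") comes down to a single Mach-O load-command check. The Python below is an added example, not Luca's NULLGuard code: it parses a constructed little-endian 64-bit Mach-O image and reports whether a __PAGEZERO segment guards address 0. Treating a zero-sized __PAGEZERO as absent, the fixture builder, and the sample images are my assumptions.

```python
import struct

# Mach-O constants (from <mach-o/loader.h>); little-endian 64-bit images only.
MH_MAGIC_64 = 0xFEEDFACF
LC_SEGMENT_64 = 0x19
HEADER_FMT = "<IiiIIIII"    # magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags, reserved
SEG_FMT = "<II16sQQQQiiII"  # cmd, cmdsize, segname, vmaddr, vmsize, fileoff, filesize, maxprot, initprot, nsects, flags

def segments(data: bytes):
    """Yield (segname, vmaddr, vmsize) for each LC_SEGMENT_64 load command."""
    magic, _, _, _, ncmds, _, _, _ = struct.unpack_from(HEADER_FMT, data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a little-endian 64-bit Mach-O (fat/32-bit images not handled)")
    off = struct.calcsize(HEADER_FMT)
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8 or off + cmdsize > len(data):
            raise ValueError("malformed load command at offset %d" % off)
        if cmd == LC_SEGMENT_64 and cmdsize >= struct.calcsize(SEG_FMT):
            f = struct.unpack_from(SEG_FMT, data, off)
            yield f[2].rstrip(b"\0").decode("ascii", "replace"), f[3], f[4]
        off += cmdsize

def has_pagezero(data: bytes) -> bool:
    """NULLGuard-style check: does a __PAGEZERO segment actually cover address 0?
    Assumption (stricter than the quoted description): a zero-sized __PAGEZERO
    counts as absent, because it would leave the null page mappable."""
    return any(n == "__PAGEZERO" and a == 0 and s > 0 for n, a, s in segments(data))

def _segment(name: bytes, vmaddr: int, vmsize: int) -> bytes:
    """Pack a minimal LC_SEGMENT_64 with no sections (fixture helper, constructed)."""
    return struct.pack(SEG_FMT, LC_SEGMENT_64, struct.calcsize(SEG_FMT),
                       name.ljust(16, b"\0"), vmaddr, vmsize, 0, 0, 0, 0, 0, 0)

def build_macho(segs) -> bytes:
    """Constructed image, not a real binary: x86_64 MH_EXECUTE header + segment commands only."""
    body = b"".join(_segment(*s) for s in segs)
    hdr = struct.pack(HEADER_FMT, MH_MAGIC_64, 0x01000007, 3, 2, len(segs), len(body), 0, 0)
    return hdr + body

# Constructed samples: the usual executable layout, and one with no null-page guard.
NORMAL = build_macho([(b"__PAGEZERO", 0, 0x100000000), (b"__TEXT", 0x100000000, 0x1000)])
SUSPECT = build_macho([(b"__TEXT", 0x1000, 0x1000)])

if __name__ == "__main__":
    for label, image in (("normal", NORMAL), ("suspect", SUSPECT)):
        print(label, "allow" if has_pagezero(image) else "deny: no __PAGEZERO")
```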

  • Reply 64 of 92
    auxioauxio Posts: 2,500member
    Quote:

    Originally Posted by rob53 View Post

    There's a lot more info in this posting about the 18 year old Italian who says he found two vulnerabilities, not just one. He also provided a patch for at least one of them so we can stop ragging on him for announcing it without telling Apple first (which he did but not with the normal amount of time).

    Exactly what I figured -- it's a young developer who is just learning the right way to go about things.  But I'm sure no one here has ever made a mistake while growing up and learning the conventions of the world. /s

  • Reply 65 of 92
    nolamacguynolamacguy Posts: 4,758member
    Of course it does.  The comment does nothing to prevent or identify trolls, as you suggest it does.

    That is, you say, "and yes, identifying this nutso behavior does help to mitigate it, because the trolls are identified as trolls, negating their concern-troll smokescreen narratives."  I totally agree with that!  Pointing out a troll comment *after the fact* for someone who might not recognize it otherwise is what you're talking about, but the comment in question doesn't identify anything.  Rather, it just says that trolls are coming.

    I disagree, obviously. trolls are less likely to put on their "I'm very concerned" concern-troll masks when that narrative has already been described in posts preceding theirs. further, I don't believe doing so changes the tone (whatever that means). in fact the only people it could bother are trolls or contrarians, really.
  • Reply 66 of 92

    I am not sure that this kid did the right thing, but he did post a simple bit of code that allows this to be fixed.  I was wondering if anyone would be willing to post a "how to" for patching your own machine.  I am less leery of adding this bit of code than putting a whole new beta version of OS X on my iMac.  He also pointed out that the code will help with other exploits.  You should take the good with the bad. He posted the exploit too soon, but the vulnerability looks pretty easy to fix and he posted a fix as well.  The only reason he has not posted an easier fix that does not require command line is he lacks an Apple developer certificate.

  • Reply 67 of 92
    mstonemstone Posts: 11,510member
    Quote:

    Originally Posted by deb2319 View Post

    So the danger is not that someone outside can get into your machine: the danger is that anyone who has physical access to your machine can take it over.

    Isn't that always the case?

    Quote:

    Originally Posted by Mr Squid View Post

    No, this exploit does not require physical access to the computer.

    Don't you have a firewall? I don't know about you but I don't allow FTP or SSH to my machines from outside of my network.

  • Reply 68 of 92

    I found a bit of code from another Mac developer that added on Todesco's idea to his code.  I did get it to run on my computer and it hung on the restart.  Seems to be working now, so either I am safer or I am worse off because my computer may become unstable.  So far it looks good.  I naively did the install because of how short Todesco's code appeared to be.  Here is the link to the developer that added Todesco's hack to his compiled code:  http://suidguard.com/stories/index.html

    The developer is Stefan Esser.  If anyone has information about him I would appreciate knowing about him.  I "assume" I can roll back Time Machine and get to my system file before the changes were made.

    Anyway it seems to be working so far with no bad side effects.

  • Reply 69 of 92
    knowitallknowitall Posts: 1,648member
    Apple needs to stop this NOW!

    The Italian developer needs to get a call from the lawyers at Apple and let him know that he might be getting a bill from anyone who will be affected by his public disclosure of the bug.

    There are consequences to every action. Publishing something publicly and putting people at risk is a criminal act - just ask Edward Snowden.

    I missed the /s flag.
    Don't blame the messenger, blame Apple for not fixing this preemptively.
  • Reply 70 of 92
    Quote:

    Originally Posted by mstone View Post

    Isn't that always the case?

    Don't you have a firewall? I don't know about you but I don't allow FTP or SSH to my machines from outside of my network.

    I can't remember: What's the standard system's setting when you unbox and setup your mac regarding the firewall?

  • Reply 71 of 92
    foggyhillfoggyhill Posts: 4,767member
    No excu
    rob53 wrote: »
    http://www.pcworld.com/article/2971772/security/italian-teen-finds-two-zeroday-vulnerabilities-in-os-x.html

    "Todesco, who said he does security research in his spare time, said he notified Apple of the problems “a few hours before the exploit was published.”"

    There's a lot more info in this posting about the 18 year old Italian who says he found two vulnerabilities, not just one. He also provided a patch for at least one of them so we can stop ragging on him for announcing it without telling Apple first (which he did but not with the normal amount of time).

    ----from Luca via GitHub

    NULLGuard: This prevents binaries lacking __PAGEZERO from running.

    Among other things, it fixes tpwn and renders a ton of bugs unexploitable.

    note: some older binaries (10.4?) could also be affected, but I haven't yet encountered a non-malicious binary lacking PAGEZERO.

    @Mojo66 Are you ready to compile Luca's NULLGuard and see if it actually disables the original vulnerability?

    Right... So he's good enough to find security bugs at 18 but moronic enough to not know about security orgs and protocols that existed since he was pissing his pants. He's a cretin. This is not a small boo boo, but a major f- up.
  • Reply 72 of 92
    Quote:

    Originally Posted by Macnewsjunkie View Post

    The developer is Stefan Esser.  If anyone has information about him I would appreciate knowing about him.

    http://www.hardened-php.net/stefan_esser.24.html

    Here he writes about the DYLD_PRINT_TO_FILE Local Privilege Escalation Vulnerability:

    https://www.sektioneins.de/en/blog/15-07-07-dyld_print_to_file_lpe.html

    In the article from the 07.07. he says "At the moment it is unclear if Apple knows about this security problem or not, because while it is already fixed in the first betas of OS X 10.11, it is left unpatched in the current release of OS X 10.10.4 or in the current beta of OS X 10.10.5." From this I take it that he did not inform Apple prior to publishing this.

  • Reply 73 of 92
    mstonemstone Posts: 11,510member
    Quote:

    Originally Posted by WonkoTheSane View Post

    I can't remember: What's the standard system's setting when you unbox and setup your mac regarding the firewall?

    Off.

    I use SonicWall and I am on static IP with ethernet, although if you use just about any WiFi router, they are by default, pretty secure.

  • Reply 74 of 92
    foggyhillfoggyhill Posts: 4,767member
    Quote:

    I am not sure that this kid did the right thing, but he did post a simple bit of code that allows this to be fixed.  I was wondering if anyone would be willing to post a "how to" for patching your own machine.  I am less leery of adding this bit of code than putting a whole new beta version of OS X on my iMac.  He also pointed out that the code will help with other exploits.  You should take the good with the bad. He posted the exploit too soon, but the vulnerability looks pretty easy to fix and he posted a fix as well.  The only reason he has not posted an easier fix that does not require command line is he lacks an Apple developer certificate.

    I'm sure fracking grandma will appreciate applying an untested patch... Or do you think he actually bought the dozens of machines required to do the patch. He must be an idiot savant for sure.
  • Reply 75 of 92

    There is a correct way of doing things. There is a procedure for notifying Apple about security issues.

    Both have been ignored and the guy publicly posted a 'how to' to the world.

    If you feel that it's your 'right' to publicly post security breaches then it should also be the 'right' of people affected by his publication to be compensated.

  • Reply 76 of 92
    mariomario Posts: 348member

    Mavericks is vulnerable too.

  • Reply 77 of 92
    plovellplovell Posts: 819member
    Quote:

    Originally Posted by SolipsismY View Post

    Quote:

    Originally Posted by rob53 View Post

    All I'm reading is that the exploit would allow something.

    If you have access to root don't you then have access to all everything?

    Not with El Capitan, but it is correct for Yosemite.

  • Reply 78 of 92
    solipsismysolipsismy Posts: 5,099member
    plovell wrote: »
    Not with El Capitan, but it is correct for Yosemite.

    Interesting and thanks. I'm not quite certain how rootless works yet but I hope to get a good understanding over the coming months.
  • Reply 79 of 92

    No he did not test the code on multiple boxes, but the code itself is very simple.  On a well written operating system like OS X it should not be a problem.  It may be a problem, but I have not seen any on my iMac (21.5-inch, Mid 2010).  I am not using this for secure operations like credit card processing.  It is my email and web browsing box at work.  I did not apply his code because it was not compiled.  I used the other link I listed above.  The code hung just after finishing installing.  I restarted the machine and it seems to be working fine.  My next question is how can I test if it worked without attempting to execute malware code?

    His suggested fix sounded really simple and easy to do.  I am not sure why Apple has not done this.  There must be some reason somewhere or simple corporate paranoia.  Either way it will soon be fixed with the newest OS update next month.  I don't search the dark parts of the web or install anything non commercial on my machine, except for this one patch.  So we shall see how it all turns out.

  • Reply 80 of 92
    mstonemstone Posts: 11,510member
    Quote:

    Originally Posted by SolipsismY View Post

    Interesting and thanks. I'm not quite certain how rootless works yet but I hope to get a good understanding over the coming months.

    Since most Macs are single user machines, the end user password is actually the root password in many cases. Because of this, Apple has placed restrictions on what that user can do. Only Apple signed code can do certain things like write files inside /System and some other directories. Third party code is also restricted. People type in their password all the time without giving a second thought to the fact that an application is requesting permission to do something and by typing in your password you are essentially giving that third party app root privileges.
