Why the new exploit isn't a huge deal


Stepwise ran a story yesterday that revealed that if you're using OS X, users sitting at the machine could gain root access to certain applications without being root. Of course, some people are really overstating the problem; Apple will be getting bad press about this (if they haven't already), and some see that this isn't a huge deal. This is because:

a) Even before this news came out, if you were sitting at the machine you could get root access to everything anyway. Just reboot from CD and reset the root password. Voila! BTW, all *nix variants have this *feature*.

b) Previous versions of Mac OS had NO WAY of preventing users from administering your machine. We've lived with it for years, people; suddenly it's the worst security risk? I don't think so.

c) This is a desktop-access exploit only; it can't be exploited through remote server access.

I'm not saying this should never be fixed, but it isn't the big security exploit that people are making it out to be. The full Stepwise story is here:
I agree... this isn't a major problem, since, as you said, it can only be exploited while at the computer itself.

So no one should get too worried about this problem.
I never pay too much attention to local exploits: if the person is AT your computer, she or he can physically manipulate the system (disconnect drives, network, fake network), all kinds of nastiness that, honestly, I don't protect myself against because my data isn't that important.

My big problem with this is the silliness of the glitch. I fear it is far too indicative of what beasts may underlie OS X's candy-coated finish: real security problems that aren't immediately apparent and can cause real compromises.

Of course, I have more faith in Darwin, the open source underbelly, since open source development tends to expose more problems and create (hopefully) sturdier code. I'm particularly concerned with parts of the proprietary portions of the OS that are accessible from the command line. I feel these areas would be the most exploitable because they are the least public and therefore likely less scrutinized by people fixing problems. Of course, because they are the least documented portions of the OS, their obscurity also works in our favor by hiding them from the people creating problems.

At least we're not relying on IIS :)
It depends on what you mean by local. The traditional meaning of a local exploit is that it can be effected from a shell on the box (if someone ssh's into your machine using a regular user account). There are lots of well-known local exploits for other operating systems, and they're usually buffer overflow exploits on suid programs.

What you're really talking about is physical access, and yes, all Unix variants allow you to reset the root password if you boot from a CD. Which is why all real systems rely on smart firmware to disable booting from CD, and physical locks on the machines for more security.

I'd say frankly that this is hardly an "exploit"; you don't have to download and compile anything to exploit the problem. This is just a bug. A more serious one than most, admittedly, but it's just a bug.

This is ONE security flaw that is unexploitable unless you are AT the machine itself. I'm sure Apple has extensively tested their new operating system through and through for security flaws that could be exploited remotely -- security has always been one of the Mac's benefits, and Apple surely doesn't want to lose this with OS X.

Think about it... would you rather use Windows and rely on Microsoft to plug up the security holes? They STILL haven't gotten it right with their newest operating system WinXP, from what I've heard.

So sit back and relax... even though it is possible, most of the things that create security flaws in UNIX are turned OFF by default in OS X (web sharing, remote root access, etc.) so that it can't be used unless you turn it on locally first.

Don't worry, the security of the Mac will still be quite good with UNIX, even if it DOES have a command line.

Oh, and if you're worried about local access, use Startup Security, a shareware program that allows you to configure your Mac's firmware to require a password on startup before ANYTHING else loads.

As to Jadey and AdmiralAK... yeah, I love my avatar too. :D I realized when I made my first one that magnification was set to the highest setting, so to make it easier and more legible I made magnification go to half-of-max, and then took the screen shot. I had to add some blank icons right next to the Finder icon, though, otherwise you'd probably see DockRestarter or System Preferences in the avatar as well, and I don't want that. ;)

But the words ARE clearer, aren't they? :p
Well, I admit, I couldn't manage to get a TOTALLY blank icon for the icons next to the Finder, but I went with 1 pixel icons.

If you look closely, you can see that 1 pixel of my avatar to the left of the Finder is a slightly less colored blue -- it's there, albeit not noticeable unless you know it's there... and no, it's not a dust speck -- it clearly moves when I scroll the window.

Hmm... now that I think about it, Apple has been putting some really subtle easter eggs in OS X.... 1st it was the 'bill gates' in the terminal that returns 'OK? Kill gates?' (still there by the way!)... then there was the "what's my skill at chess" joke... enter that exactly into the terminal (without the double quotes of course) and you'll get the response 'Unmatched ' '. ;)

Now there's this 'No Windows' thing! Notice that Windows is capitalized... if Apple was REALLY talking about the Finder windows, it wouldn't have been capitalized.

Apple is really becoming sneaky and devious with their humor... what next, a subtle graphic of the "windows" of the Windows logo being smashed in the iTunes visualizer? :D
I'm sure Apple has extensively tested their new operating system through and through for security flaws that could be exploited remotely -- security has always been one of the Mac's benefits, and Apple surely doesn't want to lose this with OS X.

I'm not sure of this. Apple is fairly new to the Unix variant game and I don't have the kind of faith in their testing that I might in, for instance, OpenBSD. The proprietary portions of OS X have not undergone the scrutiny of the public eye, and OS X hasn't been on the market long enough for me to believe the systems are secure.

I'm trying to not be antagonistic here, I'll admit I was a little put off by your tone. From some of your responses it looks like you barely read my post. I stated specifically that I wasn't concerned about the local hole.

That security has been a benefit of Macintosh has been a byproduct of its relative simplicity. OSX is IMMENSELY complex, by comparison. I worry that security has not been as high on Apple's priority list since it's never been an issue in the past. I just find myself concerned that this could portend further and more serious 'glitches'. I would -love- to be proven wrong- but I fear only time will tell.
Sorry if my tone put you off .dev.lqd. I didn't mean to have it come out that way, but I guess it did. I know you weren't worried about this hole, but you were worried about the fact that this could allude to more security flaws, and that's what I was trying to address.

You are right in the fact that the relative simplicity of the Mac OS compared to OS X makes it that much easier to gain security holes. And again you are right that Apple could have glossed over security because of the security of the MacOS in the past. I put more faith in Apple though, because, as I said, I know they know that security is one of the main things going for the platform, and they surely don't want to go the way of Microsoft and patch their operating system all the time because of security flaws that get uncovered.

However, let's compare OS X and WinXP for a sec here (yeah, I'm going out on a limb). From what I hear, WinXP, which hasn't even been released, already has some serious security flaws uncovered, whereas Apple released their newest operating system last September (albeit in beta form) and only now has a security flaw been discovered, and it isn't so bad after all.

Let's also look at the nature of the bug.. it requires user activation via the Apple menu. This means that it couldn't be activated remotely because it still requires the use of the Recent Items menu. What I'm getting at is that it's a flaw in the GUI, not in the UNIX underneath -- Apple hasn't failed to plug up a hole, they just inadvertently allowed applications root access by using the Recent Items menu (I know this sounds weird and that it has twisted logic, but do you kind of see what I'm saying?). Instead of leaving a gaping hole open that hackers could exploit, there's a small bug in the user interface that allows root access. So I don't think there will be any larger security flaws. But, as you said, only time will tell.

I'm pretty confident that Apple has done a good job looking at security, and it's no problem if you disagree with me. I just think it would be hazardous if Apple did this, and they know that, so they didn't do it.

(I apologize in advance if I have the same tone as my last post, but I'm a real Mac advocate, so it sometimes comes out inadvertently.)
I think the main place this will be an issue is in a lab setting, where with OS X admins can finally make a pretty hack-proof Mac by using the real multiple users in OS X and now the nifty free firmware password utility on the 10.1 CD to prevent booting off of a CD. But in these environments there isn't likely to be anything on the local machine except the same apps on every other machine, which could be easily replaced. Even so, you can't downplay the significance a root exploit could have in certain settings, so if you have a workplace that stores sensitive files on OS X machines you had better start locking your screen.

I think the interesting thing here will be to see if now that there is finally a semi-serious exploit in Apple software if they will release an update very quickly and publicise the fact that everyone needs to download it and make it update automatically via Software Update. I think this can be an opportunity for Apple to show how much more they are committed to security than a certain other OS manufacturer...
I notice many posts about not being able to empty the trash.

My guess is those people who have that problem are big on using the Recent Items in the Apple menu, or possibly the Services menu.

The problem here is:

No password is required if you open one of those admin apps (setuid). And if the next thing you do is open an app with Recent Items, that application will open as owned by root.

Now make a file in a new folder in your home directory...

That folder is owned by root, with read-only for everyone else. Now trash the folder...
if you can...

Personally, people who are sole users of these machines behind closed doors have little to worry about.

Sure, changing the password from the startup disk is a detectable intrusion, since the password cannot be set back.

Not needing any password to get root access is a big problem.

The business users won't adopt this system with a problem like that and MIS guys are weaned on a steady diet of Bill Gates Pap and grow up as mac haters anyway.

Anyway, the problem will be fixed.

With the Terminal you can soon see the user is root, but other applications need a red shadow border if the owner is root.

Again, some of the silly problems that people are having may have been caused by this.

As it turns out I rarely use the Recent items menu and always select/launch from the dock.

I just have not been able to imagine the origin of some of the "problems" that people report...until now.
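As an added example (not code from the original thread, nor anything Apple shipped), here is a small POSIX shell script that checks for the two symptoms the post above describes: GUI applications that are running as root, and files under your home directory that ended up owned by root. The process listing below is constructed for illustration; the intended real input is `ps -axo user,pid,comm`. The function names (`flag_root_apps`, `count_root_apps`, `find_foreign_owned`) and the sample PIDs and paths are my own assumptions.

```shell
#!/bin/sh
# Added example, not from the original thread. Two checks for the symptom
# described above: GUI apps running as root, and root-owned files in $HOME.
# The process sample below is constructed; for real use pipe in
# `ps -axo user,pid,comm`.

# Read `ps -axo user,pid,comm` output on stdin and print "PID COMMAND" for
# every root-owned process whose executable lives inside a .app bundle.
# The command is rebuilt from $3..$NF so bundle names containing spaces
# (e.g. "NetInfo Manager.app") are matched correctly.
flag_root_apps() {
    awk '
        NR == 1 && $1 == "USER" { next }   # skip the ps header line
        $1 == "root" {
            cmd = $3
            for (i = 4; i <= NF; i++) cmd = cmd " " $i
            if (cmd ~ /\.app\//) print $2, cmd
        }
    '
}

# Number of root-owned GUI apps in the listing on stdin (0 is the healthy value).
count_root_apps() {
    flag_root_apps | wc -l | tr -d ' '
}

# List everything under a directory (default: $HOME) not owned by the
# invoking user. A folder created from a root-launched app shows up here,
# which is why it cannot be trashed.
find_foreign_owned() {
    dir=${1:-$HOME}
    find "$dir" ! -user "$(id -un)" 2>/dev/null
}

# Constructed sample of `ps -axo user,pid,comm` on a 10.1-era machine:
# two GUI apps ended up as root; the user's own Finder and Terminal did not.
SAMPLE_PS='USER   PID COMM
root     1 /sbin/init
alice  312 /System/Library/CoreServices/Finder.app/Contents/MacOS/Finder
root   415 /Applications/Utilities/NetInfo Manager.app/Contents/MacOS/NetInfo Manager
root   422 /Applications/TextEdit.app/Contents/MacOS/TextEdit
alice  430 /Applications/Utilities/Terminal.app/Contents/MacOS/Terminal'

echo "GUI apps running as root (constructed sample):"
printf '%s\n' "$SAMPLE_PS" | flag_root_apps

# Stand-alone demo of the ownership check on a scratch directory we own,
# so it is safe and fast to run anywhere; point it at "$HOME" for real.
demo_dir=$(mktemp -d)
: > "$demo_dir/owned-by-me"
echo "Entries under $demo_dir not owned by $(id -un): $(find_foreign_owned "$demo_dir" | wc -l | tr -d ' ')"
rm -rf "$demo_dir"
```

On a machine affected by the bug, `ps -axo user,pid,comm | flag_root_apps` lists the offending applications, and `find_foreign_owned "$HOME"` lists the folders and files that were created while one of them was running; both should be empty once the apps are relaunched normally and the stray files are cleaned up as root.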
I just want to address what I think is an assumed falsehood in regards to open source software development. A few comments here - and hundreds online over the past years have outright said or hinted that open source software is inherently more secure because it is under public scrutiny. This just isn't true. BIND for example had been out for years before it was finally posted on Bugtraq that the version everyone had been using had a very simple security exploit that allowed users to gain root access. The source was there, but that didn't mean anyone was examining it thoroughly. The good thing about open source is that when something is found, there is an army of people available to patch the problem.

I believe OS X is more secure than Windows XP because of this, and also because Microsoft seems to have such a blatant disregard for security issues; I don't understand why anyone would use them in a server or business environment. To me, the PC's strength is as a glorified game console. Once you hook that box up to the net, you're vulnerable. OS X on the other hand comes pretty tight: you have to turn on FTP, SSH, and other baddies, and implementing a firewall is effective and easy to do. However, that does not mean we're not vulnerable simply because the core of the system is Darwin and anybody can take a look-see.
Although primitive, there is a way in which this can be exploited remotely in 10.1 via AppleScript.

Your ssh remote user (those using telnet have only themselves to blame anyway), who has, say, his own folder on your machine "because he's your friend who gave you that nice Painter 7.0 crack last week", logs in via ssh, starts up vi, writes a nice little AppleScript that opens NetInfo, or even better that print thing, which has no GUI, gets the AppleScript to open a Terminal with a shell script attached, e.g. cd / and rm -Rf, and goodbye.

Having said that, I doubt that it will happen, as it's awkward. BUT the seriousness of this lies not in the actual hole itself but in Mac OS X. The old Mac OS was relatively invulnerable to remote exploits (although there was a version of Back Orifice for the Mac) because there was no shell and no concept of the root user. If you got in you could do everything, if you didn't you couldn't; simple. With Mac OS X, you have a Unix system underneath along with the shell and all the tools and things that make Unix Unix. In Mac OS X you also have an added level of abstraction called Quartz which interacts very closely with the system, as well as the NetInfo database. Quartz does add a level of uncertainty into the Mac OS X equation, as does NetInfo, which has been criticised by some BSD veterans as being too akin to the Windows registry in that it provides a weak link in the Unix chain (it gets cracked and you're in the system). You can bet that as Mac OS X becomes more and more popular with mainstream users, there will be more and more attempts to hack it. This is a byproduct of Mac OS X and there is nothing wrong with it. What definitely needs to be done is for Apple to address security problems in an open and timely fashion and not rest on its laurels or deny that the problems are serious. ANY security hole is serious, regardless of how big or how small.

It's still not possible for even an AppleScript to exploit this problem. The reason is because you must use the Recent Items menu to open the application and THEN it gains root access. Without the critical Recent Items menu step, the application does not gain root access -- try it: many places like www.macfixit.com have noted this.

Therefore (yeah, I thought of that too :D ), even an AppleScript could not exploit this security hole.. it's just a mistake in the implementation of the UI, not inherent in any underlying code. Unless there's a way to have the pointer move, click on the Apple menu, scroll down to the Recent Items, and select the app from that menu, nothing bad can come of this, unless the person is physically at the computer itself. And if there WAS a prog that did that, it would look VERY suspicious, and I certainly would force quit the Terminal before it opened.

So there's still nothing to worry about. :)
Originally posted by .dev.lqd

I'm not sure of this. Apple is fairly new to the Unix variant game

I'm just beginning with Unix, since it is included in, or brought with, Mac OS X.
But one thing: if I am, the guys at Cupertino aren't; they've been working for years on that matter. They already tried to include both technologies in the same package some years ago, and believe it or not, Microsoft did too... just as a response! It was around when they issued Win 95, not really new, huh?

There are still some bugs in OS X, like this trash problem, or other things linked to the permissions... but nothing is simpler than making yourself root, as it is just a copy-paste in NetInfo Manager! But of course, do not always log in as root, just when needed; or when something goes wrong, fix it with the Terminal. Even a newbie like me can fix those problems with the Terminal and just basic Linux commands.

I think they did not allow the common user to log in as root for self-security reasons: to avoid the mistakes caused by the "too much" power of root in Linux. But I think they knew that responsible users would know how to become root; just think of it like this: if you're wondering about root questions, you're already considered a power user! I can assure you that my girlfriend with her iMac just doesn't care about root... for her it's just a mistyping of "way" in French (route)....