Mac OS X + Safari Exploit



Danamania
22nd April 2007, 12:54 AM
No doubt y'all will read about this sooner or later, and I thought I'd jump in with a few bits of sensibility, considering the amount of mac fanboyism dismissing it for various reasons, many of which aren't relevant.

http://news.com.com/2100-7349_3-6178131.html?part=rss&tag=2547-1_3-0-5&subj=news

First off, the original requirements to win prizes in this contest was to remotely hack a Mac connected to a network, with no action required on the Mac side. It's true that this didn't happen, so the rules were relaxed.

Now, plenty of Mac people are getting a bit confused there, and claiming this means lots of security was turned off, and the Mac was purposely left more exposed than it would be in reality - and this doesn't seem to be the case. The change in the rules allowed this new exploit to be triggered by browsing to a site with the vulnerable Mac in default configuration (which is what plenty of real world mac users will be using, even if those of us here don't generally use default configs).

While this is less of a problem than some random person finding your mac on a network and jumping straight in to take it over, it's still an issue. Following a link on a forum to a page that contained the exploit is one simple way of getting people to click on it. Sending them an email with a link in it, etc - getting some number of Mac users to click on a link is pretty easy, even if ensuring one specific Mac user clicks on a link isn't necessarily simple.

According to John Gruber at daringfireball.com, it's probably not related to 'Open "Safe" files' (http://daringfireball.net/) in Safari, something that's caused issues before - and that's one of the most common differences between Safari as default, and as configured by many people. Other sites give the impression it's a vulnerability related to Javascript handling.

If so, then *anyone* using Safari is pretty much vulnerable by clicking on a link somewhere. So what are we vulnerable to?

The exploit is reported to give an attacker user-level access via a shell. That means when you theoretically browse to a URL that contains the exploit, through some bug in Safari the exploit is capable of running shell (terminal) commands on your Mac as your user.

While that's not root level access (full ability over the machine), it's still enough privileges to, for example, delete everything important to you in your user folder, script your email app to tell your boss to go to hell, tell your machine to download another app from somewhere, run it in the background, set it as a login item for your user, and have it constantly working away in the background doing work for the attacker. Whether that's as a spam relay or what, is entirely up to the attacker. User level shells can still do a lot, even if they can't do *everything*.

Another thing they can do is run code to gain root access via a separate vulnerability if it exists somewhere, that may otherwise be inaccessible to someone outside your network.

I'm quite interested in OS X exploits, so I'll be keeping an eye out to find info on how it works & what's needed to trigger it - as that info comes in I'll try to post it in this thread without the hype, and without the overdone apple defence that's already popping up all round the net.

Dana

Edge
22nd April 2007, 01:08 AM
Dana,

What does your description of 'standard configuration' (and what news.com.com describes as 'all Security Updates, but no additional security or settings') actually mean?

There are many of us here for whom security on a Mac means turning on the firewall, opening up the necessary ports, and surfing away. I haven't installed any security software on my Macs for many years, and aside from the firewall and using a non-admin user account, I don't bother myself with it. I'm sure I'm not alone.

Danamania
22nd April 2007, 01:32 AM
Dana,

What does your description of 'standard configuration' (and what news.com.com describes as 'all Security Updates, but no additional security or settings') actually mean?

There are many of us here for whom security on a Mac means turning on the firewall, opening up the necessary ports, and surfing away. I haven't installed any security software on my Macs for many years, and aside from the firewall and using a non-admin user account, I don't bother myself with it. I'm sure I'm not alone.

A standard config is either an install provided on a machine fresh from Apple, or with a fresh new install of OSX. The "no additional security or settings" means nobody's gone and turned firewalls on (or off), changed safari's config away from what a fresh install gives, turned internet sharing on, etc.

Certainly your turning on the firewall like you have is one of those additional security measures - it appears it's not one that'll affect this exploit (though as usual - more info will come in about just what affects the exploit and what doesn't).

According to http://www.cansecwest.com/ the machine also had all security updates installed. The contest seems to have started one day before the most recent security update, but won after the security update was released - but none of those updates were for Safari.

Depending how the vulnerability was triggered, it's possible this particular exploit may be Intel only (and if it is, it doesn't preclude the possibility a PowerPC one could be created too).

Dana

W9cae
22nd April 2007, 01:59 AM
I had posted this in "NEWS" but no moderator posted. hmmmmmmmmmm

HDK
22nd April 2007, 08:55 AM
There's a fair bit of news (http://news.google.com.au/nwshp?ie=UTF-8&oe=UTF-8&hl=en&tab=wn&ncl=1115589154) floating around, but we really need more information.

Arstechnica (http://arstechnica.com/journals/apple.ars/2007/04/21/mac-hacked-for-10000) has a little more technical info. Not much though.

nard
22nd April 2007, 12:41 PM
Latest news is that it's a Java exploit. Other browsers using Java are also affected.

http://www.matasano.com/log/806/hot-off-the-matasano-sms-queue-cansec-macbook-challenge-won/

Sambo
22nd April 2007, 12:54 PM
Well that site seems to tell us to turn all Java off in Safari in the security tab. Probably not the worst idea if it's only a Java exploit.

Danamania
24th April 2007, 11:13 AM
This is turning into a fascinating exploit :) It appears that not only was a Mac found vulnerable to a pretty simple click-n-run exploit to give an attacker access to your machine via a clicked link on a web page, but it's caused by... Quicktime's Java handling. Not only that, Quicktime may very well open the same vulnerability in Windows. Oh how backwards :)

http://www.matasano.com/log/812/breaking-macbook-vuln-in-quicktime-affects-win32-apple-code/

(from daringfireball.com)

More complex than usual...

New details emerging about Dino’s MacBook finding (don’t you just love vulnerability markets?)

Dino’s finding targets Java handling in QuickTime.

Any Java-enabled browser is a viable attack vector, if QuickTime is installed.

Apple’s vulnerable code ships by default on MacOSX (obviously) and is extremely popular on Windows, where this code introduces a third-party vulnerability. (Irony!)

Firefox and Safari are confirmed vectors on MacIntel. Users of both browsers are placed at risk by this vulnerability in Apple’s code.

Firefox is a presumed vector on Win32, if Apple’s QuickTime code is installed. Users of Firefox on Windows are presumed to be at risk because of this vulnerability in Apple’s code.

Disabling Java stops the vulnerability.

W2ttsy
24th April 2007, 11:57 AM
Of course, disabling Java may not be the best solution as some sites still require applets.

I'm sure Apple will put out a fix for this in a timely fashion and the haters will once again be left in the dark ;)

W2ttsy

nard
24th April 2007, 01:04 PM
You can always enable Java if you run across a site that truly needs it.

Danamania
24th April 2007, 02:31 PM
I'm sure Apple will put out a fix for this in a timely fashion and the haters will once again be left in the dark ;)

They will :)

Let's count down the days until it's fixed. The exploit was created April 20th.

Today is April 24th. For 4 days, those of us with Java turned on are only able to trust that of the hundreds of links we must click on each day, that none of them is going to make a right mess of our machines, by the good grace of those who discovered the exploit and aren't making it public, or if they did, the Mac's relative obscurity.

Dana

forgie
24th April 2007, 04:04 PM
I have taken to leaving Java off 24/7... I haven't needed/used it in about 2 years.

Danamania
26th April 2007, 06:28 AM
A little more info, this time about the discoverer of the vulnerability and creator of the exploit itself, Dino Dai Zovi - he touches on how long it took to find/write what was needed:

http://blogs.zdnet.com/security/?p=176

zdnet also link to another piece with info from Dino, regarding the Quicktime/Java issue:

http://blogs.zdnet.com/security/?p=177

and a link to Dino's page with his previously discovered vulnerabilities in OSX:

http://www.theta44.org/research.html

Dana

Danamania
29th April 2007, 05:36 AM
And again - another interview with the creator of the exploit, this time by John Gruber himself.

http://daringfireball.net/2007/04/interview_dino_dai_zovi

One of the interview responses related to security that it would do every mac user well to know, given the amazing number of people who call a user-level shell exploit nothing to worry about:

DAI ZOVI: A remote root exploit is typically much harder to come by than a remote user privilege exploit. However, in general, local user to root exploits are simpler to find than remote user-privilege exploits. So, in general, it is reasonable to assume that once an attacker has local user access to a system, root is not difficult to obtain. One should also point out, that if the user privileges are an admin user, it is possible to write to /Applications/ and /Library/, and this access is quite damaging. On a (primarily) single-user machine like a laptop or desktop, even non-admin user-level privileges are enough for most attacks (reading data, corrupting running applications, etc).

Dana

HDK
29th April 2007, 09:48 AM
What about this Q? There's the usual talk that you should run as a non admin user for extra security, but you still need to have an admin account set up so that your non admin account can function.
So if an attacker gained access to your non admin user account, surely accessing the admin account, and then onto root would not be that hard, considering admin to root is...

in general, local user to root exploits are simpler to find than remote user-privilege exploits.

Is there really much advantage to running a non admin account, except that the attacker may only get to the non admin user level and then get stuck?
I mean Dai Zovi claims to only run as a non admin.... should we be taking this precaution more seriously regardless of the probability of being attacked? I have never run less than admin except for new accounts for my kids etc.

feeze
29th April 2007, 10:24 AM
It depends on the nature of the root exploit.

Running in a non-admin account is just an extra layer of security. It may not be a strong layer, but it's still a layer that will help stop simple attacks.

It also provides security against people who might gain physical access to the machine.

There's no 'one size fits all' security solution. Security is a number of steps of precautions. Running in non-admin is one of them.

warren21
29th April 2007, 11:04 AM
Talking of security. I have never turned on the firewall. I have turned off "open safe files" in Safari and put my mac into stealth mode (I've always done this). Do I really need to turn on the firewall? If so how do I know what ports to turn on? I don't know what any of the items mean in the firewall list. Also the firewall disables my transmission app.

g5agogo
30th April 2007, 10:25 AM
On all our set-ups I have only one account set up as admin and that isn't used as a normal user account and is only used for admin purposes. It's only a layer, but it's easy to do and use, so why not?

forgie
1st May 2007, 12:43 PM
There's an interview on MacWorld with the guy who won the prize that makes for interesting reading:

http://www.macworld.com/news/2007/04/30/daizovi/index.php?lsrc=mwtoprss

Interesting to note a lot of knee-jerk commentary from the mac-zealots. Dai Zovi's observation that the new code in Vista is more secure than OSX makes sense. MS have made a few initiatives to try and tackle most of the basic security flaws when programming, whereas AFAIK Apple haven't really got anything like that in place. Apple are relying on the more secure architecture of the OS, but that's really just one piece of the pie. I'd love to see Apple be pro-active about this, but unfortunately I doubt they will.

iSlayer
1st May 2007, 12:59 PM
whereas AFAIK Apple haven't really got anything like that in place. Apple are relying on the more secure architecture of the OS, but that's really just one piece of the pie. I'd love to see Apple be pro-active about this, but unfortunately I doubt they will.

Why fix something that's not broken?
People can say that OS X is not hacked every day just because it isn't popular enough but we all know that's bullshit. Sure OS X has its flaws but exploiting them is a whole other story.

forgie
1st May 2007, 01:27 PM
Why fix something that's not broken?
People can say that OS X is not hacked every day just because it isn't popular enough but we all know that's bullshit. Sure OS X has its flaws but exploiting them is a whole other story.
The whole "open safe files" debacle in Safari was much more significant in my mind than people realise.

There is never going to be a torrent of OSX exploits turning macs into botnets, but it would appear that there have been all the pieces required to actually put together an exploit - it's just that no one did it. Maybe it wasn't possible, but that's not the point. It was possible to have a link run a shell script (albeit in user mode). That's scary, and that's dangerous, no matter how you look at it.

I think Apple has grown a tad complacent on this issue. They patched the "safe executable" flaw at the wrong level - there should be an OS level layer of protection, not an App level layer of protection. It may be something that they had to wait for Leopard for, so maybe my doubts will be nullified when the next cat is released.

Danamania
1st May 2007, 01:32 PM
Why fix something that's not broken?
People can say that OS X is not hacked every day just because it isn't popular enough but we all know that's bullshit. Sure OS X has its flaws but exploiting them is a whole other story.

I used to think the same, until I popped an exploit on the forum that gained a shell, ran a little code that left a breadcrumb on my server to let me know it'd successfully intruded on someone's machine, and told them about it. In the end it had hundreds of successful hits. Yes, it was only a user level shell, but that doesn't stop inserting a little startup item app to run in the background that checks a base server for spams to send out from time to time, and then proceeds to use the exploited machine's net connection to spam freely.

(while that worked on my test machine here, I didn't stick something like that in the script. A bit too nasty, and helping people clean up afterwards would have taken weeks, if they'd bothered to hang around ATAU afterwards)

I can't think of any reason other little nasties like that didn't appear with that particular exploit, except that so far, OSX is obscure enough that few enough people were interested in doing so. The OS was wide open and nobody took advantage of it - least that I heard of.

Dana

iSlayer
1st May 2007, 02:11 PM
It was still just a safari exploit in the end. Not a system exploit.
Yes there was a secondary issue but tricking users isn't exactly something new. This was just a new and smarter way of doing it and in every app except safari it still required user interaction.
There was an issue for apple to fix in regards to associations and all that but at the same time you have virtually been able to do the same thing albeit not as nicely for years and you still can today.

marc
1st May 2007, 02:35 PM
OSX is obscure enough that few enough people were interested in doing so.
While I think this exploit was (finally) a security flaw that did deserve some attention, surely you don't believe that the only reason we all haven't been malware'd, spyware'd, virused, trojan horsed, hacked, cracked and abused is because no one's using OS X?

Danamania
1st May 2007, 03:04 PM
While I think this exploit was (finally) a security flaw that did deserve some attention, surely you don't believe that the only reason we all haven't been malware'd, spyware'd, virused, trojan horsed, hacked, cracked and abused is because no one's using OS X?

Definitely not, and obscurity doesn't mean "no one's using OS X", it means we're a smaller target (let's take 5% Macs vs 90% Windows) - at a first glance that might sound like OS X should get 5% of the attacks, but the obscurity factors into a whole lot more than just the number of machines out there. Education, for one, is skewed in a more binary sense, where the specifics of an OS taught in the world goes one way or the other. Sure, there are plenty that teach the generics of *ix based systems, but the number of seats with students being widely educated in the workings of OS X is nowhere near 5% of the total. That puts the pool of potential OS X nastycrackers way smaller than market share.

Another binary system that skews things almost totally towards the system with the higher market share is the dollar value vs return of what can be done with an exploit. You can pay someone $20k to knock up an exploit to get into Windows and hit potentially 90% of the population for some benefit (spam servers, DDoS blackmail botnet machines, spyware etc), or pay them $20k to knock up an exploit to get into MacOS to hit 5% of the population for a much smaller return.

Again, that isn't going to mean 5% of the people paying to get their malware on machines are going to go for OSX. Imagine you have 100 people looking for profit, who have the option to pay $20k to go down one road that'll give a return of $900k, or they can pay $20k to go down another road with a return of $50k. The number of people selecting the $50k payoff isn't going to be a direct ratio of 5%.

Obscurity isn't the only part of it, but in various forms it's certainly part. Obscurity in the sense of a small market share multiplied by obscurity in the sense of relatively fewer people with a deep knowledge of the system multiplied by obscurity in the lower value of a successful exploit.

The rest of it lies in Apple having fewer serious vulnerabilities, generally being OK with responses to fix them, a different culture among mac users (a higher level of camaraderie that I think can't be ignored), a bit of respect from many towards a company that offers a viable alternative to windows and does cool stuff - and no doubt many more reasons.

When Panther was out, we had Safari's URL handler vulnerability (exploited) overlapping with the mrouter local privilege escalation to root (also exploited) for more than a month - Use one exploit to gain shell access, use the other to gain root shell access, and the whole system was anyones. Nothing serious came from that either, despite all the info being out there to someone interested enough to do something with it.

The question is - why didn't they?

Dana

marc
1st May 2007, 03:46 PM
The Amiga had viruses (LOADS of them... it might have even been the birthplace of viruses!).
The Atari ST had viruses.
OS 9 had viruses.

...and all had less market share at their peak than OS X does today.

Sure, obscurity means spambots/drones etc won't be targeted at anything but the majority platform, but I don't think it holds any water for most other types of apps that take advantage of security breaches.

forgie
1st May 2007, 03:58 PM
Definitely not, and obscurity doesn't mean "no one's using OS X", it means we're a smaller target (let's take 5% Macs vs 90% Windows) ...
The question is - why didn't they?

Dana
:thumbup: You said pretty much everything that I was going to! I like the cut of your jib! ;)

iSlayer
1st May 2007, 04:01 PM
The Amiga had viruses (LOADS of them... it might have even been the birthplace of viruses!).
The Atari ST had viruses.
OS 9 had viruses.

...and all had less market share at their peak than OS X does today.

Sure, obscurity means spambots/drones etc won't be targeted at anything but the majority platform, but I don't think it holds any water for most other types of apps that take advantage of security breaches.

Spot on.
I don't buy any of the stuff about OS X being not popular enough for people to target. That just doesn't make sense to me. I think there has to be other reasons why OS X has never really been targeted.

Danamania
1st May 2007, 05:27 PM
The Amiga had viruses (LOADS of them... it might have even been the birthplace of viruses!).
The Atari ST had viruses.
OS 9 had viruses.

...and all had less market share at their peak than OS X does today.

You're partly right about the Amiga being part of the birthplace of viruses - it was the Amiga scene that popularised the term 'virii', though the earliest use of the term 'virus' goes back to at least 1984, with research on self-replicating programs happening in at least 1980.

Looking back at the operating systems way back then shows some interesting results too, as security can be discounted as a reason for infection since none of the common operating systems of the time (DOS/Windows, MacOS, AmigaDOS and TOS) had any - they were all as bad as one another - but the number of viruses *did* still follow market share up to a point.

Through to 1996, DOS/Windows had over 10,000 viruses, while the closest behind was the lower market share Amiga (under 1,000), followed by everything else. Market share counted there to some level, but the Mac had even fewer, despite a higher market share - security can be discounted as none of those OSs had any - so while market share contributed, it's not the whole story. There's likely a lot of culture behind it too - Amigas were big among the code hacking scene, and the higher numbers of people there compared to masses more professionals & educators using Macs as tools would be my guess for the biggest difference between Amiga and Mac virus numbers. I see it as relative obscurity counted for keeping the Amiga virus numbers down (compared to DOS/Windows) despite the hacky Amiga user culture, and obscurity + user culture counting together to keep MacOS numbers down.

Muddying things a bit is an entirely different dynamic to the purpose of those 20th century viruses. They weren't worth much in cash, and specific infections were created for different reasons than those today. That extra hard binary skewing makes the existing biases between OSs all the stronger.


Sure, obscurity means spambots/drones etc won't be targeted at anything but the majority platform, but I don't think it holds any water for most other types of apps that take advantage of security breaches.

The way I see it, anything that relies upon getting masses of people whoever they are (as opposed to attempting to target specific users) will be skewed towards the majority platform, and that seems to be the majority of malware atm - spambots, botnet drones, spyware, adware, destructo-ware - it's all about the number of people & infected.

Dana

Danamania
1st May 2007, 05:45 PM
There is never going to be a torrent of OSX exploits turning macs into botnets, but it would appear that there have been all the pieces required to actually put together an exploit - it's just that no one did it. Maybe it wasn't possible, but that's not the point. It was possible to have a link run a shell script (albeit in user mode). That's scary, and that's dangerous, no matter how you look at it.

Going back to this post here for a tick - I think the idea being spread around the Mac web that requiring a clicked link to run an exploit is not an issue is, like you implied, pretty underrated.

Malware spreads by what happens on a default system, and the default configuration is a big part of it - but also not the whole story. The default behaviour of sensible people using a machine as it's meant to be used can't be thrown out as irrelevant when looking at the security of an OS as a whole. It's not really relevant for those of us who're really well trained to look for the clues that point to bad links, but we're the minority :).

I also see that using a machine as it's meant to be used ("Click a link on a web page to go to a site") as different to really daft behaviour like opening emails from random senders and purposely running an included app. Hey, we're all used to clicking links on MTAU threads pointing to something interesting - back when I posted the working safari exploit as a test I only needed to add 10 more characters to that script to have wiped user directories on hundreds of macs. People didn't do anything stupid by clicking on that link, it was hidden to look like just another file (a jpg I think), though I had the server set up to serve a .zip file instead. Go mod_rewrite!

Looking back through my history after being online via dialup for just 3 hours, I see 167 entries. At home on DSL I'd not be surprised to see double that - that's 167 sites, pictures, links followed from webpages, IRC and IMs in just 3 hours of browsing. There's no WAY I can safely verify that every one of those links doesn't contain Dino Dai Zovi's unpatched exploit (as just one example), and even if I could, I don't think I could keep it up day after day until Apple release the fix. I have to rely on being aware of the problems out there, and how to prevent them. Knowing that protects me from possible issues.

But that's not the default behaviour of people using OS X.

Dana

marc
1st May 2007, 06:04 PM
Looking back through my history after being online via dialup for just 3 hours, I see 167 entries. At home on DSL I'd not be surprised to see double that - that's 167 sites, pictures, links followed from webpages, IRC and IMs in just 3 hours of browsing. There's no WAY I can safely verify that every one of those links doesn't contain Dino Dai Zovi's unpatched exploit (as just one example), and even if I could, I don't think I could keep it up day after day until Apple release the fix. I have to rely on being aware of the problems out there, and how to prevent them. Knowing that protects me from possible issues.
Absolutely. This is an issue and needs to be addressed quickly.

Let's cut the BS for a while though... OS X (in all its flavours) is the 2nd or 3rd most used OS in the world. Paint it any way you like, there's enough of a carrot there for the coders.

Time to reminisce: Something wonderful has happened (http://en.wikipedia.org/wiki/SCA_virus) (back from when viruses weren't really nasty)

iSlayer
1st May 2007, 06:06 PM
Let's cut the BS for a while though... OS X (in all its flavours) is the 2nd or 3rd most used OS in the world. Paint it any way you like, there's enough of a carrot there for the coders.

And as Dana pointed out OS X users are the perfect targets. Very few use virus protection and most just assume that they will never get infected with anything.

forgie
1st May 2007, 06:28 PM
Let's cut the BS for a while though... OS X (in all its flavours) is the 2nd or 3rd most used OS in the world. Paint it any way you like, there's enough of a carrot there for the coders.
As danamania very eloquently pointed out, there is some serious positive feedback going on when it comes to exploit writing. Why would someone with years of experience targeting XP want to target 1/10th or 1/20th of the number of users on a platform that they have no experience with? It's a matter of knowledge investment - at some point, someone will invest their time to start writing and exploiting OSX. Either that hasn't happened yet, because it's not profitable (or they think it's not profitable), or the people who have tried writing exploits have consistently failed. I think it's almost certainly the former. Wide vulnerabilities have been revealed in the last few years that were patched in a matter of weeks, but there were no exploits in the wild. That makes it pretty obvious to me that no one thinks it's worth their time.

When the first wild exploit hits, and it takes Apple several weeks to fix it, I'll be back here to say "I told you so!" :p

Squozen
1st May 2007, 06:28 PM
You'd have to have the malware writers using OS X before this becomes an issue, which rules out most European hackers who simply don't have the money for a Mac, being Communist peasants (apologies to James May).

marc
1st May 2007, 06:50 PM
As danamania very eloquently pointed out, there is some serious positive feedback going on when it comes to exploit writing. Why would someone with years of experience targeting XP want to target 1/10th or 1/20th of the number of users on a platform that they have no experience with? It's a matter of knowledge investment - at some point, someone will invest their time to start writing and exploiting OSX.
Having no $killz is totally different to an OS being safer by obscurity. And OS X really isn't that different to unix builds that have been around for ages (in that someone who knows how to hack *nix could get up to speed on a Mac pretty quickly).

I don't buy it at all.

(and btw, of course it'll take Apple a few weeks to patch something... they do have to have some quality control. They'd be much worse off sending out a patch that was rushed, then having to patch the patch than waiting a little longer and testing it properly.)


You'd have to have the malware writers using OS X before this becomes an issue, which rules out most European hackers who simply don't have the money for a Mac, being Communist peasants (apologies to James May).
Ummm... osx86project.org (http://www.osx86project.org/).

curientai
1st May 2007, 07:42 PM
Do you guys think the exploit is already around?

How could you tell if your machine has been exploited?

And, what will you guys do to prevent that exploit in the mean time before Apple releases the patch?

g5agogo
1st May 2007, 07:51 PM
To protect yourself before Apple release a patch, in safari preferences uncheck enable java and enable javascript checkboxes. Pretty simple.

curientai
1st May 2007, 07:57 PM
To protect yourself before Apple release a patch, in safari preferences uncheck enable java and enable javascript checkboxes. Pretty simple.

That's cool.

However, is it possible to track that if the machine has been exploited?

marc
1st May 2007, 08:03 PM
Do you guys think the exploit is already around?
There are no known cases of it being used in the wild. The guys who found it were nice enough to not go into details on how it was done. Let's just hope no one else works it out and does something bad with it.

Linux_insidev2
1st May 2007, 08:24 PM
Having no $killz is totally different to an OS being safer by obscurity. And OS X really isn't that different to unix builds that have been around for ages (in that someone who knows how to hack *nix could get up to speed on a Mac pretty quickly).


Being based off unix has nothing to do with it, aside from the same roots it's all down to versions of packages and libraries that apple implement.

For instance, Sony used libtiff in the PSP along with libpng and various other open source libraries (apple use the same ones) and due to flaws in the libraries people are able to hack in that way.

The same hack for either libpng or libtiff was used to make a mac exploit long, long ago.

The parts that make it a unix are the kernel and filetree and various other standards, which are written by apple and not taken from other code. You can't use a FreeBSD kernel exploit on Macos and you can't do it the other way around.

The key is userspace libraries and apps such as libtiff, libpng and all the others that Apple uses. As long as they use these libraries, the exploits will be well documented on the net; the fact remains that nobody cares, and userspace hacks usually end up getting you access as the user and not the root or admin user.

The problem with Windows is that everybody runs it as administrator, and the filesystem does not accept UNIX chmod values.

(btw. i love the new iStat :P)

forgie
1st May 2007, 08:51 PM
To protect yourself before Apple release a patch, in Safari preferences uncheck the "Enable Java" and "Enable JavaScript" checkboxes. Pretty simple.
AFAIK it's actually just Java; you can leave JS turned on. Java != JavaScript. There's not really any reason to keep Java turned on these days anyway, so I just leave it off (and recommend that others do the same). Without JS turned on, AJAX won't work (that means Gmail and any really interactive web pages except for Flash-based ones).

Danamania
1st May 2007, 08:56 PM
That's cool.

However, is it possible to track that if the machine has been exploited?

So far, the exploit as it's been demonstrated allows just the first step to causing problems - breaking entry into your machine - and without knowing the details of just how it's done we're all a bit in the dark & don't know if there are tracks left or not.

There's been no indication it's been leaked publicly, and it seems reporting of the problem has gone to Apple quickly & with apparently few people knowing.

Once an exploit like this one has been used to gain entry to a machine, squillions of different scripts or apps are possible - I certainly don't know enough about OS X in its entirety to be able to know every one of those possibilities, so the best thing I can do atm is stay informed, and watch what's popping up on security mailing lists & the like.

Dana

g5agogo
1st May 2007, 09:34 PM
forgie,
You're right; according to the available info it seems to be a Java exploit, and no, Java is not JavaScript.
However, I generally operate with JavaScript disabled too, and only enable it when I need to, just as a general hardening of the default parameters. I don't find it inconvenient; others may.
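
The advice in the two posts above (turn Java off in Safari, optionally JavaScript too) is easy to check from a script rather than by eyeballing the preferences dialog. The following is an added example, not code from this thread or from Apple; it reads a Safari preference plist with Python's standard `plistlib` and reports whether Java and JavaScript are enabled. The preference keys `WebKitJavaEnabled` and `WebKitJavaScriptEnabled`, the file path `~/Library/Preferences/com.apple.Safari.plist`, and the assumption that a missing key means "still at the default, i.e. enabled" are taken from how older Safari versions stored these settings and should be treated as assumptions; the two plists embedded below are constructed samples, not captured from a real machine.

```python
import os
import plistlib

# Constructed sample: a Safari preference file where both settings are still on.
# (Not captured from a real Mac; built inline so the example runs offline.)
DEFAULT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>WebKitJavaEnabled</key>
    <true/>
    <key>WebKitJavaScriptEnabled</key>
    <true/>
</dict>
</plist>
"""

# Constructed sample: the same file after the user unchecked "Enable Java".
HARDENED_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>WebKitJavaEnabled</key>
    <false/>
    <key>WebKitJavaScriptEnabled</key>
    <true/>
</dict>
</plist>
"""

# Assumed preference keys (as used by older Safari builds; treat as an assumption).
JAVA_KEY = "WebKitJavaEnabled"
JS_KEY = "WebKitJavaScriptEnabled"

# Assumed location of the per-user Safari preferences on Mac OS X.
SAFARI_PREFS_PATH = os.path.expanduser("~/Library/Preferences/com.apple.Safari.plist")


def setting_enabled(prefs, key, default=True):
    """Return the boolean value of a preference key.

    Safari historically only wrote a key once the user changed it, so an
    absent key is assumed to mean the factory default (enabled).
    """
    return bool(prefs.get(key, default))


def check_safari_prefs(plist_bytes):
    """Parse a Safari preference plist and report the Java/JavaScript state.

    Returns a dict with the two boolean states and a list of human-readable
    findings for anything still enabled.
    """
    prefs = plistlib.loads(plist_bytes)
    java_on = setting_enabled(prefs, JAVA_KEY)
    js_on = setting_enabled(prefs, JS_KEY)

    findings = []
    if java_on:
        findings.append("Java is enabled: uncheck 'Enable Java' in Safari preferences")
    if js_on:
        findings.append("JavaScript is enabled (optional hardening: uncheck 'Enable JavaScript')")

    return {"java_enabled": java_on, "javascript_enabled": js_on, "findings": findings}


def check_local_safari(path=SAFARI_PREFS_PATH):
    """Run the check against the real preference file if it exists (Mac only).

    Returns None when the file is absent, e.g. when run on another platform.
    """
    if not os.path.exists(path):
        return None
    with open(path, "rb") as fh:
        return check_safari_prefs(fh.read())


if __name__ == "__main__":
    for label, sample in (("default", DEFAULT_PLIST), ("hardened", HARDENED_PLIST)):
        result = check_safari_prefs(sample)
        print(label, result["java_enabled"], result["javascript_enabled"])
        for line in result["findings"]:
            print("  -", line)
    live = check_local_safari()
    if live is not None:
        print("local Safari:", live)
```

The two embedded samples show the difference between a stock configuration and one where only Java has been turned off, which is the state forgie recommends; `check_local_safari` only does anything on a machine that actually has the preference file. Note that on a current macOS the preference keys may differ or the file may be in binary plist form; `plistlib.loads` handles binary plists too, but the key names remain an assumption.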

Linux_insidev2
1st May 2007, 09:43 PM
So far, the exploit as it's been demonstrated allows just the first step to causing problems - breaking entry into your machine - and without knowing the details of just how it's done we're all a bit in the dark & don't know if there are tracks left or not.

There's been no indication it's been leaked publicly, and it seems reporting of the problem has gone to Apple quickly & with apparently few people knowing.

Once an exploit like this one has been used to gain entry to a machine, squillions of different scripts or apps are possible - I certainly don't know enough about OS X in its entirety to be able to know every one of those possibilities, so the best thing I can do atm is stay informed, and watch what's popping up on security mailing lists & the like.

Dana

Mostly, they will get into your user account and mess a few things up - but won't have the access to modify any system files.

However they could launch a keylogger and potentially catch your admin password when you enter it.

There are exploits they could use after the first one to gain admin access, but it's a lot harder and not usually worth it.

g5agogo
2nd May 2007, 07:43 AM
And Apple have released a QuickTime update and security flaw fix.

http://www.apple.com/support/downloads/quicktime716formac.html

marc
2nd May 2007, 09:56 AM
That was quick. Installed with no issues (yet) here :)

I have Java turned off anyway... just in case!

g5agogo
2nd May 2007, 03:27 PM
Yes, seems to have installed okay here, without problems, too.

I agree marc, that was a quick turnaround from Apple.

Wally
2nd May 2007, 03:54 PM
For instance, Sony used libtiff in the PSP along with libpng and various other open source libraries (apple use the same ones) and due to flaws in the libraries people are able to hack in that way.

It's a shame that Sony didn't notice that exploit :P