
More Mac OS X Flaws Identified

Apple is doing a lot of security patching of late, and it looks like its employees may be working overtime just to address some of the flaws found by one security researcher.

Tom Ferris, a hacker and researcher from Mission Viejo, Calif., posted on his Web site Thursday evening information about seven separate security vulnerabilities he found in different Mac OS X digital image formats.

Ferris included proof-of-concept exploit code for all of the flaws in his advisories, though he insists the code is little more than the most basic example to demonstrate precisely where the problems reside. Some of the flaws he found are merely denial-of-service glitches, meaning an attacker could use them to cause hiccups or lockups for targeted Mac systems. But in an interview earlier today, Ferris told me that a number of the bugs could almost certainly be exploited to allow attackers to run programs of their choice on vulnerable Mac systems.

Ferris said he's been told by the folks at Apple that the bugs will be fixed in "the next security release," which -- at the rate Apple has been releasing updates lately -- could be quite soon. Still, it has taken Apple nearly four months to fix these problems. Ferris said he first notified Apple of the flaws in early January, and that Apple still is working on fixing at least seven other serious security bugs he found in iTunes and Quicktime after just a few hours of poking around the programs.

"When you think about how many millions of people bought iPods last year ... finding bugs in applications like that has a huge impact," Ferris said.

Ferris's work is the latest indication that the security community is starting to take a much closer look at potential vulnerabilities in OS X.

"Apple is basically becoming a bigger target because researchers are realizing the potential impact is higher than it was before because more people are using it," Ferris said. "Plus, OS X is Unix-based and a lot of researchers and hackers started out on UNIX- and Linux-based systems finding bugs, so for them it's like being back home again."

By Brian Krebs  |  April 21, 2006; 2:23 PM ET
Categories:  Latest Warnings  

Comments

What, no Windows vs. Mac sniping? Come on, people, get with it!

Posted by: S. H. | April 21, 2006 5:47 PM | Report abuse

Be it Linux, Apple, Windows; the faults in all these operating systems and associated software make one wonder about the suitability of those who work on them. I recall working at a computer systems manufacturer that had the good sense to give all people without a track record of real-life software experience an aptitude test. It was surprising how many people who wanted work failed the test. Even more surprising was the number of Computing Science graduates who failed in comparison to those doing maths and physics. Maybe the world is trying to produce more software than there are people with the right aptitude to make a good quality job of it.

Posted by: Anonymous | April 22, 2006 5:24 AM | Report abuse

What comes around, goes around.

Posted by: MotorolaMac | April 22, 2006 1:50 PM | Report abuse

Ferris is a retard if he thinks that causing an OS X application to crash allows "attackers to run programs of their choice." Typical FUD from a joker who is trying to drum up business.

Posted by: Mac | April 22, 2006 7:25 PM | Report abuse

Another interesting story regarding Mac OS X security...

http://www.zdnet.com.au/news/security/soa/Mac_OS_X_hacked_under_30_minutes/0,2000061744,39241748,00.htm

As with Linux, security through obscurity is quickly becoming untrue. Fortunately, there are enough devotees of these systems to monitor for such flaws. The lead time between discovery-to-patch release is growing shorter - except for this example of Apple's latency.

These vulnerabilities - and the fact that people are beginning to take more of an interest in exploiting them - should be considered evidence that these systems are gaining in popularity.

Posted by: Anon... | April 22, 2006 7:37 PM | Report abuse

The complex interaction of subcomponents of an operating system can not always be predicted by the people who design the subcomponents. Just because I design a gear doesn't mean that I will be aware that the gear can be easily dislodged with a hammer when the machine is in operation. Now try and comprehend the entire machine and its possibility for failure. Sometimes it takes the machine being built for flaws to become obvious. Software verification is a difficult field.

I remember the mailbox directory flaw in older versions of UNIX. If the directory had write permissions enabled for the entire directory you could create a phony mailbox. A symbolic link (shortcut) could be made from the mailbox to the password file. You then would copy the password file and insert your own admin password in your copy of the file. You then mail the password file to the phony mailbox which forwards it to the actual password file. The password file can only be overwritten by an administrator, but the postmaster routine runs as an administrator. Voila! New password file installed by a regular user. This of course was obvious to all of us before we even released a single piece of UNIX code.

This is not like placing low quality tires on a heavily loaded SUV. That component interaction is more obvious than my software example. Build a machine, then kick it, and see how it breaks. Hire someone else to kick the machine and see how it breaks. But hiring someone else who has the correct analytical bias to test your software and break it may be outside your corporate control. How long did it take for people to realize that Lawn Jarts might be dangerous and not just fun? There are too many product reliability issues to simulate in this email.

Posted by: Eduardo | April 22, 2006 8:03 PM | Report abuse

>Apple is basically becoming a bigger target because researchers are realizing the potential impact is higher than it was before because more people are using it...<
Yup, according to IDC, Apple's USA First Quarter 2006 market share catapulted all the way up to 3.7%.

Their worldwide market share is somewhere below that of (who?) Fujitsu/Fujitsu Siemens.

It's safe to say that the overwhelming majority of iPods are used with Windows computers.

From a market share standpoint, I don't see why a virus/worm writer would bother with Apple-OSX.

Posted by: John Johnson | April 23, 2006 11:59 AM | Report abuse

This blog entry is very scant on details and heavily weighted towards the word of the security researcher. Here's the deal. After a cursory analysis, none of the flaws detailed by Ferris allow an attacker to execute code with root access privileges. So in the worst case you could lose your personal files which only require standard or administrator's access privileges. Access to important system files requires root access. Hell, even as an administrator of my own machine (which is OSX default installation mode) I CANNOT do something boneheaded like delete the system folder. Root access is disabled by default on 99.9% of OSX boxes out there as your average user has no idea how to turn it on and would have no need to do so even if they did know. No, hackers will probably not be able to take over your lovely OSX machine or render it inoperable with these exploits. So the important lesson from this boys and girls is backup your data. We live in a scary world where people don't mind destroying your precious personal files for fun and profit. You should backup your data regardless of the machinations of weasels using Ferris' "exploits" (obligatory eyeroll). So, our OSX boxes are probably safe and will continue to work into the foreseeable future. Yawn. Wake me if Ferris finds something dangerous.

Hell why did I even bother. Must be gas....

Posted by: MrX | April 23, 2006 6:06 PM | Report abuse

This is actually good for the Apple world because Apple and their users have been living in a bubble for a long time. Especially when they think the OS is not vulnerable to anything. Wrong. Making the GUI shiny and pretty does nothing to enhance the security.

Posted by: Anonymous | April 23, 2006 8:39 PM | Report abuse

This is basically what I just interpreted:

Blah blah blah blah blah blah blah - blah blah blah blah blah blah blah blah blah blah blah blah blah

[Ferris stated that because Apple sold millions of iPods, that his findings will have a huge impact]

Blah, blah blah blah blah blah blah blah,blah blah blah blah blah blah blah blah blah.

Whatever.

Look, take some time Mr. Krebs, to kindly remove your lips from the Microsoft logo on Ballmer's backside long enough to at least call up another source to compare research when you write an article. You basically write this article from the standpoint that you are nothing more than a boy who ALSO cried "wolf!"

First off, about 90% of iPods are attached to WINDOWS machines. Second, what do these flaws have to do with an iPod? Nada, zip, zero, nothing. The problems that he highlights don't allow hackers to tap into iPods, so why even bring them up?

Moving on... If these flaws were so severe, why didn't Ferris actually commit to making a TRUE proof-of-concept and demonstrate the hijack of a machine? Easy. Because as Mr. X (another poster) already pointed out, the flaws described DO NOT allow the average Mac OS X box to be seized.

Look, you may or may not be a journalist who happens to be "in bed" with Microsoft, so I apologize for the earlier comment. However, please do take the time and make sure that you don't sound that way. eWeek and the rest of the so-called "enterprise technology" rags that are out there are bad enough, we don't need this sort of thing becoming commonplace in the Post as well.

Unbelievable.

Posted by: Mr. Smith | April 24, 2006 6:17 AM | Report abuse

Security Fix is harder on Microsoft than any other company. To say that Brian Krebs's lips are attached to Ballmer's backside is ludicrous.

I know experienced Mac users that have not had antivirus or firewall software installed because they thought the Mac was nearly immune to these attacks. Lack of evidence is not evidence of lack. Just because they hadn't been attacked doesn't mean they never will be. If this serves as a wake-up call for Apple and its adherents, that can only be for the good.

As to "only" losing all your personal information... what do you think computers are for? Isn't losing all of your documents, tax files, resumes, jpegs of the kids, and hundreds of other types of files a serious issue?

Sheez! Mac apologists.

Posted by: WiJO | April 24, 2006 9:56 AM | Report abuse

Brian is no Windows mouthpiece. He's registered plenty of criticism of the Windows world and has had many complimentary things to say about the Mac. I've been a dedicated Mac user since 1987, and I think he's been extremely fair and evenhanded through all the OS controversy of late.

Posted by: Randy | April 24, 2006 11:49 AM | Report abuse

The issue here is anything can be hacked.

Let US figure out how to protect ourselves by giving us such information. If it is really true we need to fix the OS or adopt the patches etc.

I have no real axe to grind - I use windows (as little as possible - but I help my wife who absolutely needs to run it) and macs both at home and work. I need to 'know the info' and this column does that as well as anything.
If the author is really truthfully wrong - you have corrected him with your comments...if we macophiles (my bias) are smug for the wrong reasons - we will stand corrected and we hope Apple will do what it can.
But really - we are in the same boat with all the windows users - we can't stand to be complacent. Humans are resourceful and will enjoy the temptation of messing with all the rest of us. But I dare say the thought of getting locked up certainly puts the damper on my mischievous quotient. But I am old and 'wiser' and the young and foolish or motivated by hate or whatever are a potentially scary lot.

Keep up the great column

Posted by: johng | April 24, 2006 7:26 PM | Report abuse

Brian - I've used Mac OS X for a year; Windows & DOS for more than 10 years. I'm evaluating GNU/Linux on a trial basis.

All of them certainly have their place. Regarding security, none are bulletproof.

My wildest guess is Windows is the most breakable (in terms of data theft & system compromise) of the 3 platforms I've been on; but it sure is cheap with gobs of software available. This is what I use currently.

I've had some of the most enjoyable computing experiences on Mac OS X ; but I have too many Windows programs/files to make the switch. And I didn't like that Palm Desktop & Yahoo messenger were given short shrift on the Mac. I dropped a lot of money on this platform in the one year I've had it; but it was an enjoyable computing experience.

GNU/Linux - I can't comment on it yet; but it sure is promising - almost all the software is free.

Thanks for allowing others to post their opinions on this site; please keep up the good work.

Posted by: Poch | April 25, 2006 1:20 PM | Report abuse

You Apple fanboys need to grow up, no one has said anything bad about Apple, it's just a story about a guy who finds problems, reports them and they are being fixed. I don't understand why you're so defensive over something so small.

Brian, great article, keep up the good work.

Posted by: amazed | April 26, 2006 9:56 AM | Report abuse

I'm not even in the same league as those whose posts I just read. I know very little about computers, Mac or otherwise. The only reason I found and read these posts today was through doing a site search for virus/trojan test/fix software. I own a mac os x and as of late it has begun acting a lot like my windows system did right before it crashed. Fortunately, I know enough to not just go clicking these so-called 'free fix' links and start downloading 'spyware' eliminators. I saw a friend do it and I swear the software he downloaded to 'fix' his problem gave him more problems then wanted money to fix them. So I thought to get a little information first. I understand now that up to this point my mac has been considered somewhat immune, if you will, to the trojan/virus problem. It will be interesting to see the outcome of this safe or not safe controversy and all I can say is my usually trouble free mac must be having some gender issues 'cause its sure acting a lot like windows.

Posted by: J.Mercurio | September 8, 2006 12:12 PM | Report abuse

The comments to this entry are closed.

 
 

© 2010 The Washington Post Company