Mac OS X Vulnerability Posted
InformationWeek ^ | 01/08/2009 | By Thomas Claburn

Posted on 01/09/2010 2:44:18 AM PST by Swordmaker

The vulnerability is a variant of an issue raised last summer.

Proof of concept exploit code was posted today by a security researcher at SecurityReason to demonstrate a vulnerability in versions 10.5 and 10.6 of Apple's Mac OS X operating system.

The vulnerability is a potential buffer overflow error arising from the use of the strtod function in Mac OS X's underlying Unix code. It was first reported by researcher Maksymilian Arciemowicz last June.

SecurityReason's advisory describes a flaw in the libc/gdtoa code in OpenBSD, NetBSD, FreeBSD, and MacOS X, as well as Google Chrome, Mozilla Firefox and other Mozilla software, Opera, KDE, and K-Meleon. SecurityReason's advisory rates the vulnerability's risk as "high" and claims that the flaw can be exploited by a remote attacker.

A spokesperson for SecurityReason wasn't immediately available to characterize the likelihood that this vulnerability could be exploited.

The vulnerability was addressed in FreeBSD and NetBSD last summer.

And shortly thereafter Google and Mozilla, among other vendors, did the same.

But Apple apparently has not yet updated its software to incorporate the fix.

Apple did not immediately respond to a request for comment.

In their respective predictions for 2010, computer security companies Symantec, Websense, and Zscaler all said that they foresaw more attacks being directed at Macs and other Apple devices this year.

To some extent, such predictions represent wishful thinking. But Mac users should give some thought to security, if only in terms of using the built-in Mac OS X firewall and exercising caution in the Web sites they visit and the e-mail messages they open.

Some of the most serious security issues computer users face have to do with Web software and cross-platform software, like Adobe's Acrobat and Acrobat Reader.



The STRTOD command is a UNIX command to convert a string in a data heap or stack to be read as a double representation, changing the data to floating point... unless apparently there is a buffer overflow of the data there in which case, the vulnerability may cause malformed data to execute in place.

However, the data heaps and stacks on Mac OS X are non-execute memory locations... which may explain why it is a low priority vulnerability for Apple. If the vulnerability cannot DO anything... put it on a fix-someday list when the other more important stuff has been handled.

How is this a "variant?" It's exactly what was reported about last June. No changes, nothing new.

You can always tell that it's within three weeks of a major Apple event when the Pundits start dusting off old Apple vulnerabilities and start publishing them as FUD articles.

1 posted on 01/09/2010 2:44:20 AM PST by Swordmaker

To: ~Kim4VRWC's~; 1234; 50mm; Abundy; Action-America; acoulterfan; AFreeBird; Airwinger; Aliska; ...
Rehash of an OS X vulnerability report from last June... PING!

Three weeks from a major Apple announcement... it's open FUD SEASON

Mostly FUD as it has to do with a buffer overflow in a non-execute area...


Mac OS X Security vulnerability FUD rehash Ping!

If you want on or off the Mac Ping List, Freepmail me.

2 posted on 01/09/2010 2:49:37 AM PST by Swordmaker (Remember, the proper pronunciation of IE isAAAAIIIIIEEEEEEE!)

To: Swordmaker

Sounds like a prison break where the inmates tunnel into the prison court yard rather than outside the walls.


3 posted on 01/09/2010 3:12:33 AM PST by Mind-numbed Robot (Not all that needs to be done needs to be done by the government)

To: Swordmaker

Same ol, same ol it seems to me. Reality remains that unless you execute some extreme steps and open your OS X up completely and post a roadmap to your machine...not much gonna ever happen to it.

Barring some change in the cosmic balance, a new Mac Mini becomes the new studio computer in 3 days!!!

Peace :)


4 posted on 01/09/2010 4:42:22 AM PST by TheStickman

To: Swordmaker

I believe Apple stopped providing security updates for OS X Tiger last month. That, coupled with all the problems Mediacom (my ISP) has bestowed upon its customers, plus the failure of my iBook's tracking pad, have made my Internet experience rather painful for the last month or so...


5 posted on 01/09/2010 5:02:31 AM PST by donozark (Beware the Impostor from Mombasa!)

To: Swordmaker
> Rehash of an OS X vulnerability report from last June... PING! ... Mostly FUD as it has to do with a buffer overflow in a non-execute area...

Sure, it's not a screaming emergency, but that's no excuse for Apple to leave it unaddressed this long:

> The vulnerability was addressed in FreeBSD and NetBSD last [sic] last summer.

It's just plain stupid on Apple's part to not address something that opens them to this kind of FUD article. The facts are correct as stated: The vuln was known long ago, other BSDs corrected it long ago (including FreeBSD, the basis for OS-X), and Apple should have done so, period. Screaming high priority? No. But it's very foolish from a "PR" point of view to stand around with one's pants around one's ankles like this.

> Three weeks from a major Apple announcement... it's open FUD SEASON

True, and more will follow. Nevertheless, Apple is in the wrong on this one, and for no apparent reason other than foolishness.

6 posted on 01/09/2010 8:26:45 AM PST by dayglored (Listen, strange women lying in ponds distributing swords is no basis for a system of government!)

To: Swordmaker
> In their respective predictions for 2010, computer security companies Symantec, Websense, and Zscaler all said that they foresaw more attacks being directed at Macs and other Apple devices this year.

I'm still waiting for the first one.

7 posted on 01/09/2010 11:42:32 AM PST by PA Engineer (Liberate America from the occupation media.)

To: dayglored

What is the absolute WORST CASE scenario if this remains un-fixed in OS X? The vulnerability is in a nonexecutable memory location - thus it cannot do anything at all. As someone else posted - put it on the list for "some day" just for the principle of it. But I see no grand hurry.


8 posted on 01/09/2010 12:26:38 PM PST by TheBattman (They exchanged the truth about God for a lie and worshiped and served the creature...)

To: donozark

I have to say that when it comes to long-term product support, Microsoft wipes the floor with Apple. That plus there’s no clear Apple lifecycle policy, while Microsoft has a clear policy for all operating systems.

Apple had better start doing that if they want to get more into the enterprise. An enterprise that buys software wants to know exactly how long it will be supported.


9 posted on 01/09/2010 1:39:09 PM PST by antiRepublicrat

To: TheBattman
> What is the absolute WORST CASE senario if this remains un-fixed in OS X? The vulnerability is in a nonexecutable memory location - thus it cannot do anything at all. As someone else posted - put it on the list for “some day” just fore the principal of it. But I see no grand hurry.

Apple letting a known vuln sit around -- for six months after it was fixed in the sources of the OS they use as a foundation -- is inexcusable security policy, and worse PR policy. If their reaction was "oops we missed that", okay, put it in the list of stuff to get done. But "we don't consider that worth fixing", when other respected groups did, is arrogant and unwise, and gets the anti-Apple tech writers all warm and juicy.

I understand quite well that the vuln is not exploitable as things stand today (non-exec memory); that's the only reason it's not a black eye for Apple, but merely an embarrassment.

Fixing security vulns is part of my professional job (I'm Director of System Admin at my company), and I have to make decisions like that every week, and sometimes I let non-critical things wait. But we're not Apple, with tons of anti-Apple writers lying in wait.

I say again, it's not mainly a technical problem. Rather, it was mostly stupid PR to leave this proto-FUD for the tech writers to find and trumpet.

10 posted on 01/09/2010 3:12:46 PM PST by dayglored (Listen, strange women lying in ponds distributing swords is no basis for a system of government!)

To: dayglored
> Sure, it's not a screaming emergency, but that's no excuse for Apple to leave it unaddressed this long:

I'm not even certain it's a "vulnerability" in OS X. The example Proof of Concept code is apparently non-working on OS X, as some people are reporting that the POC, when run on OS X.6.2, returns:

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address:
which would be consistent with the non-execute nature of the memory locations of the data stacks and heaps . . . perhaps it's a total non-issue.

If it can't do any damage, IS it a vulnerability? If it can't work, can it be a vulnerability? Look at the actual wording of the article (the stress is mine):

"The vulnerability is a potential buffer overflow error arising from the use of the strtod function Mac OS X's underlying Unix code."

"Potential" is a big word in this context... and with Apple using non-execute memory locations for the data that is at risk for this overflow, it seems to obviate this potential risk. It also seems to me from reading the description of the PoC, that they are assuming that is a threat to OS X because it is in the underlying UNIX code.

It also may have been fixed in one of the Apple patches. Apple mentioned in one of the recent security updates that they had repaired several inconsequential buffer overflows in old code. Perhaps this is one of the unnamed buffer overflows, and Security Associates is making the assumption that, just because Apple did not address it by name as a "serious" vulnerability (because Apple did not consider it one), it's still open.

11 posted on 01/09/2010 4:50:26 PM PST by Swordmaker (Remember, the proper pronunciation of IE isAAAAIIIIIEEEEEEE!)

To: donozark
> I believe Apple stopped providing security updates for OS X Tiger last month. That, coupled with all the problems Mediacom (my ISP) has bestowed upon its customers, plus the failure of my iBook's tracking pad have made my Internet experience rather painful for the last month or so...

I don't believe that is the case. I can find no reports of OS X support discontinuation. Apple's policy is to support the OS for five years from the release date. That would put the discontinuation next November 2010. Apple has released a Security update for Safari 4 for OS X.4, OS X.5 and OS X.6 in November 2009 which would be consistent with their policies.

For your iBook... try plugging in a standard two button scroll mouse and using it until you can get your laptop repaired.

12 posted on 01/09/2010 5:21:54 PM PST by Swordmaker (Remember, the proper pronunciation of IE isAAAAIIIIIEEEEEEE!)

To: Swordmaker; TheBattman
> If it can't do any damage, IS it a vulnerability? If it can't work, can it be a vulnerability? Look at the actual wording of the article (the stress is mine): "The vulnerability is a potential buffer overflow error arising from the use of the strtod function Mac OS X's underlying Unix code."

I think you guys are missing the point.

The strtod() function has a bug -- a software mistake, a flaw, something done wrong -- which allows buffer overrun. Lots of the original Unix library functions had these, because they didn't check for boundary conditions or limit input length or something similar. Those functions, as classic and historic as they are, are insecure, and are not to be used in a secure operating system.

How hard is this to understand? It's a known bug, with a known fix that is not difficult. And there's a working applicable example of the fix in FreeBSD.

The fact that the no-exec feature keeps the bug from being overtly dangerous DOES NOT EXCUSE LEAVING IT THERE UNFIXED. It's stuff like this that justifies the anti-Apple slurs about Apple being arrogant. As an Apple customer, I find that very unfortunate.

Many years ago, a Microsoft spokesman was asked to justify the fact that Windows and Office were shipped with known bugs that could have been fixed, but weren't. The answer was, "Our customers don't want perfection. They want a product that is 'good enough' to use. So that's our criterion. And we think that our software, bugs and all, is good enough for you."

I find Microsoft's haughty attitude offensive, and I am sorry to see that Apple has apparently adopted it.

As I said twice above, the problem is NOT technical. The problem is that Apple paints a big "KICK ME" on their own butt by leaving something like this unaddressed, knowing that anti-Apple tech writers salivate over the possibility of composing headlines like "Mac OS X Vulnerability Goes Unpatched For Months". As above, it's just stupid PR.

13 posted on 01/09/2010 8:32:11 PM PST by dayglored (Listen, strange women lying in ponds distributing swords is no basis for a system of government!)
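
The strtod() flaw argued about in this post lives in the C library itself, so only the vendor can fix it there; an added example (written for this page, not code from the advisory, Apple, FreeBSD, or anyone in the thread) of what a calling application can do in the meantime: bound and whitelist the numeric text before libc ever parses it. The 64-byte cap, the accepted decimal grammar, and the names safe_strtod / parse_or_nan / match_decimal are assumptions chosen here.

```c
/* Added example, not from the thread or the advisory: a caller-side guard
 * around strtod(). The length cap, accepted grammar and function names are
 * assumptions made for this illustration. */
#include <ctype.h>
#include <errno.h>
#include <math.h>
#include <stdlib.h>
#include <string.h>

#define MAX_NUM_LEN 64  /* assumed cap; a double never needs this many chars */

/* Validate [+-]digits[.digits][(e|E)[+-]digits] and reject everything else,
 * including hex floats, "nan"/"inf" and whitespace that strtod would accept.
 * Returns the number of bytes matched, or 0 if the string is not acceptable. */
static size_t match_decimal(const char *s)
{
    size_t i = 0, digits = 0;
    if (s[i] == '+' || s[i] == '-') i++;
    while (isdigit((unsigned char)s[i])) { i++; digits++; }
    if (s[i] == '.') {
        i++;
        while (isdigit((unsigned char)s[i])) { i++; digits++; }
    }
    if (digits == 0) return 0;
    if (s[i] == 'e' || s[i] == 'E') {
        size_t exp_digits = 0;
        i++;
        if (s[i] == '+' || s[i] == '-') i++;
        while (isdigit((unsigned char)s[i])) { i++; exp_digits++; }
        if (exp_digits == 0) return 0;
    }
    return s[i] == '\0' ? i : 0;   /* trailing junk -> reject */
}

/* Returns 0 and stores the value on success, -1 on rejection. The string is
 * bounded and validated before libc sees it, so an overlong or malformed
 * numeric string never reaches the library's floating-point parser. */
int safe_strtod(const char *s, double *out)
{
    size_t n = strlen(s);
    if (n == 0 || n > MAX_NUM_LEN) return -1;       /* empty or overlong */
    if (match_decimal(s) != n) return -1;           /* not plain decimal */

    char *end = NULL;
    errno = 0;
    double v = strtod(s, &end);
    if (end != s + n) return -1;                    /* libc disagreed with us */
    if (errno == ERANGE || !isfinite(v)) return -1; /* overflow or underflow */
    *out = v;
    return 0;
}

/* Convenience wrapper: NAN signals rejection. */
double parse_or_nan(const char *s)
{
    double v;
    return safe_strtod(s, &v) == 0 ? v : NAN;
}
```

Rejecting the input at the application boundary does not repair libc, but it keeps attacker-controlled strings of arbitrary length away from the vulnerable code path until the vendor patch arrives.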

To: dayglored
> How hard is this to understand? It's a known bug, with a known fix that is not difficult. And there's a working applicable example of the fix in FreeBSD.

I am not sure whether it has, or has not been fixed, Dayglored. Apple stated in one of their last security releases that they had fixed several minor buffer overflows without enumerating or naming them. This particular issue does not work, one way or the other, with the PoC example, so it cannot be tested with what we have at hand.

Apple, being their usual closed mouthed selves, is not talking.

I think, that BSD being fixed, that Apple probably included the fix with the update. It would be too easy not to.

When Windows 98 was released, Windows 95 still had 16,000 unfixed flaws. There were over 12,000 unfixed flaws in 98 when XP was released. Most of those flaws were flaws without consequence. . . but some, obviously, were not. Apple's approach, in this instance, made this flaw inconsequential. Perhaps it was fixed, perhaps not.

The point I am making is that these guys reporting really don't know whether the flaw still exists in OSX.6.2 or not... Their "exploit" fails to execute in OS X. . . but they announce anyway, using mealy mouth words like "potential buffer overflow error," and "But Apple apparently has not yet updated its software to incorporate the fix"? It smacks of not really researching the issue to find out if it exists or not. That makes this article almost pure FUD.

14 posted on 01/09/2010 9:14:08 PM PST by Swordmaker (Remember, the proper pronunciation of IE isAAAAIIIIIEEEEEEE!)

To: Swordmaker

“Mac users still on Mac OS X 10.4 (Tiger) systems should be aware that there are no further security or system patches planned for these systems.” Source: www.9to5mac.com

I have a RAD TECH mouse that works fine on my iBook. But still miss the ease of track pad while in truck/airport/etc.

There were so many complaints about the track pads on Apple iBooks that company should have recalled/replaced free of charge.


15 posted on 01/10/2010 4:03:28 AM PST by donozark (Beware the Impostor from Mombasa!)

To: Swordmaker
> Apple, being their usual closed mouthed selves, is not talking [about whether they fixed this flaw or not]. I think, that BSD being fixed, that Apple probably included the fix with the update. It would be too easy not to.

Then we agree. Apple has the ability to remove their self-applied "KICK ME" sign, simply by stating (on a support forum or news page, or in conversation with a tech writer), "Oh yeah, that one, that was fixed {whenever}."

Until they do, this article, FUD though it may be, still stands unchallenged, which is dumb PR, but entirely their choice.

Onward, to the next pre-tablet FUD (you know it's coming)... :)

16 posted on 01/10/2010 10:19:10 AM PST by dayglored (Listen, strange women lying in ponds distributing swords is no basis for a system of government!)

To: donozark
> "Mac users still on Mac OS X 10.4 (Tiger) systems should be aware that there are no further security or system patches planned for these systems." Source: www.9to5mac.com

That's not confirmed by Apple. Apple has not officially stopped support for Tiger and as of November still issued security updates for Safari for Tiger. . . so until Apple says there will be no more support, or until five years since intro, I wouldn't worry too much.

17 posted on 01/10/2010 12:22:44 PM PST by Swordmaker (Remember, the proper pronunciation of IE isAAAAIIIIIEEEEEEE!)

To: Swordmaker

I would hope you are correct. But as of 5 minutes ago, I’ve had no updates in 2 months. I do not recall a time when I went 2 months without an update of some type...In the last 5 years anyway-that I’ve used my iBook.


18 posted on 01/11/2010 5:55:40 AM PST by donozark (Beware the Impostor from Mombasa!)

To: donozark

OS X.6.2 has not had an update in two months either. The last one was November 4th. There have been a few model specific firmware updates but no general security or software updates since then other than the Java patch of December 3rd.


19 posted on 01/11/2010 12:12:39 PM PST by Swordmaker (Remember, the proper pronunciation of IE isAAAAIIIIIEEEEEEE!)

To: Swordmaker

So, is there anything going on re: updates on Tiger? If so, I’ve missed it.


20 posted on 05/27/2010 10:21:40 AM PDT by donozark (Error encountered:Location is ambiguous....)

