Free Republic
Browse · Search
News/Activism
Topics · Post Article

Skip to comments.

Remote Root Exploit in Mac OS X
carrel.org ^ | 11/26/03 | William Carrel

Posted on 11/26/2003 1:31:31 PM PST by general_re

click here to read article


Navigation: use the links below to view more comments.
first previous 1-2021-4041-6061-79 last
To: ThinkDifferent
You *must* have access to the same subnet as the target. You can't attack a random Mac on the Internet with this technique. The main threat seems to be for the Starbucks wireless user.

Not just Starbucks. Any LAN/WAN environment that has Macs connected to it that uses DHCP -- which is nearly all of them.
61 posted on 11/27/2003 6:35:28 PM PST by Bush2000
[ Post Reply | Private Reply | To 56 | View Replies]

To: HAL9000
Settle down, Thomas. There are no reports that anyone in the real world has been attacked with this exploit. The patch will be available in a few days, after it has been tested.

I'm not troubled in the least, Hal. But, then again, I don't use a Mac ... so there's no need for worry. ;-p
62 posted on 11/27/2003 6:36:37 PM PST by Bush2000
[ Post Reply | Private Reply | To 58 | View Replies]

To: BureaucratusMaximus

63 posted on 11/27/2003 6:58:43 PM PST by Petronski (I'm *NOT* always *CRANKY.*™)
[ Post Reply | Private Reply | To 44 | View Replies]

To: Bush2000
Yeah, you have other bugs to worry about. :)
64 posted on 11/27/2003 7:04:50 PM PST by Liberal Classic (No better friend, no worse enemy.)
[ Post Reply | Private Reply | To 62 | View Replies]

To: Bush2000
No, Mr. 2000, read Apple's instructions in Reply #60.

You are claiming much more than you know. Which is apparentlyh not much!
65 posted on 11/27/2003 7:08:34 PM PST by Swordmaker
[ Post Reply | Private Reply | To 61 | View Replies]

To: Bush2000
Oh, by the way, just how many CRITICAL security issues were announced for your Windows system this year???

I've lost count.

I've made a lot of money fixing and patching them for my Windows clients, though.
66 posted on 11/27/2003 7:11:11 PM PST by Swordmaker
[ Post Reply | Private Reply | To 62 | View Replies]

To: Bush2000
"Repeat after me: "OSX is se-currrrrrrrrrrrrrrrrrre....." BWAHAHAHAHAHAHAHAHAHAHAHAHA!"

He's getting slow, it took 5 posts for him to show up.

Bill from Nutley,
Apple user since 1987
67 posted on 11/27/2003 7:27:45 PM PST by njmaugbill
[ Post Reply | Private Reply | To 6 | View Replies]

To: Swordmaker
Oh, by the way, just how many CRITICAL security issues were announced for your Windows system this year???

Changing the subject won't sweep this under the rug, Mac fanboy.

But since you raised the issue, I could care less. My box has never been exploited. It's locked down so tightly that you simply wouldn't be successful attacking it. And that's without applying security updates regularly.
68 posted on 11/27/2003 8:20:16 PM PST by Bush2000
[ Post Reply | Private Reply | To 66 | View Replies]

To: Bush2000
Changing the subject won't sweep this under the rug, Mac fanboy.

Again, Windows Fanboy, you run true to type... insulting people who choose something different than you do. How do you treat people who drive a different make of automobile?

Additionally, no one is changing the subject. We are discussing computer security and the RELATIVE merits of two platforms. No matter how you cut it, the Windows vulnerabilities are far greater than OS-X's vulnerabilities.

My box has never been exploited. It's locked down so tightly that you simply wouldn't be successful attacking it. And that's without applying security updates regularly.

My computer has never been exploited either... and that is without "locking it down so tightly." When I learned of this security issue, I evaluated, found it would apply only to a VERY MINISCULE number of Mac users ( and certainly not to me ), I assigned it the very low priority that Apple also assigned it.

But since you raised the issue, I could care less.

Then WHY do you post in every one of these threads???

"Quite frankly, Scarlet, I think you DO give a damn."

To paraphrase another writer, "Methinks the Bush2000 protesteth too much!"

69 posted on 11/27/2003 9:01:37 PM PST by Swordmaker
[ Post Reply | Private Reply | To 68 | View Replies]

To: Petronski
LMAO...you got it....that's it.
70 posted on 11/28/2003 6:16:43 AM PST by BureaucratusMaximus (if we're not going to act like a constitutional republic...lets be the best empire we can be...)
[ Post Reply | Private Reply | To 63 | View Replies]

To: Swordmaker
We are discussing computer security and the RELATIVE merits of two platforms.

No, actually, you're the one who wants to bring up Windows. Nearly everybody else is discussing OSX here.

My computer has never been exploited either... and that is without "locking it down so tightly." When I learned of this security issue, I evaluated, found it would apply only to a VERY MINISCULE number of Mac users ( and certainly not to me ), I assigned it the very low priority that Apple also assigned it.

Good thing you're not using your Mac in a corporate LAN/WAN environment. Because if you were, you're vulnerable.

Then WHY do you post in every one of these threads???

Ask yourself the same question when you visit Windows-related threads.
71 posted on 11/28/2003 10:26:16 AM PST by Bush2000
[ Post Reply | Private Reply | To 69 | View Replies]

To: Bush2000
No, actually, you're the one who wants to bring up Windows. Nearly everybody else is discussing OSX here.

Intelligent discussion requires that both parties have some knowledge or experience of the topic discussed; you do not have ANY experience with OS-X. On the other hand, I have extensive experience on both platforms which makes me more qualified then you to have an opinion. You have repeatedly spouted nonsense about this issue. For example, you very first post on this thread, which I quote:

"Repeat after me: "OSX is se-currrrrrrrrrrrrrrrrrre....." BWAHAHAHAHAHAHAHAHAHAHAHAHA!"

Now THAT is really intelligent discourse. Your second post end with your first slur on THIS thread:

"The Mac bigots tend to ignore bad news.

Of course, you Windows bigots are always extremely polite? Strange, just one reply later you insult a person YOU invited to the party who very politely requested you remove him from your ping list: "I'll bet you don't want to be pinged. Ignorance is bliss."

Next. we find you actually responding in a proper discussive manner... but that doesn't last long... at the next post we have youi agreeing with mere speculation that is contrary to the facts and ending with another: " BWAHAHAHAHAHAHAHAHAHA!" of glee. I think we see you real motive for participating in these threads.

Now returning to your last posting:

"Good thing you're not using your Mac in a corporate LAN/WAN environment. Because if you were, you're vulnerable. "

First, someone on this hypothetical corporate LAN/WAN would have to have malicious motives to damage a corporate asset... and then decide he only wanted to attack the Macs on that environment (perhaps someone who is a Windows bigot?) and then to do it ONE COMPUTER AT A TIME.. Add the chance that once the work around was known, the corporate IT guys would not have bothered to change to two minor settings on the at risk computers, which will STILL work on the network normally with those settings changed.

No, Bush2k, this is not a real big worry in the Mac world.

Am I concerned? Yes. Am I worried? No.

My point in asking about the number of critical security issues in Windows has to do with your obsession with the few that may occur in OS-X. Consider Luke 6:41:

Why do you see the speck that is in your brother's eye, but do not notice the log that is in your own eye?

The relative numbers of security issues on Mac OS-X and on Windows are equivalent to the speck and log referred to in Luke, Work on your LOG and let the Mac users worry about their SPECK!

72 posted on 11/28/2003 2:47:11 PM PST by Swordmaker
[ Post Reply | Private Reply | To 71 | View Replies]

To: Swordmaker
Intelligent discussion requires that both parties have some knowledge or experience of the topic discussed; you do not have ANY experience with OS-X.

Bzzzzzt! Wrong. I know BSD. You lose.

Of course, you Windows bigots are always extremely polite?

Straw argument. The issue wasn't politeness. It was ignoring bad news.

First, someone on this hypothetical corporate LAN/WAN would have to have malicious motives to damage a corporate asset...

Allow me to be the first to educate you: Most corporate hacks are *internal* jobs. Read When the Hacker is on the Inside.

... and then decide he only wanted to attack the Macs on that environment (perhaps someone who is a Windows bigot?) and then to do it ONE COMPUTER AT A TIME..

A malicious DHCP server doesn't have to target Macs exclusively. Where did you ever get that bogus idea? As for attacking one computer at a time, read about DHCP protocol. general_re does a good job of describing what the malicious server can do -- and it could be catastrophic. Read #47.

Add the chance that once the work around was known, the corporate IT guys would not have bothered to change to two minor settings on the at risk computers, which will STILL work on the network normally with those settings changed.

Any IT guy that would deploy a Mac in a corporate enterprise (I'm still searching for one) probably has no idea what this hack means -- or why it's dangerous -- so I wouldn't put too much faith in these sorts of things. Insider hackers could be working this weekend when the IT guys are stuffing themselves with turkey.
73 posted on 11/28/2003 7:11:19 PM PST by Bush2000
[ Post Reply | Private Reply | To 72 | View Replies]

To: Swordmaker
The relative numbers of security issues on Mac OS-X and on Windows are equivalent to the speck and log referred to in Luke, Work on your LOG and let the Mac users worry about their SPECK!

What do you expect? Practically nobody uses Macs in corporate environments.
74 posted on 11/28/2003 7:12:21 PM PST by Bush2000
[ Post Reply | Private Reply | To 72 | View Replies]

To: Bush2000
What do you expect? Practically nobody uses Macs in corporate environments.

Bush, it is not the number of Macs in corporate environment... I said relative numbers of security issues... not absolute numbers. Nor am I talking about numbers of attacks... just numbers of critical security HOLES.

As to your "knowing" BSD... BIG DEAL. I said you had no experience with OS-X and NOTHING you have said shows that you have. In fact, a LOT you have said indicates you don't know BSD. I recall having a discussion with you about the differences between ROOT and ADMINISTRATOR accesses not too long ago.

Quite frankly, Bush2k, I think you echo a lot of the dis-information you hear without really understanding it...

75 posted on 11/29/2003 12:31:27 AM PST by Swordmaker
[ Post Reply | Private Reply | To 74 | View Replies]

To: general_re
No, I just have to find a wireless user and pretend to be an LDAP server...

Now you just have to find a wireless user who is stupid enought to use no authentication to the DHCP(LDAP) server. IF they are doing that, then they are in a world of hurt to begin with.

76 posted on 11/29/2003 6:45:12 AM PST by SengirV
[ Post Reply | Private Reply | To 57 | View Replies]

To: SengirV
Given how many people like to use open WAPs, whether they're intended to be publicly accessible or not, I'd say I wouldn't have to wait too long for that. It's rather tempting to set up a WAP of my own, and start handing out DHCP leases, just to see how many I can snag - at the very least, it might provide a nasty surprise for the wardriving community ;)
77 posted on 11/29/2003 7:13:09 AM PST by general_re (If God didn't want us to eat animals, he wouldn't have made them out of meat.)
[ Post Reply | Private Reply | To 76 | View Replies]

To: general_re
"I'm not wild about people releasing vulnerabilities before a patch is available, but this does seem to be rather slow in coming...."

If the company knows about the vulnerability, you can bet that its already well known in the underground, so it helps no one to keep it secret, by letting more people in on it someone might come up with a solution faster.
78 posted on 11/29/2003 7:30:08 AM PST by battousai (Coming Soon to an election near you: Pasty White Hillary and the Nine Dwarfs!)
[ Post Reply | Private Reply | To 15 | View Replies]

To: battousai
There is always that kind of tradeoff, unfortunately. At least in this case, the discoverer did let Apple know about the problem before releasing it. That strikes me as somewhat more responsible than simply going public without even the courtesy of a note to the vendor.
79 posted on 11/29/2003 7:42:25 AM PST by general_re (If God didn't want us to eat animals, he wouldn't have made them out of meat.)
[ Post Reply | Private Reply | To 78 | View Replies]


Navigation: use the links below to view more comments.
first previous 1-2021-4041-6061-79 last

Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.

Free Republic
Browse · Search
News/Activism
Topics · Post Article

FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson