Free Republic
News/Activism


Ancient flaws leave OS X vulnerable?
ZDNet | 25 January 2006 02:11 PM | Munir Kotadia

Posted on 01/26/2006 3:25:15 PM PST by Salo

OS X contains unpatched security flaws of a type that were fixed on alternative operating systems more than a decade ago, according to a security researcher credited with finding numerous bugs in Apple's increasingly popular platform.

Neil Archibald, senior security researcher at software security specialists Suresec, told ZDNet Australia that as Apple's market share increases, OS X will come under more scrutiny by security researchers, who he believes will find plenty of "low-hanging bugs".

Archibald, who has already discovered a number of security vulnerabilities in OS X, speculates that should Apple's market share continue to increase, users of the platform could actually end up less secure than users of other platforms such as Microsoft Windows or Linux.

"The only thing which has kept Mac OS X relatively safe up until now is the fact that the market share is significantly lower than that of Microsoft Windows or the more common UNIX platforms.… If this situation was to change, in my opinion, things could be a lot worse on Mac OS X than they currently are on other operating systems, regarding security vulnerabilities," said Archibald.

Archibald said his opinion is justified because Apple does not run software auditing tools over enough of its code. Microsoft has used such tools heavily since it launched its Trustworthy Computing initiative, in order to catch simple coding mistakes such as the unchecked copies that lead to buffer overflows.

"The code that Apple uses in its applications and libraries is relatively under-audited, which leaves a lot of low hanging bugs.… Some of the security vulnerabilities we've seen during research on OS X were fixed on most other operating systems 10 to 15 years ago," said Archibald.
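As an added illustration of what a "low-hanging bug" of this type looks like, and why an auditing tool finds it with "a simple glance over the code": below is a classic unbounded string copy into a fixed-size stack buffer next to a bounds-checked rewrite. This is example code written for this page; it is not from the article, from Suresec's research or from any Apple source, and the function names, the 16-byte buffer size and the sample inputs are all constructed for the illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Illustrative example only: nothing here is OS X or Apple code.
 * NAME_MAX and the function names are assumptions for the demo. */
#define NAME_MAX 16

/* VULNERABLE: copies caller-controlled input into a fixed-size stack
 * buffer with no length check. Any input of NAME_MAX bytes or more
 * writes past 'name' into adjacent stack memory (saved registers, the
 * return address), which is the root cause of classic stack smashing.
 * Auditing tools flag every unbounded strcpy()/sprintf()/gets() for
 * exactly this reason. Only ever called with a short constant below. */
void set_name_unsafe(const char *input)
{
    char name[NAME_MAX];
    strcpy(name, input);            /* no bound: overflows if strlen(input) >= NAME_MAX */
    printf("hello, %s\n", name);
}

/* HARDENED: refuses input that does not fit, never reads past dst_len
 * bytes of the source, and always NUL-terminates the destination.
 * Returns 0 on success, -1 if the input is missing or too long. */
int set_name_safe(char *dst, size_t dst_len, const char *input)
{
    const char *end;
    size_t n;

    if (dst == NULL || input == NULL || dst_len == 0)
        return -1;
    /* Look for the terminator within the first dst_len bytes only. If it
     * is not there, the string needs at least dst_len+1 bytes: reject. */
    end = memchr(input, '\0', dst_len);
    if (end == NULL)
        return -1;
    n = (size_t)(end - input);      /* n <= dst_len - 1, so the NUL fits */
    memcpy(dst, input, n);
    dst[n] = '\0';
    return 0;
}

/* Exercises set_name_safe() against a NAME_MAX-byte buffer and returns
 * its status code, so the accept/reject boundary can be checked. */
int safe_name_status(const char *input)
{
    char name[NAME_MAX];
    return set_name_safe(name, sizeof name, input);
}

/* How many bytes set_name_unsafe() would write beyond its buffer for
 * this input (0 if it fits). strcpy() writes strlen(input)+1 bytes. */
size_t unsafe_overflow_bytes(const char *input)
{
    size_t need = strlen(input) + 1;
    return need > NAME_MAX ? need - NAME_MAX : 0;
}

int main(void)
{
    /* Constructed sample inputs: one that fits, one 40-byte overrun. */
    const char *ok   = "alice";
    const char *evil = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";

    set_name_unsafe(ok);            /* short input: behaves normally */
    printf("unsafe copy would overrun by %zu bytes on the long input\n",
           unsafe_overflow_bytes(evil));
    printf("safe(ok)   = %d\n", safe_name_status(ok));   /* 0  */
    printf("safe(evil) = %d\n", safe_name_status(evil)); /* -1 */
    return 0;
}
```

The hardened version is deliberately explicit rather than relying on strncpy(), which neither guarantees termination nor reports truncation; returning an error on oversize input is what lets the caller treat the condition as hostile rather than silently clipping it.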

To prove his point, Archibald gave a number of examples.

In August last year, Apple patched the "dsidentity" bug, which was discovered by Archibald and affected OS X versions 10.4.x up to 10.4.2.

This "trivial" bug, according to Archibald, could easily have been exploited to grant a non-privileged user admin rights and allow that user to create and remove "root" user accounts.

"Bugs like this require a simple glance over the code to notice and are long dead on other operating systems.… When we spoke to Apple on the phone about this issue, the security team had never even heard of the application, and burst out laughing at the simplicity of the vulnerability," said Archibald.

He also described another recently patched flaw in OS X's memory allocator that could allow certain applications to overwrite any file on the system and gain root privileges.

Another vulnerability described by Archibald could allow memory corruption and hand control of a process over to an attacker: "At the time of writing, the vulnerability remains unpatched. However Apple is aware it exists."

Software auditing is not the only thing Apple underutilises, according to Archibald, who also criticised the manner in which the Mac maker deals with security researchers that discover vulnerabilities.

"In my experience -- which is also the experience of some of my peers -- Apple has been very slow to respond to reported security vulnerabilities. It expects security researchers to wait indefinitely to release the vulnerabilities and offers no incentive for them to do so," said Archibald.

Apple's impressive security record is likely to be tarnished if the company continues to grow its market share while undervaluing security researchers and not properly auditing its code: "During the small time Suresec researchers spent auditing Mac OS X, many vulnerabilities like this turned up. Suresec is currently aware of many bugs which exist by default in the latest version of Mac OS X, on both the Intel and PPC Architecture."

Apple refused to comment on Archibald's views. A spokesperson for Apple told ZDNet Australia that the company is "not going to comment on what other people say about Mac OS X".

"There's a lot of information on Mac OS X security on our Web site and we've done a great deal to ensure Mac OS X is a stable and secure platform for our customers, large and small," the spokesperson added.


TOPICS: Business/Economy; Technical
KEYWORDS: apple; fud; osx; security
To: Swordmaker

I am running 10.4.4 and don't remember being asked to approve the download. Perhaps I set a preference in a way I should not have. I have also downloaded quite a few freeware widgets and other apps from Version Tracker and the Mozilla/Firefox websites. Is it possible that something I installed requires being a user to function? Some that come to mind are Automator and Quicksilver. I disable the strangers and I have trashed Quicksilver.

Thanks.


41 posted on 01/27/2006 1:22:41 AM PST by Mind-numbed Robot (Not all that needs to be done needs to be done by the government.)

To: Salo
OSX's bugs are insignificant compared to Windows. I'm not even running an anti-virus program on my Mac Mini. The firewall is good but I've backed it up with Intego's NetBarrier X and I'm pretty secure when I surf online. To install software on Apple on OSX, a user needs to OK it first. There are no exploits to run malware on an Apple machine. As far as security goes, you don't really have to worry about it and I don't think that's likely to change if the market grows. Linux doesn't get viruses and malware either. No UNIX based OS in existence has faced that problem.

(Denny Crane: "I Don't Want To Socialize With A Pinko Liberal Democrat Commie. Say What You Like About Republicans. We Stick To Our Convictions. Even When We Know We're Dead Wrong.")

42 posted on 01/27/2006 1:29:44 AM PST by goldstategop (In Memory Of A Dearly Beloved Friend Who Lives On In My Heart Forever)

To: Mind-numbed Robot
You should have typed in a password when you set up Mac OSX. You can skip it and you probably did, but the need for a password keeps stuff from being installed on OSX that you don't want. The reason malware can't embed itself in OSX is there's no registry to write to. Every program goes in the Applications Folder and unless one comes with a dedicated installer/uninstaller, you normally drag the icon out of the virtual mounted drive and drop it in the App Folder and it will auto-install. When you want to get rid of it, you drag the icon out to the Trash, drop it in the can and click Empty Trash Can. *Poof* it's gone forever!

(Denny Crane: "I Don't Want To Socialize With A Pinko Liberal Democrat Commie. Say What You Like About Republicans. We Stick To Our Convictions. Even When We Know We're Dead Wrong.")

43 posted on 01/27/2006 1:39:01 AM PST by goldstategop (In Memory Of A Dearly Beloved Friend Who Lives On In My Heart Forever)

To: goldstategop

Thanks. Now I do remember having to enter a password to install apps sometimes. However, with others I just drag them to the apps folder without a password (I think). Is it possible that some of the apps that control workflow, I guess they are setting up macros based on my mouse clicks, etc., have to establish themselves as a user to operate?


44 posted on 01/27/2006 1:53:04 AM PST by Mind-numbed Robot (Not all that needs to be done needs to be done by the government.)

To: Mind-numbed Robot

Try Little Snitch, pref pane program.
http://www.obdev.at/products/littlesnitch/index.html


45 posted on 01/27/2006 4:14:28 AM PST by bwteim (Begin With The End In Mind)

To: Terpfen

I don't know.... Hi, my name is Bill and imma Mac User :)


46 posted on 01/27/2006 6:42:26 AM PST by joesnuffy (A camel once bit our sister.. but we knew what to do.. we gathered rocks and squashed her!)

To: savedbygrace

Good one.


47 posted on 01/27/2006 7:10:56 AM PST by sarasota

To: Revel

Creative types love that imagery.


48 posted on 01/27/2006 7:15:01 AM PST by sarasota

To: bwteim

Thanks. I had Little Snitch installed awhile back but it kept going off so much I finally trashed it. I'll try it again.


49 posted on 01/27/2006 8:00:24 AM PST by Mind-numbed Robot (Not all that needs to be done needs to be done by the government.)

To: joesnuffy
When you've swallowed the cult's line long enough you can only function in denial...

Spoken like a true worshipper of Bill Gates.....

50 posted on 01/27/2006 4:57:13 PM PST by TheBattman (Islam (and liberalism)- the cult of Satan and a Cancer on Society)

To: sarasota
Creative types love that imagery.

Please, tell us more about these "creative types".

- SlowBoat407
Video Producer
Writer
Graphic artist
Mac User

51 posted on 01/27/2006 5:01:38 PM PST by SlowBoat407 (The best stuff happens just before the thread snaps.)

To: brownsfan

What is your definition of "hobbyist friendly"? No - it's just about impossible to build a "Mac" from scratch. But on the other hand, over the years of being a Mac owner, I have done everything from cooling modifications, to HD replacements, case modifications, processor upgrades, processor overclocking, etc. Maybe not what you meant - but I have done all I ever cared to with my computers....


52 posted on 01/27/2006 5:02:23 PM PST by TheBattman (Islam (and liberalism)- the cult of Satan and a Cancer on Society)

To: proxy_user

I suspect that most OS X security flaws involve the hacker gaining physical access to the computer, or for the user to install a trojan of some kind.

In terms of personal computing, if the hacker has physical access to your computer you have other more serious problems.


53 posted on 01/27/2006 9:19:28 PM PST by coconutt2000 (NO MORE PEACE FOR OIL!!! DOWN WITH TYRANTS, TERRORISTS, AND TIMIDCRATS!!!! (3-T's For World Peace))

To: SlowBoat407

It's just an opinion, not a solicitation for weekend homework.


54 posted on 01/28/2006 3:27:05 PM PST by sarasota

To: sarasota

Please explain your comment. I'm afraid I don't understand. If you have something against "creative types", you'll have to be a little more clear about what it is that bothers you.


55 posted on 01/28/2006 4:05:30 PM PST by SlowBoat407 (The best stuff happens just before the thread snaps.)

To: SlowBoat407

Good Lord, no, I don't have anything against creative types. While I consider myself one, I lack the skills to create on my iBook, but I would never purchase a system that isn't Apple. My daughter is the truly creative one in the family--I'm still in the paper/pencil/pen era! My reference was to an ad (which I haven't seen, alas), speculating that it would appeal to the more creative individuals, which I think is Apple's target audience? I have overstated my case and certainly didn't mean any disrespect. :o)


56 posted on 01/29/2006 6:09:55 AM PST by sarasota

To: Salo

Ancient flaws? Sounds like Jobs used code he found in hieroglyphics from an Inca tomb.


57 posted on 01/29/2006 6:15:39 AM PST by TC Rider (The United States Constitution © 1791. All Rights Reserved.)

To: Revel

They've targeted women and mothers who make the biggest decisions regarding household purchases....single women and single moms especially.


58 posted on 01/29/2006 6:15:45 AM PST by mdmathis6 (Proof against evolution:"Man is the only creature that blushes, or needs to" M.Twain)


Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.

FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson