Mac OS X exploit code appears, takes advantage of vulnerabilities fixed by Apple last Friday

“An exploit for one of the 15 vulnerabilities patched by Apple on Friday has been posted to a malware Web site, Symantec said Monday,” Gregg Keizer reports for TechWeb.

“The code, which has appeared on the ‘milw0rm’ site, exploits a bug that Apple Computer identified within the operating system’s kernel,” Keizer reports.

“‘The exploit payload executes /usr/bin/id, and as such would need to be replaced with a more useful payload to be used effectively,’ noted Symantec in an alert to customers of its DeepSight threat system,” Keizer reports.

Keizer reports, “Apple patched the flaw in the Mac OS X 10.4.8 upgrade it rolled out on its download site and made available via automatic update on Friday.”

Full article here.

MacDailyNews Take: This is not the first time malware for already-patched systems (for Mac, Mac OS X, Windows, Linux, etc.) has appeared – and it certainly won’t be the last. In related news, a Mr. J. Sixpack of East Bumfsck, Ohio, solved last week’s NY Times crossword puzzle just days after The NY Times published the answers. Congrats!

Note to Mac OS X users: run Software Update or click the related article below for links to update your systems. Note to all personal computer users: keep your system up-to-date and do not download, install and run software from untrusted sources.
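The check behind that note, as an added example that is not from the article, Symantec or Apple: a small POSIX shell script that compares the installed Mac OS X version against the patched release (10.4.8, per the article) and, on a Mac, lists pending updates with Apple’s own `softwareupdate` command. The version comparison is done field by field as integers, because a plain string comparison would rank a hypothetical 10.4.10 below 10.4.8. The only commands assumed to exist are `sw_vers` and `softwareupdate`, both of which ship with Mac OS X; on any other system the script only exercises the comparison.

```shell
#!/bin/sh
# Added example, not code from the MacDailyNews page or from Apple.
# Assumes only `sw_vers -productVersion` and `softwareupdate -l`, which
# ship with Mac OS X; elsewhere only the pure-shell comparison runs.

PATCHED_VERSION="10.4.8"   # Tiger release carrying the kernel fix (per the article)

# version_ge A B: return 0 if dotted version A >= B, else 1.
# Compares numeric fields left to right; a missing field counts as 0,
# so "10.4" < "10.4.8" and "10.4.10" > "10.4.8". Non-numeric fields
# (e.g. "10.4.8b1") are not expected here.
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"
        x="${x:-0}";  y="${y:-0}"
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    return 0
}

# patch_status VERSION: print one of
#   patched       - Tiger at or above 10.4.8
#   needs-10.4.8  - Tiger older than 10.4.8; run Software Update
#   not-tiger     - another release; the 10.4.8 comparison says nothing about it
patch_status() {
    v="$1"
    case "$v" in
        10.4|10.4.*)
            if version_ge "$v" "$PATCHED_VERSION"; then
                echo "patched"
            else
                echo "needs-10.4.8"
            fi ;;
        *)
            echo "not-tiger" ;;
    esac
}

# Live check, only where the Mac OS X tools exist.
if command -v sw_vers >/dev/null 2>&1; then
    current="$(sw_vers -productVersion)"
    status="$(patch_status "$current")"
    echo "installed Mac OS X $current: $status"
    if [ "$status" = "needs-10.4.8" ]; then
        softwareupdate -l   # list available updates (needs a network connection)
    fi
fi
```

On a Mac, run it as a normal user; `softwareupdate -l` only lists what is pending and does not install anything, so the installation step stays with Software Update (or `softwareupdate -i` run by an administrator).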

Related article:
Apple releases Mac OS X Tiger 10.4.8 – September 29, 2006

35 Comments

  1. “That’s nothing, I picked the winner of last year’s SuperBowl within mere minutes of its conclusion.”
    Mozfan, you’re good, I saw the game twice and my guys lost both times…..
    mw: slowly, as it’s slowly starting to sink (in)

  2. That’s what I love about Software Update; it takes care of everything right away, and doesn’t make a move without your knowing what’s going on.

    Speaking of which, can someone tell me why my Software Update isn’t coming up when it finds new software (as in automatically)? I have it set for daily in the prefs, and my sister’s G3 has the same setup, and hers comes up right away.

    It’s not a big deal but it’s been on my mind for awhile.

  3. OzzysCross101,

    Toss out Software Update’s prefs file: “com.apple.SoftwareUpdate.plist”
    (in User/Library/Preferences). Run Software Update and set your desired preferences. It should work then – sounds like you may have a corrupted prefs file.

    Mac OS X isn’t perfect, but it sure is closer to perfection than any other OS available.

  4. Thanks Fred. I tried that before, but I think that I deleted the prefs for Software Update from the system on my external at the time.

    If there’s an app that doesn’t work, first try deleting the prefs; usually that does the trick. That’s what I love (also) about OS X. And if something quits twice, it gives you the “Try Again” choice, thus deleting the old preferences and making new ones. It’s a smart system, and worlds more efficient than anything else out there.

    MW: My Software Update works!

  5. Hmmm… said “I wonder if the Combo Updater theory is the same kind of voodoo as repairing permissions.”

    Well, I use Software Update and have never had problems after an update.

    But I do run permissions repair before and after updates.

    Guess what? Several permissions were changed after the update to 10.4.8. So I think running it was justified.

  6. @”Hmmm…”

    Sometimes if your system has a piece missing/damaged, the combo updater will fix the issue, whereas the delta updater will not. Let’s say I haven’t had any issues using the combo updaters exclusively.

    I also repair permissions occasionally, but not religiously every time I update the OS. It has fixed some problems I’ve had on the Macs at work.

  7. When you have “daily” selected, it runs every 24 hours from the last time you ran it, whether it was automatically or manually. For example, if you manually did an update at 6pm, it won’t check it automatically until 6pm the next day. Your sister’s Mac could be checking the updates automatically at 7am.

    After making sure it automatically checks for updates daily, do a manual check at 1am, and you should no longer have that problem. Then go see if you have a life. There is no preferences or auto update for that, you have to do a “Get-a-Life” check manually. I can’t imagine anyone so concerned what time of day their Mac does its updates. A 24 hour wait has never been a critical issue with Apple updates.

  8. coolfactor,

    MDN – the exploit code posted on milw0rm allows for execution on 10.3 systems! Apple didn’t patch that last Friday, just 10.4.

    Did your teachers ever write “does not follow directions well” on your report cards?

    MDN wrote, “…Click the related article below for links to update your systems.”

    Doing so reveals links to patch Mac OS X 10.3 systems.

    Sheesh.

  9. Don’t know if anyone else experienced this but after the most recent Apple updates I ran “repair permissions” and Disk Utility. On my 2 Macs after the update I had some HD errors. They could have been there before?

    Disk Utility was able to fix the errors but it was curious that both computers had similar errors/ almost identical errors. I didn’t write them down.

    One computer is a PowerMac and one is an Intel Mac laptop.

  10. Uhhh… Does anyone want to explain what exactly this exploit does, and what you would have to do to get attacked? We’ve been through this song-and-dance before, and we usually learn that something ridiculous is required, like download a file, unzip it, open it, and enter your admin password even though you didn’t think you were running a program. This code that gets executed — what privileges does it run with?

    In short — what the fsck does it do?!?!?

    I get sick of this mentality that the less precisely described an exploit is, the more terrifying its potential. “It can execute arbitrary code! Why, that means it could do ANYTHING!! AAaaaAAaaaAAAAaaAAHH!!” Yeah, well, there are varying degrees of “anything”, some less terrifying than others.

  11. Friday to Monday isn’t anything to crow about. Many users have automatic SWU checks turned off. Crowing is stupid. One day there won’t be a weekend and when a bunch of Macs get hit it will be all over the front page of everything except Apple’s brochures & MDN.

  12. This is a great business model….

    1) Wait for a Software Update.

    2)Look at the bugs it fixes, and then announce an exploit based on the fix.

    3) Tell people they need their software to prevent the exploit.

  13. A vulnerability is one thing, but an actual virus is another. There have been many reports about so called vulnerabilities and yet none have been proven to work in the wild against real OSX machines. So the whole story is moot once again. FUD!

  14. I find a head in the sand attitude on today’s news.
    This is actually a serious vulnerability and a shade of things to come to the MacOS. Denying their existence does not make them go away – ask Microsoft.

  15. This is a privilege escalation attack for a logged in user.

    In other words, a user has run this attack on an unpatched OSX box to achieve ‘root’ privileges.

    Application? This would be a good entrance for a trojan. You’d have to package up a safe-looking .dmg file for ‘solitaire’ or something, and then have this exploit run to achieve ‘root’ power, and then do something nasty in the background (like run a netcat instance or something with a pinger notifier) to allow remote access, or maybe run a keylogger, or something similar.

    Is this a problem? Sure. But, it’s easily patchable for tiger users (there’s a 3rd party patch for Panther users) and honestly… it’s no more dangerous than hiding a shell script in an install package.

    *yawn*

  16. AlexD and Peterson:

    Exactly how is this being denied? It’s already been stated it’s a POTENTIAL problem that was patched last week. And it was also stated above that it’s common knowledge that OS X has vulnerabilities that are patched as they come up. What more do you want?
