MacDailyNews - Where Mac news comes first

opps....

Flaws? All that Tim Gaden “reported” was not to open any unsolicited or suspicious files. I suppose that if intelligence or common sense cannot be your web guide then at least activate a little paranoia or cynicism regarding files that were not requested or are suspect.

Oh my, how the number of "exploits" in OSX continues to grow. Whatever shall I do? Will Vista save me from this unsecured morrass of code-slop Apple has foisted upon me, the gullible Macolyte cult member? Fool that I was to open my wallet whilst bedazzled by the pretty white plastics and Steve Jobs' RDF! Mayhaps Norton or Macaffee can rescue my delicate heinie from the perils sent me by mal-code-tents? Tell me secundia, what must I do to be safe?



Hope that was half as fun for you to read as it was for me to write. Weeks of reading idiotic posts finally got the better of me.

Apple will fix it pronto, unlike some companies that take WEEKS or MONTHS to even acknowledge they have a bad issue. coughMICROSOFTcough.

"Five of the flaws identified by Ferris relate to how Mac OS handles various image file formats--including BMP, TIFF and GIF, according to his security advisories. Another flaw involves the way OS X decompresses Zip archives. Additionally, Ferris claims to have found several bugs in Apple's Safari browser."

"The image flaws are the scariest ones, giving an attacker multiple methods of compromising a host," Ferris said. "They can be exploited to execute arbitrary code very easily and were not hard to find."

A flaw that can execute arbitrary code very easily is considered a MINOR flaw?

I love the 30,000 RPM spin of MDN. The story has been out now for days and posts that referenced it were deleted off MDN. Finally, some goofy little blog posted a suitably downplayed headline that MDN could use without getting knocked off the "invincible" throne.

Pathetic.

These assholes are doing everthing in their power to create a 'threat parity' with that of Windows XP. Reporting threats for OS X is now chic, its 'the story' for technology journalists, its the new challenge to see who can out dramatize who, to see who can wordsmith perfectly an article that creates unwarranted attention to sell whatever it is this assholes are trying to sell.

These people MUST BE HELD ACCOUNTABLE for this chicken shit journalism. They are lying ass dogs, and getting away with it.

I'll tell you what's pathetic. The friggin virus writers, even the ones that work for the anti-virus companies. Surely, they could have by now inflicted some "Blaster, I love You, Zotob, Botox" like virus on the Mac. It's been what, 5 years since Mac OS X has been released. Still, nothing.

Yeah, some vulnerabilities are found but you have to ask yourself, "why haven't they been successful in exploiting the OS". Hmmmm, could it be that the design of OS X actually takes someone with true skills to attack it. Not something your average script kiddie can do.

Go ahead Wintrolls, tell me how the low market share is the reason that no one has successfully attacked the OS. Believe me now and listen to me later, the one virus writer that is successful would garner huge fame from the virus writing community. Don't you think?

It could be another 5 years before something happens on a large scale that would harm the OS. On the other hand it may never happen because Apple is very proactive with security.

Good try "Wooooo".

This “report” is less about an inherent flaw of OS X than realization that security is a constantly moving target that requires due diligence. Until operating systems can identify all malware and destroy it before you are aware of its existence, we will have to exercise common sense and prudence concerning unsolicited or suspicious files, or visiting websites that you cannot guarantee are benign.

Ideally, Apple would be able to prospectively consider all forms of malicious code and develop the means to identify it, isolate it, and neutralize it. However, this is a daunting and time-consuming task. Realistically, it is best for Apple to consider how malware is used to cause harm and strengthen security where the greatest danger exists. This is essentially triaging real and potential attacks and organizing time and resources appropriately. With each bit of malware, released Apple has the opportunity and responsibility to develop and enhance countermeasures.

Still, one has to draw the line between poorly written code that can be repeatedly and successfully attacked, and the foolishness of the user on the keyboard. Apple’s most profound efforts to provide a secure environment are futile if the user is irresponsible.

Wooo, love the spin:

Is it known that arbitrary code sequestered in an ostensibly benign file can be installed externally on a machine without the user or administrator first giving permission? Wouldn’t deleting all unsolicited and suspicious files also delete arbitrary code?

theMacDude:

Maybe “Wooo’s” concerns and comments are based on his experience with the average Wind-blows user. This will Microsoft's message when or if Vista is released, "Security? It's not our problem, it's your gullibility."

I agree that the weakest link in security is the user, BUT, buffer overflows that can cause arbitrary code execution is quite serious considering the amount of images we all deal with on a day to day basis.

I don't think this one can totally be considered "becareful where you get those images from", because as stated - we ALL deal with tons of images day in and day out (i.e. Web Pages). I don't dismiss the concept of "becareful where you get those images from", because that is all part of safe computing practices, but this issue needs to (and hopefully will) be fixed ASAP. As far as getting unsolicited images in email - I ALWAYS keep the preference pane turned off (I hate it anyway). If the message isn't from somone I know, it is instantly deleted - attachment or not.

Now, as far as the Safari exploits with which he had the sense not to disclose to the public at large, I can't comment on as I don't know what they are. Still ANY browser exploit is a serious issue (think IE6 for Windows - STILL to this day being patched!). I've started using Camino (not out of fear of Safari exploits) but because it's fast and it's really, really good - renders twice as fast as Safari (un-scientific claim, but it is faster) and has some cool features that I like. It's Open Source so it is an ongoing project, but it is based on the Gecko rendering engine that is also found in Firefox. No RSS - yet. It's also made from the ground up to be first and foremost a Mac app (unlike a Firefox "port"), so it integrates well and is native Cocoa. Anyway...........

If buffer overflows are known to allow arbitrary code to execute, what can be done to prevent overflows or prevent execution should overflow occur?

Amazing how Apple will patch things ASAP and Microsoft takes FOREVER to fix them. Wonder if it is perhaps OS X's source code is nice, and readable, and not some kludge like Window's code most likely is......

Yeah-Yeah-Yeah. Take two aspirins and call me in the morning.

"Apple will fix it pronto, unlike some companies that take WEEKS or MONTHS to even acknowledge they have a bad issue."

Uh, read the links. These problems were reported to Apple around the beginning of the year--four months ago. Only one was fixed.

What is the purpose of these so-called security companies broadcasting flaws in software? These people seem less concerned about the end user and more interested in making it more effortless for crackers to make life more difficult for the rest of us.

Mac Users finally has to admit there's a flaw in their computers....

Windows is not so perfect after all. Suckers!

I'm very disappointed in Apple, in fact I'm not buying any of their hardware or getting anything for anyone until a proven track record of security is re-established.

I won't live with constant security threats like Windows users do. If I have too I might as well take advantage of all the software available on the Windows platform.

Listen Apple, and listen well, I buy tens of thousands of dollars of your hardware and very influential, no "reality distortion field" works with me.

Right now your company has fallen into "both operating systems are insecure, might as well get a PC" category. Enjoy it.

MDN took my post out compaining about Intellitext. They must have a bunch of money coming in wtih this pop-up box technology that's just like spambots in Windows, but it's built into the web page!

MDN, stop this evil! And stop censoring criticisms!

My preference is to not have any java while reading my script. *cough*

Thanks Andrew. Glad I could get in my daily laugh. Whenever I need a good laugh, I can always trust in your posts on MDN.

Mac OS X
Currently, 1 out of 69 Secunia advisories, are marked as "Unpatched"
in the Secunia database.

Linux Kernel 2.6.x
Currently, 14 out of 79 Secunia advisories, are marked as "Unpatched"
in the Secunia database.

Windows XP Pro
Currently, 27 out of 131 Secunia advisories, are marked as "Unpatched"
in the Secunia database.

Need to say more?

Rick, do you really think that list really makes a difference?

I'll tell you what hackers do, they look for Mac's on the internet constantly and store this list of IP addresses and other data on them.

While they are doing this they are also looking for vulnerabilities and sharing what they find with other hackers.

What they find out is in active use for months or even years before a white hat happens to come across the exploit and notifies Apple. Then it's up to several months before Apple issues a patch.

In the meanwhile your Mac is being used in a botnet or for some other purpose. Mac's have been found to be used in botnets and my machine was hacked as well.

What Apple needs to do is do what the black hats do, run software that tests every possible outcome and condition to stress the OS to find the breaks. Apple doesn't do that and there was a article from a security expert that stated the same, this is why Mac OS X has all the flaws it does.

Maybe Steve Jobs thinks that if hackers can attack Mac OS X that attention will be paid to it and market share will grow.

Maybe the exploits are know by Apple but makes users force upgrade.

Who the fsck knows, but Mac's have not a really large amount of things going for it right now except security over Windows. blow that and Apple might as well start selling Vista pre-installed.

When Mac's attack!

http://blog.washingtonpost.com/securityfix/2006/03/when_macs_attack.html

Andrew, for someone with such a proud name, you're a lame brain.

So arbitrary code could be executed... and do WHAT exactly?? Keep in mind, such code would still be subject to normal privileges!

I am so sick of Chicken Littles on this forum. And I'm so sick of Andrew/MacDude.

I have Intego's NetBarrier and Virus Barrier installed on my computers.

I don't open any attachment that I'm not expecting.

I'm wary, but not paranoid...if we start freaking out about our own computers being used as a botnet or some such, let's just shut them all down and go back to the IBM Selectric days (wonder how my typing speed is on that old monster)...

No operating system is perfect (unless, maybe, Jesus went into programming or something), but I've had less than one-eighth of the headaches my father-in-law has had with his Windows computers.

I'm not a big Ronald Reagan fan, but he said one line that applies to many situations: "Trust, but verify."

Andrew (MacDude),

Looks like you didn't read the article carefully. The problem is not with OS X. It's with PHP. Only if your running a server facing the internet with an outdated piece of PHP code would you be vulnerable. So, there was at least 1 Mac with outdated code and the author leads with it. Looks like he was looking for hits. What is 1 out of 12 million users? Very small, no?
Remember, Web sharing is off by default, and many, if not all Mac users don't have it enabled and facing the internet.

Good try though.

Andrew, thanks for giving us something to laugh at.

Shit for brains!

Whoaa, Apple is quaking in their boots, Andrews not buying. Time to get busy and see if we can get his business back.....ahhhahhhahaahah

Pea head loser!

Why do you bother?

Do you think ANYBODY cares?

Your psycho pseudo techo ramblings are so lame-oh (I would have said "turd like" but I didn't want to offend Turd Ferguson

MDN... I owe you an apology.

I've been one of the posters complaining about all of the boot camp articles.... but after today I'm gonna shut up about it.

My buddy came by today. A die hard windows user. You know the kind, takes every opportunity to email me any joke, article, or piece of negative Steve Jobs info he runs across on the net or about all things apple. A great guy, just miss-informed in the computer world.

Wellllll.... he came by today to watch the game. While he was here he complained about his nice and fairly new Dell Tower being dead, (and the horrible customer service he got on the phone last night), and his nice new Gateway laptop giving him trouble, (ditto on the bad customer service). He needed to finish a movie last night for his church to use this morning (using Vegas and Windows Movie Maker) and couldn't get it done in time because of all of the struggles he was having.

Since we email windows/mac insults to each other back and forth, I send him references from MDN about all things Mac, recently about Boot Camp. He referenced this in our conversation about his troubles and what to do to fix it.

We took his data, imported it into iMovie 06 on my 20" iMac G4, finished his project in just over an hour and burned his DVD. He can use it next week. In the course of our conversation I informed him about the speed increases in the new intel macs being 2 generations above the G4 performance he was seeing. He also asked me if the whole "xp on a mac thing" was for real.

We went to my business to check out the 20" intel core duo, 2 gb ram, with windows xp loaded onto it.
.
.
.
.
.
.

He freaked.... seriously..... he absolutely freaked out.

Straight to the apple store, bought the 20" iMac, his other computer stuff is going on ebay tomorrow. He's buying 2 gig of ram from Memory to Go.com. This is the last person I would have EVER, EVER expected to switch. To put it mildly... Hell is seriously frozen over tonight. It was Boot Camp that did it.

Here's a direct quote... "it's not Windows I'm afraid of letting go of, it's all of the windows software I've got that I don't want to have to re-buy or convert over. I can't afford to spend those kind of bucks at the same time I'm buying a new computer. Now I don't have to do that."

MDN... my apologies. Boot Camp me to death.

Nice story, Jim.

Artisticulated, yup. I had a good time reading it.

Justme2, I also use Intego's stuff. In spite of Intego's PR problem a while back, I think these two products are very good.

Guess that's it.

So arbitrary code could be executed... and do WHAT exactly?? Keep in mind, such code would still be subject to normal privileges!

Uh, as long as there is a process running (and there is code that don't even show up as a top process too!) that's malicious, it WILL get root access eventually. Naturally I can't state how, but it just takes longer that's all.

I have Intego's NetBarrier and Virus Barrier installed on my computers.

About the worst thing you can do is run/install a application to run as root, including anti-malware software. Why? the flaws the application and Apple makes changes to the OS all the time which exposes more flaws if the code is not what's expected.

I give you three examples, McAfee "Virex", Symantec "Norton AV" and the famous Sony cd rootkit.

ClamXav doesn't require root access and flags malware just fine. Why? Because those "other" commercial software have a sinister side to them, or just plain incompetance.

I don't open any attachment that I'm not expecting.

Good for you.

I'm wary, but not paranoid...if we start freaking out about our own computers being used as a botnet or some such, let's just shut them all down and go back to the IBM Selectric days (wonder how my typing speed is on that old monster)...

Actually I hear the typing speed on some of those old electric typewritters is better than the squishy Apple keyboards.

I'm not a big Ronald Reagan fan, but he said one line that applies to many situations: "Trust, but verify."

I like Little Snitch myself, try it, you'll be shocked how many programs contact the internet regularly without permisssion.

Looks like you didn't read the article carefully. The problem is not with OS X. It's with PHP....

<i>Shadowserver founder Nicholas Albright said he and his crew have found at least 20 variants of the <b>same Perl script that can be used to open back doors on OS X systems</b> running vulnerable Web applications.</i>

http://secunia.com/advisories/17922/

Yea I RTFA, did you? It's a combination of two flaws, 20 in Mac OS X "perl script" and any flaw in the web application used to get to it.

>Amazing how Apple will patch things ASAP and Microsoft takes FOREVER to fix them.

Well, these bugs were reported to Apple at the beginning of the year, and only one out of seven has so far been patched. Not exactly a lightening response. These vulnerabilities are as bad as they get, too - the ability to run arbitrary code is *not good*. The only thing protecting us at the moment is the famous "security by obscurity"...

>.So arbitrary code could be executed... and do WHAT exactly?? Keep in mind, such code would still be subject to normal privileges!

Use your imagination Lord Robin. Code with normal privileges can do all sorts of interesting things. Delete all your user files. Log your key strokes and password entries. Email information back to base. Harvest your address book for spam. Randomly corrupt your plist files so applications keep crashing. I don't know, there's a gazzillion things I can do that would render your machine unstable and insecure. Face reality - MacOS X is not invulnerable.

Here's the details on these "minor flaws":

When processing a malformed .tiff image file, the LZWDecodeVector() function does not properly parse the malformed data causing the application which it was opened with to crash. This issue is within the core .tiff parsing engine making Preview, Finder, QuickTime, and Safari potential attack vectors for this issue.
- This issue was silently fixed by Apple in update 10.4.6.

BOMArchiveHelper is the default archive file handler in Mac OS X. It runs as a service that does not have a GUI interface. It is invoked when double clicking on a archived file. A heap overflow vulnerability exists within BOMArchiveHelper which allows for an attacker to cause the application to crash, and or to execute arbitrary code on a targeted host.
- This vulnerability was to Apple on 2/21/2006. No patch is available at this time.

Multiple vulnerabilities exist within Safari 2.0.3 (417.9.2) and all prior versions which causes the application to crash, and or may allow for an attacker to execute arbitrary code.
- Currently no patches have been released for these vulnerabilities.

A heap overflow vulnerability exists when processing .bmp files which causes the application to crash, and or may allow for an attacker to execute arbitrary code on the targted host.
- Currently no patches have been released for this vulnerability.

A heap overflow vulnerability exists when processing .gif files which causes the application to crash, and or may allow for an attacker to execute arbitrary code on the targted host.
- Currently no patches have been released for this vulnerability.

When processing a malformed .tiff image file, the _cg_TIFFSetField () function does not properly parse the malformed data causing the application which it was opened with to crash. This issue is within the core .tiff parsing engine making Preview, Finder, QuickTime, and Safari potential attack vectors for this issue.
- Currently no patches have been released for this vulnerability.

When processing a malformed .tiff image file, the PredictorVSetField () function does not properly parse the malformed data causing the application which it was opened with to crash. This issue is within the core .tiff parsing engine making Preview, Finder, QuickTime, and Safari potential attack vectors for this issue.
- Currently no patches have been released for this vulnerability.

... and remember guys, every time you visit any web site, your computer is opening image files that could be installing arbitrary code on your computer. That includes the ad images on this page. Better pray that security by obscurity really does work, because it's the only line of defence left until Apple get round to patching these.

Hey, I hope you guys would be as forgiving of Microsoft as you are of Apple, if Windows was reported as having seven vulnerabilities allowing arbitrary code execution.

It's the same physcology at work, I hear it from Windows users all the time.

"No code is perfect"

"You just have to make sure you don't do *list two dozen things here* and do this *list a dozen things here* when you get a new computer.

Lets see now what we have to do to make Mac OS X secure?

1: Software update immediatly upon hooking to the internet.

2: Don't open any emails or attachments from unknown sources.

3: Don't run any program from untraceable sources as it could install a malicious program seeking root entry or be a trojan and wipe your files.

4: Don't download any files like zips, Quicktime files or what not because of the meta data exploit will run code.

5: Don't visit any sites you can't trust or click any links you don't trust because a few dozen Safari exploits will run code.

6: Install and use a non-root enabled anti-malware program to clean/check the incoming files you get from others, especially PC users because their machines may instantly be *owned* and the files maliciously sent from their address book.

7: Enable Mac OS X firewall to maximum settings and watch the log files.

8: Run a port scan occassionally to see if your ports are open when System Preferences says their not.

9: Stay glued to the internet for the latest "bad news" and latest exploits so you can take correcttive action.

10: Stay on top of applications because they are full of exploits which in turn can take over your Mac.

11: Read "Securing Mac OS X" to learn how to keep your machine secure from physical as well as internet attacks.

Holly cow, it's not that different from a Windows box, and they got more software!!!

I'll part with this.

When people drive cars, do they need to be a mechanic to keep them running?

So why does Mac users have to be computer mechanics to keep their machines running?

This minor security flaw wouldn't be the fact that half the Mac is now occupied by XP by any chance would it?

You know what I would do if I was Steve Jobs right now?

Everytime a exploit occurs and it was traced to a particular programmer, I would cut the persons toe off and feed it to them for lunch.

Then when there was no more toes I would start on the fingers and eventually they won't be able to code for anyone and the world would be a better place.

Andrew (spelt "idiot") and Head Check,

Take deep breaths and stop squeeling like 4 year old sheelas.

I have been using OSX for 5 years and never had a security issue of any sort. I am on the internet everday day, business and personal.

Prior to this I used PC's and they made my life a living hell, as someone who works on a lot of documentation. To this day, my friends who are PC users, their lives still are a living hell. One has lost 3 HDD's in 3 years. Then, he bought a new Dell 4 weeks ago and within one day it wouldn't boot due to a nasty virus. He finally realized he should have bought a mac, but for him it was too late.

Apple will "get serious" on security when it becomes a problem. The stark, obvious, blazing, hell anybody can see it, REALITY is that security is NOT a problem - nill, zero, zilch, nothing, nada - for Macs.

So stop, halt, cease and desist from writing your hysterical, farcical, Bill Gates fan boy blather.

I'm sick of coming into a mac forum and having to read this sh*t.

My apologies to everyone else.

"So why does Mac users have to be computer mechanics to keep their machines running?"

Andrew, you are an orifice of vile spewage.

I have NEVER done anything to my PM G4 dual 867 except use it, no OS installs, nothing (yes, I'm still running Jaguar, don't flame me please). Over four years, no problems yet.

If your paranoia helps you justify your existence, more power to ya.

You don't know the history of security flaws. I do.

@LordRobin"I am so sick of Chicken Littles on this forum."

I'm a little late getting back, so I doubt anyone will read this, but....

I was not "Chicken Littling" - just discussing an article that MDN thought was important enough to report. I am not paranoid, Mac OS X IS INHERENTLY more secure than Windows. It's a good thing to report and discuss these topics, they are important and should not be dismissed out of hand. That's all I am trying to say.

@Brad T "The stark, obvious, blazing, hell anybody can see it, REALITY is that security is NOT a problem - nill, zero, zilch, nothing, nada - for Macs......I'm sick of coming into a mac forum and having to read this sh*t."

Brad - First, I'm not flaming ya here. I just want to say that - you are sick of coming to Mac forums and having to hear these kinds of things? MDN felt it worthy of a report, so people responded. It's good to be notified and updated about security issues. I'm not running around saying the sky is falling, but I don't want to ignore possible threats either. Mac users don't have to take a bottle of Xanax each time they turn on their computers as do some Windows users, but we do need to stay informed. Apple has a procedure for submitting possible vulnerabilities in OS X directly to them - so this is obviously IMPORTANT TO APPLE AS WELL.

If the "The stark, obvious, blazing, hell anybody can see it, REALITY is that security is NOT a problem - nill, zero, zilch, nothing, nada - for Macs.", Then Apple wouldn't even bother to have a submission policy nor be concerned about it whatsoever. I'm gad they are...........

Ya know what I would do If I were bill gates right now?

Give all of my money away to charity as fast as possible with my darling wife Melinda trying to make a difference in the world...

... 'cause as soon as Vista finally rears it's ugly head on the planet, Microsoft will become a giant black hole, sucking in upon itself until nothing in redmond exists, except maybe a Chuck-E-Cheese or two.

At that point, everyone and her brother is going to be so pissed at Bill Gates that they won't even take a dime of his 'Monopoly Money' charity, cause they're so pissed at him. (did I already say that?)...

... But it won't matter by then 'cause young Ol' Billy will have sown the seeds and things like the Gates Foundation Childrens Educational Awareness Intervention Centers, won't have much association with the blood money spent to buy such pretty named things.

Really, I'm not kidding... this is what he's doing RIGHT NOW. He's not runing the helm over at Micro$haft, He's pretty smart and knows when to leave the concert before the show ends and miss all of the bumper to bumper traffic heading out from FedEx Field in Washington.

I'm no Bono fan, but it must-a really sucked sharing the cover of time magazine with a bunch of geeks posing as people who care about something other than beating the piss out of any competitor that dares to offer a useful product that might be a good idea that wasn't thought of in Redmond. </rant>