October 3, 2006
Exploit does not put the “X” in “Mac OS X”
Posted Oct. 3, ’06, 8:00 AM PT by Dan Moren
Category | Security
I’m not sure I even understand why this was a story. It’s merely yet another set-piece in the continuing production of “Macs are not Invulnerable” (music by Andrew Lloyd Webber). The headline, “Exploit released for Mac OS X flaw,” is not inaccurate, but it does commit the sin of omission, though it’s quickly rectified in the first paragraph:
The code takes advantage of a weakness in core parts of Mac OS X and could let a person with limited privileges gain full system access. Apple provided a fix for the error-handling mechanism of the kernel last week, but the exploit appears to have been authored before then. [Emphasis added]The researcher who was credited by Apple for discovering the flaw says that the exploit was apparently written before the problem was patched, though it didn’t appear until this past weekend.
I’ve braced myself for the call of trumpets heralding the latest act of this full-cast song and dance extravaganza, and while I’m hoping against hope that every major news organization will not pick this up by the end of the week, I’m ready with my “break-in case-of-emergency hot air defense kit.”
Let’s count the ways this exploit is nothing to worry about:
1. The user must be logged in (locally or remotely) for it to function. Assuming you have good firewall security, strong passwords, and trust your family members and/or co-workers, the risk is pretty minimal.
2. The exploit, as it was released, did nothing more than prove that it had gained access to the root account, what’s termed as “privilege escalation.” Worrying? Yes; privilege escalation should always be a source for concern, but in this case, it’s heavily mitigated by #1.
3. Oh yeah, Apple has a patch available.
Look, the usual boilerplate applies: no operating system is completely invulnerable. One should always practice safe computing (strong passwords, don’t open unknown attachments, patch regularly). But as for this latest “exploit,” there’s no need to get your kernel in a twist.
3 Comments
Leave a comment
Recent Entries
About MacUser
MacUser is your source for news, info, and opinion about Apple, the Mac, and the iPod. Our dedicated team of bloggers covers everything that is relevant to Mac users — and, okay, some stuff that’s not quite relevant, but is still a lot of fun.
Subscribe/RSS
- Blog Posts
- Blog Comments
- Podcast (RSS) (iTunes)
Tip us off!
- Email: macuser [at] macuser [dot] com
Recent Comments 
- the truth on iPod touch users get second classed again with the omission of new Maps features
- James Katt on Apple levels DMCA on iPodhash project
- AdamC on Apple levels DMCA on iPodhash project
- sf addict on Ch-ch-ch-ch-changes afoot at MacUser
- Paul Norton on iPod touch users get second classed again with the omission of new Maps features
- me on iPod touch users get second classed again with the omission of new Maps features
Categories
- Apple (234)
- Advertising (162)
- Events (235)
- Huh? (182)
- Humor (259)
- News (148)
- People (258)
- Rivals (405)
- Speculation (167)
- Steve Jobs (172)
- Stores (206)
- Apple TV (58)
- Business (451)
- Games (143)
- Geekery (460)
- Hardware (935)
- Accessories (79)
- Intel Macs (162)
- Ihnatko (18)
- Internet (463)
- Legal (244)
- MacUser (95)
- Macalope (8)
- Money (177)
- Music (344)
- Podcasting (100)
- Photography (74)
- Security (246)
- Software (1544)
- Updates (538)
- Tips (352)
- Troubleshooting (189)
- Video (403)
- Windows (219)
- iPhone (199)
- iPod (602)
- iPod Accessories (96)
- iPod Software (61)
- iTunes (128)
- iTunes Store (443)
Archives
- November 2008 (92)
- October 2008 (138)
- September 2008 (151)
- August 2008 (177)
- July 2008 (175)
- June 2008 (171)
- May 2008 (185)
- April 2008 (234)
- March 2008 (217)
- February 2008 (215)
- January 2008 (239)
- December 2007 (169)
- November 2007 (164)
- October 2007 (187)
- September 2007 (167)
- August 2007 (195)
- July 2007 (152)
- June 2007 (223)
- May 2007 (243)
- April 2007 (286)
- March 2007 (288)
- February 2007 (250)
- January 2007 (266)
- December 2006 (244)
- November 2006 (293)
- October 2006 (307)
- September 2006 (250)
- August 2006 (268)
- July 2006 (288)
- June 2006 (293)
- May 2006 (297)
- April 2006 (351)
- March 2006 (366)
- February 2006 (110)
- January 2006 (107)
- December 2005 (23)
Mac Publishing Sites
Links
Well, full disclosure works both ways. Plain and simply, one can translate the exploit into the following warning: once a user logs in to your machine -- in a computing workgroup or remotely -- he can take over the machine and do whatever he chooses. The vulnerability applies to those with OSX versions prior to 10.4 -- there's a bunch of 'em out there -- and to those who haven't applied the latest patches -- probably, fewer.
Attachments have not much of anything to do with this, although that advice is of course good.
"nothing more than prove that it had gained access to the root account"
uhhhhh... that's pretty much the most one can possibly do.
This exploit has been used on shared hosting mac os x servers, where hackers have ssh limited accounts.
They got root access on those servers.
But that's not the only 0-day tool used actually...