|
I wonder if this post could be more productive perhaps. Is there list somewhere of common concerns for OSX security? Do we have one of those? Perhaps if we have concerns, legitimate ones, we should just send them to Apple. Honestly, they would want to know, what company simultanously has enough resources to find all the bugs they want to quash and actually fix them? I bet they'd like the help.
|
You may want to check out the URL in post #2 of this thread:
http://forums.macosxhints.com/showthread.php?t=56389 |
there are a few security related sites out there
Apple also has itd security announce list <security-announce@lists.apple.com> Im sure if you asked around on the Apple Discussion boards you would get some info on this. also checkout the developer.apple.com side of things |
You probably shouldn't rely on Apple-controlled resources as they openly censor anything they don't like.
Reading Full Disclosure mailing lists will probably be a lot more beneficial. |
Quote:
EDIT: I should add that I have had two relatively minor complaints about the way one of the boards functions expunged. |
Quote:
|
Quote:
I don't know - I hardly ever go to those forums due to the low signal-to-noise ratio there. |
Quote:
|
Quote:
There is a majority of clueless newbies and the occasional advanced fanboy pontificating. People with serious real-life experience will do anything but post to such a thought-policed forum because their contribution will most probably be deleted. They'd much rather hang out in places where "thinking different" is still possible. |
Here's some "signal" for you (while it lasts, anyway):
http://discussions.apple.com/thread....75176&tstart=0 Don't use "admin"! |
Quote:
I can't reproduce the problem that was discussed in that Apple discussions thread. I created a package using PackageMaker that installed a file into /usr/local/bin When I ran this pkg (by double-clicking on it) as an admin user, it asked for my admin password - i.e. it behaved as expected. I have yet to see the security problem that seemed to be the subject of that thread. (This was on 10.4.7) If you can demonstrate a problem, please explain in detail what steps you took. You should also submit your findings to product-security@apple.com |
Well, I put in a report to "product security" (thanks for the suggestion) and apparently it is a "known issue", and is "being addressed"...
In a nutshell, this could be used by a trojan which, if executed in an "admin" account, could write to any part of the the hard drive, with whatever permissions it wants (including setuid root), in the background without requiring any sort of password. Similar to the situation in "Panther" with its "StartupItems" and easy access "hooks", except the current issue isn't restricted to any specific directories. So the moral of the story - same old, same old - don't use an "admin" account for day to day stuff, and it's probably a non-issue. |
i read the thread provided by biovizier on the disscussions.apple site and i have to say that i find this story quite scary. in my opinion this is a big security hole.
i do not know anything about package making, so i am not able to make my on tests, but i believe the people who did. :( i hope apple will address this issue VERY quickly. - edit: Matt Broughton made 3 test packages (one with no Auth, one with AdminAuth and one with RootAuth) that try to install a directory in /usr/local, you can download them here. the NoAuth does not succeed, the one with AdminAuth installs WITHOUT asking for a password. the one with RootAuth asks for a password. |
Installer bug is real: here's a proof-of-concept
1 Attachment(s)
Quote:
http://webpages.charter.net/mbrought...llerChecks.dmg Just in case Apple notices it and the thread goes away, there's an archive of it attached to this post. You should definitely check such installers carefully by using Pacifist or similar tools, it would be perfectly admissible to shout "pwned" if you didn't and the installer did something nasty. Anyway, on an admin account, the AdminAuth.pkg will run the install process as root to create a directory, then a file in /usr/local , chown it to root and all of that without ever asking for authentication. The install log shows admin auth received to install but never asked for it. It should be remembered that the first account created on any Mac +is+ an admin account and it takes extra effort to change that, so everybody and his grandma is at risk here. To delete the directory, I did have to authenticate however. There's also a very interesting summary of this and last years vulnerabilities on OS X here: http://www.viruslist.com/en/analysis?pubid=191968025 |
It seems that Security Update 2006-007 (http://docs.info.apple.com/article.html?artnum=304829) fixes the Installer problem discussed in this thread. (I haven't tested it - I'm just going from the description in the above Apple doc)
|
I can confirm this - "Installer.app" now asks for authentication for installing these types of packages (or one that I had anyway), and more importantly, '/usr/sbin/installer' exits with the error message:
"installer: This package requires authentication to install." So trojans running in an "admin" account will be prevented from running in the background as "root" by this mechanism, at least. |
.
That is good news. :) But I do wonder why it took Apple so long. |
Every system , made by human , can be hacked or destroyed by human.
But Mac is a beauty so that hackers seldom hack it. To a beauty, you hardly let her pain,rite? So dont worry...Mac is always wonderful. |
Quote:
|
Quote:
|
| All times are GMT -5. The time now is 06:52 PM. |
Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2014, vBulletin Solutions, Inc.
Site design © IDG Consumer & SMB; individuals retain copyright of their postings
but consent to the possible use of their material in other areas of IDG Consumer & SMB.