The macosxhints Forums

The macosxhints Forums (http://hintsforums.macworld.com/index.php)
-   The Coat Room (http://hintsforums.macworld.com/forumdisplay.php?f=8)
-   -   Why isn't Apple releasing patches for the Month of Apple Bug exploits??? (http://hintsforums.macworld.com/showthread.php?t=67421)

Hal Itosis 02-06-2007 07:19 PM

Quote:

Originally Posted by Craig R. Arko (Post 355679)
I also think people tend to dislike outfits that put their own interests ahead of the user community. Many feel that the MOAB people have done just that, by ignoring anything resembling a useful bug-reporting protocol and showboating instead. I'm sure more than a few feel the same way about Apple. Obviously Mr. Gates does.

See, there you go again... blaming the Iraq war on Katie Couric.
I don't give two hoots about the personalities involved here.
Those MOAB people don't owe me doodly-squat. I never paid
them dime one. Apple OTOH is where my displeasure rests.

Now that my shell-scripting knowledge is gradually maturing, as I look at
some of the LAME, LAME, practices in the Unix side of these holes... it is
clear that Apple put no effort (NONE) into being security "conscience" with
some of their setups. It's a joke. They (Apple) owe us a lot more than that.
I'm a stockholder [AAPL]. You are probably too. I have invested much green
in their computers, and now iPods. You... probably more.

So how did they get in this position where some snotty-sounding dudes can
just pick them to pieces like this. Simple. They fell asleep at the switch.
You know why the fixes are so long in coming? It ain't gonna be easy to
clear out the cobwebs... that's why.

What about all the Macs with 10.3.8 or less? 10.4.7 or less?
They're sitting ducks... that's what. MOAB didn't create the
problems... they just reported them. Don't like their style?
Well not me either. But that's irrelevant.

We will see how much "fixin'" got done (soon I hope), but if
they (Apple) don't nail it... we'll be hearing more of MOAB's
r e p o r t a g e.

:mad: So be prepared! :D

6502 02-06-2007 08:46 PM

MOAB #5:
Exploitation conditions:
Privileges for overwriting a BOM inside /Library/Receipts/ are necessary (ex. users in the admin group are allowed to do it).

MOAB #15:
Multiple binaries inside the /Applications directory tree are setuid root, but remain writable by users in the admin group (ex. first user by default in a non-server Mac OS X installation), allowing privilege escalation

MOAB #21
Now THAT one can be done without admin access. But it's a privilege escalation technique that can't be done from a remote machine, so it's not exactly a severe threat.

hayne 02-06-2007 08:58 PM

Let:
A = risk of damage due to exposure to some MOAB-related exploit
N = number of people who might be exposed to this risk (via some malicious web site, etc)

B = risk of damage due to a less-than-fully-tested fix from Apple
M = number of people who would be exposed to this risk (via Software Update)

If Apple estimates that:
A * N
is less than
B * M
then they would likely sit on their proposed fixes until they are sufficiently tested that B becomes small enough to reverse the inequality.
It is quite likely that M is far greater than N

trumpet_999 02-06-2007 10:45 PM

I'm gonna sound like a real dolt here but, I consider myself a fairly strong mac user, but I don't know what 'MOAB' is or stands for...??

maclova 02-06-2007 11:31 PM

Quote:

Originally Posted by trumpet_999 (Post 355733)
I'm gonna sound like a real dolt here but, I consider myself a fairly strong mac user, but I don't know what 'MOAB' is or stands for...??

:eek: :eek: :eek: !

MOAB=Month Of Apple Bugs and you can read up on it and the unpatched exploits and their free publicly available proof of concepts (><!) here: http://projects.info-pull.com/moab/ :)

biovizier 02-07-2007 12:30 AM

Quote:

An admin account needs to authenticate to mess with system files (hence typing that password). Root doesn't.
Actually, that's not true. From the point of view of malware, anything running with user-level privileges in an "admin" account doesn't need a password to modify system files, as various MOAB vulnerabilities have demonstrated. So in terms of susceptibility to malware, running as "admin" instead of "root" offers no protection (hence the hidden "trick question" warning in my post 13) i.e. if you're logged in to an "admin" account, you might as well be logged in to "root".

What bothers me (and I suspect Hal Itosis) is why Apple hasn't done anything systematic about it, despite the fact that "Opener" demonstrated how easy it is to get from "admin" to "root" without a password way back in the "Panther" era in 2004. The specific routes exploited by "Opener" were patched, but nothing was done systematically, hence other exploits made possible by the same underlying weakness (sensitive directories writable by admin) were still there ripe for the picking by MOAB over two years later in "Tiger". Will Apple do a thorough audit before Leopard gets out, or will it be another haphazard effort?

Apple seems to have a good security model, but can't get all of their divisions to follow the plan. If it worked like it should, "root" gets to do anything, someone supplying "admin" credentials gets to do anything, but other than "root", no user (including an "admin") gets to modify anything beyond their own files without supplying an "admin" password. If it worked as it should, there would be very little problem with using your default 501 account as your main account. But it doesn't - the system is rife with ways to get from "admin" to "root" without a password, and the result is the sad state of the OS X "admin" account where currently, a legitimate admin user installing legitimate system level software has to punch in a password, but malware installing a rootkit doesn't.

schwartze 02-07-2007 01:18 AM

Quote:

Originally Posted by Hal Itosis (Post 355685)
See, there you go again... blaming the Iraq war on Katie Couric.
I don't give two hoots about the personalities involved here.
Those MOAB people don't owe me doodly-squat. I never paid
them dime one. Apple OTOH is where my displeasure rests.

See, there you go again... asking Katie Couric to fix the problems in Iraq.

Macosxhints.com is not a channel to Apple.

I am sure there are links at apple.com and developer.apple.com to work out the issues related to apple software and what they put out to fix security and other problematic issues.

This site, from what I have garnered over the past couple of years, is a place to go to/come to to get info on ways to tweak things, work things out, and use the hardware/software to its potential, not to fix the world or fix the company that sells you the system you are using.

It's an added bonus of some really good people who help people (like me) out and put up with answering a lot of dumb questions (sometimes by me) which have been asked countless times, so they don't have to charge people to go to their house/place of business to fix problems.

Rant/Gripe/Pay for a full page editorial if you really feel that a company is treating you so poorly, but please stop yelling at the people trying to answer your questions and work out the who/what/when/why when these people don't make the decisions you want made.

trumpet_999 02-07-2007 06:15 AM

well said ...

Craig R. Arko 02-07-2007 09:01 AM

Quote:

Originally Posted by biovizier (Post 355768)
Actually, that's not true. From the point of view of malware, anything running with user-level privileges in an "admin" account doesn't need a password to modify system files, as various MOAB vulnerabilities have demonstrated. So in terms of susceptibility to malware, running as "admin" instead of "root" offers no protection (hence the hidden "trick question" warning in my post 13) i.e. if you're logged in to an "admin" account, you might as well be logged in to "root".

Thanks for the lucid explanation, bio; I can follow that. Can we agree that the cases of being affected by malware and committing a user error while logged in as root are not equally likely?

Quote:

Originally Posted by biovizier (Post 355768)
Will Apple do a thorough audit before Leopard gets out, or will it be another haphazard effort?

I wonder if you can offer me an example of what you consider to be a 'not-haphazard' effort along these lines? And what might be the economic impact associated with that effort, in terms of the end-user cost of a shipping product?

OpenBSD is the closest thing I can think of; but I don't know that it has a widespread following, or much in the way of consumer grade software support.

I recall we spent enormous amounts of effort (and dollars) in the biomedical device industry on software testing and quality assurance while in the FDA approval process. I also recall that hindsight found systematic flaws in that software, even after meeting the rigorous standards that were set to receive that approval. And those items, of course, were not available for $129 at the mall.

Which is why, in balance, I don't feel Apple really does all that bad. And perhaps that is why I have had Macs connected to the Internet with static IP addresses 24/7 since 1995 (we had routed dialup and a Class C subnet then :D ) without having a single one of them compromised. Ever. That's from System 7 through Mac OS 9 through the OS X Public Beta through 10.4.8. And yes, they were all buggy.

So maybe it's a little easier to see my point of view if I don't start yelling 'fire' today, when there are bug reports.

Hal Itosis 02-07-2007 11:35 AM

Quote:

Originally Posted by schwartze (Post 355786)
Macosxhints.com is not a channel to Apple.

I am sure there are links at apple.com and developer.apple.com to work out the issues related to apple software and what they put out to fix security and other problematic issues.

This site, from what I have garnered over the past couple of years, is a place to go to/come to to get info on ways to tweak things, work things out, and use the hardware/software to its potential, not to fix the world or fix the company that sells you the system you are using.

It's an added bonus of some really good people who help people (like me) out and put up with answering a lot of dumb questions (sometimes by me) which have been asked countless times, so they don't have to charge people to go to their house/place of business to fix problems.

Rant/Gripe/Pay for a full page editorial if you really feel that a company is treating you so poorly, but please stop yelling at the people trying to answer your questions and work out the who/what/when/why when these people don't make the decisions you want made.

What on Earth are you talking about? I know what macosxhints is
(been coming here half-a-year longer than you). Craig asked me a
question, so I just wanted to let him know how I felt. I also know
something about tweaking things, but thanks for the clarification.

I'm not so much in a huge rush for Apple to release a "fix" as I am
desirous that they start adhering to principles and practices which
would tend to *avoid* snafus like this in the first place.

biovizier seems to be "Open" minded enough to empathize.

Declaring $PATH in scripts is a known secure thing to do (it was in
the early chapters of a book I read called "Classic Shell Scripting").
Either do that, or use full/absolute paths. Looking at MOAB #21 for a
second, I decided to see what else might be vulnerable. I found that
of all things /usr/sbin/periodic has left its $PATH wide open.

(my "#21" link on page 1 helps explain *how* it can be hacked)
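An added example, written for this page rather than taken from any poster or from the MOAB project: a small POSIX shell audit that applies the two points raised in this thread, pinning $PATH at the top of the script as recommended above and listing setuid files that are group- or world-writable, the pattern 6502's MOAB #15 summary describes. The fixture directory and its files are constructed here for an offline self-test; on a real system you would point it at /Applications or /usr instead.

```shell
#!/bin/sh
# Added example (not from this thread). Pin PATH first so the script does not
# inherit whatever PATH its caller exported; the alternative is absolute paths.
PATH=/usr/bin:/bin:/usr/sbin:/sbin
export PATH

# script_pins_path FILE: succeeds if FILE assigns PATH itself (the practice
# recommended above; /usr/sbin/periodic is cited as a script that does not).
script_pins_path() {
    grep -Eq '^[[:space:]]*(export[[:space:]]+)?PATH=' "$1"
}

# audit_setuid_writable DIR: prints setuid files under DIR that are
# group- or world-writable. Only the POSIX "-perm -mode" (all bits set) test
# is used, so it runs unchanged under both BSD/macOS find and GNU find.
audit_setuid_writable() {
    find "$1" -type f -perm -4000 \( -perm -0020 -o -perm -0002 \) 2>/dev/null
}

# count_findings DIR: number of files audit_setuid_writable reports.
count_findings() {
    audit_setuid_writable "$1" | wc -l | tr -d ' '
}

# make_fixture: builds a constructed tree so the audit can be tried offline and
# prints its path. The files are owned by the caller, so setting the setuid
# bit on them needs no special privilege.
make_fixture() {
    d=$(mktemp -d) || return 1
    printf '#!/bin/sh\nPATH=/usr/bin:/bin\nexport PATH\n' > "$d/pinned"
    chmod 4755 "$d/pinned"        # setuid, not writable by others: not reported
    printf '#!/bin/sh\n' > "$d/weak"
    chmod 4775 "$d/weak"          # setuid AND group-writable: reported
    printf '' > "$d/plain"
    chmod 0666 "$d/plain"         # writable but not setuid: not reported
    printf '%s' "$d"
}

# Usage: sh audit.sh DIR...   (with no arguments, only the functions are defined)
if [ $# -gt 0 ]; then
    for dir in "$@"; do
        audit_setuid_writable "$dir"
    done
fi
```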

schwartze 02-07-2007 01:12 PM

Hal Itosis -

You left out the one line of my post which explained what on earth I was talking about.

I followed the other thread about MOAB that you were participating in discussing what can be done now until something is done. That is what I believed the spirit of the board is about. Then again, I don't run the board, just use it and am sure others use it for different reasons.

yellow 02-07-2007 01:24 PM

I'd like to ask those that are upset a question:

How would you like Apple to have patched these holes uncovered by MLH?

The MOAB finished a week ago? Should there have been a patch a day?

ThreeDee 02-07-2007 01:32 PM

All this arguing and complaining is probably what the MoAB wants. That was probably the whole point of it.

Craig R. Arko 02-07-2007 01:45 PM

Quote:

Originally Posted by ThreeDee (Post 355918)
All this arguing and complaining is probably what the MoAB wants. That was probably the whole point of it.

Actually, I believe it was mostly about getting some free press to promote their online forums and gaming site, which they plug in bug #31. There sure didn't seem to be a whole lot of interest in helping the Mac user community.

Hal Itosis 02-07-2007 02:12 PM

Quote:

Originally Posted by yellow (Post 355914)
I'd like to ask those that are upset a question:

How would you like Apple to have patched these holes uncovered by MLH?

The MOAB finished a week ago? Should there have been a patch a day?

Not soon enough.

Some should have been plugged 3 YEARS ago. Are we supposed to believe
that Apple (the computer designer... not the music merchant) is just now
learning about *all* these issues? Did they really need some Romanian
skrypt-kiddie (whatever) to teach them about group-writable setuid files?

At least they should be 'wheel'... but why writable? Is root not enough?

yellow 02-07-2007 02:20 PM

Quote:

Originally Posted by Hal Itosis (Post 355930)
Did they really need some Romanian
skrypt-kiddie (whatever) to teach them about group-writable setuid files?

Absolutely not. I agree with your assessment.

While I agree with the spirit of what MLH was trying to do, I disagree with how it has been carried out by him (almost like a dog and pony show), but I am even more disappointed in how the media has glommed onto the story and in some cases blown it way out of proportion.

It's no joke that MLH has uncovered some potentially serious exploitable bugs in the OS. It's also no joke that some of these exploits have little to nothing to do with Apple, other than running on OS X. Will they all get patched? Let's hope so. I expect that they are currently working at top speed getting Leopard out the door. Bug fixes are soon to follow.

I think the biggest problem I have with all of this is how people expected a multi-billion dollar company like Apple to behave any different than any other multi-billion dollar company that puts out a similar product. They got caught after the fact. That's not a novel concept. It's deplorable, but unfortunately (IMO) common place today.

vntgntks 02-07-2007 02:59 PM

Actually, it isn't over yet. #31 is still "coming soon". It is hanging out there like the second shoe! And is their choice of moab as an acronym just a coincidence? Did they name it moab after the GBU-43, the Massive Ordnance Air Blast (MOAB) (also known as the Munitions Ordnance Air Blast and Mother Of All Bombs), which is touted as the most powerful non-nuclear weapon ever designed? (Thank you Wikipedia).

Neat tie in with Apple’s use of the bomb symbol. Just wondering.
Richard

ArcticStones 02-07-2007 03:10 PM

Quote:

Originally Posted by Craig R. Arko (Post 355923)
Actually, I believe it was mostly about getting some free press to promote their online forums and gaming site, which they plug in bug #31. There sure didn't seem to be a whole lot of interest in helping the Mac user community.

Precisely that has been my impression all along as well. I really can’t see much in this beyond a clumsy and transparent attempt at some free PR.

Hal Itosis 02-07-2007 06:16 PM

[Just need to clear up some misunderstanding here,
which may otherwise spread beyond trumpet_999]:


Quote:

Originally Posted by schwartze (Post 355786)
I followed the other thread about MOAB that you were participating in discussing what can be done now until something is done. That is what I believed the spirit of the board is about. Then again, I don't run the board, just use it and am sure others use it for different reasons.

Looks like you missed the part where the mods moved this thread to the "Coat Room".
It happened yesterday, back on page 1. (We could probably discuss coats if you wish).
I think in here the discourse is more free flowing. A different sort of "tweaking" perhaps.

You still seem to be under some mistaken impression that I'm asking for someone's help!!!
Any questions I've posed in here so far were rhetorical, intended to make the reader think.
Sorry if my maneuvering was unclear. (Any message you wrote to me while assuming I was
seeking 'macosxhints' to answer for Apple was totally off the mark. Oh well, that's over now).

--
[back on topic]
--

Quote:

Originally Posted by 6502 (Post 355705)
MOAB #5:
Exploitation conditions:
Privileges for overwriting a BOM inside /Library/Receipts/ are necessary (ex. users in the admin group are allowed to do it).

Ah, almost sounds like that's a good thing: as long as it's "only" an admin
that can be tricked... then *those* types of vulnerabilities are just dandy.



Quote:

Originally Posted by 6502 (Post 355705)
MOAB #15:
Multiple binaries inside the /Applications directory tree are setuid root, but remain writable by users in the admin group (ex. first user by default in a non-server Mac OS X installation), allowing privilege escalation

Same here, right? No problem? Shucks, I'd be surprised if Apple even
bother to patch those either. After all, admin accounts are 100% safe.



Quote:

Originally Posted by 6502 (Post 355705)
MOAB #21
Now THAT one can be done without admin access. But it's a privilege escalation technique that can't be done from a remote machine, so it's not exactly a severe threat.

Oh, I see... "severe" "remote" threats are the only ones that matter.

As long as *your* Mac is safe, then no one need care about any school,
university, business, government agency, or military computer network.

Teachers, employers, and other "administrators" are never so gullible
as to be taken advantage of by students, disgruntled employees, spies
and so forth. If an admin happens to open a "document" (or a game)
given to them by a coworker or some other "trustworthy" subordinate,
they shouldn't rely on the operating system to provide basic protection
from shell-scripted assaults at well-known weak-points (system files!).

Thus, Apple is fully justified in shipping such marginal designs, because:
there's no severe threat to 6502's setup. (Not from afar anyway).

What does it matter if sensitive data may get copied by other users
in some office scenario, or under classroom / laboratory conditions,
or in any typical professional / industrial / or commercial context ?

The only place a Mac belongs is at home, preferably in the playroom.

Gee, that's nice to know.
I feel much better now.
A thousand thanks.

;)

[kidding]

cwtnospam 02-07-2007 06:43 PM

Quote:

Originally Posted by Hal Itosis (Post 356032)
Any questions I've posed in here so far were rhetorical, intended to make the reader think.

Since we're just thinking out loud, let's think about how Apple stacks up against the competition when it comes to security.
Quote:

Originally Posted by Hal Itosis (Post 356032)
Thus, Apple is fully justified in shipping such marginal designs,...

I'd like Apple to be perfect as much as anybody, if for no other reason than to continue to make Microsoft look bad! (I recognize that I dislike MS more than I like Apple.) The fact is that no OS has ever been 100% secure, and it's highly unlikely that any OS ever will be. The best we can hope for is relative security.

If we were experiencing hordes of compromised Macs being used to attack the internet, or spam our inboxes, then I'd be joining you in your criticism. The fact is, they've got the best security track record out there, and until something happens to change that, it's hard to blame them if closing every potential hole isn't their number one priority. I'm just glad it's relatively high on a very large list.

