Industry Watch » Coldspots
The Version Race
Apple keep losing. Do they care?
This all started with a hunt for globstar in bash after the 10.6 upgrade. It wasn't there.
globstar is a shell option introduced in bash 4.0. Once it's switched on with 'shopt -s globstar', a double asterisk in a pathname pattern matches across subdirectories, so a script can enumerate files recursively without shelling out to find. It's rather useful.
The problem is it wasn't available in Leopard either, although bash 4.0 had been available for download from any number of sites hosting bash. The presumption was Snow Leopard would finally bring bash up to date. Folly.
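Here is what the hunt was about, as an added example that is not part of the original article: a function that uses globstar when the running bash knows the option and falls back to find(1) otherwise. The probe is a subshell running 'shopt -s globstar'; bash 3.2 (Leopard and Snow Leopard) rejects the option name, and a non-bash /bin/sh has no shopt at all, so both take the find branch. The directory name and the '*.sh' pattern are assumptions for illustration.

```sh
#!/bin/sh
# Added example (not from the article): list every *.sh file below a directory.
# With bash 4.0 or later, globstar lets "**" cross directory boundaries; on bash 3.2
# the shopt call fails and we use find(1), which behaves the same everywhere.
list_scripts() {
    dir=$1
    if (shopt -s globstar) 2>/dev/null; then
        # bash 4.0+: enable globstar for this shell, then let ** do the recursion
        shopt -s globstar
        for f in "$dir"/**/*.sh; do
            # when nothing matches, the unexpanded pattern is returned; skip it
            if [ -f "$f" ]; then
                printf '%s\n' "$f"
            fi
        done
    else
        # bash 3.2 or a non-bash sh: no globstar, so recurse with find instead
        find "$dir" -type f -name '*.sh'
    fi
}
```

Call it as 'list_scripts /path/to/tree'. The two branches return the same set of files; only the order differs, because find walks the tree depth first while the glob sorts each directory's matches.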
A closer inspection of the independently maintained open source components used in Snow Leopard started to feel like one was peering at the inside of Pandora's Box. Although some components are up to date on 10.6 Snow Leopard, an alarming number are not. Some components are at least three years out of date, potentially exposing users to serious vulnerabilities.
Not all these discrepancies mean OS X users will get hit tomorrow. There really isn't much interest in hacking Apple computers. But the risks are there. Here's a sample of what's going on with Apple's 10.6 Snow Leopard.
Component | SL Version | SL Release Date | Real Version | Real Release Date
(table body of 28 components not reproduced)
Finding version numbers for open source components isn't always easy. Many display their version numbers with '--version'; others with '-V'; still others with '-v'; and still others have no version number at all. Open source websites are often chaotic - finding release dates for previous releases can be difficult. But there are any number of red flags even in this small sample.
- sqlite3. From the sqlite changelog:
Fix a bug in version 3.6.12 that causes a segfault when running a count(*) on the sqlite_master table of an empty database. Ticket #3774.
Fix a bug in version 3.6.12 that causes a segfault when inserting into a table using a DEFAULT value where there is a function as part of the DEFAULT value expression. Ticket #3791.
Note that 3.6.12 is the version currently in use on Snow Leopard 10.6.2. Both fixes shipped in 3.6.13, the very next release.
- unzip. From the Info-Zip website:
The Unix port of UnZip 5.52 is reported to have a race-condition vulnerability, whereby a local attacker could change the permissions of the user's files during unpacking. (This has been assigned CVE ID CAN-2005-2475.)
All versions of UnZip through 5.50 have a number of directory-traversal vulnerabilities, and version 5.50 also has a textmode data-corruption bug that affects 16-bit ports such as MS-DOS. See the FAQ page for details.
Note that 5.52 is the version currently in use on Snow Leopard 10.6.2 - exactly the release the race-condition note refers to. UnZip 6.0 had been out since April 2009.
And having sudo out of date is really asking for it: sudo is setuid root, so any flaw in it is a local privilege escalation by definition. The 10.5 point releases didn't update it either.
The above is a listing of only 28 sample components. Snow Leopard 10.6.2 systems have hundreds if not thousands of such components - command line utilities and shared libraries both. Charlie Miller made no secret of how he hacked the iPhone so effortlessly: look for possible attack vectors, compare Apple's versions of the open source components with the most up to date ones, then read the changelogs for the bugs fixed in between.
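The comparison described above, and the version-flag hunt described earlier, as an added example that is not part of the original article. It is a POSIX sh script: probe_version tries '--version', '-V' and '-v' in turn with stdin closed so a tool that treats '-v' as something else can't sit waiting for input; extract_version pulls the first dotted number out of a banner; vercmp compares two dotted versions component by component; report_outdated runs the comparison over a small table. The banners and the "newest" versions in that table are constructed sample data: the sqlite3 and unzip versions are the ones the article names for 10.6.2, the bash banner and every "newest" value are assumptions for illustration, and 'uptodate-tool' is a made-up component that is current, included to show it is filtered out.

```sh
#!/bin/sh
# Added example (not from the article): compare the version a tool reports
# with the newest upstream release, the way the article describes.

# Ask an installed tool for its banner, trying the flags the article lists.
# stdin is /dev/null so a tool that reads input on "-v" cannot hang; the
# first output line containing a dotted number is taken as the banner.
probe_version() {
    for flag in --version -V -v; do
        banner=$("$1" "$flag" </dev/null 2>&1 | head -n 1)
        case $banner in
            *[0-9].[0-9]*) printf '%s\n' "$banner"; return 0 ;;
        esac
    done
    return 1
}

# Reduce "3.2.48(1)-release" to "3.2.48": keep the leading digits-and-dots run.
normalize_version() {
    printf '%s\n' "$1" | sed 's/^[^0-9]*//; s/[^0-9.].*$//'
}

# Pull the first dotted number out of a banner, e.g. "UnZip 5.52 of 28 February
# 2005" -> "5.52".  A banner that prints other digits before its version (an
# architecture, a build number) would need a tighter pattern than this.
extract_version() {
    printf '%s\n' "$1" | sed -n 's/^[^0-9]*\([0-9][0-9.]*\).*$/\1/p'
}

# Compare two dotted versions component by component and print "older", "same"
# or "newer" for $1 relative to $2.  Missing trailing components count as 0,
# so 1.7 and 1.7.0 compare equal.
vercmp() {
    a=$(normalize_version "$1")
    b=$(normalize_version "$2")
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah=${a%%.*}; bh=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a='' ;; esac
        case $b in *.*) b=${b#*.} ;; *) b='' ;; esac
        if [ "${ah:-0}" -lt "${bh:-0}" ]; then echo older; return 0; fi
        if [ "${ah:-0}" -gt "${bh:-0}" ]; then echo newer; return 0; fi
    done
    echo same
}

# Run the comparison over a table of (name | banner as captured | newest upstream)
# and print one line per component that is behind.  Constructed sample data:
# the "newest" versions are assumptions for this example, not a release check.
report_outdated() {
    printf '%s\n' \
        'sqlite3|3.6.12|3.6.13' \
        'unzip|UnZip 5.52 of 28 February 2005, by Info-ZIP.|6.0' \
        'bash|GNU bash, version 3.2.48(1)-release (x86_64-apple-darwin10.0)|4.0' \
        'uptodate-tool|Tool version 2.1.0|2.1' |
    while IFS='|' read -r name banner newest; do
        have=$(extract_version "$banner")
        if [ "$(vercmp "$have" "$newest")" = older ]; then
            printf '%s: %s installed, %s current\n' "$name" "$have" "$newest"
        fi
    done
}

report_outdated
```

To turn the table into a live check, replace each captured banner with "$(probe_version sqlite3)" and so on; the rest of the script doesn't care where the banner came from. Tools with no version flag at all, which the article mentions, make probe_version return 1, and those have to be looked up by hand.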
Apple users won't get hacked tomorrow. It's unlikely at any rate. But with so many open source components included with Snow Leopard and the great majority out of date, it's just a matter of time.