Apple Lion Security Update
Everything's alright. Really it is.
Everything's alright. Really it is. The writing's not on the wall. The sky isn't falling.
OS X - formerly Mac OS X - is the world's most advanced operating system. And the world's most secure. Beating out IBM's z/OS and all the rest. And if you believe that? Then stop right here, read no further, go somewhere else. For nothing will help you anyway.
Tomorrow it will be two weeks since the dscl vulnerability was published - root for anyone who can get code running on a Lion admin account. And odds are the black hats and the kiddie hats have known about it for much longer. Two weeks is what's normally allowed for a vendor to fix a security vulnerability - especially one of this magnitude. Will Apple make it in time?
The issue of course is the glaring blooper that on Lion any process running under a user's account can change that user's password through dscl without supplying the current one. If that user is an admin - and on most Macs the one and only user is - the new password works for sudo, so you set the root password and you have full access to the machine. Michael Evsteen painted a dreary picture of one such scenario a week after his original post.
- User connects to webpage with Java app promising to show boobies if you say 'yes' to the booby shower Java app.
- Java app runs and changes current user password.
- Because the current user is an admin it does the following:
  - enables SSH
  - sets root user password
  - installs client for command and control system
  - patches vulnerability
  - shows the user good porn
- System becomes part of bot net.
And that's but one scenario. Someone at the keyboard while you're away (AFK) can do it at any time. A software download hiding a trojan can do it at any time. And so forth. Short version? Apple OS X 10.7 Lion is toast. Don't want to believe it? Join the ranks of the MacRumors crowd who went into Panic Mode™ when Oompa Loompa hit. What wusses they were.
You can't have it both ways. Either your system is more secure than any other in the galaxy or there is a risk of vulnerability and you have to hold your OS vendor to account.
Forty Years For... ?
There's nothing wrong with the basic game plan. Unix has had forty good years of vetting to become as secure as anyone could reasonably want. The Internet was built on, by, and for Unix. Unix isn't the issue.
Criticise Microsoft for spending billions year after year on pointless research and vacuous spin to keep on marketing an inherently insecure standalone system to the unwashed masses, bringing in the legions of orcs out there to attack and pilfer and bankrupt Windows users - all because they're so afraid the necessary system fixes will jeopardise their precious market hegemony. Microsoft know better but refuse to do the Right Thing™ out of pure greed.
But it's quite another matter at Apple. They don't appear to have a clue. Most of upper management came from NeXT but the beige box lived on the shop floor. Apple started with a system that was inherently secure. A system that had been through the gauntlet, vetted over and over again, a system perfectly capable of connecting in a multiuser Internetted world - and through a series of design decisions driven by a purist yearning to preserve an indefinable aesthetic from the good old beige box days (if those days ever existed) they've brought the security and the safety of their users to the brink time and time again. And now with OS X 10.7 Lion they've sunk to a new nadir. A new all-time low.
All the good programmers were plucked back in 2005 for the iPhone project. The computer OS began to suffer almost immediately and never recovered. Lion shows Apple refusing to let the brighter engineers work on the computer OS again.
The engineers left behind - those not considered good enough for iPhone - have screwed up so many times it can't be counted. They're not even experienced computer users, much less top echelon programmers. And look at their security rap sheet. This in a company forced to use Unix to save their sorry butts - but a company that's done this resentfully, a company adamant about not appreciating Unix or - yes it's true - understanding Unix.
Why even bother with Unix if you're going to reduce it to Windows? Why look to Redmond instead of to Murray Hill and Berkeley?
Look at how they introduced the iPhone with universally exposed passwords and everything running as root. These were the best engineers Apple had to offer? Crashes all over the place on the first iterations? Don't worry about the hardware scandals - look at their abysmal security. And remember that these were Apple's 'best of the best'. And things were far worse back on the computer platform.
Opener was bad. Put the right type of file in an unprotected area of the file system and the box was toast on reboot.
Oompa Loompa was a huge embarrassment. Malware could easily spread from machine to machine.
The protocol hole was no fun - drive by attacks could force stealth downloads to run.
The system login items root exploit was out there for a long time as well.
And so forth.
These weren't weaknesses in Unix - these were idiotic and unnecessary weaknesses introduced by the silly ones in Cupertino who were convinced they had good ideas how to improve Unix - ideas they never bothered vetting.
What No POC?
The idea of creating a 'proof of concept' application for the dscl vulnerability was tossed around here at Rixstep. Surely it's been done many times before. But ultimately the decision was to not bother with it. Why? Because the people with the cerebral franchise to understand already get it and the rest are perspiring profusely to once again deny there's anything wrong. What a silly situation.
Check the comments at Michael Evsteen's blog post. There are some real gems there. There should be a global law that idiots can't comment on computer system security. They're the equivalent of the systematic gamblers - casinos love them. They're the ultimate fools. They think they know what they're doing. The casinos clean them out.
The black hats and the kiddie hats love Maccie eejits who also think they know something. And by being so stupid, they put themselves in danger more than the more cautious freethinkers. Until ultimately they start crying and whining like CoMpX.
Michael Evsteen does have a suggestion though. If you're foolish enough to run that excuse of a personal OS. Change the permissions on dscl to prevent some of the interlopers from getting at you.
$ sudo chmod 100 /usr/bin/dscl
Mode 100 is owner-execute only. Root owns /usr/bin/dscl, so after this only root - or an admin through sudo, after typing a password - can run it. (Root ignores the read and write bits on any file anyway, so the missing 'r' and 'w' change nothing for root.) But cut Michael some slack for being a bit hyper - with another typical Apple security blooper hanging in mid air, there's more than enough justification for being just a bit jittery. Two caveats though. The vulnerability isn't in the dscl binary: it's somewhere in the recesses behind the dscl interface, in the directory services layer dscl merely talks to, and anything else that talks to that same layer is untouched by a chmod on one file. So this is a speed bump for the lazy attacker, not a fix. And the next Apple software update that replaces dscl will put the old permissions back - check again after every update.
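As an added example - not code from this article, from Michael Evsteen, or from Apple - here is a small sh script that applies the chmod 100 mitigation to a path, verifies the resulting mode bits, and checks whether an unprivileged user can still read an account's ShadowHashData through dscl (the attribute name is the one used in the Lion-era write-ups). The script and its function names are my own construction; it runs on any Unix, and the hash check reports 'undetermined' where there is no dscl or where it's run as root.

```shell
#!/bin/sh
# Added audit/hardening helper for the Lion dscl problem. Constructed as an
# illustration; not code from the original article or from Apple.
# Assumptions: a BSD- or GNU-style 'ls -l' mode string, and the
# dsAttrTypeNative:ShadowHashData attribute name from the Lion-era write-ups.

# Ten-character mode string, e.g. -rwxr-xr-x, for a path.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Exit 0 if group or others can execute the file, i.e. the chmod 100
# mitigation has NOT been applied (or an update has undone it).
exec_beyond_owner() {
    m=$(mode_of "$1")
    g=$(printf '%s' "$m" | cut -c7)    # group execute bit
    o=$(printf '%s' "$m" | cut -c10)   # others execute bit
    case "$g$o" in
        *x*|*s*|*t*) return 0 ;;
        *) return 1 ;;
    esac
}

# The article's mitigation: owner-execute only. Returns 0 on success,
# 1 if chmod failed (not root), 2 if the path does not exist.
lockdown_dscl() {
    f="${1:-/usr/bin/dscl}"
    [ -e "$f" ] || { echo "missing: $f" >&2; return 2; }
    chmod 100 "$f" || return 1
    [ "$(mode_of "$f")" = "---x------" ]
}

# Lion handed every account's password hash to any local user through
# directory services. Returns 0 if the current unprivileged user can read
# the hash of $1, 1 if not, 2 if undetermined (no dscl here, or running as
# root, where the read proves nothing).
shadow_hash_readable() {
    user="${1:-$(id -un)}"
    command -v dscl >/dev/null 2>&1 || return 2
    [ "$(id -u)" -ne 0 ] || return 2
    if dscl localhost -read "/Search/Users/$user" dsAttrTypeNative:ShadowHashData 2>/dev/null \
        | grep -q ShadowHashData; then
        return 0
    fi
    return 1
}

# Report both conditions for the real binary; prints, does not modify.
audit() {
    f=/usr/bin/dscl
    if [ -e "$f" ] && exec_beyond_owner "$f"; then
        echo "WARN: $f is $(mode_of "$f"); any user can run it"
    else
        echo "ok: $f not executable beyond owner (or absent)"
    fi
    if shadow_hash_readable; then
        echo "VULNERABLE: password hash readable without privilege"
    else
        echo "ok: hash not readable as unprivileged user (or check undetermined)"
    fi
}

# Usage: sh audit_dscl.sh audit
# Hardening: sudo sh -c '. ./audit_dscl.sh; lockdown_dscl'
if [ "${1:-}" = "audit" ]; then audit; fi
```

Run the audit as the ordinary (admin) user, not under sudo: the hash check is only meaningful from an unprivileged process, and a passing audit says nothing about other clients of the same directory services layer.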
No Other Mitigation
It's important to realise there is no other mitigation for the current impasse. OS X 10.7 Lion is toast - it needs a fix. Silly sites such as Cyberstreams like to play down the danger (and thereby win site uniques) but that's a dangerous game indeed. Pushing the same URL for a week to make people drink the Kool-Aid is reprehensible.
You simply are not safe running OS X 10.7 Lion as is - until Apple unequivocally fix the dscl vulnerability.
After that they have to deal with the fact that the password hashes - the shadow data - can be read out by any local user. And they have to do this fast - there are a number of really dumb trojans going around.
Tomorrow's the two-week anniversary of the public announcement of the dscl vulnerability. Michael Evsteen should perhaps have notified Apple first, given them a chance (two weeks) to fix it, protected users through a bit of security through obscurity. That's the commonly accepted protocol. But whatever - that's water under the bridge. The dscl vulnerability is out there. And Apple have an obligation to fix it. On time. But will they?
Defence in Depth: Cracking OS X Lion Passwords
Rixstep Developers Workshop: Apple: When Closed Systems Don't Work
Rixstep Industry Watch: Opener 3.9
Rixstep Industry Watch: Get Root on 10.5.4
Rixstep Industry Watch: You're Root, Dude!
Rixstep Industry Watch: The Story of Renepo
Rixstep Industry Watch: Got Lion? Get OWNED?
Rixstep Industry Watch: Oompa Loompa Quotes
Rixstep Industry Watch: ARDAgent: Here to Stay?
Rixstep Industry Watch: A Leopard Mail Vulnerability
Rixstep Industry Watch: It's Not New It Starts with 10.2
Rixstep Industry Watch: The Legend of Oompa Loompa
Rixstep Industry Watch: For Apple, This is the Year That Wasn't
Rixstep Industry Watch: 'Huge, Crazy, Ridiculous OS X Security Hole'
Rixstep Learning Curve: Rooting 10.5.4
Rixstep Learning Curve: Apple's Wi-Fi Fallout
Rixstep Learning Curve: Son of Input Manager
Rixstep's The Technological: The Not So Sinister Finisterre
Rixstep's Coldspots: What's Wrong with This Picture?
Rixstep's Red Hat Diaries: Screaming Apple Fanboy Idiots
Rixstep's Red Hat Diaries: Number One at Almost Everything
Rixstep's Hotspots: Leopard: OS Xhumation
We at Apple take security very seriously.
- Apple Inc
I believe that something big is going to happen.
- yankeefan24 on Oompa Loompa
An Apple spokesperson was not immediately available to comment.
- Reuters/CNN Money
It isn't anything. I opened it in Terminal and it did nothing. I checked the logs and the running processes and there was nothing foul going on.
- Phreak.net on Oompa Loompa
This is a very very sad day for the Mac platform. I always hoped that this would not happen in my lifetime. I am almost in shock now. I can't believe this is reality. All because of this bastard with his pics. I am extremely pissed, sad, and scared. This guy needs to pay - this is war IMO.
- CoMpX on Oompa Loompa
It does not exploit any security holes. There are zero Mac OS X viruses. It'll be interesting to see which media organizations, if any, pick up on this and run the incorrect story of the first OS X virus. This is what it's come to: making up an OS X virus where none exists.
- MacDailyNews on Oompa Loompa
Oompa Loompa is actually a combination of all three types of malware. First, it is a Trojan horse - an executable hidden inside a file disguised as a graphic file; then it is a virus, as it replicates to other applications on a user's computer; finally, it is a worm when it sends itself via iChat to other users. OSX/Leap-A: a proof of concept piece of malware. Leap-A is merely an attempt to disguise an executable program as an image in an effort to trick the recipient into launching the program. Launching a program in Mac OS X requires the user to enter their password, an indicator that should clue most users into the fact that it is not what it appears to be.
- The Mac Observer on Oompa Loompa
Leap-A is not a virus. It is malicious software that requires a user to download the application and execute the resulting file. Apple always advise users to only accept files from vendors and Web sites that they know and trust.
- Apple Inc on Oompa Loompa
Unless Apple faces up to the security issues its users face, its reputation for making secure operating systems, already damaged by its mishandling of these recently discovered vulnerabilities, will be further tarnished.
- John Leyden, The Register May 2004
The reason security research on OS X is so interesting is that Apple take the injudicious move of branching off from tried and true Unix code to create something they're rather reluctant to call Unix anymore. Unix has had a good thirty years to mature and more researchers inspecting it by an order of magnitude. Apple use a closed source model and they're venturing out into new territory where the risk for exploits grows geometrically. And they're carrying with them legacy ideas from the birth of NeXT which predates the birth of the web. And they don't listen.
- The Technological November 2006