They Don't Give a Shit
'Apple Sweden? Comments?'
A while back a number of security gurus were discussing the Developers Workshop 'Hackers Handbook' series. Not being particularly adept at OS X but adept in security matters in general, they didn't know exactly how to react. But they did agree on one thing.
Give it a month, one of them said. If nothing happens it proves OS X is secure only because nobody gives a shit.
Give it a Month
The month (August) came and went; now it's October; nothing happened.
Nobody gives a shit.
On 17 October 'cubeuser_vol2' at the Swedish security forum 99.se found the series.
'I'm surprised and confused when I read this series about how safe the Mac is today', writes 'cubeuser_vol2'. 'I hope someone who understands OS X security can tell me that this weakness no longer exists, perhaps never existed? Of course I hope Leopard doesn't have this weakness. I hope for the sake of all Mac users that this is not true. But if it's true? Apple Sweden? Comments?'
'cubeuser_vol2' will be waiting a long time to hear from Apple Sweden. If Apple Sweden comment at all it will only be after conferring with home office and getting the exact wording hacked out over a period of days, weeks.
The Headline Syndrome™
'cubeuser_vol2' doesn't suffer from the Headline Syndrome™. He doesn't stop at the headlines and then tell everyone what he 'knows'. He actually - brace yourselves - reads.
And he exhibits that ultimate character trait as he does: he readily admits when he doesn't understand something. That's very rare in the volatile atmosphere surrounding security issues for Apple today.
'I don't want any hateful contributions here', continues 'cubeuser_vol2'. 'I'm hoping those who know their OS X security can speak up and give us 'uneasy' OS X users advice how we can make OS X more secure and tell us which reports are true and which are false.'
'I'm looking for more openness about how secure OS X is and less of the 'platform wars'. I use OS X and I plan to continue using it but I'm always interested in learning more about it and how I can make my computer use safer, faster, and more effective.'
'A reasonable security awareness is part of the concept of safety.'
'Is there anyone to take up the challenge?'
So far no one has taken up the challenge. Give it time, some might say. He only posted yesterday. But 99.se is Sweden's biggest security forum and Swedes are not exactly dumb as the proverbial swede. On the contrary they're often the avant-garde in security and technology issues. Nobody gives a shit - even in Sweden.
To ease a bit of unrest: the only 'weakness' pointed out in the 'Hackers Handbook' series was the 'input managers hole' and this has been fixed in Leopard.
Finally. After being abused by ichatHack, mailHack, safariHack, Oompa Loompa, and the series of PoCs published by Kevin Finisterre. The 'input managers hole' is something both Kevin and this site have been pushing hard to get fixed for a long time. For years.
The status of the MOAB #15 hole is unknown but a careful user such as 'cubeuser_vol2' who doesn't scramble to 'repair permissions' at every twist and turn; who removes everything in /Library/Receipts; and who resets the flawed permissions on the affected SUID root files in /Applications will be safe.
There was nothing new in the 'Hackers Handbook' series. It was already out there. It had been used in ichatHack, mailHack, safariHack, Oompa Loompa, and the series of PoCs published by Kevin Finisterre. All it did was lay it all out so everyone could see - so people would react.
And the reaction of 'cubeuser_vol2' is what it was all about.
The 'Hackers Handbook' 'weakness' is but one of many. Charlie Miller used a completely different approach with his Safari/iPhone exploit - an approach many would say was even easier. Today there's the TIFF exploit at Metasploit and it's still wide open.
Patch it Today
The key to it all is that when you discover a vulnerability you have to patch it. Today. Not tomorrow, not next week, not next year, not after a year and a half as with the Opener hole - but today.
And that's something Apple simply don't do. Speculating on why they don't do this could be the subject of another article and is already the subject of many an article at this site. But figuring out why Apple don't do this is not productive - unless one simultaneously is able to get Apple to start cleaning up their act.
But it's obvious Apple don't give a shit.