Without Explicit Authorization
It's not an April Fool's joke. Reprinted from Radsoft.net.
A story breaking at Rixstep.com for the past week threatens to reach fever pitch. After all the news and talk about the hundreds of thousands of Windows viruses, the undetectable Zeus trojan and botnets, and the millions upon millions lost each day by small and medium businesses, the Unix people - above all the Apple people - seem to sit smugly on the sidelines and laugh.
And yet it turns out Apple's OS has gaping holes that don't even require hacking. Anyone can walk in off the street and own any Apple machine anywhere.
What happened to Apple's 'rock solid foundation'? And their taking security seriously?
No sign of either anymore. Is Mac OS X a professional system?
Rixstep noticed something wrong with the recent 4.0.5 update to Apple's Safari web browser, issued ostensibly in anticipation of getting hacked to bits at CanSecWest. (And they were still hacked.)
The 4.0.5 download worked in different ways on different platforms. On Apple's older 10.5 Leopard, users had to 'authenticate' as always to install the all-important WebKit in protected system areas. (Yes, this is the way Unix works and it's good.)
But users of Apple's latest and greatest 10.6 Snow Leopard didn't have to authenticate. They had the exact same files to install; they needed to access the same protected areas; yet they weren't required to authenticate.
Authentication (to 'escalate' to 'root' or the system's 'superuser') is necessary to gain write access to system areas owned and protected by that same superuser. In both installs, files were written to the same areas on disk - both owned and protected by the superuser.
In the one case the Safari update indicated it needed user authorisation as always; in the other case - Apple's most recent operating system Snow Leopard - no such authorisation was asked for or required.
The same thing happened back in 2006. OS X users began noticing that updates from third party vendors were able to modify protected areas without explicit authorisation. The matter reached the ears of Apple and was supposedly remedied in a security update after the turn of the year. Mac users were mollified.
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.8, Mac OS X Server v10.4.8
Impact: When installing software as an Admin user, system privileges may be used without explicit authorization
Description: Admin users are normally required to authenticate before executing commands with system privileges. However, the Installer allows system privileges to be used by Admin users when installing certain packages without requiring authentication. This update addresses the issue by requiring authentication before installing software with system privileges.
No one questioned how such a thing was possible in the first place until now. And Apple's current software update mechanism does the same thing as before: it installs software with system privileges without explicit authorisation.
Rixstep hunted down a number of suspect system modules - a software update 'daemon' and a curious program buried in a framework used by the system installer. Apple are 'rooting' their own users' machines without explicit authorisation.
Apple CEO Steve Jobs has already admitted his people have full control over all iPhones in existence - that Apple can go into any iPhone anywhere and add, modify, and delete files at whim without explicit authorization.
Jobs has claimed they have never used this power and likely never will. But it looks like they have a different attitude towards their Unix-based desktops and laptops.
Given the presently hopeless future of Windows as a connected Internet system, it's natural for users to consider switching to something safer. And Unix - in general - is a lot safer. But given Apple's repeated disregard for the most elementary principles of system security and user integrity, their Mac OS X can hardly be recommended.
Apple really cooked the April Fool's goose on this one. They're the ones who pointed out, already over three years ago, that 'without explicit authorization' is a Bad Thing. They could have worded it some other way. They could have called it 'unexpected escalation to root'. Or anything. But they used the magic words - they described exactly what they're doing again today.
Coldspots: The Strange Case of Safari 4.0.5
Coldspots: Security Update 2006-007