
Attack code out for Apple flaw

Hurmoth on 29 June 2006 - 19:59 · 37 comments & 13848 views

Attack code that exploits a flaw in Apple Computer’s Mac OS X was publicly released Wednesday, increasing the urgency to patch.

The code's arrival comes just a day after Apple made an update available for its operating system. The malicious program takes advantage of a locally exploitable vulnerability in an operating system component called "launchd".

"Attackers may exploit this issue to execute arbitrary code with elevated privileges," Symantec said in a security alert to customers that was updated on Thursday.

Kevin Finisterre, a security researcher at Digital Munition, created the exploit. Earlier this year, Finisterre created the Inqtana worm, which targets Mac OS X and spreads using an 8-month-old vulnerability in Apple's Bluetooth software. His actions are in part to demonstrate that Apple software is not unbreakable, he has said.

View: The Full Article @ CNET News.com




(1 reply) #1 Gary_Player on 29 Jun 2006 - 20:13
So... does this have to be over bluetooth or is it just an exploitable problem with the bluetooth software?
#1.1 Xavien on 29 Jun 2006 - 20:31
I believe from what I read of it, it is an exploitable flaw within the Bluetooth software that allows a malicious program (aka a virus) to run code unrelated to the Bluetooth software at a higher privilege level than normal user privileges (aka the same sorta thing Windows has to deal with).
#2 Solarix on 29 Jun 2006 - 20:25
8 month old vulnerability, wow.
(6 replies) #3 reidtheweed01 on 29 Jun 2006 - 20:25
Good job avoiding the word virus.
#3.1 Xavien on 29 Jun 2006 - 20:28
yep virus indeed.

Microsoft, Vulnerability = Critical Flaw opens way for Virus!
Apple, Vulnerability = Malicious program could take advantage of flaw.

i will say no more.
#3.2 The Grasshopper on 29 Jun 2006 - 20:40
that is true reidtheweed01 and Xavien hit the nail on the head!
#3.3 Kushan on 29 Jun 2006 - 20:46
I was about to say the same thing. Even Apple's flaws have to have a different name....
#3.4 darkpuma on 29 Jun 2006 - 20:48
well said.

-added-
about what was just said...

apple flaws are called worms! *wink, wink*
#3.5 virtorio on 29 Jun 2006 - 21:15
I always distinguished a difference between proof-of-concept code, created by a researcher, to prove the obvious (code written by humans can never be 100% safe) and a program (virus) with the intent to steal data, damage data, create annoyance or havoc by some guy in his mother's basement.
#3.6 Stunna on 29 Jun 2006 - 23:16
Quote - darkpuma said @ #3.4
well said.

-added-
about what was just said...

apple flaws are called worms! *wink, wink*


haha I like that one.
(6 replies) #4 Elendil on 29 Jun 2006 - 20:51
Well, it obviously can't be a virus. I heard an Apple ad on tv a day or two ago and they said that only PCs have them.
#4.1 darkpuma on 29 Jun 2006 - 21:00
ahahahahahahahahahhaaa
#4.2 npe on 29 Jun 2006 - 21:01
LOL... your statement about the ad makes my day
#4.3 MrCobra on 29 Jun 2006 - 21:23
Thanks for that. LOL. :p
#4.4 slimy on 29 Jun 2006 - 21:48
lmao good call, completely forgot about that ad :p
#4.5 Chugworth on 29 Jun 2006 - 22:10
Well I guess Apple will pull their latest wave of stupid advertisements now. The ones with two people representing PC and Mac.

Man I can't stand Apple's commercials.
#4.6 Jon on 30 Jun 2006 - 08:45
Their adverts / commercials are incredibly childish, and bordering on slander IMO.

Go watch Mikko Hypponen in the F-Secure 1st half of 2006 Security Review video, he clearly states 4 OS X viruses have now been discovered. And they don't even sell an OS X product.

It's amazing how pedantic OS X users will be about the categorisation of malware in order to protect their supposed perfect track record. There was an interesting discussion on bugtraq recently about using 'number of vulns in a product' to assess its security, the conclusion was (IIRC) that "0 vulns != secure", by a long shot.
(5 replies) #5 aristotle-dude on 29 Jun 2006 - 21:35
The exploit for this "proof of concept" was patched in the 10.4.7 patch released earlier.

Last edited by aristotle-dude on 29 Jun 2006 - 21:41
#5.1 ineedsleep on 29 Jun 2006 - 22:07
Thank you. I'm glad someone finally mentioned this.
#5.2 UnnDunn on 29 Jun 2006 - 22:14
And? Lots of MS flaws get patched before exploits are released. Doesn't stop the Mac faithful from crowing about them though.
#5.3 virtorio on 29 Jun 2006 - 22:31
Quote - UnnDunn said @ #5.2
And? Lots of MS flaws get patched before exploits are released. Doesn't stop the Mac faithful from crowing about them though.

As I recall there are usually more actual Windows users "crowing" about Windows flaws than Mac users.
And usually not over proof of concept code like this.
#5.4 NeoTrunks on 29 Jun 2006 - 23:26
Quote - aristotle-dude said @ #1
The exploit for this "proof of concept" was patched in the 10.4.7 patch released earlier.


So, that means we have nothing to worry about then? I love not having to worry.
#5.5 QuarterSwede on 01 Jul 2006 - 14:49
Quote - NeoTrunks said @ #5.4
Quote - aristotle-dude said @ #1
The exploit for this "proof of concept" was patched in the 10.4.7 patch released earlier.


So, that means we have nothing to worry about then? I love not having to worry.

Amen brother. Windows users just don't get it.
(3 replies) #6 thefunkymunky on 29 Jun 2006 - 23:25
As mentioned previously. All these exploits have been recently patched with the OSX 10.4.7 patch and the iTunes 6.0.5 update.

Quote -
From MacRumors.com

According to News.com, security researcher Kevin Finisterre at Digital Munition has released "attack code" to the public that can locally exploit the launchd daemon.

"Attackers may exploit this issue to execute arbitrary code with elevated privileges," Symantec said in a security alert to customers that was updated on Thursday.

The code affects Mac OS 10.4.0 - 10.4.6 (excluding the recently released 10.4.7 and 10.3.. The same researcher also created a proof-of-concept Bluetooth exploiting worm earlier this year. According to News.com, his actions are in part to show that Apple software is not unbreakable.

Also mentioned in the article is that iTunes 6.0.5 is quietly patching an AAC parsing flaw.
Parsing a maliciously-crafted AAC file could cause iTunes to terminate or potentially execute arbitrary code. iTunes 6.0.5 addresses this issue by improving the validation checks used when loading AAC files.
#6.1 aristotle-dude on 30 Jun 2006 - 02:44
What I find interesting is that this guy keeps on taking the time to create these proof of concept exploits and then we see Symantec all over this. Does anyone else get the impression that this guy is a hired gun and that Symantec is paying him to do it?

Could it be that a lot of viruses are being created at the request of anti-virus vendors? I personally would never install a Symantec product on my Mac as it could potentially screw it up worse than any virus ever could.
#6.2 NeoTrunks on 30 Jun 2006 - 05:26
Quote - aristotle-dude said @ #6.1
What I find interesting is that this guy keeps on taking the time to create these proof of concept exploits and then we see Symantec all over this. Does anyone else get the impression that this guy is a hired gun and that Symantec is paying him to do it?

Could it be that a lot of viruses are being created at the request of anti-virus vendors? I personally would never install a Symantec product on my Mac as it could potentially screw it up worse than any virus ever could.


I think it works like this: Apple's engineers find a flaw. They patch it up, release that patch to all users. That same day, Joe Schmoe hears about this, and looks into that flaw that was patched up. Then starts to spread news about a security vulnerability.

In other words, no piece of software is perfect. But it's up to the software engineers to stay on top of their code and fix whatever holes they find.
#6.3 Jon on 30 Jun 2006 - 08:37
That may happen in *some* cases, but not all.

You'll find an identical situation for many Windows vulns, which is why the window between a patch being released, and POC appearing is shrinking rapidly. All a smart coder needs to do is analyse the actions of the patch, and they have a damn good chance of finding the flaw.

That certainly isn't an 'angelic like behaviour only found in the Mac world' as you seem to think.

Also, in response to aristotle, it's perfectly normal for VXrs to have a contact to which they forward interesting code first. F-Secure were also heavily involved in the original Bluetooth worm release, I don't think there's the conspiracy you'd like to think there to be honest!
#7 Croquant on 30 Jun 2006 - 01:33
Later, an Apple spokesman was quoted as saying "D'oh!"
#8 yudi_lks on 30 Jun 2006 - 02:14
Hahaha, that's funny
#9 [bear] on 30 Jun 2006 - 04:00
Sorry guys 10.4.7 is not vulnerable to this. I love having this easy life.
(1 reply) #10 C-M on 30 Jun 2006 - 04:35
I love the 9329 people that come flocking to the words "apple, flaw"
#10.1 reidtheweed01 on 30 Jun 2006 - 06:19
Are you serious?

There are about 20 comments, have you not seen the number of comments when something bad is in the news about Microsoft?


It's at least 100
(1 reply) #11 LTD on 30 Jun 2006 - 06:41
A proof-of-concept virus (we'll call it a flaw, why not) . . . . that has *already* been patched.

And Windows fanboys *still* have nothing to gloat over.

Folks, when it comes to security, OS X is still superior to Windows by an order of magnitude. Deal with it.
#11.1 Jon on 30 Jun 2006 - 08:39
Most Windows POC code is released after the patch. It's called responsible disclosure.

Releasing a patch and installing a patch are two different things. If Apples were actually popular in Enterprise environments, you'd see far more hassle resulting from these vulns. But they aren't, so you could argue they really are playing the security through obscurity game.
(1 reply) #12 wicker_man on 30 Jun 2006 - 07:22
Quote -
Kevin Finisterre, a security researcher at Digital Munition, created the exploit.

Now, why the hell would you create this and make it a public release, irrespective of a system your exploit is for? How different is Mr. Finisterre from some student who would've made the same thing and released it and been visited by FBI afterwards because it damaged business systems?
I think those types of 'security experts' should take a walk from the industry because their job is to inform companies of vulnerabilities in their software, not piping their 'research' all over the internet like buttholes...
#12.1 Jon on 30 Jun 2006 - 08:42
Occasionally VXrs and vuln. researchers take extreme measures and break standard procedures (ie: sensible disclosure) if they are constantly banging their heads against a brick wall.. for example if Apple were ignoring the issue, took too long to patch, etc. This may well be one of those cases.
#13 wicker_man on 30 Jun 2006 - 09:45
Is it justifiable though for the end-user security? I think I'd rather have a vulnerability that no one knows about than the one that has been posted online for people to take advantage of it.
