RazvanM writes "At the beginning of this month the Mac OS X 10.5.8 closed a kernel vulnerability that lasted more than 4 years, covering all the 10.4 and (almost all) 10.5 Mac OS X releases. This article presents some twitter-sizeprograms that trigger the bug. The mechanics are so simple that can be easily explained to anybody possessing some minimal knowledge about how operating systems works. Beside being a good educational example this is also a scary proof that very mature code can still be vulnerable in rather unsophisticated ways."
"Beside being a good educational example this is also a scary proof that very mature code can still be vulnerable in rather unsophisticated ways."
Since when did the age of code become a metric for evaluating its trustworthiness? Code should only be trusted after undergoing in-depth analysis by people with training and experience in information security. Code should also be written with security in mind from the beginning. The story of this kernel bug is simple and goes like this: "I was in a hurry."
I believe the implied meaning of this is "in the absence of exhaustive security analysis, a code's age/maturity is one of the better indicators of its security". While I'm not particularly sold on this notion myself, it does bear a lot of semblance to the idea that code can be proven "secure" if it stands after a multitude of random attacks, which is basically one of the tenets of OSS.
Well, assuming that the code is actively (and properly) maintained, then that isn't a bad metric. Essentially, it's because any security flaw is the result of a bug. It's just a bug that can be exploited. So, if the code is maintained properly, then bug fixes will be continuous and as such, reduce the number of exploitable bugs.
Good metric, yes. Absolute metric, no.
"""... which is basically one of the tenets of OSS."""
And where did you hear that? Because, I never have and I've been around for a while.
Essentially, it's because any security flaw is the result of a bug. It's just a bug that can be exploited. So, if the code is maintained properly, then bug fixes will be continuous and as such, reduce the number of exploitable bugs.
It depends on your scope of consideration. Design flaws are not 'bugs' in the traditional sense of the word (i.e., implementation-related). However, if you expand your scope to include design specs then your statement is true. There do exist though exploits of perfectly-implemented but imperfectly-designed code.
While I'm not particularly sold on this notion myself, it does bear a lot of semblance to the idea that code can be proven "secure" if it stands after a multitude of random attacks, which is basically one of the tenets of OSS.
I'm pretty sure that's not a tenet of OSS. If someone is pushing that as a tenet, then they really need to pay closer attention to history. A history of resilience is a nice metric - but it's not "proof" that code is bug-free rather just that nobody has found a given bug or made it public. People who get caught up in vulnerability counts forget that the real metric is response to a given vulnerability.
One tenet you hear bandied about is "given enough eyeballs, all bugs are shallow." Criticism tends to revolve around whether enough eyeballs have been put to any particular piece of code. Although one could argue that it's not just the number of eyeballs - but whether said eyeballs have the training to look for particular kinds of bugs that might not show up in normal use of the given code. None of that has anything to do with the frequency of attack.
You know, at this point there are probably about a thousand times as many people whining about this supposed attitude on the part of Mac users than there are Mac users actually displaying it.
They're an easy target because they stress this in their advertising thus bringing it on themselves. Why have pity for them? Their ads are smarmy so getting a little in return is all in good fun. It's ridiculous to think that any computer is perfect, that's why we point and laugh.
You know, at this point there are probably about a thousand times as many people whining about this supposed attitude on the part of Mac users than there are Mac users actually displaying it.
But that's perfectly in order, isn't it? There have been many more people complaining that Hitler was a bad guy than there has been Hitlers.
Godwin's law talks about the probability of a discussion involving someone being compared to Hitler. You didn't compare someone to Hitler, you compared comparing someone to someone to comparing someone to Hitler. This is not a Godwin, it's a meta-Godwin.
Same could be said for Linux! Right? Right? Being open source makes it invulnerable?
No, it being open source means that the vulnerabilities can be fixed quicker than 2+ years.
Linux has had more known vulnerabilities than Windows, but that is because people can see the source and find the vulnerabilities. It has also had more fixed vulnerabilities and currently has less valid vulnerabilities than Windows.
This bug was in one of the open source parts of the XNU kernel. A third party did find the flaw and, once it was demonstrated to be dangerous, Apple released a fix quickly. I object slightly to the fact that they ignored it for about a year when they thought it was 'only' able to crash the kernel, but maybe they had more pressing issues that they needed to fix. Given that the source is available, under a license which permits both recompilation and distribution of modified versions, this isn't an open versus closed debate, it's a question of how many people bother to look and fix bugs. Last numbers I saw said there were 78 people actively working on the Linux kernel, and not all of these full-time; I expect Apple devotes a similar number of man-hours to XNU, but divided among fewer people.
Look under "most vulnerable operating system".
Yes, right at the top, for several years going sits OS X. It actually consistently experiences 3 times the number of vulnerabilities compared to Vista.
You can also do some secunia digging yourself. It shows the same tendency even in the raw data.
OS X may be less exploited but it has far more vulnerabilities. On top of that OS X lacks many of the anti-exploit mechanisms found in both common Linux distros and in Windows Vista.
Vulnerabilities does not have much to do with exploits. A single vulnerability may leads to several independant exploits. Many vulnerabilities will pass unexploited. The difference is incentive. And if pwn2own has showed us anything it certainly confirms this. Macs have consistently been the first to fall, literally within seconds.
While I agree that there are a lot more security holes in OS X than there ought to be (and you only need one to win pwn2own), I seem to recall reading that study when it came out and being less than impressed with their methodology. They did not weight the types of vulnerability in a sensible way, and they included a number of bugs in components of OS X that have no equivalent bundled with Windows (and several of the most vulnerable ones are not enabled by default), but doesn't include exploit counts for Windows equivalents.
On top of that OS X lacks many of the anti-exploit mechanisms found in both common Linux distros and in Windows Vista.
Not sure about that. OS X has a very advanced sandboxing system, and has since OS X 10.5. This is why the mDNSResponder bug last year was a remote root hole on Linux, Windows, and OS X 10.4 and a DoS on OS X 10.5 and above.
All studies analyzing security vulnerability reports or released patch sets as a measure of OS security simply prove that the researcher is a fucking idiot. It's IMPOSSIBLE to measure security in this way because you are comparing lawn tractors to jet skis. The reasons are basic: everyone that releases an OS has their own way of dealing with reports and patches. The raw data is MEANINGLESS.
It doesn't matter what anti-exploit technology is in the OS because it has been proven time and time again that no matter WHAT the warning, Users hit OK anyway. In fact, studies have shown that even when presented with a dialog that says something like "If you click OK, your computer will be infected by a virus," users STILL click OK 50% of the time. Windows is particularly bad in this regard because it is CONSTANTLY asking permission to do this, that, or the other thing. A typical work day for me I get 100-1000 requests for permission. It's no wonder users click OK all the time.
Due to "OS conditioned" user behavior, NONE of the anti-malware software out there is actually effective at preventing infection. Most can clean it up after the fact (with the drive pulled and scanned from another machine.)
Users also continue to use stupid passwords like "password", "1234", etc. no matter how much training given. Forcing complex passwords just ensures that there will be a postit on the monitor with the password, and a 100x increase in calls to the help desk to reset passwords.
The ONLY measure we REALLY have is subjective, and based on my experience, the reality is that windows users are probably 1000 times more likely to have malware on their systems.
I don't have any good solutions to this problem other than to suggest that we need security technology that actually analyzes a program's behavior, possibly simulating it by running in a mini-secure sandbox before talking to the user about it. Maybe apps could be be checked against a reputation database... Known good could be passed with no prompting thus reducing the amount of warning dialogs to the user. The current situation has proven dire however.
Could that have something to do with the fact that the vulnerability reports for OS X include tons of third party stuff (including Java or things that aren't used by default), that those for Windows don't?
Yes, the severity of the exploits is what matters. I didn't read TFA, but a lot of people keep bringing this up in this thread. If the IBM study doesn't properly address the "magnitude of effect" (i.e. the seriousness of any differences between means or other comparative or inferential statistics), then it is ripe for biased-respresentation. People can pick and choose what they want to say without an accurate discussion of the findings. Raw numbers don't mean crap.
I did read the blog posting, and it says "The oldest kernel I was able to test the problem was Darwin 8.0.1 which corresponds to Mac OS X 10.4 'Tiger'." I figured I'd post a result on an earlier one, so shove it.
Alright, I read TFA. I read the earlier slashdot article. I even googled around a little bit. What I find is, an obscure little bug, if exploited locally, enables a user to crash his machine. What I don't find is an exploit that makes use of this bug.
Am I missing something?
I suppose that I could accomplish something similar on my current Ubuntu installation. If I thought it made a difference, I could install a few other flavors of Linux and try doing something like that. But, why?
MS astroturfer's posts above are noted. And, I also note that MS bugs are routinely exploited, locally and remotely. The unwarranted superiority complex looks pretty pathetic, doesn't it?
It's not the fact that it is local exploit code, it's the fact that local and remote exploits and the line between them are being blurred every day. TFA mentioned being able to write memory in 8-bit pieces, ANYWHERE in kernel memory. That's pretty dangerous if you ask me.
The problem is the data in the buggy case is whatever we give as a third parameter in the fcntl code. Considering that the 8 bytes are controlled by the user it means he can write that amount of information anywhere in the kernel memory!
followed by an example of actually doing it and proving that it worked (not a particularly malicious example, but it seems enough proof of concept to me).
The bug lets you write arbitrary, user-controlled bytes into kernel space. The first thing that comes to mind is that you could change the current process' priv structure in memory. Now you're root. Or why not use it to hook syscalls, or do really whatever you want? You're in ring0, go nuts.
So your argument is that even though the bug exists, it's okay because no one took the time to massively exploit it?
you do realize that if OSX had anywhere near the market share of windows, this would've been exploited years ago, right? i accept that 'security through obscurity' is perfectly valid, but you need to recognize it for what it is.
Yeah, I've read this "market share" argument used as a defense for shoddy MS code time and time again. That just doesn't cut it.
Mac has a presence in the business world. If it were as buggy as MS, crackers would be launching fishing expeditions for vulnerable Macs, so that they could gain access to company networks.
What I asked for were examples of exploits, or reasons why this bug were really dangerous. Posts before yours are attempting to put things into perspective. Please, no more lame defenses of from MS astroturfers - there are enough of those even before you arrive at my question.
Market share, indeed. Remind me that the next time I want a cheap padlock, I should purchase a no-name lock. Since it has no market share, burglars won't try to pick it or break it.
Mac has a relatively tiny presence in the business world.
Fixed that for you.
What I asked for were examples of exploits, or reasons why this bug were really dangerous.
And a bunch of people already pointed out that this bug gives you write-access to the kernel's memory. That's bad, privilege escalation bad.
Market share, indeed. Remind me that the next time I want a cheap padlock, I should purchase a no-name lock. Since it has no market share, burglars won't try to pick it or break it.
That's funny, because I recall seeing all sorts of instructions on how you can open MasterLock(TM)(R) and (ALL THAT) combination locks. They were so detailed, they would even specify which serial numbers of which models were vulnerable to which cracking techniques. And yet, I never saw any instructions for opening the Wal-Mart special RandomBrand of padlock.
Market share does matter when it comes to investing time and money into exploiting flaws in a product. To say it is the only factor in operating system security is false, but saying it doesn't matter at all is just as wrong.
Market share does matter when it comes to investing time and money into exploiting flaws in a product. To say it is the only factor in operating system security is false, but saying it doesn't matter at all is just as wrong.
No one is saying that it's not a factor. On the other hand, there are countless people who make the reverse mistake and state that Macs don't have exploits solely due to market share.
This is easily debunked by:
1. IIS exploits. 2. Linux exploits (Linux market share is to Macs as Mac market share is to Windows) 3. Mac apps. People still write apps for the Mac, why not viruses? 4. There are plenty of viruses for the classic Mac OS. 5. There are tens of millions of Mac users. Even though Windows has hundreds of millions, tens of millions is still a large and lucrative group to attack.
The key isn't that Mac OS X is flawless or too low of a market share, it's that Windows is so easy to exploit. Design decisions made decades ago are still impacting Windows today. If you look at the typical Mac OS X bug and the typical Windows bug, you'll see that the Mac bugs tend to be very Unix-like in nature, that they are some part of the system can be tricked into crashing by being passed data in a specific way. Many a Windows bug is not due to getting something to crash, but by using some feature in a way that tricks it to allow unwanted things to happen.
#1 IIS is a web server. That is a juicy target. It's much jucier than a lot more home OSX machines.
#2 Linux is used very often as a server. Once again, a much much jucier target than some OSX desktop.
#3 They do, just much less of them, as with apps. Less written, less looking, less discovered.
#5 Modern *nixes have pretty much all implemented this feature which OSX has neglected to implement. What else haven't they done right as the other *nixes have?
2. Linux exploits (Linux market share is to Macs as Mac market share is to Windows)
What are some examples of widely-exploited Linux bugs? (Of course there are isolated exploits, but the same is true for Mac. And of course there are very severe security vulnerabilities all the time, but that doesn't mean they're exploited in practice. And of course Linux machines are compromised on a regular basis, but that might be due to weak passwords and such.)
3. Mac apps. People still write apps for the Mac, why not viruses?
Apps have to compete with each other. If a particular niche is filled on Windows but not Mac, then a new Windows-only app will have to compete with the existing apps. A new Mac app won't, so it will get a much larger slice of a smaller pie. On the other hand, twenty different viruses can recruit your computer into twenty different botnets with no problem, as any Windows user should be able to attest. (How often does a virus scan on an infested computer turn up only one virus?)
Besides, the number of apps for Mac is tiny compared to Windows.
4. There are plenty of viruses for the classic Mac OS.
Such as? I'm not doubting you, but I've never heard that claimed before.
5. There are tens of millions of Mac users. Even though Windows has hundreds of millions, tens of millions is still a large and lucrative group to attack.
It's a matter of cost and benefit. If it's three times the effort to write Windows exploits and you get twenty times the victims, there's just no reason to write viruses for Macs. Hackers are usually motivated by money, pure and simple.
Anyway, I don't have any credentials in hacking. So I'll rely on Charlie Miller, who's a professional hacker (security expert). He demonstrated that he knows something about Mac exploits by cracking a Mac in two minutes flat a while back and winning pwn2own. In an interview, he said [tomshardware.com] (emphasis added):
Between Mac and PC, I'd say that Macs are less secure for the reasons we've discussed here (lack of anti-exploitation technologies) but are more safe because there simply isn't much malware out there. For now, I'd still recommend Macs for typical users as the odds of something targeting them are so low that they might go years without seeing any malware, even though if an attacker cared to target them it would be easier for them.
He's far from a Microsoft shill; he works for a security consulting firm and uses a Mac himself.
Uh, you mean like firewalls? Sandboxing? Library Randomization? Protected memory and Execute Disable? Encrypted virtual memory? System heap library checksums? The ability to actually run user accounts as non-admins? FileVault? Disabling root by default? Download screening? Antiphishing technology? Browser page isolation? Minimal outward facing ports and services? Parental Controls?
Those anti-exploitation technologies?
If you read the interview, you would see that he specifically refers to ASLR and the NX bit, at least. OS X apparently only has a very limited version of those, at least compared to Vista (and some Linux builds). Quote [tomshardware.com]:
For the record, Leopard has neither of these features, at least implemented effectively. In the exploit I won Pwn2Own with, I knew right where my shellcode was located and I knew it would execute on the heap for me.
But hey, if you want to believe lists of features rather than the opinion of a professional security expert who was demonstrably able to hack an OS X machine in two minutes and win a high-profile hacking contest, then go ahead.
"...he works for a security consulting firm and uses a Mac himself."
And not Windows and not Linux. Guess that says it all.
Yes, it does, because he said Mac was safer. Less secure — much easier to hack — but safer, because nobody bothers to hack it. Which is exactly my point. I was responding to the great-grandparent, who claimed Windows is easier to hack than Mac, and that obscurity isn't the major reason Macs are safer. The security expert I cited believes exactly the opposite to be the case, that Macs are easier to hack and obscurity is the major reason they're safer. No one disputes that they're safer.
The bug is really dangerous because it allows userspace to write anywhere to kernelspace. Yes, it's a local-only exploit, so the attack surface isn't that large. Or is it? How many pieces of software do you have running on your system right now that may contain vulnerabilities? It would be trivial for a skilled hacker to find an exploit in some arb application, with the payload being an exploit of this particular issue. So your local-only exploit has a remote entry-point from any other piece of software thats running on your system.
Local-only exploits are only less dangerous than remote exploits if your system has no contact with other systems. When you expose your system to others, all of your local exploits become remote exploits the moment any piece of software that you run has a remote exploit. Recently there have been a number of reports of vulnerabilities in common applications like Firefox, and Adobe doesn't have a particularly great security track record either. Ideally, a vulnerability in one of these applications would only be able to run code as the user, or attack the user's home directory. Except since you can now modify any address in kernel space, you can craft code that tells the kernel your userid actually has root permissions, in which case you now have complete control over the whole system.
Every kernel-level exploit is *really dangerous*. Marketing people will try to play it down by saying that since its local-only, it's not that bad, so that they can carry on making dumb 'im a pc, im a mac' adverts and patting themselves on the back. But all they're doing is lulling their userbase into a false sense of security.
I'm sorry, but what has MacOSX to do with mature code? Code is mature when it has lasted for _decades_ and no significant bug has been found. MacOSX is just your average kernel. OK, there are _much_ worse around, but that doesn't make OSX any better.
What _really_ is a shame that it took them 4 years to fix it.
Well, it has lasted for decades, although bugs have been found (which is rather the point, and how something achieves maturity; code doesn't become mature by sitting untested). Mac OS X is a linear descendent of NeXTSTEP. Development is now 25 years old, and some bits of the kernel date back to earlier BSD and CMU Mach projects. Last bits of the kernel I read had comments date-stamped 1997 and these were commenting on modifications to older code.
Yes precisely, there is very little mature code. That's why you still have buffer overruns and other security critical bugs.
New features don't have to mean that old code will be changed or made more insecure. There are many attempts at making computer systems modular so adding one piece of code will add a lot of new features to unchanged programmes. The oldest concept incorporating it is the UNIX concept where you have lots of small single-purpose programs which you can connect via pipes to serve any more c
Despite its relative obviousness, it took me a bit of reading there to figure out what the cause of the bug was, since I was rusty on my Unix system calls, so here's a short summary.
ioctl(2) is essentially a way of specifying system calls for drivers without actually making a system call API, so drivers can register their own calls in a more decentralized way. A call to ioctl(fd, cmd, args,...) on a special/device file 'fd' gets routed to the driver that owns 'fd', which handles the command. The arguments might be values, or might be pointers to locations in which to return data.
fcntl(2) provides a way to perform operations on open (normal) files, like locking/unlocking them. It has the same parameters as ioctl(), except that there's always a single integer argument.
One way of implementing fcntl is essentially like ioctl -- find who owns the fd, and pass the cmd along to the relevant driver. But, Apple's code did this even for the operations on special devices normally manipulated via ioctl, so you could basically do an ioctl via fcntl. But, this bypasses some of the arg-checking that ioctl does, since fcntl always has one integer argument. So an easy exploit arises: call an ioctl that normally takes one pointer argument to assign something to. ioctl would normally check that the pointer is valid (something the caller is allowed to write to) before writing to it in kernel mode. But you can pass in any memory location at all as an integer via fcntl's argument. Voila, you get data written to arbitrary locations in memory. As an added bonus, some calls let you manipulate what data gets written--- the example exploit uses a "get terminal size" ioctl, so you can vary what gets written by changing your terminal size.
This article presents some twitter-size programs that trigger the bug.
Ok, I get libraries of congress and olympic-sized swimming pools, but twitter is a new one. Is it used for measuring how long a program is or how pointless it is?
by Anonymous Coward
on Sunday August 30, @02:29AM (#29249843)
The comparison was simply to (successfully) annoy those of us who are/still/ ignoring everything we can about twitter. I briefly considered checking wikipedia to see how small that was, but there were some kids on my lawn.
"The mechanics are so simple that can be easily explained to anybody possessing some minimal knowledge about how operating systems works."
"...so simple that it can be easily..."
The choice of "some minimal" is a bit questionable too. "some" or "minimal" alone would have been sufficient to convey the meaning. Together, it sounds almost redundant.
"Beside being a good educational example this is also a scary proof that very mature code can still be vulnerable in rather unsophisticated ways."
"Beside" means "next to". "Besides" means "other than".
Not that it really matters. The mainstream news sites can't seem to compose articulate sentences either. Grammar has really gone to crap and it really bugs me that English based news providers can't be bothered to produce fluent English stories.
OMG! A Google search for two words shows up some hits! Most of which appear to say that there are one or two bits of malware for the Mac.
If you watch Apple's ads carefully, they don't claim there is no malware for the Mac. They only imply that it doesn't affect your user experience the same way it does on Windows. I think one of the actual statements goes something like "there aren't hundreds of thousands of viruses." Which is absolutely true.
You may find the commercials annoying (don't you find all commercials annoying?), and they are arguably misleading on other points, but that's not one of them.
No, XNU plus userland is Darwin. Darwin does not contain a number of proprietary drivers including, unfortunately, the entire sound stack.
For GNU types, XNU is equivalent to Linux, Darwin is equivalent to GNU/Linux, OS X is equivalent to Ubuntu (in terms of bundling nomenclature, I make no claims about feature equivalence). Darwin includes the libc, the loader, the init system (Launhcd), the toolchain and so on. XNU is just the kernel, which incorporates a Mach microkernel used as a hardware-abstraction layer and handles the VM subsystem and thread creation, a BSD subsystem which handles providing a POSIX interface to the Mach stuff and all of the other OS services, and IOKit drivers, which provide access to devices.
Age is irrelevant, resistance is futile. (Score:5, Insightful)
"Beside being a good educational example this is also a scary proof that very mature code can still be vulnerable in rather unsophisticated ways."
Since when did the age of code become a metric for evaluating its trustworthiness? Code should only be trusted after undergoing in-depth analysis by people with training and experience in information security. Code should also be written with security in mind from the beginning. The story of this kernel bug is simple and goes like this: "I was in a hurry."
Re:Age is irrelevant, resistance is futile. (Score:4, Informative)
A million monkeys with typewriters....
Parent
Re:Age is irrelevant, resistance is futile. (Score:5, Insightful)
Well, assuming that the code is actively (and properly) maintained, then that isn't a bad metric. Essentially, it's because any security flaw is the result of a bug. It's just a bug that can be exploited. So, if the code is maintained properly, then bug fixes will be continuous and as such, reduce the number of exploitable bugs.
Good metric, yes. Absolute metric, no.
"""... which is basically one of the tenets of OSS."""
And where did you hear that? Because, I never have and I've been around for a while.
Parent
Re:Age is irrelevant, resistance is futile. (Score:4, Insightful)
Essentially, it's because any security flaw is the result of a bug. It's just a bug that can be exploited. So, if the code is maintained properly, then bug fixes will be continuous and as such, reduce the number of exploitable bugs.
It depends on your scope of consideration. Design flaws are not 'bugs' in the traditional sense of the word (i.e., implementation-related). However, if you expand your scope to include design specs then your statement is true. There do exist though exploits of perfectly-implemented but imperfectly-designed code.
Parent
Re:Age is irrelevant, resistance is futile. (Score:5, Funny)
Well... I think that depends a lot on the reason why it's old code. I've met my share of code with the warning "There be dragons!".
Parent
Re:Age is irrelevant, resistance is futile. (Score:5, Interesting)
I've met my share of code with the warning "There be dragons!".
The word "fuck" in the comments is a much better metric. If it's more than one for the same function, it's time to pay attention.
Parent
Re:Age is irrelevant, resistance is futile. (Score:4, Insightful)
While I'm not particularly sold on this notion myself, it does bear a lot of semblance to the idea that code can be proven "secure" if it stands after a multitude of random attacks, which is basically one of the tenets of OSS.
I'm pretty sure that's not a tenet of OSS. If someone is pushing that as a tenet, then they really need to pay closer attention to history. A history of resilience is a nice metric - but it's not "proof" that code is bug-free rather just that nobody has found a given bug or made it public. People who get caught up in vulnerability counts forget that the real metric is response to a given vulnerability.
One tenet you hear bandied about is "given enough eyeballs, all bugs are shallow." Criticism tends to revolve around whether enough eyeballs have been put to any particular piece of code. Although one could argue that it's not just the number of eyeballs - but whether said eyeballs have the training to look for particular kinds of bugs that might not show up in normal use of the given code. None of that has anything to do with the frequency of attack.
Parent
But it's not Windows! (Score:3, Funny)
Re:But it's not Windows! (Score:5, Insightful)
You know, at this point there are probably about a thousand times as many people whining about this supposed attitude on the part of Mac users than there are Mac users actually displaying it.
Parent
Re:But it's not Windows! (Score:5, Insightful)
They're an easy target because they stress this in their advertising thus bringing it on themselves. Why have pity for them? Their ads are smarmy so getting a little in return is all in good fun. It's ridiculous to think that any computer is perfect, that's why we point and laugh.
Parent
Re:But it's not Windows! (Score:5, Funny)
You know, at this point there are probably about a thousand times as many people whining about this supposed attitude on the part of Mac users than there are Mac users actually displaying it.
But that's perfectly in order, isn't it? There have been many more people complaining that Hitler was a bad guy than there has been Hitlers.
(*knock, knock*
- Who's there?
- Godwin.)
Parent
Re:But it's not Windows! (Score:5, Funny)
Parent
Re:But it's not Windows! (Score:5, Funny)
Parent
Re:But it's not Windows! (Score:5, Informative)
Same could be said for Linux! Right? Right? Being open source makes it invulnerable?
No, it being open source means that the vulnerabilities can be fixed quicker than 2+ years.
Linux has had more known vulnerabilities than Windows, but that is because people can see the source and find the vulnerabilities. It has also had more fixed vulnerabilities and currently has less valid vulnerabilities than Windows.
Parent
Re:But it's not Windows! (Score:5, Informative)
Parent
Less vulnerabilities? Yeah, right! (Score:4, Informative)
Macs have a history of having far less vulnerabilities than Windows.
From IBM research: IBM Internet Security Systems X-Force® 2008 Trend & Risk Report [ibm.com]
Look under "most vulnerable operating system". Yes, right at the top, for several years going sits OS X. It actually consistently experiences 3 times the number of vulnerabilities compared to Vista.
You can also do some secunia digging yourself. It shows the same tendency even in the raw data.
OS X may be less exploited but it has far more vulnerabilities. On top of that OS X lacks many of the anti-exploit mechanisms found in both common Linux distros and in Windows Vista.
Vulnerabilities does not have much to do with exploits. A single vulnerability may leads to several independant exploits. Many vulnerabilities will pass unexploited. The difference is incentive. And if pwn2own has showed us anything it certainly confirms this. Macs have consistently been the first to fall, literally within seconds.
Parent
Re:Less vulnerabilities? Yeah, right! (Score:5, Informative)
On top of that OS X lacks many of the anti-exploit mechanisms found in both common Linux distros and in Windows Vista.
Not sure about that. OS X has a very advanced sandboxing system, and has since OS X 10.5. This is why the mDNSResponder bug last year was a remote root hole on Linux, Windows, and OS X 10.4 and a DoS on OS X 10.5 and above.
Parent
Re:Less vulnerabilities? Yeah, right! (Score:5, Insightful)
All studies analyzing security vulnerability reports or released patch sets as a measure of OS security simply prove that the researcher is a fucking idiot. It's IMPOSSIBLE to measure security in this way because you are comparing lawn tractors to jet skis. The reasons are basic: everyone that releases an OS has their own way of dealing with reports and patches. The raw data is MEANINGLESS.
It doesn't matter what anti-exploit technology is in the OS because it has been proven time and time again that no matter WHAT the warning, Users hit OK anyway. In fact, studies have shown that even when presented with a dialog that says something like "If you click OK, your computer will be infected by a virus," users STILL click OK 50% of the time. Windows is particularly bad in this regard because it is CONSTANTLY asking permission to do this, that, or the other thing. A typical work day for me I get 100-1000 requests for permission. It's no wonder users click OK all the time.
Due to "OS conditioned" user behavior, NONE of the anti-malware software out there is actually effective at preventing infection. Most can clean it up after the fact (with the drive pulled and scanned from another machine.)
Users also continue to use stupid passwords like "password", "1234", etc. no matter how much training given. Forcing complex passwords just ensures that there will be a postit on the monitor with the password, and a 100x increase in calls to the help desk to reset passwords.
The ONLY measure we REALLY have is subjective, and based on my experience, the reality is that windows users are probably 1000 times more likely to have malware on their systems.
I don't have any good solutions to this problem other than to suggest that we need security technology that actually analyzes a program's behavior, possibly simulating it by running in a mini-secure sandbox before talking to the user about it. Maybe apps could be be checked against a reputation database... Known good could be passed with no prompting thus reducing the amount of warning dialogs to the user. The current situation has proven dire however.
Parent
Re:Less vulnerabilities? Yeah, right! (Score:5, Interesting)
Parent
Re:Less vulnerabilities? Yeah, right! (Score:4, Insightful)
Parent
Re:But it's not Windows! (Score:4, Funny)
So was I! But my Mac crashed in the middle of my post so someone else beat me to it while I waited for Windows to boot!
So it took Windows over 10 hours to boot?
Parent
Doesn't cause panic on 10.3.9 (Score:5, Interesting)
Re:Doesn't cause panic on 10.3.9 (Score:4, Informative)
Parent
I read (Score:4, Insightful)
Alright, I read TFA. I read the earlier slashdot article. I even googled around a little bit. What I find is, an obscure little bug, if exploited locally, enables a user to crash his machine. What I don't find is an exploit that makes use of this bug.
Am I missing something?
I suppose that I could accomplish something similar on my current Ubuntu installation. If I thought it made a difference, I could install a few other flavors of Linux and try doing something like that. But, why?
MS astroturfer's posts above are noted. And, I also note that MS bugs are routinely exploited, locally and remotely. The unwarranted superiority complex looks pretty pathetic, doesn't it?
Re:I read (Score:5, Insightful)
Parent
Re: (Score:3, Informative)
Citation please? The line between local and remote seems to be pretty concrete and fine to me.
Re:I read (Score:5, Informative)
followed by an example of actually doing it and proving that it worked (not a particularly malicious example, but it seems enough proof of concept to me).
Parent
I don't think you understood (Score:5, Informative)
What are you, a Linux kernel dev? ;)
The bug lets you write arbitrary, user-controlled bytes into kernel space. The first thing that comes to mind is that you could change the current process' priv structure in memory. Now you're root. Or why not use it to hook syscalls, or do really whatever you want? You're in ring0, go nuts.
It's far more than just a DoS.
Parent
Re: (Score:3, Insightful)
Re:I read (Score:4, Insightful)
Yeah, I've read this "market share" argument used as a defense for shoddy MS code time and time again. That just doesn't cut it.
Mac has a presence in the business world. If it were as buggy as MS, crackers would be launching fishing expeditions for vulnerable Macs, so that they could gain access to company networks.
What I asked for were examples of exploits, or reasons why this bug were really dangerous. Posts before yours are attempting to put things into perspective. Please, no more lame defenses of from MS astroturfers - there are enough of those even before you arrive at my question.
Market share, indeed. Remind me that the next time I want a cheap padlock, I should purchase a no-name lock. Since it has no market share, burglars won't try to pick it or break it.
Parent
Re:I read (Score:5, Insightful)
Mac has a relatively tiny presence in the business world.
Fixed that for you.
What I asked for were examples of exploits, or reasons why this bug were really dangerous.
And a bunch of people already pointed out that this bug gives you write-access to the kernel's memory. That's bad, privilege escalation bad.
Market share, indeed. Remind me that the next time I want a cheap padlock, I should purchase a no-name lock. Since it has no market share, burglars won't try to pick it or break it.
That's funny, because I recall seeing all sorts of instructions on how you can open MasterLock(TM)(R) and (ALL THAT) combination locks. They were so detailed, they would even specify which serial numbers of which models were vulnerable to which cracking techniques. And yet, I never saw any instructions for opening the Wal-Mart special RandomBrand of padlock.
Market share does matter when it comes to investing time and money into exploiting flaws in a product. To say it is the only factor in operating system security is false, but saying it doesn't matter at all is just as wrong.
Parent
Re:I read (Score:5, Insightful)
Market share does matter when it comes to investing time and money into exploiting flaws in a product. To say it is the only factor in operating system security is false, but saying it doesn't matter at all is just as wrong.
No one is saying that it's not a factor. On the other hand, there are countless people who make the reverse mistake and state that Macs don't have exploits solely due to market share.
This is easily debunked by:
1. IIS exploits.
2. Linux exploits (Linux market share is to Macs as Mac market share is to Windows)
3. Mac apps. People still write apps for the Mac, why not viruses?
4. There are plenty of viruses for the classic Mac OS.
5. There are tens of millions of Mac users. Even though Windows has hundreds of millions, tens of millions is still a large and lucrative group to attack.
The key isn't that Mac OS X is flawless or too low of a market share, it's that Windows is so easy to exploit. Design decisions made decades ago are still impacting Windows today. If you look at the typical Mac OS X bug and the typical Windows bug, you'll see that the Mac bugs tend to be very Unix-like in nature, that they are some part of the system can be tricked into crashing by being passed data in a specific way. Many a Windows bug is not due to getting something to crash, but by using some feature in a way that tricks it to allow unwanted things to happen.
Parent
Re:I read (Score:4, Insightful)
Some problems with your arguments.
#1 IIS is a web server. That is a juicy target. It's much jucier than a lot more home OSX machines.
#2 Linux is used very often as a server. Once again, a much much jucier target than some OSX desktop.
#3 They do, just much less of them, as with apps. Less written, less looking, less discovered.
#5 Modern *nixes have pretty much all implemented this feature which OSX has neglected to implement. What else haven't they done right as the other *nixes have?
Parent
Re:I read (Score:4, Insightful)
2. Linux exploits (Linux market share is to Macs as Mac market share is to Windows)
What are some examples of widely-exploited Linux bugs? (Of course there are isolated exploits, but the same is true for Mac. And of course there are very severe security vulnerabilities all the time, but that doesn't mean they're exploited in practice. And of course Linux machines are compromised on a regular basis, but that might be due to weak passwords and such.)
3. Mac apps. People still write apps for the Mac, why not viruses?
Apps have to compete with each other. If a particular niche is filled on Windows but not Mac, then a new Windows-only app will have to compete with the existing apps. A new Mac app won't, so it will get a much larger slice of a smaller pie. On the other hand, twenty different viruses can recruit your computer into twenty different botnets with no problem, as any Windows user should be able to attest. (How often does a virus scan on an infested computer turn up only one virus?)
Besides, the number of apps for Mac is tiny compared to Windows.
4. There are plenty of viruses for the classic Mac OS.
Such as? I'm not doubting you, but I've never heard that claimed before.
5. There are tens of millions of Mac users. Even though Windows has hundreds of millions, tens of millions is still a large and lucrative group to attack.
It's a matter of cost and benefit. If it's three times the effort to write Windows exploits and you get twenty times the victims, there's just no reason to write viruses for Macs. Hackers are usually motivated by money, pure and simple.
Anyway, I don't have any credentials in hacking. So I'll rely on Charlie Miller, who's a professional hacker (security expert). He demonstrated that he knows something about Mac exploits by cracking a Mac in two minutes flat a while back and winning pwn2own. In an interview, he said [tomshardware.com] (emphasis added):
He's far from a Microsoft shill; he works for a security consulting firm and uses a Mac himself.
Parent
Re:I read (Score:4, Insightful)
"... lack of anti-exploitation technologies..."
Uh, you mean like firewalls? Sandboxing? Library Randomization? Protected memory and Execute Disable? Encrypted virtual memory? System heap library checksums? The ability to actually run user accounts as non-admins? FileVault? Disabling root by default? Download screening? Antiphishing technology? Browser page isolation? Minimal outward facing ports and services? Parental Controls?
Those anti-exploitation technologies?
If you read the interview, you would see that he specifically refers to ASLR and the NX bit, at least. OS X apparently only has a very limited version of those, at least compared to Vista (and some Linux builds). Quote [tomshardware.com]:
But hey, if you want to believe lists of features rather than the opinion of a professional security expert who was demonstrably able to hack an OS X machine in two minutes and win a high-profile hacking contest, then go ahead.
"...he works for a security consulting firm and uses a Mac himself."
And not Windows and not Linux. Guess that says it all.
Yes, it does, because he said Mac was safer. Less secure — much easier to hack — but safer, because nobody bothers to hack it. Which is exactly my point. I was responding to the great-grandparent, who claimed Windows is easier to hack than Mac, and that obscurity isn't the major reason Macs are safer. The security expert I cited believes exactly the opposite to be the case, that Macs are easier to hack and obscurity is the major reason they're safer. No one disputes that they're safer.
Parent
Re:I read (Score:5, Insightful)
The bug is really dangerous because it allows userspace to write anywhere to kernelspace. Yes, it's a local-only exploit, so the attack surface isn't that large. Or is it? How many pieces of software do you have running on your system right now that may contain vulnerabilities? It would be trivial for a skilled hacker to find an exploit in some arb application, with the payload being an exploit of this particular issue. So your local-only exploit has a remote entry-point from any other piece of software thats running on your system.
Local-only exploits are only less dangerous than remote exploits if your system has no contact with other systems. When you expose your system to others, all of your local exploits become remote exploits the moment any piece of software that you run has a remote exploit. Recently there have been a number of reports of vulnerabilities in common applications like Firefox, and Adobe doesn't have a particularly great security track record either. Ideally, a vulnerability in one of these applications would only be able to run code as the user, or attack the user's home directory. Except since you can now modify any address in kernel space, you can craft code that tells the kernel your userid actually has root permissions, in which case you now have complete control over the whole system.
Every kernel-level exploit is *really dangerous*. Marketing people will try to play it down by saying that since its local-only, it's not that bad, so that they can carry on making dumb 'im a pc, im a mac' adverts and patting themselves on the back. But all they're doing is lulling their userbase into a false sense of security.
Parent
Mature code? (Score:5, Insightful)
I'm sorry, but what has MacOSX to do with mature code? Code is mature when it has lasted for _decades_ and no significant bug has been found. MacOSX is just your average kernel. OK, there are _much_ worse around, but that doesn't make OSX any better.
What _really_ is a shame that it took them 4 years to fix it.
More precisely (Score:3)
...no significant bug has been found, but the code has regularly been reviewed.
Re:Mature code? (Score:5, Interesting)
Parent
Re: (Score:3, Insightful)
Yes precisely, there is very little mature code. That's why you still have buffer overruns and other security critical bugs.
New features don't have to mean that old code will be changed or made more insecure. There are many attempts at making computer systems modular so adding one piece of code will add a lot of new features to unchanged programmes. The oldest concept incorporating it is the UNIX concept where you have lots of small single-purpose programs which you can connect via pipes to serve any more c
summary (Score:5, Informative)
Despite its relative obviousness, it took me a bit of reading there to figure out what the cause of the bug was, since I was rusty on my Unix system calls, so here's a short summary.
ioctl(2) is essentially a way of specifying system calls for drivers without actually making a system call API, so drivers can register their own calls in a more decentralized way. A call to ioctl(fd, cmd, args, ...) on a special/device file 'fd' gets routed to the driver that owns 'fd', which handles the command. The arguments might be values, or might be pointers to locations in which to return data.
fcntl(2) provides a way to perform operations on open (normal) files, like locking/unlocking them. It has the same parameters as ioctl(), except that there's always a single integer argument.
One way of implementing fcntl is essentially like ioctl -- find who owns the fd, and pass the cmd along to the relevant driver. But, Apple's code did this even for the operations on special devices normally manipulated via ioctl, so you could basically do an ioctl via fcntl. But, this bypasses some of the arg-checking that ioctl does, since fcntl always has one integer argument. So an easy exploit arises: call an ioctl that normally takes one pointer argument to assign something to. ioctl would normally check that the pointer is valid (something the caller is allowed to write to) before writing to it in kernel mode. But you can pass in any memory location at all as an integer via fcntl's argument. Voila, you get data written to arbitrary locations in memory. As an added bonus, some calls let you manipulate what data gets written--- the example exploit uses a "get terminal size" ioctl, so you can vary what gets written by changing your terminal size.
Make summaries more informative (Score:5, Insightful)
So then do so in the summary!
Oh god (Score:5, Funny)
Ok, I get libraries of congress and olympic-sized swimming pools, but twitter is a new one. Is it used for measuring how long a program is or how pointless it is?
Re:Oh god (Score:5, Funny)
The comparison was simply to (successfully) annoy those of us who are /still/ ignoring everything we can about twitter. I briefly considered checking wikipedia to see how small that was, but there were some kids on my lawn.
Parent
Still get the kernel panic on Tiger (Score:5, Interesting)
Even after the recent security update on Tiger, I still get a kernel panic with the Python code supplied in TFA:
import termios, fcntl
fcntl.fcntl(0, termios.TIOCGWINSZ)
Yeah, I'm planning to upgrade to Snow Leopard soon, after having skipped Leopard. But has Tiger already been abandoned to this extent?
Love the editing (Score:5, Insightful)
"The mechanics are so simple that can be easily explained to anybody possessing some minimal knowledge about how operating systems works."
"...so simple that it can be easily..."
The choice of "some minimal" is a bit questionable too. "some" or "minimal" alone would have been sufficient to convey the meaning. Together, it sounds almost redundant.
"Beside being a good educational example this is also a scary proof that very mature code can still be vulnerable in rather unsophisticated ways."
"Beside" means "next to". "Besides" means "other than".
Not that it really matters. The mainstream news sites can't seem to compose articulate sentences either. Grammar has really gone to crap and it really bugs me that English based news providers can't be bothered to produce fluent English stories.
Re:I'm a Mac (Score:5, Funny)
So this means we can take those idiotic commercials off the air, right?
When there's as much malware for OS X as there is for Windows, sure.
Okay, I'll make it easy. When there is a tenth as much malware for OS X as there is for Windows, sure.
Hmmm, this isn't working. When there's a hundredth as much ... um, no, that doesn't work either.
A thousandth -- no, damn.
You get the idea. Or maybe you don't.
Parent
Re:I'm a Mac (Score:5, Insightful)
OMG! A Google search for two words shows up some hits! Most of which appear to say that there are one or two bits of malware for the Mac.
If you watch Apple's ads carefully, they don't claim there is no malware for the Mac. They only imply that it doesn't affect your user experience the same way it does on Windows. I think one of the actual statements goes something like "there aren't hundreds of thousands of viruses." Which is absolutely true.
You may find the commercials annoying (don't you find all commercials annoying?), and they are arguably misleading on other points, but that's not one of them.
Parent
Re:4 fscking years (Score:4, Funny)
Oh look, I think it's trying to communicate, perhaps we can find a translator. Does anyone speak yiddiotish?
Parent
Re:Hahhah... kernel bug... LOL (Score:5, Informative)
No, XNU plus userland is Darwin. Darwin does not contain a number of proprietary drivers including, unfortunately, the entire sound stack.
For GNU types, XNU is equivalent to Linux, Darwin is equivalent to GNU/Linux, OS X is equivalent to Ubuntu (in terms of bundling nomenclature, I make no claims about feature equivalence). Darwin includes the libc, the loader, the init system (Launhcd), the toolchain and so on. XNU is just the kernel, which incorporates a Mach microkernel used as a hardware-abstraction layer and handles the VM subsystem and thread creation, a BSD subsystem which handles providing a POSIX interface to the Mach stuff and all of the other OS services, and IOKit drivers, which provide access to devices.
Parent