The Story of a Simple and Dangerous OS X Kernel Bug
Posted by timothy
from the chink-in-the-armor dept.
RazvanM writes "At the beginning of this month, Mac OS X 10.5.8 closed a kernel vulnerability that lasted more than 4 years, covering all the 10.4 and (almost all) 10.5 Mac OS X releases. This article presents some twitter-size programs that trigger the bug. The mechanics are so simple that they can be easily explained to anybody possessing some minimal knowledge about how operating systems work. Besides being a good educational example, this is also a scary proof that very mature code can still be vulnerable in rather unsophisticated ways."
Doesn't cause panic on 10.3.9 (Score:5, Interesting)
Still get the kernel panic on Tiger (Score:5, Interesting)
Even after the recent security update on Tiger, I still get a kernel panic with the Python code supplied in TFA:
import termios, fcntl
fcntl.fcntl(0, termios.TIOCGWINSZ)
Yeah, I'm planning to upgrade to Snow Leopard soon, after having skipped Leopard. But has Tiger already been abandoned to this extent?
Re:Age is irrelevant, resistance is futile. (Score:5, Interesting)
I've met my share of code with the warning "There be dragons!".
The word "fuck" in the comments is a much better metric. If it's more than one for the same function, it's time to pay attention.
Re:Mature code? (Score:5, Interesting)
Re:Less vulnerabilities? Yeah, right! (Score:2, Interesting)
In the report (page 40, or rather, page 44. Was it really that hard to refer to a page?) it talks about the number of disclosed vulnerabilities. There are a few things wrong with that list:
1) IBM's own OS is at the bottom. As they built the report, one should start questioning that. I'm ignoring "Others.".
2) It's the number of DISCLOSED vulnerabilities. I wouldn't be surprised if most of those fully-closed OSes (really just 1 of them) fix a lot of stuff they don't disclose.
3) It's the NUMBER of vulnerabilities. Actual severity of these vulnerabilities is completely ignored. Proper vulnerability analysis also takes into account the chances of these vulnerabilities actually being exploited and their impact.
My privately built OS has tons of vulnerabilities but I don't disclose them. Can I be on the bottom of that list too please? My friend's OS has tons of glitches in it and he's disclosing them (like when a dinosaur logs in, and is positively authenticated, one can take over the entire system! ohnoes that's a vulnerability...... if dinosaurs still roamed the earth, that is). His OS should be on top, because clearly any dinosaur can exploit it, so it must be insecure.
Finder (Score:3, Interesting)
You can find a major privilege escalation hole in Finder quite easily:
http://ask.metafilter.com/131473/Does-this-create-a-local-root-exploit-for-Mac-OS-X-using-Finder
Finder isn't setgid but may access any gid!
Re:Less vulnerabilities? Yeah, right! (Score:5, Interesting)
Re:But it's not Windows! (Score:3, Interesting)
Last numbers I saw said there were 78 people actively working on the Linux kernel, and not all of these full-time.
Where did you get that? LWN's development statistics for 2.6.31 [lwn.net] (subscriber-only for the next few days) say that there were 1,146 distinct developers whose patches got accepted into this particular minor release (i.e., over the last three months or so). The stats for 2.6.30 [lwn.net] (publicly viewable) show 1,125. Granted, most of these are probably touching only a tiny portion of the code and might only get a few changesets accepted, but they could still fairly be described as "actively working on the Linux kernel" (even if far from full-time). Also, there are an untold number of people who "actively work on the Linux kernel" but don't submit their patches, or submit them but don't get them accepted.
So maybe there are 78 people working on the Linux kernel according to some very specific, narrow definition, but you should really provide the definition if you're going to throw around such small numbers.
For what it's worth, I doubt that either Apple or Microsoft devotes anywhere near the man-hours to their kernels as get devoted to the Linux kernel. But a lot of the extra man-hours that Linux gets contribute to extreme specialization, like dozens of supported CPU architectures [wikipedia.org] (Windows: 3, Mac: 1), dozens of supported filesystems (Windows, Mac: But I'm not a kernel hacker or anything close to one, so take this post with a grain of salt.