Businessweek Archives

More Security Worries for the Mac?



March 06, 2006

Arik Hesseldahl

How secure is your Mac? Perhaps less so than most would like to believe. Last month a Swedish Mac enthusiast site set up a Mac Mini as a Web server and invited the whole hep world of hackerdom to try and take it down by gaining remote root access in order to prove the Mac’s superiority on the security front. As reported here by ZDNet’s Australian outpost, the competition was over after 30 minutes. A hacker who asked only to be identified as “gwerdna” said he used “unpublished exploits” to gain root access to the machine. (For those who don't know -- root is the highest level of access you can get on a Mac or any Unix-based computer. Once you've achieved root access, there is nothing you can't do -- good or bad -- on that computer.)

At least a few security experts I’ve heard from today are speculating that this might have been an old vulnerability that has more to do with FreeBSD – the Unix variant that forms the software underpinning of Mac OS X – than with Mac OS X itself.

This news is coming on the heels of a kerfuffle a few weeks ago – one which I thought was completely overblown -- involving some Trojans and worms that targeted the Mac. Those were no big deal. Word of flaws in the Mac’s armor that could give an attacker root access? That’s something else entirely.

11:31 AM

Security


While it appears that root access might have been cracked, all that really exists is a report with NO VERIFICATION.

Of course in the world of the paranoid and those looking for the playing field to level, this is monumental.

Does this mean that this is to be ignored? Of course not. But until a method is shown, how can Apple fix the purported hole that allows this to happen? What is the wisdom in hiding the method? The only plausible one is to think it may not exist.

In other words, Where's the PROOF baby!

Posted by: DC at March 6, 2006 01:24 PM

In response to the woefully misleading ZDnet article, Mac OS X hacked under 30 minutes, the academic Mac OS X Security Challenge has been launched:

http://test.doit.wisc.edu/

The ZDnet article, and almost all of the coverage of it, failed to mention a very critical point: anyone who wished it was given a local account on the machine (which could be accessed via ssh). Yes, there are local privilege escalation vulnerabilities; likely some that are "unpublished". But this machine was not hacked from the outside just by being on the Internet. It was hacked from within, by someone who was allowed to have a local account on the box. That is a huge distinction.

Almost all consumer Mac OS X machines will:

1.) Not give any external entities local account access,

2.) Not even have any ports open,

3.) In addition to the above, most consumer machines will also be behind personal router/firewall devices, further reducing exposure.

The challenge is as follows: simply alter the web page on this machine, test.doit.wisc.edu. The machine is a Mac Mini (PowerPC) running Mac OS X 10.4.5 with Security Update 2006-001, has two local accounts, and has ssh and http open - a lot more than most Mac OS X machines will ever have open. Email das@doit.wisc.edu if you feel you have met the requirements, along with the mechanism used. The mechanism will then be reported to Apple and/or the entities responsible for the component(s).

Mac OS X is not invulnerable. It, like any other operating system, has security deficiencies in various aspects of the software. Some are technical in nature, and others lend themselves to social engineering trickery. However, the general architecture and design philosophy of Mac OS X, in addition to usage of open source components for most network-accessible services that receive intense peer scrutiny from the community, make Mac OS X a very secure operating system. There have been serious vulnerabilities in Mac OS X that could be taken advantage of; however, most Mac OS X "vulnerabilities" to date have relied on typical trojan social engineering tactics, not genuine vulnerabilities. The recent Safari vulnerability was promptly addressed by Apple, as are any exploits reported to Apple. Apple does a fairly good job with regard to security, and has greatly improved its reporting processes after pressure from institutional Mac OS X users: Apple is responsive to security concerns with Mac OS X, which is one of the most important pieces of the security picture.

The "Mac OS X hacked under 30 minutes" story doesn't mention that local access was granted to the system. While local privilege escalation exploits can certainly be dangerous - and used in conjunction with things like the above Safari exploit - this isn't very informative with regard to the general security of a Mac OS X machine sitting on the Internet.

Contact information/media inquiries:

Dave Schroeder

University of Wisconsin

das@doit.wisc.edu

+1 608 265-4737

Posted by: Dave Schroeder at March 6, 2006 01:44 PM

It should be noted (as it was on Slashdot) that the competition gwerdna participated in gave all the participators local ssh access to the machine in question, which changes the impact of this event quite a bit.

Posted by: Preston at March 6, 2006 01:49 PM

It looks like the Mac was set up so that any guest could set up an account via SSH. Essentially, you are then a local user. This is not unlike leaving the keys in the car ignition, leaving the car unlocked, and leaving it in a dark alleyway. Stupid. It takes some effort to get to this stage from a Mac configured out of the box.

It also appears that the hack was conducted within the same network, and not from public internet space. Just goes to show what interest there is in Mac OS X though.

Posted by: Ian Halstead at March 6, 2006 02:12 PM

Spate of recent Mac security stories signal that Microsoft, others getting nervous: http://macdailynews.com/index.php/weblog/comments_opinion/8795/

Posted by: Judge Bork at March 6, 2006 02:30 PM

Don't panic (yet). The "cracked" Mac was hardly a normal configuration. The owner had installed "fink", which enables standard Unix software (including the source of the vulnerability?) to be ported and installed on OS X, AND had the machine set up to enable remote users to set up accounts on it! I'm not saying that OS X is invulnerable, but this "challenge" was, as somebody put it, more like leaving a car parked on the street with the keys in the ignition.

Posted by: RetiredMidn at March 6, 2006 02:30 PM

It sounds to me like the Microsoft F.U.D. machine is operating in high gear in preparation for the introduction of a gutted Mac OS X wannabe, Windows Vista.

The only Vista I see is the one between Mac OS X and Windows Anything (WA). Keep trying Microsoft.

Posted by: Choops at March 6, 2006 04:54 PM

I'm still concerned yet. Mac OS X still seems so much more secure than XP, even if it's due in part to a smaller market share and a smaller target. In the 12 months I've had my iBook, not a single infection, malware, or even 1 crash!

Chris http://amateureconblog.blogspot.com/

Posted by: Chris Meisenzahl at March 7, 2006 06:29 AM

