Congratulations, Apple
Posted by: bigbolshevik in I don't need to worry about it, Other computers/OS'es

I’m happy to report that earlier today, Apple released a new package of updates, containing one for the local root exploit I’ve been incredulously reporting for the last few months.
The security update looks acceptable; it disables scripting support for “system processes”. A little nitpicky thing here; I’d love to know if “system processes” are defined by Apple, or if they are defined by the presence of the setuid flag.
If the latter, then your system will remain safe. If the former, the exploit can be opened up again by any third party program that decides it needs to run as root without authentication. From the wording, I believe it is, fortunately, the better of the two options.
Another little nitpick: The discovery of the flaw is credited to one person, but it has been reported to Apple by many people.
Yet another little nitpick: Why did this take so long to fix? More importantly, why was it introduced in the first place by allowing cross-privilege scripts AND for one program to tell another to run a shell script? I still cannot understand why the “Run shell script” AppleScript command exists, without using the phrase “kludgy hack around the security system”.
It’s good that Apple has finally closed this hole, as it now might be a while before we see more trojans (and finally worms) for the Macintosh platform. Mac users are safe for a little while. But the fact that this, and many other embarrassing design problems, existed in the Mac OS doesn’t fill me with any confidence.
Also in the same security update is a fix for “PPP passwords being stored unencrypted in a world-readable file”. On the surface, you’d think “That’s not so bad - a system that still requires PPP is probably a home system or in a small business with only a handful of users”. I’d agree to an extent, but there are two more important factors:
1. People tend to use one password for everything. I do, even though I know I shouldn’t. An attacker who gains this password could have the keys to the whole computer. Let the keylogging commence!
2. Any programmer should treat passwords, no matter what they’re used for, with respect for privacy. It should just be automatic.
Ubuntu copped a lot of flak years ago about unwittingly storing the first user’s first password in a cleartext world-readable file. They were right to cop flak over that. But this OS X security update has come and gone with remarkably little fanfare. Yeah, it’s great that they’re fixing flaws, but maybe if there was a bit more of a fuss about these schoolboy errors, Apple could educate their programmers a bit better or improve QA?