Another root hole in OS X. We know it, you know it, the bad people know it – and no patch exists

If you're using OS X Yosemite, watch out for malware exploiting a new way to take complete control of your Mac. A vulnerability has been found in Apple's operating system that allows ordinary software on the computer to gain all-powerful root privileges, allowing dodgy apps to install new programs, create users, delete users, …

  1. JLV

    So... Apple, here's your chance to look a little better than you have recently and actually patch appropriately and with alacrity on all OSX releases that are purportedly in at least security support mode (Mountain Lion according to Wikipedia).

    I.e., upgrading to El Capitan is not an appropriate security patching approach.

    1. Anonymous Coward

      I think he's made a fine start and given the fact this is all in plain sight....

      Ahem. I've said it before but page 0 (Moto 68k vector table, relocatable on later 680x0's) on the Amiga with Commodore supplied, free, Enforcer software running tagged this crap. This ain't new technology Apple!

      Guess he can drink, Italy and all - - - >

    2. Charlie Clark Silver badge

      upgrading to El Capitan is not an appropriate security patching approach

      Especially as it's still in beta, i.e. explicitly not designed for general use and with appropriate disclaimers.

      If someone can come up with a remote code exploit then I think there are good grounds for legal action as this sort of bug should have been caught by static code analysis. Has Apple got something like Coverity in use? I suspect it won't come to much: people still seem to be more than happy to hand their money over to Apple for the latest shiny, shiny.

  2. werdsmith Silver badge

    Todesco said he reported the bug to Apple's engineers, and went public on Sunday by uploading the exploit code to GitHub because he felt he "had to."

    "had to...., make a name for himself. "

    And why not. Good work by the lad, I think he'll go far.

    OSX, on the face of it, is becoming a bit of a colander of an OS; after years of trading on its robustness it's also approaching laughing stock status.

    1. Anonymous Coward

      Steve Jobs was good at marketing, enough said.

      1. Alan Brown Silver badge

        Perhaps Jobs was, but until ~2008 the best thing about advising users to use a Mac was that everything "Just Worked" with no fardling around required.

        Between the increasing number of severe bugs, high price, short hardware life (especially desktop systems) and the issue of successive versions of OS/X being steadily more broken as far as interoperability is concerned, that advice is no longer a good idea.

    2. Shades

      A classic case of trading on security through obscurity. Thanks to the dullards* that are forever posting pictures of Michael Kors watches, D&G accessories, bottles of "champagne" (that a French tramp would turn his nose up at) on a night out, and their latest car - you get the idea - the shiny is a little less obscure and the chickens are coming home to roost for Apple.

      *Otherwise known as Weekend Credit-Card Kings/Queens

      1. Dan 55 Silver badge

        The BSD part of OS X is quite robust; there are probably very few exploits if you stick to POSIX. The open source software they use in userland often takes a while to be updated, or they may stop updating it altogether if they don't like the licence (e.g. SMB when it changed to GPL3). Their own homespun libraries seem to be pretty poor.

    3. Anonymous Coward

      uploading the exploit code to GitHub because he felt he "had to."

      "Apple may not have noticed the post" is a poor excuse. He should have given Apple a sensible amount of time to fix it.

      The number of people who will know to install SUIDGuard or whatever will be minuscule compared to the number now at risk from this public flaw, i.e. 100% of black hats now know about the flaw, 0.00001% of potential victims. Still, we should be genuinely grateful he didn't sell it to Hacking Team.

      1. slv138

        Re: uploading the exploit code to GitHub because he felt he "had to."

        "0.00001% of potential victims"

        Surely more than one of their customers must know?!

      2. Alan Brown Silver badge

        Re: uploading the exploit code to GitHub because he felt he "had to."

        "He should have given Apple a sensible amount of time to fix it."

        This kind of bug is trivial enough to find that the blackhats most likely already have it and severe enough that the world needs to know about it.

        There's a long history of vulnerabilities being passed to the authoring companies, which then ignore it for years. Apple is in that camp, as was Microsoft for a very long time.

        In such cases there is no point in giving them a notification period as they won't bother doing anything with it. There is _zero_ legal requirement anywhere in the world for researchers to provide a grace period - and when companies like Volkswagen take researchers to court to keep vulnerabilities under wraps instead of actually issuing fixes, there are strong arguments not to bother.

    4. JLV

      I agree. Good of him to find the bug, but he should have been responsible, notified Apple discreetly and given them some time to respond. Then the thing might have been patched before it became widespread knowledge to crackers.

      If Apple hadn't responded then they would have faced the additional charge of being slackers at acknowledging security disclosures. So even more of a feather in his hat, in a way.

      As it is, he may burn his rep with his approach. Whether you like Apple or not, this wouldn't be something cool to have done to your own OS of choice.

      And I agree with you and some other posters. It is frustrating that Apple fairly consistently manages to poke holes into a BSD, a system that is almost a byword for security robustness.

      In a way, I almost wish that they did get a massive actual breach, not just vulnerability, that would motivate them to actually take security a lot more seriously. And, also, shut the trap of my fellow fanbois customers who think that nothing can ever go wrong with a Mac. Way too complacent, both.

      MS's security, if not its reputation, actually benefited from the aftermath of some of the massive worms of the late 90s / early 00s, like Melissa and Blaster.

      1. admiraljkb

        @JLV - actually, given that this appears to be an open barn door security bug, I think he may have been right to disclose it immediately. He probably is NOT the first person to find it, and the other folks (a la governments, black hats, and criminal orgs) that have found it have either started using it and managed to stay under the radar, or were keeping their powder dry waiting for a good opportunity.

        Something to keep in mind - how long did the exploits that allowed for Flame and Stux remain unpatched while they were surreptitiously used by different global spy agencies? Security researchers either didn't find them, or if they did, they were forced to keep quiet on it. From here on out for the white hats, immediate disclosure may actually be the best way to go, since you have to assume you aren't the first to discover it when there are some much better funded grey/black hats looking for this type of paydirt exploit. It also prevents gag orders and any NDA complications if you just disclose it immediately.

    5. anonymous boring coward Silver badge

      El Capitan is positively flying on my very old Mac Mini. Never felt more responsive. Seems very solid as well. Core 2 Duo.

    6. Sebby

      I don't think it was proper for him to disclose if he had intended to do the "Responsible" disclosure dance.

      But that's OK, because I believe in full disclosure anyway. Really, it's about time, else this industry isn't going to improve. And dealing with Apple security is a PITA, so yeah, he probably did himself and the world a favour, by exposing the increasing mediocrity and simultaneously saving himself a lot of headache.

      Notable is that many of these security holes are seemingly appearing in Apple's later (perhaps less well-tested) code, and are being fixed in subsequent (but beta) builds. The shiny-shiny is where all the work is going now. :(

  3. ratfox

    My first reaction was also "How can it be possible to do something useful out of a NULL pointer?"

    Not that I'm knowledgeable about OS programming, but it seems unlikely that dereferencing a NULL pointer would have any legitimate use…

    1. Dan 55 Silver badge

      In C/C++, NULL is an address like any other, it's 0. What usually happens is that you can't dereference a NULL pointer (read the value at address 0) because that address is not mapped to any RAM so the CPU throws a segmentation fault and the OS stops the program. What most people forget is that this is NOT C/C++ stopping you shooting yourself in the foot, NULL is just a #define for 0.

      So as C/C++ doesn't stop you and if that address (or rather, the first 65536 addresses which is the first memory page) IS mapped to an area of RAM then you CAN dereference the NULL pointer. So if a badly-written OS or Kernel routine just merrily dereferences pointers without checking if they're NULL beforehand and you control the value at address 0 or you don't but it's random, then that can be used as part of an exploit.

      So what I guess happened is that the NULL pointer got passed to a kernel routine, when running in kernel mode the first page was mapped to an area of RAM, and the routine itself doesn't check for NULL pointers.

      Looking at the guy's blog by the way, it seems IOKit is a bit of cowboy job.

      1. Brewster's Angle Grinder Silver badge

        x86 code pages are typically 4KiB -- so it's only the first 4096 bytes that need to be mapped.

        And C++11 onwards has a genuine nullptr (of type std::nullptr_t) although it still ends up referencing address zero in any real situation.

      2. Someone Else Silver badge

        @Dan 55

        Dan, you are, of course, correct. The main thing is how in the fscking world would any part of the 0 page be mapped? Any reasonable OS that manages memory mapping (including OSes found on low-level embedded devices, like VxWorks, eCos, etc.) maps the address space around address 0 to cause a seg fault (or whatever Windows calls it; Lord knows it couldn't call it the same thing the rest of the world calls it...). I guess that may exclude OSX from the set of "reasonable OSes"?

        1. Dan 55 Silver badge

          Re: @Dan 55

          I've had tonnes of segmentation faults on OS X so I guess the first page is mapped only when it's executing a kernel function, which is a bit of a failure in itself.

          I'm not sure why I thought a page on x86 was 64K... Probably a memory access error.

      3. AndrueC Silver badge

        In C/C++, NULL is an address like any other, it's 0. What usually happens is that you can't dereference a NULL pointer (read the value at address 0) because that address is not mapped to any RAM so the CPU throws a segmentation fault and the OS stops the program.

        If only it was that simple :)

        The reasons and mechanism for getting an exception vary by machine, by OS and whether or not you're talking about virtual address space, kernel address space or physical RAM address. I think you can read from address zero from user mode code on Windows, but not write to it. NB: I could be wrong there. I'm a C# developer these days so can't easily do a test.

        Also NULL is not always 0. The standard for modern C++ says it should be but in older systems it can be something else.

        http://stackoverflow.com/questions/2960496/why-is-null-0-an-illegal-memory-location-for-an-object

        The whole thing is rather murky and nutty. Thankfully with languages like C# and Java it's a lot less important than it used to be.

  4. Charlie Clark Silver badge

    Where not to publish exploits

    From GitHub's T&Cs

    You shall defend GitHub against any claim, demand, suit or proceeding made or brought against GitHub by a third-party alleging that Your Content, or Your use of the Service in violation of this Agreement, infringes or misappropriates the intellectual property rights of a third-party or violates applicable law…

    While this is a glaring exploit that Apple should fix as quickly as possible, publishing the source on GitHub is not the wisest action as GitHub will work hand-in-hand with "third-parties". Not sure if the exploit is covered by DMCA but I'm sure Apple's lawyers are sure to be able to find something and then you get to pay not only their costs but GitHub's as well.

    1. Anonymous Coward

      At least the patch lives in a better place

      I'm not sure why articles keep referring to the SUIDguard GitHub location whereas the simple clicky install DMG (properly signed) just lives on the guy's website*.

      Simple install, and it warns you properly upfront that, unlike other updates, this one needs a reboot as it's a kernel extension.

      I have emailed the author for a checksum on the SUIDGuardNG-106.dmg file, though, it pays to be cautious. I'll post it here if I receive an answer, but I imagine the guy's swamped right now.

      *: as far as I can check

      1. Anonymous Coward

        Patch checksum page

        This may be a better place to download SUIDguard from (just had an email from the author):

        https://www.suidguard.com/stories/download.html

        It also has the checksums listed.

        Cheers.

  5. Matthew 17

    will sound like a fanboi but...

    the last time one of these showed up it was patched in about 3 weeks from notification. This chap has just gone public straight away, not cool.

    Anyway it would be difficult to engineer this exploit to run the script automatically, I doubt anyone will encounter it in the wild and there will be another patch along shortly.

    1. Anonymous Coward

      Re: will sound like a fanboi but...

      there will be another patch along shortly.

      Just install SUIDGuard and you're OK as it addresses the issue at kernel level. I'm disappointed that Apple didn't pick that one up in their patch. Let's see how long it takes for this to get addressed - I agree with you that it is uncool to post an exploit without giving Apple a chance to address this.

  6. Anonymous Coward

    Problem? really?

    Like many Apple owners, my retina iMac is there to look good on my glass unibond desk, my iPad is my first-class cabin accessory du jour, my MacBook is for those few times I find myself in an artisan house of the bean and need to be seen typing something, and my iPhone is for being patronising to the nanny when she can't keep Eli and Ivorie (both named after a successful hunting trip in SA) controlled and away from me.

    So as I rarely need to actually switch any of this stuff on (indeed my iMac still hasn't got past asking me what language is best for me, even though it can hear me speaking loud and clear), security is rarely a problem. I think this is yet another example of the techies blowing something up out of all proportion for a grubby pay rise and I'm not fooled.

    1. Anonymous Coward

      Re: Problem? really?

      Like many Apple owners

      Sorry to fuel your jealous rage but I also have a Bentley with baby seal leather seats.*

      Speak for yourself. For me it's a tool that allows me to do my job with efficiency, and as a Windows convert I enjoy every day that I actually get work done instead of having to wait for yet another anti-virus update and security patch, and without having to fight a UI that is sold as innovation, but only qualifies as that if you're either very drunk, on very dangerous drugs or are a marketing droid trying to flog this stuff to the natives.

      In addition, I can run commercial tools which do not exist for a Linux desktop, and LibreOffice fills our office needs just fine.

      So, even with the current exposure I reckon we're still well up on a Windows platform, still run considerably less risk and still can get on with the day job.

      * No, I haven't. I like to go clubbing but we've run out of seals (to paraphrase Canadian comedian Stewart Francis).

    2. Roo

      Re: Problem? really?

      That was a quality bit of satire, have an upvote.

    3. Charlie Clark Silver badge

      Re: Problem? really?

      I, too, very much enjoy working on MacOS. I don't, however, see why this means Apple can somehow afford to be so lax when it comes to patching software. This is why I don't trust them with the Posix stuff.

      This is the list that MacPorts presented me with this morning. I just wish that Apple did this for me.

      ---> Updating the ports tree
      The following installed ports are outdated:
      freetds 0.91.103_0 < 0.91.103_1
      gettext 0.19.5_0 < 0.19.5_1
      lame 3.99.5_0 < 3.99.5_1
      libedit 20140620-3.1_0 < 20140620-3.1_1
      llvm-3.5 3.5.2_4 < 3.5.2_5
      lzip 1.16_0 < 1.17_0
      nano 2.4.2_0 < 2.4.2_1
      ncurses 5.9_2 < 6.0_0
      python26 2.6.9_2 < 2.6.9_3
      python27 2.7.10_2 < 2.7.10_3
      python32 3.2.6_1 < 3.2.6_2
      python33 3.3.6_4 < 3.3.6_5
      python34 3.4.3_4 < 3.4.3_5
      python35 3.5.0rc1_0 < 3.5.0rc1_1
      readline 6.3.003_0 < 6.3.003_1
      texinfo 6.0_0 < 6.0_1

      1. Anonymous Coward

        Re: Problem? really?

        I don't, however, see why this means Apple can somehow afford to be so lax when it comes to patching software.

        I don't think they are lax - that myth is peddled every time it takes more than a New York minute to receive a patch after someone discovers a bug.

        For a start, if you're so desperate for a mitigation, one already exists (SUIDguard), so if it troubles you a lot, go and install this. In this context it is worth pointing out that the fact that it's BSD under the hood permits a heck of a lot of quick fixes if required. It took but 3 hours from Shellshock being published to someone writing an interim macports patch for bash - it's your choice if you want to install something like that from what is in essence a less trusted source (SUIDguard is at least properly signed).

        However, if you want the official patch you also have to accept that Apple has to test this so it doesn't do a Microsoft* when they roll this out globally, and that does take time. I must admit I find the constant whinging rather interesting because it doesn't seem to come from people that actually *use* OSX to get work done.

        * bork the system with a defective patch

  7. Unicornpiss

    Using page zero...

    Has been done on the 65xx and 68xx (and beyond) processors since the mid 1970s. It was (and is) a useful way to extend a processor's registers to more than you would ever need. Not a new concept. Exploiting this... apparently not new either.

    But not to denigrate Apple or anyone else, when you have millions of lines of code and a rushed development schedule, any company is going to miss flaws, and no company can delay release for a year while they painstakingly test every possible avenue of exploitation. Not and remain relevant. So people can cry "They should have known!" over and over whether it's Apple, Android, MS, or any platform, but this is going to keep happening ad infinitum. It's how quickly and gracefully the vendors and partners react that we should be watching.

    1. Mephistro

      Re: Using page zero...

      Back then I wrote a few assembler programs both for MOS 6502 and Motorola 68000*. The dangers of misusing NULL pointers were well known back then, and palliative measures were described in most books regarding assembler programming. I seem to recall some big C programming books (K&R perhaps?) also discussed these issues.

      Finding this kind of FAIL in a modern OS is like learning that in some first world hospital the surgeons don't wash their hands before operating on patients.

      * Disclaimer: I haven't written a single line of assembler in almost ~30 years, so the situation may have changed, but still...

      1. Admiral Grace Hopper

        Re: Using page zero...

        Hefty dose of nostalgia at the mention of 6502 assembler, thank you. I rarely got that close to the metal again, but it was an excellent grounding in efficient programming practice.

        1. Anonymous Coward

          Re: Using page zero...

          Hah! Luxury! (etc).

          I was hand coding a 6303 in those days to mess around with the deeper code inside the PSION Organiser II. I never had any formal training in programming, so I sort of had to make things up as I went along; the whole idea of an assembler to write code was something I stumbled on *much* later :).

    2. Charlie Clark Silver badge

      Re: Using page zero...

      But not to denigrate Apple or anyone else, when you have millions of lines of code and a rushed development schedule…

      Let's extrapolate from your argument and substitute Boeing or Toyota for Apple and "thousands of rivets" for "lines of code". Do you think the argument still holds up? When the batteries in the 787 started to catch fire did Boeing say it was the pressure of time? Did Toyota say it "could have happened to anyone" when a fault in a pedal was discovered?

      It's not as if there aren't tools that can help find this kind of error. Sure, you can't expect to pick up every bug but what about the backports? This has been fixed in the beta, so it is known about, but the fix has not been backported.

      Liability in the software industry needs to get stricter. If something buggy gets released because some manager decided that testing could be skipped then the manager needs to be held accountable.

      1. tfoale

        Re: Using page zero...

        Null pointer dereferencing is one of the SANS Top 25 programming errors every organization should be catching.

    3. Anonymous Coward

      Re: Using page zero...

      In the 6502 architecture page zero accesses were faster than other pages, that is why back then this technique made sense. In the x86 architecture, there is no such faster access. In real mode, the lowest RAM addresses are used by interrupt vectors. In protected mode, they are addresses like everything else - after all they can be mapped anywhere in real RAM. Usually a good OS should not map addresses usually used by invalid pointers, so they will trigger a processor fault that can be caught and returned to the caller as an error/exception.

      The kernel may map some memory to fixed addresses for simplicity, but in doing so it needs to actively protect it, and avoid addresses that can be easily "spoofed".

    4. Anonymous Coward

      Re: Using page zero...

      "millions of lines of code and a rushed development schedule, any company is going to miss flaws"

      They can afford to slow down and do a proper job! Well in theory, the problem is too many script kiddie developers around nowadays....but there are a few tools that can help fill this gap.

      Not only that, but Apple and others need to be held accountable and prosecuted / sued for negligence if and when it arises.

      1. Alan Brown Silver badge

        Re: Using page zero...

        "the problem is too many script kiddie developers around nowadays"

        The $DIRECTOR at $DAYJOB describes it as "the kind of programming error made by children in bedrooms" and isn't afraid to say so to suppliers.

        They may get upset, but using that kind of term seems to sink in.

        Of course the largest flock of such people seem to work on large government projects and in telcos.

  8. Anonymous Coward

    OS X security?

    It's now clear that Mac's much vaunted security advantages are simply down to their inconsequential market share rather than anything inherently superior about the operating system. Security through obscurity with nobody up till now bothering to waste their efforts focusing on such a small target.

    This is all the more lame considering Apple started with a clean slate, OS design-wise, at the beginning of the millennium.

    1. Anonymous Coward

      Re: OS X security?

      This is all the more lame considering Apple started with a clean slate, OS design-wise, at the beginning of the millennium.

      That "clean slate" was actually an operating system first released in the 1980s, and containing large quantities of code from the late 1970s. Unix -> BSD -> Mach -> NeXTSTEP.

      1. Anonymous Coward

        Re: OS X security?

        "That "clean slate" was actually an operating system first released in the 1980s, and containing large quantities of code from the late 1970s. Unix -> BSD -> Mach -> NeXTSTEP."

        Of course it's well known that OS X is derived from Unix. The point is Apple had the opportunity to start afresh but their eventual solution contained vulnerabilities that could've and should've been anticipated in the year 2000. Instead we got a deluge of hollow boasting in their marketing material about how Macs "just work" and never get viruses etc.

        1. Anonymous Coward

          Re: OS X security?

          Macs by and large do 'just work' and a security flaw != virus. But hey, you are another internet genius telling the world what should be done. Tit.

          1. Anonymous Coward

            Re: OS X security?

            "Macs by and large do 'just work' and a security flaw != virus. But hey, you are another internet genius telling the world what should be done. Tit."

            I'm sure the average Joe Apple user will be mightily relieved that their Mac was attacked via an OS security vulnerability rather than a virus. You're arguing over semantics - the net result is the same to the user.

    2. Anonymous Coward

      Re: OS X security?

      It's now clear that Mac's much vaunted security advantages are simply down to their inconsequential market share rather than anything inherently superior about the operating system.

      Honestly, *please* put some effort into trolling. Use CAPITAL letters, or say "Bill Gates was right", swear, dream up some conspiracy theories, anything to make this more than a lame attempt to dump some uninformed comment. Please?

    3. Anonymous Coward

      Re: OS X security?

      Security through obscurity with nobody up till now bothering to waste their efforts focusing on such a small target.

      Yes, sure. That's why Apple is now clocking more money than the GDP of an average 3rd world country, but without the bribes. Dream on.

      1. genghis_uk

        Re: OS X security?

        I am not sure that profit is really the issue.

        According to stats on El Reg in June, OSX market share is roughly equivalent to Windows XP - way behind Win7 and even the well loved Win8.

        If you are going to target an exploit which would you aim for?

        1. Anonymous Coward

          Re: OS X security?

          I am not sure that profit is really the issue.

          According to stats on El Reg in June, OSX market share is roughly equivalent to Windows XP - way behind Win7 and even the well loved Win8.

          If you are going to target an exploit which would you aim for?

          I'm confused. You're saying that OSX isn't that prevalent (ergo less exposed/targeted), yet still berate it for not immediately releasing patches? I clearly need a lot more alcohol before I can follow that logic.

        2. TheVogon

          Re: OS X security?

          "If you are going to target an exploit which would you aim for?"

          OS-X - they have after all already demonstrated that they are rich and gullible by buying Apple!

          However I guess hackers can't yet be bothered with such a small market share.

      2. Anonymous Coward

        Re: OS X security?

        "Yes, sure. That's why Apple is now clocking more money than the GDP of an average 3rd world country, but without the bribes. Dream on."

        Apple made its profits from flogging iThings like iPods, iPhones and iPads. Its market share of desktop computers and laptops, where you'll find OS X, remains negligible compared to Windows machines.

    4. Hans 1

      Re: OS X security?

      >It's now clear that Mac's much vaunted security advantages are simply down to their inconsequential market share rather than anything inherently superior about the operating system.

      How many vulns like this are found in Windows EVERY MONTH?? Sadly, more than one, as the need for a monthly patch day reveals. Now, with the gazillion pre-historic subsystems they keep in Windows, that is hardly a surprise.

      Security-wise, MAC OS X has very few of these, however, they still have not learned the lesson of patching early, a luxury, since there are so few.

      Mac OS, however, has other issues. They use a gazillion open-source packages, and they do not always keep them up-to-date ...

      1. Anonymous Coward

        Re: OS X security?

        How many vulns like this are found in Windows EVERY MONTH ??

        Ah, you've decided to feed the troll. Yawn. Oh well.

        1. TheVogon

          Re: OS X security?

          "How many vulns like this are found in Windows EVERY MONTH ??"

          Fewer than in OS-X - which is currently on well over 2000 as per NIST and Secunia.

  9. DelM

    The no-access guard page

    And back in the glory days of [Open]VMS, we had the no-access guard page. The first 512 bytes of your process was not readable or writable - at least for user processes - and so you always quickly saw these problems during run time. Or, if you didn't catch them except in a corner, they just caused your (user level) app to die.

    Memories...

  10. Anonymous Coward

    OMG! A prankster could install Windows 10 on your Mac. The horror, the horror.

  11. Anonymous Coward

    Null pointer dereference

    While it sounds great in theory to make page zero no access so dereference attempts fail, it breaks too much software written by lazy programmers. HP-UX had a compiler option that would cause an inaccessible page to be mapped to page zero for this purpose, but surprisingly often when I enabled it on any open source software of any complexity it would seg fault. I submitted patches for some where I found the cause by using the core dump etc. but my patches weren't always accepted...

    I actually had the guy in charge of one open source package (can't remember what it was, but was one of the GNU utilities) tell me it was not important to fix since the default on all systems was to allow dereferencing page 0 and reading 0s. Apparently by enabling that option on HP-UX I was compiling it incorrectly! I hope he sees this bug, and realizes how stupid his attitude was.

    1. Alan Brown Silver badge

      Open source - not always shallow (but sometimes the people are)

      "I actually had the guy in charge of one open source package ... tell me it was not important to fix "

      I had something similar happen when I reported issues with Bind 20 years ago.

      Within 18 months skiddies and spammers were heavily exploiting the problem and it _STILL_ hasn't been fixed.

      Summary:

      The RFCs for DNS state that IPv4 addresses are dotted quad decimal numbers (as does the documentation)

      Bind does no syntactic checking of a config file's A record, translating 0xx as octal, 0x as hexadecimal and allows use of a single number or fewer than 4 sets (ie: 0xccddeeff is the same as 0xcc.0xdd.0xee.0xff is the same as 204.221.238.255 is the same as 3437096703 or 031467367377)

      It commonly shows up when admins zero-pad IP addresses in the config files for human readability - bind will translate 123.012.034.254 as 123.10.28.254 and things start breaking for obvious reasons.

      To make matters worse the bind libraries do the same thing, so if a spammer uses the same formats in their spam URLs it does a good job of obscuring where the mothership is.

      I pointed out 20 years ago that the RFCs were pretty clear and that either the code or the RFC should be changed so that things match and got shouted down by a bunch of open source advocates screaming that it works as designed and is supposed to be that way.

      This issue is _still_ there....
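The parsing behaviour described in the reply above, shown side by side with a strict parser, as an added example that is not part of the post and not BIND's own code. It assumes the lenient behaviour is visible through the C library's `inet_aton()` (which, on glibc, accepts the octal, hex and short forms listed above); the strict parser `strict_dotted_quad()` and its wrapper `strict_parse()` are hypothetical helpers that accept only four groups of one to three decimal digits with no leading zeros.

```c
#define _DEFAULT_SOURCE
#include <arpa/inet.h>
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>

/* Strict dotted-quad decimal parser, the RFC form the reply refers to:
 * exactly four groups of one to three decimal digits, no leading zeros
 * (so "012" is rejected rather than read as octal), no "0x" prefixes,
 * each group in 0..255. Returns 1 and stores the address in host byte
 * order on success, 0 on any deviation. Hypothetical helper, not BIND code. */
int strict_dotted_quad(const char *s, uint32_t *out)
{
    uint32_t addr = 0;

    for (int group = 0; group < 4; group++) {
        unsigned value = 0;
        int digits = 0;

        if (!isdigit((unsigned char)*s))
            return 0;                               /* empty group */
        if (*s == '0' && isdigit((unsigned char)s[1]))
            return 0;                               /* zero-padded group, e.g. "012" */
        while (isdigit((unsigned char)*s)) {
            if (++digits > 3)
                return 0;                           /* e.g. "3437096703" */
            value = value * 10 + (unsigned)(*s - '0');
            s++;
        }
        if (value > 255)
            return 0;
        addr = (addr << 8) | value;
        if (group < 3) {
            if (*s != '.')
                return 0;                           /* "0x..." or fewer than four groups */
            s++;
        }
    }
    if (*s != '\0')
        return 0;                                   /* trailing characters */
    *out = addr;
    return 1;
}

/* Convenience wrapper: host-order address, or -1 when the strict parser rejects. */
long long strict_parse(const char *s)
{
    uint32_t addr;
    return strict_dotted_quad(s, &addr) ? (long long)addr : -1;
}

/* The lenient libc parser (inet_aton, which came out of the BSD/BIND tree):
 * host-order address, or -1 if it rejects the text. */
long long lenient_inet_aton(const char *s)
{
    struct in_addr in;
    if (!inet_aton(s, &in))
        return -1;
    return (long long)ntohl(in.s_addr);
}

static void show(const char *label, long long v)
{
    if (v < 0) {
        printf("   %s: rejected", label);
    } else {
        unsigned long long u = (unsigned long long)v;
        printf("   %s: %llu.%llu.%llu.%llu", label,
               u >> 24, (u >> 16) & 255, (u >> 8) & 255, u & 255);
    }
}

int main(void)
{
    /* Constructed inputs, taken from the forms the reply lists. */
    const char *samples[] = {
        "204.221.238.255", "0xcc.0xdd.0xee.0xff", "0xccddeeff",
        "3437096703", "031467367377", "123.012.034.254",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("%-20s", samples[i]);
        show("strict", strict_parse(samples[i]));
        show("inet_aton", lenient_inet_aton(samples[i]));
        putchar('\n');
    }
    return 0;
}
```

Running it prints one line per sample: only `204.221.238.255` passes the strict parser, while `inet_aton()` maps all of the first five to the same address and silently turns `123.012.034.254` into `123.10.28.254`. A config or URL validator that wants dotted-quad decimal has to do this check itself rather than relying on the library call succeeding.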

  12. Si 1

    Considering OSX ships by default with a block to prevent execution of anything not downloaded from the App Store I'm not sure how much of a problem this would be. Tricking people into downloading an app off the web would be pointless because OSX would simply not run it. It wouldn't even prompt for an admin password like Windows, it just behaves like you never even clicked on the app.

    Of course that does leave room for nefarious apps being allowed onto the App Store by Apple but that would require the developer to pay for a developer account, pass Apple's certification tests (which could well catch an app giving itself admin privileges) and then you'd need people to actually want to download the app.

    Unless Apple promote the app on the App Store homepage it would probably sit in some corner of the App Store being ignored like 90% of the other apps on there... Bit of a storm in a teacup methinks...

    1. Dan 55 Silver badge

      The block is smoke and mirrors that works by checking the filename metadata before launching it. It's no protection against a browser, Java, or Flash exploit.

      1. Fitz_

        ...which is where your browser sandbox comes in, and why Apple block old versions of Flash and Java.

        1. TheVogon

          "which is where your browser sandbox comes in"

          Which Safari isn't the greatest at. It is hacked first pretty much every year on Pwn2own.

  13. Anonymous Coward
    Anonymous Coward

    Security through obscurity

    Oh my. Methinks Apple needs to rethink this whole security through obscurity approach. It clearly isn't working.

    1. anonymous boring coward Silver badge

      Re: Security through obscurity

      Ridiculous comment. They don't have any such approach.

    2. Anonymous Coward
      Anonymous Coward

      Re: Security through obscurity

      Oh my. Methinks Apple needs to rethink this whole security through obscurity approach. It clearly isn't working.

      For reasons of economy and saving myself time I refer you to an earlier comment.

  14. Nanners

    Everyone knows it

    and yet it's not a problem and never has been. Apple is so very frustrating for these "security experts." I truly do feel for them.

  15. AustinBaze

    Kind of a dick move releasing the exploit code at the same time he notified Apple.

  16. Spaceman Spiff

    Well, Linux and most Unix systems will segfault if you try to write to page 0. Since OSX is based upon BSD Unix, I don't know if that behaves similarly. Apparently not.

    1. Daniel B.
      Boffin

      This is expected behavior when trying to write to page 0 ... from userspace. The way I understood this vuln, the NULL pointer makes its way down to kernelspace calls, and there is where the writing occurs.
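A small probe for the page-zero behaviour discussed in comment 11 (the HP-UX option that maps an inaccessible page at address 0 versus the default of reading zeros) and in the two comments just above (userspace writes to page 0 faulting on Linux and BSD), as an added example that is not part of any of the posts. It assumes a POSIX system where a failed access to address 0 raises SIGSEGV or SIGBUS; `page_zero_readable()` is a hypothetical helper that catches that fault and reports whether page zero is a guard page or readable.

```c
#define _POSIX_C_SOURCE 200809L
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>

/* Jump target used by the fault handler to abandon the probe. */
static sigjmp_buf probe_env;

static void probe_fault_handler(int sig)
{
    (void)sig;
    siglongjmp(probe_env, 1);   /* restores the signal mask saved by sigsetjmp */
}

/* Address 0 is read from a volatile global so the compiler cannot see a
 * constant NULL dereference and replace the load with a trap instruction. */
static volatile const char *const volatile page_zero = (volatile const char *)0;

/* Returns 1 if a byte can be read from address 0 (page zero mapped and
 * readable: the "dereference page 0 and read zeros" default described in
 * comment 11), 0 if the read faults (a guard page, as on VMS, Linux and BSD).
 * Hypothetical helper, not from the page. */
int page_zero_readable(void)
{
    struct sigaction sa, old_segv, old_bus;
    int readable;

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = probe_fault_handler;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = 0;
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);    /* some platforms report this as SIGBUS */

    if (sigsetjmp(probe_env, 1) == 0) {
        volatile char byte = *page_zero; /* the actual probe */
        (void)byte;
        readable = 1;
    } else {
        readable = 0;                    /* the handler jumped back: the access faulted */
    }

    /* Put the caller's handlers back so the probe has no lasting side effect. */
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return readable;
}

int main(void)
{
    if (page_zero_readable())
        puts("page zero is readable: a NULL dereference reads zeros and stays hidden");
    else
        puts("page zero faults: a NULL dereference surfaces as SIGSEGV during testing");
    return 0;
}
```

The useful property for testing is the second outcome: with page zero unmapped, every NULL dereference in a user process shows up as a crash with a core dump you can debug, which is exactly how the HP-UX option in comment 11 exposed the bugs. The probe only covers userspace; as the reply above notes, a NULL pointer that is handed to a kernel call is checked, or not, by the kernel's own address validation rather than by the process's page tables.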

  17. Rick Giles
    Linux

    Huh?

    Apple makes an OS for computers, TOO?!?

  18. Mpeler
    Coat

    eX OS?

    Yosemite Falls...

  19. Howard Hanek
    Alien

    Vogons

    Well, I for one am thrilled that so many Vogon poets have found suitable employment.
