Mac fans! Don't run any old guff from the web: Malware spotted exploiting OS X root bug

The amusing vulnerability in Apple's OS X that grants administrator-level access to anyone who asks is being exploited in the wild by malware. Yeah, malware exists for Macs, this isn't the 1990s. Anyone logged in to a vulnerable OS X computer, or any software running on it, can use the security hole to gain the same privileges …

  1. ThomH

    Is it accurate to describe it as a zero-day exploit?

    I almost feel we should be shaming these companies a little more; by now this is at least a minus-fourteen-day exploit.

    1. Kurt 4

      Re: Is it accurate to describe it as a zero-day exploit?

      Don't you mean plus-fourteen-day exploit? Minus means they still have 14 days before it becomes a zero-day, which is incorrect as it's already being exploited.

      1. werdsmith Silver badge

        Re: Is it accurate to describe it as a zero-day exploit?

        There was a time when Mac OSes went relatively unscathed because they were a tiny fraction of the market and nobody bothered with them. Now they are becoming more popular we discover that they are as safe as a chocolate biscuit on a meeting table.

  2. This post has been deleted by its author

  3. JLV
    FAIL

    Totally unacceptable

    We have a root exploit that won't get fixed on <= Mavericks. And now another one that is what, getting fixed next release? Trying to one-up MS? They may have tons of holes (even getting less so, perhaps), but usually they do try to fix the big ones as they happen. Not "next release".

    FU Apple.

    1. This post has been deleted by its author

      1. Anonymous Coward

        Re: Totally unacceptable

        Agreed it needs fixing, whether it does time will tell.

        There are some ways to mitigate the problem with the security options available, e.g. only allowing signed apps to install, unless of course the user bypasses them. Or perhaps I misunderstood the problem.

        As for old machines being obsolete, I suppose it comes down to how old: my Mid 2007 iMac runs Yosemite without problems, no reason for it not to run 10.11.

        1. This post has been deleted by its author

        2. JLV

          Re: Totally unacceptable

          Signed apps may not be such a good idea in my case. I get a lot of open source macports apps and the occasional non-macports non-appstore apps. I have signed apps turned off because it has often bugged me in the past for these.

          In fact, searching for "macports signed apps" got me nothing relevant so I'm really not sure where macports stands. I assume firmly in the unsigned camp, due to certificate costs. Thoughts? Homebrew?

          As to obsolete HW commentards, my 2011 mbp would run latest and greatest just fine, thank you. Not an excuse for Apple to drop the ball so clumsily. I usually wait at least 6-8 months before upgrading. Let others blaze trails.

          I bought Apple because I didn't trust Windows security, did trust BSD and partially because I was too lazy to tweak Linux installs. Can't be the only one with this profile who is feeling let down by Apple's behavior.

      2. Frank Bough

        Re: Totally unacceptable

        My Mac Mini is 6 yrs old and running latest, as is my similar vintage Mac Pro. Blah blah blah.

    2. Anonymous Coward

      Re: Totally unacceptable

      The only reason I "upgraded" from perfectly decent Mavericks to unstable Yosemite was to close the security hole that Apple claimed was "too hard" to fix in all but the latest version of OS X. And now what? Do they only fix critical security flaws in new releases? Do I wait, or update to a beta and make my laptop even more unstable? (Rhetorical question)

      There are plenty of people out there who will happily click their way through any installation without giving it a second thought. This is leaving them exposed.

      Apple's OS update policy is inexcusable. It's not "too hard", they just want to force everyone to upgrade to get the latest versions of Apple ecosystem bloat.

  4. Dan 55 Silver badge
    Facepalm

    Security updates, we've heard of them....

    As soon as they saw that it was taking them too long to fix the dynamic linker so it worked as in 10.11, they should have pushed out a fix which disables the logging functionality completely, i.e. nobble an if in the source code. They could then make it work properly for the next OS subrevision (10.10.5).

    Two weeks and still counting ain't good enough, especially for something which doesn't affect the end user in any way whatsoever.

  5. Anonymous Coward

    So I have to actively download it, click on it to install it and then type in my password for it to work... so it's not like it's triggered by receiving an MMS that I can't do anything about. Sure, the potential risk is high, but the chances are remotely low for anyone with half a brain/not downloading from torrent sites.

    1. Dan 55 Silver badge

      Don't worry, it'll be combined with a browser/Flash/Java exploit soon so you won't even need to download it...

      1. Anonymous Coward

        It'll need to somehow be made into a browser based exploit, because no one is using Flash let alone Java on their Mac (or anything else) anymore.

        If you do there are so many security holes in those pieces of trash that need weekly patching you couldn't further reduce your security if you posted your password on Facebook and Twitter!

        1. VinceH

          "It'll need to somehow be made into a browser based exploit, because no one is using Flash let alone Java on their Mac (or anything else) anymore."

          Citation needed. (I can counter the claim of "no one" because I know of two local companies that are Mac-based and who do have Flash installed*)

          "If you do"

          ...you are proving DougS wrong, because he just said "no one" does in the same post? :p

          "there are so many security holes in those pieces of trash that need weekly patching you couldn't further reduce your security if you posted your password on Facebook and Twitter!"

          This I can't disagree with!

          * As a relevant aside, I know that one of them recently paid someone to remove some malware from one of their computers, though I don't know the full details: I do stuff for them, but it's not IT related - I don't do Macs.

      2. Anonymous Coward

        At our shop we've been cleaning up malware installations for months now: lots of users download and install MacKeeper, others get Genieo and its search toolbar variants, and occasionally the odd LogMeIn install as recommended by 'techs' over the phone. Most of it is poor user practice, but there was a time when downloading the latest Java from Oracle's official website would get Genieo piggybacked, and of course users get the constant 'update Flash' messages. It's not a new problem, and it looks like it's going to be a permanent issue. Keeps us in business at least.

    2. Stevie

      anyone with half a brain

      But Macs are marketed at those without half a brain as "it just works".

      I see your point and agree that the exposure to those who read here is minimal to the point of non-existence, but someone's mom or granny is going to do exactly what is required because they've been told they are safe with their Apple computer.

      We are surely past the days when it was appropriate to be unquestioningly uncritical of Apple just because it's Apple.

      1. Anonymous Coward

        Re: anyone with half a brain

        Apple should have fixed or mitigated this problem very soon after discovery.

        Having said that, Gatekeeper does give some protection against this, and mom and granny probably don't know how to bypass it, but I agree that is not good enough and security problems should be fixed much quicker.

      2. P. Lee
        Go

        Re: anyone with half a brain

        >someone's mom or granny is going to do exactly what is required because they've been told they are safe with their Apple computer.

        Someone will but I suspect many, if not most, Mac users exist mostly within whatever was set up for them. "Needing to download and install stuff is what Windows and Linux people do."

        Besides, the security hole is handy. I don't really trust my daughter's educational establishment to manage her MBA properly. Turns out, I was right... ;) ... and now at least Time Machine works...

        1. Stevie

          Re: "Needing to download and install stuff is what Windows and Linux people do."

          "Besides, the security hole is handy. I don't really trust my daughter's educational establishment to manage her MBA properly. Turns out, I was right... ;) ... and now at least Time Machine works..."

          I thought that subverting the security model to make software "work properly" was a Windows paradigm.

          I'm not sure what your point was. I said we should not be hand-waving away the problem because it involves Apple and poses a real risk.

          The granny and mom example was chosen because the elderly pretty much just want to "talk" to now-distant friends and see pictures of the kids and the tool of choice is Facebook aka clicky heaven. If you gave your elderly parent a Mac so you could forget the IT support angle, my point is that you need to be on your guard.

          There was no schadenfreude involved, simply the observation that there is a real risk involved and those saying there isn't have their heads in the sand. The auto-response in these situations is no longer appropriate in the general case.

          As for my contention that Apple markets to the "idiot brigade", well, blame those adverts from 1996 where they had a bloke on camera saying that with his Windows computer he had to dismantle it to install a printer.

      3. Anonymous Coward

        Re: We are surely past the days ...

        True. 2015 > 1984

    3. Robert Helpmann??
      Big Brother

      Half a Brain

      So I have to actively download it, click on it to install it and then type in my password for it to work...

      Yeah, makes me feel safe, too, especially as otherwise reputable software has never been hijacked or forcibly re-purposed by an outside entity. It's a flaw that can be exploited. It should be fixed on all affected machines. Claiming that it is too hard to patch or that it is not that dangerous only makes me question the agenda of the person making the statement as they obviously don't have my best interests at heart.

      1. armster

        Re: Half a Brain

        OK, root escalation is a problem for multi-user machines, but seriously: if I install a dodgy piece of software, giving an admin password to do so, and the end result is that dodgy software is running on my computer, then there is exactly nothing anyone can do about this. A good AV might have warned me before installing the software, but the OS really has no way of keeping an installer running with a user password from installing things.

  6. Doctor Syntax Silver badge
    Facepalm

    But the underlying issue seems to be someone writing a process running with root privileges and using an environment variable that can be set by an unprivileged user. What were they thinking of?

    1. Anonymous Coward
      Gimp

      "... and using an environment variable that can be set by an unprivileged user. What were they thinking of?"

      Kittens, fluffy kittens, lots of fluffy kittens. Cool, fluffy kittens. Lots of cool, fluffy kittens. "I'm a cool, fluffy kitten and the day job gets in the way of my cool, fluffiness ... damn I'm hip"

      Come on ACs: hit the down arrow .... with your cool, fluffy kitten paw. The one with a mouse in it. Go on, stroke it .... mmmm crappy, white plastic thing but soooo reassuringly expensive. *purr* *purr*

      Cheers

      Jon

      PS The toxoplasmosis might be kicking in ...

    2. david 12 Silver badge

      >and using an environment variable that can be set by an unprivileged user

      That seems to be a standard design method in the cross-platform open-source world. I've been complaining about it for years, and each time the developers have taken the attitude "WTF?"
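
    As an added illustration of the design flaw Doctor Syntax and david 12 describe above (a process running with privilege honouring an environment variable that any unprivileged local user can set), and of the "nobble an if" mitigation Dan 55 suggests further up, here is a small C example. It is not code from the article, from this thread or from Apple's dynamic linker: the LOG_TO_FILE variable, the /tmp default path and every function name are hypothetical. It generalises the single "log to a caller-chosen file" case into a privilege-aware getenv wrapper of the kind glibc ships as secure_getenv, and shows the vulnerable path selection beside the hardened one.

```c
/* Added example: a privileged program that lets an environment variable pick
 * its log file, beside the hardened form that ignores the variable whenever
 * real and effective ids differ.  Hypothetical names throughout; not dyld. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define ENV_NAME    "LOG_TO_FILE"      /* hypothetical, attacker-settable */
#define DEFAULT_LOG "/tmp/demo.log"    /* hypothetical built-in default   */

/* True when the process holds privilege its invoker lacks (setuid/setgid).
 * On macOS and the BSDs issetugid() is the canonical check; the comparison
 * below is the portable approximation used here. */
int running_with_elevated_privileges(void)
{
    return getuid() != geteuid() || getgid() != getegid();
}

/* Vulnerable: the caller-controlled value is honoured unconditionally.
 * Running setuid-root, this lets an unprivileged user choose a file that
 * root will then open for writing (e.g. something under /etc). */
const char *log_path_vulnerable(const char *env_value)
{
    return (env_value != NULL && env_value[0] != '\0') ? env_value : DEFAULT_LOG;
}

/* Hardened getenv: under privilege the environment is simply not consulted,
 * the same idea as glibc's secure_getenv(). */
const char *safe_getenv(const char *name, int elevated)
{
    if (elevated)
        return NULL;
    return getenv(name);
}

/* Hardened path selection: the "nobbled if" - under privilege the optional
 * feature is switched off entirely and the built-in default is used. */
const char *log_path_hardened(const char *env_value, int elevated)
{
    if (elevated)
        return DEFAULT_LOG;
    return log_path_vulnerable(env_value);
}

int main(void)
{
    /* Constructed attacker input: a path the unprivileged user cannot write. */
    setenv(ENV_NAME, "/etc/attacker-chosen-file", 1);

    int elevated = running_with_elevated_privileges();
    const char *raw = getenv(ENV_NAME);

    printf("real/effective ids differ: %d\n", elevated);
    printf("vulnerable picks:            %s\n", log_path_vulnerable(raw));
    printf("hardened picks:              %s\n",
           log_path_hardened(safe_getenv(ENV_NAME, elevated), elevated));
    /* Force the privileged branch so the difference shows even when this
     * demo is run as an ordinary, non-setuid binary. */
    printf("hardened (simulated setuid): %s\n",
           log_path_hardened(safe_getenv(ENV_NAME, 1), 1));
    return 0;
}
```

    Run as a normal user the two forms agree; the last line shows what the hardened form does when the binary is setuid, which is the only case that matters. Either layer alone (refusing to read the variable, or refusing to act on it) closes the hole; both are kept so a later change to one does not silently reopen it.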

  7. Nanners

    I need security

    luckily I can sell it to u.

    1. Nanners

      Re: I need security

      Stupid autocorrect is the scourge of man.

      1. Anonymous Coward

        Re: I need security

        Makes for some totally surreal text message exchanges though, especially when mixed with beer and a long week.

  8. Disko
    Big Brother

    I miss Steve

    and his unrelenting demand for perfection on all levels. Being unreasonably demanding seems to be a valid ingredient of leadership to run a company like Apple.

    “This isn't good” just doesn't motivate the troops like “You’re fired unless otherwise indicated, if not you can bask in glory on your own time. Consider yourself destroyed if you mess up”.

    (Of course this is not to say that there haven't always been issues, or that there ever won't be.)

    The point that the average end-user who only walks the beaten path is still not as likely to be affected does matter - I see some irony in that most malware I've seen can only be /avoided/ by being an expert: on a Mac, one needs to be a bit of an expert to install it.

    That said, the excuses are just too lame, and the reaction too slow, and it seems the error is at a conceptual level in the approach to programming. The priority seems to be to direct users to the channel (store).

    1. Charlie Clark Silver badge

      Re: I miss Steve

      Apple still released buggy products while Steve was at the helm. In fact every release since Snow Leopard has had some howlers. Yosemite is relatively stable by comparison.

  9. kryptylomese

    Fix for this Exploit

    First thing you should do with a Mac is install Linux!

    1. Anonymous Coward

      Re: Fix for this Exploit

      While you're at it, empty that bottle of Bollinger and fill it with flat diet coke

  10. Mike Bell

    Victim

    Victims first have to be tricked into downloading and opening a disk image file, running the installer app inside, and clicking through OS X's are-you-sure-you-want-to-run-untrusted-things-from-the-internet warnings.

    If matters get that far, the mark is a candidate for a Darwin Award, and is victim of something far worse than a malware attack.

  11. Mike 16

    It was introduced with Yosemite

    So why exactly do older versions need a patch?

    That said, I agree that Yosemite was "not entirely successful" on the stability front, but having to choose between "known kinda flakey" Yosemite and "Lord only knows but the track record has been not so good" El Capitan, I'm torn.

    I agree that Snow Leopard (10.6 for non-Mac folks) was the last mostly harmless version. It's been quite a while since I clicked on UPDATE without hearing the Jaws theme.
