Daniel Bachfeld

Summary of the Month of Apple Bugs

The Month of Apple Bugs (MoAB) is over, and aside from all of the discussion about the way the material was presented, the important question concerns just what insights it provided into the security of Mac OS X.

As promised, the initiators of the Month of Apple Bugs, Lance M. Havok and Kevin Finisterre, published a hole in Mac OS X or an application for it every day. In the process, they provided all of the components that an attacker needs to take over an Apple computer. Whilst in most cases the victims still need to interact, Mac users are also curious and, like everyone else, click on links that look interesting or download files from the internet. For example, the MoAB started off with an exploit demonstrating how a hole in QuickTime can be used to inject and execute malicious code in systems via specially prepared websites. The next day, the initiators demonstrated a similar flaw in the VLC player that was also related to additional Mac OS X functions and third-party applications.

While some Mac users did not fail to point out that the malicious code only ran with user rights and was therefore not able to do much harm, attackers would nonetheless be able, for example, to delete documents or send spam e-mails with such rights. In addition, Havok and Finisterre published several local privilege escalation holes that could be used to gain root privileges. These holes, in particular, revealed some considerable vulnerabilities in the way Mac OS X issues rights for paths and files. For instance, system programs can be exchanged not only if you are a member of the admin group, but also with restricted user privileges; likewise, arbitrary programs could be saved and then launched by the system's setuid programs. Such flaws have been quite rare in older operating systems like Windows and Linux for several years now. These elementary flaws indicate that Mac OS X was not seriously designed as a multiuser system and that a clear delineation of user accounts was apparently not an important design goal.

While most of the privilege escalation vulnerabilities are new, it is even more disconcerting that the most critical of them has been known for some time. Users do not even have to be a member of the admin group to get root privileges by manipulating the InputManager. More than a year ago, the Leap.A OS X worm exploited this loophole to launch itself automatically with root privileges. Apple has yet to remedy this problem.

Indeed, Apple did not seem to have much to say about MoAB. The only patch that the company has provided concerns the hole in QuickTime. Apple has not provided patches or workarounds for the vulnerabilities in the processing of DMG images (which can also cause data losses) or for the holes in iChat, AppleTalk, QuickDraw, and other system components. To make things worse, Apple has not even informed its users about the problems as Microsoft does when a hole becomes known but no update has yet been provided. Instead, Landon Fuller's MoAB Fix Group was formed to provide unofficial patches or at least some ideas about workarounds.

But now that MoAB is over, there is no reason to expect specially prepared websites to be popping up everywhere or for e-mails to be sent more often with viruses for Mac OS X. The number of Apple systems being used is probably just too small for authors of viruses to be interested in writing trojans and spyware for them. Nonetheless, MoAB managed to demonstrate impressively that well targeted attacks can be quite successful, if need be. Apple now has its work cut out for it if it wants to work off this list of flaws and provide updates both for the holes and the design errors. And if Apple does not do so, MoAB will not have served its purpose of increasing the security of MacOS X in the long term -- but then Apple is to blame.