posted by martyb on Friday January 23 2015, @08:09AM
from the bbbbut-all-the-unit-tests-passed! dept.

Ars Technica is reporting that Google's wrath at Microsoft about its security problems is extending to Apple. Google has identified and is now releasing details on three zero-day exploits in MacOS X here, here, and here.

At first glance, none of them appear to be highly critical, since all three appear to require the attacker to already have some access to a targeted machine. What's more, the first vulnerability, the one involving the "networkd 'effective_audit_token' XPC," may already have been mitigated in OS X Yosemite, but if so the Google advisory doesn't make this explicit....

The security flaws were privately reported to Apple on October 20, October 21, and October 23, 2014. All three advisories appear to have been published after the expiration of the 90-day grace period that Project Zero gives to developers before making reports public.

As a heavy MacOS X user and one who is pretty savvy about such things, I know that Macs are not invulnerable, but two of these I find worrisome. Google might also feel the same way given that they are a Mac shop, eschewing MS Windows because of its well-known security problems.

  • (Score: 3, Interesting) by frojack on Friday January 23 2015, @08:21AM

    by frojack (1554) on Friday January 23 2015, @08:21AM (#137176) Journal

    Google is a Mac shop? I thought it was a Linux shop. At least in the server stacks....

    But my main point is that if these companies start finding fault with each other's systems, hopefully before the NSA does, maybe we all gain.
    Especially when some companies sit on bugs thinking no one will ever find them.

    But it's still odd that Google is doing this and refusing to fix security bugs in Android that is still running on a lot of phones.

    --
    No, you are mistaken. I've always had this sig.
    • (Score: 2) by TheRaven on Friday January 23 2015, @10:12AM

      by TheRaven (270) on Friday January 23 2015, @10:12AM (#137195) Journal

      Google is a Mac shop? I thought it was a Linux shop. At least in the server stacks....

      Walk around a Google campus and you'll see a lot of MacBook Pros and even Mac Pros on the desks. There are an increasing number of Chromebooks too, but a good proportion of the engineers have Macs. They don't use them on the back end systems, but you'll find them on a large proportion of desks (not sure if it's still true, but they used to give engineers the choice of a Mac or a Linux box).

      But it's still odd that Google is doing this and refusing to fix security bugs in Android that is still running on a lot of phones.

      Google employees don't use old Android phones, so bugs in old Android versions don't affect Google.

      --
      sudo mod me up
    • (Score: 2) by morgauxo on Friday January 23 2015, @02:23PM

      by morgauxo (2082) on Friday January 23 2015, @02:23PM (#137242)

      Nah, Google hires creative people. Everyone knows that creative people HAVE to have Macs. Somehow human creativity only works on a Mac even though they are running the same program (Photoshop) regardless of what the OS and hardware are. You just can't be creative without Apple... and Adobe.

      • (Score: 0) by Anonymous Coward on Friday January 23 2015, @09:13PM

        by Anonymous Coward on Friday January 23 2015, @09:13PM (#137425)

        Does Photoshop run on Linux? I think they stopped letting their employees have the option of using Windows some years ago (barring special cases).

    • (Score: 2) by tibman on Friday January 23 2015, @03:51PM

      by tibman (134) Subscriber Badge on Friday January 23 2015, @03:51PM (#137272)

      It is certainly responsible for google to be reporting these issues. Public disclosure creates incentive to fix the bugs as well. I have the feeling that the NSA uses a lot of other people and organizations to build their exploits. Since these three bugs are now public, anyone can use them (including the NSA) against unpatched machines.

      --
      SN won't survive on lurkers alone. Write comments.
    • (Score: 2) by Nerdfest on Friday January 23 2015, @04:34PM

      by Nerdfest (80) on Friday January 23 2015, @04:34PM (#137301)

      I've heard that you actually need to get special approval to get a Windows machine, although that could be a myth.

      More on topic, it's a little sad that Apple couldn't get these patched in 90 days. They have a *very* limited set of hardware to support, unlike Microsoft. They seem to have not improved their security stance as much as they need to with their increasing target surface.

  • (Score: -1, Flamebait) by Anonymous Coward on Friday January 23 2015, @10:03AM

    by Anonymous Coward on Friday January 23 2015, @10:03AM (#137193)

    Ahh this old rag headliner. It was always about CEO preference and nothing else. Employees can choose whatever they want. Most have more than one. The admin tools for Mac were terrible so we have had to make new ones at great expense. You even managed to get the "well-known security problems" equivocation in. You know why Windows problems are well known? It's a big target, with large market share and lots of IP made and stored within. OSX just isn't as compelling a security target. There isn't even a decent enterprise Mac server.

    So much for being savvy about such things.

    • (Score: 2) by mendax on Friday January 23 2015, @10:29AM

      by mendax (2840) on Friday January 23 2015, @10:29AM (#137198)

      OSX just isn't as compelling a security target.

      Hmmm... walk into a Starbucks one of these days. I spend a lot of time there. I see a lot of Macs on tables there.

      So much for being savvy about such things.

      I was not aware we were having a penis measuring contest.

      --
      It's really quite a simple choice: Life, Death, or Los Angeles.
      • (Score: 0) by Anonymous Coward on Friday January 23 2015, @11:05AM

        by Anonymous Coward on Friday January 23 2015, @11:05AM (#137204)

        AC isn't 'measuring dicks', he's just being one.

      • (Score: 0) by Anonymous Coward on Friday January 23 2015, @11:37AM

        by Anonymous Coward on Friday January 23 2015, @11:37AM (#137206)

        What IP do those soy-mocha-frappa-cinno sippers have in their fashion accessories ... I mean Macbooks? At best some Photoshop or some other graphic design files?

        • (Score: 2) by MichaelDavidCrawford on Friday January 23 2015, @06:50PM

          by MichaelDavidCrawford (2339) Subscriber Badge <mdcrawford@gmail.com> on Friday January 23 2015, @06:50PM (#137371) Homepage Journal

          most of the money in television actually is in the advertisements.

          Entertainment is a big business. Go visit West LA sometime. There are acting schools on every streetcorner.

          How many employees does Apple have? They had 11,000 when I worked there in 1996. Now it's ten times that.

          I don't see many linux boxen at the wifi spots. I don't even see many windows machines anymore.

          Mostly I see apple logos.

          I'm not your typical Apple Fanboi; I just installed Linux Mint Cinnamon 17.1 on my Xeon box. Sometime soon I'm going to install it on my Retina Display MacBook Pro as well. I've grown weary of Apple for many reasons but one thing I do not do, is denigrate the achievements it really has made.

          --
          Yes I Have No Bananas. [gofundme.com]
          • (Score: 0) by Anonymous Coward on Friday January 23 2015, @07:04PM

            by Anonymous Coward on Friday January 23 2015, @07:04PM (#137381)

            What is your message? That you like macs and they have market share with end users that like using computers in public? That does not refute the point being discussed. That is, there is little of significant value for attackers within OSX based systems. Just because people like macs, that they are used in public places, or that you believe they should be respected does not change the fact that there are juicier targets.

            • (Score: 2) by MichaelDavidCrawford on Friday January 23 2015, @08:45PM

              by MichaelDavidCrawford (2339) Subscriber Badge <mdcrawford@gmail.com> on Friday January 23 2015, @08:45PM (#137410) Homepage Journal

              It runs CentOS and is locked-down pretty good. If you wanted to jack my server, the most-effective way would be to lift my server's ssh public key off my Mac.

              I understand that's roughly what happened to Sony - they didn't crack a server directly, rather they obtained an admin password.

              --
              Yes I Have No Bananas. [gofundme.com]
              • (Score: 0) by Anonymous Coward on Friday January 23 2015, @10:17PM

                by Anonymous Coward on Friday January 23 2015, @10:17PM (#137448)

                Again, what is your point? An example as to why you think your particular mac is less secure than your linux-based server is not compelling. How does your opinion on your own system disrupt the point that macs have less of value on them than other systems, thus get less scrutiny?

                • (Score: 2) by MichaelDavidCrawford on Friday January 23 2015, @11:10PM

                  by MichaelDavidCrawford (2339) Subscriber Badge <mdcrawford@gmail.com> on Friday January 23 2015, @11:10PM (#137465) Homepage Journal

                  While it is common for servers to use Linux, BSD and Windows Server editions, it is uncommon for them to be administered by those systems.

                  It's quite common for Linux admins to use Macs. Consider Slashdot's Rob Malda, for instance.

                  The best way to crack a secure system, is to crack an insecure system that is somehow trusted by the secure one. For that reason it is unreasonable to expect a server to be secure unless all the boxen that are used by its admins are provably as secure as the server is.

                  Given that that's generally not the case - it should be but is not, and is not commonly recognized to be the case - a Mac with nothing on it but the applications that come bundled is quite likely a high-value target.

                  All you need is a keystroke recorder, a stick, and an unwary admin who leaves his Mac logged in when he steps out for a coffee.

                  --
                  Yes I Have No Bananas. [gofundme.com]
      • (Score: 0) by Anonymous Coward on Friday January 23 2015, @04:38PM

        by Anonymous Coward on Friday January 23 2015, @04:38PM (#137303)

        You were the one that whipped your dick out. It is not a contest to point out how small it is.

      • (Score: 0) by Anonymous Coward on Friday January 23 2015, @04:41PM

        by Anonymous Coward on Friday January 23 2015, @04:41PM (#137306)

        If you spent less time in starbucks and more time in a server room you would understand what is meant by calling something a compelling target. Who cares about hipsters checking facebook and writing blog posts in public? The real money is elsewhere.

  • (Score: 2) by MichaelDavidCrawford on Friday January 23 2015, @06:25PM

    by MichaelDavidCrawford (2339) Subscriber Badge <mdcrawford@gmail.com> on Friday January 23 2015, @06:25PM (#137360) Homepage Journal

    ... via Radar at http://bugreport.apple.com/ [apple.com]

    I worked for Apple on two occasions, once as a contract programmer the other as a "White Badge Employee". My bug reports are generally respected. Even when I screw up, Apple's engineers thank me for taking the time to isolate what ultimately turns out to be my bug.

    Apple has patched its kernel several times in response to my reports.

    But in the case of this security hole, the bug was immediately closed with the comment that "It's not a bug it's a feature, end of discussion".

    Given that and the poor track record of developers in general - not just Apple, but many others - of refusing to fix bugs, I resolved never to report a bug again, and I didn't for over three years, despite that I found many that I would otherwise have been able to write minimal test cases for, with detailed regressions.

    Eventually I griped about this on an Apple list (Cocoa-Dev I think). An Apple engineer responded right away that I should email it to their security team, rather than file the bug through the usual channel, that being Radar.

    I have not done so yet, but I will. I have resumed filing bugs.

    The actions of but one person can be quite significant: piss me off, and I won't file kernel bugs anymore.

    Treat me with respect, and you'll get minimal test cases with full regressions.

    And no I won't tell you what the security bug is. I've never heard of it in the wild. I expect this bug appears on other platforms; I'll be filing a report with CERT as well.

    --
    Yes I Have No Bananas. [gofundme.com]
    • (Score: 0) by Anonymous Coward on Saturday January 24 2015, @12:01AM

      by Anonymous Coward on Saturday January 24 2015, @12:01AM (#137483)

      Lennart Poettering gags in 3... 2... 1...