
Swedish hacker finds 'serious' vulnerability in OS X Yosemite - drewjaja
http://www.cso.com.au/article/558684/swedish-hacker-finds-serious-vulnerability-os-x-yosemite/
======
roeme
If I could, I would kick the guys responsible¹ for the disclosure in the ass.
Why? We now have a YouTube video with shitty music (proving essentially
nothing), some scaremonger articles with a lot of prose around very few
interesting bits, and most importantly, a friggin' hashtag. And of course, a
name for the vuln.

But nothing, absolutely nothing, on how to protect myself as an ordinary user.
The only thing I was able to infer from the craptastic video is that the user
they're escalating from is member of the "admin" group, i.e. not a "Standard
User" but an "Admin" in OS X lingo.

Among other things, the most obvious difference to regular accounts is that
"Admin" users can use sudo by default, but there's no clue whatsoever what is
exploited here. Some pipe-fu with sudo? Or a stupid setting by Apple allowing
"admin" group members to do dangerous things without (re-)authentication?

In closing, best make sure you're using OS X as a "Standard" User, not
"Admin". In my experience, it's quite painless.

Edit: > _"Normally there are 'sudo' password requirements, which work as a
barrier, so the admin can't gain root access without entering the correct
password. However, rootpipe circumvents this," he says._

This at least hints at the possibility that said exploit does not work from a
standard user. So there's that...

¹Most likely not the researchers themselves, but some "CEO" or other suit-level.

~~~
gioele
> In closing, best make sure you're using OS X as a "Standard" User, not
> "Admin". In my experience, it's quite painless.

It reminds me of the old suggestion given to Windows users and derided by OS X
users.

~~~
snowwrestler
It was derided by everyone because for years, it was difficult to use Windows
as an unprivileged user because so many consumer apps assumed every user
account had admin permissions.

Microsoft broke this chain of bad decisions in Vista--which itself resulted in
the much-derided flood of UAC warnings.

------
canadev
After this past year with all of its vulnerabilities, I feel so uncomfortable
when I really consider it. I make online payments at least a few times a week
using my credit card. I log into my web based email multiple times per day.

I feel so naked.

Has anyone who uses brew and other dev stuff tried running Mac OS as a user
account? Does it work out well?

~~~
andrewchambers
The real question is why don't credit cards and bank transactions have two
factor auth, or one time tokens. Someone shouldn't be able to steal money just
by hacking one account or getting one number.

~~~
ersii
In Sweden, all cards that are issued are forced to use that "Verified by" Visa
and Mastercard "SecureCode" program for two-factor authentication. Merchants
can turn it off, but then they're liable for misuse - so plenty of places have
it on by default.

Some banks require that you use the token generator you've gotten to log on
and manage your bank account, while most others use a separate password for the
Verified by Visa/Mastercard SecureCode thing.

~~~
olov
I don't know if it's really fair to call Verified by Visa two-factor
authentication as your card number is just another string (that can be
replicated). With Verified by Visa you go from one to two "passwords".

~~~
ersii
It adds a "something you know" (password, PIN/Password to your token
generator) factor to the "something I have" (The card, with numbers on front
and back) factor, so I would say it's fair to call it two-factor
authentication.

~~~
olov
I beg to disagree. The credit card is "something you know" just as much as
"something you have", because when used on the web it is just a (copyable)
23-digit number. Whether you remember the number or look it up in your wallet
is no different than whether you remember your password or store it on a post-it.

Other things "you have" in popular 2FA solutions are quite different, for
instance your mobile phone number identity (for SMS) or your Google
Authenticator.

------
geetee
If I'm reading this correctly, I find it surprising that Apple does not have a
bug bounty program.

------
gojomo
I suspect he shouldn't have even said this much, before the agreed-upon
full-disclosure date.

~~~
bsaul
Completely agree. Just saying that a vulnerability exists is a big thing,
because it motivates hackers to search for it. I seriously doubt it will take
more than until January for another person to find it.

~~~
zyx321
Especially since he narrowed it down so much. Gaining a root shell by piping
something into sudo that causes it to skip asking for a password? That's what
I took away from the article, and it certainly sounds like a plausible attack
vector. Scary stuff!

------
dguido
Welcome to the club? PrivEsc exploits are becoming more common as sandboxes
increase in popularity. Windows had a few such bugs exploited by real
attackers as zero-days in the last month (check CrowdStrike and FireEye blogs).
I don't think this is news. It is simply a matter of effort whether an
attacker will escalate privileges to root or kernel; it depends on the value
of the data they are after.

~~~
pjmlp
This was bound to happen.

Attacking just Windows was just a consequence of it being the most widespread
consumer OS.

~~~
Cowicide
I recently worked with a specialized team that assisted some high-profile,
quasi-governmental entities in comprehensively assessing the current state of
Mac OS security. Based upon that and other vectors, I've got some info that
may or may not be of interest to yourself and others here.

If you're implying this new exploit and perhaps the other high-profile malware
issues in more recent years are indicative of hacker interest due to surging
Mac OS market share, I'm not sure that's entirely correct.

Outside of Apple iOS (mobile), Mac OS X (desktops and laptops) market share
hasn't risen relatively that much over the past decade or so. And, in recent
times, even the peak is only a few percentage points higher than it's been for
many years.

When Mac OS market share was lower back in its Mac OS 9 days, there were far
more widespread, problematic malware issues (viruses, trojans, etc.) that were
propagating fairly well in the wild (by Apple's standards). That scenario
proves that hackers were interested in Mac OS devices even when the Mac OS
market share was lower than it is today.

Since the 90's, Macs have hovered around approximately 1 in 10 (give or take)
of all computers in the United States with a customer base of a predominantly
higher income demographic. In other words, one may very well get more money
out of a smaller subset of Mac users than a larger group of typical Windows
users. Therefore, Macs have always been a target for a subset of hackers that,
er... "specialize" in that kind of scenario.

In other words, while Mac OS market share may play some minor role in hacker
interest in the platform overall in recent times, there hasn't been a huge
surge in market share that would account for some radically increased hacker
interest.

The reason malware was drastically reduced on the Mac platform since it
switched from OS 9 to OS X (based upon a flavor of UNIX) was because of the
superior security Mac OS X afforded the platform compared to Mac OS 9. That's
why even as market share gradually climbed, overall Mac OS malware dropped
dramatically for most of the past decade until more recent years.

I think the relatively small increase in malware (compared to Mac OS 9) for
Mac OS X in the last few years is due to the fact that over time hackers are
more likely to find exploits the longer they poke and prod at an OS. Also,
over time, Apple programmers are increasingly likely to make mistakes here and
there as time and piles of code go on.

And, perhaps Apple is slipping in quality in regards to security for various
reasons since their resources have been somewhat distracted with iOS devices
in more recent years. Plus, over time, the amount of hackers, hacking skills,
knowledge and tools have been increasing and improving quite drastically
worldwide especially more so in recent years.

On top of those issues, there's been more attention brought to Apple via an
iOS halo effect from iPads and iPhones that perhaps plays into more hacker
interest in the Mac OS. I also suspect that the abundance of high-profile
Apple commercials over the years has perhaps influenced some hacker
perceptions that the Mac OS platform is more ubiquitous than it really is.
And, the icing on the cake is perhaps more disgruntled hackers and hacktivists
who are increasingly disillusioned or even hostile with the Apple brand for
various reasons over the years.

But, as far as purely Mac OS X market share goes, there really hasn't been
that large of an uptick to prod properly educated hackers to take much more
interest than they did a few years ago or even a decade ago overall based upon
market share alone.

------
vinhboy
Interesting. So does anyone actually run their OS X from a non-admin user? Are
there any permission problems that arise?

~~~
PhantomGremlin
I've _always_ run as non-admin, what OS X calls a Standard user.

When I first started doing this (about 10 years ago) I ran into some problems
if I attempted to authenticate from a standard user to an admin user when
trying to do sys admin stuff. I'd get weird permission errors.

So now when I want to do admin stuff like install software, I don't attempt it
as a standard user. I simply log in to the admin account and install from
there. Also I always log in to admin account when doing software updates such
as for Firefox.

If you adopt this mindset it's really very simple to stick to it, and it's
hardly much of an inconvenience. At least not for me, I'm not installing
software every day.

Also when I'm about to visit a dodgy website or run some suspect software I
log in to the Guest user account. That doesn't protect against local root
escalation, but at least it's something. Then when I log out, I hopefully
leave my problems behind.

Finally I maintain yet another account solely for accessing my financial
sites. That way if my day-to-day account gets compromised, I still have a
modicum of protection.

I really should use a separate machine solely for financial transactions. But
I don't. I doubt if even 1% of people do. Any old machine should work, no
matter how slow, because it's not used very often.

~~~
mosselman
Thanks for the info, trying it too.

The most cumbersome thing for now seems to be running `sudo` in terminal, but
then again, how often do you really need to?

~~~
newscracker
If it's cumbersome, you could always edit the sudoers file to make things
easier (although it's not a great idea if you're not using it often). If you
do that, then you would have the best of both worlds - being able to sudo on
terminal from your standard account (with or without password, as desired)
while also using it with lower privileges for all GUI applications.
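
The sudoers approach newscracker describes, as an added example that is not code from the thread or from any poster: a small POSIX shell script that audits a sudoers file for rules carrying the NOPASSWD tag (the "without password" option, which lets a command run as root with no re-authentication at all) and prints the rule that grants a Standard user sudo while keeping the password prompt. The user name "alice" and the SAMPLE_SUDOERS text are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread or from any of the posters.
# Scans sudoers text for NOPASSWD rules and emits a password-preserving rule
# for a Standard user. "alice" and SAMPLE_SUDOERS are constructed values.

# Constructed sample sudoers content; not taken from any real machine.
SAMPLE_SUDOERS='# constructed sample, not a real /etc/sudoers
%admin ALL=(ALL) ALL
alice ALL=(ALL) NOPASSWD: ALL
# bob ALL=(ALL) NOPASSWD: ALL
Defaults env_reset'

# Read sudoers text on stdin and print "<line>: <rule>" for every active
# (non-comment) rule carrying the NOPASSWD tag. Comments are stripped before
# matching so that a commented-out rule does not produce a finding.
find_nopasswd_rules() {
    awk '
        { rule = $0; sub(/#.*/, "", rule) }      # drop comments before matching
        rule ~ /NOPASSWD/ { print NR ": " $0 }
    '
}

# Same scan, but return only the number of findings (handy for scripting).
count_nopasswd_rules() {
    find_nopasswd_rules | awk 'END { print NR }'
}

# Print the sudoers rule that lets a Standard user (no "admin" group
# membership) run sudo while still being asked for their own password.
# Install it with "visudo" (or as a sudoers.d drop-in where the local sudo
# build includes that directory); never edit /etc/sudoers with a plain editor,
# because a syntax error there locks everyone out of sudo.
standard_user_rule() {
    printf '%s ALL=(ALL) ALL\n' "$1"
}

# Demo run against the constructed sample.
echo "NOPASSWD rules found:"
printf '%s\n' "$SAMPLE_SUDOERS" | find_nopasswd_rules
echo "Rule to add for a Standard user:"
standard_user_rule alice
```

Run it as-is to see the demo, or pipe a real file in with `sudo cat /etc/sudoers | sh -c '. ./audit.sh; find_nopasswd_rules'` (assumed file name). The scan only looks for the NOPASSWD tag; a `Defaults !authenticate` line also removes the password prompt, so check for that separately when reviewing a sudoers file.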

------
hellbanner
So if you're an admin you can do admin-y things...

~~~
TheLoneWolfling
No. If you're an admin you can do root-y things, is what this exploit
provides.

There's a difference.

> Normally [...] the admin can't gain root access without entering the correct
> password. However, rootpipe circumvents this

~~~
hellbanner
Thank you.

------
cratermoon
Does it have a clever name and a cool logo yet? If not, then it's not a real
vulnerability.

