2 Guys, a Mac, and a Website - The Evolution of the Web - Nothing To See Here Folks, Move Along
 Nothing To See Here Folks, Move Along
Oh no! Alert the Feds! Call the press! Run as if your life depended on it! Slap a moose! Eat a fishstick! Do whatever you do when your life is in mortal peril!

Why, you ask? There's a NEW SECURITY VULNERABILITY FOR OS X!!!! * Shudder *

Ok wait, calm down - it's not really that bad. Plus we don't want the Wintel-types to get all giddy just because they think someone else could actually be suffering almost as much as them.

Let's look at the vulnerability in question. It's called the "Mac OS X cd9660.util Privilege Escalation Vulnerability". The technical explanation from the advisory is this:
"The vulnerability is caused due to a boundary error in the utility "cd9660.util" when handling input to the probe for mounting ("-p") parameter. This can be exploited to cause a buffer overflow by supplying an overly long, specially crafted string as argument.

Successful exploitation may allow execution of arbitrary code with "root" privileges."
And the painful-sounding solution to the problem: "remove the SUID bit".
Huh? Whuzzat? Come Again?

Well, we'll attempt to break down the techno-speak, but keep in mind that this is not a major security flaw, nor is it like many Windows issues: it isn't something that spreads on its own like a worm or virus. It's a local privilege escalation, meaning an attacker already has to be able to run commands on your Mac as an ordinary user (an account on the machine, or some other hole that got them that far) before this one lets them become root. A malicious hacker could compromise your system with it, but the odds are low.

Now, I am by no means a security expert (although I do play one on the Web!), but after doing a very minuscule amount of research, I found out a few things. One is that I don't know what I would ever do without Google (I mean, how did we actually get by when we had to look stuff up in books? Pff.). And two, that the SUID thing is common to all UNIX-based operating systems.

Again, apologies to any security experts out there if I mis-speak (please correct me if I'm wrong), but the gist is that most OS X (or UNIX) programs run under your user ID, with only the permissions you have. If a program needs to do something beyond the scope of what you can do as a user (say, mounting an external device), it needs a higher level of access. UNIX handles this with the set-user-ID bit, or SUID: a program file with that bit set runs with the permissions of the file's owner (usually root) no matter who launches it. That's also why a buffer overflow in such a program matters: whatever code gets smuggled in through that overly long argument runs as root, not as the person who typed it. SUID audits (listing every SUID program on the system and asking whether each one really needs the bit) are commonly run to make "out of the box" UNIX installs more secure, and the same can be done for OS X, especially for the "cd9660.util" file.

I don't want to go into any more detail here for several reasons (one of which is I don't want to give the wrong command and have people hose their systems), but personally, I wouldn't worry too much about this potential issue. But if you are one of those worry warts or security freaks, then check out this page for more on SUID audits and these two PDFs on the matter.
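The article deliberately leaves the commands out. For readers who do want to run the audit, here is an added example from the editor, not code from the article or from Apple: a POSIX shell script that lists every set-user-ID program under a directory, clears the bit from one file (the advisory's "remove the SUID bit" workaround), and checks that the change took. The demo directory and its stand-in "cd9660.util" are constructed so the script runs harmlessly on any UNIX box; the real utility's location is assumed here to be /System/Library/Filesystems/cd9660.fs/cd9660.util on 10.3, so confirm it with the audit output before touching a live system. The trade-off is the one the SUID explanation above implies: once the bit is gone, the helper no longer runs as root when an ordinary user invokes it, so whatever it needed root for may fail for non-root users until Apple's fix is installed.

```shell
#!/bin/sh
# Added example (editor's, not from the original article): a minimal SUID audit.
# Runs under the POSIX shell on OS X and Linux; only find, chmod and test are used.

# suid_audit DIR
#   Print every regular file under DIR whose set-user-ID bit (mode 4000) is set.
#   On a real system run `suid_audit /` as root so no directory is skipped for
#   lack of permission.
suid_audit() {
    find "$1" -type f -perm -4000 -print 2>/dev/null
}

# suid_count DIR
#   Number of SUID files under DIR; handy for a before/after comparison.
suid_count() {
    suid_audit "$1" | wc -l | tr -d ' '
}

# is_suid FILE
#   Exit status 0 if FILE carries the set-user-ID bit (`test -u` is POSIX).
is_suid() {
    [ -u "$1" ]
}

# drop_suid FILE
#   The advisory's workaround: clear only the set-user-ID bit and leave the rest
#   of the mode (owner, read/execute bits) exactly as it was.
drop_suid() {
    chmod u-s "$1"
}

# demo
#   Builds a throw-away directory holding a constructed stand-in for cd9660.util
#   so the audit and the fix can be watched safely; nothing outside it is touched.
#   Assumed real path on 10.3: /System/Library/Filesystems/cd9660.fs/cd9660.util
#   (verify with suid_audit before changing anything on a live machine).
demo() {
    dir=$(mktemp -d) || return 1
    : > "$dir/cd9660.util"          # constructed stand-in, not the real utility
    chmod 4755 "$dir/cd9660.util"   # owner-executable with the set-user-ID bit
    : > "$dir/plain-tool"
    chmod 755 "$dir/plain-tool"     # an ordinary program, should not be listed

    echo "SUID files before: $(suid_count "$dir")"
    suid_audit "$dir"
    drop_suid "$dir/cd9660.util"
    echo "SUID files after:  $(suid_count "$dir")"
    if is_suid "$dir/cd9660.util"; then
        echo "bit still set, something went wrong"
    else
        echo "set-user-ID bit removed from $dir/cd9660.util"
    fi
    rm -rf "$dir"
}

# Run the demonstration only when asked, so the functions can be sourced elsewhere.
if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

Run it as `sh suid_audit.sh --demo` to see the before/after listing on the constructed directory; against a real system, start with the read-only `suid_audit /` and decide file by file, since every SUID program you strip is one that ordinary users can no longer use for its privileged purpose.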

So calm down, take that towel off your head, quit flinging poop around, and last but not least, tell all your Windows-using buddies that OS X is still an armored tank compared to their Pinto!

December 17 2003, 9:30 AM EDT, by




Comments:
HTML Samurai 12/17/03, 4:19 PM EDT
For those of you that have not heard: Security is good!

stickman67 12/18/03, 12:03 AM EDT
Reminds me of the old joke:

"A man walks into a bar. You would've thought he'd have seen it, wouldn't you."

Well actually, it doesn't remind me of that at all, but I needed a credible segue.

Well, actually, I don't think that segue was credible at all.

And while I think of it, where in the hell is "Syndey"? I've never read about it in my Sydney Morning Herald.

We have three brown chickens.

What does "non sequitur" mean?

And now if you excuse me, I have to take some pills. Nurse, the little pink ones, if you'd be so good.

HTML Samurai 12/18/03, 9:07 AM EDT
I found this awesome article on securityfocus.com.

rlhamon 12/20/03, 1:28 PM EDT
Wow, a fix in three days ... can't say that Apple don't fix their mistakes.

Jonahan 12/22/03, 3:00 PM EDT
Yeah, rlhamon, Apple is definitely on the ball! The buffet of updates lately has me feeling a little stuffed :)


