A recently detected Mac OS X Trojan horse program exploits a flaw in the Apple Remote Desktop Agent (ARDAgent), a setuid-root binary, to run itself as root and take control of vulnerable machines. The malware has numerous capabilities, including keystroke logging, opening ports in the firewall to evade detection, taking pictures with the built-in camera and turning on file sharing. Users can protect their systems by removing ARDAgent from its normal location and archiving it; this works because it takes away the setuid-root binary the Trojan relies on, at the cost of Apple Remote Desktop management on that machine. A second Trojan affecting Macs pretends to be a poker application and tries to gain secure shell (SSH) access to vulnerable machines.
SC Magazine
Computer World
The Register
[Editor's Note (Pescatore): Since Apple's market share at enterprises will double in 2008, this item and the Safari patches point out that Apple needs to make progress in its secure development life cycle, and enterprises must factor the cost of patching Apple PCs into the acquisition costs or in the costs of letting users use their own Macs for company business.
(Skoudis): The underlying vulnerability here is an old-fashioned SUID root program called ARDAgent that attackers can trick into running code on their behalf as root in a local privilege escalation attack. SUID root programs aren't inherently evil -- a normal system needs several of them for day-to-day operation. But if SUID programs aren't carefully designed and implemented, they could lead to this kind of attack. To get an inventory of all SUID root programs on a Mac or Linux system, you could run: "find / -user 0 -perm -4000". I'm sure attackers are searching for other Mac programs with similar flaws.]
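The one-line find command in the note above gives a snapshot; what a practitioner actually wants is a baseline taken on a known-good system and a later check that flags any setuid-root binary that appeared, disappeared, or changed. The script below is an added example (my own, not from SANS or the commenters); the script name, the SUID_OWNER and SUID_ROOT variables and the baseline line format are my assumptions. It sticks to POSIX sh and tools present on both Mac OS X and Linux.

```shell
#!/bin/sh
# suid-baseline.sh (hypothetical name): inventory setuid binaries and diff
# against a saved baseline. Portable sh; uses only find, ls, awk, sed, sort
# and whichever SHA-256 tool the system has (falls back to cksum).

SUID_OWNER="${SUID_OWNER:-0}"   # uid whose setuid files matter; 0 = root

# Print a content digest for one file (sha256 where available).
file_digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        cksum "$1" | cut -d' ' -f1    # CRC only; better than nothing
    fi
}

# suid_inventory DIR: one line per setuid regular file owned by SUID_OWNER
#   <mode> <uid> <digest> <path>     sorted by path, so two runs are comparable.
# Run as root for a complete picture; unreadable directories are skipped silently.
suid_inventory() {
    find "$1" -type f -user "$SUID_OWNER" -perm -4000 2>/dev/null |
    LC_ALL=C sort |
    while IFS= read -r f; do
        set -- $(ls -ldn "$f")          # $1 = mode string, $3 = numeric uid
        printf '%s %s %s %s\n' "$1" "$3" "$(file_digest "$f")" "$f"
    done
}

# suid_diff BASELINE CURRENT: report setuid files that were ADDED, REMOVED or
# CHANGED (different mode, owner or digest) since the baseline was saved.
# Exit status 0 when identical, 1 when anything differs.
suid_diff() {
    { sed 's/^/base /' "$1"; sed 's/^/cur /' "$2"; } | awk '
        BEGIN { bad = 0 }
        {
            src  = $1
            line = substr($0, length(src) + 2)                 # original inventory line
            meta = $2 " " $3 " " $4                            # mode uid digest
            path = line; sub(/^[^ ]+ [^ ]+ [^ ]+ /, "", path)  # everything after the digest
            if (src == "base") { base[path] = meta; next }
            cur[path] = 1
            if (!(path in base))         { print "ADDED   " line; bad = 1 }
            else if (base[path] != meta) { print "CHANGED " line " (was " base[path] ")"; bad = 1 }
        }
        END {
            for (p in base) if (!(p in cur)) { print "REMOVED " p; bad = 1 }
            exit bad
        }'
}

# Usage: sh suid-baseline.sh save  /var/db/suid.baseline   (on a known-good system)
#        sh suid-baseline.sh check /var/db/suid.baseline   (later; non-zero exit on drift)
case "${1:-}" in
    save)  suid_inventory "${SUID_ROOT:-/}" > "$2" ;;
    check) cur=$(mktemp) || exit 2
           suid_inventory "${SUID_ROOT:-/}" > "$cur"
           suid_diff "$2" "$cur"; rc=$?
           rm -f "$cur"; exit "$rc" ;;
esac
```

Keep the baseline somewhere the Trojan cannot rewrite it (off the machine, or at least root-owned and read-only), because a root-level implant that can plant a setuid binary can also edit a baseline file it can reach. The digest is what catches the case this story describes: the setuid bit is unchanged but the binary behind it has been swapped or modified.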
This, and the Safari on Windows fiasco, shows that Apple is not inherently better than Microsoft at software and system design. Apple obviously started from a more solid base when it chose BSD as the foundation of the new operating system, but the software it has built on top of that base shows that it still has some way to go. SUID programs have been written on Unix for decades, and there are reams of papers on how to do it securely (drop privileges as early as possible, never execute commands supplied by an unprivileged caller while still running as root, and trust nothing inherited from the caller's environment). Apple has no excuse for getting it wrong.