Re: [Fed-Talk] OS X Hacked in 30 Minutes - The Truth
- Subject: Re: [Fed-Talk] OS X Hacked in 30 Minutes - The Truth
- From: Michael Dinsmore <email@hidden>
- Date: Wed, 8 Mar 2006 10:57:33 -0500
While the original story failed to discriminate between a local and
remote exploit, that an attacker can use local privilege escalation
to gain root is an issue for anyone that maintains servers with
discrete groups of users with different permission levels.
I maintain servers with fileshares that have information on them that
I don't want available to all of the users, and I have a limited pool
of users. Were I to be managing hundreds or thousands of users, with
different categories of access and differing data sharing needs, the
existence of a local privilege escalation attack would be a serious
issue and not be minimized. Were I to be asked for a recommendation
for a server to serve that many users, I would have to consider if OS
X Server is the best choice--or if an OS that does work with that
scale of untrusted users is a better choice after all.
I do realize the distinction between a local and a remote exploit,
and an untrusted and a trusted user. But the apparent availability
of this exploit requires that I treat all of my users as equal on the
server--and I am depending solely on their ignorance of it to protect
the data to which they should not have access.
If Apple wants to be only in the consumer space, and sell
workstations, the test was unreasonable as it was not configured as a
consumer device.
However, it was configured more like a Server, and Apple does sell a
server OS. Due to the success of the attack, one must question the
security of the Server OS for untrusted users.
You could argue that the Server OS does not possess the same weakness
that allowed access on the Client OS, but we cannot be sure of that
until the exploit is published; and I doubt that's true anyway, as
the OS versions are similar enough in the probable attack vectors.
The presentation of the attack was ill-informed; but the success of
such an attack is worrisome.
IMO, we're seeing more articles on this for two reasons, probably:
1) Apple's increasing profile, so every reporter wants to be the one
to "burst the bubble" and get the security story scoop.
2) AV vendors want to sell to a growing demographic that they
currently don't have much access to, and are in danger of being
squeezed out of their current market by the OS vendor's incorporation
of AV functionality.
I don't think this is a "vast Microsoft conspiracy" with paid-for
stories, as I have a hard time believing that MS cares much about
Apple's 3.5% marketshare threat, or believes that the Enterprise
consumer has other choices than itself. Apple has to get into double
digits at least before it is on MS's radar.
On Mar 8, 2006, at 9:23 AM, Richard A. Kilcoyne wrote:
> Make no mistake -- this 30-minute hack business was a ridiculous
> exercise. While Apple should be concerned that a hacker was able to
> gain access to this computer through a local account privilege
> elevation exploit, it's not a scenario that you'd see penetration-
> tested very often.
--
email@hidden
Michael Dinsmore--Macintosh Specialist
Contractor for Digicon, supporting the
National Human Genome Research Institute/NIH
lan--301 402 7408 }{ desk--301 435 6161