Re: [Fed-Talk] OS X Hacked in 30 Minutes - The Truth
Re: [Fed-Talk] OS X Hacked in 30 Minutes - The Truth
- Subject: Re: [Fed-Talk] OS X Hacked in 30 Minutes - The Truth
- From: Billy Lenox <email@hidden>
- Date: Wed, 8 Mar 2006 10:08:22 -0600
Here is the test results of the link I las sent out on this subject.
http://test.doit.wisc.edu/
On Mar 8, 2006, at 9:57 AM, Michael Dinsmore wrote:
While the original story failed to discriminate between a local and
remote exploit, that an attacker can use local privilege escalation
to gain root is an issue for anyone that maintains servers with
discrete groups of users with different permission levels.
I maintain servers with fileshares that have information on them
that I don't want available to all of the users, and I have a
limited pool of users. Were I to be managing hundreds or thousands
of users, with different categories of access and differing data
sharing needs, the existence of a local privilege escalation attack
would be a serious issue and not be minimized. Were I to be asked
for a recommendation for a server to serve that many users, I would
have to consider if OS X Server is the best choice--or if an OS
that does work with that scale of untrusted users is a better
choice afterall.
I do realize the distinction between a local and a remote exploit,
and an untrusted and a trusted user. But the apparent availability
of this exploit requires that I treat all of my users as equal on
the server--and I am depending solely on their ignorance of it to
protect the data to which they should not have access.
If Apple wants to be only in the consumer space, and sell
workstations, the test was unreasonable as it was not configured as
a consumer device.
However, it was configured more like a Server, and Apple does sell
a server OS. Due to the success of the attack, one must question
the security of the Server OS for untrusted users.
You could argue that the Server OS does not possess the same
weakness that allowed access on the Client OS, but we can not be
sure of that until the exploit is published; and I doubt that's
true anyways, as the OS versions are similar enough in the probable
attack vectors.
The presentation of the attack was ill-informed; but the success
of such an attack is worrisome.
IMO, we're seeing more articles on this for two reasons, probably:
1) Apple's increasing profile, so every reporter wants to be the
one to "burst the bubble" and get the security story scoop.
2) AV vendors want to sell to a growing demographic that they
currently don't have much access to, and are in danger of being
squeezed out of their current market by the OS vendor's
incorporation of AV functionality.
I don't think this is a "vast Microsoft conspiracy" with paid-for
stories, as I have a hard time believing that MS cares much about
Apple's 3.5% marketshare threat, or believes that the Enterprise
consumer has other choices than itself. Apple has to get into
double digits at least before it is on MS's radar.
On Mar 8, 2006, at 9:23 AM, Richard A. Kilcoyne wrote:
Make no mistake -- this 30-minute hack business was a ridiculous
exercise. While Apple should be concerned that a hacker was able
to gain access to this computer through a local account privilege
elevation exploit, it's not a scenario that you'd see penetration-
tested very often.
--
email@hidden
Michael Dinsmore--Macintosh Specialist
Contractor for Digicon, supporting the
National Human Genome Research Institute/NIH
lan--301 402 7408 }{ desk--301 435 6161
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden