On Jul 30, 2013, at 2:42 AM, Michael Crawford <email@hidden> wrote:
> A while back, I stumbled across a way to root my own box by opening a specially-crafted document with a widely-used program.
Do you literally mean that opening the document allows malicious code to run with root privileges? How is that possible when the app itself isn't running as root? (Yeah, the app might be using the Authorization APIs, but even those would require the user to enter their password before anything bad could happen.)
Of course, running malicious code "merely" with user privileges is bad enough. It's like that recent xkcd strip pointed out — it's perverse that the OS gives device drivers greater security than your email or your Facebook session, which are actually a lot more sensitive.
> Rather than fixing just this one specially-crafted document exploit, I propose to assist the community in fixing a great many exploits.
Great idea, but writing an email about debugging isn't going to fix a lot of apps. It might work better if you had a popular blog or ran well-attended seminars or something, but even that's not going to reach that many people, or make the ones it reaches much better programmers. Nothing personal; it's just unrealistic.
One small thing that I do think is having a significant effect is the security-related warnings in Clang, especially the ones that type-check printf-style format specifiers and that notice non-constant format strings. Apple once did an analysis of a whole bunch of OS X app vulnerabilities, and at least half of them stemmed from stupid mistakes with sprintf or +stringWithFormat:. (The Clang static analyzer is probably having a good effect too.)
—Jens
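An added example, not code from this thread, of the sprintf-style mistake Jens refers to and of how Clang's format checks can be made to see it: the function names (fmt_into, render_user_message, looks_like_format) are hypothetical, and the build flags assume Clang.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Added example, not code from the thread. Build with
 *   clang -Wall -Wformat -Wformat-nonliteral -Wformat-security demo.c
 * so the format-string checks mentioned above are active. */

/* A logging wrapper that forwards a format string. Without the attribute
 * Clang cannot see through the wrapper, so callers lose the printf-style
 * type check; with it, a "%d" paired with a char* at a call site warns. */
__attribute__((format(printf, 3, 4)))
static int fmt_into(char *out, size_t cap, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, cap, fmt, ap);
    va_end(ap);
    return n;
}

/* The mistake the message describes: untrusted text used *as* the format,
 * so a message containing "%x" or "%n" is interpreted as conversions.
 * With -Wformat-security Clang flags the call as a non-literal format
 * string (through the attribute above, even though it is a wrapper).
 * Kept as a comment so this file builds warning-free:
 *     fmt_into(out, cap, user_text);        // WRONG: user_text is the format
 */

/* Corrected form: untrusted text is always an argument, never the format.
 * Returns the length vsnprintf would have produced. */
int render_user_message(char *out, size_t cap, const char *user_text)
{
    return fmt_into(out, cap, "user said: %s", user_text);
}

/* Defensive pre-filter for review or logging: does this untrusted text
 * contain a '%' that would act as a conversion if it ever reached a
 * format parameter? "%%" is a literal percent and is not counted. */
int looks_like_format(const char *s)
{
    for (const char *p = strchr(s, '%'); p; p = strchr(p + 1, '%')) {
        if (p[1] == '%') { p++; continue; }
        return 1;
    }
    return 0;
}
```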