Month of Apple Bugs reveals utility exploit
by Stephen Withers
Tuesday, 16 January 2007
Today's Month of Apple Bugs disclosure appears to be the most serious so far.


The problem is that various programs in the /Applications folder run as root, yet users in the admin group have sufficient privileges to overwrite them. If that happens, the next time someone, including the malicious user who replaced the file(s), repairs permissions, the ownership and permissions will be reset to their original state, and so the bogus program will run as root.

(Note that we are talking about executable binaries contained within the application bundles, not the entire applications.)

Admin users require write access to the /Applications folder in order to install or update software, but this combination of circumstances (akin to the Application Enhancer vulnerability previously disclosed by MoAB) opens the possibility of a serious exploit, especially as repairing permissions is a commonly used troubleshooting step.

Once a malicious user or a piece of malware has been able to overwrite one executable that runs as root, and permissions are then repaired, the system is compromised as soon as any user runs that program.

LMH describes a scheme whereby a virus-like program could add some code to affected binaries that would be executed before the 'real' program. Since that code runs as root, as does the real program, it can do essentially anything.

A proof of concept is under development by LMH and Gil Dabah, who "intend to release it first to AV companies, before public distribution."

Such code could presumably be used by malicious individuals who have physical access to a system. Those seeking a remote attack would either need to trick users into running a program (i.e., a Trojan Horse) or to combine it with a different vulnerability that allows the remote execution of arbitrary code.

MoAB suggests as a workaround the removal of the setuid bit from the DiskManagementTool binary used to repair permissions.
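The precondition for the problem described above is a binary that carries the setuid (or setgid) bit while still being writable by a group the admin user belongs to, or by everyone. The following audit script is an added example, not code from the article, from MoAB or from Apple: it walks a directory tree and lists every such file, and optionally strips the group/other write bits so that a later "repair permissions" pass has nothing dangerous to restore. The application and helper file names in the fixture are constructed for the demonstration; on a real system the directory argument would be /Applications.

```shell
#!/bin/sh
# Added example (not from the iTWire article or MoAB): audit a directory
# for setuid/setgid executables that are also writable by group or others.
# Such files are exactly what an admin-group user could overwrite before a
# permissions repair restores root ownership on the replaced binary.

# find_writable_setuid DIR
# Prints one path per line for every regular file under DIR that is
# setuid or setgid AND writable by group or by others.
find_writable_setuid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) \
        \( -perm -020 -o -perm -002 \) 2>/dev/null | sort
}

# count_writable_setuid DIR
# Prints the number of findings (0 when the tree is clean).
count_writable_setuid() {
    find_writable_setuid "$1" | wc -l | tr -d ' '
}

# harden_writable_setuid DIR
# Mitigation: remove group/other write permission from every finding, so the
# setuid bit no longer sits on a file that non-root users can replace.
harden_writable_setuid() {
    find_writable_setuid "$1" | while IFS= read -r f; do
        chmod go-w "$f"
    done
}

# build_fixture
# Constructs a throw-away directory that mimics an application bundle
# (hypothetical names) so the check can be exercised offline; prints its path.
build_fixture() {
    d=$(mktemp -d)
    bin="$d/Example.app/Contents/MacOS"
    mkdir -p "$bin"
    for f in helper_setuid_groupw helper_setuid_worldw helper_setuid_safe helper_plain_groupw; do
        printf '#!/bin/sh\necho demo\n' > "$bin/$f"
    done
    chmod 4775 "$bin/helper_setuid_groupw"   # setuid + group-writable: flagged
    chmod 4777 "$bin/helper_setuid_worldw"   # setuid + world-writable: flagged
    chmod 4755 "$bin/helper_setuid_safe"     # setuid, owner-only write: not flagged
    chmod 0775 "$bin/helper_plain_groupw"    # group-writable but no setuid: not flagged
    printf '%s\n' "$d"
}

# Demo run against the constructed fixture; replace with /Applications on a
# real system and review the list before hardening anything.
demo_dir=$(build_fixture)
echo "Findings before hardening:"
find_writable_setuid "$demo_dir"
harden_writable_setuid "$demo_dir"
echo "Findings after hardening: $(count_writable_setuid "$demo_dir")"
rm -rf "$demo_dir"
```

The audit deliberately ignores the owner: on a system where /Applications is group-writable by admin, a root-owned binary with mode 4775 is just as exposed as a world-writable one, and the `chmod go-w` step addresses both cases without touching the setuid bit itself.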
