One set of researchers explains how a modification to your Macintosh's boot-up firmware can persist undetectably and spread through peripherals to other computers. Another researcher's work from a month ago is found in the wild, installing adware through a hidden escalation in user privileges. Both sound terrible, but neither is quite what it seems.
De-escalate your privilege, buddy
A month ago, Stefan Esser, a security researcher who has found previous flaws in iOS, documented a problem in OS X about which he didn't warn Apple in advance. Starting in Yosemite, OS X allowed software to log errors to an arbitrary file. Esser discovered that this could be used maliciously to write to files that only the root user should be able to modify. He used that weakness to demonstrate how one might escalate privileges, allowing a regular user without administrator or root access to run any software he or she wishes.
I didn't cover this back when it was announced, for three reasons. First, I'd prefer not to give attention to researchers who opt out of following the industry standard of revealing zero-day (immediately exploitable and unpatched) security flaws to the company or organization responsible for updating the software. Coverage is unavoidable when a flaw is severe enough, because people need to be informed about risks and mitigations.
Revealing zero-days injures end users for the sake of making a point about one's frustration with a firm, or, for those who simply don't care, it demonstrates a lack of ethics about one's actions. If the motivation is disgust with Apple's or another company's responsiveness to security flaws, I've seen other researchers make the point just as effectively by disclosing 60 days or several months after an initial report goes unpatched, if the software maker is truly avoiding the problem. This was the case with NetUSB in May, a flaw that affected millions of routers, and which only some of the affected companies chose to act on.
My second reason: To exploit this flaw, one has to have a way to run software as a local user. This requires either a separate zero-day that acts as a trigger, or reliance on the naiveté of a user who installs software from random sites rather than from Apple or known third-party developers.
The flaw isn't insignificant: it's truly dangerous and severe. But because exploiting it almost certainly requires users to engage in behavior that is already extremely risky, a privilege escalation isn't per se more severe than a user installing software from download sites, via torrents, or through other untrusted sources and entering an administrator password when prompted.