Apple has released Mac OS X 10.5.8. “The Mac OS X v10.5.8 Update is recommended for Mac OS X v10.5 Leopard users and includes general operating system fixes that enhance the stability, compatibility and security of your Mac. For detailed information about the security content of this update, please visit this website.” It’s in Software Update, so update away!
Fixes a problem whereby users can read files that other users are downloading in Safari. Howler!
Fixes a problem where users can still run programs using multi-touch gestures even when the screen is locked. Howler!
And lots of “maliciously crafted file” vulnerabilities fixed.
Indeed. I think it's time, or somewhat past time, for *BSD, Linux, and other POSIX OSes to clearly distance themselves from MacOSX. When the malware tsunami hits Apple's platform, the effect (and the bad publicity) is going to be devastating.
Having a relatively small desktop market share, and having little malware affecting you does not mean that you would be as affected by it as the largest player if your market share were higher. But by the same token, it does not mean that you would not be affected so. It all depends upon how well prepared you are. And innocent and naive MacOS appears to be staggering into a bad part of town with its billfold halfway out of its back pocket and a target painted on its back.
Edited 2009-08-06 03:44 UTC
Snow Leopard will finally have the hardening and stack-protection tricks and the like that Vista and other Unixes do. Currently, although Leopard has some of these, they seem to be only halfway implemented with some exceptions (such as sandboxing daemons). These are some of the lesser-known features of Snow Leopard, Apple doesn’t advertise them yet – probably because they don’t want people to realize how insecure Leopard is by comparison.
I think that’s about right!
I’m the only one who’s touching my own MacBook but just to be safe I did install iAntiVirus and MacScan. When I used BeOS, I had “security through obscurity” because the common “teenager hacking software” doesn’t understand BeOS. By now, the Mac OS has a large enough market share to be vulnerable. Very vulnerable.
It’s funny, the guy who sold my Mac (that is, who did the administrative operations after I already had decided upon buying a Mac) actually had the nerve to claim Macintoshes are not vulnerable to viruses and such (even after Apple already admitted this to not be true). I’m sure this will happen all over, and I wonder how many lawsuits will be filed by people who were told the exact same thing but actually believed it.
I don’t actually run an antivirus, viruses per-se aren’t the main malware vector for Macs and they take up a lot of resources. Even on Windows, signature-based virus scanning is not very effective anymore even where viruses are a threat. What I do is harden my system as much as possible, by running an ipfw firewall (you can use a graphical front end to it like NoobProof or Waterroof) and little snitch, and using Firefox with the NoScript plug-in rather than Safari. (Which does more than just selectively filter javascript domains.)
I also run a program that scans versiontracker to see if my programs are up to date, as well of course as regularly running Apple Update for important things like Quicktime, Safari (even if you don’t use Safari, quite a few other programs do! The situation’s not as crazy as IE on Windows, but a lot of programs do use WebKit to display HTML and the like; as well as the Dashboard, etc…) and the OS updates.
If I was *really* concerned about security I'd also dump Mail.app in favor of Thunderbird or better yet Mutt or the like, but Mail.app is such a good mail program to use in Leopard that I can't bear to be without its usability. Maybe I'll give Thunderbird a try when they finally release a more native-interface release version like Firefox 3 is.
Yes, the virus and malware storm which has been promised for years and has yet to arrive.
Yes, no OS is perfect or immune; however, thanks to its BSD Unix underpinning it greatly reduces the surface of attack.
Not that much really. Malware today isn't about "rooting" machines, it's about reading private data and running botnets. Neither of those is really addressed by standard POSIX security measures.
Why would BSD want to distance itself from OSX, which itself is BSD?
Actually, to be specific, OS X is not a member of the BSD family. It shares a userland with FreeBSD for the most part as well as most of the FreeBSD networking stack, but in many other ways (the kernel, drivers, launchd, etc.) it is as different from a BSD (or any traditional UNIX, for that matter) as it is possible to be. Being POSIX compatible it is certified as a UNIX, but underneath and around that there are a lot of differences.
Linux and BSD applications — because this is an application problem — have the very same bugs.
It’s an easy bug to write. Just use a temporary file to store the file download, and it will by default be world readable.
That makes me wonder, why are temporary files created world readable by default? Having the /tmp folder be world readable and writeable makes perfect sense, but not the files within it. It strikes me that having the most restrictive permissions be the default on temp files would be the best way to go, and if a program for whatever reason needs other perms they could be specified. Either that, or have a user-specific temp folder with very restrictive perms and store any app-generated user-specific temp files there instead of where everyone can get at them.
It looks like they aren’t necessarily. They’re created with the user’s default umask which seems to be world and group readable on many systems. Protecting the files is left up to the home directory permissions which are usually limited to user-only.
This permissive umask makes it easy for users to copy or link files into shared directories without using chmod after.
A good solution would be to set the user’s TMPDIR environment variable to “/tmp/$USER” or “/home/$USER/tmp” and create this directory. Many functions will respect this variable. For the rest go through other tmpfile code and fix it up. Putting the directory in /tmp would be better if /tmp is mounted with special options such as being tmpfs.
Doesn’t matter. If security is a concern, tmp files should not be created with the default umask but should be created with the most restrictive permissions possible unless explicitly specified otherwise. That simple.
I would modify that to just “tmp files should not be created with the default umask but should be created with the most restrictive permissions possible”.
I think that the actual problem here is the “If security is a concern” part. That shouldn’t be the exception. It should be the rule. It’s hard to think of a time that a tmp file should be world readable.
A temporary pipe or socket, perhaps, in some specific cases. But not regular tmp files. On my Ubuntu box my umask is the standard 0022. I just ran /bin/mktemp and it properly created a file in /tmp with 600 permissions. I’ve just spot-checked my /tmp tree and there are no files with read or write permission for ‘other’. (Which comes as no surprise.)
That Apple can’t get this right is disgraceful, and rightly should make us wonder what other elementary blunders they are making elsewhere.
Perhaps someone with MacOSX would like to run:
find /tmp -type f -perm /o=r
and report their results. (Does MacOSX use /tmp?)
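The "easy bug" from this thread and its fix, side by side, as an added example (not code from any poster): a scratch file created with plain fopen() gets 0666 masked by the process umask (0644 under the common 022), while mkstemp(3) creates it 0600 whatever the umask is. The third function does what the `find /tmp -type f -perm /o=r` check above does, counting regular files readable by "other"; the sample content and file names are constructed for the demo.

```c
/* Added example, not from the thread: naive_tmpfile() creates a scratch file
 * the casual way (mode 0666 & ~umask), safe_tmpfile() uses mkstemp(3) (0600,
 * umask ignored), world_readable_count() mirrors `find DIR -type f -perm /o=r`. */
#define _POSIX_C_SOURCE 200809L
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
static const char SAMPLE[] = "constructed sample download\n";  /* constructed */

/* The easy bug: fopen("w") is open(O_CREAT, 0666), so the umask decides the
 * final mode. Returns the permission bits of the created file, or -1 on error. */
int naive_tmpfile(const char *path) {
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    fputs(SAMPLE, f);
    fclose(f);
    struct stat st;
    if (stat(path, &st) != 0) return -1;
    return (int)(st.st_mode & 0777);
}

/* The fix: mkstemp() creates the file owner-only (0600) regardless of umask.
 * tmpl must end in "XXXXXX" and is overwritten with the name actually chosen. */
int safe_tmpfile(char *tmpl) {
    int fd = mkstemp(tmpl);
    if (fd < 0) return -1;
    if (write(fd, SAMPLE, strlen(SAMPLE)) < 0) { close(fd); return -1; }
    struct stat st;
    int rc = fstat(fd, &st);
    close(fd);
    return rc == 0 ? (int)(st.st_mode & 0777) : -1;
}

/* Audit helper: count regular files in dir that carry the S_IROTH bit. */
int world_readable_count(const char *dir) {
    DIR *d = opendir(dir);
    if (!d) return -1;
    int n = 0; struct dirent *e; struct stat st;
    char path[4096];
    while ((e = readdir(d)) != NULL) {
        snprintf(path, sizeof path, "%s/%s", dir, e->d_name);
        if (lstat(path, &st) == 0 && S_ISREG(st.st_mode) && (st.st_mode & S_IROTH))
            n++;
    }
    closedir(d);
    return n;
}
```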
On Fedora /tmp files come out with the user’s umask.
Ubuntu/Debian is probably the only Linux distro that does chmod 600 tmp file creation.
Nice try. But no. I just spot checked RHEL4 (based on Fedora Core 3) and Fedora 8. mktemp always creates files with mode 600. And there are no files in /tmp which have read permission for ‘other’.
Please point me to a version of Fedora that acts as you claim. And yes, barring that, I am calling you a liar.
Edited 2009-08-07 20:00 UTC
Then you are a moron, an idiot, an impolite person, and other bad names.
From a Fedora 5 system:
-rw------- 1 jbriggs jbriggs 81202 Aug 6 15:53 build-test-errors.zo2671
srwxrwxr-x 1 btiemessen btiemessen 0 Sep 5 2007 catsock
-rw-rw-r-- 1 cblaise cblaise 13685 Aug 7 09:56 cblaise.cvsactiveCollabCache
-rw-rw-r-- 1 erempillo erempillo 4199 Aug 7 00:17 erempillo.cvsactiveCollabCache
drwx------ 2 jbriggs jbriggs 4096 Aug 6 15:42 gconfd-jbriggs
srwxrwxr-x 1 jbriggs jbriggs 0 Jun 15 09:58 gnome-system-monitor.jbriggs.2299393145
-rw-r--r-- 1 jbriggs jbriggs 4946506 Aug 6 15:58 j1
-rw-rw-r-- 1 jbriggs jbriggs 23567 Aug 6 15:15 j2
As you can see, some files are 600, others are not. It depends on what tool creates the tmp file, doesn’t it? Did you think mktemp is the only tmpfile tool in the world? Here I thought you were claiming Ubuntu made all /tmp files mode 600.
I just went to check a friend’s Ubuntu system. It also has world-readable files in /tmp. So much for that theory of yours.
I suppose it's my fault for believing you were claiming Ubuntu had some fancy magic in /tmp to keep file permissions set to mode 600 when actually all you were claiming is that one particular shell tool creates mode 600 files in /tmp.
Nope. Just calling you on the falsehood you were presenting.
Let’s look at your FC5 “example”. The relevant lines are:
srwxrwxr-x 1 btiemessen btiemessen 0 Sep 5 2007 catsock
-rw-rw-r-- 1 cblaise cblaise 13685 Aug 7 09:56 cblaise.cvsactiveCollabCache
-rw-rw-r-- 1 erempillo erempillo 4199 Aug 7 00:17 erempillo.cvsactiveCollabCache
srwxrwxr-x 1 jbriggs jbriggs 0 Jun 15 09:58 gnome-system-monitor.jbriggs.2299393145
-rw-r--r-- 1 jbriggs jbriggs 4946506 Aug 6 15:58 j1
-rw-rw-r-- 1 jbriggs jbriggs 23567 Aug 6 15:15 j2
The sockets we can dispense with first. There are valid reasons for sockets to have those permissions. (We can go into that in more detail if you insist.)
As to the ActiveCollab cache files… ActiveCollab is a proprietary, commercial product, and certainly not part of Fedora or Fedora Extras. Third party programs are free to shoot themselves in the foot in /tmp just as anywhere else. Although in this case, it’s possible that this is exactly what the app programmers intended… activecollab being a collaboration tool, after all. It would make more sense to have an ‘activecollab’ group and grant the necessary access via group membership. But that’s the vendor’s problem.
It’s hard to say much about j1 and j2 without knowing what created them. Any idea where they came from? I think we can be pretty certain, up front, that they were not created by any programs that are part of the distro. (Based upon the file names, in addition to the insecure permissions.)
You need to supply details to back that up. (Keeping in mind the above discussion, of course.) Especially considering that the details you presented regarding your Fedora claim don’t stand up to scrutiny.
I find that doubtful. My original post was quite clear, and it would be somewhat difficult to interpret in that way.
I’m claiming much more than that. The default tools (commands and library calls) that any Linux, or for that matter, any self-respecting POSIX OS provides for creating temp files, ignore umask and create only files without world read or world write permissions. Furthermore, all software which is part of the distro acts in the same way, unless there is some very good reason for allowing any expanded permissions. Any variance from that policy is considered a significant security bug and is fixed ASAP.
And frankly, I find your claim that this policy applies to “only one shell tool” to be a bit sleazy on your part, Zan. Or perhaps just remarkably uninformed.
I am certainly *not* claiming that Apple’s MacOSX creates insecure tmp files as standard policy. But I’m starting to get the impression that perhaps you are.
Edited 2009-08-07 21:23 UTC
I am not claiming that insecure temporary files are created by policy.
I am claiming that they are created by default. I claim that this happens whenever a programmer casually creates a temporary file without thinking about security.
How can you deny this?
I went back to recheck what we were arguing about, and just before calling me a liar, you claimed there were no files in /tmp with read permissions for “other.” Obviously there are because I showed you some.
/var/tmp from Mac OS X:
-rwxr-xr-x 1 root wheel 112 Jul 27 11:13 tmp.0.Psvn84
-rwxr-xr-x 1 root wheel 119 Jul 27 11:13 tmp.1.VOVSE2
-rwxr-xr-x 1 root wheel 168 Jul 27 11:13 tmp.2.mF7sC5
-rwxr-xr-x 1 root wheel 173 Jul 27 11:13 tmp.3.ZpQUfk
I do not know what made those, but they look like temporary files. I don’t think I ever claimed it was standard policy, just that it happens. And it does. Look. Insecure temp files.
Selected files from /var/tmp on that Fedora system again:
-rw-rw-r-- 1 jbriggs jbriggs 951 Jul 30 14:31 rpm-tmp.95715
-rw-rw-r-- 1 jbriggs jbriggs 2726 Jul 30 15:15 rpm-tmp.98214
RPM is a fairly important tool. It is definitely provided with the distribution. So what “falsehood” am I presenting?
See RPM example again.
Interesting how perceptions differ. From my side I regard you as remarkably uninformed. You seem to be intent on denying that insecure temporary files could ever be created by Linux/BSD/OSX programmers. I have much evidence otherwise.
I have never said such a thing. You misunderstood my original post (how, I’m not quite sure) and have been obsessing over the point, despite my having stated quite clearly that apps are free to shoot themselves in the foot, and despite your having admitted yourself that you misunderstood. Where you got this “impossible to create insecure tmp files” idea is a mystery to me.
For review, the original issue is that Safari creates world readable files which contain sensitive information like your bank and/or credit card statements. I said that was inexcusable, and a violation of elementary security practices. You proceeded to defend the practice, as if it happened all the time and everyone did it, when in fact even the Firefox devs are not so negligent.
I do think that the rpm tmp files you list should be 600. But that situation is certainly excusable, as rpm-tmp files are hardly likely to reveal sensitive information, which cannot be obtained more easily with readily available cracking tools like ‘ls’.
Fixes a problem whereby users can read files that other users are downloading in Safari. Howler!
Fixes a problem where users can still run programs using multi-touch gestures even when the screen is locked. Howler!
And lots of “maliciously crafted file” vulnerabilities fixed.
A lot of these, with the exception of the multitouch bug (my Mac mini thankfully doesn't have that one 😉 ) are in Safari; people concerned about security on OS X use Firefox with NoScript. 🙂 Safari will be noticeably more secure in Snow Leopard, tabs will be sandboxed à la Chrome.
Edited 2009-08-06 06:01 UTC
I know that OSX is a BSD certified Unix, but do people really use their Macs as multi-user computers? Maybe for rendering or something but for web browsing? Are they using VNC? Or was this just an obscure bug that didn’t really need fixing because nobody uses OSX like that anyway?
10.5.7 introduced a bug with some USB audio cards: if you have, for example, a simple "pen-drive-like" USB audio card to plug in an external microphone, whenever you're using voice in Skype, Ventrilo, TeamSpeak or Y!Msgr, from time to time your voice will distort and it will be impossible for the other party to understand what you are saying.
If you close/reopen the application, this gets fixed instantly (95% of the times); or you can wait somewhere between 10-30 secs and it will “slowly” get back to normal.
I don’t see any mention of this in the patch files, I’m installing right now but I have no hopes.
That’s interesting, for me it was 10.5.6 that had that problem and 10.5.7 which fixed it, even though it wasn’t mentioned as a fix in 10.5.7’s release notes. I haven’t noticed it resurfacing in 10.5.8 at least not so far.
10.5.8 didn’t fix it for me. :S
At least this time it didn't screw up my USB printer driver.
It really was small enough just to be a security release. I'd have trouble believing that they've fixed anything else of much importance.
I have applications hanging on launch as well as at termination now and the Finder seems to be locked up until another application from the Dock is launched.
I’m still kicking myself for buying Leopard but maybe, the visual unity is enough to make up for the usability problems.
I don't understand why visual unity is considered such a plus. It just makes it harder to quickly pick out the right windows in Exposé.