Mac worm rumors swirl; Dai Zovi ships unofficial Mac OS X patch

Mac worm rumors swirl; Dai Zovi ships unofficial Mac OS X patch

Summary: Amidst unconfirmed rumors that anonymous hackers have created a worm that exploits an unpatched code execution flaw in Mac OS X (Intel), a team of researchers have come up with a way to completely disable a buggy portion of the Mac code base.

SHARE:

Amidst unconfirmed rumors that anonymous hackers have created a worm that exploits an unpatched code execution flaw in Mac OS X (Intel), a team of researchers have come up with a way to completely disable a buggy portion of the Mac code base.

Led by Mac security guru Dino Dai Zovi (of CanSecWest MacBook hijack fame), the researchers have created a third-party patch that removes the uPNP code from within mDNSResponder, the Bonjour system service that implements Multicast DNS Service Discovery for discovery of services on the local network.

Davi Zovi worked with his former employers at Matasano Security on the patch after looking at the worm claim and the recent mDNSResponder patch (and Bonjour exploit) affecting that portion of the Mac OS X code.

[ SEE: Ten questions for MacBook hacker Dina Dai Zovi ]

"If I were to guess about the vulnerability linked to the worm claim, I'd say it's in uPNP. I won't be surprised if there are others looking hard at that piece of code to find holes," Dai Zovi said in a telephone interview.

The patch, which is buyer-beware (and unsupported), does not fix a specific vulnerability. Instead, it removes the LegacyNATTraversal code from mDNSResponder. Hackers consider mDNSResponder the primary client -> server attack surface on Mac OS X.

Matasano president Dave Goldsmith, a former @Stake researcher who has found/reported numerous Mac OS X vulnerabilities over the years, said that portion of the code contains lots of unbounded memory copies and a history of overflows and memory smashing bugs.

"This patch will hopefully prevent a certain code path from getting executed. No one knows for sure if there's a vulnerability there but we think this (patch) could potentially stop some bad code from getting called," Goldsmith said by telephone.

"The LegacyNATTraversal code is 1994-style C code," Goldsmith said. "[There are known bad programming practices lurking in that particular file."

On Matasano's blog, Goldsmith warns that the patch is buyer-beware.

Standard disclaimers about this patch apply (including: may do nothing, may protection you form current/future vulns, may cause mDNSresponder to not work, may break support contracts). Also, this patch is unsupported, which is why I didn’t give step by step instructions on how to apply it.

In any event, Dai Zovi said the patch isn't for non-technical Mac users. "There's an opportunity for someone to make it more user-friendly but, right now, it's not something the average user can use," he said.

His advice to Apple: Rewrite the entire uPNP code base.

"It's a feature that's there for a reason but that entire bit of code needs to be rewritten. There are too many (potential) dangers there," he added.

Topics: Apple, Hardware, Operating Systems, Security

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

41 comments
Log in or register to join the discussion
  • This flaw means nothing to me .

    Do you want to know why ? Read this excerpt from the story:

    Amidst unconfirmed rumors that anonymous hackers have created a worm that exploits an unpatched code execution flaw in Mac OS X (Intel), a team of researchers have come up with a way to completely disable a buggy portion of the Mac code base.


    Like the excerpt says , (Intel) only . Guess what , more power to the PPC Macs . I'm beginning to wonder if all these issues that have arisen lately has to do with Intel based Macs ?
    The_Nutty_Zealot
    • Means nothing to me either

      Since I don't use a warmed up 70s OS like OS X.

      I think you missed the bit about the buggy legacy code. Ah well, denial is a state Mac users are used to.
      tonymcs@...
      • Like usual you are an idiot .

        This only affects Intel based Macs , had you had read the story properly/thoroughly , you would not have missed it . Instead focus on the fact that Internet Explorer and Windows still have the issue of the URI that Microsoft has been sitting on since 2004 idiot . That's a worldwide problem :

        Mozilla patches Firefox; tells users to avoid IE

        http://blogs.zdnet.com/security/?p=387

        Mozilla patches Firefox, slams door on IE zero-day bug
        We fixed our end, says Mozilla, but IE is still buggy

        http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9027289&intsrc=hm_list

        I loved this excerpt from the story the most :

        "However, I can still automatically launch a wide range of external applications from Internet Explorer and provide them with arbitrary command line arguments, [including] AcroRd32.exe (Adobe Acrobat PDF Reader), aim.exe (AOL Instant Messenger), Outlook.exe, msimn.exe (Outlook Express), netmeeting.exe, HelpCtr.exe (Windows Help Center), mirc.exe, Skype.exe, wab.exe (Windows Address Book) and wmplayer.exe (Windows Media Player), just to name a few," Larholm wrote.

        What will Microsoft do once one of its own products affects the other . ROTFLMAO !!!
        The_Nutty_Zealot
        • Typical fruit...

          (NT)
          fr0thy2.
          • At least a "fruit" has worth

            What's your contribution to society, other than trolling, wasting space and oxygen?

            ...
            MacCanuck
          • I take that...

            to be directed at all users of non-mac system.

            Let's see, my contribution to society is developing fallout simulator applications for nuclear reactors and doing research in the field of retrovirology (which is what my degree is in, dual majored with biochem engineering). I also run a training and consulting firm, and have 15 years of development experience on platforms ranging from solaris to windows and even, yes, OSX.

            What is your contribution? Lemme guess, a degree in graphic or liberal arts, potentially business administration. Work for a design firm making pretty pictures, maybe doing landscapes in the frigid canadian winter?

            If you don't have anything productive to say, don't fan the flames of someone preaching antimac elitism. It's just as bad a promac elitism. Go read the book Code and learn something, your opinion may have merit at that point.
            Spiritusindomit@...
          • actually

            you took that as an opportunity to discuss the many fine points of being... well... you.

            Of course all that intelligence and dedication to a higher cause would be nothing without garbage men and plumbers. Because without them you'd be piled up head high in your own crap. Figuratively, you are anyway. So do try to remember that while you're on that perch looking down at the lowly graphic and liberal artists, and landscapers.

            (btw, I am none of the above... elitism just bothers me a wee bit)
            Badgered
          • Wow!!! Think much of yourself?

            Take a chill pill as you did take that the wrong way.

            You're a tad too sensitive and defensive (along with having a healthy dose of megalomania) as all I was responding to was a typically mindless (bigoted?) anti-Apple/Mac (user) response.

            It's the individual that is worthy of castigation, not any particular group, unless of course you claim to represent all Windows users, you have "buyers doubt & remorse" and/or feelings of inadequacy (wait, definitely not that last one for you).

            You appear to be not much better than drkr2004@ in your condescending description of those you consider to be the great unwashed and unworthy of being in your esteemed presence.

            You forgot to throw in we Mac users are all gay (fruit reference?), have more money than brains... along with being better looking and we don't drag our knuckles.

            Now back to my double orange cr?me frappuccino light blended latte and flower arranging.

            Later darling...

            (sheesh)

            ...
            MacCanuck
          • who is sensitive?

            wow. some that seemed to roll off your fingers a little to easily I might add. <br>
            xuniL_z
          • Every time I see you do this

            It's over a 5 paragraph microsoft beating. If the prior poster had been tearing OS X apart, you would have let that "fruit" statement slide w/o a doubt. <br>
            You claim you are not a troll and try to portray the "voice of reason" but it's a big farce. I've never seen you castigate someone that was putting down an Apple flamer. What did the prior post have to do with the story? What was there about it that you felt the need to "defend the poster's honor"? Did you even read it, or did you see the nic and the word and responded knee jerk. Most likely the case, but you are as much a troll as anyone on here. You are not as vulgar as some, not as mean spirited as some, not as stupid as most, but you still post with zero objectivity.
            xuniL_z
      • re:Means nothing to me either

        You meant to state that Windows users are the ones in a state of denial , including Ballmer & Gates . You bunch of blithering idiots .
        The_Nutty_Zealot
        • Ohhh good one!

          [i]You bunch of blithering idiots.[/i]

          You really got 'em there kiddo! Way to get a zinger in on those useless M$ supporters! YaY for the Mac faithful, we can insult with the best of 'em.
          Badgered
      • At least the fix is available .

        Which is more than I can say for MS C.R.A.P.

        Mozilla patches Firefox; tells users to avoid IE

        http://blogs.zdnet.com/security/?p=387

        Blocking (Internet Explorer) drive-by malware downloads

        http://blogs.zdnet.com/security/?p=386

        Symantec puts price tag on anti-botnet tool

        http://blogs.zdnet.com/security/?p=384

        Skeletons in Microsoft?s Patch Day closet

        http://blogs.zdnet.com/security/?p=316

        Microsoft drops 6 bulletins, fixing 11 vulnerabilities

        http://blogs.zdnet.com/security/?p=364

        Microsoft should block that IE-to-Firefox attack vector

        http://blogs.zdnet.com/security/?p=367

        On deck: Critical Microsoft Office, Excel, Windows patches

        http://blogs.zdnet.com/security/?p=354

        German police excuse angry computer user for outburst
        The man tossed his PC out a window in the middle of the night

        http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9027278&intsrc=hm_list

        Are Microsoft?s patent lawyers really this dumb?

        http://blogs.zdnet.com/microsoft/?p=557

        Microsoft Xbox Chief Peter Moore: Did he jump or was he pushed?

        http://blogs.zdnet.com/microsoft/?p=583
        The last story here was really good , the X-BOX bursting in flames from casual play , Microsoft takes a 1 Billion dollar loss on that one . Microsoft take my advice , stay out of the hardware business . If the X-Box bursting into flames isn't enough , then ask yourselves , how is your Zune market doing ?!?!?!?

        ROTFLMAO !!!

        In a world without walls & fences , who needs windows & gates?"

        Watch this video on mac vs pc , you'll love it .

        http://www.youtube.com/watch?v=qHO8l-Bd1O4
        Intellihence
        • Wow. You know how to roll out a list

          Where can I get this script? It's the NeutronBomb AppleScript of retorts.
          YinToYourYang-22527499
        • Once again you show your child side...

          ...and ignorance. I feel sorry for Mac users. If you are a representitive of them then they are very bad lot. Last time I checked MS fixes holes albiet not as fast it should but it does. I do belive this was a 3rd party, kind of scary there. You can bitch and moan through all you want. The Day Apple has the guts to step and sell their OS w/o hardware, and support 100's of millions of computers, MS will not have a competitor. They f'd up their business model in the 80's and MS ate their lunch and they have to live with it to this day. Until the above day, they are no more then a boil on the computing world butt. Apple is a very good hardware vendor, their OS is OK. I think Ubuntu's is actually better if it gets more backing - Apple may have a problem and I think MS has a few secrets up there sleeves since Gates left and there is anew head of Windows Development. So through your chilish tantrums and give all Apple/Mac users a bad name - which you do.
          fr0thy2.
          • Correct sociological analysis sir.

            His opinion certainly does reflect every single person who uses the Macintosh. That is why we elected him spokesman and representative of all Mac users at the Mac Cultist congress last February.
            Very astute of you to discover our inner workings. Bravo!
            Tigertank
          • I demand a re-count!!!!

            Pagan jim
            Laff
    • moron

      Do you know WHY it doesn't work? (of course you don't, 'it just works,' it's magic ; ).

      This hack exists because rather than actually rewriting OSX with x86 support, they hacked in a low level processor interpreter that turns risc instructions into x86. The architecture you know as 'power pc' was originally created by Sun, and solaris still does it much much better.

      I love how mac elitists are now subdividing into x86 and risc fragments.

      Now please, continue with your switch commercial ranting.
      Spiritusindomit@...
      • Idiot == you

        Apple has been developing MacOS X on X86 native since 2003. Of course you never
        knew it was developed from NeXTStep which ran exclusively on X86 - the PowerPC
        version is a port. Or that the PowerPC was a joint project of Motorola, Apple and IBM
        and had nothing to do with Sun. Obviously you believe that knowledge is dangerous,
        but ignorance is not.
        ----------------
        Nobody expects the Spanish Inquisition!!
        Imaginos1892
      • Why I love these TalkBacks...

        You can always learn something that you never knew before - no matter how involved you were with the happenings them selves....

        [i]The architecture you know as 'power pc' was originally created by Sun, and solaris still does it much much better.[/i]

        Gee, and here I thought that [url=http://en.wikipedia.org/wiki/PowerPC]this[/url] was the source of the Power PC architecture!
        Freebird54