Mac OS X flaw raises serious concerns

Mac OS X flaw raises serious concerns

Summary: An unpublished security vulnerability in Apple's Mac OS X operating system that first came to light after a hacking competition has sparked concern in the user community. Mark Borrie, IT security manager at New Zealand's University of Otago, said the vulnerability could cause potential difficulties.

An unpublished security vulnerability in Apple's Mac OS X operating system that first came to light after a hacking competition has sparked concern in the user community.

Mark Borrie, IT security manager at New Zealand's University of Otago, said the vulnerability could cause potential difficulties. He manages a total of 12,000 desktops, including nearly 5,000 Macs.

As reported by ZDNet Australia on Monday, the flaw surfaced when a hacker, going by the name 'gwerdna', won a Mac OS X contest recently. The vulnerability allows users -- with local access -- to escalate their privileges to a point where they can perform various unauthorised acts such as delete files or directories, install applications and bypass restrictions imposed by the machine's administrator.

Borrie said he had previously come across vulnerabilities in OS X that lets an attacker create a local account, which if combined with the unknown vulnerability, could allow an unauthorised user to gain complete control of the computer.

"We have also seen in the past quite a few exploits where somebody breaks in through a standard service. People are thinking ... they can't do anything with that because it has no privileges. But once they have that access they can use the vulnerability to get root [access]," he told ZDNet Australia.

James Turner, security analyst at Frost & Sullivan Australia, agreed the issue was serious since unauthorised users could potentially bypass security controls.

"People should not be able to access data that they are not authorised to access. Being able to change account privileges by hacking a system's vulnerabilities is not a legitimate way of getting around the authentication issue," said Turner.

Gwerdna has so far declined to provide complete details of the flaw. Commenting on the contest, he said, "As far as I'm aware, Apple does not know about the exploit or bugclass used to own this box.... A so called zero-day exploit if you wish."

Such backdoors are not exclusive to Apple boxes. Neal Wise, a partner at Sydney-based security consultancy, said administrators have had to deal with privilege escalation problems on Unix- and Windows-based systems for a number of years.

-You want to give people the least privilege they need to do their job. Linux and Unix systems have always suffered from 'root or not root' issues.

-I remember around 15 years ago where you could access the help menu in (Silicon Graphics) SGI systems and get root from it. This is a real issue and applies to all systems -- not just Unix but Windows systems too," Wise said.

New Mac hack challenge
In response to the ealier contest, Dave Schroeder, a senior systems engineer at the University of Wisconsin, has given hackers until Friday to break into his Mac.

Schroeder is asking hackers to alter the home page hosted on a Mac mini that is running Mac OS X 10.4.5 with the latest security updates. The system has two local accounts, and has SSH and HTTP open. "A lot more than most Mac OS X machines will ever have open," Schroeder said on his Web site.

Secure Shell, or SSH, is used for logging into and executing commands on a networked computer, and HTTP, or HyperText Transfer Protocol, is the method used to transfer information on the Web.

Schroeder deemed the contest won by gwerdna as "too easy".

"The original challenge allowed any users to have local accounts to access the machine via SSH," Schroeder said in an interview via e-mail. "This is an important distinction, because if you have local -- or physical -- access to a computer, you have a very distinct leg-up in terms of the ability to escalate your privileges."

Early media reports on the first competition did not call out the fact that attackers were given local access to the system. This irked Schroeder, moving him to launch his own challenge. "The original article left readers with the impression that a Mac OS X machine could be easily hacked into just by being connected to the Internet," he said.

Still, the previous contest was a real challenge, Schroeder said. "Assuming it is genuine, it represents an as-yet-unknown local privilege escalation that would allow any local user to gain root-level access," he said. This could be a serious issue for any setting with shared machines, such as schools, he said.

The person who does successfully hack Schroeder's Mac mini is requested to send him an e-mail describing the attack. Schroeder plans to report that to the appropriate software vendors and will post results after the close of the challenge, he said.

When contacted, gwerdna said he was unlikely to take part in the challenge since he wasn't willing to reveal his techniques to Schroeder or Apple.

"I don't particularly care for reporting issues to Apple. Additionally, this box sounds like a honeypot ... not worth losing any exploit code to a bunch of .edu people," gwerdna told ZDNet Australia yesterday in an e-mail interview.

Despite several attempts, Apple Australia was unavailable for comment .

CNET's Joris Evers contributed to this report.

Topics: Apple, Hardware, Operating Systems, Security

Munir Kotadia

About Munir Kotadia

Munir first became involved with online publishing in 1998 when he joined ZDNet UK and later moved into print publishing as Chief Reporter for IT Week, part of ZDNet UK, a weekly trade newspaper targeted at Enterprise IT managers. He later moved back into online publishing as Senior News Reporter for ZDNet UK.

Munir was recognised as Australia's Best Technology Columnist at the 5th Annual Sun Microsystems IT Journalism Awards 2007. In the previous year he was named Best News Journalist at the Consensus IT Writers Awards.

He no longer uses his Commodore 64.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • An unpublished, unknown exploit?...

    ...that this "gwerdna" isn't sharing with anyone? Has anyone else verified ANY of this? And now the infamous Mac hacker won't attempt the new competition by Schroder. The honeypot remark is a cover - he knows that an actual secured server, with a professional sysadmin behind it is waaaay out of his league.
  • New competition even more pointless as original

    So this guy is only running OpenSSH and Apache. Who in their right mind is going to waste a completely valuable vulnerability in either of these services (which would give them access to much more interesting hosts other then some mac users desktop) just to silence a mac fanboy? No one.

    Btw why is the care factor so high about mac vulnerabilities in general? It's not like they are used for anything important. More valuable vulnerabilities come out on other operating systems all time. Mac security is easily 10 years behind and easy pickings, not to mention boring. Get over it.
  • 0days

    how do you think software bugs get fixed? the software vendor most likely didn't find the issues, someone reported it the software vendor (in this case, apple).

    it means that he, or someone he knows, has done some auditing, found some exploitable bugs, and, apparently, decided to keep it private, as opposed to disclosing it to the vendor.

    they obviously put a lot of work into this, and decided to keep their work private. they are most likely under no obligation to share details with you, or tell the vendor (as its their intectuall property.)

    The whole rant about them not sharing is moot, they owned the box, defaced the webpages, and clearly have root on the box.. despite all the apple fan boys saying that root account etc is disabled.

    Have any of you guys seen the idiots page btw? It probably bears repeating:

    whomever decided to make that page up is very funny, and I tip my hat off to him/them.

    seems that apple has a heap of local privilege escalation bugs. combined with auto download an execute bugs in safari and, macs are ownable..
  • macos 0day for sale

    Remote vulnerability in default osx service mdnsresponder.

    For Sale, Highest Bidder.

  • Correction of contact email address.
  • I work for apple

    I work for Apple

    So I am really getting a kick out of your reply.

    Some of you losers are very good at making it sound like you know what you are talking about.

    But trust me.... You don't.

    I think you just want to make yourself sound smart, when in reality you dont know what you re talking about.

    This is how bad info gets passed around.

    If you dont know about the topic....Dont make yourself sound like you do.

    Cuz some zdnetters believe everything they hear
  • ZDnet - "we make the news".

    Another quiet day on the IT news front?

    I for one, really wouldn't mind if ZDNet wasn't constantly being updated with new 'stories' every hour. A mere five or so quality articles per day would be enough to keep me visiting.

    But lately I wonder if this website is so desperately hungry for material, that they're now scraping the top of the barrel.

    Many articles are so feather-light in content and heavy on vacuous nothing-speak, that they're clearly being padded out with speculation and heresay rather than information.

    Take this common sentence-starter for instance:

    "Some users are concerned...."

    (or similar variations thereof)

    What does this mean? It's just a language device that isn't fixed to a tangible bit of information and cannot be easily falsified - therefore it can be shaped to fit the tone of any story.

    The number of people who are actually 'concerned' need only be between 2 and 6.5 billion (the population of the planet), for such a statement to be 'true'. But so what? Without significant figures, references or examples, it carries no weight.

    It all comes across like the minutes of a meeting from a bird watcher's club, during winter: "One person reported seeing a frozen feather on a branch last week...some people think it may have been from a sparrow....others do not."

    Nothing to report, and nothing to say - but we'll say it anyway.

    Meanwhile, the author of the site offering the hacking challenge says he has set it up in response to the "woefully misleading ZDnet article".

    In other words: He's only doing it to prove beyond doubt how weak and unworthy of reporting ZDNet's original report was.

    Yet now ZDNet is reporting HIS findings. Everything is news!

    I reckon ZDNet might squeeze 2 or maybe 3 more headlines out of this particular OSX newsflash.

    Then, it'll be back to rattling the cage full of Linux vs Windows zealots for a while.
  • That's a stupid competition

    Most webservers usually have some form of applications running on them, such as phpbb, commerce software, etc.

    Those bugs would affect mac, just as they would linux, iis (windows), freebsd..

    Just putting a static html website is redundant and pointless, and not a true test.
  • Motive for 'gwerdna'?

    So, gwerdna doesn't want to tell anyone, including security experts and Apple itself, about the nature of the (alleged) flaws. And he will not take the new hacking challenge at <>, which requires him to reveal his methodology if successful.

    Well, then what is his motive for remaining silent? Clearly he has no love for Apple or Mac users, or the .edu crowd, but even this doesn't explain why he is keeping quiet. Maybe he is on a power trip. Maybe he is lying about his success. He said he doesn't wish to reveal his "...exploit code..." to the legitimate OS designers at Apple so they could fix the flaws, but what is his gain by not revealing it? The only real advantage to him is if he intends to use any flaws for his own (almost certainly illegitimate) gain, and doesn't want them patched.

    So I am asking gwerdna to publicly state why he will not fully inform Apple about the flaws he exploited, and how he did it.
  • Authopen?

    does any1 know if it was due to a race condition in the authopen binary?

    some people whom know this guy said it was that??
  • haha, "professional" sysadmin

    hey guys

    it turns out this guy isn't so professional afterall, see the updated test page?

    'Yesterday we discovered the Mac OSX "challenge" was not an activity authorized by the UW-Madison. Once the test came to the attention of our CIO, she ended it. The site,, will be removed from the network tonight. Our primary concern is for security and network access for UW services. We are sorry for any inconvenience this has caused to the community.'


    so it turns out this so called professional sysadmin, used his work resources, time and materials, and put his place of work at great risk to prove a point?

    pathetic, he should be ashamed of himself. i'd be surprised if he wasn't severely reprimanded / fired over these "cowboy antics". i know thats what i'd be recommending to hr if any of my subordinates did any stunt like that
  • Anyone else smell the BS?

    The more I find out about this the more I think that Gwerdna and the host of rm-my-mac are competely full of it. I wouldn't be surprised if they were one and the same pathetic loser. I mean just look at the site. It has "hacker wannabe" written all over it. Then there's the fact that apparently rm-my-mac still hasn't been rm'd. In other words if Gwerdna is such a master hacker, why is it he has not totally wiped the Mini? Then his lame excuse for not hacking the U. Wisconsin challenge doesn't hold water either. He didn't have to divulge his method. He should have been able to hack the page and just say screw the rules. Obviously it was just too much for him. The whole thing is probably some 13 year old, pimple faced kid who gets his jollies this way.

    ZDNet, if I were you I'd drop this whole story. It reeks.
  • "Cuz some zdnetters believe everything they hear..."

    Well, they ain't hearin nuttin' from Apple.

    When it comes to addressing the FUD, and presumably its customers' collective peace of mind, Apple can hardly claim to be giving it their best shot.

    If Mr Jobs was polite enough to answer the tech press's calls when they need information, (rather than when he wants to use them as his personal loud hailer) you'd have a point.

    Perhaps you should take your concerns to your employer's corporate affairs department and then come back and tell us all what you think again.
  • trust me.. you dont

    You seem to be using the same collocial and appreviation techniques to that of the common teenager, so forgive me if I don't beleive that you really work for Apple. If you did, I think your argument would consist of more than just repeating the same sentence and writing it differently. "I think you just want to make yourself sound smart, when in reality you dont know what you re talking about. "

    So please don't try to pose as something your not 'cuz' its painfully obvious. (If you really did work for Mac I find it hilarious that this is the best you could come up with. In reality you're insulting what is an alright system)