Three flaws discovered in Mac OS X
The company released three advisories this morning. The first details "systemic" flaws in the way OS X handles file and directory permissions, while the second details a kernel level vulnerability that does not affect default installations of the operating system. The third involves a buffer overflow condition that may be remotely exploitable.
Controversially, Apple has not yet released patches for the security issues. @Stake has advised Mac users to upgrade to the latest Apple operating system, which is not vulnerable to the flaws. The operating system, OS X 10.3, or Panther, is priced at $129 (£76).
According to the first advisory, some applications are installed on Mac OS X systems with insecure file permissions, so "many of the files and directories that compose various applications are globally writable". The problem with that, according to @Stake, is it allows attackers with limited access to the system to replace program files with files of their choice, thus obtaining "additional privileges from unsuspecting users, who may run the replaced version of the binary [file]".
"These Trojan binaries would escalate the privileges of the attacker to the privileges of the unsuspecting user who ran them," it explains.
The second issue identified by @Stake, which only affects non-default installations, may allow attackers to steal authentication details of other users on a system they have restricted access to.
"In the event a system is running with core files enabled, attackers with interactive shell access can overwrite arbitrary files, and read core files created by root owned processes. This may result in sensitive information like authentication credentials being compromised," the advisory reads.
@Stake's research director, Chris Wysopal, told ZDNet Australia that there's no technical reason a freely downloaded patch can't be released for earlier versions of the operating system. "The file permission problem is pretty serious," he said. "This is only a local [vulnerability] but is bad in environments where Macs are shared, such as colleges and libraries."
"People who admin Macs in these environments should check for globally writable apps using the command we give in our advisory. If they don't the attackers surely will," he added.
In the case of the insecure file permission issue, the workaround formulated by @Stake involves manually reviewing and adjusting directory permissions using Unix commands. Wysopal concedes the workaround may not be easy enough for novice users.
"The file permission issue could be worked around by someone who understood Unix file permissions, [but it's] somewhat technical," he said.