jspokes

Q: CVE-2015-1130 - Protection on Mountain Lion

So Apple has been alerted to a serious OSX security flaw that so far they have only fixed in Yosemite.

 

About the security content of OS X Yosemite v10.10.3 and Security Update 2015-004 - Apple Support

 

What can we do to protect our usage on Mountain Lion when apple haven't fixed known security problems?

 

I can't update to Yosemite. Far too many driver, application and music productions related issues. Sure Gatekeeper asks if we want to Open untrusted applications, but I've certainly got a number of applications that are not digitally signed and necessary for what I do.

MacBook Pro, OS X Mountain Lion (10.8.5)

Posted on Apr 10, 2015 3:23 PM


Previous Page 2 of 3 last Next
  • by jspokes, Level 1 (0 points), Apr 14, 2015 2:12 AM in response to MadMacs0

    OK, you got my curiosity burning, so I spent around an hour looking through these. Let me say it is not appropriate or prudent to detail all my findings. This is exactly what malware writers do when looking for vulnerabilities. It is not easy, and shouldn't be easy, to find out this information. I am comfortable that:

     

    • Many vulnerabilities were introduced in 10.9.5, therefore earlier versions are safe. They were then fixed with the release of 10.0.
    • Some key ones like the famous Bash aka Shellshock bugs had specific updates for quite old systems, as they were deemed major threats.
    • Some vulnerabilities go back a long way, but in most cases their impact is low, so only newer systems were fixed. This is fair enough. At least the last few O/S versions were patched.
    • The periodic combo updates like Security Update 2014-004 (Mountain Lion) address many of these issues.

     

    The difference with this one is that it's a major vulnerability in very recent O/S versions that Apple need to fix quickly. I'd like to give Apple the benefit of the doubt and hope they will fix this.

  • by iamsudo, Level 1 (1 points), May 25, 2015 6:07 AM in response to jspokes

    Is there any way to eventually block this type of attack as a user? I mean, for example, in the case of bashdoor I could apply the patch or install another shell myself. Or are we just dependent on Apple fixing the bug?

  • by SN101, Level 1 (0 points), Jun 1, 2015 6:33 PM in response to John Caradimas

    I agree. Especially the fact that they are still selling Lion 10.8 for $19.99 without revealing to the customer that the product they are buying has a bug.

  • by SN101, Level 1 (0 points), Jun 1, 2015 6:36 PM in response to teepareep

    So why are they still selling OS X 10.8 without even revealing to the customer that what they are buying has bugs?

  • by MadMacs0, Level 5 (4,791 points), Jun 1, 2015 7:07 PM in response to SN101

    Every operating system in the world for sale today contains dozens if not hundreds of vulnerabilities, many of which are a more serious threat than this one. And as far as "bugs" are concerned, that would have to be measured in the thousands.

     

    Note that there still have not been any reported exploits found for this one.

  • by SN101, Level 1 (0 points), Jun 1, 2015 7:22 PM in response to MadMacs0

    This type of reasoning doesn't deserve a response.

  • by MadMacs0, Level 5 (4,791 points), Jun 1, 2015 7:33 PM in response to SN101

    Yes, it is certainly difficult to argue with the facts, isn't it.

  • by SN101, Level 1 (0 points), Jun 1, 2015 8:25 PM in response to Bill in Santa Cruz

    I concur.

  • by iamsudo, Level 1 (1 points), Jun 2, 2015 1:40 AM in response to MadMacs0

    Fact is, Apple knows about it and it's not a simple bug and they have the resources to patch the flaw. And they keep selling it.

  • by MadMacs0, Level 5 (4,791 points), Jun 2, 2015 2:12 AM in response to iamsudo

    Nobody is disputing that, but I'm sure they know about all of these as well: Apple » Mac Os X » 10.7.5 : Security Vulnerabilities.

     

    And FYI, the score for CVE-2015-1130 is 7.2 but is not listed.

  • by iamsudo, Level 1 (1 points), Jun 2, 2015 7:59 AM in response to MadMacs0

    Well, it bothers me that Apple put resources, for example, into overhauling the UI (a UI that was far better than any other OS, IMO) instead of patching these vulnerabilities. And that's idiotic.

  • by SN101, Level 1 (0 points), Jun 2, 2015 10:48 AM in response to iamsudo

    And not only that, they went ahead and announced this vulnerability bug, which is still unpatched within Lion OS, to the world after they patched it in Yosemite 10.10.3 in April 2015. Apple was informed about it in Oct. 2014, but kept it a secret.

     

    I believe under disclosure law, a seller has an obligation to disclose a known fault within a product they are selling to a customer. Especially the fact that they thought it was bad enough to keep it a secret from the public until they fixed it in Yosemite.

  • by MadMacs0, Level 5 (4,791 points), Jun 3, 2015 12:53 AM in response to SN101

    Let me start by saying that I'm not defending Apple in any way and agree with most of what has been said here, lest my comments be misinterpreted.

    SN101 wrote:

     

    And not only that, they went ahead and announced this vulnerability bug, which is still unpatched within Lion OS, to the world after they patched it in Yosemite 10.10.3 in April 2015.

    I don't believe there was ever an official announcement. The person that discovered the vulnerability reported that they had been told by Apple that it was too hard to patch in previous versions. So probably true, but hearsay nonetheless.

    Apple was informed about it in Oct. 2014, but kept it a secret.

    That is standard practice in the industry and I don't recall that Apple has ever officially commented on a security vulnerability until it's fixed. No reason to make things easier for exploiters.

    I believe under disclosure law, a seller has an obligation to disclose a known fault within a product they are selling to a customer.

    You may be right, but I'm no authority on consumer protection laws, especially when they are different in every country. It would make most sense to me to declare end-of-life to an OS on the day the last developing engineer is pulled from the project and stop selling it on that same day. For many years they have left it to consumers to figure out when an OS was obsolete, although the rule of thumb was never more than the current and one previous. That all seemed to change with the lingering popularity of Snow Leopard, although it continued to be offered for sale for years after the last Security Update was released. The rest of the industry seems to follow a policy of formally establishing end-of-life support dates, so I have never been able to figure out why Apple is reluctant to do so.

     

    I'm sure you can easily find a law firm that would be glad to help you launch a class action suit against Apple for selling Lion with a known fault, but you would have to purchase it first and presumably prove that you were somehow harmed by their lack of disclosure.

  • by WZZZ, Level 6 (13,112 points), Mac OS X, Jun 15, 2015 3:02 PM in response to MadMacs0

    Everyone reading this thread should have a look at

     

    https://github.com/sideeffect42/RootPipeTester

     

    https://github.com/sideeffect42/RootPipeTester/blob/master/README.md

     

    This is certainly a vulnerability, and even Apple's fix included in 10.10.3 is apparently a miserable failure.

     

    On the other hand, unless there is direct physical access to the machine (and then who needs some kind of backdoor, anyway), it requires remote code execution. And that's not something easily accomplished, unless done through trickery, a.k.a. social engineering.

  • by MadMacs0, Level 5 (4,791 points), Jun 15, 2015 4:43 PM in response to WZZZ

    WZZZ wrote:

     

    Everyone reading this thread should have a look at

    OK, I read all that almost two months ago. Even the latest version of RootPipeTester tells me that 10.10.3 is fixed. Although I have a lot of respect for the blogger who posted that last article, we only have his word that it didn't work. He correctly didn't publish any details and nobody else seems to have come forward to verify his assertions, including Apple. If it was a "miserable failure" I certainly would have thought we'd see somebody else or an actual threat exist by now, so I think that may be overstated. There hasn't been an update to CVE-2015-1130 to indicate anything other than it's fixed in 10.10.3.

     

    Don't get me wrong, if it's really still a vulnerability I also want it fixed and I don't think this is just FUD, but it could be. The blogger is employed in an IT security service, so he does have a monetary interest in this.

     

    And yes, the impact assessment is only 7.2 which, although high, is not as big a concern as a similar threat that does not require physical access.

     

    But this discussion is about non-Yosemite users which, from everything I know today, is a more serious issue. At least 40% of Mac users seem to be vulnerable to the flaw that was originally found.
