Apr 14, 2015 2:12 AM in response to MadMacs0 by jspokes:
OK, you got my curiosity burning, so I spent around an hour looking through these. Let me say it is not appropriate or prudent to detail all my findings. This is exactly what malware writers do when looking for vulnerabilities. It is not easy, and shouldn't be easy, to find out this information. I am comfortable that:
- Many vulnerabilities were introduced in 10.9.5, therefore earlier versions are safe. They were then fixed with the release of 10.0.
- Some key ones, like the famous Bash aka Shellshock bugs, had specific updates for quite old systems as they were deemed major threats.
- Some vulnerabilities go back a long way, but in most cases their impact is low, so only newer systems were fixed. This is fair enough. At least the last few O/S versions were patched.
- The periodic combo updates like Security Update 2014-004 (Mountain Lion) address many of these issues.
The difference with this one is that it's a major vulnerability in very recent O/S versions that Apple need to fix quickly. I'd like to give Apple the benefit of the doubt and hope they will fix this.
-
May 25, 2015 6:07 AM in response to jspokes by iamsudo:
Is there any way to eventually block this type of attack as a user? I mean, for example, in the case of bashdoor I could apply the patch or install another shell myself. Or are we just dependent on Apple fixing the bug?
-
Jun 1, 2015 6:33 PM in response to John Caradimas by SN101:
I agree. Especially the fact that they are still selling Lion 10.8 for $19.99 without revealing to the customer that the product they are buying has a bug.
-
Jun 1, 2015 6:36 PM in response to teepareep by SN101:
So why are they still selling OS X 10.8 without even revealing to the customer that what they are buying has bugs?
-
Jun 1, 2015 7:07 PM in response to SN101 by MadMacs0:
Every operating system in the world for sale today contains dozens if not hundreds of vulnerabilities, many of which are a more serious threat than this one. And as far as "bugs" are concerned, that would have to be measured in the thousands.
Note that there still have not been any reported exploits found for this one.
-
Jun 1, 2015 7:22 PM in response to MadMacs0 by SN101:
This type of reasoning doesn't deserve a response.
-
Jun 1, 2015 7:33 PM in response to SN101 by MadMacs0:
Yes, it is certainly difficult to argue with the facts, isn't it.
-
Jun 2, 2015 1:40 AM in response to MadMacs0 by iamsudo:
Fact is, Apple knows about it and it's not a simple bug, and they have the resources to patch the flaw. And they keep selling it.
-
Jun 2, 2015 2:12 AM in response to iamsudo by MadMacs0:
Nobody is disputing that, but I'm sure they know about all of these as well: Apple » Mac Os X » 10.7.5 : Security Vulnerabilities.
And FYI, the score for CVE-2015-1130 is 7.2 but is not listed.
-
Jun 2, 2015 7:59 AM in response to MadMacs0 by iamsudo:
Well, it bothers me that Apple put resources, for example, into overhauling the UI (a UI that was far better than any other OS, IMO) instead of patching these vulnerabilities. And that's idiotic.
-
Jun 2, 2015 10:48 AM in response to iamsudo by SN101:
And not only that, they went ahead and announced this vulnerability bug, which is still un-patched within Lion OS, to the world after they patched it in Yosemite 10.10.3 in April 2015. Apple was informed about it in Oct. 2014, but kept it a secret.
I believe under disclosure law, a seller has an obligation to disclose a known fault within a product they are selling to a customer. Especially the fact that they thought it was bad enough to keep it a secret from the public until they fixed it in Yosemite.
-
Jun 3, 2015 12:53 AM in response to SN101 by MadMacs0:
Let me start by saying that I'm not defending Apple in any way and agree with most of what has been said here, lest my comments be misinterpreted.
SN101 wrote:
And not only that, they went ahead and announced this vulnerability bug that is still un-patched within Lion OS to the world after they patched it in Yosemite 10.10.3. in April. 2015.
I don't believe there was ever an official announcement. The person that discovered the vulnerability reported that they had been told by Apple that it was too hard to patch in previous versions. So probably true, but hearsay nonetheless.
Apple was informed about it in Oct. 2014, but kept it a secret.
That is standard practice in the industry and I don't recall that Apple has ever officially commented on a security vulnerability until it's fixed. No reason to make things easier for exploiters.
I believe under disclosure law, a seller has an obligation to disclose a known fault within a product they are selling to a customer.
You may be right, but I'm no authority on consumer protection laws, especially when they are different in every country. It would make most sense to me to declare end-of-life to an OS on the day the last developing engineer is pulled from the project and stop selling it on that same day. For many years they have left it to consumers to figure out when an OS was obsolete, although the rule of thumb was never more than the current and one previous. That all seemed to change with the lingering popularity of Snow Leopard, although it continued to be offered for sale for years after the last Security Update was released. The rest of the industry seems to follow a policy of formally establishing end-of-life support dates, so I have never been able to figure out why Apple is reluctant to do so.
I'm sure you can easily find a law firm that would be glad to help you launch a class action suit against Apple for selling Lion with a known fault, but you would have to purchase it first and presumably prove that you were somehow harmed by their lack of disclosure.
-
Jun 15, 2015 3:02 PM in response to MadMacs0 by WZZZ:
Everyone reading this thread should have a look at
https://github.com/sideeffect42/RootPipeTester
https://github.com/sideeffect42/RootPipeTester/blob/master/README.md
This is certainly a vulnerability, and even Apple's fix included in 10.10.3 is apparently a miserable failure.
On the other hand, unless there is direct physical access to the machine (and then who needs some kind of backdoor, anyway), it requires remote code execution. And that's not something easily accomplished, unless done through trickery, a.k.a. social engineering.
-
Jun 15, 2015 4:43 PM in response to WZZZ by MadMacs0:
WZZZ wrote:
Everyone reading this thread should have a look at
OK, I read all that almost two months ago. Even the latest version of RootPipeTester tells me that 10.10.3 is fixed. Although I have a lot of respect for the blogger who posted that last article, we only have his word that it didn't work. He correctly didn't publish any details and nobody else seems to have come forward to verify his assertions, including Apple. If it was a "miserable failure" I certainly would have thought we'd see somebody else or an actual threat exist by now, so I think that may be overstated. There hasn't been an update to CVE-2015-1130 to indicate anything other than it's fixed in 10.10.3.
Don't get me wrong, if it's really still a vulnerability I also want it fixed and I don't think this is just FUD, but it could be. The blogger is employed in an IT security service, so he does have a monetary interest in this.
And yes, the impact assessment is only 7.2 which, although high, is not as big a concern as a similar threat that does not require physical access.
But this discussion is about non-Yosemite users which, from everything I know today, is a more serious issue. At least 40% of Mac users seem to be vulnerable to the flaw that was originally found.