
CVE-2015-1130 - Protection on Mountain Lion

So Apple has been alerted to a serious OSX security flaw that so far they have only fixed in Yosemite.


About the security content of OS X Yosemite v10.10.3 and Security Update 2015-004 - Apple Support


What can we do to protect our usage on Mountain Lion when Apple haven't fixed known security problems?


I can't update to Yosemite. Far too many driver, application and music production-related issues. Sure, Gatekeeper asks if we want to open untrusted applications, but I've certainly got a number of applications that are not digitally signed and necessary for what I do.

MacBook Pro, OS X Mountain Lion (10.8.5)

Posted on Apr 10, 2015 3:23 PM

32 replies

Jun 1, 2015 7:07 PM in response to SN101

Every operating system in the world for sale today contains dozens if not hundreds of vulnerabilities, many of which are a more serious threat than this one. And as far as "bugs" are concerned that would have to be measured in the thousands.


Note that there still have not been any reported exploits found for this one.

Jun 2, 2015 10:48 AM in response to iamsudo

And not only that, they went ahead and announced this vulnerability bug that is still un-patched within Lion OS to the world after they patched it in Yosemite 10.10.3 in April 2015. Apple was informed about it in Oct. 2014, but kept it a secret.


I believe under disclosure law, a seller has an obligation to disclose a known fault within a product they are selling to a customer. Especially the fact that they thought it was bad enough to keep it a secret from the public until they fixed it in Yosemite.

Jun 3, 2015 12:53 AM in response to SN101

Let me start by saying that I'm not defending Apple in any way and agree with most of what has been said here, lest my comments be misinterpreted.

SN101 wrote:


And not only that, they went ahead and announced this vulnerability bug that is still un-patched within Lion OS to the world after they patched it in Yosemite 10.10.3 in April 2015.

I don't believe there was ever an official announcement. The person that discovered the vulnerability reported that they had been told by Apple that it was too hard to patch in previous versions. So probably true, but hearsay nonetheless.

Apple was informed about it in Oct. 2014, but kept it a secret.

That is standard practice in the industry and I don't recall that Apple has ever officially commented on a security vulnerability until it's fixed. No reason to make things easier for exploiters.

I believe under disclosure law, a seller has an obligation to disclose a known fault within a product they are selling to a customer.

You may be right, but I'm no authority on consumer protection laws, especially when they are different in every country. It would make most sense to me to declare end-of-life to an OS on the day the last developing engineer is pulled from the project and stop selling it on that same day. For many years they have left it to consumers to figure out when an OS was obsolete, although the rule of thumb was never more than the current and one previous. That all seemed to change with the lingering popularity of Snow Leopard, although it continued to be offered for sale for years after the last Security Update was released. The rest of the industry seems to follow a policy of formally establishing end-of-life support dates, so I have never been able to figure out why Apple is reluctant to do so.


I'm sure you can easily find a law firm that would be glad to help you launch a class action suit against Apple for selling Lion with a known fault, but you would have to purchase it first and presumably prove that you were somehow harmed by their lack of disclosure.

Jun 15, 2015 3:02 PM in response to MadMacs0

Everyone reading this thread should have a look at


https://github.com/sideeffect42/RootPipeTester


https://github.com/sideeffect42/RootPipeTester/blob/master/README.md


This is certainly a vulnerability, and even Apple's fix included in 10.10.3 is apparently a miserable failure.


On the other hand, unless there is direct physical access to the machine (and then who needs some kind of backdoor, anyway), it requires remote code execution. And that's not something easily accomplished---unless done through trickery, a.k.a. social engineering.

Jun 15, 2015 4:43 PM in response to WZZZ

WZZZ wrote:


Everyone reading this thread should have a look at

OK, I read all that almost two months ago. Even the latest version of RootPipeTester tells me that 10.10.3 is fixed. Although I have a lot of respect for the blogger who posted that last article, we only have his word that it didn't work. He correctly didn't publish any details and nobody else seems to have come forward to verify his assertions, including Apple. If it was a "miserable failure" I certainly would have thought we'd see somebody else or an actual threat exist by now, so I think that may be overstated. There hasn't been an update to CVE-2015-1130 to indicate anything other than it's fixed in 10.10.3.


Don't get me wrong, if it's really still a vulnerability I also want it fixed and I don't think this is just FUD, but it could be. The blogger is employed in an IT security service, so he does have a monetary interest in this.


And yes, the impact assessment is only 7.2 which, although high, is not as big a concern as a similar threat that does not require physical access.


But this discussion is about non-Yosemite users which, from everything I know today, is a more serious issue. At least 40% of Mac users seem to be vulnerable to the flaw that was originally found.

Jun 16, 2015 5:57 AM in response to MadMacs0

OK, I read all that almost two months ago. Even the latest version of RootPipeTester tells me that 10.10.3 is fixed.

I'm not totally certain that I trust RPTester--no idea what criteria it uses to make its determinations, and I don't know enough to read through the open source in order to determine if it's drawing the correct conclusions per OS. It tells me that my 10.8 isn't vulnerable, but what do I really know? (It seems that almost every week there's some new POC vulnerability found--it's all just too whack-a-mole). Since nothing new has been forthcoming since Kvarnhammer's latest on 5/28, I'm just about ready to throw my hands up and ignore the whole thing. Even if 10.10.3 has really been patched, I'm not ready to upgrade--my 10.8 is doing just fine, and from what I've seen and heard about 10.10, I'll avoid it until maybe 10.11 fixes most of what's wrong in it, the way 10.8 fixed 10.7. And if RPTester is correct, I'll be worse off with 10.9, for which I saved the installer.

Although I have a lot of respect for the blogger who posted that last article, we only have his word that it didn't work. He correctly didn't publish any details and nobody else seems to have come forward to verify his assertions, including Apple. If it was a "miserable failure" I certainly would have thought we'd see somebody else or an actual threat exist by now, so I think that may be overstated. There hasn't been an update to CVE-2015-1130 to indicate anything other than it's fixed in 10.10.3.


It took Apple from last November until April to roll out a "fix", so I'm not at all surprised that we haven't heard anything from Apple on this. Not only haven't we heard of anyone on 10.10.3 getting hit, AFAIK we haven't heard about anyone on any other OS getting hit. As for this non-fix-patch just being fiction, if you read through this, including the comments, there's some additional confirmation that Apple's patch was lame--not that I am able to understand any of the analysis of the Objective-C that is presented there. I have no idea if we will ever see this exploit actually executed in some major way in the wild. My guess is only in very narrowly targeted situations--it needs to be combined with a remote code execution exploit in order to work. I don't think that's so easy to pull off, except maybe by way of spear phishing or some malicious payload on some "free" download. So the usual caveat about what you download applies more than ever. If it ever does get into the wild in some form of mass distribution, I don't think it's going to hit anyone who is even slightly educated about security practices on the Internet.


(Actually, according to some, it's already been seen in the wild, but only in a very limited way: "There is malware from 2014 that was already exploiting this vulnerability. Found by noar, the following sample contains the exploit code for both Mavericks and older versions. It uses the exploit to activate the Accessibility API. See, we don't even need to wait for new malware, it was already being exploited in the wild. The malware sample is described by FireEye, but they totally miss the zero day there. They just lightly describe the result but not the technique.")


Don't get me wrong, if it's really still a vulnerability I also want it fixed and I don't think this is just FUD, but it could be. The blogger is employed in an IT security service, so he does have a monetary interest in this.


I don't think Wardle was spreading FUD. His background in security is really unimpeachable and I don't see any monetary interest in this for him, or anything to gain in spreading FUD, except maybe irreparable damage to his reputation, should it be proven to be FUD. Since you seem to think it's a possibility, other than his resume getting another credit, please describe how that would benefit him in a monetary way.


But this discussion is about non-Yosemite users which, from everything I know today, is a more serious issue. At least 40% of Mac users seem to be vulnerable to the flaw that was originally found.

Of course, with everything said, and whether or not this exploit ever sees some form of mass distribution, I would prefer that Apple patch older OSs. It's pure evil that they refuse.
