Jun 16, 2015 5:57 AM, in response to MadMacs0, by WZZZ:
OK, I read all that almost two months ago. Even the latest version of RootPipeTester tells me that 10.10.3 is fixed.
I'm not totally certain that I trust RPTester--no idea what criteria it uses to make its determinations, and I don't know enough to read through the open source in order to determine if it's drawing the correct conclusions per OS. It tells me that my 10.8 isn't vulnerable, but what do I really know? (It seems that almost every week there's some new POC vulnerability found--it's all just too whack-a-mole). Since nothing new has been forthcoming since Kvarnhammer's latest on 5/28, I'm just about ready to throw my hands up and ignore the whole thing. Even if 10.10.3 has really been patched, I'm not ready to upgrade--my 10.8 is doing just fine, and from what I've seen and heard about 10.10, I'll avoid it until maybe 10.11 fixes most of what's wrong in it, the way 10.8 fixed 10.7. And if RPTester is correct, I'll be worse off with 10.9, for which I saved the installer.
Although I have a lot of respect for the blogger who posted that last article, we only have his word that it didn't work. He correctly didn't publish any details and nobody else seems to have come forward to verify his assertions, including Apple. If it was a "miserable failure" I certainly would have thought we'd see somebody else or an actual threat exist by now, so I think that may be overstated. There hasn't been an update to CVE-2015-1130 to indicate anything other than it's fixed in 10.10.3.
It took Apple from last November until April to roll out a "fix", so I'm not at all surprised that we haven't heard anything from Apple on this. Not only haven't we heard of anyone on 10.10.3 getting hit, AFAIK we haven't heard about anyone on any other OS getting hit. As for this non-fix-patch just being fiction, if you read through this, including the comments, there's some additional confirmation that Apple's patch was lame--not that I am able to understand any of the analysis of the Objective-C that is presented there. I have no idea if we will ever see this exploit actually executed in some major way in the wild. My guess is only in very narrowly targeted situations--it needs to be combined with a remote code execution exploit in order to work. I don't think that's so easy to pull off, except maybe by way of spear phishing or some malicious payload on some "free" download. So the usual caveat about what you download applies more than ever. If it ever does get into the wild in some form of mass distribution, I don't think it's going to hit anyone who is even slightly educated about security practices on the Internet.
(Actually, according to some, it's already been seen in the wild, but only in a very limited way: "There is malware from 2014 that was already exploiting this vulnerability. Found by noar, the following sample contains the exploit code for both Mavericks and older versions. It uses the exploit to activate the Accessibility API. See, we don't even need to wait for new malware, it was already being exploited in the wild. The malware sample is described by FireEye, but they totally miss the zero day there. They just lightly describe the result but not the technique.")
Don't get me wrong, if it's really still a vulnerability I also want it fixed and I don't think this is just FUD, but it could be. The blogger is employed in an IT security service, so he does have a monetary interest in this.
I don't think Wardle was spreading FUD. His background in security is really unimpeachable and I don't see any monetary interest in this for him, or anything to gain in spreading FUD, except maybe irreparable damage to his reputation, should it be proven to be FUD. Since you seem to think it's a possibility, other than his resume getting another credit, please describe how that would benefit him in a monetary way.
But this discussion is about non-Yosemite users which, from everything I know today, is a more serious issue. At least 40% of Mac users seem to be vulnerable to the flaw that was originally found.
Of course, with everything said, and whether or not this exploit ever sees some form of mass distribution, I would prefer that Apple patch older OSs. It's pure evil that they refuse.
-
Jul 4, 2015 1:14 AM, in response to WZZZ, by MadMacs0:
WZZZ wrote:
> This is certainly a vulnerability, and even Apple's fix included in 10.10.3 is apparently a miserable failure.
So it's apparently all better now:
APPLE-SA-2015-06-30-2 OS X Yosemite v10.10.4 and Security Update
2015-005
OS X Yosemite v10.10.4 and Security Update 2015-005 are now available
and address the following:
Admin Framework
Available for: OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.3
Impact: A process may gain admin privileges without proper
authentication
Description: An issue existed when checking XPC entitlements. This
issue was addressed through improved entitlement checking.
CVE-ID
CVE-2015-3671 : Emil Kvarnhammar at TrueSec
Admin Framework
Available for: OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.3
Impact: A non-admin user may obtain admin rights
Description: An issue existed in the handling of user
authentication. This issue was addressed through improved error
checking.
CVE-ID
CVE-2015-3672 : Emil Kvarnhammar at TrueSec
Admin Framework
Available for: OS X Yosemite v10.10 to v10.10.3
Impact: An attacker may abuse Directory Utility to gain root
privileges
Description: Directory Utility was able to be moved and modified to
achieve code execution within an entitled process. This issue was
addressed by limiting the disk location that writeconfig clients may
be executed from.
CVE-ID
CVE-2015-3673 : Patrick Wardle of Synack, Emil Kvarnhammar at TrueSec
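As an added example (not code from the thread, Apple or either researcher), a small parser for the APPLE-SA bulletin format pasted above: it pulls each entry's "Available for" clause and CVE ids, then reports which listed CVEs cover a given OS X version, which is the practical question for anyone on 10.8, 10.9 or an early 10.10. The ADVISORY sample is constructed from two of the entries quoted above, trimmed to the fields the parser reads.

```python
import re
# Constructed sample: two Admin Framework entries of APPLE-SA-2015-06-30-2
# as pasted above, trimmed to the fields this parser reads.
ADVISORY = """\
Admin Framework
Available for: OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.3
Impact: A process may gain admin privileges without proper
authentication
CVE-ID
CVE-2015-3671 : Emil Kvarnhammar at TrueSec
Admin Framework
Available for: OS X Yosemite v10.10 to v10.10.3
Impact: An attacker may abuse Directory Utility to gain root
privileges
CVE-ID
CVE-2015-3673 : Patrick Wardle of Synack, Emil Kvarnhammar at TrueSec
"""

# matches "v10.9.5" or "v10.10 to v10.10.3" inside an "Available for:" clause
VER = re.compile(r"v(\d+(?:\.\d+)*)(?: to v(\d+(?:\.\d+)*))?")

def _v(s):  # "10.9.5" -> (10, 9, 5), so 10.9.x compares below 10.10
    return tuple(int(p) for p in s.split("."))

def parse_advisory(text):
    """Split an APPLE-SA bulletin into entries: component, 'Available for' text, CVE ids."""
    entries, cur, field, prev = [], None, None, ""
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        if line.startswith("Available for:"):
            cur = {"component": prev, "available": line.split(":", 1)[1], "cves": []}
            entries.append(cur)
            field = "available"  # the clause may wrap onto the next line(s)
        elif line.startswith(("Impact:", "Description:")):
            field = None
        elif line == "CVE-ID":
            field = "cve"
        elif field == "available":
            cur["available"] += " " + line
        elif field == "cve" and line.startswith("CVE-"):
            cur["cves"].append(line.split()[0])
        prev = line  # the line before "Available for:" names the component
    return entries

def cves_affecting(entries, version):
    """CVE ids whose 'Available for' ranges cover this OS version; [] means not listed."""
    v = _v(version)
    return sorted({c for e in entries for c in e["cves"]
                   if any(_v(lo) <= v <= _v(hi or lo) for lo, hi in VER.findall(e["available"]))})
```

An empty result for 10.8.5 only means the bulletin does not list that release; it says nothing about whether the underlying flaw exists there.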
-
Jul 4, 2015 5:10 AM, in response to MadMacs0, by WZZZ:
Yeah, I saw that. And I think both Wardle and Kvarnhammar are saying it's fixed now, both in 10.9 and 10.10. But it leaves me still wondering if 10.8 was left out, or if it didn't need it to begin with, which the rootpipe tester seems to think is the case. And Apple, to their everlasting credit, didn't do anything about Logjam, except in 10.10, where the fix for the D-H SSL3 vulnerabilities is system wide. They left Safari in all lower versions still vulnerable, and nothing for those OSs.