Re: Mac OS X hacked under 30 minutes
- From: Derek Currie <derekcurrie@xxxxxxxxxxxxxxx>
- Date: Tue, 07 Mar 2006 14:04:39 GMT
In article <1141689194.457581.18020@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>,
"Super Spinner" <Pepe.Smythe@xxxxxxxxx> wrote:
The main problem is that Mac OS X has (apparently many) flaws that
allow a user with local, non-admin, non-root access to elevate his
privileges to admin and to root without needing to enter admin or root
passwords.
Sorry, but this has NOT been proven. All we have is a cracker's tale
about how he got enough access to the machine to remove and change
files. He proved N O T H I N G. We are all in an uproar about a story,
not any verifiable security hole. If at such time as the hacker gwerdna
reveals his 'undocumented' method for cracking the machine, and someone
verifies that it actually works, will we know if he REALLY did it.
Science requires reproducible methods and data. Where there are no
methods there is no science.
That means that any local program (e.g. trojan, virus,
whatever) could do the same.
IF the security flaw actually exists, that is.
Many people tried to dismiss the Mac OS X
exploits that have been found in the last two weeks by saying, "It only
works if you're running as root" (which wasn't true, but let's assume
it was for the sake of argument), or "It only works if you're running
as admin", or "If you're not running as admin, then it only works if
you enter an admin password".
The fact is that many people don't bother to actually READ. Andrew Welsh
has the definitive and detailed description of how the particular
exploit you are referring to actually works. More facts about it are
teased out in the discussion thread that follows it. You can find it at:
<http://www.ambrosiasw.com/>
With privilege escalation flaws, all of
those mitigating qualifiers become irrelevant.
COULD become irrelevant, and as pointed out at the Wisconson.edu site,
the hacker requires having an ssh accessible user account.
Any piece of malware
can use these flaws to elevate its privileges to admin/root behind the
user's back, if that's what's required in order for the malware to to
its dirty work.
Again, COULD use these flaws, if they exist, which has NOT been proven.
Science must rule in these situations. Otherwise all this chatter turns
out to be nothing but ignorable FUD (Fear, Uncertainty and Doubt).
Share and Enjoy,
:-Derek
--
Fortune Magazine, 11-29-05: What's your computer setup today?
Frederick Brooks: I happily use a Macintosh. It's not been equalled for ease
of use, and I want my computer to be a tool, not a challenge.
<http://www.fortune.com/fortune/print/0,15935,1135298,00.html>
[Frederick Brooks is the author of 'The Mythical Man Month'. He spearheaded
the movement to modernize computer software engineering in 1975]
.
- Follow-Ups:
- Re: Mac OS X hacked under 30 minutes
- From: Edwin
- Re: Mac OS X hacked under 30 minutes
- References:
- Mac OS X hacked under 30 minutes
- From: melmontemm
- Re: Mac OS X hacked under 30 minutes
- From: OldCSMAer
- Re: Mac OS X hacked under 30 minutes
- From: Super Spinner
- Mac OS X hacked under 30 minutes
- Prev by Date: Re: Suggestions on Mac newsreaders that don't suck
- Next by Date: Re: 10.4.5 has so many bugs...
- Previous by thread: Re: Mac OS X hacked under 30 minutes
- Next by thread: Re: Mac OS X hacked under 30 minutes
- Index(es):
Relevant Pages
|
