[CharlesS]

Gah, I just tried it, and you're right. Okay, that's bad.

All this time, I had thought you needed to use sudo when repairing permissions with diskutil (and why on earth shouldn't RP be something you should need to authenticate for, anyway?)

[Chuckit]

This is, however, a good reason not to use an admin account for everyday use — this exploit is only possible if the user is in the admin group.

[Person Man]

Originally Posted by Chuckit 

This is, however, a good reason not to use an admin account for everyday use — this exploit is only possible if the user is in the admin group.

Yes, but Apple defaults to creating the first user as an admin, so it should still be fixed regardless.

[JKT]

MOAB-07-01-2007: OmniWeb Javascript alert() Format String Vulnerability

These people can't even identify the software that the bug is in and they obviously don't have a clue about the software they are reporting on. This is identified as an OmniWeb issue (later clarified as being a WebKit issue - but they don't know why Safari doesn't suffer from it... that'll be because OmniWeb uses a newer version of WebKit and KJS you dummies).

FWIW, this was fixed within a few hours by OmniGroup but the MOAB bunch haven't had the courtesy to update their website to inform people of this yet.

[Horsepoo!!!]

The daily quotes are grade school level humor...how old is LMH again? 12?

[Horsepoo!!!]

LMH has just informed me that he's an idiot and that he doesn't know the difference between Apple and Mac OS X apps. He told me that all of you should stop spending time on his website because he has no more actual Apple bugs to report.

[Hal Itosis]

It's a thin line between love and hate, huh?
Horsepoo!!! I do believe you're jealous.

[Person Man]

Um... the last several moab bugs have been all disk image issues. Can't the guy come up with anything better?

[Angus_D]

AppleTalk panic. Sigh.

[Person Man]

Originally Posted by Angus_D 

AppleTalk panic. Sigh.

He sure likes finding things that are only exploitable for denial of service...

He's either holding out on releasing the really big guns, or he hasn't found any yet.

[Tee]

At least one of MOABs is in the wild.

Do any of the Mac scanners detect it...?
Nope.

Keep on believing that there is no Mac malware...
And when your machine gets compromised and some hacker uses it commit crimes and everything traces back to you - you will gladly take the responsibility because 'there is no Mac malware' so you must be the hacker then...

[wingdo]

Originally Posted by Tee 

Keep on believing that there is no Mac malware...
And when your machine gets compromised and some hacker uses it commit crimes and everything traces back to you - you will gladly take the responsibility because 'there is no Mac malware' so you must be the hacker then...

I know that wasn't directed at me but .....

Never said there was no Mac malware nor did I ever say we are 100% secure. I am not sure how long LMH and his friend have been sitting on some of these bugs waiting to get a list of 30 or so to post, but I am surprised at how relatively inoffensive most of these hacks are. Yes, a couple of them concern me, but for the most part I find that there could be a lot worse out there.

I think most of us agree that one of the Mac's best strong points for anti-virus / anti-malware is the small market share we hold. That and the fact most businesses run Windows, and the real "fun" is in crippling businesses.

[Horsepoo!!!]

Originally Posted by Tee 

At least one of MOABs is in the wild.

Which one? Most of the MOABs are local exploits that may cause kernel panics. More than half of them are related to DMGs...if you only download trusted disk images, LMH is out of a job.

I've known a number of OpenGL apps a few years ago that caused kernel panics. Whoopteedoo...you lose whatever you working on if you didn't think about saving your file. This is a far cry from losing *everything* on your HD due to some remote exploit or unknowingly giving access to your files to a hacker.

And don't get me going on the AppleTalk one...sheesh...what next? A Sherlock exploit?

[Chuckit]

Originally Posted by Tee 

At least one of MOABs is in the wild.

Do any of the Mac scanners detect it...?
Nope.

Oh no, if I keep opening this disk image that panics my computer, that could really be a problem!

[Hal Itosis]

$ 2>/dev/null find -x / -type f -user 0 -not -group 0 -perm -4130 -print0|xargs -0 ls -Gold
-rwsrwxr-x 1 root admin - 54388 Jan 31 2006 /Applications/Utilities/Activity Monitor.app/Contents/Resources/pmTool
-rwsrwxr-x 1 root admin - 57336 Mar 24 2005 /Applications/Utilities/Keychain Access.app/Contents/Resources/kcproxy
-rwsrwxr-x 1 root admin - 23172 Jan 31 2006 /Applications/Utilities/ODBC Administrator.app/Contents/Resources/iodbcadmintool


Nod if you can hear me.

[Person Man]

Originally Posted by Hal Itosis 

$ 2>/dev/null find -x / -type f -user 0 -not -group 0 -perm -4100 -perm +022 -print0|xargs -0 ls -Gold
-rwsrwxr-x 1 root admin - 54388 Jan 31 2006 /Applications/Utilities/Activity Monitor.app/Contents/Resources/pmTool
-rwsrwxr-x 1 root admin - 57336 Mar 24 2005 /Applications/Utilities/Keychain Access.app/Contents/Resources/kcproxy
-rwsrwxr-x 1 root admin - 23172 Jan 31 2006 /Applications/Utilities/ODBC Administrator.app/Contents/Resources/iodbcadmintool


Nod if you can hear me.

Yes, we hear you. Apple will most likely fix the permissions, probably via a security update that will fix all the MOAB bugs, once they've all been disclosed.

[Chuckit]

What Apple really needs to do is find some way not to have everybody running as admins all the time. It seems silly to have a "normal" user be something you have to specially set up.

[Big Mac]

Apple probably thinks most people will be confused by having to create two users on initial setup. It would be good for the Setup Assistant to provide such an option, though.

[Horsepoo!!!]

Jeebus...no Jan 16 exploit? LMH must be scrounging for something but can't find anything. My guess is he'll post something pathetic in the middle of the night and call it MOAB-16-01-2007.

I feel somewhat unsatisfied to go to bed without a Jan 16 exploit.

[Hal Itosis]

I would count #15 as three myself.

What if there were a total of 200
admin-editable setuid executables
(which diskutil kindly refurbishes)?
Would you count them as 1 vector?

Even if he stops today, he has shown
Apple's take on "security" for the joke
that it is. (I would expect some heads
should roll in that department).

Your focus on LMH earns you an
honorary Apple Apologist award.

[Horsepoo!!!]

I would count #15 as 30. 10 for each app. No, wait...32. 12 for the first 2 and 8 for the last one, because I bet there are more people that use Keychain Access and Activity Monitor than ODBC Admin.

Originally Posted by Hal Itosis 

Your focus on LMH earns you an
honorary Apple Apologist award.

Thanks! I'm stoked. That almost counts as 2, right? Because being an AA means that I'm an Apple bug that may be exploited to escalate permissions.

Grand total of 34 exploits for #15.