I’m actually surprised by how little discussion I’ve seen about January’s Month of Apple Bugs. For those of you not familiar with the Month of Apple Bugs (MoAB) project, the idea was to post one Apple-related bug each day in January 2007. Perhaps one reason for the lack of discussion is that the bug for the 31st of January has not been released yet. A very ominous title (“Unspecified Kernel Remote Fun”) has been posted but nothing more. People may be waiting to see just how bad these supposed remote exploits are before commenting. However, I’ve been digesting the thirty bugs we do have for a few weeks now and I think I’m ready to share some of my thoughts, even if I may have to alter my views a bit when (and if) the last bug is finally released.

Before we get into the meat of this article I think it’s important to note that they appear to have had to scrape the barrel a bit to get to 30. Eight of the bugs are in third-party software rather than Apple software. Of those eight, two affect Windows and Linux as well as Mac, one affects Windows and Mac, and one of the bugs affecting Windows, Linux and Mac is actually a problem with the specification of the PDF standard rather than a software bug.

An Overview

I’m going to start by explaining the different types of bugs there are and how many of each kind we’ve got here. The first thing I want to make clear is that there is a huge spectrum when it comes to the severity of the bugs. Eight of these 30 bugs really are exceptionally minor and nothing more than an annoyance: these are the so-called Denial of Service (DOS) bugs. They literally result in nothing more than the program in question crashing. Sure, that’s annoying, but it’s not really a security problem. At the other end of the spectrum is the ultimate fear, a remotely exploitable bug that can execute any code on your system it wants with root (super user) privileges without any user interaction. This is the kind of doomsday scenario that allowed the devastating Windows worms of the past like Code Red, SQL Slammer, and Blaster to wreak havoc on the web. Thankfully none of the 30 bugs revealed so far are of this severity.

Between these two extremes there is a range of other classes of bug. After the simple DOS bug the next most severe is a bug leading to arbitrary code execution. This means that the attack leads to a program crashing and then running some code that the attacker has injected. This code runs with the privileges of the user who ran the program, so the damage that can be done is limited but still potentially very annoying. Losing all your files would, after all, be very bad! This is by far the most common type of bug reported in the MoAB, with 14 definite Arbitrary Code Execution bugs and another four DOS vulnerabilities that MAY be exploitable for arbitrary code execution. From what I can gather at least 8 of these appear to have been patched at this stage and it’s possible that more have been fixed.

The next level up the scale of badness is privilege escalation vulnerabilities. These are where the bug can let an attacker gain the privileges of the root user without authenticating. On the Mac there are two levels at which this can happen. It can allow users in the admin group, who are allowed to gain root privileges with their password, to gain root access without the need for a password, or it can allow users with no admin rights to gain root privileges. The latter is definitely more dangerous than the former. There are two bugs which allow admins to gain root without entering a password (neither appears to have been patched) and six allowing regular users to gain root permission (one definitely patched, not sure about the others). It should be noted that these kinds of bugs have exceptionally little effect on a home computer system because all users who are using the machine are trusted and only users who can log into the machine can exploit these vulnerabilities.

The final factor in determining how bad a bug is comes down to whether or not it can be triggered remotely, i.e., does the attacker have to be logged in to your machine to attack it or not? There are two levels of badness when it comes to remote attacks: those that require you to do something to trigger the attack (usually a visit to a web page), and the more dangerous ones that don’t require you to do anything. The MoAB contained nine remote vulnerabilities that required the user to visit a web page which had malicious JS, malicious videos or a malicious link. For Safari users who have the “automatically open safe files” option turned on there were another five remote vulnerabilities that could be triggered by simply visiting a web page. This is by far the most common type of remote bug that the MoAB has turned up and further supports my argument from yesterday that it is dangerous to browse the web with JS turned on.

There was also one remotely exploitable bug (29) that required no user interaction, but it could only be triggered from within the user’s LAN and not from across the internet at large, and Apple have patched this bug. Bug 17 MAY also allow remote code execution, and perhaps even with privilege escalation, but again only from within the LAN. The description on the MoAB page only says that this may be possible and no proof of concept code is provided. This is one to keep an eye on.

Some Particularly Interesting Bugs

  • Bug 5 – This bug is interesting because the author claims it is being used in the wild at the moment. I haven’t been able to verify this and it should be noted that this is not a remote exploit so this is not a concern for home users.
  • Bug 14 – This bug allows a remote DOS attack and perhaps even code execution, though not with root privileges. This exploit does not require user interaction. It should be noted that as this is related to AppleTalk this is again confined to your LAN, but it’s still not nice knowing that anyone on your LAN could cause your Mac to crash at any time! From what I can tell this bug has not been patched.
  • Bug 17 – I’ve already discussed this one but I’m mentioning it here again because this is one to keep an eye on.

The Key Points of Note

  • Don’t give accounts on your Mac to people you don’t trust. There are exploits available to allow users to gain root access on your machine once you let them in the door.
  • Don’t let people you don’t trust onto your LAN. They could crash your Mac.
  • If you use Safari, turn off the option to automatically open ‘safe’ file types. This option is a fundamentally bad idea and Apple really should know better. This option should not exist and it should certainly not be turned on by default. This is a lesson Apple should have learned from all the fun we’ve had in the past with MS Outlook executing stuff without users even opening a message. This option turns five otherwise minor problems into more serious problems.
  • Browsing the web is dangerous. Videos in particular are very dangerous, with a lot of the remotely exploitable problems affecting QuickTime, VLC, and Flip4Mac (WMV codec). Browsing with JavaScript (JS) turned off is safer as JS can be used to trigger web-based attacks.
  • Apple are quick to fix critical bugs.
  • Cross-platform apps can cause problems for everyone regardless of the platform they use. Just because you use a Mac or Linux does not mean you are safe from them. The VLC example (bug 2) really brings this home.
  • There are no critical vulnerabilities in the MoAB. The Mac is not perfect and we all should have been aware of that all along. There are problems but they are not severe.
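As an added example that is not part of the original post, this small shell script audits the Safari option the third point above warns about. It assumes macOS’s `defaults` tool and that the checkbox is backed by the preference key com.apple.Safari / AutoOpenSafeDownloads (1 = on, the shipped default; 0 = off).

```shell
# Added example (not from the original post): audit Safari's "Open 'safe'
# files after downloading" option. Assumes macOS's `defaults` tool and the
# preference key com.apple.Safari / AutoOpenSafeDownloads (1 = on, which is
# the shipped default; 0 = off).

# Map the raw value returned by `defaults read` to on/off/unknown.
# An empty value means the key was never written, so the default (on) applies.
classify_autoopen() {
  case "$1" in
    0|false|FALSE|no|NO)      echo off ;;
    1|true|TRUE|yes|YES|"")   echo on ;;
    *)                        echo unknown ;;
  esac
}

# Read the live value; `defaults read` exits non-zero and prints nothing on
# stdout when the key is unset, which we fold into the empty string.
read_autoopen() {
  defaults read com.apple.Safari AutoOpenSafeDownloads 2>/dev/null || echo ""
}

# Print a verdict and, where needed, the remediation command for a raw value.
describe_autoopen() {
  case "$(classify_autoopen "$1")" in
    off) echo "OK: Safari will not auto-open downloaded 'safe' files" ;;
    on)  echo "WARNING: auto-open is enabled (the default). Fix with:"
         echo "  defaults write com.apple.Safari AutoOpenSafeDownloads -bool false" ;;
    *)   echo "UNKNOWN: unexpected preference value '$1'" ;;
  esac
}

# Only run the live check where `defaults` exists (i.e. on macOS).
if command -v defaults >/dev/null 2>&1; then
  describe_autoopen "$(read_autoopen)"
fi
```

Restart Safari after changing the preference so the new value is picked up.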

Conclusions

If you are a Mac owner the first thing to note is that there is no need to panic. None of these bugs can hit you from outside your LAN without an action by you. Had even one such bug been found that would have been a big deal and a real test for Apple. One of the reasons that it’s hard to find such bugs on the Mac is that by default there are no services enabled that go out beyond your LAN. If you have no world-facing services then you deprive the attacker of their best method of attack. This is one area where the Mac is better than Windows. If you are a home user then you just need to take the following common-sense advice from all this (this advice also applies to Linux and Windows users):

  • Keep your machine and your software up-to-date.
  • Don’t let people you don’t trust near your computer or your LAN.
  • Don’t browse to dodgy websites.
  • Don’t download or run anything that is not from a trusted source.