Security alert: Mac OS X authentication dialogs can lie

“Some time ago now, in fact in November of 2003, I reported to Apple that it was possible to make the authentication dialog lie about which program was asking for authorisation to do something. This is filed as rdar://3486235, for any Apple employees watching,” Alastair Houghton writes for Alastair’s Place.

Here’s an amusing demonstration:

(the program that did this was definitely not called “Steve Jobs”)

Alastair writes, “Very funny, but quite scary because it means it’s much too easy to trick an end-user into giving a potentially malicious program root privileges. Apple have been widely—and, to my mind, rather unfairly—lambasted for their attitude towards security holes, but in this case I’m sorry to report that the critics are quite correct. I’m sure they’ll fix this now I’ve published it on the Internet, but I really shouldn’t have had to do this; it should have been fixed back in 2003 when it was first reported.”

“Ordinarily I don’t approve of people publishing security holes, because it puts end-users at risk, but this one makes it too easy to trick a user into giving away privileged access to his or her machine, and Apple still haven’t fixed it, over two years after it was reported. It’s also a sufficiently common issue that the comp.unix.programmer frequently asked questions document actually mentions that “it is possible to invoke programs with arbitrary values of argv[0]”, so the fact that you can set argv[0] to whatever you like is hardly an unknown feature, nor is it likely that the black hats don’t already know about this,” Alastair writes.

Full article with more here.

[Thanks to MacDailyNews Reader “MacDoc” for the heads up.]

MacDailyNews Take: Apple needs to get on the ball and fix this yesterday. It’s totally irresponsible to allow such an issue to exist for so long. Trojans are the one real issue that could actually seriously affect Mac OS X security. This should concern all users. If you can trick someone into authorizing an application, there is no protection. This is potentially a huge security problem and Apple should be very ashamed to have let it go uncorrected for so long.

As usual, do not download and/or install files from untrusted sources.


49 Comments

  1. The problem with Apple is that they are too naive

    They allow third party applications to simply require an administration password to install software.

    They ask for your personal identifying information and then use it everywhere in the machine. Your email address, the name of your computer etc. So when you simply visit a website there is a chance for them to know exactly who you are.

    Then get this, the Apple Discussions cookie in Safari has your complete name and other details in plain text, for any program or website to retrieve.

    Then they FAILED to fix the MetaData file exploit in the last update. I could send a Zipped Quicktime file that will run Terminal and grab all your info and send it out via the internet without your knowledge.

    Lucky few who install programs like Little Snitch and Safe Terminal can reduce their chances.

    But what if I send a malicious MetaFile exploit file to someone with a small app that invokes a fake admin password request?

    THAT’S RIGHT I GOT ROOT YOU’RE MINE

    Like I said, Apple is naive, they need to hire some criminals to teach them the world is not all goody goody.

  2. This is all lies!!!!
    Macs are immune to everything!
    Total B.S.
    Don’t believe it – just propaganda put out by Windows.
    Notice the timing? Today. Why today? Because in exactly x number of Days Steve, the Lord, will be revealing 10.5 and they want to cause some problems.

  3. Here is a discussion on the matter. It’s pretty old too.

    http://episteme.arstechnica.com/groupee/forums/a/tpc/f/8300945231/m/206009245731

    What we need is for Mac OS X to mind the access to root and provide some way to keep apps from asking for it.

    A two way authentication, like Mac OS X providing us with a password so that we know it’s truly Mac OS X asking for the admin password and not a fake.

    But no, when it comes to security, Apple is relying heavily upon Unix and less on its own abilities.

  4. Static Mesh:
    Are you trying to get a job at Apple? ;)

    You should send your exploit to a member of the security team via email and see if they fall for it. Have terminal run “the Pink Slip” virus like on that old commercial.

  5. You should send your exploit to a member of the security team via email and see if they fall for it

    I’ve sent many exploits to Apple via their security channels.

    In fact I was the one that exposed the URL Handler exploit, remember that?

    Guess where I found it? Slashdot, exposed to the entire geek community.

    What did Apple do? They denied it for over 6 months and through 2 updates.

    Finally it hit the press and oh then Apple took their heads out of their collective asses and did something about it.

    Now it’s the same with this MetaData exploit and the one of this article, everyone knows of these exploits, so does Apple, but they do nothing.

  6. Ditto what Noraa said. If you could access other cookies, there would already be a lot of exploits of commonly used cookie information from well-known, commonly visited sites – wouldn’t there?

    My understanding of it was just as Noraa stated – but I don’t know that much about the coding and how cookies are read, so I’m just asking.

  7. The important thing to understand is that there is no great way to fix an issue like this.

    The fundamental problem is that a program gets to decide what its name is, and this can be confusing or deceptive. If I write a program and name it “The Federal Government” then the dialog would say “The Federal Government requires that you type your password.”

    I don’t think anybody really wants Apple to establish a regime where they control what each and every program is called, so what else are they supposed to do?

    In the end, the password authorization dialog is only one security layer of many, and where Apple does well is in preventing users from accidentally running programs in the first place. Once you are running a malicious program, it can use your Internet connection or delete all your files without any particular authorization. If the user then makes the unwise decision to authorize a dialog box that comes up without a clear purpose claiming to be the OS or Steve Jobs or whatever, then the program could corrupt the OS or delete files owned by other users. But this is a privilege escalation issue that requires user intervention, and not a serious security risk.

  8. Right now there is a Trojan invading your computer. And we have been using your computer to store porn that people on Windows computers enjoy.
    All those passwords you thought were safe – they are; safely in my computer. Of course I know your Visa card numbers. Check your bill next month I may have bought something – thanks for the present!
    Every keystroke you make I know it.
