“Some time ago now, in fact in November of 2003, I reported to Apple that it was possible to make the authentication dialog lie about which program was asking for authorisation to do something. This is filed as rdar://3486235, for any Apple employees watching,” Alastair Houghton writes for Alastair’s Place.
Here’s an amusing demonstration:
(the program that did this was definitely not called “Steve Jobs”)
Alastair writes, “Very funny, but quite scary because it means it’s much too easy to trick an end-user into giving a potentially malicious program root privileges. Apple have been widely—and, to my mind, rather unfairly—lambasted for their attitude towards security holes, but in this case I’m sorry to report that the critics are quite correct. I’m sure they’ll fix this now I’ve published it on the Internet, but I really shouldn’t have had to do this; it should have been fixed back in 2003 when it was first reported.”
“Ordinarily I don’t approve of people publishing security holes, because it puts end-users at risk, but this one makes it too easy to trick a user into giving away privileged access to his or her machine, and Apple still haven’t fixed it, over two years after it was reported. It’s also a sufficiently common issue that the comp.unix.programmer frequently asked questions document actually mentions that “it is possible to invoke programs with arbitrary values of argv”, so the fact that you can set argv to whatever you like is hardly an unknown feature, nor is it likely that the black hats don’t already know about this,” Alastair writes.
Full article with more here.
[Thanks to MacDailyNews Reader “MacDoc” for the heads up.]
MacDailyNews Take: Apple needs to get on the ball and fix this yesterday. It’s totally irresponsible to allow such an issue to exist for so long. Trojans are the one real issue that could actually seriously affect Mac OS X security. This should concern all users. If you can trick someone into authorizing an application, there is no protection. This is potentially a huge security problem and Apple should be very ashamed to have let it go uncorrected for so long.
As usual, do not download and/or install files from untrusted sources.