New To Mac-Forums?

Welcome to our community! Join the discussion today by registering your FREE account. If you have any problems with the registration process, please contact us!

Get your questions answered by community gurus Advice and insight from world-class Apple enthusiasts Exclusive access to members-only contests, giveaways and deals

Join today!

 
Start a Discussion
 

Mac-Forums Brief

Subscribe to Mac-Forums Brief to receive special offers from Mac-Forums partners and sponsors

Join the conversation RSS
Schweb's Lounge Forum for general conversation, chit chat, or most topics that don't fit in another forum.

OS 10.4 - Mac OSX Bug


Post Reply New Thread Subscribe

 
Thread Tools
Liam

 
Liam's Avatar
 
Member Since: Aug 15, 2006
Location: Abu Dhabi, United Arab Emirates
Posts: 483
Liam has a spectacular aura about

Liam is offline
Sorry if already posted...

http://news.bbc.co.uk/1/hi/technology/6187302.stm
QUOTE Thanks
KoDorSean

 
KoDorSean's Avatar
 
Member Since: Jun 03, 2006
Location: Denver Colorado
Posts: 2,374
KoDorSean has a brilliant futureKoDorSean has a brilliant futureKoDorSean has a brilliant futureKoDorSean has a brilliant futureKoDorSean has a brilliant futureKoDorSean has a brilliant futureKoDorSean has a brilliant futureKoDorSean has a brilliant futureKoDorSean has a brilliant futureKoDorSean has a brilliant futureKoDorSean has a brilliant future
Mac Specs: 2.4 GHz intel core 2 duo MBP, iPhone 5, iPad 3

KoDorSean is offline
Quote:
Originally Posted by Liam View Post
interesting, ill stay away from .dmg


I was on the M-F honor roll for month : May 2007
QUOTE Thanks
cazabam

 
cazabam's Avatar
 
Member Since: Jun 06, 2006
Posts: 1,153
cazabam is a glorious beacon of lightcazabam is a glorious beacon of lightcazabam is a glorious beacon of lightcazabam is a glorious beacon of lightcazabam is a glorious beacon of lightcazabam is a glorious beacon of light
Mac Specs: MacBook 2.0GHz White, 512MB RAM, 60GB HDD

cazabam is offline
I don't think there's a reason to shun .dmg entirely (after all, most software is packaged in .dmg these days). However, I will be vigilant about where the .dmgs I use are from!
QUOTE Thanks
Jem

 
Member Since: Aug 16, 2006
Posts: 245
Jem will become famous soon enough

Jem is offline
I like the bit in the BBC article that states:

Quote:
Apple has yet to provide a fix for the DMG bug though a workaround is known which should stop computers falling victim.
And then doesn't elaborate at all on the workaround...
QUOTE Thanks
D3v1L80Y

 
D3v1L80Y's Avatar
 
Member Since: Feb 02, 2004
Location: PA
Posts: 12,459
D3v1L80Y has a reputation beyond reputeD3v1L80Y has a reputation beyond reputeD3v1L80Y has a reputation beyond reputeD3v1L80Y has a reputation beyond reputeD3v1L80Y has a reputation beyond reputeD3v1L80Y has a reputation beyond reputeD3v1L80Y has a reputation beyond reputeD3v1L80Y has a reputation beyond reputeD3v1L80Y has a reputation beyond reputeD3v1L80Y has a reputation beyond reputeD3v1L80Y has a reputation beyond repute
Mac Specs: MacBook

D3v1L80Y is offline
Quote:
Originally Posted by kodorsean View Post
interesting, ill stay away from .dmg
That wouldn't be a wise thing to do... in fact, it would be a little silly IMO.
As was stated, the vast majority of downloadable software (shareware, freeware) for Mac OS comes in the .dmg format.
The article never elaborates on what this "code bug" is or does, nor does it describe what a "vulnerable" machine entails. It really doesn't say much of anything, really.
The most important line of the article I find is this:
Quote:
Originally Posted by Article
The bug has only been proved to work under laboratory conditions. No cases of it being exploited in the wild are known and no users are thought to be at risk.
The second-most important line is this:
Quote:
Originally Posted by Article
It urged users to avoid downloading DMG files, which bear a .dmg suffix, from unknown sources.
The bolded suggestions should be more or less common sense, anyway.:black:

__________________________________________________
Posting and YOU|Forum Community Guidelines|The Apple Product Cycle|Forum Courtesy

mac: a waterproof raincoat made of rubberized fabric
MAC: a data communication protocol sub-layer, also known as the Media Access Control
Mac: a brand name which covers several lines of personal computers designed, developed, and marketed by Apple Inc.

QUOTE Thanks
Zoolook

 
Zoolook's Avatar
 
Member Since: Sep 24, 2006
Location: Brooklyn, New York
Posts: 2,751
Zoolook has much to be proud ofZoolook has much to be proud ofZoolook has much to be proud ofZoolook has much to be proud ofZoolook has much to be proud ofZoolook has much to be proud ofZoolook has much to be proud ofZoolook has much to be proud ofZoolook has much to be proud of
Mac Specs: 15" MacBook Pro, i7 2.66Ghz, 8GB RAM, 512GB SSD; iPad 3, iPhone 5

Zoolook is offline
I like the replies so far, I don't think there is any need for panic.

1stly, a whole bunch of stuff as to happen before there is any serious risk. You have to download a .dmg from an untrustworthy source. Then after executing it and mounting the new files, your machine is potentially vulnerable or unstable. So between you executing the .dmg and any restart someone has to attack your machine, meaning getting around your firewall, knowing your IP address etc.

Secondly, even with the most secure OS in the world, you cannot account for user flaws. Whenever people download shareware or freeware and want to install it and the OS asks for the root password, people happily give it. ANY of these programmes could potentially be dangerous and open the system's back door to intruders.

In the land of the blind, the one-eyed man is stoned to death.
- Joan D. Vinge

QUOTE Thanks
KoDorSean

 
KoDorSean's Avatar
 
Member Since: Jun 03, 2006
Location: Denver Colorado
Posts: 2,374
KoDorSean has a brilliant futureKoDorSean has a brilliant futureKoDorSean has a brilliant futureKoDorSean has a brilliant futureKoDorSean has a brilliant futureKoDorSean has a brilliant futureKoDorSean has a brilliant futureKoDorSean has a brilliant futureKoDorSean has a brilliant futureKoDorSean has a brilliant futureKoDorSean has a brilliant future
Mac Specs: 2.4 GHz intel core 2 duo MBP, iPhone 5, iPad 3

KoDorSean is offline
Quote:
Originally Posted by D3v1L80Y View Post
That wouldn't be a wise thing to do... in fact, it would be a little silly IMO.
As was stated, the vast majority of downloadable software (shareware, freeware) for Mac OS comes in the .dmg format.
The article never elaborates on what this "code bug" is or does, nor does it describe what a "vulnerable" machine entails. It really doesn't say much of anything, really.
The most important line of the article I find is this:The second-most important line is this:The bolded suggestions should be more or less common sense, anyway.:black:
I should have been more clear, my mistake. Ill stay away from .dmg when downloading from unknown sources.


I was on the M-F honor roll for month : May 2007
QUOTE Thanks
Aptmunich

 
Aptmunich's Avatar
 
Member Since: Mar 09, 2004
Location: Munich
Posts: 9,075
Aptmunich has a brilliant futureAptmunich has a brilliant futureAptmunich has a brilliant futureAptmunich has a brilliant futureAptmunich has a brilliant futureAptmunich has a brilliant futureAptmunich has a brilliant futureAptmunich has a brilliant futureAptmunich has a brilliant futureAptmunich has a brilliant futureAptmunich has a brilliant future
Mac Specs: Aluminium Macbook 2.4 Ghz 4GB RAM, SSD 24" Samsung Display, iPhone 4, iPad 2

Aptmunich is offline
The workaround is to turn off the 'open "safe" files after downloading' option in safari.

That stops dmg's from being accidently downloaded and launched without any user interaction.
QUOTE Thanks
Jem

 
Member Since: Aug 16, 2006
Posts: 245
Jem will become famous soon enough

Jem is offline
Quote:
Originally Posted by Zoolook View Post
I like the replies so far, I don't think there is any need for panic.

1stly, a whole bunch of stuff as to happen before there is any serious risk. You have to download a .dmg from an untrustworthy source. Then after executing it and mounting the new files, your machine is potentially vulnerable or unstable. So between you executing the .dmg and any restart someone has to attack your machine, meaning getting around your firewall, knowing your IP address etc.
Hmmm... how sure of this are you? It sounds to me from the article, that what they are referring to is a buffer overrun style attack, possibly in expanding (if that's what it does) or mounting the dmg file. A cleverly coded buffer overrun can result in pre-defined code being executed directly without any further interaction being required.

You are implying that mounting a dmg could cause some kind of server to be temporarily installed and require someone to actively try to contact you at that moment. If a hacker can manage to run up a piece of code to do this, they can certainly manage to do a bit more than that!

However, it would require a privilege escalation style attack before I'd be overly concerned about it and I don't know of any way of escalating privileges myself under OS X (although my knowledge is not comprehensive enough to state this categorically...)

p.s. Aptmunich - thanks for that on the workaround, I guess that helps a little.
QUOTE Thanks
Zoolook

 
Zoolook's Avatar
 
Member Since: Sep 24, 2006
Location: Brooklyn, New York
Posts: 2,751
Zoolook has much to be proud ofZoolook has much to be proud ofZoolook has much to be proud ofZoolook has much to be proud ofZoolook has much to be proud ofZoolook has much to be proud ofZoolook has much to be proud ofZoolook has much to be proud ofZoolook has much to be proud of
Mac Specs: 15" MacBook Pro, i7 2.66Ghz, 8GB RAM, 512GB SSD; iPad 3, iPhone 5

Zoolook is offline
Quote:
Originally Posted by Jem View Post
Hmmm... how sure of this are you? It sounds to me from the article, that what they are referring to is a buffer overrun style attack, possibly in expanding (if that's what it does) or mounting the dmg file. A cleverly coded buffer overrun can result in pre-defined code being executed directly without any further interaction being required.

You are implying that mounting a dmg could cause some kind of server to be temporarily installed and require someone to actively try to contact you at that moment. If a hacker can manage to run up a piece of code to do this, they can certainly manage to do a bit more than that!

However, it would require a privilege escalation style attack before I'd be overly concerned about it and I don't know of any way of escalating privileges myself under OS X (although my knowledge is not comprehensive enough to state this categorically...)
Well I am not certain at all, and neither is anyone else by the looks of it.

My point really is that any attack that requires the user to double click on something and then results in nothing more than a buffer over run, is hardly a major threat. I must admit I didn't know that some users had Safari set up to automatically execute DMG files as soon as they download.

The bottom line is no OS is entirely secure. If all the hackers and trouble makers who mess up WindowsXP every day turned their attention to OS X, then there might be something to worry about.

In the land of the blind, the one-eyed man is stoned to death.
- Joan D. Vinge

QUOTE Thanks
Jem

 
Member Since: Aug 16, 2006
Posts: 245
Jem will become famous soon enough

Jem is offline
Oh sure, I totally agree, no OS is entirely secure and no doubt as Apple gain market share so they will also gain at least a few exploits. Mind you I wouldn't down play a buffer overrun too much, they can be purposefully exploited to do nasty stuff like erasing files without the user even noticing.

OK they're not going to destroy your entire system but they could do enough to cause regular users serious data loss. My most serious concern would really be if they managed to locate an existing privilege escalation loophole and could exploit that through the buffer overrun. Then your system is broken wide open.

And therein lies one of the major advantages of OS X over Windows, in OS X you don't run as root so malicious code can't easily do much system-level harm without you authorizing it.
QUOTE Thanks
fleurya

 
fleurya's Avatar
 
Member Since: Nov 18, 2006
Location: Anytown, USA
Posts: 4,917
fleurya is a name known to allfleurya is a name known to allfleurya is a name known to allfleurya is a name known to allfleurya is a name known to allfleurya is a name known to allfleurya is a name known to all
Mac Specs: 27" iMac 2.7GHz Core i5, iPhone 4S, 3rd gen iPad

fleurya is offline
Quote:
Originally Posted by Jem View Post

And therein lies one of the major advantages of OS X over Windows, in OS X you don't run as root so malicious code can't easily do much system-level harm without you authorizing it.
Thankfully, Windows Vista will have this kind of required authorization as well. I've run RC 1 and 2 and I was kind of annoyed by always putting in my password, but appreciated the beefed up security.
QUOTE Thanks

Post Reply New Thread Subscribe


« Mac problems | .Mac Account »
Thread Tools

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
 
Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are Off
Forum Jump

Similar Threads
Thread
Thread Starter
Forum
Replies
Last Post
Mac Songs The mac 13 Switcher Hangout 7 05-06-2010 12:35 AM
Mac Osx Tiger Classic robert Running Windows (or anything else) on your Mac 6 11-27-2006 07:48 PM
Any Viruses or spyware for mac osx tiger 10.4.4? christm Switcher Hangout 3 01-13-2006 11:34 AM
Mac OSX Tiger does not recognize CANON SD450? superbyul Images, Graphic Design, and Digital Photography 5 12-05-2005 11:38 PM
Virtual PC for Mac OSX Able to cope with MMORPG Games? Frozen Flame OS X - Operating System 4 10-09-2005 09:59 PM

All times are GMT -4. The time now is 04:22 PM.

Powered by vBulletin
Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
X

Welcome to Mac-Forums.com

Create your username to jump into the discussion!

New members like you have made this community the ultimate source for your Mac since 2003!


(4 digit year)

Already a member?