I think we're in trouble...

[cradom]

First OSX Bootkit Revealed - Slashdot

From the article:

"Hudson's bootkit takes advantage of a vulnerability in how Apple computers deal with peripheral devices connected over Thunderbolt ports during a firmware update. In these cases, the flash is left unlocked, allowing an Option ROM, or peripheral firmware, to run during recovery mode boots. It then has to slip past Apple's RSA signature check. Apple stores its public key in the boot ROM and signs firmware updates with its private key. The Option ROM over Thunderbolt circumvents this process and writes its own RSA key so that future updates can only be signed by the attacker's key. The attack also disables the loading of further Option ROMs, closing that window of opportunity."

 

[harryb2448]

Once again the joy of a bootable USB thumb drive with operating system installed.

 

[chas_m]

How often do you plug in Thunderbolt devices that you didn't purchase from a legit vendor?

Or, alternatively, how often do you let people come in while you're signed in to your computer and let them plug in unknown Thunderbolt devices?

Because those are the only two vectors of attack. So if that number is any higher than once, you're just asking for trouble. If it is once or lower, then you're completely safe.

 

[vansmith]

The Option ROM over Thunderbolt circumvents this process and writes its own RSA key so that future updates can only be signed by the attacker's key. The attack also disables the loading of further Option ROMs, closing that window of opportunity."

This is the dangerous part - it's not just the control but the ability to continue circumvention.

I'm sure the response of many ardent supporters will be that this is a proof of concept and that it requires physical access (thus minimizing the importance of the exploit) but nonetheless, it's clear that more work is being done (and thankfully so) to poke away at the notion that OS X is infinitely more secure than everything else. Honestly, the more this happens, the better it is for us the users.

 

[Dysfunction]

If I have physical access to your machine, I PWN it. Period. It does not matter which vendor, or operating system.

Secure your computers, this (btw) has always been the case.

 

[cradom]

I predict this will not be a good year for Apple: Glitch In OS X Search Can Expose Private Details of Apple Mail Users - Slashdot
I'm finding things everywhere.

 

[vansmith]

I'm finding things everywhere.

Absolutely agreed. While I think that headline for that article is sensational (I'm not sure I'd call my OS version and IP address a private detail), it does point to a bug that ought to be fixed quickly.

General rant: Most of these complaints seem to be levied at both OS X and iOS. iOS, from where I sit, hasn't decreased in quality significantly (in fact, I think it's improved) but OS X has lost its exceptionalism. To this day, Handoff remains extraordinarily flaky, AirDrop works if the sun is at a perfect 60° angle to where I am and only then and AirPlay is possessed. These features on iOS though work wonderfully. Methinks that Apple has put too high a priority on iOS.

 

[cptkrf]

General rant: Most of these complaints seem to be levied at both OS X and iOS. iOS, from where I sit, hasn't decreased in quality significantly (in fact, I think it's improved) but OS X has lost its exceptionalism. To this day, Handoff remains extraordinarily flaky, AirDrop works if the sun is at a perfect 60° angle to where I am and only then and AirPlay is possessed. These features on iOS though work wonderfully. Methinks that Apple has put too high a priority on iOS.

Agreed. This year I have seen Win XP bsod's on OSX for the first time, required Win 98 like reboots to fix something and such like stuff. I am afraid that sales is overiding engineering in the post Jobs Apple.

 

[vansmith]

I had my machine slow to a crawl last night converting video files which normally didn't happen with Mavericks. This is another issue in my list of things that I've come to terms with. In fact, I've come to terms with the idea that this is par for the course with Yosemite until the wrinkles get ironed out (if at all). I wonder if this is why I'm using my iPad more often now as iOS has, in my opinion at least, only gotten better on the whole (especially now that Office is available for it).

Don't get me wrong - I still think OS X is great...it's just not better to the same extent that it used to be.

 

[dbm]

iOS 8 was a huge change as we all know, and I recall stories at the time reporting that the OSX team had been co-opted into helping out the iOS team so the launch schedule could be met.

I think we are seeing those chickens come home to roost now, with the under-resourced Yosemite showing some chinks in its armour. I'm sure it will stabilise, or next year's release will be much better at the very least.

But iPhones and iPads are Apple's gateway products, so I can understand why they have been prioritised.

 

[chas_m]

If I have physical access to your machine, I PWN it. Period. It does not matter which vendor, or operating system.

Secure your computers, this (btw) has always been the case.

This is what I've been saying, The USB exploit this is built off of has been around for a long time (since, well, USB came around). Physical access to a machine has always equalled the possibility of compromised security since before the first keylogger was invented.

I'm saying that this is really nothing new, and that it doesn't really affect most users. If you're in an office, dealing with sensitive information, obviously then this affects you more than the rest of us, and precautions should be taken.

As I've always said in my Mac computer classes for going on 20 years now -- whether you work for the CIA or you just have nosey relatives in your home, it's a sound idea to have an automatic logout that requires a password to re-enter if you routinely step away from your computer.

 

[Dysfunction]

As I've always said in my Mac computer classes for going on 20 years now -- whether you work for the CIA or you just have nosey relatives in your home, it's a sound idea to have an automatic logout that requires a password to re-enter if you routinely step away from your computer.

Mine are all set to require login on screen on, screensaver halt, and wake. Also have hot corners set up for two of those 4. Then again, when I would find coworkers who didn't lock their Unix machines I would do things like..


echo "logout" >> .login

Or just change their runlevel to 6.