Apple says new OS X security exploit not a big deal: discoverers decide to make it a big deal
In “Security glitch exposes OS X account passwords,” News.com reports on a newly discovered vulnerability in the way OS X stores username and password info during the login process. The exploit was discovered by the appropriately named Jacob Appelbaum, a San Francisco-area programmer who dropped this “bomb” on Apple February 5th:
“This is a real problem and it needs to be fixed,” said … Appelbaum. He said he disagreed with the company’s [Apple’s] response: “They won’t put it in the latest security update or release a security update just for this issue.”
But like most Mac OS X security “threats” discovered in the past 6 or so years, this one is more or less benign. First, an attacker needs physical access to your computer. That pretty much takes the “scary” factor out of the equation here for me. Second, the person doing this exploit would need to know how to get your data by doing one of the following:
“plugging an iPod into a Firewire port to extract the contents of memory, rebooting the computer and running a memory-extractor over the network or from removable media, or physically ripping out the DRAM chips and inserting them into another computer. (Setting a firmware password can guard against the rebooting-attack threat.)”
Who the hell do you know that is able to do any of those things? Odds are, if someone has your computer, and knows how to do that, then you’re f–ked, any way you slice it. But the odds of anyone knowing how to do that are pretty slim, right? Well, for the next couple months at least.
Making a mountain out of a mole hill
When made aware of this “problem”, Apple’s official response was:
“We’re aware of this locally exploitable vulnerability, and we’re working to fix it in an upcoming software update. While no operating system can be 100 percent immune, Apple has a great track record of addressing potential vulnerabilities before they can affect users.”
Well, Apple has about 2 months to do so. That’s when Appelbaum and his friends will release the EFI memory scraper and other utilities they used to perform the exploit on the web. I’m not sure why they would want to do this. The term “release” implies to me they are not charging for it, so it may simply be for hacker street cred. But the point is, suddenly a lot more people almost as smart as Appelbaum, but without his presumably altruistic nature, will have access to the tools to run this exploit, and that’s not good. Here’s hoping Apple takes Appelbaum’s warning seriously in the next couple weeks.
Stop the madness!!! This just might start me smoking again. Just who would be open to this exploit?
He basically told you how you can do it. Ripping out the DRAM isn’t that hard unless you are on a notebook.
These guys can’t be serious… but what I do find serious is that they are putting out the utilities to do the exploit. That to me is a crime… but then again, the must physically have access just makes me laugh. Morons!
So first they must break into my house, office, or car, and then they must steal my laptop, or sit at the scene of the crime with my desktop? Hackers don’t tend to be the get off your butt to break and enter sort of type… not for my visa card and a $1000 spending limit.
So, someone, with definite malicious intent towards me, has physical access to my laptop, and instead of just *stealing* it, they go jump through hoops and just get my password? I like security as much as the next guy, but this is indeed making a mountain out of a molehill…
Uhh… if you’re going to type your password, *of course* it has to be stored in memory at some point. Otherwise, how exactly would the computer know what you had just typed in? I think this is Not A Bug.
–Quentin