Apple says new OS X security exploit not a big deal: discoverers decide to make it a big deal - Macenstein

Apple says new OS X security exploit not a big deal: discoverers decide to make it a big deal

In, Security glitch exposes OS X account passwords, News.com reports on a newly discovered vulnerability in the way OS X stores username and password info during the login process. The exploit was discovered by the appropriately named Jacob Appelbaum, a San Francisco-area programmer who dropped this “bomb” on Apple February 5th:

“This is a real problem and it needs to be fixed,” said … Appelbaum. He said he disagreed with the company’s [Apple’s] response: “They won’t put it in the latest security update or release a security update just for this issue.”

But like most Mac OS X security “threats” discovered in the past 6 or so years, this one is more or less benign. First, an attacker needs physical access to your computer. That pretty much takes the “scary” factor out of the equation here for me. Second, the person doing this exploit would need to know how to get your data by doing one of the following:

“plugging an iPod into a Firewire port to extract the contents of memory, rebooting the computer and running a memory-extractor over the network or from removable media, or physically ripping out the DRAM chips and inserting them into another computer. (Setting a firmware password can guard against the rebooting-attack threat.)”

Who the hell do you know that is able to do any of those things? Odds are, if someone has your computer, and knows how to do that, then you’re f–ked, any way you slice it. But the reality of anyone knowing how to do that are pretty slim, right? Well, for the next couple months at least.

Making a mountain out of a mole hill

When made aware of this “problem”, Apple’s official response was:


“We’re aware of this locally exploitable vulnerability, and we’re working to fix it in an upcoming software update. While no operating system can be 100 percent immune, Apple has a great track record of addressing potential vulnerabilities before they can affect users.”

Well, Apple has about 2 months to do so. That’s when Appelbaum and his friends will release the EFI memory scraper and other utilities they used to perform the exploit on the web. I’m not sure why they would want to do this. The term “release” implies to me they are not charging for it, so it may simply be for hacker street cred. But the point is, suddenly a lot more people almost as smart as Applebaum, but without his presumably altruistic nature, will have access to the tools to run this exploit, and that’s not good. Here’s hoping Apple takes Appelbaum’s warning seriously in the next couple weeks.

Comments
6 Responses to “Apple says new OS X security exploit not a big deal: discoverers decide to make it a big deal”
  1. Van Souza says:

    Stop the madness!!! This just might start me smoking again. Just who would be open to this exploit?

  2. Snorrblitz says:

    He basically told you how you can do it. Ripping out the DRAM isn’t that hard unless you are on a notebook.

  3. eyerhyme says:

    these guys can’t be serious… but what I do find serious is that they are putting out the utilities to do the exploit. That to me is a crime… but than again, the must physically have access just makes me laugh. Morons!

  4. odin says:

    So first they must break into my house, office, or car, and then they must steal my laptop, or sit at the scene of the crime with my desktop? Hackers dont tend to be the get off your butt to break and enter sort of type… not for my visa card and a $1000 spending limit.

  5. Nathan says:

    So, someone, with definite malicious intent towards me, has physical access to my laptop, and instead of just *stealing* it, they go jump through hoops and just get my password? I like security as much as the next guy, but this is indeed making a mountain out of a molehill…

  6. Quentin Smith says:

    Uhh… if you’re going to type your password, *of course* it has to be stored in memory at some point. Otherwise, how exactly would the computer know what you had just typed in? I think this is Not A Bug.

    –Quentin

Leave A Comment

ADVERTISE ON MACENSTEIN

Click here to inquire about making a fortune by advertising your game, gadget, or site on Macenstein.