This story was printed from silicon.com, located at http://www.silicon.com/

Story URL: http://software.silicon.com/malware/0,3800003100,39162900,00.htm


Mac OS X exploit in the wild
Multiple-user Macs most at risk...

By Joris Evers

Published: Tuesday 03 October 2006

Computer code that exploits a flaw in Apple's Mac OS X was released over the weekend.

The code takes advantage of a weakness in core parts of Mac OS X and could let a user gain additional privileges. Apple provided a fix for the error-handling mechanism of the kernel last week but the exploit appears to have been authored before then.

Dino Dai Zovi, a researcher with Matasano Security who was credited by Apple with discovering the flaw when the patch was released, said: "It appears to have been written well before the vulnerability was fixed. It appears to be a zero-day exploit and may have been distributed before the patch was released."

Apple representatives did not immediately return calls for comment.

Public exploits, while common for Microsoft's Windows, are a rarity for Mac OS X. Dai Zovi said: "More people are looking for vulnerabilities in Mac OS X."

The vulnerability could be exploited by a local attacker or someone with privileges to remotely log on to a machine. Macs that are used by multiple people as well as servers with remote access capabilities are most at risk, experts said. A user with limited privileges could exploit the flaw to possibly gain full system access.

Dai Zovi added: "The risk presented by this exploit is limited by the fact that it can only be exploited by a logged-in user, although the user may also be logged in remotely. The issue is also mitigated by the fact that a patch has already been released."

Mac OS X by default checks for updates weekly, which means most Mac OS X systems will not be vulnerable much longer.

The exploit as it was publicly released does not do anything destructive; instead, it runs the "/usr/bin/id" utility to show that the user enjoys full administrator privileges.

Matthijs van Duin, creator of the exploit, said: "I can then make it do anything I want. An ill-intended person with at least some skill could modify it to spawn a root shell."

Dai Zovi agreed - a knowledgeable user can easily replace or modify the exploit payload to run a full-access root shell, he said.

Joris Evers writes for CNET News.com

