
I’m local, and I’m malicious!

[Note: The following isn't a slam on Apple's security policies, nor am I chiding them for fixing a security hole. I merely found the description of one particular hole and its related fix somewhat funny, so I thought I'd have a bit of fun with it. Read the following as nothing more than a poor attempt at humor after a long day spent writing about security issues...]

Given the relative seriousness of the Leap-A malware/trojan (I put together a pretty straightforward Q&A page for Macworld, too), I thought the following look at the lighter side of security was worth sharing today!

One of the things included in the recent 10.4.5 update (and yes, I've already updated the OS X release dates chart) was a security update for the kernel. Specifically, this update fixed the following exploit:

A malicious local user may trigger a system crash by invoking an undocumented system call. This update addresses the issue by removing the system call from the kernel.
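To make "removing the system call from the kernel" concrete, here is a small toy syscall dispatcher in C. It is an added example written for this page, not Apple's code and not taken from XNU; the syscall numbers, handler names and the `SYS_NR_UNDOC` slot are assumptions made for illustration. In BSD-derived kernels, retired or never-implemented slots in the syscall table conventionally point at a `nosys` handler that just returns ENOSYS, so "removal" means the number still exists but can no longer reach any code that could bring the machine down; the bounds check on the entry path closes the same door for numbers beyond the table.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed toy dispatcher (not XNU code). Every slot is a handler; slots
 * that were removed or never implemented point at sys_nosys, so a retired or
 * unknown number fails cleanly with ENOSYS instead of reaching risky code. */

typedef long (*syscall_fn)(long arg);

/* Default handler for unimplemented or removed numbers. */
static long sys_nosys(long arg) { (void)arg; return -ENOSYS; }

/* Two stand-in "documented" calls with fixed, predictable behaviour. */
static long sys_getpid_toy(long arg) { (void)arg; return 4242; }
static long sys_add_one_toy(long arg) { return arg + 1; }

/* Hypothetical "undocumented" call number. Before the patch this slot would
 * have pointed at a handler that could crash the system; after the patch the
 * slot is simply nosys. */
#define SYS_NR_UNDOC 3

static syscall_fn syscall_table[] = {
    [0] = sys_nosys,
    [1] = sys_getpid_toy,
    [2] = sys_add_one_toy,
    [SYS_NR_UNDOC] = sys_nosys,   /* removed from the kernel */
};

#define NSYSCALL (sizeof syscall_table / sizeof syscall_table[0])

/* Entry point: bounds-check the number, then dispatch through the table.
 * Negative or out-of-range numbers never index the array. */
long do_syscall(long nr, long arg) {
    if (nr < 0 || (size_t)nr >= NSYSCALL)
        return -ENOSYS;
    return syscall_table[nr](arg);
}

int main(void) {
    printf("getpid_toy        -> %ld\n", do_syscall(1, 0));
    printf("add_one_toy(41)   -> %ld\n", do_syscall(2, 41));
    printf("undocumented call -> %ld (ENOSYS is %d)\n",
           do_syscall(SYS_NR_UNDOC, 0), ENOSYS);
    printf("out-of-range 999  -> %ld\n", do_syscall(999, 0));
    return 0;
}
```

Running it shows the two stand-in calls working normally while the retired slot and any out-of-range number both come back as ENOSYS; that is the whole effect of the fix from user space: the call simply stops existing.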

Now don't get me wrong, I think patching security holes is a Very Good Thing. However, in this case, I have to question both the danger of the hole as well as the quality of the related fix. Let's look at the 'hole' and 'fix' in more detail. First, consider malicious, which derives from the word malice. According to Merriam-Webster, malice is the "intent to commit an unlawful act or cause harm without legal justification or excuse." So whoever this person is, they're not around to help you out.

Next, local user. This means the person is directly connected to your Mac. They may be seated directly in front of it, or perhaps they have connected remotely via ssh or telnet. Either way, they've successfully logged into your Mac. This means that they're either someone you trust (you need better friends!) who has an account on your machine, or they're a hacker who has figured out a valid username and password and used that info to log in. So now we have a malicious local user, with some level of access to your Mac.

So just what is this malicious local user going to do now? According to the security notice, they're going to trigger a system crash. That's right. They've gone through all this trouble to gain access to your machine, and now they're going to invoke an undocumented system call and bring the machine down. (If they're physically local, pulling the power cord would do the same thing, and probably cause more damage in the process.) Granted, a crash is never a good thing, but consider this malicious individual again. They're here to cause harm. Probably as much harm as they possibly can. And given that they're logged into your machine, they can probably cause a lot more harm than a simple reboot. File deletion, creating evil symbolic links, installing a keystroke logger, etc. There are a lot of things they could do that are much farther up the 'cause harm' scale than a simple crash.

But nonetheless, we don't need to worry about this particular security issue any longer. Why not? Because Apple fixed it! Yes indeed, they sure did. They fixed it by removing the system call from the kernel. "Hey Doc, my arm hurts!" 'No problem, I'll have that arm off of there in a jiffy!' I'll certainly sleep more soundly tonight, knowing that some malicious local user won't be able to use an undocumented system call to crash my machine!

Security issues are important. They really are; I think today's dialog about Leap-A was good for the Mac community. And I think closing security holes quickly and effectively is also a Very Good Thing, as I stated above. But still, I couldn't resist having a bit of fun with the nature of this particular hole and the related fix.


5 thoughts on “I’m local, and I’m malicious!”

  1. Wow. I'm really surprised to hear you sounding so cynical about the hole that was plugged here. An important facet of computer security is that most substantial security breaches involve multiple security flaws. And a corollary to that assertion is that the logic of "fixing something that already requires a hacker to be logged into your machine is pointless" is flawed.

    Also, if I'm reading this right, a local non-admin user can invoke whatever undocumented system call this is and bring down the system. THAT'S SERIOUS!!! You talk about all the other things a user could do once they're logged into your system, but a non-admin user logged into your system remotely should be able to do no harm whatsoever to anything outside of their own home folder. To be able to bring down the system is a huge security hole and Apple did the right thing to plug it, IMO.

  2. I think Apple is being disingenuous and you're missing the real point.

    An out of control app shouldn't be able to bring your machine down. That's what Apple is patching here, no matter what spin they put on it.

    The risk isn't the scenario you paint. The risk is some piece of software trying to access this undocumented function, and bringing about a kernel panic.

  3. I think you both took me way too seriously :). I realize it was an important issue to fix, and that chains of holes can cause problems, etc.

    But here's the thing ... this is someone who has already managed to login to your machine. If they did so remotely, you have bigger issues than a simple crash, even if they're logged in as a non-admin. I mean, seriously, if someone took the trouble to connect, they're interested in more than crashing your box.

    And if they're physically local ... well, let's just say that if I have physical access to someone's Mac and I'm malicious, I will always have in my possession an OS X system disk. With that, and physical access, there are no limits on what I might be able to do to your machine.

    So on the risk scale, I just found it somewhat low. I also thought the wording was funny, as I pictured this mean-looking guy, sitting in front of a Mac, looking over his shoulder as he maliciously crashes your machine. Since I spent so much of yesterday working very seriously on a piece of software that had potentially much wider security implications (even if it didn't take advantage of an OS X security hole), I thought I'd have a bit of fun with this particular fix.

    Apparently I should have been more clear about my intent -- just to have a bit of fun to blow off some steam. Nothing more, nothing less. Sorry to have made anyone think that I do not take security issues seriously. I do, and I'm very glad Apple patches every hole they find, as quickly as possible. I'll add another note to the beginning of the story to make this even clearer.

    Thanks for the feedback;
    -rob.

  4. "But here’s the thing … this is someone who has already managed to login to your machine"

    It's not just people that call this undocumented function, it's software. Maybe someone put in a call to it in a piece of dubious shareware that you downloaded... so it's you that inadvertently brings your machine down.

    Also, removing undocumented functions is not the same as amputating your arm.... more like removing your appendix when you get appendicitis.

  5. The description is likely to be reported as a crash because no root exploits were discovered or reported. In general you shouldn't just assume that a crash report has no further consequences. Remember it is in Apple's best interests to downplay the severity and since it is patched, there is little risk in doing so. If an unauthenticated user can bring down the system, it is likely that more controlled exploits are also possible. When seen in the light of the recent Oompa-Loompa trojan, you can see the danger.
