How to mitigate CVE-2015-1130 (Hidden Backdoor with Root) given the lack of Apple support?

6

This concerns CVE-2015-1130, aka Hidden backdoor API to root privileges in Apple OS X. It appears Apple has refused to fix it on OS X 10.9 and earlier. Emil Kvarnhammar, who reported this vulnerability to Apple, states:

Apple indicated that this issue required a substantial amount of changes on their side, and that they will not back port the fix to 10.9.x and older.

I have an OS X 10.8.5 machine and an OS X 10.9 machine. I can't upgrade either computer because of requirements outside of my control and Apple's.

Absent Apple patching operating systems before 10.10, how can we mitigate this on OS X 10.8 and OS X 10.9 machines?

    
posta jww 10.04.2015 - 20:18
fonte

2 answers

3

I would say it simply isn't possible.

Apparently it took Apple months of effort to close this door. They expressly asked the reporter to keep the agreed embargo period on the announcement long, in order to give them enough time to fix it before it became public. They say the reason for not back-porting to earlier operating systems is the enormous amount of effort required.

If they can't do it, I doubt anyone else can.

If it could be even slightly mitigated by any action on your part, I'm fairly sure they would have issued advice about it.

    
risposta data 11.04.2015 - 11:53
fonte
-1

This is not a mitigation, but it may help get the problem fixed.

Below is the complaint filed with the FTC. Others should consider filing a complaint as well, in an effort to get the problem fixed. Apple can brush off users like you and me, but they will have a harder time with agencies like the FTC.

Complaints can be filed with the FTC using the Complaint Assistant under Internet Services, Online Shopping, or Computers.

I purchased a MacBook Pro in 2012. It was customized and cost approximately $3,500. The MacBook runs the OS X 10.8.5 (Mountain Lion) operating system.

Apple's OS X operating systems recently suffered a major security defect known as a vulnerability in computer security. The security defect CVE is CVE-2015-1130 (cf., https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1130), and it's also known as Hidden Backdoor with Root. "Root" is a term for having full administrative control over a computer; and when a bad guy "gets root" it's like prison inmates acquiring a master key to a prison.

It appears Apple has refused to fix the security defect in OS X 10.9 and below. According to the researcher who discovered and reported the issue "Apple indicated that this issue required a substantial amount of changes on their side, and that they will not back port the fix to 10.9.x and older" (cf., https://truesecdev.wordpress.com/2015/04/09/hidden-backdoor-api-to-root-privileges-in-apple-os-x/).

I feel Apple deceived me when they claimed OS X 10.8 was the "safest and most secure" [sic] operating system. In reality, Apple's software had this security defect dating back to at least 2011. In fact, Apple still claims the entire OS X family is safe and secure though we know it's not (cf., https://www.apple.com/osx/what-is/security/).

I also feel Apple failed in their obligation to warrant their defective product. I understand security bugs happen. But when they do, they are usually promptly fixed. It is not the case with Apple and CVE-2015-1130.

OS X 10.9, 10.8, 10.7 and 10.6 are generally considered "contemporary" and make up approximately 55% of the OS X market share. OS X 10.9 and 10.8 have a 35% market share. (cf., http://www.intego.com/mac-security-blog/os-x-market-share-statistics-1-in-5-macs-still-unsupported/).

And a counterpoint in case it arises during debate: I don't want to upgrade to OS X 10.9. There's too much iCloud integration. I don't trust iCloud or putting a Keychain in the iCloud, so I don't accept the risk. Also, I don't want to be a beta tester for new features.

If Apple claims I agreed to upgrades through [generally obscene] Terms of Service forced upon me, then they are wrong. There was no "meeting of the minds" and no "manifestation of assent" (cf., Zappos.com Inc., Customer Data Security Breach Litigation (MDL No. 2357), U.S. District Court, District of Nevada). And at the time I purchased the MacBook, OS X 10.9 did not exist. So it's a stretch to claim I agreed to an upgrade for a non-existent operating system.

Apple is clearly deceiving us (the consumers) when representing the product, failing to meet its obligations to us (the consumers) by warranting the product, and we (the consumers) need the FTC's help here.

The remedy I demand is a patch for the defective operating system. A patch is what every other major operating system manufacturer provides. I'm not interested in a refund of my money because I need the MacBook on occasion for both personal use (play the music and movies from my iTunes library) and professional use (iPhone/iPad development).

    
risposta data 13.04.2015 - 06:48
fonte
