Worm Threat Forces Apple To Disable Software?

Posted by Zonk
from the batten-down-the-hatches dept.
SkiifGeek writes "After the debacle that surrounded the announcement and non-disclosure of a worm that targets OS X, the vulnerability in mDNSResponder may have forced Apple to remove support for certain mDNSResponder capabilities with the recently released Security Update 2007-007. 'Seeming to closely follow the information disclosed by InfoSec Sellout, Apple's mDNSResponder update addresses a vulnerability that can be exploited by an attacker on the local network to gain a denial of service or arbitrary code execution condition. Apple goes on to identify that the vulnerability that they are addressing exists within the support for UPnP IGD... and that an attacker can exploit the vulnerability through simply sending a crafted network packet across the network. With the crafted network packet triggering a buffer overflow, it passes control of the vulnerable system to the attacker. Rather than patching the vulnerability and retaining the capability, Apple has completely disabled support for UPnP IGD (though there is no information about whether it is only a temporary disablement until vulnerabilities can be addressed).'"
  • by Anonymous Coward on Friday August 03, 2007 @12:17PM (#20102701)
    Come here Apple fanboys-and-girls. Lunch is served.
    • Re: (Score:3, Funny)

      by teknopurge (199509)
      I wonder who wrote the UPnP spec - perhaps they are the ones at fault? (*cough*BILL GATES' University of chair-throwing throwers*cough*)
      • Re: (Score:3, Informative)

        by BuhDuh (1102769)

        I wonder who wrote the UPnP spec - perhaps they are the ones at fault? (*cough*BILL GATES' University of chair-throwing throwers*cough*)

        I don't think the issue is the spec, it's the asinine cute features that M$ decided to implement. Like UPnP, BHO, etc etc. Maybe we should follow Apple's example, and eliminate all vulnerabilities by disabling the TCP/IP stack?

        • Re: (Score:2, Funny)

          by joeytmann (664434)
          GO APPLETALK!
        • Re: (Score:2, Informative)

          by teknopurge (199509)
          Looks like Apple just followed Wikipedia [wikipedia.org]:

          Problems with UPnP
          * UPnP uses HTTP over UDP (known as HTTPU and HTTPMU for unicast and multicast), even though this is not standardized and is specified only in an Internet-Draft that expired in 2001. [1]
          * UPnP does not have a lightweight authentication protocol, while the available security protocols are complex. As a result, many UPnP devices ship with UPnP turned off by default as a security measure.

        • Re: (Score:3, Informative)

          by Nullav (1053766)
          You mean like how MS crippled the stack in SP2 by lowering the cap on half-open connections to 10 to slow worm propagation? (I know there are times when a solution isn't always immediately obvious, but I'd rather not have my OS force me to live in a bubble.)
          • What I loved about M$ crippling the stack was that if you do the math/iterations, any worm could still propagate within 60 seconds or so making the move ineffective at best.
    • by fermion (181285) on Friday August 03, 2007 @03:58PM (#20106229) Homepage Journal
      This is what should happen. Fix it, or remove the feature, or at least make it optional. This is what Apple normally does. It does not ship with all ports open and sharing on.

      I hope this indicates a return to sensibility at Apple. Lately they are trying so hard to be like MS, that the security has suffered. Can't turn off HTML in email is at the top of my security vulnerabilities.

    • by LKM (227954)
      Why do the Apple haters have to turn every /. article about Apple vulnerabilities into a braindead hatefest? It makes the discussions useless and unreadable. Please stop. Thanks.
  • News at 11... (Score:5, Insightful)

    by maztuhblastah (745586) on Friday August 03, 2007 @12:20PM (#20102747) Journal
    Researchers find hole, act like 1337 733ns about it. Company can't be sure that they've fixed hole, so they temporarily disable the reportedly-vulnerable function.

    Yawn.
    • UnPlug n Play
    • Re: (Score:2, Informative)

      by owndao (1025990)
      Yawn, truly. If one reads the Apple patch notes they say quite plainly:

      mDNSResponder
      CVE-ID: CVE-2007-3744
      Available for: Mac OS X v10.4.10, Mac OS X Server v10.4.10
      Impact: An attacker on the local network may be able to cause a denial of service or arbitrary code execution
      Description: A buffer overflow vulnerability exists in the UPnP IGD (Internet Gateway Device Standardized Device Control Protocol) code used to create Port Mappings on home NAT gateways in the Mac OS X implementation of mDNSResponder. By sending a maliciously crafted packet, an attacker on the local network can trigger the overflow which may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by removing UPnP IGD support. This issue does not affect systems prior to Mac OS X v10.4.

      If one reads the entire note there were other, more noteworthy, bugs addressed rather than one that would take great care to craft and would have to be deployed on your LAN. Also, the derogatory terms used to refer to people who have an operating system preference are reminiscent of my three year old calling someone "poopie butt." Save us all.

  • I'm not opposed to temporarily disabling functionality to fix something potentially disastrous. However, I do hope Apple doesn't make it a practice of just turning things off once exploits are found. Turn it off, patch it, then re-enable it is fine by me.
    • by Rosyna (80334) on Friday August 03, 2007 @12:39PM (#20103057) Homepage

      I'm not opposed to temporarily disabling functionality to fix something potentially disastrous.
      There are three options when implementing UPnP:

      1. Implement it to Microsoft's spec.
      2. Implement it correctly (by choosing a direction in places the spec contradicts itself or real implementations).
      3. Implement it securely.

      Choose only one.

      I do not think it is possible to implement UPnP securely and have it based on the spec. Also, the specific code they removed existed only for legacy NAT traversals and may not even be needed any more.
      • by frdmfghtr (603968) on Friday August 03, 2007 @01:41PM (#20104037)

        I'm not opposed to temporarily disabling functionality to fix something potentially disastrous.

        There are three options when implementing UPnP:

        1. Implement it to Microsoft's spec.
        2. Implement it correctly (by choosing a direction in places the spec contradicts itself or real implementations).
        3. Implement it securely.

        Choose only one.

        I do not think it is possible to implement UPnP securely and have it based on the spec. Also, the specific code they removed existed only for legacy NAT traversals and may not even be needed any more.
        Is this the same UPnP capability that the FBI recommended disabling [pcworld.com] in any Windows environment due to security issues quite some time ago?
        • by sokoban (142301)
          Yes, it is. mDNSresponder has had numerous security problems in the past, but Apple has more or less just been playing "whack-a-mole" with the vulnerabilities. Hopefully, this will lead to some real fixes in the underlying code. When I heard about the whole infosec sellout thing, first thing I did was to disable mDNSresponder in the terminal. It's pretty trivial to do, and if you have something that NEEDS UPnP to function, you can always manually install the previous version or whatever.
          • by Tony Hoyle (11698)
            mDNSResponder is primarily for Rendezvous/Zeroconf/whatever it's called this week. That's what OSX uses itself and is what is implemented in printers etc. If they've hacked in UPNP capability (rather a shame, as Rendezvous is a far nicer protocol) then it's no surprise you get issues.
  • Um, so ? (Score:5, Insightful)

    by Space cowboy (13680) * on Friday August 03, 2007 @12:22PM (#20102785) Journal
    Apple find a vulnerability (before the worm is announced, according to TFA), and remove that vulnerability in their next security update.

    I'm guessing there's a regular scheduled security update process in Apple. If you can't fix it in time for the next patch-release, isn't it *better* to temporarily disable it? I really doubt it's a permanent removal of the feature - they're just being responsible.

    Simon.
  • ITS A LIE (Score:3, Funny)

    by Conor Turton (639827) on Friday August 03, 2007 @12:23PM (#20102799)
    I'm sorry but the article must be a lie. The Apple fanboys assure me that there's no risk of vulnerabilities. Therefore, the article is wrong - it does not exist.
  • OT but... (Score:2, Informative)

    by Anonymous Coward
    I often wonder why the British (and now some Americans) say "Apple go on to identify..." Apple is ONE company. Shouldn't that be the singular "Apple goes on to identify"? If it were both Apple and Microsoft then indeed it would be "Apple and Microsoft go on to identify".

    Yes, Apple is made up of many people; but my car is made up of many parts. You don't say "my car need gas" do you?

    This perplexes me, can someone explain it? Sorry if it's completely OT (except that this (to me) error is in the blurb).

    -mcgre
    • Re: (Score:3, Informative)

      by Space cowboy (13680) *
      Companies are generally considered to be plural entities in "real" English [grin]. I suppose we put a higher value on a collection of humans compared to a collection of metal parts...

      If you prefer, consider mentally replacing "Apple" with "the people who work at Apple"...

      Simon
      • by cHiphead (17854)
        In the US corporations are given status as a legal 'entity' not 'entities', ergo there does exist a tolerable bit of logic to use singular in this case.

        Cheers.

        • by delire (809063)

          In the US corporations are given status as a legal 'entity' not 'entities'
          Correct, and while they have similar legal rights as individuals they have a gazillion times the power. A recipe for disaster but that's a story for another day.

          Recommended reading [thecorporation.com].
      • You have to be kidding. Just because a company represents plural people, doesn't mean you treat it as plural. A herd of buffalo is many buffalo, but it is a single herd.

        You remind me of the soulless boogers that treat the word "data" as plural ("The data are coming from the internet").
    • cf. police

      it hearkens back to the day when a company was just that, a company. nowadays, the most important thing about a company is that it is a legal entity, not that it consists of people. but i shouldn't get started on that...
  • by zariok (470553) on Friday August 03, 2007 @12:24PM (#20102815)
    So an "apple" is threatened by a "worm"... you don't say.

    • by IgLou (732042)
      I really thought this story was going to be about bioengineering and not computing. I think one aspect of my reality blurred somewhere.
  • Hmmm... (Score:3, Interesting)

    by catdevnull (531283) on Friday August 03, 2007 @12:24PM (#20102831)
    Isn't mDNSResponder an Open Source package ported for OS X?

      http://developer.apple.com/opensource/internet/bonjour.html [apple.com]

    Is Apple the developer of mDNSResponder or are they just using it?
    • Re:Hmmm... (Score:5, Informative)

      by shawnce (146129) on Friday August 03, 2007 @12:35PM (#20103021) Homepage
      An Apple employee (Stuart Cheshire [stuartcheshire.org]) is one of the authors of the RFC(s) related to mDNS [multicastdns.org], etc.

      mDNSResponder originated from Apple.
      • by shawnce (146129)
        I should note that UPnP was in many ways a parallel effort by Microsoft and others.
    • The ZeroConf standards began life when Apple started switching from AppleTalk to IP for networking. There were a few things that IP couldn't do that AppleTalk could, so they started working on a way of implementing them on top of IP. These were submitted to the IETF, and approved. They implemented them in mDNSResponder and branded them 'Rendezvous.' One trademark lawsuit later, they re-branded them as 'Bonjour.' They also released the mDNSResponder code under a permissive license, to encourage the adop
  • by Night Goat (18437) on Friday August 03, 2007 @12:26PM (#20102857) Homepage Journal
    Hey Zonk, how about using more reputable sources than one guy's blog for your links? I know they were picked by the submitter, but linking only to a blog and then putting a question mark after the headline is sketchy. I can't put much faith in the article if I can't be sure that it's not just a blogger talking out of his ass.
  • Although I can understand the "secure-by-default" ethos, it would seem to me that some people could leave the vulnerable service active because they only use their computer in a firewalled physical LAN environment. Does this update come with a new preference panel entry to re-enable this mDNS service?
  • by Opportunist (166417) on Friday August 03, 2007 @12:31PM (#20102945)
    I mean, it was a given that, given increasing market share, Apple becomes interesting for malware. No system is 100% secure.

    But at least they decided that it's better to disable the feature and minimize the damage to the net as a whole (and yes, even if you don't have an Apple, a worm damages you by clogging your tubes with packets trying to spread itself). MS decided that it's better to keep the insecure service up and running 'til it can be addressed.

    Question for 100: Still getting sober/blaster packets? I do.
    • Re: (Score:3, Insightful)

      by GWLlosa (800011)
      The reason Apple disables features where Microsoft doesn't has more to do with their target audience than any kind of company 'ethos'. If MS advises people that vulnerabilities exist with and , and proceeds to disable them, actual businesses that rely on features and will be very upset and potentially out a pile of money. Instead, MS advises of the vulnerability, so that these businesses can instead rely on their IT guy hardening the system against the vulnerability (seal the appropriate port on the fi
      • Would be news to me that MS cares whether a company using its product suffers productivity loss.

        My guess is that it was simply more convenient to do NOTHING. And this security hole (and disabling it) is far from a product-crippling effect that you describe. More accurately, it would be a bug in Office's Thesaurus and disabling it. Yes, it would inconvenience some people, but it's far from crippling the product into uselessness.
      • Re: (Score:3, Informative)

        by Chang (2714)
        Microsoft has done this with their products before.

        Outlook was plagued by viruses and Microsoft responded by releasing a patch that simply refused to allow the user to open certain types of attachments. There was no override in the original version of the patch.

        http://www.slipstick.com/outlook/esecup.htm [slipstick.com]

        When Exchange 5.5 was targeted by reverse-NDR spam attacks Microsoft shipped a patch that allowed the user to simply turn off non-delivery reports. Unfortunately the patch didn't work as described on many
        • by GWLlosa (800011)
          Each of the links you supplied seems to indicate that the user was able to 're-enable' said features in a relatively straightforward way (although the initial outlook patch was missing this, it was added). Is this the case for the Apple feature in question? I have no idea.
        • by Weedlekin (836313)
          Microsoft also removed some standard capabilities from raw sockets in XP SP2 to make it less suitable as a platform for launching certain types of attacks. Unfortunately, this didn't make it any less vulnerable to somebody who was launching said attacks against XP SP2, but it did manage to disable network security testing such as NMAP, thereby preventing admins from using XP SP2 as a platform for ensuring that networks containing other XP SP2 machines weren't vulnerable to that type of attack in the first p
      • "I mean, imagine the fallout if there was a bug that allowed malformed MS word documents being loaded by Office 2007 to result in security issues, and Microsoft responded by disabling the load feature."

        Apple didn't disable Bonjour, they disabled one of the components of Bonjour. That's not like disabling loading, it's like refusing to load certain files.

        There was a bug that allowed autoexec macros in MS Word documents being loaded by Office 97 to result in security issues, so Microsoft responded by making i
        • by Rosyna (80334)

          Apple didn't disable Bonjour, they disabled one of the components of Bonjour. That's not like disabling loading, it's like refusing to load certain files.
          Actually, it's not even really a component of Bonjour. It just happened to be a service in the mDNSResponder process, which also does Bonjour. Non-Mac OS X mDNSResponder clients do not have this recently disabled UPnP service.
      • I mean, imagine the fallout if there was a bug that allowed malformed MS word documents being loaded by Office 2007 to result in security issues, and Microsoft responded by disabling the load feature.

        Consumers: Computer is patched En Masse, network as a whole is protected.

        Company: Would note that vulnerability disables something they use, so they simply would not deploy the patch. Companies have control over Microsoft patches unless they are very small, and if they are that small they are probably not go
    • Now will Apple disable "Open Safe Files after Downloading" in Safari, or at the very least stop treating SOFTWARE INSTALLERS, ZIP ARCHIVES, and DISK IMAGES as "Safe" files? OK, this isn't a Mack Truck sized hole like ActiveX (you can only drive *small* trucks through it) but it's still vastly dumb.
  • by mcrbids (148650) on Friday August 03, 2007 @12:32PM (#20102969) Journal
    Yes, I understand that there are certainly dissenting opinions here. But (IMHO) the thing that most Slash-bots complain about is that Microsoft will

    A) Pick a feature that's dumb. (like embed a scripting language into an image format, or give a spreadsheet scripting language access to the filesystem)

    B) Choose to preserve the dumb feature in spite of known security problems.

    C) Treat the resulting backlash as a "PR issue" rather than a technical one.

    D) Sometimes, if the backlash gets bad enough, they'll hack in security restrictions in response to specific known implementations that take advantage of the vulnerability rather than fix the vulnerability. EG: fixes that look for a XXX worm trace, rather than fix the thing that XXX worm exploits. (See anti-virus [wikipedia.org])

    Apple is doing the right thing, here, folks! It may or may not be that the feature mentioned is analogous to (A) above. Either way, Apple is choosing security over features, even though features are important.

    • Re: (Score:3, Interesting)

      by Ash-Fox (726320)

      Apple is doing the right thing, here, folks!
      Yes, because disabling support for the standard Internet Gateway Device support which software uses to seamlessly set up port forwarding on NAT systems etc. and having the user do it manually is good.

      Many, many programs use IGD, from Instant Messengers to games.

      Sorry, I cannot agree that it is the right thing.
    • I'm tech-savvy enough to understand everything being discussed, but what is the potential impact of Apple's actions? From what I understand they are disabling (temporarily) their support for UPnP. This may affect routers and gateways. Are they disabling a function that is important or something that is barely used or somewhere in between? I've disabled UPnP on my router and Windows PC so would this even affect me?
  • by czmax (939486) on Friday August 03, 2007 @12:40PM (#20103071)
    If you follow the link to the Apple security update page there are actually two vulnerabilities associated with UPnP IGD. For one of them Apple indicates that "this update addresses the issue by performing additional validation when processing UPnP protocol packets in iChat". For mDNSResponder Apple indicates "this update addresses the issue by removing UPnP IGD support."

    Clearly something is unclear since iChat is obviously still using UPnP IGD, likely as a client?

    But why is the mDNSResponder using UPnP IGP anyway? mDNS is for service discovery etc and is basically a competitor to UPnP (I thought). Perhaps there is a way for mDNSResponder to leverage UPnP IGP to broadcast service messages (e.g. bonjour) across a local NAT? If so I've never seen nor heard of this working -- so perhaps what they're disabling is vulnerable code that wasn't doing anything anyway?

    • by jackjeff (955699)
      Actually I was also wondering what this feature was used for? Does anyone know?

      My guess is that since Apple decided to unilaterally disable the feature (without giving any option to activate it for the mighty or protected folks) it is because it was probably never used.

  • Who wants to bet... (Score:3, Interesting)

    by subl33t (739983) on Friday August 03, 2007 @01:12PM (#20103553)
    ... that the iPhone will be the vector that finally gets Macs infected with a virus/worm that will replicate in the wild?

    I bet there's a secret cabal at Microsoft that is working on this very thing.
  • Now that Apple has disabled uPnP compatibility will the original anonymous extortionist reveal the hole that he claims he didn't want to reveal lest Apple come up with some excuse for not disabling whatever his hole was, or will we hear more FUD from him?
  • Big Loss! (Score:3, Informative)

    by reed (19777) on Friday August 03, 2007 @02:48PM (#20105153) Homepage
    UPnP kind of sucks anyway. Maybe this will get people to move to MDNS-SD, which is simple, straightforward, has several implementations (both open source and not).
    • by DECS (891519)
      For those confused by acronyms and internal names:

      mDNS is Multicast DNS, a standard for resolving host names collaboratively on a local subnet using APIs similar to standard server/unicast DNS. It is half of what Apple calls Bonjour.

      DNS-SD is DNS Service Discovery, which allows devices with shared services to advertise themselves on a local network.

      Together, they provide much of the simple "just works" networking that AppleTalk delivered in 1986: devices discover each other and auto configure without any c
      • by Tony Hoyle (11698)
        Apple is also working on Wide Area Bonjour, which allows a Bonjour-savvy client to register with an external DNS server, authenticate, and obtain DNS location discovery and naming information for services and devices behind a NAT layer.

        Actually, they're not just working on it, it's live. If you have a server that provides a service it can register with the global mDNS responder and be available worldwide.

        It's the kind of thing that DNS SRV records are designed for (and rarely got used for) except you don't ha
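The DNS-SD record chain the two comments above describe (a PTR record naming service instances, an SRV record giving host and port, a TXT record carrying attributes, then an address record), as an added example that is not part of the thread: the TXT encoding and parsing follow RFC 6763 (length-prefixed strings, case-insensitive keys, first occurrence wins, every length byte checked against the bytes actually present), and the printer instance, host names and the 192.0.2.10 address are constructed sample data.

```python
# Constructed sample advertisement: one IPP printer on the local link.
SERVICE_TYPE = "_ipp._tcp.local."
INSTANCE = "Office Printer._ipp._tcp.local."

def encode_txt(pairs):
    """Pack (key, value) pairs into DNS-SD TXT rdata: a run of length-prefixed
    strings, each 'key=value' or a bare 'key' when value is None (RFC 6763)."""
    out = bytearray()
    for key, value in pairs:
        item = key.encode("ascii") if value is None else f"{key}={value}".encode("utf-8")
        if not 1 <= len(item) <= 255:
            raise ValueError("each TXT string must be 1..255 bytes")
        out.append(len(item))
        out += item
    # An attribute-less TXT record is a single zero-length string, not empty rdata.
    return bytes(out) or b"\x00"

def decode_txt(rdata):
    """Parse TXT rdata back into a dict, checking every length byte against the
    bytes actually present so a malformed record cannot read past the buffer.
    Keys are case-insensitive and the first occurrence of a key wins."""
    attrs = {}
    pos = 0
    while pos < len(rdata):
        length = rdata[pos]
        pos += 1
        if pos + length > len(rdata):
            raise ValueError("TXT string length runs past end of rdata")
        item = rdata[pos:pos + length]
        pos += length
        if not item:
            continue  # zero-length string carries no attribute
        key, sep, value = item.partition(b"=")
        key = key.decode("ascii", "replace").lower()
        if not key or key in attrs:
            continue  # '=value' without a key is ignored; duplicate keys are ignored
        attrs[key] = value if sep else None
    return attrs

# Records a responder would answer with, as (name, type, rdata); names end in ".local."
RECORDS = [
    (SERVICE_TYPE, "PTR", INSTANCE),                                  # browse step
    (INSTANCE, "SRV", {"priority": 0, "weight": 0, "port": 631,
                       "target": "office-printer.local."}),           # resolve step
    (INSTANCE, "TXT", encode_txt([("txtvers", "1"), ("rp", "ipp/print"),
                                  ("pdl", "application/pdf")])),
    ("office-printer.local.", "A", "192.0.2.10"),                     # address step
]

def browse(service_type, records=RECORDS):
    """Return the instance names advertised under a service type (PTR lookup)."""
    return [r for n, t, r in records
            if t == "PTR" and n.lower() == service_type.lower()]

def resolve(instance, records=RECORDS):
    """Follow SRV to the host/port, TXT to the attributes, then A to addresses."""
    srv, txt = None, {}
    for n, t, r in records:
        if n.lower() != instance.lower():
            continue
        if t == "SRV":
            srv = r
        elif t == "TXT":
            txt = decode_txt(r)
    if srv is None:
        raise LookupError(f"no SRV record for {instance}")
    addrs = [r for n, t, r in records
             if t == "A" and n.lower() == srv["target"].lower()]
    return {"host": srv["target"], "port": srv["port"], "addresses": addrs, "txt": txt}

if __name__ == "__main__":
    for name in browse(SERVICE_TYPE):
        print(name, "->", resolve(name))
```

The record set is held in memory rather than sent over multicast, so the example shows the record relationships and the TXT parsing rules, not the mDNS transport.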
  • Silly Apple, fixing the problems. Don't they know this leaves them open for taunting.

    Knee-jerk PC fanboi: "Oh, I guess Apple isn't so secure after all, huh?"

    Mac-fanboi: "Umm, they fixed a problem with some 3rd-party software before it became an issue."

    Knee-jerk PC fanboi: "Yeah, old Apple finally getting some of what Windows gets."

    Mac-fanboi: "No, they proactively fixed the problem"

    Knee-jerk PC fanboi: "Yep, might as well just use Windows"

    Mac-fanboi: "You do that, then."
