If I could, I would kick the guys responsible¹ for the disclosure in the ass. Why? We now have a YouTube video with shitty music (proving essentially nothing), some scaremonger articles with a lot of prose around very few interesting bits, and most importantly, a friggin' hashtag. And of course, a name for the vuln.
But nothing, absolutely nothing, on how to protect myself as an ordinary user. The only thing I was able to infer from the craptastic video is that the user they're escalating from is a member of the "admin" group, i.e. not a "Standard User" but an "Admin" in OS X lingo.
Among other things, the most obvious difference to regular accounts is that "Admin" users can use sudo by default, but there's no clue whatsoever as to what is exploited here. Some pipe-fu with sudo? Or a stupid setting by Apple allowing "admin" group members to do dangerous things without (re-)authentication?
In closing, best make sure you're using OS X as a "Standard" User, not "Admin". In my experience, it's quite painless.
Edit:
> "Normally there are 'sudo' password requirements, which work as a barrier, so the admin can't gain root access without entering the correct password. However, rootpipe circumvents this," he says.
This at least hints at the possibility that said exploit does not work from a standard user. So there's that...
¹most likely not the researchers themselves, but some "CEO" or other suit-level.
This is rich. Instead of "kicking the guy in the ass" for disclosing his findings, I'd recommend kissing his ass for disclosing this responsibly. If he hadn't, you, me, and many other people would be in a lot of trouble now, wouldn't we? And while we're at it, you might be interested in finding out how things like "full disclosure" and "responsible disclosure" came about in the first place. Spoiler alert: you may not like the answer.
"[...] nothing, absolutely nothing, on how to protect myself as an ordinary user." Really? He gave you two tips, didn't he? Make sure your default account doesn't have admin rights and use FileVault. He obviously can't tell us why FileVault helps without risking our safety. That's clearly not nothing.
After this past year with all of its vulnerabilities, I feel so uncomfortable when I really consider it. I make online payments at least a few times a week using my credit card. I log into my web based email multiple times per day.
I feel so naked.
Has anyone who uses brew and other dev stuff tried running Mac OS as a user account? Does it work out well?
The real question is why don't credit cards and bank transactions have two factor auth, or one time tokens. Someone shouldn't be able to steal money just by hacking one account or getting one number.
Yes. Everyone at Matasano runs from a standard user account. It's not a big deal at all. Nor is it a concession to insecurity on OS X; it's been Matasano's policy for almost a decade, and they inherited it from earlier companies, because not doing all your work from an admin account just makes sense.
Completely agree. Just saying that a vulnerability exists is a big thing, because it motivates hackers to search for it.
I seriously doubt it will take longer than until January for another person to find it.
Welcome to the club? PrivEsc exploits are becoming more common as sandboxes increase in popularity. Windows had a few such bugs exploited by real attackers as zero-days in the last month (check the CrowdStrike and FireEye blogs). I don't think this is news. It is simply a matter of effort whether an attacker will escalate privileges to root or kernel; it depends on the value of the data they are after.
I've always run as non-admin, what OS X calls a Standard user.
When I first started doing this (about 10 years ago) I ran into some problems if I attempted to authenticate from a standard user to an admin user when trying to do sys admin stuff. I'd get weird permission errors.
So now when I want to do admin stuff like install software, I don't attempt it as a standard user. I simply log in to the admin account and install from there. Also I always log in to admin account when doing software updates such as for Firefox.
If you adopt this mindset it's really very simple to stick to it, and it's hardly much of an inconvenience. At least not for me, I'm not installing software every day.
Also when I'm about to visit a dodgy website or run some suspect software I log in to the Guest user account. That doesn't protect against local root escalation, but at least it's something. Then when I log out, I hopefully leave my problems behind.
Finally I maintain yet another account solely for accessing my financial sites. That way if my day-to-day account gets compromised, I still have a modicum of protection.
I really should use a separate machine solely for financial transactions. But I don't. I doubt if even 1% of people do. Any old machine should work, no matter how slow, because it's not used very often.
There are absolutely no problems with using a non-admin user account. Just better isolation, better security and a few inconveniences.
Using a standard user account was one of the things I started with on OS X after being used to the "user must be administrator" paradigm that has been deeply entrenched in the Windows world for a very long time. Before Windows Vista came up with some form of UAC (User Access Control), being an administrator user on a Windows system was the least painful way to use the system. This style is still propagated even today in several companies with the latest versions of Windows.
The philosophy about being a non-admin user also ties into the UNIX-ness of OS X, and in all *NIX systems the recommendation is always to use a standard account and switch to a superuser/root account only when needed within a specific terminal for a specific task and exit out as soon as that work is done. When people on *NIX joke about "rm -rf /", there are people who remember the wounds of such experiences from real life when running as root (fortunately, I didn't have to learn from experience). :)
The "annoyances" for a standard user on OS X are that installing applications into /Applications or unlocking panels in System Preferences (if it has been configured to be that way) needs administrator credentials. And it's also required if one fancies getting into system (or protected) directories and wants to move/delete/rename/add files.
On the terminal, when needed, I switch from the standard user to the administrator account and then use sudo. It is indeed a little more cumbersome than providing sudo privileges to the standard user account, but it's not often that I need this and I don't find this inconvenience as a big waste of time.
On a lighter note, using a *NIX system as an administrator user all the time seems dirty, just like using a Windows system as a non-admin user does. :P
I've run my OS X machines from a non-admin user for at least 5 years. I do developer-y type stuff like SSHing into Linux servers with key authentication, running a local web development environment (MAMP), installing brew applications from the command line, editing my /etc/hosts file, etc.
It all works fine. For most things, like software installs and updates, I just get prompted for admin account credentials. For a few things (brew and editing hosts file), I su to my admin account in Terminal, then run the command.
I can't remember the last time I actually logged into my admin account, though.
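The workflow several comments above recommend (run day-to-day as a Standard user, check which group your account is actually in, and switch to a separate admin account before touching sudo), as an added shell example that is not code from any comment in this thread. `id -Gn` and `dscl . -read /Groups/admin GroupMembership` are the real OS X commands; the admin account name, the `DRY_RUN` switch and the `--report` flag are assumptions made for this example.

```sh
#!/bin/sh
# Added example (not from the thread): find out whether the current OS X account
# is in the "admin" group, and wrap the "su to the admin account, then sudo"
# pattern described above. ADMIN account name, DRY_RUN and --report are assumed.

# Return 0 if the whole word "admin" appears in a space-separated list of group
# names (so "administrators" or "adminstaff" do not count).
is_admin_groups() {
    for g in $1; do
        [ "$g" = "admin" ] && return 0
    done
    return 1
}

# Supplementary groups of the calling user; id -Gn exists on OS X and Linux.
current_user_is_admin() {
    is_admin_groups "$(id -Gn 2>/dev/null)"
}

# Members of the admin group. dscl is the OS X directory service tool; on other
# systems fall back to /etc/group. Prints nothing if neither source has the group.
admin_group_members() {
    if command -v dscl >/dev/null 2>&1; then
        dscl . -read /Groups/admin GroupMembership 2>/dev/null |
            sed 's/^GroupMembership: *//'
    elif [ -r /etc/group ]; then
        awk -F: '$1 == "admin" { print $4 }' /etc/group | tr ',' ' '
    fi
}

# The thread's workflow: switch to the admin account with su, and only that
# account invokes sudo. With DRY_RUN=1 the command line is printed, not run.
run_as_admin() {
    admin_user=$1
    shift
    cmd="sudo -- $*"
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf 'su %s -c %s\n' "$admin_user" "'$cmd'"
        return 0
    fi
    su "$admin_user" -c "$cmd"
}

# Human-readable verdict on the current account.
report_account() {
    if current_user_is_admin; then
        echo "$(id -un) is in the admin group: sudo and the System Preferences padlock need only this account's password."
        echo "Consider creating a separate admin account and changing this one to Standard."
    else
        echo "$(id -un) is a Standard user (not in admin)."
        echo "Admin group members: $(admin_group_members)"
    fi
}

# Usage: sh check_admin.sh --report
#        DRY_RUN=1 run_as_admin localadmin brew install wget   (after sourcing)
if [ "${1:-}" = "--report" ]; then
    report_account
fi
```

`is_admin_groups` deliberately matches the group name as a whole word, because `id -Gn` output can contain names such as `_appstore` or `localaccounts` next to `admin`, and a substring test would give a false positive on a system where someone created an `administrators` group.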
I do, routinely. I get occasional admin challenge dialog boxes that are easy to deal with. Once in a great while, I'll have an issue with something quite simple, like trying to save a Mail attachment to a folder in Documents, and I get a "can't do this because you don't have permission to write to etc.". Annoying, but happens rarely and so far has always been fixable with a reboot.
gioele | 11 years ago
It reminds me of the old suggestion given to Windows users and derided by OS X users.
pjmlp | 11 years ago
Attacking just Windows was just a consequence of it being the most widespread consumer OS.
TheLoneWolfling | 11 years ago
There's a difference.
> Normally [...] the admin can't gain root access without entering the correct password. However, rootpipe circumvents this