Fixes for Apple make ... security bugs
Ironically, it was discovered that the security hole in the tool itself was used to overcome imperfections in applications running on Apple computers.
' Month of Apple Bugs ' is a research project that advocates during January 2007, and will find a security error for software used on Apple computer platforms every day. On Monday, members of this group announced they had found a fatal flaw in a tool to fix the vulnerability fixed by the group.
The software is Application Enhancer (APE for short), this is the tool that ' Month of Apple Fixex ' tool uses to "cover" the patches immediately when a security error is detected.
APE is a third-party software developed by Unsanity with the purpose of 'strengthening and re-evaluating' the operating mechanism of applications running on Apple computers. In particular, APE will download plug-ins containing executable code into active applications.
Month of Apple Fixes uses this software to "patch up" the holes discovered by the Month of Apple Bugs project. When the application runs, the patches will enter the application itself to search for the error codes and 'fill in' as soon as the vulnerability is discovered.
However, on Monday this month Month of Apple Bugs announced a gap in the APE itself. This vulnerability allows users in the personal machine to gain root access privileges into the system, thereby changing the entire operating mechanism.
To do that, either reorder the APE binary, or replace it. According to Month of Apple Bugs, APE's binary system is implemented by original privileges (highest level - Root). This file can be written as other files in the same storage (/ Library / Frameworks), so the above loophole will be used to increase the level of system access privileges.
Landon Fuller, an open source programmer and project manager of Month of Apple Fixes, who always uses APE in his work, said that invasion of remote systems could also happen. According to his comments on personal blogs, APE's vulnerability can be combined with remote invasion to gain root access from an administrator account without user interaction. There are also a number of other invasions that may occur due to the right to change admin data in other folders.
Month of Apple Bugs said that users should not use Application Enhancer software anymore. The organization affirmed that APE 'is still flawed, not only because of the error in this particular case '.
However, Mr. Fuller responded by emphasizing the argument that it was only a theoretical hole, according to him, taking such remote access is unnecessary. Any APE exploit must be combined with another remote occupation to be effective, but it is enough to justify the remote control of a machine's mechanism. count.
Also in his blog, Mr. Fuller admitted: ' The APE vulnerability is real - so an administrator account on the computer can also get the original access transmission by changing the APE settings without any Just confirm the user.
If not exploited remotely, this error can also be used in conjunction with a remote mining behavior to gain higher access privileges. However, it is enough to gain remote access to your important personal database . '
Do Duong
- Apple fixes 26 Mac OS X security bugs
- Apple fixes Wi-Fi for Mac OS X
- Apple fixes deadly errors in Safari
- Apple bit 54 software security errors
- OpenOffice fixes three security bugs
- Apple patches new 'deadly' for QuickTime
- Microsoft fixed a series of bugs for Vista
- Netscape fixes browser security errors
- Apple patches serious security in QuickTime
- Apple upgraded bug fixes for Mac OS
- Mozilla patched a series of product security bugs
- Adode will issue monthly fixes