Leopard and Snow Leopard flaw exploited in proof of concept, real-world tomfoolery surely coming soon
By Tim Stevens 
posted January 13th 2010 9:05AM
posted January 13th 2010 9:05AM
Look at you, all cuddled up with your Leopard install, sipping on a steamy hot cocoa, watching the snow fall outdoors, and thinking you don't have a care in the world. We hate to break it to ya but you do have a care, a big one, thanks to a proof of concept hack exploiting a buffer overflow in MacOS 10.5 and 10.6. The flaw has been known about since June, but only now has it been proven to work on Cupertino's latest, and a very straightforward code example of how to use it has been posted online. You know what that means: watch out for those e-mail attachments. Interestingly, the flaw is also said to possibly exist in the PS3 as well, which could make for a very interesting spring -- cocoa or no.
{puts on shades}
Sounds like Snow Leopard has gotten a little frostbitten...
@untitled YEAAHHHHHHHHHHHHHH!!!!!!
CRAP...engadget you made me spit my coco all over my nice thin glossy screen!!
@untitled Working as intended
@untitled im not bothered as i only bring the mac out of the cupboard on special occasions and when the odd guest arrives.
@untitled
Yeah, but you still have to download it, decompress the zip file, double click on the disc image to mount it, run the installer, put in your password, accept it, quit the installer, unmount the disc image and then save it someplace or throw it into the trash and empty it.
I don't see many people adopting this yet until they come with a truly easier way to hack my computer.
@Steve Miller team coco reporting in
@Blackstar
How's the bubble life?
@Mr Smiley
yep just like every other virus out for OS X.
Oh wait.
@Blackstar And there you go... I'm still sipping my cocoa and hugging my MacBook Pro. Engadget Mac bashing is ridiculous - comparing a proof of concept attack with the millions of malware and viruses that exist on Windows. Plus one that requires all these steps to actually infect OS X... whatever... pfff!
@Banesmagic
You're right using 'Engadget' and 'Mac bashing' in one sentence IS ridiculous.
@Banesmagic There is SOOOO much mac bashing in there... I just apparently can't see it :D But ya... sounds like you fit the mac persona pretty well :P
@Banesmagic When did the comparison came in the article? I can't find it.
@untitled
http://farm4.static.flickr.com/3042/2684975202_4f32a09a73_o.jpg
@Banesmagic
You know the figure head of Engadget, Josh, uses a MacBook lolol
@Banesmagic
Yet the Apple computer always seems to be the first one to get hacked at that hacker demonstration.. Funny that.
@untitled
There is such a Mac bias on Engadget!
Where's the PC virus news, damnit?
@(Unverified) haha
i wonder why engadget never photoshops Jobs like they do Ballmer...
@untitled
ITS A TRAP!
@Blackstar
Yeah! Its so much easier on my Windows PC!
I have to download the zip file, decompress it, run the installer, press accept on UAC (putting the password in if i'm on a limited account, people would throw even more of a fit if this was required even on admin accounts), and go through the whole install! Its SO easy!
A trojan is a trojan and NO OS is immune to human stupidity.
@untitled
Where's your Jobs now?
@Mr Nuclear I know I wish they'd report on Windows viruses more. I wish they'd report more often that the sky is blue too.
It isn't really news to report a Windows exploit because there are a lot of them. I'd also argue that you have a higher likelihood that your average tech dumbass is using a Windows machine also, but whatever.
And what about Conficker? That got lots and lots of press.
@Blackstar Safari will do the unzipping automatically once you download it. It will also run start an install program for you. Yes a password is necessary to complete, but there are plenty of people willing to provide one because they just don't know any better.
I LIKE THIS! HERE I COME ENGADGET EDITORS WHO USE A MAC!!!
@revoltracers http://www.engadget.com/editors/
might come in handy for your BCC field :P
@revoltracers
So what you are admitting to, is that you a script kiddy pretending you a fearsome hacker when all u got is copy/paste
@Cy Starkman
I think he is talking about the picture.
looks like patching season came early
@jerm - after the iSlate of course. Wait, what? You could open email attachments with the PS3? Whhhaaat?
It's been known about since June? Wow... look at all the havoc it's caused since then.
@trainwrecka Actually is the issue has been known about since June and Apple couldn't be bothered to make a patch, it speaks volumes about just how much they care about your security. Or perhaps their ability to address the issue.
@Ch3m1kal More likely, that Apple knew it wasn't out yet, and that it was, up to this point, no threat. So they worked on more important issues. Apple has proven over and over again they are up to the task. As the fact that no Mac has ever been compromised that wasn't the user being a total idiot. (Yeah, some Mac users are not the sharpest sticks in the bundle.)
Get over it. Until one single Mac is compromised by this worm, there is no threat. And Apple knows their business way better than you do. They've been through this.
And if such hair-on-fire articles were to run about Windows and LInux, every time something like this came up for those OSs, there wouldn't be any space left for other news.
@Leicaman I agree, Mr Lens
@Ch3m1kal
What's the fuss. I tried the proof of concept from the linked site and it didn't barf for me mac 10.5.8
bash-3.2$ cat overflow.c
#include
#include
int main ()
{
char number[] = "0.1111111111...11", *e;
double weed = strtod(number, &e);
printf("grams = %lf\n", weed);
return 0;
}
bash-3.2$ gcc -o of overflow.c
bash-3.2$ ./of
grams = 0.111111
bash-3.2$
@Leicaman
As the fact that no Mac has ever been compromised that wasn't the user being a total idiot.
@Leicaman
You mean like working on Win7 bootcamp support they promised would be available by the first of the year? http://reviews.cnet.com/8301-13727_7-10423148-263.html?part=rss&subj=news&tag=2547-1_3-0-20
@Phen Same applies to Windows computers these days son...
Rant: fooking comment system
@NohOne1
Don't be stupid. Win 7 works fine in Boot Camp. Yes, I am running it myself. Are you? No don't bother answering that question, we both know the answer.
@Jack
Ahhh yes, I am stupid because Apple promised me Win7 compatibility for Mac, and yet, they did not provide it. I am the stupid one for saying that Win7 compatibility is coming, when, obviously, it is not needed. I am the stupid one, for changing a document on the Apple web site, because when I did not meet the goal, I need to cover that up so I can save face.
No, I do not run Win7 on either of my Macs. I have dedicated PCs for that.
BTW, I did not give you permission to respond to me. You said you would ask first.
@Leicaman you expect the regular MAC users to know exactly when their MAC's are compromised, wake up dude, and smell the cocoa already.
@NohOne1
And you appear to be ignoring the fact that Win 7 IS compatible with the Mac. Did you miss that part? Want me to say it a third time to be sure?
Win 7 IS compatible with the Mac. So yes, you are the stupid one here. Also, you don't appear to understand sarcasm, so next time I'll be clearer about pointing out why you're being stupid.
But go ahead, say something else about Win 7 not being compatible with the Mac. I mean how dumb you look at this point really depends on how far you're willing to go with this whole "I don't read very well" thing.
@Jack
If it is compatible with the Mac, then why is Apple working on a software update to Boot Camp to support Windows 7: http://support.apple.com/kb/HT3920
If Apple themselves say they are working on compatibility, then, while what is there may work, but Apple has decided it does not work as it should.
But, you know, I am too stoopid to be talking as gooder as yous, or somein.
@NohOne1
You're right, I don't actually have Win 7 running in Boot Camp with no problems.
Oh wait, yes I do. My experience is > your badly misinformed assumptions. Far be it from you to actually try something before claiming it doesn't work though, right?
The update Apple is working on is to further support Win 7, not to make it work. Wasn't that obvious from the fact that Win 7 does, in fact, work in Boot Camp?
And yes, you are too stupid to be talking. Go back to the peanut gallery and punch yourself in the nuts a few times. Bad troll! Bad!
@GN1 If you do not have enough education to know the difference between what a Mac is and a MAC is then do not expect any one to take anything you say about this seriously. Assclown!
@Jack
Just to add to this. I'm running Windows 7 just fine with Parallels and Boot Camp as well. I know many people who do. The compatibility issues are minor...such as the fans sometimes coming on at full throttle despite the lack of heat.
@NohOne1
Windows 7 works fine on my Macbook with the exception of battery life. That's why Apple need to get the new drivers out.
In fact it works so well I can't remember when I last booted into OS X to be honest.
@Jack
Yeah, I mean it works swimmingly what with the daily, repetitive hardfreezes and crashes- I mean- *ahem* Golly Bootcamp is swell, silly me and my minor issues. Excuse me while I go choke again.
Sincerely,
Lemon Unibody Macbook Pro [subject to XP/Vista/7 Bootcamp]
@MarkAnderson
Yeah we believe you.
@Facepalm
Uh huh. So it works fine for me and everybody I know who is running Win 7 in Boot Camp, but not you. Yeah, I'm sure it's the Mac's fault.
@Facepalm So Windows is working normally for you then? :D