Of iSync Protector, and why no one really cares
Minoki released a small utility that fixes the iSync local root exploit I've talked about a few times.
From a cursory glance, it basically does the terminal commands I gave back in a prior post, which means you'll have to rerun it every time you repair permissions and such.
Still, if you're not inclined to enter terminal commands, or keep them around to reenter them, and don't sync to a Symbian cell phone, this could well be for you. The site isn't in English, but it looks as though they have an English localization in the .app and Google can translate the site easily enough.
I keep getting asked about this exploit, and most of it isn't pretty... this one is really starting to touch a nerve with some people for reasons I don't quite understand yet. Some of them seem to think I've let Apple off too easy, some seem to think I may have some idea of what the hold up might be to cause it to go unfixed.
I've really said all I know about it and what might be causing this to go unfixed for months, or why it wasn't included in 10.3.8 or in the most recent security update, but I suppose I haven't said why I haven't shaken my fist in anger at Apple over it.
When it comes to why there's been no fix after this long from Apple, or why what fix they have missed both patch windows, it really could be any number of reasons. The problem isn't those reasons, it's that we have no idea of what's going on, let alone when to expect the fix or even that they're working on it. We can assume they know about it and it'll now hopefully be in 10.3.9, but we don't really know.
We don't know because enough people just don't really care about security on the Mac because there hasn't really been 'digital pearl harbor' on the platform. About the closest we've come is the LaunchServices exploit, which was potentially incredibly damaging and dangerous, but for reasons I've gone into great detail before never really took off.
Pundits and long-time Mac users generally just don't truly get it, because their frame of reference has been so co-opted by not having to deal with it. The discussion is purely taking what you know or want to be true and working backwards, and anything else is really just foreign.
Their frame of reference has been co-opted to such a degree that their mental equation is always going to be missing variables, and always going to come out a bit off, and leads pundits and users who aren't stupid to say some really stupid things regarding security on the Mac platform.
This isn't fear-mongering or bashing. Whenever there is a security hole , and it's unpatched, you're playing russian roulette, and the Mac has a hell of a lot more empty chambers than other platforms in other situations. If you've used a Mac for a long time you're just not going to care as much if you know there's a bullet in the chamber, let alone what's being done to get it out. If all you've ever known is the click, you're really not mentally prepared for the bang.
Out of all the normal Mac users, the vast majority who email me asking questions about these types of things are those who have come over from Windows, and while they may not understand the specifics they understand the danger. The vast majority of long-time Mac users give me a hard time for theoretically scaring people about something that they're sure is being fixed and isn't really an issue because there's no worm or trojan in the wild actively exploiting it.
Real developers do get it and care, because they understand the specifics of how these things work, and that there's no magic barrier from malicious code on the Mac, but developers are generally the last ones to really be heeded.
The press doesn't get it because their readers don't get it, and they aren't going to spend time on something most users aren't really that concerned about or clamoring for updates on. Most Mac users just don't even know the vulnerability is there, let alone that it hasn't been patched, and a huge percentage of those who may have seen it here or somewhere else promptly forgot about it not long after. Users don't know because they haven't been told, and a website with drunk in the name prolly isn't how they should be finding out about it.
What we ask of Apple won't make a difference, and we'll be in the dark until sites and magazines with the word "Mac" somewhere in their title are actually asking Apple what's going on. If the Mac press thought their readers were really worried about security, they would do so. Conversely, If Apple thought enough users really cared about what was going on, what the problem was, and what the damn ETA for the fix was, they'd come out and say it.
It wasn't long ago that Apple didn't really have obvious channels for security problems, let alone following up on them, and didn't even really specify details of what was being fixed when they did release patches. Apple didn't change how they did some things because it was the 'right time' to finally start doing it or because they had some epiphany. They were getting hammered for it and being asked uncomfortable questions, and the cost of not doing it was higher than the cost of doing it.
Apple is not going to tell us what's going on with this vulnerability, what the holdup is, or what the ETA for a fix is, because the press isn't asking them about it and reporting "no comment" everywhere.
The press isn't going to ask them about it, because users and pundits just don't really care all that much; they've just heard too many clicks when the trigger has been pulled. It's a non-story on all sides, and will probably be rolled into 10.3.9 and mentioned in a footnote when reported on various Mac sites.
That's just the cycle of how this is going to work, and shaking one's fist isn't going to do it. It's not going to change until enough things in the Mac market change that there's not a click when that trigger gets pulled. Then you'll have your story, and then we'll be better informed about the vulnerability that follows the one that went bang.
Posted by drunkenbatmanApril 04, 2005, at 09:08 AM
Comments (16)
Posted by: Phelps at April 4, 2005 09:55 AM
Every time I see a security bulletin I'm going to hear a click now. Great. (Grin) For a "non-story", you wrote a lot about it. And bashed the known world while you did it. You really are an asshole, but don't ever change. :-)
If you google for isync vulnerability no other Macintosh websites show up so I guess you are within your rights... I do not see an answer to your problem. Is it fair to blame Apple for not talking if no one is asking?
Posted by: Jay Contonio at April 4, 2005 11:50 AM
Come on, do you actually think someone at Apple is saying "Never mind this exploit, no one really cares about Mac security". No. I'm sure, like you said in your previous post, that fixing this might disable some other feature and it is taking them quite a bit of time to figure it out.
iSync in Tiger is going to be quite different and I am betting that the hole won't be there. Maybe once they announce Tiger and post 10.3.9 this will all be pointless conversation, but until then, don't start saying that Apple doesn't care about it's users or their security. Look how fast every other security hole has been fixed.
Posted by: klimas at April 4, 2005 11:59 AM
The situation seems sort of reminiscent of how Mac users viewed the command line before OS X. The party line was "Command lines are for Unix weenies." Now it's "Security advisories are for Windows chumps." Give it five years...
Posted by: sickwe at April 4, 2005 12:36 PM
Bloggers will be the death of the web. Get a fucking clue!!! This is information geeks want. The target market for Apple machines are NOT geeks. A "normal user" does not care about this crap, they just want to know it will be fixed and that the fix does not break what they had. They purchase a Macintosh so they do not have to deal with this, Apple does it for them.
Posted by: Fester Pitch at April 4, 2005 12:45 PM
I've really said all I know about it and what might be causing this to go unfixed for months, or why it wasn't included in 10.3.8 or in the most recent security update, but I suppose I haven't said why I haven't shaken my fist in anger at Apple over it.
DB, you told me via email that it involves "mrouter" and that the software Apple is using may not be software they have written and that could be the problem. Any more word on that?
Posted by: Chris at April 4, 2005 08:40 PM
Hey db, did you report it to http://bugreporter.apple.com?
Posted by: Ben Liong at April 5, 2005 01:30 AM
I agree with you that the general Mac population just doesn't care or have no awareness about security, and that is largely because they'd been trained not to. Whatever hole there is software update would sort itself out, and Mac OS X would be secured again.
Right till now, except for this iSync hole, this seems to be true. bugs are fixed quickly and security holes are blugged. We are however entirely on Apple's mercy. In the windows world, lots of people, including security experts, test the OS for holes, simply because it's so widely used. Windows very rarely come out ahd admit they have a security hole without some hacker getting to it first. I think it takes time to build these kind of concern for the Mac world. True there are people like yourself looking, we just need more people doing that.
Given the half open sourced nature of OSX, I do believe it's relatively easier to fix whatever is found to be broken or bad.
And let's admit it, Apple, Microsoft, Sun and all these companies building OS will never come out and say there is a hole in the OS before they have a fix for it.
Posted by: drunkenbatman at April 5, 2005 01:57 AM
Hey db, did you report it to http://bugreporter.apple.com?
I haven't, but the security bulletins mentioned it as having being reported to Apple... either way, I'm going to hope to God that Apple has someone reading BugTraq. :)
I don't think it's a problem of Apple not knowing, or not caring, and my problem isn't that there's an exploit nor that something is holding it up (which I'm not going to guess on), it's that we really have no idea of what's going on and it would just be guestimating on several possible problems.
All we know is that it was discovered on January 12th 2005, released publically on the 26th, and it's now April 5th, 2005.
Posted by: Sandy at April 5, 2005 02:57 AM
I'm sure I'm at the very low end of tech-know-how among your readers, the common user. (Bear with me, people.) I freely admit that Mac users are lazy and unmotivated when it comes to security. However, it is a concern because it's not kosher to be passing on viruses to your customers when trading MS attachments.
Yet, when I've tried to be proactive, and actually done some research reading the Apple forums, I find that for every anti-virus brand software out there, there are multiple warnings to steer clear because it's not very stable with the Mac platform. Add in anecdotal horror stories and swearing upon sacred documents from users "never to put another Norton app on their hard drive."
If I remember correctly, during the latest episode, within the last couple months, Virex, the software offered at .Mac, had withdrawn their latest version due to bugs. Not entirely comforting.
It gives one pause. Does it follow that we also won't have attention to dependable anti-virus software until a "bang" issues from the trigger pull?
Add to this that the only time I've experienced a "kernel panic" on this Powerbook, (new last fall), was during the same timeframe as the updating of the virus software. I still have Norton, but I have to confess, I've stopped the last two live updates.
What's the best bet for trouble free virus protection for the ordinary user? (I don't iSync so the above doesn't apply. Please forgive the slightly off topic twist. At least I'm considering the need to dodge bullets. :)
Posted by: steve at April 6, 2005 12:10 AM
There are continual news releases from virus companies trying to get Mac users to purchase their products, so they've numbed the kneejerk reactions to some extent.
I don't think it is that users don't care... more that they can't do anything about the result, so why waste effort getting upset over things they have no control over?
I think it's harder, but not difficult, to have virus infections on OS X... but when they start happening, so what? All we can do is software update regularly, and keep backups (which we should do anyway).
Windows users have years of experience with virus infections, so having them on Apple will degrade the experience but it's not the end of the world.
Posted by: Dominik Fusina at April 7, 2005 02:45 AM
Thanx to you and for your article.
Just a smal thing : it's not "Miniko", but "Minoki". ;)
Have a good day.
And comments on "iSync Protector" are the welcome (potential problems ? does english localization work correctly ? etc...)
Posted by: Chris at April 7, 2005 04:04 AM
All we know is that it was discovered on January 12th 2005, released publically on the 26th, and it's now April 5th, 2005.
And that's the crux of the matter, isn't it?
I believe there are some inherent design choices that make OS X less susceptible to various forms of trojans and exploits. The 'single tool, single task -- working together, but discrete' approach of UNIX and Mac OS X makes a lot of sense.
However, these bugs need to be fixed promptly. From what I understand of the bug, this is a case of not doing some bounds checking on a command-line parameter, correct? Is it unreasonable to expect that this very very minor fix could be applied and tested and released within a 1-month timeframe?
Posted by: jdb at April 16, 2005 04:55 PM
Well 10.3.9 is out an from the description it doesn't look like this is fixed.
It is fixed on tiger by the fact that the Sync Bundles have been moved or eliminated altogether. I couldn't find mRouter anywhere on my machine nor could I find symbian.
I can't easily test the 10.3.9 fix to really find out since I'm running the latest pre-release of tiger.
Posted by: Diggory Laycock at April 20, 2005 05:55 AM
Looks like they've fixed it:
http://docs.info.apple.com/article.html?artnum=301326
It's hard to report a non-story.
"In other news today, Microsoft has once again allow the sun to set without endorsing Firefox as the browser of choice. When will they change their tune?"
On the other hand, you're doing a good job of bringing some publicity to the hole, so hopefully something good will happen soon. It would be nice if Apple were more open though…