Site Network: | | Jongsma & Jongsma

Innovation in Information Security

Coverage of important Information Security and Information Technology news and events from the research team at S?nnet Beskerming.

Username: | Password: Contact us to request an account

Strange Bug Plagues Apple OS

News is spreading rapidly about a serious flaw affecting Apple's latest Operating System, Snow Leopard (OS X 10.6), first being made public in early September on Apple's Discussion boards. The timing for this widespread coverage is unfortunate, given the massive patch release from Microsoft with their October Security Bulletins this week.

The difficult-to-reproduce bug apparently can only be triggered on systems that have been upgraded from Leopard (OS X 10.5) and which had the Guest account active prior to the upgrade being carried out. It appears that the bug, though it is very much real, is difficult to reproduce reliably. What is common to affected users is a user having logged into the Guest account, logging out, and then returning to another account, at which point it is discovered that the home directory of the non-Guest account has been wiped clean, as the Guest account is meant to be.

It has been suggested that the error may be tied to how the system cleans up following use of the Guest account, which is designed to wipe itself clean following each use. The suggestion is that this wiping process is not triggered properly and so activates next time the user logs into a non-Guest account and it results in the wiping taking place not only in the Guest account but also others.

Initial reporting suggested that for the bug to be triggered the user would have been forced to reboot due to a system freeze in the Guest account, though reports from other affected users provided examples where merely attempting to log into the Guest account was sufficient to wipe the home directories.

From the different reports on the bug it seems likely that there is an issue with the logout / account wipe actions that are scheduled to take place following the Guest account logout. It may be something such as a race condition, where the command to clean the Guest home directory is racing against a command with higher privileges and occasionally gets to slip in under the higher privilege set and executes against more than just the Guest account. This would explain why it has been difficult to reproduce reliably. It may be a buffer overflow, where the command to erase is overflowing into the memory space of a higher privileged application. If memory randomisation (ASLR or the like) is being used by the buggy processes, it could also explain why reproduction of the flaw is so difficult - being able to reliably overwrite the higher privileged memory space is much harder than without randomisation.

So far the bug has slipped through the initial OS release as well as the first update (10.6.1). Apple have acknowledged the presence of the bug and are working on addressing it, though with rumours of 10.6.2 being available soon, it isn't certain whether a fix will make it into this update.

Backing up regularly is very beneficial, however backing up to an Apple Time Capsule might be as risky as using the Guest account on Snow Leopard. Time Capsules have had troubles recently with possible overheating situations leading to hard drive and power supply failures that are resulting in sudden death of the devices. Concerned users should ensure they back up regularly and avoid use of the Guest account where possible.

15 October 2009

Social bookmark this page at eKstreme.
Alternatively, Bookmark or Share via AddThis

Do you like how we cover Information Security news? How about checking out our company services, delivered the same way our news is.

Let our Free OS X Screen Saver deliver the latest security alerts and commentary to your desktop when you're not at your system.

Comments will soon be available for registered users.