SynthEyes Camera Tracker Forum

Leopard's Giant File-Sharing Security Hole

 
ssontech
Site Admin



Posted: Mon Feb 11, 2008 11:59 am

Be forewarned that Apple has chosen to introduce a giant security hole into Leopard. If you turn on Windows SMB sharing on a Leopard Mac, and log into it using an account with administrative privileges, presto, Apple gives you a magic share to every disk drive on your machine, with no warning, and no way to turn it off. No matter how you configure your sharing---to share just the smallest and most inconsequential folder---Leopard exposes your entire hard drive to all comers with the right credentials. From a different machine, just enter \\your-machine-name and you'll see 'Macintosh HD' complete with all your mounted volumes. Whoops! Have fun!

Before you start blaming it on Windows, this is not a Windows feature. It is a security breach that Apple has expressly opened into the open-source Samba package that Apple uses. I repeat, it is not a feature of Windows or Samba, Apple has opened this hole with its own unseen and uncontrollable patch.

Apple has attempted to pooh-pooh this as a threat, by observing that you need to present a valid admin login to access the entire drive, and if you have that access, you could walk up to the machine and take it over anyway. But of course this is a stupid argument, the problem with this hole is that they have completely destroyed your physical security, making your machine a target for anyone with access to your network connection. That might be a direct connect to the internet, or an intranet in a company.

This hole is just so 1970s, a total head-in-the-sand posture by Apple to a basic security issue. By presenting such a fat target for attack, they invite a cottage industry to start firing up their Mac password cracking tools --- it's open season, with your entire machine as the prize. If it takes 3 months to crack, who cares? And this is exactly the kind of complete vulnerability that tends to get combined in unexpected ways with other vulnerabilities to cause a major problem.

If this was a problem in Windows, I'd be sitting through another annoying Apple commercial about it.
ssontech
Site Admin



Posted: Mon Sep 15, 2008 8:33 pm

Took a while, but the latest round of Apple security updates has addressed this vulnerability --- at least by warning you about the issue. It's good to hear that these issues are addressed.