Security notes: sudo and OS X, more reasons you should not use Java

Busy week for security. There is growing consternation over a blended exploit in the OS X sudo utility (1.6 and later, which applies to all Macs from at least 10.4 up, including Intel Macs through 10.8.4) that can be abused to give a logged-in attacker root privileges. sudo is a tool that allows allowed users (on OS X, that's anyone who is an administrative user) to achieve root privileges without knowing what the root password is, and from there can do any task, nefarious or necessary. This exploit takes advantage of a well-intentioned sudo convenience where if you've authenticated already within a certain period, usually a few minutes, it won't ask you for the password again. Let's also combine this with the knowledge that OS X does not require root privileges to set the date and time of the machine, either from System Preferences or using the systemsetup CLI tool. Did you figure out the flaw yet? If you set the clock to a time period sufficiently back in the past, and the user you are attacking, impersonating or sitting down at their machine has ever successfully run sudo from the Terminal before, you can become root as often as you like because their credentials will not have "expired." This means you can merrily install malware, snoop on their files, force them to use the metric system, copy their Michael Bolton album boxed sets, etc. Just because you don't use the Terminal doesn't mean you're not vulnerable; if they can get on your system and run applications, even remotely, they can exploit this hole.

How to fix it? Well, you could build and install a new sudo, but here's a better idea: force sudo to always make you enter your password, which is just more secure in the first place. In the Terminal, type sudo visudo, enter your password, and in the configuration file add this line: Defaults timestamp_timeout=0

Save the file and exit the editor. Test it with back-to-back sudo bash commands. You should always be asked for a password. Now it doesn't matter what the clock is set to; you won't give away the store. I've tested this on 10.4 and 10.6; I see no reason why it won't work on 10.5, 10.7 or 10.8. 10.3 and earlier users, if sudo -V says a version that is 1.6 or later, you are also vulnerable. This may be fixed in a future 10.6 update, but really, this is just a safer way to use a tool that can be very dangerous if misconfigured.

Also, if it's [a day in the week ending in -day], it's time for another Java exploit. In the MITRE security note, they say "Oracle has not commented on claims from another vendor that this issue allows remote attackers to bypass the Java sandbox," which, because Larry Ellison is a turdbucket, almost certainly means that this vulnerability can escape the Java sandbox. That also means that this is a cross-platform privilege escalation, because the sandbox runs platform-independent code, and Java 1.5 is already known to be vulnerable and will never be updated for Power Macs. If you are running Java applets on any version of PowerPC OS X, you need to surrender your power cord, now.

On BaselineCompiler progress, we are now passing 87 tests so far and slowly getting to phase 4. Also, our friend at Tenfourbird found a methodjit bug and created a fix that we will take for 17.0.9 and 22.0.2 (if there is one) (issue 239). Thanks, t_mrc!