Stefan Mileschin

MacOS was vulnerable for all that time

Fruity cargo-cult Apple has repaired a bug which has been in its operating system for 20 years.

In 1999, Apple released a slew of new features with Mac OS 9, calling it "the best internet operating system ever." The idea was to unlock the full potential of the turquoise iMac G3—the Internet Mac!—released in 1998.

Joshua Hill found a modem configuration bug that's been in Apple operating systems for two decades. In those days ,Apple did not have to worry about security. Few people were buying its computers and hackers were only really interested in computers which had access to serious data. If any bugs were found, Apple fanboys repeated a mantra that there "were no bugs in Apple gear and it was too secure to be hacked."

Hill told Wired the flaw was serious and could have potentially been exploited by an attacker to get persistent, remote root access to any Mac, meaning full access and control.I t would have been harder to do since 2016's macOS Sierra (though still not technically impossible) to exploit in practice.

Hill said: "But it is an extremely fun bug to work on. I had been playing with some of this stuff when I was a very young kid—my very first hack when I was 12 years old. I used some of my old tricks to find which places would be vulnerable basically."

The original version of the attack simply took advantage of a service Apple used to offer called Remote Access. Essentially, you could call up your computer from a phone or another PC, and control it remotely without even needing to enter a username or password. Ah, the '90s. Hill and a friend (the one who swapped a modem for the Han Solo trading card) would go to each others' houses nearly every day because they were the only two kids at their school in Lexington, Kentucky, who had Macs. Hill realised that he could use Remote Access to secretly connect their two computers, and would be able to call into his friend's machine from afar and "have some fun."

Hill got his chance to perform the physical access attack while his friend was in the shower. The next day, he pretended to be sick, so he could stay home while his buddy was at school, and both sets of parents were at work. "I dialled in and I added a couple of additions to the novel he had been writing," Hill said.

https://fudzilla.com/news/48827-appl...ars-to-fix-bug