There’s been tonnes and tonnes of words written about the RM My Mac competition, which saw a Mac mini compromised within hours of being placed online. Most of it has been unremitting garbage, either with news stories that miss out essential facts, or puff-pieces that try and claim that it’s not actually an issue (Leander, what has the fact that it was on a wireless network got to do with it? Stop drinking the Kool-Aid man!)
The best summary is, perhaps unsurprisingly, at Ars Technica.
However, one thing that everyone seems to have missed out troubles me. The hacker used a local privilege escalation technique to gain root access from a normal account. This means that the same technique is open to any malware writer – which means that there’s a method by which you could write a serious Mac OS virus that not only self-propagates, but which can compromise your entire machine, and all accounts on it. Any software technique that can be used by a local user can also be used by a locally-running application.
How serious this is depends on the method that the hacker used, and what the exact set up of the Mac mini was. The author of the rm my mac page notes only that:
It runs a default install of Mac OS X Tiger, plus fink and some decent versions of Apache, MySQL and PHP. Software Update recently updated it to Mac OS X 10.4.5 and fixed some security issues.
This could mean that the issue is with the particular versions of Apache, MySQL and PHP installed, or with Fink. But it could also be with OS X, in which case this is a much more serious issue that many are making out. Until we know more about the methods used, we can’t say for sure – but either way, it’s a worry.