Security Issues using Homebrew or Macports, malicious binary insertion
Nicholas Papadonis
nick.papadonis.ml at gmail.com
Tue Nov 6 15:14:31 UTC 2018
This article goes into depth on how Homebrew opens OSX to a number of
security issues. I'm curious if a security expert could comment if similar
vulnerabilities exist with Macports.
One vulnerability is a malicious program acquiring the administrators
password. The attack is opened up when Homebrew modifies /usr/local/bin
permissions for r/w by a non-root user. This permission change allows an
installed brew app to modify other binaries in this path, for instance
sudo. Homebrew defaults the path prefix as follows /usr/local/bin:/usr/bin
and therefore the malicious binary can take advantage of this by inserting
another fake malicious binary.
The article is as follows:
https://applehelpwriter.com/2018/03/21/how-homebrew-invites-users-to-get-pwned/
More vulnerabilities here:
https://hackerone.com/homebrew/
The author claims that Macports is more secure because the installed
explicitly uses root privilege during package installation.
Are there any security experts out there that can comment on the security
impact of using Homebrew and Macports? To be more secure should one use all
their Unix applications in a emulated Linux VirtualBox session?
Thanks for any insight you may have.
Nicholas
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.macports.org/pipermail/macports-users/attachments/20181106/58836762/attachment.html>
More information about the macports-users
mailing list