Sidebar Sidebar
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

Security flaw

M

macmacmacr

macrumors regular
Original poster
Dec 23, 2014
152
5
I am using Yosemite 10.10.5 using a non-admin account and using the application called TOR 5.02 (secure web browser) sha 256: bc76e4d1a0b9deab144b199aba8d98fb508ec8858e5efacf942eb38f9d92a08e



The application TOR which is for the most part a secure version of Firefox, was able to automatically update and install a new version of TOR 5.04 without me authorizing the installation or entering the administrator password. TOR 5.02 downloaded a file called Torbrowser.app.zip.



This never occurred with previous versions of TOR and since it bypass the operating system I am interested in knowing what the possible flaw that would allow this to occur. It appears to be an elevated priviledge.
 
CoastalOR

CoastalOR

macrumors 68040
Jan 19, 2015
3,032
1,151
Oregon, USA
TOR is about anonymity which is not the same as security. It will not protect you from malware for example. I have not used it, but check to see if there is a Preference setting that allows checking for updates.
Here are some links that discusses what it does and does not do:
http://www.theguardian.com/technology/2013/nov/05/tor-beginners-guide-nsa-browser
http://lifehacker.com/what-is-tor-and-should-i-use-it-1527891029
http://www.pcworld.com/article/2686467/how-to-use-the-tor-browser-to-surf-the-web-anonymously.html
 
R

Ritsuka

Cancelled
Sep 3, 2006
1,464
969
Why would it need to be authorised to update itself? An application runs with the same permission as your user (if it's not sandboxed) so it can do whatever you can, if your user has the permission to modify the app the app itself has got it too.
 
M

macmacmacr

macrumors regular
Original poster
Dec 23, 2014
152
5
Ritsuka said:
Why would it need to be authorised to update itself? An application runs with the same permission as your user (if it's not sandboxed) so it can do whatever you can, if your user has the permission to modify the app the app itself has got it too.
Click to expand...
That is not the case with Firefox. when a new version is ready to install and even though I install it it still requires my O.S. admin password to complete the installation. This is the case for all my apps on Yosemite.
 
M

macmacmacr

macrumors regular
Original poster
Dec 23, 2014
152
5
CoastalOR said:
TOR is about anonymity which is not the same as security. It will not protect you from malware for example. I have not used it, but check to see if there is a Preference setting that allows checking for updates.
Here are some links that discusses what it does and does not do:
http://www.theguardian.com/technology/2013/nov/05/tor-beginners-guide-nsa-browser
http://lifehacker.com/what-is-tor-and-should-i-use-it-1527891029
http://www.pcworld.com/article/2686467/how-to-use-the-tor-browser-to-surf-the-web-anonymously.html
Click to expand...
This is not about the application TOR but the fact it installs an update automatically without my interaction. I must enter my Admin password for any application to install. This should of been corrected in the security update 10.10.5. see http://www.intego.com/mac-security-blog/yosemite-zero-day/
 
R

Ritsuka

Cancelled
Sep 3, 2006
1,464
969
It all depends on the permissions of the app. Remove your user from the write permission of the app if you don't want it to replace itself.
 
You must log in or register to reply here.
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.
Top Bottom