Your Apple-Fu Is Impressive!

Yesterday, DaveG posted “When OSX Worms Attack.” It’s some good analysis of the three Apple worms:

Safari/Mail Vulnerability: Far more interesting. This is a serious vulnerability that needs to be fixed. If you are a Mac user, I would at the very least uncheck ‘Open Safe Files’ in Safari preferences. I don’t understand why Apple isn’t advising people on this better. This vulnerability is public, trivial to exploit, and we are at the 7 day mark.

Just a bit over a day later, Apple ships APPLE-SA-2006-03-01, with about 21 CVE-marked vulns and two extra “security enhancements.” Some of it is confusing; for example, “Authenticated users may cause an rsync server to crash or execute arbitrary code.” I understand neither the ordering nor the lack of specificity.

“Crash” is what happens when I write an exploit. “Execute arbitrary code” happens when DaveG writes exploits. So what’s happening? Is it “there’s an overflow, and we’re not sure if you can turn it into running code, and we fixed it”? That’s ok. No, I take it back. That’s great! I don’t want to have to prove that I can turn an overflow into code execution to see it fixed. Preemptive fixing is a great plan. If that’s what’s happening, please keep it up, and then please brag about it.

(Image stolen from the F-Secure blog.)

Second OSX Proof of Concept

Today we got a sample of a rather interesting case, a Mac OS X Bluetooth worm that spreads over Bluetooth.

OSX/Inqtana.A is a proof of concept worm for Mac OS X 10.4 (Tiger). It tries to spread from one infected system to others by using the Bluetooth OBEX Push vulnerability CAN-2005-1333.

Via F-Secure. I feel weird linking a CVE to not-MITRE. F-Secure’s full description explains that the code expires, and isn’t in the wild.

LEAP.A Mac Trojan

There seems to be a trojan out for the Mac. See New MacOS X trojan/virus alert, developing…. There are some interesting tidbits:

6a) If your uid = 0 (you’re root), it creates /Library/InputManagers/ , deletes any existing “apphook” bundle in that folder, and copies “apphook” from /tmp to that folder
6b) If your uid != 0 (you’re not root), it creates ~/Library/InputManagers/ , deletes any existing “apphook” bundle in that folder, and copies “apphook” from /tmp to that folder
7) When any application is launched, MacOS X loads the newly installed “apphook” Input Manager automatically into its address space

Name is from F-Secure. See my “The Approaching Apple OSX86 Security Nightmare” for my prior thoughts. If any reader has an archived copy, I’d like one so I can do some analysis.

First thought: It’s not attacking that nice, secure, BSD Unix base, but the Apple-designed parallel bits that help make the Mac so beautiful, usable, and extensible.

[Update: Second thought: there’s a lot of Mac-specific code here. It’s not simply a port of a UNIX trojan.]
[2nd Update: The wording above implies a contrast between secure and usable; I meant only to acknowledge Apple’s longstanding focus on making a polished product.]

What Software Do I Like?

In a comment on “Software Usability Thoughts: Some Advice For Movable Type,” Beau Smith asks “What Mac software do you like?”

That’s a tough question for three reasons: First, there’s enough decent software (consistent, attractive, discoverable) that the bad stuff can generally be avoided. Secondly, I’d like to choose examples which are either free or cheap, because I think that’s more useful than, say, commenting on Excel. Thirdly, Apple has an excellent set of “Human Interface Guidelines,” which seemingly most developers have read. The HIG really create a floor for what Mac developers tend to do, and the Mac faithful crush anything that falls near or below that floor. As I’m writing this, I’m reminded of a vignette in the Ars Technica review of Delicious Library:

This is a splash screen for a beta—something that will never be seen by more than a handful of people. Note the bullet hole, the magic marker graffiti, the scratched-out slogan, the haphazardly placed logo sticker.

Linux users, think about this image the next time you download a release version of a product without a comprehensive sample configuration file or with “cosmetic” bugs. Windows users, think about this the next time you see a poorly drawn 16-color icon or toolbar graphic in a multi-hundred dollar commercial software package.

That said, I’d like to discuss two apps a little bit: iCal, which ships with the OS, and “Notational Velocity.”

I like iCal quite a bit. It took a little exploration to get used to, and some things didn’t work quite as I wanted. For example, I wanted recurring todo items to help me remember to pay bills. Almost as good, I use recurring “all day” appointments in a finance category. I use the same sort of thing to manage travel information. It works quite well for me.

Notational Velocity is useful because of how small and fast it is, and how well searching works. Now that I have a program that implements incremental search, I find not having it in other places to be a lack. It’s that useful.

More than any particular feature, I appreciate the effort that goes into making something look easy.

Quicktime WMF like Vulns on OSX and Windows

The folks at eEye and Fortinet have identified a variety of image based heap overflows that allow for arbitrary code execution on both OSX and on Windows. Also an article on news.com.com claims that the patch initially caused some issues for some users on both platforms, that have been addressed now. Seems that poor implementation of image formats isn’t limited to just Microsoft. Any guesses to how long before we see malware for these vulns?

Netgear WGPS606 and Mac Printing

I recently bought a Netgear WGPS606 ‘print server.’ It’s a nifty little device with a 4-port 100 Mbit/s Ethernet switch, a wireless bridge, and an LPD print service. I needed each of those as part of reconfiguring my office space, and here it was in one little package.

It turned out to be something of a bear to configure, and tech support has not been very helpful. I finally got it all working. A bunch of technical details and gripes are after the break.


My Software is Mine.

People often become emotionally entangled with the software they use. It’s not a geek-only thing, although geeks often become more entangled with a broader range of the software they use. Normal people speak of “My Excel is screwed up,” or feel bad that their Sony CD has messed things up for them.

One of the reasons that people become enraged by spyware is the interference with what ought to be a private space. It is, after all, called a personal computer, and people extensively personalize them. An important and worrisome trend is your computer responding to commands from outsiders. Recently, AOL added two “buddies” to my buddy list on AIM. What the hell? It turns out that AIM synchronizes buddy lists with the mothership, and that there are good reasons for this. (Thanks to Len for explaining that to me.) But it was deeply offensive, and the Pebble and the Avalanche has a good analysis in “Putting the ‘Mess’ in Instant Messaging: AOL Makes a Big Mistake.”

Another instance of this is web sites that think you should write your password on paper instead of a nice, semi-secure, encrypted keystore like KeyChain. (Hello, Citibank!)
JWZ, who knows a thing or two about browsers, offers suggestions for fixing this bug in Safari in <form autocomplete=”yes, dammit”>. [Update: fixed link.]

Macs and Sony’s Rootkit

[Update: Welcome Wired readers! If you enjoyed Bruce Schneier’s article on who’s responsible for security flaws, please explore a little. The economics of security and privacy issues are an ongoing theme.]

It wasn’t a plan that I was going to slag Apple this week. Really, I’m fond of my Mac, I’m just tired of claims that it’s somehow über-secüre. Now it comes out that Sony has licensed technology from SunnComm to rootkit your Mac. It’s harder for Sony to install, because (unlike a PC) they need you to authorize the installation. It’s possibly less damaging than on the PC, but we don’t yet know what the two kernel extensions do. The Unofficial Apple Weblog suggests that they’ll be disassembled, and I hope they’re right.

Comments in “Unintended consequences of DRM” suggest that the password is important, and while it is, I’m not sure how many people won’t just type their password on demand.

Previous posts about Apple security have been: “Kudos to Microsoft, Brick-brats to Apple” and “The Approaching Apple OSX86 Security Nightmare.”

Kudos to Microsoft, Brick-brats to Apple

MS05-038 and MS05-052 contain a number of defense-in-depth changes to the overall functionality of Internet Explorer. These changes were done mostly for security reasons, removing potentially unsafe functionality and making changes to how Internet Explorer handles ActiveX controls.

As a result of these changes that we made for security sake, for a limited amount of customers some pages may not load as expected. We’ve published some guidance on this further detailing the changes and how customers can resolve this if they are experiencing problems. We also updated the bulletins to make sure people have the right references to roll back the changes if they need to go back to the less secure state.

So writes Stephen Toulouse in the Microsoft Security Response Center blog. It’s really hard to make these sorts of choices, and I think that Microsoft deserves notice for making them, and making them in (what I think is) the right way.

Looking in from the outside, it’s clear that the “app compat” issue weighs heavy in decision making. Microsoft has been listening to their customers, who, after years of investing in the Microsoft stack, don’t want it to break. You know it gets lots of attention when they shorten those words — for example, this presentation by Tony Chor of IE (4.8mb ppt). But at times, app compat is going to have to break for security reasons.

When you do break app compat, that’s no reason to make consumers pay. That’s exactly what Apple is doing with the slew of high-priority Quicktime fixes that came out last week: They’re not producing a Quicktime 6 fix. Now, if you paid for Quicktime Pro, you have a choice. You can either pay again, or accept that random Quicktime video can execute arbitrary code. Given that Apple’s browser, Safari, comes with plugins enabled, and that those plugins include Quicktime, your browsing the web with Apple’s default settings can lead to a compromise. Apple’s fix? Pay us $20, again. I think that’s the wrong way to treat customers.

Actually, to be completely fair, it’s unclear if these issues affect Quicktime 6 or not. Apple’s Software Update is suggesting an update. The complete message I’m shown is:

QuickTime 7.0.3 delivers several important bug fixes, primarily in the areas of streaming and H.264 video. QuickTime 7 Pro users also gain the ability to create video and audio files that can be played back on compatible iPods. This update is highly recommended for all QuickTime 7 users.

Important Notice to QuickTime Pro Users
Installation of QuickTime 7 will disable the QuickTime Pro functionality in prior versions of QuickTime, such as QuickTime 5 or QuickTime 6. If you proceed with this installation, you must purchase a new QuickTime 7 Pro key to regain QuickTime Pro functionality. After installation, visit www.apple.com/quicktime to purchase a QuickTime 7 Pro key.

Apple really should make this easier. Following reporting by Dawn Kawamoto, it seems that Secunia claims 6.x is vulnerable.

Brick-brat 1: No mention of security. Brick-brat 2: No comment about the widely deployed QT6, other than “We break license key compat.” Brick-brat 3: Telling your customers they can either be insecure, pay up, or lose functionality. That’s the wrong point on the app-compat scale. If Microsoft were doing this, people would be foaming and sputtering.

The Approaching Apple OSX86 Security Nightmare

In the midst of an excellent long article on how the Wine Windows compatibility layer will interact with OSX86 (“I invite you to wine”), Wil Shipley writes:

When you can run Windows apps on Mac OS X, you’ll still be protected by Mac OS X. Viruses are going to be dead. D-E-D. Ok, yes, there are certain kinds of pseudo-viruses (the kind where they trick dumb people into running them) that will still exist, but even those will NOT be able to infect the whole system, because even you don’t have access to the whole system. The worst that’ll happen is your personal account will get messed up, and you’ll have to nuke it and create a new user. And then learn not to open mail messages that say, “Free PRON, just launch the executable!”

These sorts of claims are common and misguided. As Apple becomes more popular, and moves to X86, attacks on MacOSX will increase dramatically in their frequency and virulence.

There are three design choices that Apple has made differently than Microsoft that offer quite a bit of security. The first is that Apple has no equivalent of ActiveX. That means that it’s much harder to get the web browser to execute arbitrary code for an attacker when the intended victim is on OSX than when the victim is on Windows. The second is that while the default user is in the “admin” group, the admin group is not extremely powerful. The third is that, often, to install software, you need to type your password. That’s because the admin group is not powerful enough for some important install types. Usually. For some install types. Not other times. And that ‘not other times’ will be the path that attackers use. It’s the path that you use dragging apps from a dmg (disk image) to /Applications.

The default permissions on both /Applications and /Library are (0775, root:admin). [Typo corrected.] Neither is sticky.[1] So what does that mean? Well, the first thing it means is that an attacker running as the default admin user can likely write to anything under either directory (or replace it with a modified copy). So Shipley’s advice, “The worst that’ll happen is your personal account will get messed up,” is incorrect. Because your personal account can drop malware into /Applications or /Library, destroying your old account won’t get rid of it. I’m not an expert on what’s in /Library, or how it interacts with (the more tightly permissioned) /System/Library, but it seems likely that an infection of /Applications would be, at best, time-consuming to clean up.

I should mention, I don’t mean to pick on Mr. Shipley, I’m just using him as an archetype. His claim is correct: There are parts of the OS that you don’t have direct access to, but it’s also misleading, because there are important parts that you can change.

I believe that /Library/StartupItems/ will be started before a user logs in. That’s a fine place for some malware to live. Now, that malware will want additional privileges. When I updated Flash, which is loaded in all my browsers, the installer didn’t ask for a password. I’m guessing that you can hook the Finder from /Library, but not the actual filesystem (as seen by unix commands like ls). For those privileges which a subset of malware (rootkits) will want, you’ll need to become root. And that’s harder, but I fully expect that more of the setuid programs on the system will have issues. When I say more, at least CVE-2003-0088 had a very simple mistake (AusCERT’s archive of the advisory). Now, that was a while ago, but since DaveG left @Stake, I don’t know how much attention is being paid to the 25 or so setuid apps on the system that appear to be from Apple.

I do know that the attention paid to them will go up dramatically when OSX86 becomes available. There are several things that will drive that. The first is that more people will have machines that can run the OS. (Apple’s DRM systems to ensure that their code only runs on their machines will fall like leaves. Remember, the people who find new problems read disassembled machine code for fun.) So, more people with more machines. Those people will have better analysis and disassembly tools. Tools that have been honed for years. That’s the second thing. The third thing is that comments like Shipley’s cause researchers to want to find problems, to “show those Mac users.” The final driver of increased attention will be that there will be more Macs to attack.

Now, that increased attention is going to be turned against an OS that hasn’t evolved to resist it. It’s not going to be pretty. My researcher colleagues who have poked at MacOS have had quite rude things to say about it. Apple’s response to the dmg issue wasn’t impressive. Apple’s security issues with Dashboard widgets were an embarrassment. I hope that Apple has used the interval wisely. But I suspect that Apple and the faithful are in for an unpleasant surprise.

[1] I wasn’t sure if I’d adjusted those, so I checked:

% ls -ld /Applications/ /Library
drwxrwxr-x  57 root  admin  1938 31 Oct 17:27 /Applications/
drwxrwxr-x  47 root  admin  1598 25 Sep 15:24 /Library

You can validate that these are shipping permissions with the ‘lsbom’ (ls Bill Of Materials) command:

% lsbom /Library/Receipts/Essentials.pkg/Contents/Archive.bom | grep './Library'
% lsbom /Library/Receipts/BaseSystem.pkg/Contents/Archive.bom | grep './Applications'

(I’m told that /Library is sticky in 10.4, which is a fine improvement.)
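Since the Leap.A entry above and this post keep pointing at the same handful of places (the InputManagers folder Leap.A drops “apphook” into, the group-writable and non-sticky /Applications and /Library, /Library/StartupItems, and the root-owned setuid binaries), here is a small POSIX shell audit that checks them all in one pass. This is an added example, not code from the original posts or from Apple. The optional PREFIX argument is an assumption of this example, so the checks can be pointed at a copied filesystem or a throwaway test tree instead of the live root; lsbom is Apple-only, so the comparison against shipped permissions from footnote [1] still has to be done by hand.

```sh
#!/bin/sh
# Added example (not from the original post): audit the admin-writable
# persistence locations discussed above. PREFIX is an assumption so the
# checks can run against a copied filesystem or a test tree; with no
# argument the live /Applications, /Library and ~/Library are inspected.

# mode_string PATH -> the 10-character mode field from `ls -ld`, e.g. drwxrwxr-x
mode_string() {
    ls -ld "$1" | cut -c1-10
}

# check_dir PATH: report whether PATH is group-writable and whether it is
# sticky. Returns 0 only for the shipping state the post describes
# (group-writable, not sticky), 1 otherwise, including when PATH is missing.
check_dir() {
    dir=$1
    [ -d "$dir" ] || { echo "$dir: missing"; return 1; }
    mode=$(mode_string "$dir")
    gw=$(printf '%s' "$mode" | cut -c6)    # group write bit
    ot=$(printf '%s' "$mode" | cut -c10)   # 't' or 'T' here means sticky
    case "$gw$ot" in
        w[tT]) echo "$dir: group-writable but sticky ($mode)"; return 1 ;;
        w*)    echo "$dir: group-writable, not sticky ($mode)"; return 0 ;;
        *)     echo "$dir: not group-writable ($mode)"; return 1 ;;
    esac
}

# list_bundles DIR: one line per entry in DIR. Anything dropped into an
# InputManagers or StartupItems folder (Leap.A's "apphook") shows up here.
list_bundles() {
    dir=$1
    [ -d "$dir" ] || return 0
    for entry in "$dir"/*; do
        [ -e "$entry" ] || continue        # empty directory: glob stays literal
        echo "$dir: $(basename "$entry")"
    done
}

# list_setuid ROOT: setuid files under ROOT on the same filesystem, the
# attack surface for the "become root" step. Check the owner with `ls -l`.
list_setuid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null
}

# audit [PREFIX]: run every check and finish with a count of weak directories.
audit() {
    prefix=${1:-}
    weak=0
    for d in /Applications /Library; do
        if check_dir "$prefix$d"; then weak=$((weak + 1)); fi
    done
    for d in /Library/InputManagers /Library/StartupItems \
             "${HOME:-/var/empty}/Library/InputManagers"; do
        list_bundles "$prefix$d"
    done
    list_setuid "${prefix:-/}"
    echo "weak directories: $weak"
}
```

Source the file and call `audit` for the live system, or `audit /path/to/copy` for a mounted image or test tree. A “group-writable, not sticky” line means anyone in admin can create, delete or replace entries there without a password prompt, which is exactly the drag-to-/Applications path discussed above.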

Apple Security Update 2005-008

There’s a new security update from Apple, for both 10.3.9 and 10.4.2. If you browse the internet, or read email, you need it. I’m getting really annoyed at Apple’s update mechanisms. Not only the agreeing to a new license as part of the update, but the awful way in which they’re arranged. The technical data on this update is in “About Security Update 2005-008.”

The very first issue (CAN-2005-2747) is appropriately ordered: it’s an overflow in GIF interpretation in a (10.4) system library used by Safari. Then there are two mail issues, which I don’t rate as critical, and a malloc local privilege escalation, and only then are we told about a buffer overflow in QuickDraw Manager, which several important apps rely upon. Yesterday, I stopped reading before number five, thinking we were into local system attacks.

Added 24 Sept: It’s a shame that a company known for usability can’t make these things usable. See also “All Mac Browsers are crap.”

Anyway, time to update.

Command-Q Getting Me Down

The Mac’s Terminal.app is way too easy to quit; it seems to absorb any command-Q typed near it, even if the menubar is showing you that you’re in another app. (This may be an interaction with the preference FocusFollowsMouse.) Anyway, having just lost a bunch of terminals with useful data in them, I went and found this MacOSXHints page, which gives me:


defaults write NSGlobalDomain NSUserKeyEquivalents '{"Quit Terminal" = "@$Q";}'

The post’s author, SAO, states that you need to do this from xterm, with terminal quit. That is incorrect (at least on 10.3.9). I ran that, quit and restarted terminal, and it worked great.

More on Opera

It has a lot to recommend it, but there are a number of niggling annoyances:

  • Saved pages are poorly named. (Safari gives the page a name based on its title; Opera uses the filename, often “index.html.”) Since I save a lot of web pages, this is an issue.
  • Cookie management doesn’t seem as good as Safari with PithHelmet
  • The way it chooses what tab to display after you close a tab feels wrong.
  • View Source opens the source in TextEdit.app…which interprets HTML, meaning you just get the page, rendered again. It turns out that that’s one of a lot of ways that Opera feels like what it is, a port of a Windows program, rather than a Mac app.
  • Another of those is that the Mac’s built-in spell checker is not available as you type in, say, a blog comment form; nor are the Mac typing shortcuts (the emacs ones, like control-a, control-n, control-k) available. Opera is the second app where they don’t seem to work, the other being MS Office.
  • Selecting text is PC-like in Opera: A single click on a URL would often select a word. So I’d find myself fighting to move the insertion point. And oddly, editing in the URL bar was always slow.

There are a lot of nice things to recommend Opera as well, and I’m glad for the opportunity to try it, before heading back to Safari. One tip to the Opera folks: Offer a 30 day, ad-free trial. The ads were too distracting and annoying for me to even trial your browser before this.

Switching back is also hard. Some of the keyboard shortcuts (splat-N in particular) are, after the switch, more natural in Opera, where it gives you a new tab, not a new window.

Impressions of Opera

operalogo.gif
Having taken advantage of Opera’s offer (still valid for a few hours!) I must say, I’m impressed. Opera is snappy in a way that Safari (with all the plugins I’ve added) is not. There are some small things that don’t work as I expect, and things that should be controlled differently*, as I move, but there are two big issues that are causing me to consider not moving.

The first is ad management. Safari, by itself, does no better than Opera at this, but Safari has PithHelmet, which does an excellent job of helping me not connect to sites I don’t want to see, and also adds per-site configuration of things like Javascript.

The second is Mac Keychain integration. The Mac has a very nice system for storing and managing passwords, encrypted with your login password, or other password. Opera doesn’t seem to support this. I have literally hundreds of passwords stored in Keychain, and getting them all out and into Opera will be a pain.

It remains to be seen if Opera’s speed is enough to overcome these two hurdles. If anyone has suggestions for either, I’d love to hear them.

[* things that should be controlled differently: One example is skin management: Selecting a radio button for “download new skins” is clear enough, but going and getting new skins should be a different control.]