Macintosh Genuine Advantage™

See “Mac OS X Server Firewall Serial Hole:”

…What they haven’t noticed yet is Mac OS X Server 10.4 overrides an explicit administrator firewall security setting to keep its copy protection functional.

OSXS 10.4’s “Server Admin” lists “Serial Number Support” on UDP port 626 under its firewall pane, with an option to turn it off. You can, in fact, block that port with the UI. And it will work for a little while.

However, serialnumberd will eventually notice this and re-enable UDP port 626 itself. This results in a disparity where Server Admin’s UI says you have port 626 disabled, but it’s clearly active in the “Active Rules” pane.

I promised not to comment. I think it’s still fair to link.
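The linked post describes a gap between what Server Admin reports and the rules actually loaded. The following script, added here as an example and not code from the original post or from Apple, makes that comparison mechanical: it parses the text form of `ipfw list` (the rule engine behind the Mac OS X 10.4 firewall) and reports every port whose effective action differs from the administrator's policy. The rule lines in it are constructed for the demonstration, not captured from a real server, and address matching is simplified as noted in the comments.

```python
"""Compare an explicit firewall policy against the rules actually loaded.

Added example, not code from the original post or from Apple. It parses
ipfw-style rule lines and reports every (proto, port) whose effective
action differs from policy. The listing below is constructed, not captured.
"""

# Constructed sample in `ipfw list` style:
# "<number> <action> <proto> from <src> to <dst> [dst-port N] [via IFACE]".
# Rule 02000 is the kind of rule a daemon re-adding port 626 would insert;
# 02010 is the administrator's block, which never fires because 02000
# matches first.
SAMPLE_LISTING = """\
00010 allow ip from any to any via lo0
02000 allow udp from any to any dst-port 626
02010 deny udp from any to any dst-port 626
65535 allow ip from any to any
"""


def parse_listing(text):
    """Parse ipfw-style rule lines into dicts; malformed lines are skipped."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or not parts[0].isdigit():
            continue
        # Simplification: a rule qualified with "via lo0" only applies to
        # loopback traffic, so it is ignored when judging external ports.
        via = parts.index("via") if "via" in parts else -1
        loopback_only = via >= 0 and via + 1 < len(parts) and parts[via + 1] == "lo0"
        dst_port = None
        if "dst-port" in parts and parts.index("dst-port") + 1 < len(parts):
            dst_port = parts[parts.index("dst-port") + 1]
        rules.append({
            "num": int(parts[0]),
            "action": parts[1],
            "proto": parts[2],
            "dst_port": dst_port,
            "loopback_only": loopback_only,
        })
    return rules


def effective_action(rules, proto, port):
    """Return (rule_number, action) of the first rule matching traffic of
    `proto` to destination port `port`. ipfw evaluates rules in ascending
    number order and the first match wins; a rule with no dst-port, or with
    protocol "ip", matches any port. Addresses are assumed to be "any"."""
    for rule in sorted(rules, key=lambda r: r["num"]):
        if rule["loopback_only"]:
            continue
        if rule["proto"] not in (proto, "ip"):
            continue
        if rule["dst_port"] not in (None, str(port)):
            continue
        return rule["num"], rule["action"]
    return None, None


def audit_listing(text, policy):
    """policy maps (proto, port) -> expected action ("allow" or "deny").
    Returns one finding per policy entry whose effective action disagrees."""
    rules = parse_listing(text)
    findings = []
    for (proto, port), expected in sorted(policy.items()):
        num, actual = effective_action(rules, proto, port)
        if actual != expected:
            findings.append({"proto": proto, "port": port, "expected": expected,
                             "actual": actual, "rule": num})
    return findings


if __name__ == "__main__":
    # Policy as the administrator set it in the UI: serial-number traffic blocked.
    for f in audit_listing(SAMPLE_LISTING, {("udp", 626): "deny"}):
        print(f"{f['proto']}/{f['port']}: policy says {f['expected']}, "
              f"rule {f['rule']:05d} makes it {f['actual']}")
```

On a real server the input would be the output of `sudo ipfw list`, fed to `audit_listing` together with the policy the administrator believes is in force; running it from cron turns the UI-versus-active-rules disparity into a logged finding rather than something noticed by chance.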

DaveG On Apple Security Advisory

So if you have a Mac, you really want to open Software Update now. You can read about Apple Security Update 2006-0003 after you’ve installed it and the QuickTime patch. In “Apple Security Update RoundUp,” DaveG explains:

So, in short, without the latest update, OS X is secure as long as you don’t look at any movies, images, websites, zip files, flash content or email messages.

Snarkiness aside, I like that a number of these vulnerabilities appear to have been found internally (assuming that is what uncredited vulnerabilities mean).

He also says “That’s around 35 vulnerabilities in one day!” Why the ‘around’? As I explained in “Counting In Computer Security,” that counting can be tricky.

One final comment. For comparison, Microsoft shipped three patches this month, covering roughly 5 vulns (CVEs). Apple shipped 2 patches, covering roughly 35. I feel so warm and fuzzy.

Apple’s Message

Over at Security Curve, Ed Moyle has some good thoughts on “the Gigantic ‘Bull’s Eye’ on Apple’s Forehead:”

Now, I don’t know about you but I haven’t seen this kind of hubris since Oracle’s “unbreakable” campaign. Remember that? I do. I remember that at one point in time, most researchers ignored Oracle and pretty much left it alone… Then Oracle stepped up on the soapbox shouting “we’re unbreakable”, only to find themselves getting the kind of scrutiny from hackers usually reserved for new flavors of Mountain Dew.

I don’t think the current threat is that bad. I also don’t think that Apple is ready for the sort of onslaught that’s taught such harsh lessons to Microsoft and Oracle.

So Apple, please think about those shoes you’re wearing. Think about the message you’re sending, because teenage boys will respond.

(Image from istock photo.)

Time to Patch

Brian Krebs has a long article, “Time To Patch III: Apple,” examining how long it takes Apple to ship security fixes:

Over the past several months, Security Fix published data showing how long it took Microsoft and Mozilla to issue updates for security flaws. Today, I’d like to present some data I compiled that looks at Apple’s performance on this front.

It’s a good thing no one has any technology that would help a researcher understand exactly the changes that a patch makes. Because if they did, they could sure read those Linux patches and learn a lot about Apple vulnerabilities.

I’m Sure I Don’t Want to Continue

When I try to drop files in the Trash, the Finder gives me this awful[1] dialog box. I really don’t want to delete files immediately, and am not sure why it wants to. Does anyone know what I do to fix this?

[1] It’s awful for two reasons: First, it gives me no advice on what’s causing this, or what I can do to fix it, and second, it uses “OK/Cancel,” rather than “Delete/Keep/Adjust Trash Settings.”

[Update: Ok, it’s not awful. It’s comprehensible, but not up to Apple’s usual standards. Also, according to “Prevent local files from being deleted immediately” on MacOSXHints, if you delete ~/.Trash, this can happen. I seem to recall using the command ‘srm -rf ~/.Trash/’ yesterday, and it’s conceivable that I forgot the trailing slash. Now while it makes perfect sense that ‘rm foo’ and ‘rm foo/’ are different, it’s an odd interaction between the UNIX side of OSX and the pretty bits.]

Your Apple-Fu Is Impressive!

Yesterday, DaveG posted “When OSX Worms Attack.” It’s some good analysis of the three Apple worms:

Safari/Mail Vulnerability: Far more interesting. This is a serious vulnerability that needs to be fixed. If you are a Mac user, I would at the very least uncheck ‘Open Safe Files’ in Safari preferences. I don’t understand why Apple isn’t advising people on this better. This vulnerability is public, trivial to exploit, and we are at the 7 day mark.

Just a bit over a day later, Apple ships APPLE-SA-2006-03-01, with about 21 CVE-marked vulns, and two extra “security enhancements.” Some of it is confusing, for example, “Authenticated users may cause an rsync server to crash or execute arbitrary code.” I understand neither the ordering nor the lack of specificity.

“Crash” is what happens when I write exploits. “Execute arbitrary code” happens when DaveG writes exploits. So what’s happening? Is it “there’s an overflow, and we’re not sure if you can turn it into running code, and we fixed it?” That’s ok. No, I take it back. That’s great! I don’t want to have to prove that I can exploit an overflow to see it fixed. Preemptive fixing is a great plan. If that’s what’s happening, please keep it up, and then please brag about it.

(Image stolen from the F-Secure blog.)

Second OSX Proof of Concept

Today we got a sample of a rather interesting case, a Mac OS X Bluetooth worm that spreads over Bluetooth.

OSX/Inqtana.A is a proof of concept worm for Mac OS X 10.4 (Tiger). It tries to spread from one infected system to others by using the Bluetooth OBEX Push vulnerability CAN-2005-1333.

Via F-Secure. I feel weird linking a CVE to not-MITRE. F-Secure’s full description explains that the code expires, and isn’t in the wild.

LEAP.A Mac Trojan

There seems to be a trojan out for the Mac. See New MacOS X trojan/virus alert, developing…. There are some interesting tidbits:

6a) If your uid = 0 (you’re root), it creates /Library/InputManagers/ , deletes any existing “apphook” bundle in that folder, and copies “apphook” from /tmp to that folder
6b) If your uid != 0 (you’re not root), it creates ~/Library/InputManagers/ , deletes any existing “apphook” bundle in that folder, and copies “apphook” from /tmp to that folder
7) When any application is launched, MacOS X loads the newly installed “apphook” Input Manager automatically into its address space

The name is from F-Secure. See my “The Approaching Apple OSX86 Security Nightmare” for my prior thoughts. If any reader has an archived copy, I’d like one so I can do some analysis.

First thought: It’s not attacking that nice, secure, BSD Unix base, but the Apple-designed parallel bits that help make the Mac so beautiful, usable, and extensible.

[Update: Second thought: there’s a lot of Mac-specific code here. It’s not simply a port of a UNIX trojan.]
[2nd Update: The wording above implies a contrast between secure and usable; I meant only to acknowledge Apple’s longstanding focus on making a polished product.]
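The quoted analysis names the persistence point: a bundle dropped into /Library/InputManagers or ~/Library/InputManagers gets loaded into every application that launches afterward. The script below is an added example, not code from the original post or from the analysis it quotes. It inventories those two directories, flags any bundle not on an allowlist, and notes whether the directory itself is world-writable (which would let any local user plant a bundle). The allowlist and the directory layout built under a temporary directory in `demo()` are constructed for the demonstration.

```python
"""Inventory Input Manager bundles and flag anything unexpected.

Added example, not code from the original post. The two directory paths
are the ones the quoted analysis names; the allowlist and the temporary
layout in demo() are constructed.
"""
import stat
import tempfile
from pathlib import Path

# The two locations the quoted analysis describes: system-wide when the
# installer ran as root, per-user otherwise.
INPUT_MANAGER_DIRS = ["/Library/InputManagers", "~/Library/InputManagers"]


def list_bundles(directory):
    """Return names of bundle-like entries (subdirectories) in `directory`,
    sorted; an absent directory yields an empty list rather than an error."""
    d = Path(directory).expanduser()
    if not d.is_dir():
        return []
    return sorted(p.name for p in d.iterdir() if p.is_dir())


def audit_input_managers(dirs, allowlist):
    """Return one finding per bundle that is not on `allowlist`.

    Each finding records the directory, the bundle name, and whether the
    containing directory is world-writable (a second problem in its own
    right, since it lets any local user add a bundle)."""
    findings = []
    for directory in dirs:
        d = Path(directory).expanduser()
        if not d.is_dir():
            continue
        dir_world_writable = bool(d.stat().st_mode & stat.S_IWOTH)
        for name in list_bundles(d):
            if name in allowlist:
                continue
            findings.append({
                "directory": str(d),
                "bundle": name,
                "dir_world_writable": dir_world_writable,
            })
    return findings


def demo():
    """Build a constructed layout under a temp dir and audit it.
    Returns the names of the bundles flagged."""
    root = Path(tempfile.mkdtemp())
    im = root / "Library" / "InputManagers"
    (im / "apphook.bundle").mkdir(parents=True)   # the bundle the trojan drops
    (im / "Legit.bundle").mkdir()                  # constructed, allowlisted
    (im / "README.txt").write_text("constructed")  # plain file, not a bundle
    findings = audit_input_managers([im], {"Legit.bundle"})
    return [f["bundle"] for f in findings]


if __name__ == "__main__":
    # On a real system: an empty allowlist lists every bundle present, which
    # is a reasonable first baseline to review and then freeze.
    for f in audit_input_managers(INPUT_MANAGER_DIRS, set()):
        flag = " (directory world-writable)" if f["dir_world_writable"] else ""
        print(f"{f['directory']}/{f['bundle']}{flag}")
    print("demo:", demo())
```

Run once to capture the bundles legitimately installed, put those names in the allowlist, and then run it periodically; any new name in either directory is worth a look before the next application launch loads it.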

What Software Do I Like?

In a comment on “Software Usability Thoughts: Some Advice For Movable Type,” Beau Smith asks “What Mac software do you like?”

That’s a tough question for three reasons: First, there’s enough decent software (consistent, attractive, discoverable) that the bad stuff can generally be avoided. Secondly, I’d like to choose examples which are either free or cheap, because I think that’s more useful than, say, commenting on Excel. Thirdly, Apple has an excellent set of “Human Interface Guidelines,” which seemingly most developers have read. The HIG really create a floor for what Mac developers tend to do, and the Mac faithful crush anything that falls near or below that floor. As I’m writing this, I’m reminded of a vignette in the Ars Technica review of Delicious Library:

This is a splash screen for a beta—something that will never be seen by more than a handful of people. Note the bullet hole, the magic marker graffiti, the scratched-out slogan, the haphazardly placed logo sticker.

Linux users, think about this image the next time you download a release version of a product without a comprehensive sample configuration file or with “cosmetic” bugs. Windows users, think about this the next time you see a poorly drawn 16-color icon or toolbar graphic in a multi-hundred dollar commercial software package.

That said, I’d like to discuss two apps a little bit: iCal, which ships with the OS, and “Notational Velocity.”

I like iCal quite a bit. It took a little exploration to get used to, and some things didn’t work quite as I wanted. For example, I wanted recurring todo items to help me remember to pay bills. Almost as good, I use recurring “all day” appointments in a finance category. I use the same sort of thing to manage travel information. It works quite well for me.

Notational Velocity is useful because of how small and fast it is, and how well searching works. Now that I have a program that implements incremental search, I find its absence in other programs to be a real lack. It’s that useful.

More than any particular feature, I appreciate the effort that goes into making something look easy.