Category: Macintosh

On The Curious Incident Lately in Apple v. Maynor and Ellch

So John Gruber, who has written quite a bit on the whole did-they-didn’t-they spat between Apple and Dave Maynor and Jon Ellch, offers up “An Open Challenge to David Maynor and Jon Ellch,” offering them a MacBook if they can root it.

I’d like to mention something that hasn’t happened lately. By not happening, it seems to have not drawn attention to itself. After a war in which gallons of ink were spilled, and every utterance by Apple, Maynor, and SecureWorks was analyzed by Talmudic scholars, there’s silence.

What might be the cause of such silence? Are Apple and Maynor finally talking? (In my personal experience of trying to learn more about security issues with Apple products, Apple ignores questions. They ignored questions when I name dropped. They ignored questions when I mentioned things like being an editorial board member at the CVE project.)

So one possible interpretation of events is that there was serious miscommunication, and the parties involved are now having interesting discussions.

If that’s the case, then Gruber is trying to pour gasoline on a fire that others are trying to extinguish.

After I wrote this, Jon Ellch posted to DailyDave; that post was covered in “Johnny Cache breaks silence on Apple Wi-Fi exploit,” and that story was picked up by Slashdot.

[Update: Rob Lemos has a short article, “MacBook Controversy continues with Challenge” at SecurityFocus.]

Macintosh Genuine Advantage™

See “Mac OS X Server Firewall Serial Hole:”

…What they haven’t noticed yet is Mac OS X Server 10.4 overrides an explicit administrator firewall security setting to keep its copy protection functional.

OSXS 10.4’s “Server Admin” lists “Serial Number Support” on UDP port 626 under its firewall pane, with an option to turn it off. You can, in fact, block that port with the UI. And it will work for a little while.

However, serialnumberd will eventually notice this and re-enable UDP port 626 itself. This results in a disparity where Server Admin’s UI says you have port 626 disabled, but it’s clearly active in the “Active Rules” pane.

I promised not to comment. I think it’s still fair to link.

DaveG On Apple Security Advisory

So if you have a Mac, you really want to open Software Update now. You can read about Apple Security Update 2006-0003 after you’ve installed it and the QuickTime patch. In “Apple Security Update RoundUp,” DaveG explains:

So, in short, without the latest update, OS X is secure as long as you don’t look at any movies, images, websites, zip files, flash content or email messages.

Snarkiness aside, I like that a number of these vulnerabilities appear to have been found internally (assuming that is what uncredited vulnerabilities mean).

He also says “That’s around 35 vulnerabilities in one day!” Why the ‘around’? As I explained in “Counting In Computer Security,” that counting can be tricky.

One final comment. For comparison, Microsoft shipped three patches this month, covering roughly 5 vulns (CVEs). Apple shipped 2 patches, covering roughly 35. I feel so warm and fuzzy.

Apple’s Message

Over at Security Curve, Ed Moyle has some good thoughts on “the Gigantic ‘Bull’s Eye’ on Apple’s Forehead:”

Now, I don’t know about you but I haven’t seen this kind of hubris since Oracle’s “unbreakable” campaign. Remember that? I do. I remember that at one point in time, most researchers ignored Oracle and pretty much left it alone… Then Oracle stepped up on the soapbox shouting “we’re unbreakable”, only to find themselves getting the kind of scrutiny from hackers usually reserved for new flavors of Mountain Dew.

I don’t think the current threat is that bad. I also don’t think that Apple is ready for the sort of onslaught that’s taught such harsh lessons to Microsoft and Oracle.

So Apple, please think about those shoes you’re wearing. Think about the message you’re sending, because teenage boys will respond.

(Image from istock photo.)

Time to Patch

Brian Krebs has a long article, “Time To Patch III: Apple,” examining how long it takes Apple to ship security fixes:

Over the past several months, Security Fix published data showing how long it took Microsoft and Mozilla to issue updates for security flaws. Today, I’d like to present some data I compiled that looks at Apple’s performance on this front.

It’s a good thing no one has any technology that would help a researcher understand exactly the changes that a patch makes. Because if they did, they could sure read those Linux patches and learn a lot about Apple vulnerabilities.

I’m Sure I Don’t Want to Continue

When I try to drop files in the Trash, the Finder gives me this awful[1] dialog box. I really don’t want to delete files immediately, and am not sure why it wants to. Does anyone know what I do to fix this?

[1] It’s awful for two reasons: First, it gives me no advice on what’s causing this, or what I can do to fix it, and second, it uses “OK/Cancel,” rather than “Delete/Keep/Adjust Trash Settings.”

[Update: Ok, it’s not awful. It’s comprehensible, but not up to Apple’s usual standards. Also, according to “Prevent local files from being deleted immediately” on MacOSXHints, if you delete ~/.Trash, this can happen. I seem to recall using the command ‘srm -rf ~/.Trash/’ yesterday, and it’s conceivable that I forgot the trailing slash. Now while it makes perfect sense that ‘rm foo’ and ‘rm foo/’ are different, it’s an odd interaction between the UNIX side of OSX and the pretty bits.]

Your Apple-Fu Is Impressive!

Yesterday, DaveG posted “When OSX Worms Attack.” It’s some good analysis of the three Apple worms:

Safari/Mail Vulnerability: Far more interesting. This is a serious vulnerability that needs to be fixed. If you are a Mac user, I would at the very least uncheck ‘Open Safe Files’ in Safari preferences. I don’t understand why Apple isn’t advising people on this better. This vulnerability is public, trivial to exploit, and we are at the 7 day mark.

Just a bit over a day later, Apple ships APPLE-SA-2006-03-01, with about 21 CVE-marked vulns, and two extra “security enhancements.” Some of it is confusing, for example, “Authenticated users may cause an rsync server to crash or execute arbitrary code.” I understand neither the ordering nor the lack of specificity.

“Crash” is what happens when I write an exploit. “Execute arbitrary code” happens when DaveG writes exploits. So what’s happening? Is it “there’s an overflow, and we’re not sure if you can turn it into running code, and we fixed it?” That’s ok. No, I take it back. That’s great! I don’t want to have to prove that I can execute an overflow to see it fixed. Preemptive fixing is a great plan. If that’s what’s happening, please keep it up, and then please brag about it.

(Image stolen from the F-Secure blog.)

Second OSX Proof of Concept

Today we got a sample of a rather interesting case, a Mac OS X Bluetooth worm that spreads over Bluetooth.

OSX/Inqtana.A is a proof of concept worm for Mac OS X 10.4 (Tiger). It tries to spread from one infected system to others by using Bluetooth OBEX Push vulnerability CAN-2005-1333.

Via F-Secure. I feel weird linking a CVE to not-MITRE. F-Secure’s full description explains that the code expires, and isn’t in the wild.

LEAP.A Mac Trojan

There seems to be a trojan out for the Mac. See New MacOS X trojan/virus alert, developing…. There are some interesting tidbits:

6a) If your uid = 0 (you’re root), it creates /Library/InputManagers/ , deletes any existing “apphook” bundle in that folder, and copies “apphook” from /tmp to that folder
6b) If your uid != 0 (you’re not root), it creates ~/Library/InputManagers/ , deletes any existing “apphook” bundle in that folder, and copies “apphook” from /tmp to that folder
7) When any application is launched, MacOS X loads the newly installed “apphook” Input Manager automatically into its address space

Name is from F-Secure. See my “The Approaching Apple OSX86 Security Nightmare” for my prior thoughts. If any reader has an archived copy, I’d like one so I can do some analysis.

First thought: It’s not attacking that nice, secure, BSD Unix base, but the Apple-designed parallel bits that help make the Mac so beautiful, usable, and extensible.

[Update: Second thought: there’s a lot of Mac-specific code here. It’s not simply a port of a UNIX trojan.]
[2nd Update: The wording above implies a contrast between secure and usable; I meant only to acknowledge Apple’s longstanding focus on making a polished product.]