Some updates on Mac OS X Security.
OS X developers know that in Objective-C it is possible to change the mapping of any method at runtime (Objective-C categories / method swizzling). Combined with the fact that bundles in the InputManagers directory are loaded into every application, this gives a convenient way to modify user programs.
Braden Thomas published two proof-of-concept bundles that (mis)use this mechanism to attach themselves to every email sent through Apple Mail or to send themselves via iChat. I have not tried them yet, but both of these "features" of OS X / Objective-C are well known, so I expect them to work as stated. In my opinion Objective-C categories should be disabled somehow, as this feature is rarely used and, as Braden Thomas has shown, very dangerous.
The MacHackers (part of CCCBerlin) published a presentation about Mac OS X Kernel Insecurities. The presentation is about information leaks, buffer overflows and Darwin security. Very informative.
Furthermore, they published a German presentation about GPG on Mac OS X.
I will end this post with a personal discovery.
I installed VirtualPC 7 on my PowerBook and noticed a new security feature of 10.4 Tiger. VirtualPC installs a StartupItem in /Library/StartupItems (comparable to a shell script in /etc/rc.d/ for you Unix folks). On Panther, installer scripts often placed StartupItems with insecure permissions. Since these scripts are executed by root at system startup, this is very dangerous: a malicious local user could modify a script to bind a root shell to a port or create a SUID shell somewhere. Technically this is not Apple's fault, as the third-party installer should set the right permissions.
With 10.4 Tiger, Apple checks the StartupItems directory for insecure permissions. I found this out after rebooting my PowerBook following the VirtualPC installation:
Yes, good old Microsoft installs a StartupItem that is group writable. No further comment on this. But it is good to know that Apple is now checking for this kind of vulnerability.
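The same check can be done by hand on any system. The script below is an added example, not code from the original post or from Apple's startup check: it audits a StartupItems-style directory for entries that are group writable, world writable, or not owned by the expected user, and strips the stray write bits. The function names and the constructed sample directory are my own; on a real system the directory would be /Library/StartupItems.

```shell
#!/bin/sh
# Added example, not from the original post: audit a StartupItems-style
# directory for the insecure permissions that Tiger's startup check flags.
# Function names are my own; the real directory is /Library/StartupItems.

# List every entry under $1 that an unprivileged user could modify:
# group-writable, world-writable, or not owned by $2 (default root).
# Everything here runs as root at boot, so any such entry lets a local
# user run code as root at the next reboot.
audit_startup_items() {
    dir="$1"
    owner="${2:-root}"
    # "-perm -g+w" matches when the group-write bit is set; both BSD find
    # (Mac OS X) and GNU find understand this symbolic form.
    find "$dir" \( -perm -g+w -o -perm -o+w -o ! -user "$owner" \) -print
}

# Number of insecure entries under $1, as a plain integer.
count_insecure_items() {
    audit_startup_items "$1" "$2" | wc -l | tr -d ' '
}

# Strip group and world write bits from everything under $1.
# Ownership is left alone: chown needs root and is better reviewed by hand.
harden_startup_items() {
    find "$1" \( -perm -g+w -o -perm -o+w \) -exec chmod go-w {} +
}

# Constructed sample in a temp directory: one correctly installed item next
# to one whose script was left group writable (mode 775), as VirtualPC did.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/GoodItem" "$demo_dir/SloppyItem"
printf '#!/bin/sh\necho good\n' > "$demo_dir/GoodItem/GoodItem"
printf '#!/bin/sh\necho sloppy\n' > "$demo_dir/SloppyItem/SloppyItem"
chmod 755 "$demo_dir/GoodItem" "$demo_dir/GoodItem/GoodItem" "$demo_dir/SloppyItem"
chmod 775 "$demo_dir/SloppyItem/SloppyItem"

echo "Insecure entries before hardening:"
audit_startup_items "$demo_dir" "$(id -un)"   # lists SloppyItem/SloppyItem
harden_startup_items "$demo_dir"
echo "Insecure entries after hardening: $(count_insecure_items "$demo_dir" "$(id -un)")"
rm -rf "$demo_dir"
```

Run it as a normal user to see the report; to audit the real directory, call audit_startup_items /Library/StartupItems root and only run harden_startup_items as root once the listed entries have been reviewed.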
