Java 5 now default VM on OS X

Posted by Jonathan

With the newest Java update (Java 2 Standard Edition 5.0 Release 4) Java 5 is finally the default VM on the Mac:

After installing J2SE 5.0 Release 4, J2SE 5.0 becomes preferred over Java 1.4.2, which will still be installed on your Mac. Applications run with J2SE 5.0 unless they specifically request Java 1.4.2.

No need for hacks like this anymore.

iTunes 6.0 vulnerability

Posted by Jonathan

Airscanner released a security advisory about an iTunes 6.0 shared music Denial of Service/Spoofing/Flooding/Abuse vulnerability.

From the advisory:

Risk Level:
Low: Denial of service (Shared Music anonymous forced disconnect) and list abuse attacks are both merely annoying to iTunes users.
Medium: Shared Music lists from various users can be renamed and swapped, thus creating an environment in which you can’t be sure to whom you are connecting.

Summary:
iTunes is a popular service allowing you to play music, buy music, download music, share music, create playlists, etc.; it includes a video player and other features: http://www.itunes.com
The iTunes Shared Music feature allows users on a network to create playlists from songs on their computer and to share them on the network. When you create a new list and enable sharing, other iTunes users will see your lists under the Shared Music list, unless they change their preferences from the default settings. We discovered that it is possible to create spoofed Shared Music entries, to rename existing entries, to disconnect existing entries, and to re-initiate existing lists. We can also kill an existing stream without authorization via an anonymous packet.

Workaround:
Disable ‘Look for shared music’ option under the Sharing tab in Preferences.

There is also a Flash demo here.

With Apple becoming more and more popular, security researchers are more interested in OS X applications.

My iPod apparently died...

Posted by Jonathan

...and Apple’s software is not very helpful. If I try to restore it with the iPod Software Updater, I’m being told to restore it?

iPod Software Updater

This iPod is my first piece of Apple hardware that made it over one year without a repair. I already started to wonder if product quality is again on Apple’s agenda.

Details on the recent OS X vulnerabilities

Posted by Jonathan

Apple recently released security update 2005-007 that fixed many serious vulnerabilities.

Detailed information about some of the vulnerabilities has now been released on full-disclosure.

Suresec released a short paper that describes the buffer overflows in ping and traceroute and the tool dsidentity that allows any user to add or delete accounts.

Kevin Finisterre, who also reported the dsidentity issue to Apple, has some more information on this:

DMA[2005-0818a] – ‘Apple OSX dsidentity privilege abuse’
Author: Kevin Finisterre
Vendor: http://www.apple.com/bluetooth/
Product: ‘Mac OSX 10.4’
References:
http://www.digitalmunition.com/DMA[2005-0818a].txt
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2508
http://www.suresec.org/advisories/adv5.pdf

Description:
After roughly one hour of beating on the freshly released OSX 10.4 I found that /usr/sbin/dsidentity allows any user on the system to add accounts to Directory Services. Passwords can easily be set at the time of account creation, and the newly created account can be used to login to the OSX gui. Due to the lack of shell the account is limited in nature, however once you have logged into the gui accessing a shell is trivial.

To add an account simply use the following command line and then you can now login as RickJames with the password isapimp.

CrunkJuice:~ kevinfinisterre$ /usr/sbin/dsidentity -a RickJames -s isapimp -v

After logging in as RickJames open Safari and type file:///bin in the address bar. Double click on bash. Ignore the warning about not being authorized, and then click cancel when asked to close the application. Voila! Now you have a working bash shell as RickJames.

To remove an account from Directory Services use the following.
CrunkJuice:~ kevinfinisterre$ /usr/sbin/dsidentity -r CharlieMurphy -v

If you really want to piss off someone’s Directory Services try the following.
CrunkJuice:~ kevinfinisterre$ /usr/sbin/dsidentity -a `perl -e 'print "A" x 29000'`
(lather, rinse, repeat)

Work Around:
Install 2005-007 update or just rm -rf /usr/sbin/dsidentity
http://www.apple.com/support/downloads/

Sidenote:
Neil Archibald of Suresec LTD also reported this issue to Apple at the same time I did.

http://www.suresec.org/advisories/adv5.pdf outlines extra detail about this issue with regard to the use of getenv() calls.

Timeline associated with this bug:
05/25/2005 reported to Apple.
05/26/2005 followup to auto ticketing system #9116351
08/03/2005 AppleSeeds!
08/17/2005 Security Update 2005-007 v1.1

Further, there was an XSS vulnerability in the Mac OSX 10.4.0 Weblog Server.

A good comment on Apple’s patch policy can be found at the drunkenblog.

iTunes RSS enclosure surprise

Posted by Jonathan

When I downloaded the new episode of the DrunkAndRetired podcast in iTunes I discovered that iTunes can also download non-mp3/AAC RSS enclosures like PDFs.

iTunes RSS enclosure

When you double-click on the small book graphic Preview will open the attached PDF.

Seems nice at first but I do not know what the security implications are (just remember the recent vulnerabilities in Adobe Acrobat). What if you can also attach executable files to RSS feeds and iTunes will open them for you?

The thing is that you do not know what kind of file is behind this symbol. What if Word files are also included?

I have to test this feature with some other enclosures and find out what kind of nice surprises are hidden here…

Apple recommends Ruby on Rails

Posted by Jonathan

From http://developer.apple.com/internet/opensource/opensourcescripting.html

If you are considering using Ruby to write web-based applications, you won’t want to miss the Ruby on Rails project. Rails is an open source web programming framework that is rapidly gaining mindshare due to its simplicity and clean design.

A further step towards the mainstream.

Seen at mir.aculo.us.

Widgets Preference Pane for Mac OS X

Posted by Jonathan

There were some issues with Apple’s Dashboard like auto-installation and the absence of controls for deinstallation and management. EGO Systems, Inc. released a Widgets Preference Pane for Mac OS X. This Preference Pane enables you to see and deactivate all Widgets on the system as well as set ACL permissions on the Widget folders in order to prevent installation. You can also change the Dashboard self graphic and completely disable Dashboard.

You can download it here. The software is donationware and is provided without license or warranty of any kind.

Apple should have shipped something like this in Tiger.

UPDATE:
It seems like Build 8C40 (10.4.2) now includes a Widget Manager, according to thinksecret.com.

Safari Proxy Settings can act as Denial of Service

Posted by Jonathan

According to this mail on full-disclosure, Safari’s behavior can be seen as a Denial of Service attack on your proxy server if you configure a proxy PAC file in Tiger’s System Preferences.

Safari tries to fetch the PAC file many times for each page browsed. That can lead to a high load on your proxy, presumably leading to a crash if many browsers are configured to use the PAC file.

UPDATE:
See a follow-up mail on full-disclosure for more information.

Comment on Apple switching to Intel

Posted by Jonathan

You probably all know it, so I will not tell the story again: Apple switched to Intel CPUs.

At first I was shocked. The rumors were old and the same each year so I did not believe them. I did not like the idea of having the Intel CPUs in Mac because of the better design of the PowerPC CPU and because of fear of the transition (apart from favoring AMD and their Opteron over the Pentium 4).

After seeing the keynote and reading some early comments I began to accept it and to think of it as something good for the Mac community. The Intel Pentium M processor is a very fast and cool processor compared with the G5 or even the G4. Steve Jobs said that they looked at the “Performance per Watt” ratio of the PowerPC and the Pentium, and, missing a faster PowerBook myself, I could follow the rationale. As a UNIX OS compiled with GCC, with Darwin already working on x86, there is no problem in migrating OS X to x86. In fact OS X has booted on x86 since its beginning.

With Rosetta and the Transition Kit, getting most applications to work on both PowerPC and x86 within a year seems doable. So I began to develop a kind of pleasant anticipation and looked forward to faster and cheaper Macs.

Now, after reading some more comments and thinking more about the transition, I more and more dislike it.

With the transition, diversity is shrinking but diversity is a good thing for security. How many people do you know who can write PowerPC shellcode/assembly and how many do you know that write some for x86? Porting vulnerabilities is getting easier.

Mac OS X will get access to such wonderful things like Trusted Computing and DRM built into the CPU.

Porting is also not as easy as Apple told us. Objective-C will behave annoyingly differently on Intel than it did on PowerPC due to GCC/Pentium (division by zero and sending messages to nil).

Further, it will strengthen many open-source developers in their belief that the open-source world is Linux/x86. Already many wannabes write code that assumes x86 (and Linux). This will not ease the life of maintainers of “exotic platforms” like OpenBSD/Sparc or NetBSD/arm.

So I went from shock, to anticipation to displeasure. Always fun, the WWDC keynotes.

Mac OS X Security news

Posted by Jonathan

Some updates on Mac OS X Security.

OS X developers know that in Objective-C it is possible to dynamically change the mapping of any function at runtime (Objective-C Categories/MethodSwizzling). Together with the fact that bundles in the InputManagers directory will be loaded in every application you get a nice way to modify user programs.

Braden Thomas published two proof-of-concept bundles that (mis)use this mechanism to attach themselves to every email sent through Apple Mail or to send themselves via iChat. I have not tried it yet, but the two “features” of OS X / Objective-C are known, so I expect this to work as stated. In my opinion Objective-C Categories should be disabled somehow, as this feature is not commonly in use and is very dangerous, as shown by Braden Thomas.

The MacHackers (part of CCCBerlin) published a presentation about Mac OS X Kernel Insecurities. The presentation is about information leaks, buffer overflows and Darwin security. Very informative.

Further, they published a German presentation about GPG on Mac OS X.

I will end this post with a personal discovery.

I installed VirtualPC 7 on my PowerBook and saw a new security feature of 10.4 Tiger. VirtualPC installs a StartupItem in /Library/StartupItems (like a shell script in /etc/rc.d/, for you Unix folks). On Panther, installer scripts often placed StartupItems with insecure permissions. As these scripts are executed by root on system startup, this is very dangerous: a malicious user could modify a script to bind a root shell on a port or create a SUID shell somewhere. Technically this is not Apple’s fault, as the third-party installer should set the right permissions.

With 10.4 Tiger, Apple checks the StartupItems directory for insecure permissions. I found this out after rebooting my PowerBook following the VirtualPC installation:

StartupItems.gif

StartupItems_2.gif

Yes, good old Microsoft installs a StartupItem that is group writable. No further comment on this. But it is good to know that Apple is now checking for this kind of vulnerability.
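The check Tiger performs on StartupItems can be reproduced by an administrator before rebooting. The following script is an added example, not Apple’s own code: it walks a StartupItems-style directory and reports every entry that is group- or world-writable, a symlink, or not owned by the expected uid (root on a real /Library/StartupItems). The demo tree it builds is constructed sample data, with a group-writable “VirtualPC” item standing in for the one in the screenshots.

```python
import os
import shutil
import stat
import tempfile


def audit_startup_items(root, expected_uid=0):
    """Return (relative path, reason) pairs for every insecure entry under root.

    Mirrors the kind of check Tiger performs before running a StartupItem:
    anything group- or world-writable, a symlink, or an entry not owned by
    expected_uid (root on a real /Library/StartupItems) is reported.
    """
    paths = [root]
    for dirpath, dirnames, filenames in os.walk(root):
        paths.extend(os.path.join(dirpath, n) for n in dirnames + filenames)
    findings = []
    for path in paths:
        rel = os.path.relpath(path, root)
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            findings.append((rel, "symlink inside StartupItems"))
            continue
        if st.st_mode & stat.S_IWGRP:
            findings.append((rel, "group writable"))
        if st.st_mode & stat.S_IWOTH:
            findings.append((rel, "world writable"))
        if st.st_uid != expected_uid:
            findings.append((rel, "not owned by uid %d" % expected_uid))
    return findings


def build_demo_tree():
    """Create a throwaway StartupItems tree (constructed sample data)."""
    root = tempfile.mkdtemp(prefix="StartupItems-")
    layout = {
        "VirtualPC": 0o775,  # group-writable, like the item in the screenshots
        "GoodItem": 0o755,   # how a correctly installed item should look
    }
    for item, mode in layout.items():
        item_dir = os.path.join(root, item)
        os.mkdir(item_dir)
        script = os.path.join(item_dir, item)
        with open(script, "w") as fh:
            fh.write("#!/bin/sh\n# constructed startup script\n")
        # chmod explicitly so the process umask cannot mask the demo bits
        os.chmod(item_dir, mode)
        os.chmod(script, mode)
    return root


def demo():
    """Audit the constructed tree. Its files belong to the current user,
    so that uid (not root) is the expected owner here."""
    root = build_demo_tree()
    try:
        return sorted(audit_startup_items(root, expected_uid=os.getuid()))
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for rel, reason in demo():
        print("%s: %s" % (rel, reason))
```

On a real system run audit_startup_items("/Library/StartupItems") with the default expected_uid of 0.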

Dashboard and Security, part II

Posted by Jonathan

Somebody on Full-Disclosure posted that there is a new vulnerability with Dashboard. He describes a malicious Widget that waits until the user uses sudo and then the Widget uses sudo too to get superuser rights.

This is not a “first-class” vulnerability like a buffer overflow or format-string vulnerability. This could happen with any other application on any other Unix. Just remember that Widgets are (or can be) full-featured applications. They run as the local user and therefore have only that user’s rights. But like any other application they can use sudo and the password grace period configured in /etc/sudoers to obtain root privileges (see timestamp_timeout in the man page).

The only thing that Apple can be “accused” of is that they enabled the password grace option. Disable it if you are paranoid. Do not load and install every Widget on the net just like you do not load and run every application out there.

With 10.4.1 Apple repaired the auto-install feature of Widgets. Now malicious Widgets cannot get onto your computer without user interaction.

If the user behaves stupidly, it is not Apple’s fault. But they should remind the user of the possible evil of newly downloaded files, and they do so with 10.4.1.

OpenBSD 3.7 on a 17" PowerBook

Posted by Jonathan

After my successful installation on my WRAP I moved on to my PowerBook. Thanks to FileVault and HFS+ case-sensitive I had to reinstall OS X so I left some space for OpenBSD. Mac OS X is my primary workhorse for surfing, mailing and programming but I want to be able to develop and test OpenBSD ports locally.

In order to be able to dual-boot OpenBSD and Mac OS X you have to start with an OS X installation. After booting the Tiger DVD (or Panther CD), choose Disk Utility from the menu. Partition your hard drive so that the first partition is for OS X and leave some unpartitioned space for OpenBSD. I left 4.5GB. Having an OS X partition as the first one is important, as OpenBSD cannot boot alone on macppc. It needs a small HFS/HFS+ or MBR partition. More on this in the official README.

After finishing the normal OS X install, insert the second OpenBSD CD and reboot. Hold down the “c” key while the machine boots. After a quick glance at the OpenFirmware OpenBSD boots and you are confronted with the installer. If this does not happen, copy the files ofwboot and bsd.rd from the macppc directory of the second CD to the root directory on OS X. ofwboot is used to boot OpenBSD because OpenFirmware is not able to boot OpenBSD directly. You need ofwboot on the HFS volume root anyway. bsd.rd is the ramdisk kernel of OpenBSD used for installations. After copying these files boot into OpenFirmware by pressing the keys Option, Command, O, F while booting. In the OpenFirmware command prompt enter:

boot cd:,ofwboot 3.7/macppc/bsd.rd

in order to try to boot from the CD or

boot hd:,ofwboot bsd.rd

in order to boot from the hard disk.

Continue the normal installation routine until you have to partition the drive (remember, I want to dual-boot). So when asked if OpenBSD should use the whole hard drive, or wd0 in my case, enter no. When asked for the labeling enter HFS, as we want to be able to boot OS X.

You will get a command prompt from fdisk in order to create a partition. Enter “p” to print the current layout. You will see the MBR, an Apple partition and free space. This is different from Panther: Panther used some hidden partitions for drivers; these must now be incorporated into the Apple partition or be hidden in some other way. The columns length and base are important for us, so let’s see what they say. They describe on which block a partition begins and how large it is.

In order to create the OpenBSD partition enter “c”. You will be asked for the first sector. Enter the base number for the free space. Next enter the length column value for the length of the partition. When asked for a name for the partition just enter “OpenBSD” for example, this name does not matter.

When you have a look again at the partition table with “p” it should look exactly like before, only the free space should now be labeled “OpenBSD” or whatever name you chose. Enter “w” to write your changes and “q” to quit this menu and continue with the install.

The next program that will be launched is disklabel. Now we will be editing the real partitions as what we’ve edited before was known as slices in BSD land. You will see two partitions. Partition i is the HFS partition of OS X and c represents the whole disk. Now it’s time to be careful, because one can enter sectors from the OS X partition for our OpenBSD install and this will destroy OS X. Disklabel will report to you the free sectors but you can easily check it:

Free sectors = total sectors - length of OS X partition - OS X partition base

Now you can divide these free sectors between your partitions. The easiest setup for a second-boot machine that is used only for testing and developing is one root partition and swap, but any other scheme will do. Let’s say I want 256 MB of swap, or 524288 sectors (256 * 1024 * 1024 / 512). I have to subtract this number from my free space. What is left can be used for root.

Enter “a” to add a new partition. The offset of the root partition is the base from above, because the root partition is the first partition of the OpenBSD slice (called the OpenBSD partition in the beginning). The length is the calculated free sectors minus the swap sectors. Type is the default 4.2BSD and the mount point should be /. Next enter “a” again to add the swap partition. The installer will guess the values right because it knows how many sectors are left. The offset should be the offset of / plus its length, and the length of the swap partition should be 524288 sectors.

Press “w” and “q” to write the changes and exit. From now on it’s just a standard OpenBSD installation. Choose the sets and installation media, configure the network and reboot.
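The disklabel arithmetic above is easy to get wrong, and a wrong offset overwrites OS X. The following script is an added example, not part of the post or of the OpenBSD installer: it turns the fdisk numbers (total sectors, OS X base and length) into the offset/length pairs to type at disklabel’s “a” prompt, converts the swap size from MB to 512-byte sectors as the post does, and refuses any layout that overlaps the OS X partition or runs off the disk. All sector values in the demo are constructed sample numbers.

```python
SECTOR_BYTES = 512


def mb_to_sectors(mb):
    """256 MB of swap -> 524288 sectors, as calculated in the post."""
    return mb * 1024 * 1024 // SECTOR_BYTES


def free_sectors(total_sectors, osx_base, osx_length):
    """Free sectors = total sectors - length of OS X partition - OS X partition base."""
    return total_sectors - osx_length - osx_base


def check_no_overlap(plan, osx_base, osx_length, total_sectors):
    """Raise if a planned partition touches OS X sectors or runs past the disk end."""
    osx_end = osx_base + osx_length
    for name, (offset, length) in plan.items():
        if offset < osx_end:
            raise ValueError("%s overlaps the OS X partition" % name)
        if offset + length > total_sectors:
            raise ValueError("%s runs past the end of the disk" % name)


def plan_openbsd_slice(total_sectors, osx_base, osx_length, swap_mb):
    """Return {'root': (offset, length), 'swap': (offset, length)} in sectors.

    root starts at the first free sector (the base fdisk shows for the free
    space, i.e. OS X base + length), swap follows root, and together they
    use exactly the free space.
    """
    free = free_sectors(total_sectors, osx_base, osx_length)
    swap = mb_to_sectors(swap_mb)
    if swap >= free:
        raise ValueError("swap leaves no room for the root partition")
    root_offset = osx_base + osx_length
    root_length = free - swap
    plan = {
        "root": (root_offset, root_length),
        "swap": (root_offset + root_length, swap),
    }
    check_no_overlap(plan, osx_base, osx_length, total_sectors)
    return plan


def demo():
    """Constructed sample disk: ~40 GB, OS X first, ~4.5 GB left free."""
    total, osx_base, osx_length = 78140160, 64, 68704256
    return plan_openbsd_slice(total, osx_base, osx_length, swap_mb=256)


if __name__ == "__main__":
    for name, (offset, length) in demo().items():
        print("%s: offset %d length %d" % (name, offset, length))
```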

Remember that you need the ofwboot file on the OS X volume or OpenBSD will not boot. A normal boot sequence will boot OS X. If you want to boot OpenBSD hold down Option, Command, O, F during the boot and enter

boot hd:,ofwboot bsd

in OpenFirmware. Sometimes you need to enter /bsd instead of bsd. In the official install instructions you will find information how to setup OpenBSD as the default OS so that OpenFirmware normally boots OpenBSD instead of OS X. A detailed howto of an OpenBSD installation on an iBook can be found at bsdcow.net.

UPDATE:
See this post for a simple bootmanager for the Mac.

Apple FileVault Annoyances

Posted by Jonathan

While upgrading to Tiger I made a backup of all my stuff just by copying my FileVault image over to my FreeBSD server. I then used the Tiger DVD to erase my hard drive, partition it and install Tiger. I was pleased to discover that the Tiger Disk Utility program supported a case-sensitive filesystem. Unix folks, please stop laughing! This was needed in order to use DarwinPorts or Gentoo Mac OS X correctly on the Mac. So I deliberately chose this new format, ignoring my fear that this decision was a mistake.

I now know that this was a mistake. Until today I had no problems with this feature. No Cocoa or Unix program complained or mysteriously crashed like with Panther and an UFS filesystem. But today I wanted to re-enable FileVault on my PowerBook and I just got this message:

filevault.gif

So you cannot use FileVault on case-sensitive filesystems. I hope that Apple will change this soon. I now have to decide if I should install again…

Quartz Composer / QuickTime 7 leaks information

Posted by Jonathan

Apple’s brand new QuickTime 7 and the underlying Quartz Composer leak personal information if you view a manipulated .mov film. Information leakage might not be the worst security vulnerability, but the leaked information like local usernames, IP address, volume names or OS version can then be used to further exploit the target machine.

Details can be found here along with a demo of the vulnerability.

Apple's Dashboard and Security

Posted by Jonathan

It was only a matter of time until somebody found out how to misuse Dashboard Widgets.

If you download a Widget with Safari, Safari will install it automatically for you if you do not disable the “Open safe files after downloading” option. Safari will install it into ~/Library/Widgets.

Actually Widgets can get really nasty, as there is no way to deinstall them other than deleting the Widget in ~/Library/Widgets. There is no way to do this from within Dashboard. You can do some bad things with Widgets, and one guy made a proof-of-concept. Imagine porn Widgets that automatically load sites and log your password…

DO NOT CLICK ON THIS PAGE unless you have disabled the “Open safe files” feature or you do not use Safari. This page will autoinstall a Widget that can only be removed by deleting it and rebooting.

Hopefully Apple will react and change the recent MS-like behaviour of “default-install-without-asking”.

Discussion and more on Slashdot