Java 5 now default VM on OS X

Posted by Jonathan

With the newest Java update (Java 2 Standard Edition 5.0 Release 4) Java 5 is finally the default VM on the Mac:

After installing J2SE 5.0 Release 4, J2SE 5.0 becomes preferred over Java 1.4.2, which will still be installed on your Mac. Applications run with J2SE 5.0 unless they specifically request Java 1.4.2.

No need for hacks like this anymore.

Java 5 on Mac OS X Tiger

Posted by Jonathan

As I always forget how to enable Java 5 as the default VM/JDK on OS X, I thought I should document it here.

First you need Java 5. Apple does not ship it with Tiger; you need to download it from connect.apple.com after a free registration. After you install it, the Java 5 JDK is available but is not configured as the default VM.

To achieve this, open the Java Preferences application in /Applications/Utilities/Java/J2SE\ 5.0/. There you can set the VM version for applets in the browser and for other Java programs.

But the default JDK on the command line is still Java 1.4.2. If you also want Java 5 as your default command line Java JDK, you need this trick. In /System/Library/Frameworks/JavaVM.framework/Versions there is a symlink called CurrentJDK that controls which JDK is used.

# cd /System/Library/Frameworks/JavaVM.framework/Versions
# sudo rm CurrentJDK
# sudo ln -s 1.5 CurrentJDK

Now if you test it on the command line you get Java 5:

# java -version
java version "1.5.0_05"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_05-81)
Java HotSpot(TM) Client VM (build 1.5.0_05-48, mixed mode, sharing)
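As an added example (my own script, not Apple's tooling and not from the original post), here is the same CurrentJDK switch wrapped in two shell functions that refuse to touch the link unless the requested version directory actually exists, and that report what was replaced so you can switch back. The Versions directory is a parameter so the functions can be exercised on a scratch copy; on a real Tiger system it is /System/Library/Frameworks/JavaVM.framework/Versions and the change needs sudo.

```shell
#!/bin/sh
# set_current_jdk.sh - switch the CurrentJDK symlink the way the post does, but
# only to a version directory that actually exists. Added example, not Apple's
# tooling. The first argument is the JavaVM.framework Versions directory (a
# parameter so the functions can be tried on a scratch copy without sudo).

# Print the version CurrentJDK currently points at; prints nothing and returns 1
# if there is no such link.
current_jdk() {
    versions=$1
    [ -L "$versions/CurrentJDK" ] && readlink "$versions/CurrentJDK"
}

# Point $1/CurrentJDK at the version named by $2 (e.g. 1.5). Refuses, leaving
# the existing link untouched, when $1/$2 is not a directory, so a typo cannot
# leave the framework without a usable JDK. Prints "old -> new" on success.
set_current_jdk() {
    versions=$1
    target=$2
    if [ ! -d "$versions/$target" ]; then
        echo "set_current_jdk: no JDK directory $versions/$target" >&2
        return 1
    fi
    old=$(current_jdk "$versions" || true)
    # -f replaces the existing link; -n keeps ln from descending into the
    # directory the old link points at (GNU and BSD/macOS ln both accept -n).
    ln -sfn "$target" "$versions/CurrentJDK" || return 1
    echo "CurrentJDK: ${old:-<none>} -> $target"
}

# Usage on a real system (needs sudo), then confirm with: java -version
#   sudo sh -c '. ./set_current_jdk.sh; \
#     set_current_jdk /System/Library/Frameworks/JavaVM.framework/Versions 1.5'
```

The script only defines functions, so it can be sourced into a root shell as in the usage comment; the sanity check on the target directory is the one thing the post's rm/ln pair lacks.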

Details on the recent OS X vulnerabilities

Posted by Jonathan

Apple recently released security update 2005-007 that fixed many serious vulnerabilities.

Detailed information about some of the vulnerabilities has now been released on full-disclosure.

Suresec released a short paper that describes the buffer overflows in ping and traceroute and the dsidentity tool, which allows any user to add or delete accounts.

Kevin Finisterre, who also reported the dsidentity issue to Apple, has some more information on this:

DMA[2005-0818a] – ‘Apple OSX dsidentity privilege abuse’
Author: Kevin Finisterre
Vendor: http://www.apple.com/bluetooth/
Product: ‘Mac OSX 10.4’
References:
http://www.digitalmunition.com/DMA[2005-0818a].txt
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2508
http://www.suresec.org/advisories/adv5.pdf

Description:
After roughly one hour of beating on the freshly released OSX 10.4 I found that /usr/sbin/dsidentity allows any user on the system to add accounts to Directory Services. Passwords can easily be set at the time of account creation, and the newly created account can be used to login to the OSX gui. Due to the lack of shell the account is limited in nature, however once you have logged into the gui accessing a shell is trivial.

To add an account simply use the following command line and then you can now login as RickJames with the password isapimp.

CrunkJuice:~ kevinfinisterre$ /usr/sbin/dsidentity -a RickJames -s isapimp -v

After logging in as RickJames open Safari and type file:///bin in the address bar. Double click on bash. Ignore the warning about not being authorized, and then click cancel when asked to close the application. Voila! Now you have a working bash shell as RickJames.

To remove an account from Directory Services use the following.
CrunkJuice:~ kevinfinisterre$ /usr/sbin/dsidentity -r CharlieMurphy -v

If you really want to piss off someone’s Directory Services try the following.
CrunkJuice:~ kevinfinisterre$ /usr/sbin/dsidentity -a `perl -e ‘print “A” x 29000’`
(lather, rinse, repeat)

Work Around:
Install 2005-007 update or just rm -rf /usr/sbin/dsidentity
http://www.apple.com/support/downloads/

Sidenote:
Neil Archibald of Suresec LTD also reported this issue to apple at the same time I did.

http://www.suresec.org/advisories/adv5.pdf outlines extra detail about this issue with
regard to the use of getenv() calls.

Timeline associated with this bug:
05/25/2005 reported to apple.
05/26/2005 followup to auto ticketing system #9116351
08/03/2005 AppleSeeds!
08/17/2005 Security Update 2005-007 v1.1

Further, there was an XSS vulnerability in the Mac OS X 10.4.0 Weblog Server.

A good comment on Apple’s patch policy can be found at the drunkenblog.

Widget Manager in OS X 10.4.2

Posted by Jonathan

Apple just released OS X 10.4.2 that includes a Widget Manager. There has been some criticism because there was no way to deactivate or deinstall a widget from the Dashboard or another GUI tool. Apple now introduces the Widget Manager to address these issues.

The Widget Manager is a Widget itself. You can use it like any other Widget by clicking on it or dragging it to the Dashboard. Further, there is now a new button beside the "+" button for the Widget Board.

[Screenshot: Widget Manager]

The Widget Manager will list every installed Widget (system Widgets and user-installed ones in ~/Library/Widgets) and will show you whether it is an Apple-shipped one or not. 3rd party Widgets are marked with a red sign. Further, you can deactivate each Widget.

[Screenshot: Widget Manager]

3rd party Widgets can be deinstalled by clicking on the red graphic:

[Screenshot: Widget Manager]

UPDATE:
If you double-click on a newly downloaded Widget, you are asked if you want to install it:

[Screenshot: Widget Manager]

When the Widget starts you are asked if you want to keep or delete it.

[Screenshot: Widget Manager]

Widgets Preference Pane for Mac OS X

Posted by Jonathan

There were some issues with Apple’s Dashboard like auto-installation and the absence of controls for deinstallation and management. EGO Systems, Inc released a Widgets Preference Pane for Mac OS X. This Preference Pane enables you to see and deactivate all Widgets on the system as well as set ACL permissions on the Widget folders in order to prevent installation. You can also change the Dashboard self graphic and completely disable Dashboard.

You can download it here. The software is donationware and is provided without license or warranty of any kind.

Apple should have shipped something like this in Tiger.

UPDATE:
It seems that Build 8C40 (10.4.2) now includes a Widget Manager, according to thinksecret.com.

Safari Proxy Settings can act as Denial of Service

Posted by Jonathan

According to this mail on full-disclosure, Safari’s behavior can be seen as a Denial of Service attack on your proxy server if you configure a proxy PAC file in Tiger’s System Preferences.

Safari tries to fetch the PAC file many times for each page browsed. That can lead to a high load on your proxy, presumably leading to a crash if many browsers are configured to use the PAC file.

UPDATE:
See a follow-up mail on full-disclosure for more information.

Comment on Apple switching to Intel

Posted by Jonathan

You probably all know it, so I will not tell the story again: Apple switched to Intel CPUs.

At first I was shocked. The rumors were old and the same each year, so I did not believe them. I did not like the idea of having Intel CPUs in Macs because of the better design of the PowerPC CPU and because of fear of the transition (apart from favoring AMD and their Opteron over the Pentium 4).

After seeing the keynote and reading some early comments I began to accept it and think of it as something good for the Mac community. The Intel Pentium M is a very fast and cool processor compared with the G5 or even the G4. Steve Jobs said that they looked at the “Performance per Watt” ratio of the PowerPC and the Pentium, and, missing a faster PowerBook myself, I could follow the rationale. As a UNIX OS compiled with GCC, with Darwin already running on x86, there is no problem migrating OS X to x86. In fact, OS X has booted on x86 since its beginning.

With Rosetta and the Transition Kit, getting most applications to work on both PowerPC and x86 within a year seems doable. So I began to develop a kind of pleasant anticipation and looked forward to faster and cheaper Macs.

Now, after reading some more comments and thinking more about the transition, I more and more dislike it.

With the transition, diversity is shrinking but diversity is a good thing for security. How many people do you know who can write PowerPC shellcode/assembly and how many do you know that write some for x86? Porting vulnerabilities is getting easier.

Mac OS X will get access to such wonderful things like Trusted Computing and DRM built into the CPU.

Porting is also not as easy as Apple told us. Objective-C will behave annoyingly differently on Intel than it did on PowerPC due to GCC/Pentium (division by zero and sending messages to nil).

Further, it will strengthen many open source developers in their belief that the open source world is Linux/x86. Already many wannabes write code that assumes x86 (and Linux). This will not ease the life of maintainers of “exotic platforms” like OpenBSD/Sparc or NetBSD/arm.

So I went from shock to anticipation to displeasure. Always fun, the WWDC keynotes.

Mac OS X Security news

Posted by Jonathan

Some updates on Mac OS X Security.

OS X developers know that in Objective-C it is possible to dynamically change the implementation of any method at runtime (Objective-C categories / method swizzling). Together with the fact that bundles in the InputManagers directory are loaded into every application, you get a nice way to modify user programs.

Braden Thomas published two proof-of-concept bundles that (mis)use this mechanism to attach themselves to every email sent through Apple Mail or to send themselves over iChat. I have not tried them yet, but the two “features” of OS X / Objective-C are known, so I expect this to work as stated. In my opinion Objective-C categories should be disabled somehow, as this feature is commonly not in use and is very dangerous, as shown by Braden Thomas.

The MacHackers (part of CCCBerlin) published a presentation about Mac OS X kernel insecurities. The presentation is about information leaks, buffer overflows and Darwin security. Very informative.

Further, they published a German presentation about GPG on Mac OS X.

I will end this post with a personal discovery.

I installed VirtualPC 7 on my PowerBook and saw a new security feature of 10.4 Tiger. VirtualPC installs a StartupItem in /Library/StartupItems (like a shell script in /etc/rc.d/ for you Unix folks). On Panther, installer scripts often placed StartupItems with insecure permissions. As these scripts are executed by root on system startup this is very dangerous: a malicious local user could modify such a script to bind a root shell on a port or create a SUID shell somewhere. Technically this is not Apple’s fault, as the third-party installer should set the right permissions.

With 10.4 Tiger, Apple checks the StartupItems directory for insecure permissions. I found this out after rebooting my PowerBook after installing VirtualPC:

[Screenshot: StartupItems.gif]

[Screenshot: StartupItems_2.gif]

Yes, good old Microsoft installs a StartupItem that is group writable. No further comment on this. But good to know that Apple is now checking for this kind of vulnerabilities.
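As an added example (my own script, not the check Apple added in Tiger and not from the original post), here is a shell audit that flags the two properties that make a StartupItem dangerous: a file under the StartupItems directory that a non-root user could modify (group- or world-writable), or one not owned by root. The directory and the expected owner are parameters so it can be tried on a scratch directory; on a real system run it against /Library/StartupItems with owner root.

```shell
#!/bin/sh
# audit_startupitems.sh - flag StartupItems that root runs at boot but that a
# non-root user could alter. Added example: this is my own check, not the one
# Apple added in Tiger. The directory and the expected owner are parameters so
# it can be tried on a scratch directory; on a real system use
# /Library/StartupItems and root.

# Print every path under $1 that is group- or world-writable.
# Returns 0 when nothing is flagged, 1 otherwise.
find_writable_items() {
    dir=$1
    # -perm -020: group write bit set; -perm -002: other write bit set
    # (octal -perm works on both GNU and BSD/macOS find)
    found=$(find "$dir" \( -perm -020 -o -perm -002 \) -print)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Print every path under $1 not owned by $2 (default root).
# Returns 0 when nothing is flagged, 1 otherwise.
find_foreign_owned_items() {
    dir=$1
    owner=${2:-root}
    found=$(find "$dir" ! -user "$owner" -print)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Run both checks on $1 (default /Library/StartupItems) expecting owner $2
# (default root); print a verdict and return 0 only when both checks pass.
audit_startupitems() {
    dir=${1:-/Library/StartupItems}
    owner=${2:-root}
    [ -d "$dir" ] || { echo "audit_startupitems: no such directory: $dir" >&2; return 1; }
    status=0
    echo "Auditing $dir (expected owner: $owner)"
    find_writable_items "$dir" || { echo "  ^ group- or world-writable"; status=1; }
    find_foreign_owned_items "$dir" "$owner" || { echo "  ^ not owned by $owner"; status=1; }
    [ "$status" -eq 0 ] && echo "  OK: no insecure StartupItems found"
    return "$status"
}

# Usage on a Tiger or Panther system:
#   . ./audit_startupitems.sh; audit_startupitems /Library/StartupItems root
```

The group-writable VirtualPC item described above would show up under the first check; the ownership check catches the other common installer mistake, an item left owned by the user who ran the installer.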

Dashboard and Security, part II

Posted by Jonathan

Somebody on Full-Disclosure posted that there is a new vulnerability with Dashboard. He describes a malicious Widget that waits until the user uses sudo and then uses sudo itself to get superuser rights.

This is not a “first-class” vulnerability like a buffer overflow or format-string vulnerability. This could happen with any other application on any other Unix. Just remember that Widgets are (or can be) full-featured applications. They run as the local user and therefore have only his rights. But like any other application they can use sudo and the password grace period configured in /etc/sudoers to obtain root privileges (see timestamp_timeout in the sudoers man page).

The only thing that Apple can be “accused” of is that they enabled the password grace option. Disable it if you are paranoid. Do not load and install every Widget on the net, just like you do not load and run every application out there.

With 10.4.1 Apple repaired the auto-install feature of Widgets. Now malicious Widgets cannot get onto your computer without user interaction.

If the user behaves stupidly, it is not Apple’s fault. But they should remind the user of the possible evil of newly downloaded files, and they do so with 10.4.1.
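To make the grace period concrete, here is an added example (my own, not from the original post) that reads the effective timestamp_timeout out of a sudoers file, so you can tell whether the password grace period is on, and that writes the hardened Defaults line. The sudoers lines in the usage comment are constructed samples, not the OS X 10.4 defaults, and the file path is a parameter so nothing here needs to touch /etc/sudoers.

```shell
#!/bin/sh
# sudo_grace.sh - report the sudo password grace period configured in a sudoers
# file, and write the hardened setting. Added example, not from the original
# post; the sudoers lines in the usage comment are constructed samples, not the
# OS X 10.4 defaults. The file path is a parameter so the functions can be run
# against a copy instead of /etc/sudoers.

# Print the effective timestamp_timeout (minutes) for sudoers file $1.
# The last "Defaults ... timestamp_timeout=N" wins; sudo documents 5 as the
# default when none is set, 0 means "ask every time", and a negative value
# means the ticket never expires. Comments are stripped first.
# Simplification: per-user/host lines (Defaults:user, Defaults@host) are
# treated as global.
sudo_grace_minutes() {
    [ -r "$1" ] || { echo "sudo_grace_minutes: cannot read $1" >&2; return 1; }
    sed 's/#.*//' "$1" | awk '
        /^[ \t]*Defaults/ {
            if (match($0, /timestamp_timeout[ \t]*=[ \t]*-?[0-9]+/)) {
                s = substr($0, RSTART, RLENGTH)
                sub(/.*=[ \t]*/, "", s)
                v = s
            }
        }
        END { print (v == "" ? 5 : v) }'
}

# Returns 0 when the grace period is off (timestamp_timeout=0), 1 otherwise.
sudo_grace_is_disabled() {
    [ "$(sudo_grace_minutes "$1")" -eq 0 ]
}

# Write the hardened Defaults line to file $1. On a real system keep this out
# of /etc/sudoers until "visudo -c -f FILE" has accepted it, and install it
# with visudo rather than a plain copy, so a syntax slip cannot lock you out.
write_hardened_defaults() {
    printf 'Defaults timestamp_timeout=0   # prompt for the password every time\n' > "$1"
}

# Usage with a constructed weak sudoers file (no timeout set, so sudo's
# default 5-minute ticket applies) and its hardened counterpart:
#   printf 'root ALL=(ALL) ALL\n%%admin ALL=(ALL) ALL\n' > /tmp/sudoers.weak
#   sudo_grace_minutes /tmp/sudoers.weak      # 5
#   write_hardened_defaults /tmp/sudoers.hard
#   sudo_grace_minutes /tmp/sudoers.hard      # 0
```

With timestamp_timeout=0 the Widget described above would have no cached ticket to reuse; every sudo invocation, its included, would prompt for the password.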

Quartz Composer / QuickTime 7 leaks information

Posted by Jonathan

Apple’s brand new QuickTime 7 and the underlying Quartz Composer leak personal information if you view a manipulated .mov film. Information leakage might not be the worst security vulnerability, but the leaked information, like local usernames, IP address, volume names or OS version, can then be used to further exploit the target machine.

Details can be found here along with a demo of the vulnerability.

Apple's Dashboard and Security

Posted by Jonathan

It was only a matter of time until somebody found out how to misuse Dashboard Widgets.

If you download a Widget with Safari, Safari will install it automatically for you if you do not disable the “Open safe files after downloading” option. Safari will install it into ~/Library/Widgets.

Actually Widgets can get really nasty, as there is no way to deinstall them other than deleting the Widget in ~/Library/Widgets. There is no way to do this from within Dashboard. You can do some bad things with Widgets, and one guy made a proof-of-concept. Imagine porn Widgets that automatically load sites and log your password…

DO NOT CLICK ON THIS PAGE unless you have disabled the “Open safe files” feature or you do not use Safari. This page will autoinstall a Widget that can only be removed by deleting it and rebooting.

Hopefully Apple will react and change the recent MS-like behaviour of “default-install-without-asking”.

Discussion and more on Slashdot

Tiger and ruby-readline

Posted by Jonathan

There was lots of writing about Tiger and Ruby. Tiger ships Ruby 1.8, but without GNU readline support (e.g. for irb) and without support for C extensions. Readline was probably left out because of license issues; Tiger ships libedit instead.

Chad Fowler released a nice gem called fixrbconfig that fixes the C-extension issue, and Lucas Carlson has written a script that automatically downloads and uses fixrbconfig and fixes Ruby to use GNU readline. I do not want to repeat the instructions on how to use it.

What I want to say is what to do if you get this error when you execute the fix-ruby-tiger.sh script:

readline.c: In function ‘username_completion_proc_call’:
readline.c:673: error: ‘username_completion_function’ undeclared (first use in this function)
readline.c:673: warning: assignment makes pointer from integer without a cast
make: ** [readline.o] Error 1

do a "sudo rm -rf /usr/lib/libreadline" and re-execute the script. Then you should have Tiger with a Ruby version that is capable of installing C extensions and uses GNU readline.

Thanks to Lucas Carlson for helping me with this.