Sep 16

I just received a notice from Cert about an advisory for an Apple Mac OS X vulnerability.  You know that software and computer that doesn’t need anti-virus because it’s so secure? Yeah! Those guys! (And yes, I’m in one of my smart a** moods today!)

The systems affected are:

  • Apple Mac OS X versions prior to and including 10.4.11 (Tiger) and 10.5.4 (Leopard)
  • Apple Mac OS X Server versions prior to and including 10.4.11 (Tiger) and 10.5.4 (Leopard)

Apple has released a security update for those computers that are so secure and never have any issues with security here: http://support.apple.com/kb/HT3137

But I’m sure the majority of Mac users won’t need this because after all, they are already secure.

The security update fixes several vulnerabilities that Mac users don’t really have.  The Cert Advisory claims that:

Attackers could exploit these vulnerabilities to execute arbitrary code, gain access to sensitive information, or cause a denial of service.

Among the list of fixes listed at Apple, we see the following vulnerabilities being fixed:

  • Viewing a document containing a maliciously crafted font may lead to arbitrary code execution.
  • Multiple vulnerabilities exist in ClamAV 0.92.1, the most serious of which may lead to arbitrary code execution.
  • A person with access to the login screen may be able to list user names
  • A local user may obtain the server password if an OpenLDAP system administrator runs slapconfig.
  • An attacker with access to the local network may cause a denial of service.
  • Viewing a maliciously crafted TIFF, PICT, or JPEG image may lead to an unexpected application termination or arbitrary code execution. (Is unexpected application termination another name for a crash? No, it can’t be! Everyone knows Macs don’t crash!)
  • Files may be accessed by a local user who does not have the proper permissions.
  • A weakness in the DNS protocol may allow remote attackers to perform DNS cache poisoning attacks.
  • A user may log in without providing a password.
  • A person with access to the login screen may be able to change a user’s password.
  • mDNSResponder is susceptible to DNS cache poisoning and may return forged information.
  • Multiple vulnerabilities exist in OpenSSH versions provided with Mac OS X v10.4.11 and Mac OS X v10.5.4, the most serious of which allows a local user to control another user’s X11 session.
  • A local user may obtain the PPP password.
  • Users may be misled into believing their passwords are stronger than they are.
  • Authenticated users may have unexpected remote access to files and directories.
  • Backing up a system with Time Machine may lead to the disclosure of sensitive information.
  • Videoconferencing with a malicious user may lead to an unexpected application termination or arbitrary code execution.
  • A remote attacker may cause persistent JavaScript injection on a Wiki server.

Welcome to the REAL world, Mac users! The real world that PC users are familiar with, where nothing is taken for granted in terms of security.

You know what? You folks are looking more and more like a PC in terms of security! I’m sure glad I didn’t spend big money on your really secure machine that doesn’t need Antivirus because it’s SO secure! DANG! That would’ve really ticked me off!

And for those of you who are wondering why I’m being such a smart a**, you have no idea how many times I’ve been told in our courses that Apple Mac users don’t need to know about security because their machine is so secure it doesn’t even need Antivirus. And if I had a dollar for every Mac user in my security courses that have told me that the sales staff at the Mac store have told them this is so, I wouldn’t be looking at employment options right now!

In fact, if all PC and Mac users would realize that security is THEIR responsibility, I’d sell out every one of the courses we’ve offered during our Anniversary special! Am I in a bad mood? Yes I am. And the reason? Because I’m sick and tired of people telling me that nothing is ever going to happen to them until it does. And then they come crying to me to fix their computer after the hack or malware attack, or the identity breach!

In fact, just this week, I had two family members inform me their identity has been breached! Which p*sses me off even more! This is what I teach! But not even my own family thinks it will happen to them after they hear me talk about it! But that’s a conversation for tomorrow’s blog entry.

Go update your MAC!



written by Admin

Aug 03

On June 9, I posted the first article that seemingly went unnoticed called: Apple Mac Arrogance or Pure Stupidity?

However, on June 25, a reader Matthew left the following comment:

This sounds like the typical advice of a ’security expert’ (read - antivirus software consultant). Can you tell me what the actual incidence (percentage) of Mac OS X users who, despite keeping their system fully updated, have been hit with a virus?

Well, I answered Matthew with a link to a site where he could check out the stats himself and closed with the comment, “How many viruses or vulnerabilities does it take to bring down a Mac? Only one.”

As fate would have it, evidence has been called to my attention that supports what I said back on June 9th. The funny thing is, it was written on March 28th by Gunter Ollmann on IBM’s Frequency X Blog. (Our marketing director found it while getting some statistics for our anniversary project.)

Gunter is reporting on the BlackHat Amsterdam conference that was going on at the time, and rather than summarize what he says, I’ll just quote him directly because he put it so eloquently!

“In essence, with their “0-day Patch” metrics, they managed to show just how far Apple is trailing Microsoft in security patch responsiveness – in fact, after inspecting their graphs, Apple appears to be trending entirely in the wrong direction; more vulnerabilities, longer patching times, more 0-days, etc. – not the sort of thing we expect from a well known software vendor.

While I think that there are quite a few reasons why this is probably so, I’d be inclined to say that Apple’s biggest problem appears to be that they treat every new vulnerability as a potential PR disaster rather than an opportunity to visibly reinforce their work in securing their customers. In recent times this has most critically been reflected in the way Apple works with security researchers (e.g. I’m yet to find a single security researcher that has had any positive things to say about their dealings with Apple’s security team).” (Source: http://blogs.iss.net/archive/AppleCrumble.html)

Gunter also includes, earlier in the post, a link to the full report given that day by Stefan Frei and Bernard Tellenback titled “0-day Patch – Exposing Vendors (In)Security Performance”, which turns out to be a BIG eye opener!

So for all the arrogant Mac users, and those who might just be oblivious to all this, I suggest you take a time out during your next “forced reset” (or in Windows terms, Crash) and give that a read!

And so I add to my previous comment to Matthew, “How many vulnerabilities does it take to bring down a Mac? Just one. And it looks like the ones are adding up!”

I rest my case.

Debbie Mahler,
Antivirus Software Consultant and Security Professional

PS A thank you to Gunter Ollmann, Stefan Frei and Bernard Tellenback for their information!

And a special PS to Matthew: Your statement in your comment that read, ‘This sounds like the typical advice of a ’security expert’ (read - antivirus software consultant).’ is slightly in error. Despite the garbage you find out on the web from affiliate marketers posing as “wanna be” security professionals on blogs trying to hawk their wares to the unsuspecting public, I really am a Security Professional. We are not affiliates with Trend Micro nor Symantec, we are Partners. A fact I guess I need to be more vocal about in the future. So thank you for pointing out where my marketing weaknesses are! You’re an angel!



written by Admin

Jun 09

Over the past several months, I’ve heard from students and clients about how the Apple/Mac store personnel tell them how secure Macs are compared to PCs. So secure, says one of my PC Security students, that she boasts of not using any antivirus software or security tools!

I received one of my many security update summaries for last week and something interesting caught my eye that made me think back to this student. The summary listed 7, yes 7, vulnerabilities in Apple/Mac software.

Of course I reported on the issue with safari here: http://mice.org/blog/microsoft-advisory-blended-threat-windows-and-safari/

But there were six others disclosed just last week that included not only Mac OS X Server but the OS X operating system as well.

These are also beginning to sound a lot like Microsoft flaws!

Here they are:

Unspecified vulnerability in AppKit in Apple Mac OS X before 10.5 allows user-assisted remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted document file, as demonstrated by opening the document with TextEdit. (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1028)

Integer overflow in the CFDataReplaceBytes function in the CFData API in CoreFoundation in Apple Mac OS X before 10.5.3 allows context-dependent attackers to execute arbitrary code or cause a denial of service (crash) via an invalid length argument, which triggers a heap-based buffer overflow. (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1030)

Integer overflow in ImageIO in Apple Mac OS X before 10.5.3 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted JPEG2000 image that triggers a heap-based buffer overflow. (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1574)

Unspecified vulnerability in the Apple Type Services (ATS) server in Apple Mac OS X 10.5 before 10.5.3 allows user-assisted remote attackers to execute arbitrary code via a crafted embedded font in a PDF document, related to memory corruption that occurs during printing. (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1575)

Mail in Apple Mac OS X before 10.5, when an IPv6 SMTP server is used, does not properly initialize memory, which might allow remote attackers to execute arbitrary code or cause a denial of service (application crash), or obtain sensitive information (memory contents) in opportunistic circumstances, by sending an e-mail message. (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1576)

Unspecified vulnerability in the Pixlet codec in Apple Pixlet Video in Apple Mac OS X before 10.5.3 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted movie file, related to “multiple memory corruption issues.” (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1577)
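Two of the flaws above (CVE-2008-1030 in CFDataReplaceBytes and CVE-2008-1574 in ImageIO) share one mechanism: an integer overflow in a length calculation turns into a heap-based buffer overflow. The example below is added here to show that mechanism from the defender's side; it is not Apple's CoreFoundation code and has nothing to do with the real CFDataReplaceBytes internals. The bytebuf type, naive_range_ok, safe_range_ok, bytebuf_replace and demo_result are all hypothetical names, and the "hello world" buffer is constructed sample input. It contrasts a naive bounds check, which a huge length argument wraps past, with an overflow-safe check that rejects the same argument before any memory is touched.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example: a tiny byte-buffer "replace" operation showing how a
 * length argument that overflows size_t arithmetic slips past a naive bounds
 * check, and how an overflow-safe check rejects it. Not CoreFoundation code;
 * the bytebuf type and every function here are hypothetical. */

typedef struct {
    uint8_t *data;   /* backing storage */
    size_t   len;    /* bytes in use */
    size_t   cap;    /* bytes available */
} bytebuf;

/* Naive check: offset + length is computed first, so a huge length wraps
 * around to a small value and the check passes when it should fail. */
bool naive_range_ok(size_t buf_len, size_t offset, size_t length)
{
    return offset + length <= buf_len;
}

/* Overflow-safe check: subtract instead of add, so nothing can wrap. */
bool safe_range_ok(size_t buf_len, size_t offset, size_t length)
{
    if (offset > buf_len)
        return false;
    return length <= buf_len - offset;
}

/* Replace old_len bytes at offset with new_len bytes from new_bytes.
 * Returns 0 on success, -1 if any range or size computation would overflow
 * or exceed the buffer. Every addition is checked before it is performed,
 * so the memmove/memcpy lengths are always in bounds. */
int bytebuf_replace(bytebuf *b, size_t offset, size_t old_len,
                    const uint8_t *new_bytes, size_t new_len)
{
    if (!safe_range_ok(b->len, offset, old_len))
        return -1;
    size_t tail = b->len - offset - old_len;      /* bytes after the old range */
    if (new_len > SIZE_MAX - offset)
        return -1;
    size_t head = offset + new_len;               /* where the tail will land */
    if (tail > SIZE_MAX - head)
        return -1;
    size_t total = head + tail;                   /* new logical length */
    if (total > b->cap)
        return -1;
    memmove(b->data + head, b->data + offset + old_len, tail);
    memcpy(b->data + offset, new_bytes, new_len);
    b->len = total;
    return 0;
}

/* Runs a fixed sequence of replacements on a constructed buffer and returns
 * 0 if every step behaved as expected, otherwise the number of the failing step. */
int demo_result(void)
{
    uint8_t storage[32] = "hello world";           /* constructed sample input */
    bytebuf b = { storage, 11, sizeof storage };

    /* Step 1: ordinary in-bounds replacement, "world" -> "there". */
    if (bytebuf_replace(&b, 6, 5, (const uint8_t *)"there", 5) != 0) return 1;
    if (b.len != 11 || memcmp(b.data, "hello there", 11) != 0) return 2;

    /* Step 2: shrinking replacement, "hello" -> "hi". */
    if (bytebuf_replace(&b, 0, 5, (const uint8_t *)"hi", 2) != 0) return 3;
    if (b.len != 8 || memcmp(b.data, "hi there", 8) != 0) return 4;

    /* Step 3: a length that wraps the naive check must still be rejected. */
    if (naive_range_ok(b.len, 2, SIZE_MAX) != true) return 5;   /* naive check is fooled */
    if (bytebuf_replace(&b, 2, SIZE_MAX, (const uint8_t *)"x", 1) != -1) return 6;
    if (b.len != 8 || memcmp(b.data, "hi there", 8) != 0) return 7;  /* buffer untouched */

    /* Step 4: growth past capacity is rejected without writing. */
    uint8_t big[40];
    memset(big, 'A', sizeof big);
    if (bytebuf_replace(&b, 0, 0, big, sizeof big) != -1) return 8;
    return 0;
}

int main(void)
{
    int r = demo_result();
    printf("demo_result() = %d (0 means all checks held)\n", r);
    return r;
}
```

The point to take from step 3 is that the naive form `offset + length <= buf_len` is still a bounds check on paper; it only fails because the sum silently wraps. Writing the comparison as `length <= buf_len - offset` (after confirming `offset <= buf_len`) removes the wrap entirely, which is why the safe form rejects the same argument and leaves the buffer untouched.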

This page at Apple’s site: http://lists.apple.com/archives/security-announce/2008//May/msg00001.html also lists these items and a few more, but in all of their descriptions they call a crash an unexpected system shutdown. Ummmmm, Apple folks? Here’s a heads up for you - that’s called a CRASH!

The question remains: Are Apple Mac users that arrogant to believe they are immune to flaws purely by virtue that they are running a Mac? Or, are they purely THAT STUPID?

Linux users know better than to believe their OS is infallible! Windows users have learned from experience that they are not infallible — REPEATEDLY!

So Mac users, which is it? Arrogance or stupidity? Because it’s obvious you aren’t immune!

And to the young lady in my course that doesn’t use AV software on her MAC, I’d suggest you get one immediately!



written by Admin

© 2007-2008 MICE Training & Technology™.
