Archive for March, 2008

CanSecWest: pwn2own Wrap Up (Adobe Flash Causes Vista Laptop Pwnage)

March 29, 2008

Apple’s Leopard lasts ‘30 seconds’ in hack contest:

“It might have taken eight minutes to sit down and open the computer but, when the competition started, 30 seconds later, it was over,” said Miller…. Competitors in the hacking race were allowed to choose either a Sony laptop running Ubuntu 7.10, a Fujitsu laptop running Vista Ultimate SP1 or a MacBook Air running OS X 10.5.2.

“We could have chosen any of those three but had to make a judgement call on which would be the easiest and decided it would be Leopard,” Miller said.

Miller further elaborated, “I use a MacBook all the time and that’s what I used in the contest to attack the MacBook Air. I like Macs. That’s the reason I went for it; it’s in my best interest for them to be as secure as possible.”

Meanwhile, the Fujitsu with Vista (and Vista’s SP1) remained unscathed until late in the day yesterday when Adobe Flash was installed. Shane Macaulay, who with the collaboration of Dino Dai Zovi pwned the Mac in last year’s pwn2own, used a new Flash 0day exploit to claim the Fujitsu and $5000.

Readers of my blog know I’m a proponent of Flashblock and other extensions for Firefox (and Seamonkey) that help users whitelist trusted sites. Flash has proven susceptible to malevolence too many times to be allowed to run promiscuously, if at all. FWIW, I only use Flash temporarily — install it, use it, remove it; so I use it only as needed — for dealing with YouTube content.

Dissing Safari for Windows (And Rightly So)

March 28, 2008

A rocky Windows trek for Apple’s Safari browser

The first problem for Safari 3.1, Apple’s new Web browser for Windows, was how it arrived on people’s computers. Last week millions who were only marginally connected to Apple — because they’d downloaded iTunes — were prompted to “update” to Safari, even though they’d never expressed an interest in the thing.

The article goes on to compare it to “Microsoftian bundling” [sic], notes the problems (since “fixed”) with Apple’s EULA for this browser they’re sneaking onto people’s computers, and mentions the chronic issues with crashes and security advisories. The concluding sentence says it all: “But this was supposed to be the best browser in the world.”

Not if it comes from Apple.

pwn2own Confirmation: 0day in Safari

March 27, 2008

Windows users with iTunes beware! Apple has opted you in to install their vulnerable Safari browser on your computer with iTunes updates. You must click the Safari update box off before updating iTunes if you don’t want to install Safari.

PWN to OWN Day Two: First Winner Emerges!:

They were able to exploit a brand new 0day vulnerability in Apple’s Safari web browser. Coincidentally, Apple has just started to ship Safari to some Windows machines, with its iTunes update service. The vulnerability has been acquired by the Zero Day Initiative, and has been responsibly disclosed to Apple who is now working on the issue.

So if you update iTunes and install Safari, you’re getting this exploitable code on your computer.

I may have more information about the nature of the exploit tomorrow. :-)

EDIT/UPDATES:

  1. The exploit Charlie Miller used to win the coveted Macbook Err involved a telnet exploit via privilege escalation from a malformed/malicious link. Reportedly. We’ll find out when Apple gets around to fixing it. Which brings me to another point…
  2. Before anyone dismisses my objections to Apple’s requirement that users opt-out of installing Safari when updating iTunes, look at Secunia’s new advisory. Note that it’s highly critical. Safari is buggy and vulnerable in OSX. It’s even worse in Windows.

CanSecWest pwn2own: Mac Pwned within Two Minutes

March 27, 2008

Mac OS X first to fall:

In the first attempted attack in the PWN2OWN contest, a security analyst breached the defenses of Apple’s Mac OS X using a bug in the Safari browser and won $10,000 as well as the computer that he compromised.

Charlie Miller, principal analyst with Independent Security Evaluators and the researcher who found some significant flaws in Apple’s iPhone last summer, compromised the Apple MacBook Air in less than a minute. While he refrained from describing the flaw, SecurityFocus learned that the issue affected the Safari browser. Contest officials said that the MacBook Air was running the latest version of Mac OS X, version 10.5.2 or “Leopard.”

Told ya the Mac would get pwned first. That Fujitsu with Vista should be just as easy to pwn if it has Safari for Windows. Not because Windows sucks (sorry, haters, but Microsoft deserves big props for taking security seriously) but because Apple doesn’t, and Safari is not Microsoft code.

Shame on Apple, Steve Jobs is More Evil Than Bill Gates

March 26, 2008

Why did Apple try to push its browser onto Windows PCs? | Technology | The Guardian:

It turns out that not only would having iTunes (which demands QuickTime) lead to your being “offered” a new browser for your machine, but Safari would bring along with it another piece of Apple fun, called “Bonjour for Windows” - an Apple-developed method of auto-discovering services on the local network. (Adding iTunes also brings in its wake a slew of iPod services, even if you haven’t got an iPod.)

One of the charges leveled against John Lilly by the Mac fanbois is that he’s afraid of losing money to Apple. The Guardian has it right: turn it back around on Apple and their quest for money.

“But it’s still quite a leap from updating existing software to installing entirely new stuff.”

That’s the real issue here. People take Microsoft to task for their verification and update systems. Why are more people not calling Steve Jobs out for being the scumbag he is or ranting against Apple for installing new, entirely different software when users update one particular piece of software?

Mozilla CEO: Apple Safari Like Malware

March 26, 2008

Apple’s Safari browser likened to malware:

Mozilla chief executive John Lilly has lambasted Apple for its use of iTunes to offer the Safari web browser to Windows users, saying the technique “borders on malware distribution practices” and undermines the security of the Internet. “What Apple is doing now with their Apple Software Update on Windows is wrong,” Lilly wrote on his personal blog. “It undermines the trust relationship great companies have with their customers, and that’s bad - not just for Apple, but for the security of the whole web.”

The problem is Apple now includes Safari as a default download for Apple Software Update. ASU is a bloated piece of shit that runs 24/7 if you let it. You get it when you install QuickTime or iTunes on a Windows PC. When Apple releases these super-sized patch sets for their vulnerable software — and make no mistake, Apple’s code is third-rate and very insecure — it now includes updates for software many users either don’t have or don’t care to have.

Rather than installing iTunes when you get an iPod, consider any of the many alternatives. Many of them are either free or inexpensive, nearly all of them are much less resource-intensive and probably less buggy as a result. WinAmp can be used to sync/manage an iPod.

Edit: Lilly’s blog is here. He’s since defended himself against attacks by the Mac fanbois. The most salient points he made, though, were these:

Apple has made it incredibly easy — the default, even — for users to install ride along software that they didn’t ask for, and maybe didn’t want. This is wrong, and borders on malware distribution practices.

It’s wrong because it undermines the trust that we’re all trying to build with users. Because it means that an update isn’t just an update, but is maybe something more. Because it ultimately undermines the safety of users on the web by eroding that relationship. It’s a bad practice and should stop.

I don’t mind being presented opt-in choices. I resent having to opt out of things like this. As buggy as Safari for Windows has proven to be thus far, and given Apple’s subtleties when it comes to threat severities, they should be ashamed for making this kind of choice for users and potentially installing their browser on computers unless users actually select to do so, instead of making that choice for less attentive and less diligent users.

Apple Releases “Mother of All Security Updates”… AGAIN!

March 26, 2008

On the heels of a recent attempt to plug the leaky sieve known as OSX, Apple has released another update for almost 90 vulnerabilities. Half affect open source packages, the rest are native OSX bugs.

Apple issues mega-monster security update:

Apple Inc. Tuesday issued a record-breaking security update that patched nearly 90 vulnerabilities in both its own code and the third-party applications it bundles with its Tiger and Leopard operating systems….

Unlike other operating system vendors, Apple doesn’t rate the vulnerabilities it patches. A large number of the fixes Tuesday, however, were accompanied by Apple phrasing — “arbitrary code execution” — that signals the bug could be used by attackers to infect a Mac with malicious code. In others’ ranking systems, vulnerabilities like that are typically classified as “critical” threats.

OSX is a critical threat. If you own a Mac, install Linux or even Vista. It’s safer.

Mozilla Patches Part Two: Huh

March 26, 2008

Mozilla fixes 10 Firefox flaws, half seen as ‘critical’:

Mozilla also patched potential identity leaks, spoofing bugs and cross-site scripting vulnerabilities in 2.0.0.13. But the fix that caught Storms’ eye was detailed by 2008-18, a fix for LiveConnect, a feature that harks back to Firefox’s predecessor, Netscape Navigator. LiveConnect lets Java applets call a Web page’s embedded JavaScript, or JavaScript access the Java runtime libraries, and it is used by both Firefox and Apple Inc.’s Safari 3 browser.

“Sun has updated the Java Runtime Environment with a fix for this problem. Mozilla has also added a fix to LiveConnect to protect users who don’t have the latest version of Java,” Mozilla said in the advisory.

“Here we have Firefox putting out a mitigation step for a bug in Java,” said Storms. “It’s a welcome addition when one vendor can help out another.”

All 10 vulnerabilities were also patched by the SeaMonkey Project, a separate open-source initiative that develops a multifunction browser suite.

The Thunderbird e-mail client, meanwhile, is affected by the five critical flaws listed in 2008-14 and 2008-15. “Thunderbird shares the browser engine with Firefox and could be vulnerable if JavaScript were to be enabled in mail,” read the first of the two bulletins. “This is not the default setting, and we strongly discourage users from running JavaScript in mail.”

A release date for Thunderbird 2.0.0.13 to fix the flaws has not been set. According to David Ascher, the head of Mozilla Messaging, the e-mailer’s update will follow Firefox’s by “several weeks.” In a post to his blog last week, Ascher cited several reasons why a simultaneous release of Thunderbird and Firefox updates was impossible. “Some of those resource contentions are due to not enough automation for the Thunderbird release process, and some of it is the consequence of not enough people with the right training,” he said.

Ascher defended the lag by noting that while JavaScript is turned on by default in Firefox, it is not in Thunderbird. “We could delay releasing Firefox until Thunderbird was ready, in the interest of mitigating the risk of someone using knowledge from the Firefox release to try and attack Thunderbird users,” said Ascher. “But that would mean leaving over 150 million users vulnerable. So, applying the correct math, we release Firefox security updates as soon as possible, and Thunderbird security updates as soon as possible.”

Nice that the Firefox people can help cover Sun’s asses but not Thunderbird’s.

Firefox, Thunderbird, Seamonkey Critical Update Released

March 26, 2008

Firefox update fixes critical security vulnerabilities:

A security vulnerability allows attackers to fake a borderless popup from a background tab using crafted web pages and place it in front of the user’s active tab. This could be used to spoof form elements and phish for data such as login data. Attackers can also circumvent the method used by some websites to protect against cross-site request forgery (CSRF) if server-side protection is based solely on referrer checking, as it is possible to fake the HTTP referrer (MFSA-2008-16). The Mozilla browser may reveal personal data if a user possesses a personal certificate which the browser presents automatically during SSL client authentication. According to security advisory MFSA-2008-17, following the update the browser asks the user before presenting the client certificate when it is requested by a website.

Most of the security vulnerabilities also affect the Thunderbird mail client and the Seamonkey browser suite. The security advisories refer to Thunderbird version 2.0.0.13 and Seamonkey 1.1.9, in which these bugs should be fixed. These versions are not yet, however, being distributed automatically. Firefox users should install the update without delay, as the vulnerabilities can be exploited using crafted web pages to inject trojans.

I was surprised by this when I fired up Windows today and was informed 2.0.0.13 was ready to install. User beware…
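The referrer-only CSRF weakness described in the quoted advisory summary, as an added example that is not from the article, from Mozilla, or from this blog: a small Python sketch of a state-changing handler guarded only by the Referer header next to one guarded by a per-session token. The origin bank.example, the session layout, the form fields and the two request dictionaries are constructed for the demo; the point is that a forged Referer sails through the weak check while the token check still holds, because a cross-site page cannot read the victim’s session token.

```python
"""Added example (not from the article, Mozilla or the blog author):
referrer-only CSRF protection beside a per-session token check.
Every origin, session value and request below is constructed."""
import hmac
import secrets

TRUSTED_ORIGIN = "https://bank.example"  # hypothetical site being protected


def referrer_only_check(headers: dict) -> bool:
    """Weak defence: accept the state-changing request if the Referer
    header claims it came from our own origin. The header is chosen by
    the client, so a browser bug (or a non-browser client) can forge it."""
    referer = headers.get("Referer", "")
    return referer == TRUSTED_ORIGIN or referer.startswith(TRUSTED_ORIGIN + "/")


def new_session() -> dict:
    """Server-side session holding an unguessable anti-CSRF token."""
    return {"csrf_token": secrets.token_hex(16)}


def render_transfer_form(session: dict) -> dict:
    """The legitimate page embeds the session's token in the form it serves.
    A page on another origin cannot read this value (same-origin policy)."""
    return {"csrf_token": session["csrf_token"], "to": "savings", "amount": "10"}


def token_check(session: dict, form: dict) -> bool:
    """Hardened defence: the submitted token must equal the session's token.
    compare_digest avoids leaking the token through timing differences."""
    expected = session.get("csrf_token", "")
    submitted = form.get("csrf_token", "")
    return bool(expected) and hmac.compare_digest(submitted, expected)


def handle_transfer(session: dict, headers: dict, form: dict) -> str:
    """Combined policy: the token is mandatory; the Referer is at most a
    secondary signal worth logging, never the sole gate."""
    if not token_check(session, form):
        return "rejected: missing or wrong csrf token"
    return "ok: transfer of %s to %s" % (form.get("amount"), form.get("to"))


# --- constructed requests -------------------------------------------------
def legitimate_request(session: dict):
    """Browser submitting the real form served by TRUSTED_ORIGIN."""
    headers = {"Referer": TRUSTED_ORIGIN + "/transfer"}
    return headers, render_transfer_form(session)


def cross_site_request(session: dict):
    """What a hostile page could produce via a Referer-spoofing bug: the
    header looks right, but the form carries no session token."""
    headers = {"Referer": TRUSTED_ORIGIN + "/transfer"}  # forged
    form = {"to": "attacker", "amount": "1000"}            # no csrf_token
    return headers, form


if __name__ == "__main__":
    s = new_session()
    cases = (("legit", legitimate_request(s)), ("cross-site", cross_site_request(s)))
    for name, (h, f) in cases:
        print(name, "| referrer-only:", referrer_only_check(h), "| token:", handle_transfer(s, h, f))
```

Running the script shows the forged request passing the referrer-only gate and being rejected by the token gate; the same split applies to any defence that rests on a header the client controls.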

CanSecWest 2008 pwn2own: Triple Play!

March 25, 2008

nice toys for bad girls and boys
CanSecWest Applied Security Conference: Vancouver, British Columbia, Canada:

Three targets, all patched. All in typical client configurations with typical user configurations. You hack it, you get to keep it.

Each has a file on them and it contains the instructions and how to claim the prize. Targets (typical road-warrior clients):

  • VAIO VGN-TZ37CN running Ubuntu 7.10
  • Fujitsu U810 running Vista Ultimate SP1
  • MacBook Air running OSX 10.5.2

My bet is that the MacBook Err is first to go. Not just because it’s a nifty, thin lightweight machine many people crave but because Apple’s security blows. I won’t be surprised if the Fujitsu is last to go unless someone uses an identical exploit in the Apple, much like last year’s vulnerability was cross-platform. Since the Fujitsu will include iTunes, Safari, and QuickTime, I expect whoever pwns the Mac will immediately share the same exploit on the Fujitsu (or vice versa if it’s related to Apple’s insecure software). The rules stipulate one laptop per contestant.

FWIW, my heart would be set on the Fujitsu (on which I’d probably install FreeBSD) even though I’m a diehard ThinkPad fan. I’d take an x300 with its twice-better battery life (not to mention easy battery accessibility) and more USB ports and better connectivity and everything else over the single-battery (you have to disassemble the thing to replace it, which will reportedly take 48 hours at an Apple Store — no carrying spares) MacBook Err and the Vaio and the Fujitsu. Oh yeah, and then there’s the best part of all — the x300 doesn’t come loaded with Mac OSX.

If anyone at Lenovo wants me to review the x300 in a Linux/BSD environment, please contact me. I’d love to see what it can do.