Monday, March 23, 2009

Before: My current POV on Mac security

Before what? Before I read this article on Mac security:

Mac OS Xploitation
by Dino A. Dai Zovi

When (more likely than 'if') I have changed my POV after reading it, I'll post an 'After'. I find this sort of thing amusing. Consider me eccentric.

One of the places I hang out on the net is the MacEnterprise list. It is run by the Mac OS X Enterprise Deployment Project. I've cross-posted between here and there previously. Here is my post this evening to the list:

On Mar 16, 2009, at 2:12 PM, Allan Marcus wrote:

This paper is from the author of the Mac Hacker's Handbook. It's rather scary and concludes . . .

The conclusions were fairly standard "Mac OS X is scary insecure!" stuff. Before reading the article, here was my reply:

I'm going to give it a read through as I am interested in Mac security.

But I have to give a few bits of perspective from my current POV. I know I'll get contentious arguments to the contrary, but here goes anyway:

1) This sort of article, in part, amounts to FUD (Fear, Uncertainty and Doubt). It is extremely rare to find articles with a full explorative comparison between UNIX (which is what Mac OS X actually is, legally, officially, etc.), Mac OS X (meaning the other stuff Apple put on top of UNIX), Linux and Windows. Empirically, Windows is the single least secure commercially available operating system on the planet. There are plenty of people who have a stake in its success, despite this blatant problem. Therefore, it is extremely popular among them and the people who believe their con-job to FUD every other OS at every opportunity. The result is chaotic disinformation leading to stagnation, aka the status quo. I don't believe you have to take a 'political' or 'religious' stance to understand that this is the case.

2) And yet the seemingly endless barrage of FUD, initiated in August 2005 by none other than Symantec, has done nothing but *GOOD* for Mac OS X. All the FUD mongers and earnest, honest security experts out in the field have driven Apple out of their security slumber. Apple's resulting attention to Mac OS X security has increased exponentially. This is one reason I value competition in the marketplace. It keeps the competitors awake and innovative. Does this mean Apple is in high gear to make Mac OS X security impenetrable? I don't think so. But I do believe they are now serious and alert.

3) Apple's most insecure program is QuickTime. Mac OS X has its problems, but QuickTime has been Apple's security bane. If you go through the list of security fixes since December 2006, when this problem became blatantly clear over at MySpace, you'll find this assertion to be correct. Microsoft has gotten slammed for its poor multimedia code. But QuickTime has had its share of very similar problems, without getting nearly as much attention.

4) I don't care what OS you talk about. Buffer overrun problems are consistently the horror of programming to this day. I like to slam Microsoft for still using ye olde DOS memory management under the hood. But programmed memory management messes are just as prevalent everywhere else. From my limited coding education, I have to point to the now antiquated programming languages we have to use. Remember how Java was supposed to have solid memory management, among other miraculous safety features? Forget it.

5) Despite what gets thrown about in the FUD mongering chronicles, the fact remains that Microsoft have perpetrated some outrageously insecure code. Examples: JScript remains one big reason 'JavaScript' is insecure these days. ActiveX scripting is another Microsoft 'Welcome Hackers!' security hole made for the Internet. Vista is not entirely immune to either of these lousy technologies.

6) There never was such a thing as 'Security By Obscurity' for Mac. It's a total myth, and no one foisting the myth has ever presented a sane argument in their favor. Anyone can do the math. We currently have eight (8) Mac OS X Trojan horses. That is the full extent of Mac OS X malware in the wild at this moment. We have a market share that is maybe 1/10th that of Windows. So how come Windows has a massively disproportionate amount of malware, in the hundreds of thousands, with thousands more every year? There is something more going on here than Macs having 1/10th or less market share. That's a big 'DUH' in my estimation.

So I say, Bring On The FUD!

Despite the fact that every single piece of current Mac OS X malware requires social engineering methods to break into a Mac, that does not mean other methods are not possible. There is plenty of evidence to the contrary. There is no harm to the Mac platform whatsoever in striking fear of security breaches into the hearts of its users. It just makes the platform that much stronger. Just don't go out and buy rubbish anti-malware programs from the FUD meisters. Equally, don't count on the freeware to cover your butt. For example, I've totally given up on Clam providing any relevant protection for Mac OS X. It's not happening. Instead we currently have to train users to not fall for social engineering tricks, while keeping up with security updates and watching Mac OS X relevant security news. If a time comes to use anti-malware programs for particular situations, so be it. Right now I'd turn to Sophos and Intego for the best quality solutions.

Please remember, this is just my personal limited POV. Obviously, gather in many more perspectives and make the best educated security decisions you can for your situation.

Thank you for reading my blether-fest,
Friday, March 20, 2009

Pwn2Own Browsers Hacked: IE 8, "Safari" and "Firefox"

This time of year is now one of traditional contention. It's time for Pwn2Own at CanSecWest. It is a fun contest held among security experts to crack the chosen subjects for each year. This year a selection of web browsers was used.

Of course, after the contest there is lots of snickering and gossip. But for better or worse, what exactly happened at the contest is rarely revealed: the specific cracks used are not allowed to be published, so that they can be provided to the programmers of the cracked software for consideration and patching.

Questionable aspect of this year's contest: Windows 7ista was used in PC testing. It's in beta.

Losers so far this year:

1) "Safari" for Mac. I use quotes as I have not been able to find what version was used. Presumably it is the latest public release, and not the version 4 beta. It was cracked within 2 minutes. How cracked? Unstated. My speculation: That hell hole known as "JavaScript", which these days includes JScript, a holey mess perpetrated by Microsoft. Apple have consistently had JavaScript security problems, starting with QuickTime in 2006 over at MySpace.

2) "Firefox". Again I use quotes as I have not found the version number. Neither do I know which platform, which may well mean both Mac and PC. How cracked? Unstated.

3) Internet Explorer 8.0. This browser was JUST released. Oops. It should have stayed in beta. Again, specifics of the crack have not been made public.

For further details, keep an eye on the Security Watch blog at PC Magazine and the TippingPoint DVLabs blog. You can also follow TippingPoint's Twittering. The contest will conclude later today (Friday, 2009-03-20).

Thursday, March 12, 2009

Mostly Harmless: Adobe Updater Requests Administrative Privileges!!!

Consider me profoundly ticked off at Adobe. This is the last straw for me regarding their Adobe Updater program. It has now been DELETED off my computer, and I suggest you do the same.

I really hope I am being alarmist about what Adobe just tried to pull on me and I get lots of letters ranting at me about my foolishness. But I believe what I just witnessed on my Mac has tipped Adobe into the Evil Zone.

Back Story:

For the last several years it has been at times hell-on-Earth updating Adobe programs via the Internet. I have never, ever seen a more diabolically BAD system for updating programs. I've written to them about it several times as have hundreds of other people.

So this past year Adobe figured out they had a PR problem and offered professionals the opportunity to describe the problems with Adobe's update system. Hundreds of people again contacted Adobe. So everything is going to get all better now. Right?

Adobe wants to rule your Mac:

Tonight I got notification from good old that Adobe Reader version 9.1 had been released. It is a critical update that plugs some very bad security holes. Everyone should update ASAP. So of course I did the update.

As per usual, stupid Adobe couldn't do just one simple update; they had to ask me again and again for permission to install stuff. Among the added rubbish was yet another version of Adobe Updater. Clearly, nothing has been improved in Adobe's idiotic updating system over the Internet.

Then came the very-very last step: A box requesting my password, for a SECOND TIME, allowing Adobe Updater to have ADMINISTRATIVE PRIVILEGES, forever!

Stop and consider that for a second. An application asked me if it could always have administrative privileges to do whatever it wanted to my computer at any time. IOW, Adobe Updater was asking if it could rule my computer. This is called evil. (OK, now you can tell me I'm paranoid. But I don't think so!)

My response:

I canceled the request.

And for good measure I DELETED Adobe Updater from my computer.

Then I wrote the following to Adobe:

I just installed Adobe Reader 9.1 for Mac OS X.

Why did Adobe Updater ask me for my password so it could run, at will, with Administrative Privileges?

This is profoundly insecure, DANGEROUS and a bad idea in ALL situations.

As a result I CANCELED this privileges request. I also took Adobe Updater and ERASED IT from my computer. Adobe Updater will remain erased from my Macintosh computer until such time as Adobe explains itself regarding this DANGEROUS request. It had better be good. I will be publishing my disgust regarding your privileges request on the Internet and in computer user group newsletters this coming week.

And so I have. And if (a big if) Adobe get off the arrogance kick and actually respond, I'll let you know and share what they say. You can start holding your breath . . . NOW.

Until then:

Clutch your Mac firmly to your breast. Adobe are coming to take it away.