Apple Patch Released, But Is It Enough?
entenman writes "Apple Computer's security update train rumbled into the station with fixes for a whopping 43 Mac OS X and QuickTime vulnerabilities. The Security Update patches 31 flaws in the Mac OS X, most of them serious enough to cause 'arbitrary code execution attacks.'" Unfortunately, InfoWorldMike writes "InfoWorld.com reports that Independent researcher Tom Ferris said there were still holes in Safari, QuickTime, and iTunes that he reported to Apple but were not patched in the latest release on Thursday. Ferris told InfoWorld he is considering releasing the details of the unpatched holes on May 14 on his Web site. He also says he has found new holes in OS X affecting TIFF format files and BOMArchiver, an application used to compress files. He did not provide details about the flaws or proof of their existence."
And there is debate about whether Apple's shift to the same Intel architecture used by Microsoft Windows will change the security posture of Mac systems.
Let's settle this debate.
No.
Changing CPU architectures will have absolutely no effect on security.
Switching to Intel will make it easier for game developers to port their code, which will lead to more games available for the Mac. This, combined with the ability to dual-boot to Windows and eventually the ability to run Windows apps through virtualization, makes the Mac platform more appealing to consumers, which will probably lead to an increase in Apple's market share. This could lead to more malware creators taking an interest in the Mac platform, which would lead to more security holes in Mac OS X being exploited (which is not the same as more security holes existing).
$x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
$x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
What purpose would publishing the details on his site serve, other than as a kind of security vulnerability "first post!" type of thing?
E pluribus unum
Good thing I use Microsoft® Windows XP so I don't have to worry about things like this.
I.e., I'm a giant penis and I would rather expose vulnerabilities that could potentially damage systems rather than wait for the coders at Apple to make sure everything is accounted for and put into a patch that won't affect other things that I didn't foresee.
It's one thing to find holes and tell Apple and people you did, and send the info to Apple. But I am so sick of these people who feel that if said company doesn't respond NOW they are then in the right to exploit said holes and make everyone's life miserable.
"Slashdot, where telling the truth is overrated but lying is insightful."
Who exactly is "[i]ndependent researcher Tom Ferris" (and why was independent capitalized in the original quote)? And why should we listen to him?
I'd like to see Apple fix security problems as quickly as possible, but this guy threatening to release exploit information a few days after the first patch to go out after the notification? That seems like they are expecting an awful lot from Apple - certainly they want to take a few weeks to analyze their patch and make sure it doesn't break a bunch of things. Apple should not be forced to make an ill-prepared and possibly buggy patch release due to the threats of this "analyst". If he had given several months of warning I could see the justification, but it looks like he is doing this to get some publicity because he knows Apple won't rush something like this, not to the degree this fellow is demanding.
I work for the Department of Redundancy Department.
It's all about VLC. It sometimes works kinda weird on my Mactel but it's a pretty good QuickTime replacement.
"Since I hate smug Mac users, let me be the first. . .to say hahahaha hahahaha ha ha ha ha ha hahaha hah ha hahahahahahaha HA!!"
Yeah, us Mac users and our potential vulnerabilities. All the potential data I haven't lost has really cost me.
And smug people suck, no matter what computer they choose.
from the updater notes: " When Safari's "Open `safe' files after downloading" option is enabled, archives will be automatically expanded. If the archive contains a symbolic link, the target symlink may be moved to the user's desktop and launched."
OK, second time this "Open 'safe' files is a lie. WHY THE HELL IS THAT OPTION STILL THERE?" I never trusted that open from the moment I first saw the checkbox. I guess that's why they put "safe" in quotes. Buy our "free" product for only $9.95!
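The updater note quoted above describes an auto-expander that follows a symlink out of the archive and launches whatever it points at. As an added example, not part of the original thread and not Apple's code, here is the pre-extraction audit a practitioner would want before any "open 'safe' files" feature touches an archive: it scans a tar archive held in memory and refuses members that are links, that escape the extraction directory, or that are device nodes. The extraction root and the sample archive (a benign file, a symlink to /usr/bin/true standing in for any launchable target, and a path-traversal entry) are constructed for the example.

```python
import io
import posixpath
import tarfile

# Constructed value for the example; any directory works.
EXTRACT_ROOT = "/Users/example/Downloads"


def _escapes(root, relpath):
    """True when root/relpath normalises to somewhere outside root."""
    full = posixpath.normpath(posixpath.join(root, relpath))
    return posixpath.commonpath([root, full]) != root


def audit_archive(data):
    """Scan a tar archive held in memory and return {member: [reasons]} for every
    member an auto-expander should refuse to unpack. Nothing is extracted."""
    findings = {}

    def flag(name, reason):
        findings.setdefault(name, []).append(reason)

    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        for m in tf.getmembers():
            if posixpath.isabs(m.name) or _escapes(EXTRACT_ROOT, m.name):
                flag(m.name, "path escapes extraction directory")
            if m.issym() or m.islnk():
                # The bug in the updater note: any link in a "safe" archive can
                # point the launcher at something that was never downloaded.
                flag(m.name, "archive contains a link (target: %s)" % m.linkname)
                link_dir = posixpath.dirname(m.name)
                if posixpath.isabs(m.linkname) or _escapes(
                        EXTRACT_ROOT, posixpath.join(link_dir, m.linkname)):
                    flag(m.name, "link target outside extraction directory")
            if m.isdev():
                flag(m.name, "device node")
    return findings


def build_sample_archive():
    """Constructed sample: one benign file, one symlink to a system binary
    (stands in for any launchable target), and one traversal entry."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        payload = b"hello\n"
        ti = tarfile.TarInfo("notes/readme.txt")
        ti.size = len(payload)
        tf.addfile(ti, io.BytesIO(payload))

        link = tarfile.TarInfo("notes/open-me")
        link.type = tarfile.SYMTYPE
        link.linkname = "/usr/bin/true"
        tf.addfile(link)

        escape = tarfile.TarInfo("../../Desktop/payload")
        escape.size = 0
        tf.addfile(escape)
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in audit_archive(build_sample_archive()).items():
        print(name, "->", "; ".join(reasons))
```

The check is deliberately done on the member list rather than on extracted files: by the time a symlink exists on disk the race is already lost, which is exactly why Safari's behaviour in the note was a problem.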
Considering that there has not been one real, severe, in-the-wild, massively spread, substantial, damage-causing virus in the five year history of Mac OS X, I would say yes, the boys and girls in Cupertino are doing just fine. Thank you very much for all your hard work, and all naysaying columnists and pundits can go screw.
Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
Ferris told InfoWorld he is considering releasing the details of the unpatched holes on May 14 on his Web site.
Apple will then just have to take him to court like they do with everybody else, won't they?
The way I see it, they probably intend on patching the other problems, but they decided to get a decent amount done, and then release the update. Much like how Microsoft's once-a-month releases could give some time for the vulnerabilities to be taken advantage of (I recall that release cycle, I'm not sure if they are still done anymore though), if they waited for all patches to be done in this case, it may have prolonged the wait by quite a bit longer.
In undeveloped countries, the consumer controls the market. In capitalist America, the market controls you.
Silly person, what's the point in doing the "omg you guyz so biased" karma whore if you're not logged in.
You don't think that NX support within the CPU could help at all?
Sure it's not a complete solution, it is at least another layer of protection to keep users safe and is more than what they had with PPC's... provided they are using it today.
Help Brendan pay off his student loans
I think that this is inevitable. Mac OS X is a desktop OS, desktop customers demand shiny new features and Apple needs to compete with Microsoft in adding such features, otherwise it will fall behind in market share. These new features make for a supremely usable OS, but it means that development is always too fast. Security flaws are invariably human logic errors, and when a lot of new code is written really fast, errors are made. Conversely, take OpenBSD, its pace of development is slow and thorough and due to its comprehensive code audit (which slows development) very few security holes are found in the code. As complexity escalates, so will the number of bugs and until Apple's workforce is replaced with androids (Which I'm sure will have a negative impact on its cool reputation) errors will continue to be made.
Although inevitable, we need not accept that there should be quite as many flaws as there are. Apple is in a uniquely privileged position over Microsoft in using the Unix permission system and the mature core that Mach and FreeBSD provide; it must not become complacent. Increasingly, it appears that Apple is becoming sloppy: there are reports of Apple not using automated bounds checking and the like. Such arrogance is inexcusable from any developer, and as Apple's popularity increases poor security will invariably become more of an issue. It's time for Apple to seriously take stock of this issue.
Nothing sucks like a Vax, nothing blows like a PowerMac G4
The standard desktop chips provide it with 256 MB resolution. This is decent. You could make the stack unexecutable this way, and probably the heap too.
On x86, you can reliably execute code that has been freshly written to memory. This is because the CPU invalidates the instruction cache automatically as needed.
PowerPC chips don't do this. If you try to execute something freshly written to memory, you may instead execute the prior data.
He could sell the exploits to:
a. spammers
b. Chinese government
c. US government
d. credit card fraud groups (mafia-like)
e. Israeli government
f. French government
g. Russian government
It all depends: does he like dollars, euros, credit card numbers, whores...?
I think you underestimate the importance of assembly language when coding exploits. There are plenty of crackers out there who know x86 ASM. There are *far* fewer who know PPC ASM.
I think you overestimate the effort required to learn PPC once you know x86. The first assembly language you learn is difficult, especially if it is x86, but for subsequent ones it is far less difficult. After many years of x86 I wrote my first serious PPC code, it beat Apple's MrC compiler quite easily.
I enjoyed today's (semi-relevant) Ctrl+Alt+Del comic
"The unicode stuff in the latest version is working fabulously well. My russian mafia friends are ecstatic."
Perhaps he chose to post AC because anything that goes against groupthink is inevitably modded down? Typically as Troll (Slashdot definition: I disagree with your opinion) or Flamebait (Slashdot definition: I disagree with your opinion)
Slashdot - where whining about luck is the new way to make the world you want.
The truth is the Intel processor is a lot more prone to buffer overflow attacks, which is what most exploits on Windows are based on. This is why the no-execute command was introduced in later chips but OSX doesn't take a lot (if any) advantage of it.
Sorry, but no. The historical problems with x86 are irrelevant. Apple did not ship retail computers with those CPUs. The Core Duo and Solo CPUs support no-execute. The vulnerability does not lie with the CPU, it lies with Apple failing to use that capability of the CPU.
Also don't forget: most hackers have self-assembled Intel/AMD machines... that certainly counts.
Sorry, but again, no. What mischief occurs on these machines is irrelevant to Apple and the Apple market in general. These machines are running a hacked Mac OS X that requires skill beyond that of nearly all PC users and it will likely be a fairly unreliable system as it may break every software update. Having to rely on hacks from a 3rd party is a bit of a security risk itself. Sure it will be loads of fun to get Mac OS X running on a homebrew system, but these system will be novelties and fun topics of conversation, very rarely will they have serious users.
The FAQ says that people frequently get modded insightful just because they seem confident, and apparently you prove them right.
Actually you just proved them right as well.
Now if the SAME people coded a patch AND released the exploit, then I wouldn't feel the way I do. But they aren't; they are just feeling smug in proving something doesn't work while not helping in any way to address it.
So you don't think letting users know there's a problem is helpful? Nobody should ever say anything, because someone else will exploit the knowledge? More than likely if there's a problem more than one person can find it and it's not just the good guys who find them.
FalconShould there be a Law?
Back in 1999, LinuxPPC decided to mock Microsoft's putting a Windows 2000 machine on the internet to see who would break into it by putting their own up and saying that whoever cracked it first would get the machine.
Their machine had a default install, with default sets of applications.
It took months before anyone cracked the machine. When it was cracked, the hole used to do it was a well-known buffer overflow that had widely known x86 exploits at the time they put the machine up. An Intel machine treated that way would have been instant toast. What took time was that nobody had written a PPC exploit. Therefore none of the automated tools that the script kiddies had would crack the machine.
Sure, for someone knowledgeable, it wasn't a hard transition. But the major outside security threat for most of us is not from someone knowledgeable, it is from people who are not knowledgeable using tools written by people that are. Those people are NOT going to be able to make the transition easily.
It used to be that people would write an application for Windows then recompile for Macs. The result is that the exploit that worked against a Windows version of the application would likely not work on the Mac version. Since there are more Intel machines, odds were pretty good that nobody would get around to writing a Mac version of the exploit for some time. But now the odds are much better that the Windows exploit which the script kiddies are likely to have will work against the same application running on a Mac. Which does make the Mac less secure in practice going forward.
How is responding to an "I'll avoid QuickTime issues by using VLC" post with a brief explanation of why that won't work offtopic? There's a serious lack of reading comprehension skills being shown here.
Well at least they know when to get the cease and desist order out by. It's always nice to have a heads up!
So 100,000 birds in the hand are worth 20 in the bush?
I mean, note the word "potential". There are thousands of vulnerabilities that have been exploited on Windows, and like 20 potential on Macs, and that's equal? The day you'll trade me 100,000 dollars for a chance at 20 bucks is the day I'll toss my Apple in the trash.
> It's one thing to find holes and tell Apple and people you did, and send the info to Apple. But I am so sick of these people who feel that if said company doesn't respond NOW they are then in the right to exploit said holes and make everyone's life miserable.
;-)
What do you mean? That he doesn't have the right to disclose what he found? Does his constitutional rights make you sick? Well then I think that YOU are the one with a problem. You should be thanking him for warning Apple. I know many who would have kept it secret and written all kinds of worms just to make fun of fanboys like you, and I guess that's what you're really asking for with your complaints.
Here goes my karma...
Wrong. For example, to exploit buffer overflows, you need to write assembly. More people know Intel assembly than PPC assembly. That makes attacks on Intel Macs more likely than on PPC Macs. This is most definitely "an effect on security."
Wrong. Most modern games contain no or very little assembly code. The chipset doesn't matter when porting games. DirectX would matter, but it's not available on Macs either way.
Eventually? It's already here, running on my Mac right now.
On XP I have bunch of monitoring and firewalling software. On Mac I only have the knowledge that my OS is bullet proof. Now the second is not valid anymore. Oh my...
Bullshit. Buffer overflows are a software problem and have nothing to do with the CPU. The PowerPC would have been just as vulnerable, when running identical code.
Can a buffer overflow be a CPU as well as a software problem? According to this wiki article on the NX bit, if a CPU designates the data area of memory with an NX attribute then no code can run from within that memory, thus preventing buffer overflows from executing code. If they have it wrong then maybe you can help them edit this article, well, that is if someone else didn't already edit it to give false info.
Any OS or browser which allows any scripting code of any kind not originating on your system to run for any reason is bullshit. Use but you can't abuse.
Please, someone, give me a web address that will install spy/crudware without my consent automatically; show me how, with no user intervention, an unpatched box can be hacked to hell by spammers to use in botnets in under 2 minutes... show me this or shut the fuck up!
I understand that OS X isn't perfectly secure, it has its bugs, so does BSD as a whole, but the holes get FIXED and not denied for months until the hole is used to destroy hundreds of thousands of PCs.
Guess what, security by obscurity is no security. It's the same as if you just had a taller fence. Sure it'll slow them down, but if someone WANTED to exploit a PPC based OS, they would spend the time to learn PPC. So why don't people want to spend the time to exploit PPC? Because 90% of the potential systems to hack are Windows.
They could have waited until Monday, but Apple actually released them on a HOLIDAY weekend... Someone (maybe a whole dev group) actually came in and got the patches out today; they could have waited till next week, hell, they could have waited till 10.4.7 if they wanted to; they didn't. THAT is what sets them apart from MS.
I love it when 13-year-olds post on Slashdot!
I run both and my new Mac has been patched more than my new PC, and Adobe alone has released at least twice as many patches this year for my Mac than for my PC.
It's not that there are no vulnerabilities, all complex code contains multiple vulnerabilities, it's that Macs being set up with a user level account as opposed to Windows default admin account are much less liable to being actually exploited. The same can of course be said for most Linux distros which are also set up with a default user level account.
Vista will probably help IF it's ever released, and as I read here on Slashdot the way Vista handles admin tasks (at least in its current release state) involves an infuriating number of dialog boxes. I'll stick with my Mac for now so I can just get some work done (shrug).
I guess this is what I get for responding to a troll.
Tired of all the isms, don't exploit people as an employer, or a government, mmmmK?
Before Intel, it made no sense to steal Mac OS X because there was no (sensible) gear to run it natively. Now all it takes is a standard PC. There are more tinkerers. This means that the move to Intel created, indirectly, a higher security risk.
http://revj.sourceforge.net
Not today. Reading Comprehension FTW.
Maybe that's because you're only reading the Apple section of Slashdot.
I read the front page headlines only, and I can promise you that every little exploit that affects IE or Windows makes it to the headlines here. Slashdot effectively goes out of its way to point out these exploits.
On the other hand, of the 40-some patches that were just released according to today's article, I had no idea about. Maybe 2 or 3 of them made it to headlines, the rest were very quiet.
-David
One reason *everyone* is more secure than Microsoft Windows is that only Windows has implemented anything even vaguely as bad as the ActiveX/Windows Desktop/IE integration mess.
On the other hand, just about everyone to some degree or another commits the sin of trusting untrustable files. Even the darling of the security set, Firefox, has an installation mechanism that involves executing files directly from the Internet without a user's explicit request.
Apple has "Open safe files after downloading" compounded by the unforgivable sin of treating things like archivers or installers as "safe" files.
I've written about this before.
On a security level, this is like shaking hands after sneezing, compared to Microsoft's fascination with running barefoot through a "Hot Ward" and snogging the Ebola patients, but it's still unacceptable.
Until Apple quits copying Microsoft's bad ideas, like opening files from the Internet using the Desktop launch service, they're just asking someone to waltz in and take advantage of them.
No, adding more annoying dialogs won't help. People learn to ignore them.
Most organizations (and most people) just don't want to believe exactly how bad it really is when a PC gets infected with malware these days. They don't want to know because if they remain in the dark about it they don't have to do anything to fix it.
If you mod me down, I shall become more powerful than you could possibly imagine.
Maybe they couldn't patch EVERYTHING without breaking something.
They will patch it, but 43 sounds like plenty for one update to me.
Wait... So what you're saying is that Apple Computer fixed something that could cause a security issue before they were forced to due to a virus outbreak? Wow, they should be ashamed of themselves for not following standard practices.
There won't be a significant virus threat with Macs similar to the Windows OS. Viruses that crash the OS were popular due to the limited multi-user network capability of Windows. Mac OS X is designed and operates as a feature-rich multi-user OS, which makes rootkits more popular. Why crash a computer when you can own it?
My post talks about being modded down. By rule, it gets modded up. This one should be modded down; however, I just screwed the system by talking about both directions. It will probably be ignored.
I REALLY hope that Apple is planning to port (or participate in the ports already in progress) to get the NSA's MAC controls into Mach Microkernel.
OS X would be a WHOLE lot more secure with them in place.
This is why we need capabilities. Very badly.
Please, for the good of Humanity, vote Obama.
Changing CPU architectures will have absolutely no effect on security.
Actually, it will; it has the effect of making the situation better.
Think about it. For OS X, the clock has been reset on when we can expect the first real virus or exploit to arrive. Even if you were to agree that it's somewhat easier to write Intel viruses, then you have to say: why write one now, when there are not that many Intel Macs out yet?
Now a virus writer has a choice. Write an exploit for tens of millions of computers in the market but are slowly declining as people upgrade systems, or target the Intel Macs with a much lower user population.
While technically it's probably possible to write a "universal binary" sort of virus it would be hard, as with an exploit you get one shot at injecting code, and it has to work on the platform where it ends up.
So OS X by switching platforms has probably bought itself at least two more years from any kind of serious real-life exploit problem.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
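The comment above argues that a "universal binary" style of malware would have to carry working code for both CPUs. As an added example, not from the thread and not Apple's code, here is a small inspector for the Mach-O universal (fat) container that a responder can run over a suspicious binary to see which architectures it carries. It checks each fat_arch slice against the file length and against the mach_header found inside the slice, so a header that lies about its contents is reported rather than trusted. The two-way sample binary is constructed inline (header-only stubs with 4-byte alignment instead of the page alignment real tools use); the cputype values are those from <mach/machine.h>.

```python
import struct

FAT_MAGIC = 0xCAFEBABE                 # fat_header.magic, always big-endian on disk
MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF
CPU_ARCH_ABI64 = 0x01000000
CPU_NAMES = {7: "i386", 7 | CPU_ARCH_ABI64: "x86_64",
             18: "ppc", 18 | CPU_ARCH_ABI64: "ppc64"}   # from <mach/machine.h>


def _thin_arch(blob):
    """Architecture of a thin Mach-O image, or None. The mach_header is written
    in the target's byte order, so both orders are tried."""
    if len(blob) < 8:
        return None
    for order in (">", "<"):
        magic, cputype = struct.unpack(order + "II", blob[:8])
        if magic in (MH_MAGIC, MH_MAGIC_64):
            return CPU_NAMES.get(cputype, "cputype 0x%08x" % cputype)
    return None


def architectures(data):
    """Architectures a Mach-O file carries: one entry for a thin image, one per
    slice for a universal image, [] for anything else. Raises ValueError when a
    fat header describes a slice that is truncated or does not match its header.
    Caveat: Java .class files share the 0xCAFEBABE magic; for them nfat_arch is
    really the version field and the slice checks below will raise."""
    if len(data) < 8:
        return []
    magic, nfat_arch = struct.unpack(">II", data[:8])
    if magic != FAT_MAGIC:
        arch = _thin_arch(data)
        return [arch] if arch else []
    archs = []
    for i in range(nfat_arch):
        off = 8 + 20 * i               # sizeof(fat_header) + i * sizeof(fat_arch)
        if len(data) < off + 20:
            raise ValueError("fat header claims %d slices but file is too short" % nfat_arch)
        cputype, _subtype, offset, size, _align = struct.unpack(">5I", data[off:off + 20])
        if offset + size > len(data):
            raise ValueError("slice %d (cputype 0x%x) runs past end of file" % (i, cputype))
        declared = CPU_NAMES.get(cputype, "cputype 0x%08x" % cputype)
        inner = _thin_arch(data[offset:offset + size])
        if inner != declared:
            raise ValueError("fat_arch says %s but slice contains %s" % (declared, inner))
        archs.append(declared)
    return archs


def build_sample_universal():
    """Constructed two-way universal stub (ppc + i386). Each slice is only a
    mach_header with no load commands; real slices are page-aligned and larger."""
    hdr = "IIIIIII"  # magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags
    ppc = struct.pack(">" + hdr, MH_MAGIC, 18, 0, 2, 0, 0, 0)    # MH_EXECUTE = 2
    i386 = struct.pack("<" + hdr, MH_MAGIC, 7, 3, 2, 0, 0, 0)
    header_size = 8 + 20 * 2
    ppc_off, i386_off = header_size, header_size + len(ppc)
    fat = struct.pack(">II", FAT_MAGIC, 2)
    fat += struct.pack(">5I", 18, 0, ppc_off, len(ppc), 2)       # align = 2^2
    fat += struct.pack(">5I", 7, 3, i386_off, len(i386), 2)
    return fat + ppc + i386


if __name__ == "__main__":
    print(architectures(build_sample_universal()))
```

Reading the mach_header inside each slice is the part worth keeping: the fat_arch table is untrusted input, and a sample that advertises one architecture while shipping another is exactly the kind of thing an automated triage pipeline would otherwise misfile.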
No, we don't need capabilities. We don't need mandatory access control. We don't need low-privilege browsers. We don't even need multi-user security on a single-user machine. All that stuff is great for limiting the damage once a vulnerability has been exploited, but before any of those things we need applications that don't have vulnerabilities deliberately included as part of the design. THAT is where the biggest problem is... not in bugs that can be fixed without inconveniencing anyone, but in design features that are inherently insecure and that they don't want to change because people are used to the way it works, because applications depend on the way it works.
But you can change these things even if you don't want to. If UNIX systems can ship with the Berkeley "r-suite" disabled or missing, then Windows can abandon Active Desktop and browser-integration with .NET, and Apple can abandon "Open Safe Files" and sharing helper application bindings between the Finder and Safari.
I keep saying this but it's so funny that these people, when it comes to Apple, say 'fixes a whopping 43 bugs' lol. When it comes to MS, they go like 'omfg 43 bugs I was living with, geez is MS selling such trash?'
Keep going, because it just sounds totally funny.
Not that I blame Apple for fixing bugs, but they do ship quite buggy software in the first place, but people never tend to pick on Apple anyway.
Tom Ferris said there were still holes in Safari, QuickTime, and iTunes
I thought that every piece of code ever written at least has some holes.
There are unpatched exploits and DoS in the latest May 11th Safari still.
One CPU stealer is at www.niftyspot.com/safari_LostCities/
Apple knew about it for a month and the other worse unpatched exploits for over 2 or 3 weeks... still unpatched.
...trying to get attention and page views. He is just calling any application crash a "security vulnerability", which is maybe defensible, in a rather strained sense, but has nothing to do with practical exploits.
Here is one unpatched exploit! It's the most innocent one, a mere 100% CPU stealer denial of service.
There are unpatched exploits and DoS in the latest May 11th Safari still.
Code is at www.niftyspot.com/safari_LostCities/
Apple knew about that for a month and the other worse unpatched exploits for over 2 or 3 weeks... still unpatched.
I am not such an OS X whiner fool that I would promote actual good code insertion exploits, but I give Apple about 5 or 6 more days before I get touchy about it. After all, Apple ignores Safari exploits. That web site is one example of many.
You are, of course, correct that he does not speak for Slashdot, however I would like to point out that there are many valid reasons for releasing full details on an unpatched hole. In particular:
* If they are taking an unreasonable amount of time to patch the hole (Microsoft often does this--l0pht bragged about making one "theoretical" hole they ignored practical)
* If it is already being exploited (this is so that more knowledgeable people than the vendors can make work-arounds, e.g. as was done with that nasty WMF hole last Dec.)
* Because the security researcher feels as if they're being extorted into silence (Lynn vs. Cisco)
There are, of course, guidelines for "responsible disclosure" (trying to give the vendor a *chance* to fix it, but going public if they pull any crap) and a debate over "full disclosure" (the theory being that it forces vendors to pay attention to security... or else), but I won't get into that here.
It's far more than, as GP put it, "being a giant penis" to release these things--no one can rightfully make such a determination without analyzing the facts pertinent to the disclosure, especially all private correspondence between the researcher and the software maker.
It is true that learning another instruction set is not difficult. However, I must ask what the motivation for learning the instruction set is when such a small number of computers run the architecture?
-Lanimilbus
Are you really that ignorant? There are more than 20 exploitable in the last patch; there have been hundreds in the last year. From an actual exploitable hole stat Apple sucks badly; just because people have CHOSEN not to exploit it doesn't make it good.
"There are thousands of vulnerabilities that have been exploited on Windows, and like 20 potential on Macs, and that's equal?"
Exaggerate much?
I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
people never tend to pick on Apple anyway
ORLY?
The worst of Apple's bugs tend to be at the "You know, you really ought to wash your hands after using a public restroom" level.
Microsoft's are more at the "You know, you probably ought to wear protection when having anonymous sex in public restrooms" level.
The whole idea of a web page being able to download and execute code outside the sandbox is just so horribly alien to any kind of sane security model that I'm still boggled at it. And doubly boggled that someone at Microsoft hasn't gone to jail for it yet.
It's not so easy, removing features, even if they are unsafe.
I know, that's why my recommendation doesn't remove any user-visible features, and even improves the user experience by removing the perceived need for warning dialogs before doing "unsafe" things, and provides a more versatile and flexible tool for managing the whole process.
It would, as far as the user's concerned, add features. And improve security as well.
OS X would be a WHOLE lot more secure with them in place.
Not really, mandatory access control adds a lot of inconvenience and, for most people, the kinds of MAC they're likely to put up with can already be implemented in the existing OS.
They're not using groups to separate responsibility for system preferences.
They're not providing a way to use chroot to create stronger internal sandboxes.
They're bypassing traverse checking in the OS-9 compatible "aliases", and probably Spotlight as well.
They haven't ported jails or secure levels from FreeBSD.
They don't have a consistent emulation of the classic Mac file system semantics on top of foreign file systems, so they probably won't be incorporating any non-HFS+ file systems with tighter security (not just secure levels in FreeBSD, but anything from TrustedBSD or any of the Linux file systems).
hmm, I just hate smug people.
I don't see where you're getting the 100,000 vs. 20 numbers. Are you implying that Windows has as many as 100,000 unpatched vulnerabilities (and that Apple has as few as 20)? Source, please?
"browser-integration with .NET" .NET's pretty darn secure. MS Research did a pretty good job putting it together. Certainly as secure as anything else that runs in a sandbox (Java, Flash, Shockwave, etc.).
Yes I think you are right about the tracking cookies and yes I don't like them. And yes I'm sure they are on my Mac as well. Is there any tool for removing tracking cookies from Firefox on Macs and Linux boxes? I think this a fairly serious and as far as I know overlooked problem on *nix boxes.
Yeah, I don't really know how well it rates though I've heard some good stuff and nothing bad yet, but I have, use, and keep updated ZoneAlarm . Some of what I like about it is that it allows me to block embedded objects, java, and scripts on a website by website basis. If I want one website to be able to use any of these I can yet I can still block another from using them. Unfortunately it doesn't work with Netscape over 4.x or with Firefox and that I know of neither of these allows any of the above to be blocked by website, they're either allow all or block all.
I guess this sort of answers the tracking cookie question. You can either have a cookie free system and no automatic logins or tracking cookies and no automatic login. Perhaps it's time for spybot like program for Macs and Linux just to remove tracking cookies?
"Firefox has two handy options with cookie settings that are worth being aware of: When enabling cookies you can choose to allow cookies "for the originating website only". You can also choose to delete all cookies when Firefox closes. The former setting blocks advertiser tracking cookies from companies such as Doubleclick, used to follow you around the Internet to watch your "consumer behavior". The latter setting blocks permanent cookies, which will prevent websites from tagging you with a permanent ID marker, but it will also mean that websites cannot save your password or personal preference settings."
http://www.jsware.net/jsware/foxtips.php3
"browser-integration with .NET" .NET's pretty darn secure.
Is it?
Enlighten me.
Is there a mechanism whereby an object in Internet or even LocalIntranet can request the execution of an arbitrarily specified object in the MyComputer zone? If so, does the user get a dialog asking whether this execution should be permitted, or is it unconditionally denied regardless of the user's settings? Is it possible for a user to specify that a specific object (based on any criteria, whether URL or certificate or address or strong name) be granted this right at the time the request is made?
Unless the answers are "no" or "yes, denied, no" then it's not "pretty darned secure".
Ok, thanks for the clarification, it clears up some of my confusion.
"Is there a mechanism whereby an object in Internet or even LocalIntranet can request the execution of an arbitrarily specified object in the MyComputer zone?"
Well, no, there isn't. By default, .NET assemblies are given "No Trust" (not allowed to execute) in the Internet zone. (Go into the control panel, Administrative Tools folder, .NET Configuration and bring up Runtime Security Policy). They're currently given "Medium Trust" to Local Intranet, but that's still fairly limited. And that will likely change in IE 7 because they're redoing zones. Zones were an IE 4 convention and they were stupid to begin with.
The word "arbitrary specified object in the My Computer zone" is kind of confusing. Do you mean benign stuff like the keyboard or actual file system objects? Regardless, no, Internet and Local Intranet don't have that kind of access in .NET.
"Is it possible for a user to specify that a specific object (based on any criteria, whether URL or certificate or address or strong name) be granted this right at the time the request is made?"
No, there isn't. The user isn't given a dialog box -- they're told the assembly doesn't have permission to run. The user can change the assembly's trust level in .NET Configuration (which goes far beyond the IE "zones") but there's no "click this button to wipe your system32" button or anything if a user comes across a rogue assembly.
Although, I don't know why that condition is relevant. The dialog boxes are there so users aren't completely annoyed, trying to find where to grant apps access. Java, Flash, etc. all do this. I've seen (and written) Java dialog boxes that grant bytecode access to do some pretty heinous things (one click access to read/write on system32, for example). The only reason, I think, that people don't bring this up in Java security discussions is that very few people actually run Java apps in browsers in the first place.
But to answer your questions "no, N/A, no". Hence my opinion "pretty darn secure".
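As an added illustration of the trust-level enforcement the post above describes (example code written for this page, not from the poster or from Microsoft), the snippet below shows the CLR's Code Access Security refusing a file write once the calling code runs under a restricted grant set, roughly what an Internet or Local Intranet assembly received under the default .NET 2.0 security policy. It assumes .NET Framework 2.0-era CAS; the temporary file path and the permission set named `restricted` are constructed for the demo, and the grant set is narrowed with `PermitOnly` rather than by loading an assembly from another zone.

```csharp
// Added example (not from the original thread): the CLR's Code Access
// Security refusing a file write under a restricted grant set.
// Assumes .NET Framework 2.0-era CAS. The path and the permission set
// below are constructed for this demo.
using System;
using System.IO;
using System.Security;
using System.Security.Permissions;

public static class CasDemo
{
    // Attempts a write and reports whether the CLR allowed it.
    public static bool TryWrite(string path)
    {
        try
        {
            File.WriteAllText(path, "hello from CasDemo");
            return true;
        }
        catch (SecurityException ex)
        {
            // File.WriteAllText demands FileIOPermission for the path; when the
            // current grant set lacks it, the demand fails before any I/O happens.
            Console.WriteLine("CLR refused the write: " + ex.Message);
            return false;
        }
    }

    public static void Main()
    {
        string path = Path.Combine(Path.GetTempPath(), "cas-demo.txt");

        // 1. Full trust, the default for code in the My Computer zone.
        Console.WriteLine("full trust write allowed: " + TryWrite(path));

        // 2. A constructed grant set holding only the right to execute, comparable
        //    to a restricted zone. PermitOnly limits this stack frame to that set,
        //    so every demand for a permission outside it fails.
        PermissionSet restricted = new PermissionSet(PermissionState.None);
        restricted.AddPermission(new SecurityPermission(SecurityPermissionFlag.Execution));
        restricted.PermitOnly();
        try
        {
            Console.WriteLine("restricted write allowed: " + TryWrite(path));
        }
        finally
        {
            // Undo the stack-walk modifier so it does not outlive this method.
            CodeAccessPermission.RevertPermitOnly();
        }

        if (File.Exists(path))
        {
            File.Delete(path);
        }
    }
}
```

The point the demo makes is the one the post makes: the refusal happens inside the runtime as a failed permission demand, with no approval dialog offered to the user. Whether a given installation grants more than execute permission to a zone is policy (the Runtime Security Policy node in .NET Configuration), not something the untrusted code can request for itself.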
Here's the source code for the page:
<HTML>
<TABLE>
<TR><TD ROWSPAN=2000000000>
The bits on the bus go on and off... on and off... on and off...
Internet and Local Intranet don't have that kind of access in .NET.
You mean that if a web page does something like "location = 'file:///c|/...'", or gives the user a link to a local file that the user clicks on, it won't load the specified file? Doesn't matter whether the file is visible in the context of the untrusted document, the question is whether the file can be loaded at all.
The dialog boxes are there so users aren't completely annoyed, trying to find where to grant apps access.
I have had the same people come to me multiple times saying "Peter, I did it again, a dialog box came up and asked me if I wanted to run something, and now my computer's acting strange. Can you help?"
Technically speaking, this is a social engineering attack, but because users are presented with so many warning dialogs they're trained to automatically approve them. Because they need to approve so many of them just to get their work done. So an approval dialog (no matter how worded) doesn't have enough of an effect on security to matter.
Perhaps it's time for spybot like program for Macs and Linux just to remove tracking cookies?
Perhaps it's time to quit worrying about cookies?
Safari has a similar option to "Accept cookies only from sites you navigate to".
Camino lets you "Accept cookies only from sites you visit".
And advertisers know about this feature, so they use other tricks like correlating your IP address with referrers or using tagged URLs to gather the information they're looking for.
We have a number of computers, both OSX and Windows on our network. We use a relatively inexpensive router/NAT/Firewall with built in wired/wireless access and DHCP service. It can permit or deny access by type of service, time of day/week, port numbers, address, URL or keyword phrases. It uses a web interface, but is still a bit of work to set up properly. Once set up, nobody on the network can access forbidden content, regardless which computer or browser they use. It also has various logging capabilities and can be set up to e-mail these logs and intrusion alerts.
All I use right now is one PC and previously I had a difficult time justifying a router, however I plan on getting a Mac by the end of the month, so I'll get a router then. Networking and a router will make much more sense when I get the Mac.
Falcon
Should there be a Law?
"Source, please?"
Here is his source.
"You mean that if a web page does something like "location = 'file:///c|/...'", or gives the user a link to a local file that the user clicks on, it won't load the specified file? Doesn't matter whether the file is visible in the context of the untrusted document, the question is whether the file can be loaded at all."
.NET file system objects don't use "file:///c|/", so I'm not really sure what you're talking about here. Do you mean if a user clicks a hyperlink on an HTML document in a web browser (which has very little to do with .NET, by the way), would it open the file? Well, that's the browser's concern, not Java/.NET/etc. Any modern day browser would ask the user if they want to open the file, whether it was a click or a redirect.
Just to make clear, though, that has nothing to do with .NET. You seem to be talking about a standard browser open.
Um... ok, I think you're confusing things here. Originally you were talking about file system objects. E.g., an assembly gets loaded by the browser and code within the assembly calls routines to perform file operations. In that case, the CLR would prevent the operations from going through based on the security settings (which, by default, wouldn't allow access to those kinds of routines from Internet or Local Intranet zones).
But
In reference to dialog boxes asking users to do stupid things, it's a tough nut to crack, honestly. There's a very thin line between completely locking down the UI and not driving users crazy.
Let me give you an example: on Friday I was working on a Mac (an OS lauded for its usability). I had to save a Perl file on the root of the hard drive, so it asked me for the admin password. No problem. Later on, I had to do some work on the file and it asked me for the password when I opened it. Understandable.
Now, I'm working on this file, and I save it a few times. EVERY SINGLE TIME I hit Ctrl-S, it asks me for the password. Why? I already gave it the password when I opened the file. The text editor process should be given free rein to make changes to the file when I need to save it. It shouldn't ask me repeatedly. If I close the text editor, logoff or reboot, that's the only time it should ask for the password again.
And you're right, it's a social engineering issue. However, no manner of code is going to fix this problem. You either take the attitude that the user needs to get work done and can't be bothered to repeatedly enter passwords (even though they have the potential to wreck the machine) or you distrust them completely and repeatedly ask for passwords.
When Vista comes out, this isn't going to go away. People are still going to go through the "click Yes repeatedly" process when they get a dialog box. Except this time they'll get in the habit of entering their admin password. Either way, they won't actually look at what the program is accessing or changing. They just want that P2P/screensaver/stupid bug that tells the weather installed.
Any modern day browser would ask the user if they want to open the file, whether it was a click or a redirect.
The browser should not ask the user for permission to open a "file://" URL, because it should not be able to do anything "unsafe" just because the document is in the "My Computer" zone. Or any other zone. The browser shouldn't allow a document to do anything "unsafe", period, regardless of where the file is or what type of file the browser thinks it is.
Just to make clear, though, that has nothing to do with .NET. You seem to be talking about a standard browser open.
I'm talking about the integration of the browser with locally executed unsandboxed code, whether that's implemented using ActiveX, .NET, or even Firefox's XUL.
I had to save a Perl file on the root of the hard drive, so it asked me for the admin password. No problem. Later on, I had to do some work on the file and it asked me for the password when I opened it. Understandable.
Now, I'm working on this file, and I save it a few times. EVERY SINGLE TIME I hit Ctrl-S, it asks me for the password. Why?
Because you're entering a new security domain ... running the "save file" procedure in a hidden "root" subprocess ... every time you save. The problem is that the system made it too easy to routinely change your security domain. Rather than saving the file to the root directory of your system disk, you should have kept the working copy of the file (the one you're editing) in your own directory (eg, on the desktop or in documents), and put it in the write-protected root of the file system (if you had to) only when it was working.
... so ...
This dialog isn't really the same kind of thing as the one I'm talking about, though. It's not there to warn the user that they're doing something dangerous, it's to verify to the system that the person who's requesting the action is really the account owner... which is why it asks every time.
The perception that this password dialog has something to do with "keeping you from accidentally doing something dangerous", like the typical approval dialog, is a common and mistaken one. It's got nothing to do with that at all.
The solution isn't to make the dialogs better, or to make the dialogs go away, it's to design the system so that the dialogs aren't necessary, to make it easy and obvious how to work without being interrupted by them. Apple made a mistake here... the editor should have offered to save the file somewhere else, and moving it back into the protected directory should have been a separate process... so it was clear that editing the file in place wasn't a normal thing to do.
Getting back to the Windows example, the privileges granted a document by an application should not be related to the zone the document is in. They should be related to the security domain the application is in and the role within that domain the application plays.
That is, the HTML display component (Webcore in Safari, Gecko in Firefox, KHTML in Konqueror, the HTML control in Internet Explorer) should not have a built-in mechanism to grant local user privileges to a document or a component of a document at all. Not via ActiveX, not .NET, nor active scripts. That mechanism should be managed by the application that is using the control, preferably by installing an extension in the component as Dashboard on the Mac or the KDE desktop do. Any application that is used to display untrusted content (Mail.app, Safari.app, Outlook, Internet Explorer, Firefox, Konqueror) must not provide that extension. Applications that need to execute unsandboxed code (such as Windows Update, the Windows control panel, or Dashboard) should be (and in the case of Dashboard, are) implemented as shells that don't load sources of untrusted content at all.
Do this, and you don't need any "I'm about to do something stupid" dialo
Am I the only one whose system was royally screwed by this update?
First of all, patching OS X is in violation of Apple's advertising campaign. You would have to reboot your computer and Macs don't need to be rebooted. So, you couldn't patch if you wanted to. Second, Mac is secure from viruses and trojans, so patching is obviously useless, there is no need for security patches.
If you look at it from my point of view, there is no point to patching a Mac because even with all the root problems and such, the real problem with Macs are the users. As it says on my blog, http://64now.com/ all that needs to be done to make an easily spread virus for a Mac is to download ffmpeg for mac, make an installer based on Apple's installer system, require the user to enter their administration password, install the backdoor or security hole, even disabling firewalling while you're at it, then package it and stick it on Version Tracker. It would be months before anyone knew there was a security hole and it will have been installed on a large percentage of the computers out there.... even the ones run by computer competent users.
Antivirus software for Mac is designed to block known viruses. They lack the advanced features such as sandboxing like those found on PCs since there are really not that many creative viruses on Macs. For the most part, the only purpose for virus scanning software on Mac is to make sure you're not receiving a PC virus and sending it out again to a PC user.
So, thanks to Apple that advertises that their machines are bulletproof and users shouldn't worry about security on their machines, all these fancy hacks are a waste of time, take advantage of the users' trust and you don't need rootkits.