Monday, March 31, 2008

Queens wear brown...

The Vista laptop also went down, the fault of Adobe. The irony of Adobe being at fault is only compounded by the LookingGlass vendor of the week last week being Adobe. No NX, no ASLR, unsafe libraries: no cookie, Adobe.


http://www.cnet.com/8301-13509_1-9906502-20.html

Only the Mac faithful could take something like a MacBook being hacked and turn it into a commercial for Apple products. It seems as if the Macalope is stumping for a job as Apple's Chief Security Officer or as Obama's running mate; I can't decide which.

"Plus, you hack it, you keep it. So, sure, everyone's trying to hack the Air."

He seems to imply that the only reason people were hacking Macs was that they get to keep them. Since not everyone can live without the faux sexiness that is Apple, of course someone will find a way to go home with that hardware. He also goes on to explain that the only reason "security researchers" are paying attention to the Mac is that they are cool and we are not.

I have a different theory: it was the easiest. With Vista and Linux correctly implementing technologies Apple botched, like ASLR, it is naturally the easiest target. If you want an analogy, it is kind of like the slow antelope that has been separated from the herd by predators.

We all know what happens to that ailing animal.

Thursday, March 27, 2008

Safari and Apple get Owned...Again...


Last week Apple released a huge security update, likely because seven days later CanSecWest would be hosting its PWN2OWN contest. I wanted to write a blog post then mentioning that the best way to force Apple into releasing patches would be to announce an upcoming exploitation of Apple products. It's not just CanSecWest: the same thing happened when I announced I'd be publishing the disputed WiFi vulns at Toorcon; they quickly patched the vulns they had denied existed. However, I decided to wait on that blog post.

Later in the week I saw the Safari update debacle. I wanted to write a blog post about the underhanded padding of their market share, and note that Apple had just made millions of Windows users less secure by adding additional insecure code to their machines. However, I decided to wait on that blog post, too.

I decided to wait on writing both of these posts because I know that even with the updates Apple has released for Safari there are still tons of exploitable flaws in it, and someone would leverage one to win the PWN2OWN contest and walk home with a MacBook Air.

Dave Aitel just reported on DailyDave that Charlie Miller won the MacBook Air using a Safari exploit. I would like to note that out of the three machines (OSX, Linux, Vista), OSX was the first to fall. I hope this puts to rest the myth that OSX is more secure, but I am sure the zealots will have a million reasons why this is a fixed or rigged contest. The only question I have remaining is who is going to be the first to file a class action lawsuit against Apple on behalf of users who were tricked into installing Safari and are now at risk of compromise? I am not advocating that someone do that, I am not a fan of needless litigation, but I can already picture the commercials the ambulance-chasing lawyers could use.

"Were you tricked into installing Safari by Apple? Have you had any personal data compromised? Call the law firm of Dewey, Cheatem, and Howe!"

The other interesting thing about the updates is something I like to call the "window of owning". I advise our clients on this: Apple bundles open-source code, but patches it late. It takes them anywhere from weeks to as long as a year to patch their version of the code after it was patched upstream. It's fairly straightforward to keep track of the open-source (and other third-party) code that Apple uses, and when a vulnerability is announced for the open-source version, write exploits for the Mac version while it is still unpatched.

This "window of owning" is one reason that the update last week was so large. Apple security dug deep and fixed a lot of vulnerabilities that they would normally not bother with, in a futile attempt to get OSX through the PWN2OWN contest unscathed.
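The tracking described above comes down to a small amount of bookkeeping: an inventory of the third-party components a vendor bundles, the upstream version that fixed each announced vulnerability, and the date the vendor finally shipped that version. The script below is an added example written for this post, not a tool from the blog or from Errata Security; all component names, versions and dates in it are constructed for illustration and do not describe real Apple releases. It compares the bundled version against the upstream fixed version and reports the exposure window in days, open or closed.

```python
import re
from datetime import date

# Constructed inventory (hypothetical components and dates, not real releases).
# shipped_version:  version the vendor currently bundles
# fixed_version:    first upstream version containing the fix
# upstream_fix_date: when the upstream project published the fix
# vendor_patch_date: when the vendor shipped shipped_version, None if never updated
SAMPLE_INVENTORY = [
    {"component": "libfoo", "shipped_version": "1.2.20", "fixed_version": "1.2.21",
     "upstream_fix_date": date(2007, 10, 4), "vendor_patch_date": None},
    {"component": "libbar", "shipped_version": "0.9.8h", "fixed_version": "0.9.8g",
     "upstream_fix_date": date(2007, 10, 19), "vendor_patch_date": date(2008, 3, 18)},
    {"component": "libbaz", "shipped_version": "2.0", "fixed_version": "2.0",
     "upstream_fix_date": date(2008, 1, 10), "vendor_patch_date": None},
]


def parse_version(text):
    """Turn '1.2.21', '0.9.8g' or '2.0' into a tuple that compares numerically.

    Numeric runs become (0, int) and letter runs become (1, str), so '8g' < '8h'
    and '1.2.9' < '1.2.21' (a plain string compare would get the latter wrong).
    """
    parts = []
    for token in re.findall(r"\d+|[A-Za-z]+", text):
        parts.append((0, int(token)) if token.isdigit() else (1, token.lower()))
    return tuple(parts)


def exposure_windows(inventory, today):
    """Report, per component, whether the vendor build is still behind upstream
    and how many days the window between upstream fix and vendor fix has been open."""
    report = []
    for entry in inventory:
        still_vulnerable = (parse_version(entry["shipped_version"])
                            < parse_version(entry["fixed_version"]))
        if still_vulnerable:
            # window is still open: count from the upstream fix until today
            status, days = "open", (today - entry["upstream_fix_date"]).days
        elif entry["vendor_patch_date"] is not None:
            # window closed when the vendor shipped the fixed version
            status = "closed"
            days = (entry["vendor_patch_date"] - entry["upstream_fix_date"]).days
        else:
            # vendor shipped a fixed version from the start: no window at all
            status, days = "closed", 0
        report.append({"component": entry["component"], "status": status,
                       "days": days, "shipped": entry["shipped_version"],
                       "fixed_in": entry["fixed_version"]})
    # longest open windows first: these are the targets worth writing exploits for
    report.sort(key=lambda r: (r["status"] != "open", -r["days"]))
    return report


if __name__ == "__main__":
    for row in exposure_windows(SAMPLE_INVENTORY, date(2008, 3, 27)):
        print("%-8s %-6s %4d days  (ships %s, fixed upstream in %s)" % (
            row["component"], row["status"], row["days"], row["shipped"], row["fixed_in"]))
```

One caveat when running this against a real inventory: a vendor sometimes backports a fix without bumping the version string, so a version comparison is a first pass that tells you where to look, not proof that the bundled copy is still exploitable. Confirming that takes the upstream patch diff and the vendor's binary.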

UPDATE: More info at Security Focus.
UPDATE 2: Some people don't know that the screenshot above is from our LookingGlass tool. I added it to show how many unsafe functions are used in Safari as well as the lack of ASLR or NX support. Because of this, I would wager that a vulnerability in the OSX version of Safari would also work on XP/Vista with a high success rate, since Apple does not employ any of the available features that would mitigate an attack.

Wednesday, March 26, 2008

Welcome to the arms race…

http://www.reuters.com/article/domesticNews/idUSN1929797920080326?feedType=RSS&feedName=domesticNews&rpc=22&sp=true

I am guessing it won't be long until plans for "EMP hand grenades" and manuals for shooting down small agile aircraft appear online. That's just the nature of things, and it has always been true in information security. The examples are endless: you build a firewall, attackers will figure out ways around it. You put in an IDS, attackers will find a way to blind it. You use AV, attackers will find a way to evade it. When I see articles like this, I spend a lot of time wondering what countermeasures are being devised against it.

Saturday, March 22, 2008

The LookingGlass Vendor of the Week: Adobe

With the CanSecWest PWN2OWN contest pending, the vendor for this week is particularly important. Adobe is fair game in PWN2OWN, and this week it gets the scrutiny of the LookingGlass scanner. The first screenshot is from a filesystem scan, the second is the process scan of Adobe Reader, and the third is of a Flash helper application that I was unaware was running and still don't really know the purpose of. Since Flash is owned by Adobe now, I decided to include it. As you can see, there is an abundance of dangerous functions and spotty support for ASLR and NX.
Up next week is AT&T.


Tuesday, March 11, 2008

New LookingGlass version: 1.0.1.0

LookingGlass Version 1.0.1.0 Released
This is a bug fix release.
The process scan now runs in a separate thread.
Process stats added.

New Version: Download at http://portal.erratasec.com/lg/LookingGlass.exe

The LookingGlass vendor of the week.

Now that a beta version of LookingGlass has been released, I will do a write-up once a week on a vendor and how they fare under its scrutiny. First up is Apple. The reason Apple gets the initial treatment is that Apple's QuickTime inspired the creation of this tool. The two Apple applications I have installed are QuickTime and iTunes. Both have modules that do not support ASLR or NX. A module loaded at a fixed address gives an attacker a static location to point a remote overflow at, which is what made the two previous RTSP attacks exploitable. I doubt you will see a change anytime soon, since I doubt Apple would want a more secure version of their software running on Vista than on OSX.
Next week: Adobe

Friday, March 07, 2008

http://www.cnn.com/2008/CRIME/03/06/bum.bot/index.html?eref=rss_topstories

You have to love what happens when geeks get bored.

Thursday, March 06, 2008

New Looking Glass

A new version of LookingGlass with a process tab is available.
You can get it at http://portal.erratasec.com/lg/LookingGlass.exe

Wednesday, March 05, 2008

A quick chumby post.

I am the proud owner of a chumby. If you do not know what a chumby is, where have you been? When I first heard about chumbys my first thought was that they would be perfect in a bathroom. Luckily, I had a few chili cheese dogs with extra kraut earlier that day, so I could test out my theory. I found that with a chumby I tend to stay in the bathroom 10 to 20 minutes longer than normal. Because of this, the chumby now resides on my bedside table and allows me to wake up every morning to basketball scores and Dave Letterman's top 10 list. The thing I like most about the chumby is how configurable it is. There are tons of widgets and it looks easy to add your own content.

Secret APIs not a conspiracy

This story on Slashdot claims that Apple has a conspiracy to slow down third-party web browsers like Firefox, which makes Apple's own Safari web browser fast by comparison. Apple supposedly does this by forcing Firefox to use only the published APIs, while its own Safari uses secret APIs that are faster.

The reality is much different. What we are seeing here is the yin-yang of operating system APIs. An API, or "Application Programming Interface", is a contract between the operating system and the application developer. APIs are designed to always work the same way, even though the operating system underneath changes how it does things.

Since published APIs give "cooked" rather than "raw" access to the underlying operating system, they aren't as fast or as feature-rich as developers would like. Therefore, developers often bypass the published APIs in order to get that extra oomph out of their code. The problem is that minor changes in the operating system will break their code. You don't see it on the outside, but the insides of operating systems change frequently.

Firefox has reverse-engineered the secret APIs that Safari uses. The consequence is that when Apple makes a change to Mac OS X, it will break Firefox. This is most likely to happen in the next major release of the OS, but it could happen in a minor patch. We are therefore likely to see another Slashdot post in the future about Apple's "conspiracy" to break Firefox.

I've been in this position before. When I created BlackICE (the first popular personal firewall), I found that Windows did not provide APIs with the features and functionality that I wanted. Therefore, I bypassed Microsoft's published APIs and tapped directly into the raw operating-system kernel. As Microsoft changed the internals, we quickly created updates to our program to adapt to the changes.

However, we became popular enough that Microsoft added our software to their list of third-party software that "must work" when they release updates. When they created SP2 for WinXP, our software broke. This delayed SP2 by a month while Microsoft reverse-engineered our product to find out why BlackICE broke. They found that we had reverse-engineered Windows to make our product work in the first place. (Much gnashing of teeth and threats of lawsuits ensued.)

This forced Microsoft to leave the part we were accessing unchanged, and to make the rest of their code work around it. It was an ugly hack on their part to deal with the uglier hack on our part.

This in turn led to two things in Windows Vista. The first is a reasonable set of firewalling APIs that third parties can use. The second is a feature in the kernel that scans for applications messing around in places they shouldn't. They position that kernel checking as rootkit control, but I'm pretty sure it's really BlackICE control.

Looking back on how I jerked Microsoft around, it's hard for me to take them seriously as the Evil Corporation That Runs The World. They are at the mercy of the market, not controlling it. To this day, when I visit the Microsoft campus, I meet employees still angry with me over the SP2-vs-BlackICE incident.

Thus, it's perfectly natural and expected that Safari should be faster than Firefox, but there is no conspiracy. Apple keeps the internal APIs secret from the outside world so that it does not get blamed when its operating-system updates break outside software.

More information

This is from my Vista laptop.