Showing posts with label Dr. Charlie Miller. Show all posts

Wednesday, 11 August 2010

To: 'hip' Re: iMac_Sux.dmg

--
Recently a reader with the nickname 'hip' sent me the URL to an evil crapware file entitled 'iMac_Sux.dmg'. Here is his full message, with the download URL omitted:
Wanna crash an iMac?
Just mount this .dmg file, then have a look at what MassStorageCamera is doing.
It will be consuming all RAM and processors!!
I am not providing the URL in order to avoid being accused of distributing the thing.

Thank you 'hip'! I checked out the website where the file is located and enjoyed it. I particularly enjoyed the page quotations from The Hipcrime Vocab by Chad C. Mulligan. The insights are refreshing after living amidst the Neo-Con-Job / Tea Party / FuxNews / News Corp / Rupert Murdock Regime gibberish age within the USA where intelligent thoughts and verifiable facts are out of fashion.

I ran the .dmg and it did exactly as expected, without crashing my MacBook 2 GHz from 2006-11. It also auto-opened the 'CameraWindow' application that I installed for my Canon camera. I checked through the code within the .dmg and am going to 'guesstimate' that the resource scripting near the end is instructing Mac OS X to treat the entire boot volume as a camera image volume. I was too bizy and lazy to dig further.

Clearly this is a very simple call being made within the .dmg that fools Mac OS X into thinking the opening .dmg volume is a camera. Fascinating. The fault of course is in MassStorageCamera for being allowed to eat your Mac alive. As I've pointed out previously, even Intego's VirusBarrier application has race condition bugs.

My POV: I've studied coding as well as code project management. Coding these days is typically for applications, etc., that are so vast that no single human being can comprehend them. The result is coding-by-committee, which in and of itself is a guaranteed mess. There is also the eternal pressure of 'Do Less With Less' from clueless biznizz management and nagging clients, none of whom comprehend the escalating difficulties of coding. Then there is the basic crappiness of the archaic coding languages we still use these days. Anything based on 'C' coding is going to have plenty of problems, if only from buffer overflows, the single largest coding plague of our day. We're also stuck with ECMAScript for Internet scripting (which incorporates LiveScript/JavaScript, the JScript abomination from Microsoft and the ActiveScript mess from Adobe). Java continues to FAIL to live up to the hype, causing its own security and memory problems. Then there are the eternal security holes in PHP and SMB, and on and on.

I'm not at all surprised that Apple missed the bug inherent in the 'iMac_Sux.dmg' file. I can easily see them being aware of it and tossing it on the back burner if only because it does not represent a security or major crashing problem. Similar CPU and RAM devouring buggy code has been around for many years. What sucks most is when system calls can crash the entire computer. Not having an iMac around to play with, I can't verify that this file crashes the machine. But I am going to guess that with current Intel iMacs it does not.

Dr. Charlie Miller and Dino Dai Zovi have the current best Mac hacking & cracking & pwning etc. book available for Mac OS X entitled 'The Mac Hacker's Handbook'. Both of them have Twitter accounts to follow. Both are very amusing to read. Dr. Miller is brilliant at coming up with methods for testing and breaking into Mac OS X. This past spring he won yet another Pwn2Own contest. He gave a presentation at Black Hat this last week where, among other things, he revealed yet-another security hole in Adobe Acrobat and Reader.

Here is a fun interview with Dr. Miller from March:

http://www.oneitsecurity.it/01/03/2010/interview-with-charlie-miller-pwn2own/

CONCLUSION: Expect security holes. Expect coding errors. There is no such thing as a perfect coder. There is no such thing as a perfect application or operating system.

I'll also add my usual coda: The only people I've ever heard or read saying that 'Macs never have security problems' are either NEWBIES or TROLLS. One of course never takes seriously the word of either of these species of human. It is well worth keeping track of Mac security. It is also well worth sorting out Mac security FUD from FACT.

BTW: Considering all of the above, what are the chances that humans will ever create Turing Test verifiable Artificial Intelligence? Not in my lifetime! No SkyNet worries.
;-D
--

Thursday, 25 March 2010

64-bit 7ista Twice Hacked via both IE 8 and Firefox 3! The End Is Nigh!


I should also mention that both Mac OS X 10.6 Snow Leopard and the iPhone got hacked via Safari. Just doing a little back-at-you priority swapping. These days it is a BIG DEAL when Mac OS X gets hacked because of its reputation as the safest GUI OS on the planet. Hacking Windows is ho hum because it happens every day.

Here are some links to somewhat detailed articles about the Day 1 results from the Pwn2Own contest at CanSecWest 2010 in Vancouver, Canada:

TippingPoint blog.
CNet.
MacWorld.

The contest still has two more days of hacking to go. But here is the current list of winners from Day 1:
PWNED! Vincenzo Iozzo and Ralf Philipp Weinmann - iPhone
PWNED! Charlie Miller - Safari [on Mac OS X 10.6]
Nils - Safari (Prize Claimed) [on Mac OS X 10.6]
PWNED! Peter Vreugdenhil - Internet Explorer 8 [on 7ista]
MemACCT - Internet Explorer 8 (Prize Claimed) [on 7ista]
Anonymous - Nokia
Anonymous - iPhone (Prize already won)
PWNED! Nils - Firefox [on 7ista]
Congratulations to all the hackers and thank you for making it clear that Internet surfing can be dangerous no matter the operating system or web browser. Details of each zero day hack are not published until they have been addressed by the companies or groups in charge of affected programs and operating systems. When the Mac OS X hacks have been published, I'll report them and provide links here.

I'll also post more from CanSecWest as it progresses. Dr. Charlie Miller will be presenting his 20 Mac OS X 10.6 Snow Leopard hacks.

The successful hacking of Windows 7ista is of particular interest because it involved bypassing the much lauded ASLR (Address Space Layout Randomization) and DEP (Data Execution Prevention) built into 7ista. So much for those security technologies!

In each hack the victim computers were directed to websites containing exploit code. I'm going to hazard a wild guess that the sites used code written at least in part in the catastrophic mess known as ECMAScript, aka JavaScript/JScript. Readers of this blog will already know my low opinion of this scripting language and my desire that it be banished from the Internet forever. Listeners to the SecurityNow Podcast know that Steve Gibson of Gibson Research Corporation (GRC) called out ECMAScript as dangerous years ago. He recommends surfing the net with scripting turned OFF in all web browsers by default, only turning it on at trusted websites.

Java exploits are also well known at this time, indicating the need to also turn off Java while surfing the net, except again at trusted websites. What a shame.

(Note that JavaScript and Java have nothing whatsoever to do with each other apart from a similar name caused by a marketing moron deal between Netscape and Sun Microsystems, both companies now defunct).

Monday, 22 March 2010

'Tis The Season For Pwn2Own!

--
FUD FUD FUD FUD FUD!
FUD FUD FUD FUD!

This is the time of year when, historically, anti-Apple security FUD is at its highest pitch. The great event begins March 24th. Our dubious hacking heroes Dr. Charlie Miller and Nils will be participating.
Pwn2Own 2010
BY AARON PORTNOY
MON 15 FEB 2010 16:41PM

The TippingPoint Zero Day Initiative (ZDI) is proud to announce that the annual Pwn2Own contest is back again this year at the CanSecWest security conference held in Vancouver, BC on March 24th 2010. As the contest name implies, if you successfully exploit a target you get to keep it along with a ZDI cash prize and related benefits. This is our 4th year running and to commemorate we have increased the total cash prize amount to $100,000 USD. If you're unfamiliar with the past history of this competition check out the archived 2008 and 2009 blog entries.
When the contest starts, you can follow the results at TippingPoint's blog HERE. The favorite to lose this year is Microsoft Internet Explorer, either or both versions 7 and 8. Here is the schedule posted by ZDNet:
Day 1:
Microsoft Internet Explorer 8 on Windows 7
Mozilla Firefox 3 on Windows 7
Google Chrome 4 on Windows 7
Apple Safari 4 on Mac OS X Snow Leopard

Day 2:
Microsoft Internet Explorer 7 on Windows Vista
Mozilla Firefox 3 on Windows Vista
Google Chrome 4 on Windows Vista
Apple Safari 4 on Mac OS X Snow Leopard

Day 3:
Microsoft Internet Explorer 7 on Windows XP
Mozilla Firefox 3 on Windows XP
Google Chrome 4 on Windows XP
Apple Safari 4 on Mac OS X Snow Leopard
ZDNet also reports that a number of mobile devices are part of a second set of hacking contests:
Apple iPhone 3GS
RIM Blackberry Bold 9700
A Nokia device running Symbian S60 (likely the E62)
A Motorola phone running Android (likely the Droid)
Apple, apparently in preparation for Pwn2Own, released Safari v4.0.5 on March 10, 2010. It patched 16 security vulnerabilities. You can read about it HERE and HERE. Six patches were specifically for the Windows version of Safari. The other ten patches affected both Mac and Windows versions of Safari. Nine of the patches were specifically for WebKit, which is an Open Source project used in a number of web browsers, including Safari, OmniWeb, Chrome, Shiira, Midori, S60, Android and the Palm Pre web browser. Four of the patches fixed the ImageIO component used in the Windows version. Does this cover the gamut of security vulnerabilities in Safari? The hackers at Pwn2Own consistently have surprises up their sleeves.

You can read the details of this year's Pwn2Own contest HERE.

The general concept of the contest is to gather contestants and provide them with a hacking events schedule well ahead of time. The contestants typically come to the contest prepared with a specific hack or set of hacks they will use on the target computers via interaction with the accompanying web browser. This year the contest is somewhat different in that each successive day will include the hacking of older versions of Internet Explorer with older versions of Windows. But the general contest provides three days of hacking using three pairings of web browsers and operating systems. Day 1 does not allow any access to applications on the target computer. Day 2 allows what I call 'LUSER sabotage' access to the target computers via default installed applications for each operating system. Day 3 provides popular third party applications on each computer that can be used as part of 'LUSER sabotage' hacking.

In years past the FUD mongering contingent have danced around like village idiots pointing out how quickly Macs have been hacked on Day 2. In reality, the speed of any hack is nearly irrelevant. This is due to the weeks of preparation provided to all contestants, who presumably have already proven their zero day hacks before the contest has begun. What is relevant is the existence of the hack and how much 'LUSER sabotage' is required to apply it.

This year two senior contestants, Dr. Charlie Miller and Nils, will be using Safari v4.0.5 to hack into Mac OS X 10.6.2 Snow Leopard. Vincenzo Iozzo and Ralf Philipp Weinmann, as well as an 'anonymous' human, will be hacking into the iPhone.

One concern I have this year is that Safari is not being used to hack into any version of Windows. Instead only IE 7 & 8, Firefox 3 and Chrome 4 are being tested. Presumably the choices of Windows browsers were made according to market share as well as hacker interest. I'm also a bit annoyed that no Windows Mobile phones were included in the contests. Microsoft have announced the dumping of their current mobile OS for an entirely new mobile OS. But there is no reliable timeline for this change, making the hackability of current Windows Mobile devices entirely relevant.

Hack and Enjoy!

Saturday, 29 August 2009

The Anti-Mac Security FUD-Fest Is Fun For All! Rah! Rah! Rah!

--
Man, I am getting a lot of traction out of that moronic article at CNET, not worth reading HERE. For me, it really is fascinating to sit down and contemplate what is actually going on in computer security right now. Here are some of the elements:

I) 7ista, aka Vista Service Pack 7, is now inciting cacophonous riots of anger because its security is still terrible. A net acquaintance posted these URLs over at MacDailyNews:

Cybercrime Rises and Vista 7 is Already Open to Hijackers

Vista 7: Broken Apart Before Arrival

Department of Homeland Security 'Poisoned' by Microsoft; Vista 7 is Open to Hijackers Again

Researchers show how to take control of Windows 7

That last article is about how to 'PWN' 7ista. Not good. Google provides a few hundred thousand similar complaints.

II) Meanwhile, the Anti-Mac Security FUD-Fest continues apace, thanks to our usual line-up of hacker pals. Mac OS X is already the best GUI OS for computer security, in part thanks to integrating the two best CLI OSes, OpenBSD and FreeBSD. The result: Mac OS X progresses forward to become BETTER than the BEST! That's good. Thank you Dr. Charlie Miller and friends.

III) So of course we get dumbass articles about how nasty bad and laughable Mac OS X security is, right? (o_0)

It's a strategy with many purposes, perpetrated by many sources. Figuring out the motivations behind the deceit is quite intriguing. Laughing at it all is fun! It lowers your blood pressure. Live longer and laugh at the clowns.


Here is yet-another post I made, this time at MacDailyNews.com, regarding the FUD-Fest and Microsoft. It sort of encapsulates it all:
Microsoft have put in place some modern methods of deterring hackers and crackers. They had to. They had the motivation. Their operating system is a bloated catastrophe of spaghetti code that is well beyond their comprehension. They can't fix it. They've made many attempts over the last 15 years and consistently failed. They gave up. Vista is the proof. 7ista is icing on the proof.

Should Apple add in these modern security measures? Damned right!

But is it a BFD? Will Mac OS X roll over and DIE? Will THE BIG ONE virus hit Mac OS X and make us all go running home sobbing to mummy? Of course not!

Apple's attention to security has been increasing exponentially over the last two years. This month's security updates were the most in Apple's history. But as is typical with humans, the house has to be on fire before you pour water on it and fix the cause. Mac OS X does not have a faulty electrical system that will burn the house down. Apple know that. We know that. So what's the motivation? Planning ahead takes extra prodding. Prod Apple and they respond eventually.

This is one reason I actually praise the Anti-Mac FUD-fest we've enjoyed since Symantec incited it exactly four years ago. It has hurt no one. It has inspired Apple. We benefitted.

We the customers know we already had an incredibly secure operating system. It's based on the two most secure operating systems in existence bar none: OpenBSD and FreeBSD. So why not make it EVEN BETTER?!

Let's go MaNIaCaL!
Go Apple Go!
Add steel bar reinforcement to the castle walls!
Add boiling oil cauldrons!
Put alligators in the moat!
Install the rotating knives!
Hire some Cenobites!

Conclusion: We win any which way you look at it. If users of the less secure operating systems can't deal with it, oh so sad for them.

As long as we keep our eye on the ball, which is keeping our computers as safe as possible, our progress toward better than best will continue. :-)
Rah! Rah! Rah!
Go! Apple! Go!
Yayyyyyyy APPLE!

Amusing, eh? Behind all the 'FEEL BAD DAMMIT!' garbage is not just a silver lining. The clouds are bogus, a theatre prop. Knock them over and there is the golden sun shining on all us Mac users.


OK, sober up! Enough euphoria! We have 21 Trojans to avoid. There continue to be security flaws in Apple stuff that deserve our attention. ClamAV still needs to further catch up with Mac malware. Mac OS X is not perfect, never will be. Be attentive.

For my next article I intend (for whatever that's worth) to provide another monthly summary of Mac OS X security patches. Bring your caffeine.

:-Derek
~~~~~~

BONUS EUPHORIA: SNOW LEOPARD

If you haven't read the news, check this out:

Snow Leopard has built-in Trojan horse MALWARE DETECTION! Its database is auto-updating! Right now it only has two Trojan signatures, yawn. But expect improvement. And no, Apple didn't stick in someone else's anti-malware engine, least of all Symantec's (gag! gag! puke!! puke!!).

Snow Leopard installs just fine over TIGER! I thought this had to be bogus, but I've read it from several sources now and they weren't just quoting each other. It's a fact that even Apple verified. So if you don't have Leopard already, get the $29 (or $24 at some stores!) Snow Leopard disk and go to it! Well, when you're ready. There are some application incompatibilities.

Snow Leopard is FAST! That's faster than Leopard! Bless you Apple.

Snow Leopard is SMALLER! Saving at least 5 Gigabytes of space on your Mac appears to be normal. Ever heard of that? Try that move Microsoft.

-> But of course note that Snow Leopard is for INTEL MACS ONLY.

More on Snow Leopard in a couple weeks once I've ripped it apart, with my CLAWS.
--

Thursday, 27 August 2009

CNET hits an all time low: Anti-Mac Security FUD

--
I just read:

Snow Leopard could level security playing field

My response was:
This is the most shameful article I've ever read at CNET. I've been studying and writing about Mac security since 2005. All I can say is:

Elinor: YOU'RE FIRED ! ! !

For those interested in reality:

The anti-Mac security FUD-fest was started in August 2005 by Symantec. They were attempting to sell their worst-in-class anti-malware program Norton Anti-virus to Mac users who were smart enough not to buy it. McAfee then joined in the FUD, but reversed course when their CEO pronounced that the best way to secure your computer was to Get A Mac.

After that point most FUD has come from hackers who have done their best to whip up a frenzy surrounding flaws they found in Mac related software, such as QuickTime, WebKit and Safari. But it is fair to say that they helped track down and patch several flaws in Mac OS X as well.

Meanwhile, the only malware that has shown up for Mac are Trojan horses, currently 4 types of 17 varieties. Trojans require user failure, not computer failure, in order to be installed and do damage.

In spite of the FUD-fest, the hype-mongers have been effective in forcing Apple to get serious about security, which previously they were not. So folks like myself actually thank Dr. Charlie Miller and friends for their help making Mac OS X even more secure than it already was. I have Charlie's book and I look forward to his continued useful work, and even his FUD foisting.

It's worth noting that only highly ignorant people still tell the tale known as 'security by obscurity'. It is easily disproven by anyone who can perform math, i.e. any 4th grader.

If you'd like to read Mac security facts and suitably laugh at the FUD, you might find my personal commentary and coverage of interest:

http://Mac-Security.blogspot.com

:-Derek Currie
--

Wednesday, 29 July 2009

Black Hat Nails iPhone SMS Security Hole

--
I don't follow iPhone security, but this one is major. It is also coming out of Black Hat USA 2009. So if you have an iPhone, you'd better read this! Or you may become INFECTED!

Short version: SMS stands for Short Message Service. Thanks to a security hole in the iPhone OS, your iPhone can get pwned via a malevolent SMS message. To quote Forbes Magazine:
If you receive a text message on your iPhone any time after Thursday afternoon containing only a single square character, Charlie Miller would suggest you turn the device off. Quickly.
Why Thursday? At 11:15 AM, Las Vegas, NV time, our pal Dr. Charlie Miller along with cybersecurity expert Collin Mulliner will give their talk "Fuzzing The Phone In Your Phone". To quote Dr. Miller from his website Security Evaluators (you owe me for all this publicity Charlie!):
In this talk they will show how to find vulnerabilities in smart phones. Not in the browser or mail client or any software you could find on a desktop, but rather in the phone specific software. They will present techniques which allow a researcher to inject SMS messages into iPhone, Android, and Windows Mobile devices. This method does not use the carrier and so is free (and invisible to the carrier). They'll show how to use the Sulley fuzzing framework to generate fuzzed SMS messages for the smart phones as well as ways to monitor the software under stress. Finally, they will present the results of this fuzzing and discuss their impact on smart phones and cellular security.
As you can see, the SMS security hole is NOT just on the iPhone.

Apparently Dr. Miller notified Apple about this hole over a month ago. One website said Apple knew about the hole 6 months ago. Apple is a slowpoke. Ars Technica reported July 3rd that Apple are working on a patch for this problem. At the moment there is no patch from Apple or any announcement regarding this problem. Theoretically the patch will be in iPhone OS X v3.1. World of Apple reports that yesterday, July 28, Beta 3 of iPhone OS X v3.1 was distributed for testing. They believe the release will be in mid-August. Oops. That's a couple weeks away. Time for suspense!

Some further reading pleasure can be found at MacFixIt, PCWorld and InfoWorld.

My suggested interim workaround (though I don't have an iPhone): Turn OFF incoming SMS on your iPhone. Or just leave your phone off, like that's an option.

Here is a discussion on how to stop SMS on the iPhone:

iLounge

Note that turning off SMS previews is NOT effective. You want to stop the messages from getting to your phone entirely. (You have permission to hit me if I am incorrect on this point).

Oh BTW: Dino Dai Zovi gave his talk "Macsploitation with Metasploit" today at 10:00 AM Las Vegas time and his talk "Advanced Mac OS X Rootkits" at 11:15 AM Las Vegas time. When I learn of any important ramifications, I'll post. There is an audio interview with Dino Dai Zovi at ThreatPost.com that reviews his interest and experience in Metasploit and Mac Rootkits.
--