Wednesday, 11 August 2010

To: 'hip' Re: iMac_Sux.dmg

--
Recently a reader nicked as 'hip' sent me the URL to an evil crapware file entitled 'iMac_Sux.dmg'. Here is his full message with the exclusion of the URL for downloading the file:
Wanna crash an iMac?
Just mount this .dmg file, then have a look at what MassStorageCamera is doing.
It will be consuming all RAM and processors!!
I am not providing the URL in order to avoid being accused of distributing the thing.

Thank you 'hip'! I checked out the website where the file is located and enjoyed it. I particularly enjoyed the page quotations from The Hipcrime Vocab by Chad C. Mulligan. The insights are refreshing after living amidst the Neo-Con-Job / Tea Party / FuxNews / News Corp / Rupert Murdoch Regime gibberish age within the USA where intelligent thoughts and verifiable facts are out of fashion.

I ran the .dmg and it did exactly as expected, without crashing my MacBook 2 GHz from 2006-11. It also auto-opened the 'CameraWindow' application that I installed for my Canon camera. I checked through the code within the .dmg and am going to 'guesstimate' that the resource scripting near the end is instructing Mac OS X to treat the entire boot volume as a camera image volume. I was too bizy and lazy to dig further.

Clearly this is a very simple call being made within the .dmg that fools Mac OS X into thinking the opening .dmg volume is a camera. Fascinating. The fault of course is in MassStorageCamera for being allowed to eat your Mac alive. As I've pointed out previously, even Intego's VirusBarrier application has race condition bugs.
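Added example, not from the original post and not from 'hip': a shell routine for looking at a disk image like this one without letting it auto-open anything. It assumes the image works the way the guess above implies, by presenting what Image Capture's MassStorageCamera module treats as a camera memory card, namely a DCIM folder, plus symlinks that point out of the image at the boot volume so the "camera" becomes the whole disk. Those specifics are my assumption about the mechanism, not something verified against iMac_Sux.dmg. The hdiutil calls are macOS-only; the check function itself is plain POSIX and runs against any mounted directory.

```shell
#!/bin/sh
# Added example: inspect a suspicious .dmg without Finder auto-open.
# Assumption (not verified against iMac_Sux.dmg): the trigger is a DCIM
# folder and/or symlinks escaping the image to the boot volume.
# Paths containing whitespace are assumed absent (plain for/$(find) loops).

# camera_triggers VOL: report the two things that would make Image Capture
# treat VOL as a camera and walk it: a DCIM folder near the top, and
# symlinks whose target is an absolute path (e.g. "/") outside the image.
# Returns 0 when nothing is found, 1 otherwise.
camera_triggers() {
  vol=$1
  hits=0
  for d in $(find "$vol" -maxdepth 2 -type d -name DCIM); do
    echo "DCIM folder: $d (Image Capture will treat this volume as a camera)"
    hits=$((hits + 1))
  done
  for l in $(find "$vol" -type l); do
    target=$(readlink "$l")
    case $target in
      /*) echo "absolute symlink out of the image: $l -> $target"
          hits=$((hits + 1)) ;;
    esac
  done
  [ "$hits" -eq 0 ]
}

# inspect_image IMAGE: macOS only. Attach read-only, hidden from Finder and
# with auto-open suppressed, run the checks, then detach. Exit status is
# that of camera_triggers.
inspect_image() {
  img=$1
  mnt=$(mktemp -d)
  hdiutil imageinfo "$img" | sed -n '/^Format:/p'
  hdiutil attach -readonly -nobrowse -noautoopen -mountpoint "$mnt" "$img" >/dev/null
  camera_triggers "$mnt" && rc=0 || rc=1
  hdiutil detach "$mnt" >/dev/null
  rmdir "$mnt" 2>/dev/null
  return $rc
}

# Usage on a Mac: inspect_image ~/Downloads/suspect.dmg
```

The point of `-noautoopen` and `-nobrowse` is that the image never gets a chance to launch whatever is bound to a camera volume; the checks then run on an ordinary mounted directory. A zero exit from `camera_triggers` only says the two assumed triggers are absent, not that the image is benign.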

My POV: I've studied coding as well as code project management. Coding these days is typically for applications, etc., that are so vast that no single human being can comprehend them. The result is coding-by-committee which in and of itself is a guaranteed mess. There is also the eternal pressure of 'Do Less With Less' from clueless biznizz management and nagging clients, none of whom comprehend the escalating difficulties of coding. Then there is the basic crappiness of the archaic coding languages we still use these days. Anything based on 'C' coding is going to have plenty of problems if only from buffer overflows, the single largest coding plague of our day. We're also stuck with ECMAScript for Internet scripting (which incorporates LiveScript/JavaScript, the JScript abomination from Microsoft and the ActionScript mess from Adobe). Java continues to FAIL to live up to the hype, causing its own security and memory problems. Then there are the eternal security holes in PHP and SMB on and on.

I'm not at all surprised that Apple missed the bug inherent in the 'iMac_Sux.dmg' file. I can easily see them being aware of it and tossing it on the back burner if only because it does not represent a security or major crashing problem. Similar CPU and RAM devouring buggy code has been around for many years. What sucks most is when system calls can crash the entire computer. Not having an iMac around to play with, I can't verify that this file crashes the machine. But I am going to guess that with current Intel iMacs it does not.

Dr. Charlie Miller and Dino Dai Zovi have the current best Mac hacking & cracking & pwning etc. book available for Mac OS X entitled 'The Mac Hacker's Handbook'. Both of them have Twitter accounts to follow. Both are very amusing to read. Dr. Miller is brilliant at coming up with methods for testing and breaking into Mac OS X. This past spring he won yet another Pwn2Own contest. He gave a presentation at Black Hat this last week where, among other things, he revealed yet-another security hole in Adobe Acrobat and Reader.

Here is a fun interview with Dr. Miller from March:

http://www.oneitsecurity.it/01/03/2010/interview-with-charlie-miller-pwn2own/

CONCLUSION: Expect security holes. Expect coding errors. There is no such thing as a perfect coder. There is no such thing as a perfect application or operating system.

I'll also add my usual coda: The only people I've ever heard or read saying that 'Macs never have security problems' are either NEWBIES or TROLLS. One of course never takes seriously the word of either of these species of human. It is well worth keeping track of Mac security. It is also well worth sorting out Mac security FUD from FACT.

BTW: Considering all of the above, what are the chances that humans will ever create Turing Test verifiable Artificial Intelligence? Not in my lifetime! No SkyNet worries.
;-D
--

Saturday, 27 March 2010

Tech Press Self-Immolation: Blundered Pwn2Own Reporting

Tech press TechTardiness abounds. It is no surprise that certain dimwits blundered their reporting of the Pwn2Own contest at CanSecWest. My net compatriot Daniel Eran Dilger covered it laudably today in his article:

CanSecWest security competition falsely portrayed, again

Read and enjoy!

Thursday, 25 March 2010

64-bit 7ista Twice Hacked via both IE 8 and Firefox 3! The End Is Nigh!

I should also mention that both Mac OS X 10.6 Snow Leopard and the iPhone got hacked via Safari. Just doing a little back-at-you priority swapping. These days it is a BIG DEAL when Mac OS X gets hacked because of its reputation as the safest GUI OS on the planet. Hacking Windows is ho hum because it happens every day.

Here are some links to somewhat detailed articles about the Day 1 results from the Pwn2Own contest at CanSecWest 2010 in Vancouver, Canada:

TippingPoint blog.
CNet.
MacWorld.

The contest still has two more days of hacking to go. But here is the current list of winners from Day 1:
PWNED! Vincenzo Iozzo and Ralf Philipp Weinmann - iPhone
PWNED! Charlie Miller - Safari [on Mac OS X 10.6]
Nils - Safari (Prize Claimed) [on Mac OS X 10.6]
PWNED! Peter Vreugdenhil - Internet Explorer 8 [on 7ista]
MemACCT - Internet Explorer 8 (Prize Claimed) [on 7ista]
Anonymous - Nokia
Anonymous - iPhone (Prize already won)
PWNED! Nils - Firefox [on 7ista]

Congratulations to all the hackers and thank you for making it clear that Internet surfing can be dangerous no matter the operating system or web browser. Details of each zero-day hack are not published until they have been addressed by the companies or groups in charge of the affected programs and operating systems. When the Mac OS X hacks have been published, I'll report them and provide links here.

I'll also post more from CanSecWest as it progresses. Dr. Charlie Miller will be presenting his 20 Mac OS X 10.6 Snow Leopard hacks.

The successful hacking of Windows 7ista is of particular interest because it involved bypassing the much lauded ASLR (Address Space Layout Randomization) and DEP (Data Execution Prevention) built into 7ista. So much for those security technologies! The caveat worth keeping in mind is that both are mitigations, not guarantees: they raise the cost of a working exploit rather than rule one out. A memory-disclosure bug that leaks a single address is enough to undo ASLR for the module it came from, and reusing code that is already marked executable sidesteps DEP without writing any new code to the stack or heap.

In each hack the victim computers were directed to websites containing exploit code. I'm going to hazard a wild guess that the sites used code written at least in part in the catastrophic mess known as ECMAScript, aka JavaScript/JScript. Readers of this blog will already know my low opinion of this scripting language and my desire that it be banished from the Internet forever. Listeners to the SecurityNow Podcast know that Steve Gibson of Gibson Research Corporation (GRC) called out ECMAScript as dangerous years ago. He recommends surfing the net with scripting turned OFF in all web browsers by default, only turning it on at trusted websites.

Java exploits are also well known at this time, indicating the need to also turn off Java while surfing the net, except again at trusted websites. What a shame.

(Note that JavaScript and Java have nothing whatsoever to do with each other apart from a similar name caused by a marketing moron deal between Netscape and Sun Microsystems, both companies now defunct).

Monday, 22 March 2010

'Tis The Season For Pwn2Own!

--
FUD FUD FUD FUD FUD!
FUD FUD FUD FUD!
This is the time of year when, historically, anti-Apple security FUD is at its highest pitch. The great event begins March 24th. Our dubious hacking heroes Dr. Charlie Miller and Nils will be participating.

Pwn2Own 2010
BY AARON PORTNOY
MON 15 FEB 2010 16:41PM

The TippingPoint Zero Day Initiative (ZDI) is proud to announce that the annual Pwn2Own contest is back again this year at the CanSecWest security conference held in Vancouver, BC on March 24th 2010. As the contest name implies, if you successfully exploit a target you get to keep it along with a ZDI cash prize and related benefits. This is our 4th year running and to commemorate we have increased the total cash prize amount to $100,000 USD. If you're unfamiliar with the past history of this competition check out the archived 2008 and 2009 blog entries.

When the contest starts, you can follow the results at TippingPoint's blog HERE. The favorite to lose this year is Microsoft Internet Explorer, either or both versions 7 and 8. Here is the schedule posted by ZDNet:
Day 1:
Microsoft Internet Explorer 8 on Windows 7
Mozilla Firefox 3 on Windows 7
Google Chrome 4 on Windows 7
Apple Safari 4 on Mac OS X Snow Leopard

Day 2:
Microsoft Internet Explorer 7 on Windows Vista
Mozilla Firefox 3 on Windows Vista
Google Chrome 4 on Windows Vista
Apple Safari 4 on Mac OS X Snow Leopard

Day 3:
Microsoft Internet Explorer 7 on Windows XP
Mozilla Firefox 3 on Windows XP
Google Chrome 4 on Windows XP
Apple Safari 4 on Mac OS X Snow Leopard
ZDNet also reports that a number of mobile devices are part of a second set of hacking contests:
Apple iPhone 3GS
RIM Blackberry Bold 9700
A Nokia device running Symbian S60 (likely the E62)
A Motorola phone running Android (likely the Droid)
Apple, apparently in preparation for Pwn2Own, released Safari v4.0.5 on March 10, 2010. It patched 16 security vulnerabilities. You can read about it HERE and HERE. Six patches were specifically for the Windows version of Safari. The other ten patches affected both Mac and Windows versions of Safari. Nine of the patches were specifically for WebKit, which is an Open Source project used in a number of web browsers, including Safari, OmniWeb, Chrome, Shiira, Midori, S60, Android and the Palm Pre web browser. Four of the patches patched the ImageIO used in the version for Windows. Does this cover the gamut of security vulnerabilities in Safari? The hackers at Pwn2Own consistently have surprises up their sleeves.

You can read the details of this year's Pwn2Own contest HERE.

The general concept of the contest is to gather contestants and provide them with a hacking events schedule well ahead of time. The contestants typically come to the contest prepared with a specific hack or set of hacks they will use on the target computers via interaction with the accompanying web browser. This year the contest is somewhat different in that each successive day will include the hacking of older versions of Internet Explorer with older versions of Windows. But the general contest provides three days of hacking using three pairings of web browsers and operating systems. Day 1 does not allow any access to applications on the target computer. Day 2 allows what I call 'LUSER sabotage' access to the target computers via default installed applications for each operating system. Day 3 provides popular third party applications on each computer that can be used as part of 'LUSER sabotage' hacking.

In years past the FUD mongering contingent have danced around like village idiots pointing out how quickly Macs have been hacked on Day 2. In reality, the speed of any hack is nearly irrelevant. This is due to the weeks of preparation provided to all contestants, who presumably have already proven their zero day hacks before the contest has begun. What is relevant is the existence of the hack and how much 'LUSER sabotage' is required to apply it.

This year two senior contestants, Dr. Charlie Miller and Nils, will be using Safari v4.0.5 to hack into Mac OS X 10.6.2 Snow Leopard. Vincenzo Iozzo and Ralf Philipp Weinmann, as well as an 'anonymous' human, will be hacking into the iPhone.

One concern I have this year is that Safari is not being used to hack into any version of Windows. Instead only IE 7 & 8, Firefox 3 and Chrome 4 are being tested. Presumably the choices of Windows browsers were made according to market share as well as hacker interest. I'm also a bit annoyed that no Windows Mobile phones were included in the contests. Microsoft have announced the dumping of their current mobile OS for an entirely new mobile OS. But there is no reliable time line for this change, making the hackability of current Windows Mobile devices entirely relevant.

Hack and Enjoy!

Friday, 20 March 2009

Pwn2Own Browsers Hacked: IE 8, "Safari" and "Firefox"

--
This time of year is now one of traditional contention. It's time for Pwn2Own at CanSecWest. It is a fun contest held among security experts to crack the chosen subjects for each year. This year a selection of web browsers was used.

Of course after the contest there is lots of snickering and gossip. But for better or worse, what exactly happened at the contest is rarely revealed: the specific cracks used are withheld from publication so they can be handed to the programmers of the cracked software for consideration and patching.

Questionable aspect of this year's contest: Windows 7ista was used in PC testing. It's in beta.

Losers so far this year:

1) "Safari" for Mac. I use quotes as I have not been able to find what version was used. Presumably it is the latest public release, and not the version 4 beta. It was cracked within 2 minutes. How cracked? Unstated. My speculation: That hell hole known as "JavaScript" which these days includes JScript, a holey mess perpetrated by Microsoft. Apple have consistently had JavaScript security problems, starting with QuickTime in 2006 over at MySpace.

2) "Firefox". Again I use quotes as I have not found the version number. Neither do I know which platform, which may well mean both Mac and PC. How cracked? Unstated.

3) Internet Explorer 8.0. This browser was JUST released. Oops. It should have stayed in beta. Again, specifics of the crack have not been made public.

For further details, keep an eye on the Security Watch blog at PC Magazine and the TippingPoint DVLabs blog. You can also follow TippingPoint's Twittering. The contest will conclude later today (Friday, 2009-03-20).
--
