osX security issues 2009 - in January

Seems Apple's linker makes trouble...
In 2008 we saw some Mac OS security problems, like Nitesh Dhanjani's carpet bombing of Safari. His original post is gone. Anyhow, this was relevant. Much more practical to abuse than THT AppleScript Trojans, anything from Pwn2Own... But well. Apple pulled the BlackHat talk in 2008. And they recommended AntiVirus for Mac OS X users. After some people wondered about this sudden change and drew similarities to Windows (which I don't understand), Apple changed again. Now you don't need AntiVirus any more. Because there are some problems if you've got third-party products out there... and they are declared "not needed" by the operating system vendor.
Now it's 2009... and the fanboys cry for Steve Jobs, who is on leave. And for the iPhone. And there's a problem:
The technique, which Italian researcher Vincenzo Iozzo plans to detail at the Black Hat security conference in Washington next month, makes it possible to carry out stealthy Mac attacks that until now have not been possible. The in-memory injection approach allows unauthorized software to be installed on a Mac without leaving traces of the attack code or other tell-tale signs that the machine has been compromised.
(http://www.theregister.co.uk/2009/01/21/stealthier_mac_attacks/)
Obviously he wants to be pulled, too. Standing in a mystical line of forbidden talks. But anyhow. Matasano had a nice idea last year, too. It was quite interesting, making the ARDAgent do stuff. I used it as a comfort function. It wasn't patched for months and therefore caused huge damage. And the patch was easy... but no.
Here we are again, but in a worse situation:
Miller said he is in the process of extending the technique to installing unauthorized applications on the iPhone.
A widespread operating system, affected. And I know exactly what it is. ;) Memory isolation issues I saw happening on osX (I think for performance reasons) violated several of my policies. I wondered why, and thought it was buggy crap (sandbox-exec). Turned out to be more interesting:
Iozzo said OS X's address space layout randomization, which is designed to thwart such attacks by randomizing the memory locations of executable code, can be circumvented by local users. That's because an OS X program known as the dynamic linker is always located at the same address. The dynamic linker in turn allows him to predict the location of other libraries needed to make the attack technique work.
Cool, usability from bottom to top. ;) This is ridiculous. Seems the developers didn't have time to apply the security, and marketing didn't think it was important. ASLR seems to be much more sophisticated. You'd wonder how much Windows security improved in depth from the engineering perspective. In any case this is more than ridiculous.
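If you want to see the predictability the article describes for yourself rather than take The Register's word for it, the quickest check is to list where every image in a process actually landed and run the program twice: whatever comes back at the same address both times is not randomized. The following is an added example written for this post, not code from Iozzo's talk or from Apple. On OS X it uses the dyld image-list API (`_dyld_image_count`, `_dyld_get_image_header`, `_dyld_get_image_vmaddr_slide`); on Linux it falls back to `dl_iterate_phdr` so the same source builds on either system. The image names, the `MAX_IMAGES` limit and the helper names are my own choices.

```c
/* Added example (not from the original post): enumerate the load address
 * and ASLR slide of every image mapped into this process. Build it, run it
 * twice, and diff the output: an image whose base is identical across runs
 * sits at a predictable address. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE          /* needed for dl_iterate_phdr on glibc */
#endif
#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MAX_IMAGES 512       /* assumption: enough for any normal process */

typedef struct {
    char name[256];          /* path of the image ("" if unknown) */
    uintptr_t base;          /* address the image was actually mapped at */
    intptr_t slide;          /* delta from its link-time preferred address */
} image_info;

#ifdef __APPLE__
#include <mach-o/dyld.h>

/* dyld keeps a table of every image it mapped; index 0 is the main
 * executable. Whether dyld lists itself depends on the OS release; if it
 * is missing here, `vmmap <pid>` still shows the /usr/lib/dyld mapping. */
static size_t collect_images(image_info *out, size_t max) {
    uint32_t n = _dyld_image_count();
    size_t k = 0;
    for (uint32_t i = 0; i < n && k < max; i++, k++) {
        const char *name = _dyld_get_image_name(i);
        snprintf(out[k].name, sizeof out[k].name, "%s", name ? name : "");
        out[k].base = (uintptr_t)_dyld_get_image_header(i);
        out[k].slide = _dyld_get_image_vmaddr_slide(i);
    }
    return k;
}
#else
#include <link.h>

struct collect_ctx { image_info *out; size_t max; size_t k; };

/* Callback invoked once per loaded object. dlpi_addr is the difference
 * between link-time and run-time addresses; for PIE executables and shared
 * objects (linked at 0) it is also the load base. */
static int phdr_cb(struct dl_phdr_info *info, size_t size, void *data) {
    struct collect_ctx *ctx = data;
    (void)size;
    if (ctx->k >= ctx->max) return 1;       /* stop iterating */
    image_info *e = &ctx->out[ctx->k++];
    snprintf(e->name, sizeof e->name, "%s",
             (info->dlpi_name && info->dlpi_name[0]) ? info->dlpi_name
                                                     : "[main executable]");
    e->base = (uintptr_t)info->dlpi_addr;
    e->slide = (intptr_t)info->dlpi_addr;
    return 0;
}

static size_t collect_images(image_info *out, size_t max) {
    struct collect_ctx ctx = { out, max, 0 };
    dl_iterate_phdr(phdr_cb, &ctx);
    return ctx.k;
}
#endif

/* Number of images currently mapped; 0 means the enumeration failed. */
size_t loaded_image_count(void) {
    image_info imgs[MAX_IMAGES];
    return collect_images(imgs, MAX_IMAGES);
}

/* Load base of the first image whose path contains `needle`, or 0 if none.
 * E.g. image_base_matching("dyld") on OS X, "libc" on Linux. */
uintptr_t image_base_matching(const char *needle) {
    image_info imgs[MAX_IMAGES];
    size_t n = collect_images(imgs, MAX_IMAGES);
    for (size_t i = 0; i < n; i++)
        if (strstr(imgs[i].name, needle)) return imgs[i].base;
    return 0;
}

/* How many images were actually relocated (non-zero slide). An image with
 * slide 0 on every run was loaded exactly where it was linked to be. */
size_t randomized_image_count(void) {
    image_info imgs[MAX_IMAGES];
    size_t n = collect_images(imgs, MAX_IMAGES), hits = 0;
    for (size_t i = 0; i < n; i++)
        if (imgs[i].slide != 0) hits++;
    return hits;
}

int main(void) {
    image_info imgs[MAX_IMAGES];
    size_t n = collect_images(imgs, MAX_IMAGES);
    for (size_t i = 0; i < n; i++)
        printf("%#14lx  slide %+ld  %s\n", (unsigned long)imgs[i].base,
               (long)imgs[i].slide, imgs[i].name);
    printf("%zu images, %zu relocated\n", n, randomized_image_count());
    return 0;
}
```

Run it as `./a.out > run1; ./a.out > run2; diff run1 run2`. Any line that does not change between runs is an address an attacker can hard-code, which is exactly what the fixed dynamic linker gave Iozzo: one known anchor from which the rest of the layout can be derived.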
I'd start some PoC malware again... but I'm out of time. I guess I'll just check my spam folders. I heard there are some workaholics sending out malware attachments.
Have fun,
wishi
p.s.: here's a BlackHat webcast by Tiller Beauchamp and Jesse D'Aguanno, focusing on osX security.
