April 2007 - Posts
Still following the Safari hack and the fallout from it on Matasano. There are a lot of comments debating how serious it is anyway, because after all it isn't like you got root. A lot of comments all around about how much information is exposed.
Folks, it appears that this exploit allows arbitrary code execution in the login context of the currently logged-in user. No, that isn't root, but as I explained in my last post on the subject, a hacker does not need root to break your heart.
Remember that?
A Hacker DOES NOT need root to break your heart.
Don't get me wrong:
This isn't the end of the world, security wise, for the Mac. But it exists, it's real and it can break your heart even without admin rights.
UPDATE 21/04/07 19.33GMT. The Matasano website has been amended to add the following:
- Apparently the issue also affects Firefox.
- Turn off Java as a workaround for now.
Breaking news as of yesterday. The CanSecWest security conference are running an event with two Apple MacBook Pros to be won, simply hack them to take them over.
Of the two, the first MBP can be won by exploiting it to achieve shell access in the current user's context, and the second by exploiting it to achieve shell access in an administrator context.
The first MBP was won yesterday (20th April 2007) via a Safari exploit, with the second MBP still up for grabs at the time of writing.
There is considerable speculation over what exactly happened to the first MBP as details have not yet been published (Matasano's weblog appears to be the source for info here), but this appears to be a 0-day attack on a component of the default OS as shipped (and fully patched, of course). If I had to speculate, my first thoughts would turn to the previously identified problems with Safari, but offhand I'm not sure if Apple have closed this hole, and I'm not sure this would count as a new hack anyway. Upon reflection, I think this will turn out to be something new. At the very least, a variation on previous holes.
Some people may point out that this exploit doesn't give you administrative access to the machine as such, and that's quite true. It certainly doesn't. However, how many 'home' users run their Mac with an administrator-type account anyway, and in either case, who needs root to break your heart? I don't need admin access to run a shell script from your user account using the above exploit, and it's very easy to ruin someone's use of their computer with just two lines in a script...
cd ~
rm -rf *
Hope you had all those files backed up.
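To make the "no root required" point concrete without destroying anything, here is an added example (not part of the original post) that re-enacts the two-line payload against a throwaway directory standing in for the home folder. It runs as whatever unprivileged user invokes it; the only assumptions are a POSIX sh and mktemp, and the "documents" and "key" files are constructed on the spot.

```shell
#!/bin/sh
# Added example, not from the original post. Re-enacts the payload
#   cd ~
#   rm -rf *
# against a temporary directory standing in for ~, so the effect of
# user-context code execution can be observed with no real data at risk.
simulate_payload() {
    sandbox=$(mktemp -d) || return 1

    # Constructed stand-in for a home directory: ordinary documents plus a
    # dotfile, the way a real login context would present them.
    mkdir -p "$sandbox/Documents" "$sandbox/Pictures" "$sandbox/.ssh"
    printf 'thesis draft\n'   > "$sandbox/Documents/thesis.txt"
    printf 'holiday\n'        > "$sandbox/Pictures/beach.jpg"
    printf 'not a real key\n' > "$sandbox/.ssh/id_rsa"

    # The payload, run exactly as the post shows it. No privilege change:
    # same uid as the caller, HOME merely pointed at the sandbox. The
    # subshell keeps the caller's own HOME untouched.
    (
        HOME=$sandbox
        export HOME
        cd ~ && rm -rf *
    )

    # Report what survived, relative to the fake home, then clean up.
    (cd "$sandbox" && find . -type f | sort)
    rm -rf "$sandbox"
}

simulate_payload
```

The only file left afterwards is `./.ssh/id_rsa`: the unquoted `*` glob does not match dotfiles, so the visible documents are gone while the dot-directories survive. That is the whole of the protection a non-admin account gives you against code running in your own login context, and it is not much consolation if the documents were the point.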
At least, that is what this looks like to me. Dell are probably one of the most arrogant and ignorant suppliers I have ever dealt with when it comes to imposing their will on their customers. To actually listen to their customers and roll back their 'Vista only' policy to allow people to buy XP with their new computer once again suggests that all is not well with Microsoft's new operating system to say the least.
Please bear with me while I take a quiet moment to say "I told you so" to the folks at Redmond.
Your. New. Operating. System. Isn't. Ready. For. Release. After. Six. Years. Of. Trying.
[Taken from cnet.com] "In a statement last week, Microsoft said such a move (Dell selling the old OS) is normal after a new operating system comes out.
"Windows Vista is safer, easier to use, better connected and more entertaining than any operating system we've ever released, and we're encouraged by the positive customer response we've seen to date," the company said. "It's standard practice to allow OEMs, retailers and system builders to continue offering the previous version of Windows for a certain period of time after a new version is released."
I have only two comments to add here. Firstly, this doesn't explain why Dell stopped selling XP and then started again. Secondly, note the phrase "more entertaining than any operating system we've ever released". Right there is the problem with Vista, I think. I don't buy an operating system to be entertained, not even at home where I'm trying to relax. I buy an operating system because I need one to get things done.
And the entertainment isn't even very well done. Take Windows DreamScene for example (please someone take it!). The wonderful opportunity of a lifetime to have distracting movies playing on your desktop instead of static wallpaper, for everyone who buys a computer just to load up the desktop and not run a program ever. Erm OK. And better still, as stupid as this idea is, it doesn't even work properly. Dreamscene crashes so often here that I can only assume it contains, well, an entire vista of bugs.
Another area of concern for Microsoft should be XBox 360 quality control. This post came from an XBOX / Microsoft advocate, who apparently thinks that the Wii is a joke. At least the Wii works and doesn't deafen everyone in a half-mile radius of ground zero when powered up.
Something is very wrong in Redmond. Everyone should be worried - even Linux advocates (after all, were Windows to disappear then who would you steal your UI from? Apple have angry lawyers, you know).
From Daring Fireball (just joined today by the way, after spending 3 days on a rather dry course, reading the site archives). Actual press release on Yahoo Business.
Well I wonder if any of the Windows advocates who love to take cheap shots at Apple will dare to sneer over this one. Not only was Vista delayed for a long time, SQL 2005 was originally going to be called SQL 2003 when I first heard about it. Or was it even SQL 2002?
One thing - Apple planned to release in June. It says so right in the announcement. I think this is the first time we customers were actually officially told that June was the intended target date. This is going to hurt some software developers who are tying the next release of their software to Leopard. A tough choice at this point: do they miss out on a few months' possible revenue (OK, I'm assuming the software was planned to be ready in June alongside Leopard), or do they change from "are tying their software to Leopard" to "were tying" and ship now, in which case you have to ask what's missing from the software they release now that they were relying on Leopard to provide?
Delay happens. It isn't like Tiger or even Panther are going to suddenly turn into pumpkins on June 30th. I'd much rather something I want to rely on is done properly than done fast.
JEYO have released their Mobile Extender for Office 2007 and Vista. This essential bit of software for Smartphone users allows you to backup your SMS messages to Outlook, and more importantly to access the SMS system on your phone from Outlook in order to send and receive SMS messages on your computer desktop as you would emails.
In all honesty, this is a vital piece of software for me and I'm glad it's finally caught up with my desktop "side-grade" to Vista. A few points that prospective buyers ought to consider though:
- I've had great support - but others have complained about it.
- It doesn't appear to support MMS messaging (this would take a lot of work, I know, but isn't that the developer's job?)
- Sending SMS messages through the extender doesn't work around any bugs in the phone you're using. Or the cost of sending a large message if you're in a country where you get charged by message block for text messaging.
- It works with most Smartphone makes, but you have to make sure you buy the correct version, and I don't see the Apple iPhone listed as a supported phone.
- Windows only. I'm fairly sure it would work with a Mac using BootCamp, but I haven't tested it with Parallels or VMware Fusion.
- If you're upgrading from Version 2.0 of the mobile extender you'll need to get a new key. Go here and have your old details ready.

Is the point passing just over the heads of the WGA team bloggers at Microsoft?
In a post last month they talk about the fuss surrounding WGA getting caught sending information back to Microsoft whether or not the user had agreed to this (by accepting the EULA).
In their reply on the WGA blog Microsoft publish details of the information sent back to base, which is nice but also raises more concerns because it shows that some of the information sent back is encrypted. I personally think this is to protect the information from interception during transmission, but some people are suspicious of the encrypted data and feel that part of the reason could be to hide what is being sent back to Microsoft.
Frankly I don't blame them for being suspicious. Microsoft have been caught with a hand in this cookie jar before. And the point that the WGA team seem to miss is that trust is a coin and at the moment Microsoft just don't have much trust left in the account with many people.
No matter how they dress it up, no matter how 'honest' their intentions might be, Microsoft have left a bad taste in the mouths of many customers with the whole WGA concept. When people already doubt your motives you should stop acting in a suspicious manner and you absolutely have no defence if you are not completely honest and open and upfront about what you do from this point. A "trustworthy Microsoft" would be like a reformed drug addict to many people. You don't just have to swear you're clean, you don't just have to be clean, you have to be seen to be clean.
Well the current crop of ads are selling to computer enthusiasts. You surely don't expect someone who knows nothing about computers and the whole fuss about how they work to 'get' the UAC spoof do you?
As for the ads, I think the first few were funny and fresh but right now Apple have dragged on this campaign for too long. I always feel better about people when they're telling me why *they* are so good than I do about people who just can't stop snarking about 'the other guy' (so Gates and his odd rant about Mac security aren't sitting too well with me either). I understand that sometimes you have to boost your team up above the competition and I'm comfortable with anyone trying to do that, but if that's all you've got then it begins to sound bad. Nobody likes to be stuck next to the guy who won't stop moaning at parties.
And that's a shame - I'm sure plenty will disagree with me but there has never been a better time to own a Mac in my opinion. I'd love to see Apple talk about that.