MAAS History
Archives
Tuesday, Nov 04 2008

Acrobat Reader Critical Validation Flaws

Adobe has released a bulletin about critical flaws in Reader and Acrobat. The details are not fully disclosed, but Secunia, a security research company, does describe a boundary error triggered by certain types of content in PDFs. It is possible that this boundary error can be exploited to execute code and compromise privileges. Many researchers believe the other validation errors are similar in nature and delivery. This is a platform-independent issue, so Windows users are also affected.

Users have to download and view a PDF to be affected, which gets back to a bigger issue: users should only open files from people they know or from sites they trust. It is important that users update Acrobat or Reader to the latest version.

Monday, Nov 03 2008

New Features

I am happy to introduce a new weekly journal called "The Command Line." Twice a week my alter ego, dr. strangep0rk, will be posting his odd take on the MacOSX command line, from the simple cp or rm command to Mac-specific commands such as softwareupdate and unload. Once you realize how powerful it is to use executables via the command line you will never want to go back.

Second, I will be offering Mac-centric Information Assurance Guides. Our first offering is for the OSX10.5 client. Drawing on over 20 years of experience, including on the Apple ][, Mac Classic, Solaris, Linux, NeXT and OSX, these guides will not forget what makes the Macintosh platform so unique: the user. They will be useful to Macintosh users and system administrators, and are being developed with the intention of enhancing the security footprint of MacOSX. Using this program and these guides, organizations will be able to seamlessly incorporate the Mac platform into their IA program. My goal is not to reinvent the wheel but to create a program that is uniquely focused on the Mac platform.

Wednesday, Oct 15 2008

Definition of Trust

From a general social standpoint, one asks oneself in daily interactions with an individual, “can I trust this person?” For years Mac users and administrators had little to worry about in terms of the level of trust placed in the user and his or her daily interaction with public networks or files. This has changed in the last 10 years. From the administrator's standpoint, this is a high-end Unix system that is being tasked more and more with providing a wide range of services. When implementing a secure Macintosh framework, a major goal is to provide a system for measuring the evidence needed to have confidence in the truth of a person or thing.

Because we are human, we are unable to produce a purely quantitative measure of confidence; we need to evaluate the evidence presented to a security structure. This allows the administrator to achieve a measure of assurance that the person cannot abuse this degree of trust. So we need to develop a way to trust the users, administrators and files interacting within the secure Mac framework.

OK, I know what you are thinking: these are Macs, security is taken care of, and as a business we do not need to do the stuffy work of the rest of the IT world. Again, this is a warning: you are not just a Mac administrator, you are a UNIX administrator. Think about how much better the Mac platform has been since OSX. Why wouldn’t we not just want, but also need, to take the professionalism and experience of Unix security gurus and make the Mac platform more secure? Security engineering methods make perfect sense and allow for continuous improvement and measurement by the organization. So, as part of my final project for my master's in CS from BU, I plan to post my working framework for a secure Macintosh environment.

Sunday, Oct 05 2008

Potential Vulnerabilities in Illustrator for the Mac CS2

In the continuing effort by attackers to take advantage of the lack of awareness among Macintosh users, another attack has emerged that needs user interaction. This can succeed because many Macintosh users tend to be less skeptical of files from unknown users. For a long time the Mac community has never really had to think about exploits, but this is changing: more and more we are identifying attack vectors that rely on some interaction from a user. If a user opens an Illustrator file crafted to take advantage of this vulnerability, it is possible for an attacker to exploit the system. So, again, if you do not trust the file, do not open it; only open files from a known source and confirm the hash in the Terminal using md5 <filename> or openssl sha1 <filename>.

This gets at a larger issue of trust. Evidence is presented to a system, or in this case a user, that builds a case to trust the action or file. Users must be taught to ask themselves whether the file has passed enough evidential benchmarks to be trusted. These benchmarks should be set by the information security policies, and procedures for validation should also be included. One obvious benchmark is knowing the party that sent the file.
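The hash check recommended above, as an added example that is not part of the original post: it computes the SHA-1 or MD5 of a received file (the post's openssl sha1 / md5 route) and compares it with a digest obtained from the sender, falling back to sha1sum/shasum and md5sum on systems without openssl or the macOS md5 command. The function names and the "abc" test vector are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post: verify a received file against a
# digest the sender supplied separately (the post's "md5 <filename>" or
# "openssl sha1 <filename>"), with md5sum/sha1sum/shasum fallbacks off macOS.

# Print the hex SHA-1 of FILE; return 2 if FILE is missing.
file_sha1() {
    [ -f "$1" ] || return 2
    if command -v openssl >/dev/null 2>&1; then
        openssl dgst -sha1 "$1" | awk '{print $NF}'
    elif command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | awk '{print $1}'
    else
        shasum -a 1 "$1" | awk '{print $1}'
    fi
}

# Print the hex MD5 of FILE; return 2 if FILE is missing.
file_md5() {
    [ -f "$1" ] || return 2
    if command -v openssl >/dev/null 2>&1; then
        openssl dgst -md5 "$1" | awk '{print $NF}'
    elif command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    else
        md5 -q "$1"              # macOS md5 without -q prints "MD5 (f) = ..."
    fi
}

# verify_file FILE EXPECTED_HEX: choose the algorithm from the digest length
# (32 hex chars = MD5, 40 = SHA-1) and compare case-insensitively.
# Returns 0 on match, 1 on mismatch, 2 on a missing file or bad digest.
verify_file() {
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    case ${#expected} in
        32) actual=$(file_md5 "$1") || return 2 ;;
        40) actual=$(file_sha1 "$1") || return 2 ;;
        *)  echo "unrecognised digest length for $2" >&2; return 2 ;;
    esac
    if [ "$actual" = "$expected" ]; then
        echo "OK: $1 matches the supplied digest"
    else
        echo "MISMATCH: $1 has $actual, expected $expected" >&2; return 1
    fi
}
# Constructed demo: a temp file holding the standard test vector "abc".
demo_file=$(mktemp)
printf 'abc' > "$demo_file"
verify_file "$demo_file" a9993e364706816aba3e25717850c26c9cd0d89d   # SHA-1("abc")
verify_file "$demo_file" 900150983cd24fb0d6963f7d28e17f72           # MD5("abc")
rm -f "$demo_file"
```

The digest only helps when it reaches you by a different channel than the file itself (a phone call, a signed message), otherwise whoever replaced the file can replace the hash too.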

More to come on trust...

CVE number:  CVE-2008-3961

Wednesday, Jun 25 2008

Permission (setuid) bit of ARDAgent exploit

It was discovered by www.macshadows.com that ARDAgent has the setuid bit set, so the binary, and anything it runs, executes as the file's owner. This of course allows an attacker, either through a remote process or by actually sitting at the keyboard, to run a script using AppleScript. Entering the following command shows that a shell script launched through AppleScript, in our example simply the whoami command, runs as root.

osascript -e 'tell app "ARDAgent" to do shell script "whoami"';

The result will be root. (Note: if you have installed the latest Virus Barrier signatures, you will get an error instead.) There are many ways to fix this; here are two.

One
Enter the following into a terminal:
cd /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/
sudo chmod 0555 ARDAgent

or you can do it in one line as follows:
sudo chmod 0555 /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent

You will have to reboot afterwards if you do any remote access management or screen sharing. If you are a Virus Barrier user, the latest update should fix the problem by preventing AppleScript from running shell scripts.
You can read about that here: http://www.intego.com/news/ism0802.asp

The chmod commands above use absolute (octal) mode.
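An added example, not code from the post or from macshadows: it checks whether a binary actually carries the setuid bit before applying the post's chmod 0555 fix, and lists any other setuid files under a directory so the same audit can be run elsewhere. The function names and the throwaway temp-file demo are constructed for this example; the real ARDAgent path is only reported on, never modified, and only if it exists on the machine.

```shell
#!/bin/sh
# Added example, not from the original post or macshadows: audit a path for the
# setuid bit and apply the post's chmod 0555 fix only when the bit is really set.
# find -perm -4000 behaves the same with BSD find (macOS) and GNU find.
ARDAGENT=/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent

# Return 0 if FILE has the setuid (4000) bit, 1 if not or if FILE is missing.
is_setuid() {
    [ -e "$1" ] || return 1
    [ -n "$(find "$1" -maxdepth 0 -perm -4000 2>/dev/null)" ]
}

# Print every regular file under DIR that is setuid, one per line.
list_setuid() {
    find "$1" -type f -perm -4000 2>/dev/null
}

# Apply the post's absolute-mode fix (r-x for all, setuid cleared) to FILE.
# Returns 0 once the bit is clear, 1 if FILE is missing or chmod failed.
fix_setuid() {
    [ -e "$1" ] || return 1
    if is_setuid "$1"; then
        chmod 0555 "$1" || return 1
    fi
    ! is_setuid "$1"
}

# Constructed demo: a throwaway setuid script in a temp dir, never a system file.
demo() {
    d=$(mktemp -d) || return 1
    printf '#!/bin/sh\necho demo\n' > "$d/agent"
    chmod 4755 "$d/agent"                   # setuid, as ARDAgent shipped
    echo "setuid files before: $(list_setuid "$d" | wc -l | tr -d ' ')"
    fix_setuid "$d/agent" && echo "cleared setuid on $d/agent"
    echo "setuid files after:  $(list_setuid "$d" | wc -l | tr -d ' ')"
    rm -rf "$d"
}

# Report (never modify) the real ARDAgent if this machine has one.
if [ -e "$ARDAGENT" ]; then
    if is_setuid "$ARDAGENT"; then echo "WARNING: ARDAgent is setuid"; else echo "ARDAgent: setuid clear"; fi
fi
demo
```

Running list_setuid against /System/Library or /usr/bin gives a baseline to compare after software updates, which is how a re-introduced setuid bit gets noticed.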