There’s a piece of Mac malware, known as ‘Flashback’, that’s going around and takes advantage of a Java vulnerability in order to compromise and infect Macs online. Although the vulnerability isn’t Mac-specific, and was patched back in February, Apple has yet to distribute that update to everyone via Software Update, leaving everyone vulnerable.
Apparently the team behind this malware is quite efficient at updating it, and so they have been successful in spreading it around. Lion doesn’t come with Java by default, so unless you’ve manually installed it, you’re safe. If you have installed Java on Lion however, I don’t know yet whether Lion’s built-in anti-malware is being updated quickly enough to keep up with the new malware variants (although I highly doubt it).
If you are running Snow Leopard (or earlier), or Lion with a manually-installed Java, then the best thing to do is disable it. The majority of web users do not need Java on a regular basis. I recommend disabling Java system-wide by going to Applications > Utilities > Java Preferences and then unchecking all the checkboxes in the General tab. If you use Safari to browse, you can disable Java by going to Safari > Preferences > Security and unchecking ‘Enable Java‘.
Keep an eye out for an upcoming Java update from Apple.
[Updated] Seems all the talk about this has nudged Apple to act! They’ve released Java for OS X Lion 2012-001 and Java for Mac OS X 10.6 Update 7. F-Secure have released a free Flashback remover tool, and Apple have announced they are also working on software to detect and remove Flashback malware.
I wasn’t going to post about last week’s fairly significant iTunes update, but then Apple went and patched a whole bunch of vulnerabilities across the board. Some of these are fairly significant so I thought I would provide a short breakdown of the changes. Either way, you should definitely be patching all of your Apple devices and software tonight.
Hit the jump for a summary of the key vulnerabilities patched in Apple’s security updates.
The Defence in Depth blog has a post about a flaw in Lion’s redesigned authentication mechanisms and Directory Services. In short, it is possible to change the password of the currently logged in user by simply running the following command in the terminal, and it won’t ask you for the user’s current password:
$ dscl localhost -passwd /Search/Users/<username>
In Lion it is also easy to dump a user’s SHA-512 password hash using the following command:
$ dscl localhost -read /Search/Users/<username>
Then look for the dsAttrTypeNative:ShadowHashData chunk in the output (sample below). The hex string in red is the salt, and the green is the hash.
62706c69 73743030 d101025d 53414c54 45442d53 48413531 324f1044 74911f72 3bd2f66a 3255e0af 4b85c639 776d510b 63f0b939 c432ab6e 082286c4 7586f19b 4e2f3aab 74229ae1 24ccb11e 916a7a1c 9b29c64b d6b0fd6c bd22e7b1 f0ba1673 080b1900 00000000 00010100 00000000 00000300 00000000 00000000 00000000 000060
Cracking password hashes can be done using his custom Python script, or John the Ripper (with the Jumbo patch). Note that even if someone manages to obtain your password hash, if you’re using a strong password it will be extremely difficult for them to recover it. Seems like both of these are important but fairly low-risk flaws introduced into Lion. Hopefully Apple will look into these for the next update.
[Update 1] While waiting for an Apple-supplied security update, it is possible to protect yourself from this vulnerability by adjusting the permissions on dscl:
sudo chmod go-x /usr/bin/dscl
This makes it so that only root can execute dscl. To revert this simply run:
sudo chmod go+x /usr/bin/dscl
[Update 2] This vulnerability was patched in Mac OS X 10.7.2.
There was a lot of attention given to yesterday’s news of Passware Kit Forensic v11 being able to extract your Lion login password if your computer was locked or sleeping, even with FileVault turned on. It’s worth pointing out that not only is this old news (from 2006), it isn’t even a vulnerability specific to Mac OS X, but rather a vulnerability introduced on computers with FireWire (or iLink) ports. The FireWire specification provides external devices with the interesting ability to interact directly with system memory (without going through the OS). While in theory this could open up interesting uses, in reality it just enables vulnerabilies due to the fact that a computer’s live memory can be used to extract data or manipulate parameters. Windows systems are vulnerable to this attack too, and there are tools (eg. winlockpwn) that exist that allow an attacker to unlock a locked Windows machine, or dump its memory, just by plugging into it via FireWire/iLink.
This flaw definitely has security and privacy implications, but only if the attacker is able to get physical access to your computer. As I’ve pointed out on a number of occasions, if someone gets phsysical access to your computer, it’s game over. Even without a FireWire port, techniques such as the Cold Boot Attack may allow an attacker to recover passwords or decryption keys from live memory. Until Apple completely phases out FireWire in favour of Thunderbolt, this will continue to be an issue to be aware of. Thunderbolt itself, although not fully tested, may yet be found to have some similar issues; although I’m hoping Apple/Intel will have learnt from past mistakes.
There’s not a huge amount you can do to protect yourself apart from:
- Disable automatic login, and shut down your computer when you don’t plan on using it (especially if you’re going to be away from it for a while). Note that for this to really be effective, you’ll need to enable FileVault as well – otherwise the attacker will be able to access your unencrypted HD.
- Block your FireWire port with epoxy – or destroy it altogether.
With the release of Mac OS X 10.7 “Lion”, Apple is changing the way we’ll be doing system upgrades. Lion will only be available to Snow Leopard users electronically through the Mac App Store, and thus it will no longer be possible to purchase a physical install DVD. Before I go into the intended topic of this post, allow me to <rant> about how I’m not too keen on this decision. As a result, it’s no longer possible to install OSX on Macs that don’t have an internet connection (yes, these do exist!). Even for those who do, many don’t have very fast internet connections, or may have extremely low usage caps. I know that UK internet providers still offer entry-level packages 5Mbit lines and stupidly low 1-5 GB monthly limits. Lion is likely to be about 4GBs in size. Oh, you want to install OSX on more than one Mac? Suuure, just download the 4GB install package on each Mac.</rant> You get the point…
The real thing I wanted to talk about is Apple’s solution to system re-installation or recovery, and specifically the security implications thereof. Installing Lion will cause it to create a small ‘recovery’ partition on your primary drive, which is essentially a partition equivalent of an install DVD. If you have a problem with your main OSX partition, and need to run repair utilities or reinstall, you just boot from the recovery partition. Sounds really useful actually, as you don’t need to worry about having a DVD handy. But where this solution brings ease-of-use and convenience, it also brings some security risks.
Although Mac OS X is still largely unaffected by malware, the winds of change are indeed upon us, and it’s unrealistic to assume the Mac will remain virus-free forever. As viruses get more complex they find ever-improving ways of making themselves persistent on a system. There are countless examples of Master Boot Record viruses on Windows where the only sure-fire solution is to completely wipe the hard drive and reinstall from CD/DVD. Because once your system is infected, good security practice forces you to assume that any file or executable is compromised. So, how does this affect a bootable recovery partition? If I were a virus writer, I’d make pretty darn sure that I infect a core installer file on the recovery partition so that any installation will have my virus. The nice thing about DVDs is that even if you insert them into an infected computer, they can’t be changed, and so you have complete confidence (barring a very advanced/rare firmware virus) that wiping and reinstalling from DVD yields a fresh and clean install of your system. As a security professional, I don’t think I’ll be able to trust a recovery partition like that.
But wait, there’s more. Even if your computer is completely secure from remote attacks, the same goes for someone with physical access to your Mac. Now, as a disclaimer, I have to point out that anytime an attacker gets physical access to any computer it’s game over. Even if you use FileVault, I may not be able to log in to your computer (unless some kind of cold boot attack is still possible), but I can easily boot your computer from a USB stick (or remove your hard drive if you have a Firmware password), trojan your recovery partition and corrupt your primary boot partition (similar to an Evil Maid attack). What are you going to do? Reinstall Mac OS X from my trojaned recovery partition of course! It’s not like you have a choice.
Any system compromise can lead to the installation of a persistent backdoor for the lifetime of the recovery partition on that hard drive. I don’t want to sound overly critical; I am probably one of the most fervent Apple supporters you’ll ever meet (with good reasons too), but not to the extent it stops me from thinking about potential impacts. I appreciate that Apple is trying to make things easier for Joe User. Being able to download updates electronically is awesome, and I honestly believe many would take advantage of that (myself included), but users should be given the choice. Particularly in situations like this where not having a physical install medium can have an impact on both usability and security.
My guess (or maybe hope) is that if Apple is not going to sell install DVDs itself, we may be allowed to burn our own install DVDs after downloading Lion from the Mac App Store. Either way, it is fairly trivial to burn the Lion installer onto a DVD – but users shouldn’t have to (or sometimes can’t) resort to a hack like that. Take heed, Apple.
[Update 21/07/11] Ok, so Apple isn’t going to allow users to burn their own DVDs, but they have confirmed that Lion will be available on a mini USB drive in August (for $69).
Apple’s popular Find My iPhone feature of MobileMe is being extended to Macs as well, as part of iCloud and Lion (10.7.2). It will also allow the person who found or stole the machine to login using a limited guest account (with only access to Safari), in order to allow your Mac to connect to the internet. As with the iOS version, Find My Mac will allow you to remotely send a message, lock or even wipe your computer.
I’m guessing the geolocation will be limited to triangulating local wireless networks, but I’m hoping it will also send back the public IP address of the network it’s currently connected to, which would help significantly when trying to recover a stolen device. I wonder how developers of commercial Mac tracking software are feeling right about now?
Apple has released Security Update 2011-003 for Mac OS X 10.6 which updates the system’s built in ‘File Quarantine’ (aka. XProtect) mechanism to detect and remove OSX.MacDefender.A. More significantly, however, Apple has now enabled the ability for File Quarantine to receive daily updates to to its malware definition list, essentially giving Mac OS X a very simplistic built-in anti-virus. Now it’s just up to Apple to actually update the malware definitions list on a regular basis.
In System Preferences > Security > General, users can choose whether or not they want to “Automatically update safe downloads list”. I’m not sure “safe downloads list” is the best name for it however, as it doesn’t really help users understand what its purpose is. I highly recommend keeping this option checked. Note that the screenshot below is not a recommendation of what your preferences should look like, it’s merely highlighting the new option. For more into about configuring your Security settings check out Securing Leopard: Security, FileVault and Firewall (to be updated with this new setting shortly).
[Updated 01/06/2011] As I wholly expected, a new variant of MACDefender is already out in the wild that does not get detected by OSX’s File Quarantine. As File Quarantine is simply a blacklist of known malware, it does not have the ability to pick up on malware it doesn’t recognise. This will be a good test to see how quickly Apple responds and updates the File Quarantine definitions. If you installed the 2011-003 security update then your system is already set to check for new updates every 24 hours. Browse safe out there.
[Updated 02/06/2011] Apple has already updated the File Quarantine definitions for the latest MACDefender variant (OSX.MacDefender.C). Pretty good response time by Apple!