
Security flaw in Jaguar vis-a-vis classic mode? - Mac Applications & Software


  1. #1

    Security flaw in Jaguar vis-a-vis classic mode?

    http://www.macintouch.com/mosxreader10.2pt73.html
    is a link to Mac in Touch with a series of reader reports about file
    permissions being ignored in Classic mode and another report about a trojan
    using OS 9 Netscape 4.7 being used to scan a drive and report its findings
    out to an unknown attacker.

    Apparently a malicious applet was downloaded from a Web site and was
    activated during Macaroni's running of jobs normally run at 3:00 AM (by
    default) by cron, but during the day on this computer, which its
    administrator happened to be observing at the time: "... there is nothing
    quite like watching a persistent virus in real time wanting to send your
    private files through the SMTP port and a firewall reacting like an
    antiaircraft gun."

    Anybody have further information on this? I'd hate to have those MS-using
    weenies I've been sneering at for their complete lack of security to have
    any rebuttal for me.
    --
    Philip Stripling | email to the replyto address is presumed
    Legal Assistance on the Web | spam and read later. email to philip
    http://www.PhilipStripling.com/ | my domain is read daily.

  2. #2

    Re: Security flaw in Jaguar vis-a-vis classic mode?

    In article <tdl.com>,
    Phil Stripling <zzn.com> wrote: 

    > It appears from the reports that Classic ignores 'read' permissions on
    > directories.


    Yeah. Right. This report was from some anonymous user who used some
    of the right words but not in the right sequence. It has all the
    credibility of a jdoggy post.
    --
    Matthew T. Russotto net
    "Extremism in defense of liberty is no vice, and moderation in pursuit
    of justice is no virtue." But extreme restriction of liberty in pursuit of
    a modicum of security is a very expensive vice.

  3. #3

    Re: Security flaw in Jaguar vis-a-vis classic mode?

    In article <tdl.com>,
    Phil Stripling <zzn.com> wrote:
     

    I wrote Macaroni, and read this report, and I wish the author had
    provided some more detail about what was actually happening, or had
    given their name so that I could contact them for more information.

    Based on the sketchy information available I can only guess that the
    timing was coincidental. Macaroni normally waits for system idle time
    before doing anything. It's possible that the trojan this author
    describes also waits for idle time. It's also possible that the trojan
    modified one of the regular maintenance scripts-- meaning that it would
    have been activated sooner or later, regardless of whether Macaroni was
    installed.

    If the author of this report reads this newsgroup-- could you please
    contact me directly at com? I'd like to get more detail
    on what exactly happened. If Macaroni was in any way involved in making
    this happen, I want to fix it ASAP, but I need to know more about what
    exactly was happening before I can deal with it.

    --
    Tom "Tom" Harrington
    Macaroni, Automated System Maintenance for Mac OS X.
    Version 1.4: Best cleanup yet, gets files other tools miss.
    See http://www.atomicbird.com/

  4. #4

    Re: Security flaw in Jaguar vis-a-vis classic mode?

    Tom Harrington <no.spam.dammit.net> writes:
     

    My impression was that the app had scheduled itself to run and that the
    timing was triggered not by Macaroni per se, but by the app's
    self-scheduling. The reporter seemed to think it would have run with cron
    at 3:00 am and that he was lucky to have the app run during the day
    instead.
     

    What it seems to me.
     

    But what about the security issue? Another poster says it lacks
    credibility, but not in the definitive manner I would have hoped. :->
    --
    Philip Stripling | email to the replyto address is presumed
    Legal Assistance on the Web | spam and read later. email to philip
    http://www.PhilipStripling.com/ | my domain is read daily.

  5. #5

    Re: Security flaw in Jaguar vis-a-vis classic mode?

    speakeasy.net (Matthew Russotto) writes:
     

    Well, that's not the most reassuring riposte I've ever read, Matthew, I'm
    sorry to say. Could you be more specific on the problems with the
    reporter's description?
    --
    Philip Stripling | email to the replyto address is presumed
    Legal Assistance on the Web | spam and read later. email to philip
    http://www.PhilipStripling.com/ | my domain is read daily.

  6. #6

    Re: Security flaw in Jaguar vis-a-vis classic mode?

    In article <tdl.com>,
    Phil Stripling <zzn.com> wrote:
     
    >
    > My impression was that the app had scheduled itself to run and that the
    > timing was triggered not by Macaroni per se, but by the app's
    > self-scheduling. The reporter seemed to think it would have run with cron
    > at 3:00 am and that he was lucky to have the app run during the day
    > instead.

    That seems to be a strong possibility, but the lack of details in the
    person's description makes it hard to be sure. I'm sure you understand
    why I might focus on this one particular detail of the whole thing. :-)

    --
    Tom "Tom" Harrington
    Macaroni, Automated System Maintenance for Mac OS X.
    Version 1.4: Best cleanup yet, gets files other tools miss.
    See http://www.atomicbird.com/

  7. #7

    Re: Security flaw in Jaguar vis-a-vis classic mode?

    In article <tdl.com>,
    Phil Stripling <zzn.com> wrote:
     
    >
    > Well, that's not the most reassuring riposte I've ever read, Matthew, I'm
    > sorry to say. Could you be more specific on the problems with the
    > reporter's description?

    Speaking for myself, the following details are red flags in trusting
    this particular source:

    - Anonymity. There doesn't seem to be any reason for it, so you're left
    to wonder at the author's motives for concealing themselves.

    - Anonymity combined with lack of detail. If you need to know more,
    you're out of luck, because you have no way of contacting the author.

    - If you're wondering why I mention lack of detail when there seems to
    be so much information there, it's because all of that information
    actually does precious little in helping. You're essentially left with
    vague warnings of doom and no details of how you might avoid it. And
    some details are meaningless. Like "I am told that the read permissions
    of an Admin user on the internet can be changed by a malicious applet."
    Eh, what? That's not a meaningful statement. "AppleScript was always
    available." Of course, it always is on Macs.

    - Lack of rigor in analysis. Two attacks six weeks apart might be
    related, but you can't just assume that's the case, and no explanation
    is offered.

    - Plausibility. The message indicates that this problem could affect
    people who use Mac OS X but who browse the web in Classic using Netscape
    4.79. That's got to be a tiny percentage of the user base. It's hard
    to believe even a malicious person would find this worth their time.

    --
    Tom "Tom" Harrington
    Macaroni, Automated System Maintenance for Mac OS X.
    Version 1.4: Best cleanup yet, gets files other tools miss.
    See http://www.atomicbird.com/

  8. #8

    Re: Security flaw in Jaguar vis-a-vis classic mode?

    Tom Harrington <no.spam.dammit.net> writes:

    Okay, now we're getting somewhere -- thanks.
     

    My understanding is different. It's _not_ clear, and I'm making an
    assumption. It appears to me that browsing can be done with any browser
    under OS X, that the malicious app is downloaded in the normal course of
    browsing, and that the app can start 4.7, which makes Classic mode
    start. Then the attacker uses 4.7 to do the browsing under OS 9 and to send
    the results. I don't have to be browsing in Classic using 4.7 to download
    the malicious app, _as_I_read_it_, which could be wrong -- it is not very
    specific on what happened. He does say that in the first attack he was
    testing Safari 1.0 and Netscape 7.1 against MSIE 5.1 to see about
    rendering. This appears to be when the malicious app was downloaded.

    As to the anonymity, the reporter hints that there is an investigation and
    that he cannot give more info -- which is dumb, because he's given enough
    to let any attacker know the attack was discovered.

    Oh, well.
    --
    Philip Stripling | email to the replyto address is presumed
    Legal Assistance on the Web | spam and read later. email to philip
    http://www.PhilipStripling.com/ | my domain is read daily.

  9. #9

    Re: Security flaw in Jaguar vis-a-vis classic mode?

    Phil Stripling wrote:
     

    Extraordinary claims require extraordinary evidence. I'm not
    discounting the possibility entirely but neither am I prepared to trash
    Classic because -one- individual in the entire universe of Mac users
    has put two and two together and arrived at five.

    I'm happy to revisit this issue should it prove to be more widespread,
    but for me anyway, this whole thing reads like the work of an individual
    with an active imagination and problems, more than likely, of his own
    creation.

    If I had a nickel for every time my computer intuition led me down a
    blind alley, I could probably buy a new Harley with the proceeds.

    YMMV. Some settling of contents may have occurred during posting.
    Objects in mirror may be closer than they appear. Que sera, sera.


    --
    -John Steinberg
    email: invalid

    ....And that, my liege, is how we know the Earth to be banana-shaped.
    --Sir Bedevere

  10. #10

    Re: Security flaw in Jaguar vis-a-vis classic mode?

    In article <tdl.com>,
    Phil Stripling <zzn.com> wrote: 
    >
    > Well, that's not the most reassuring riposte I've ever read, Matthew, I'm
    > sorry to say. Could you be more specific on the problems with the
    > reporter's description?

    Read today's MacInTouch -- Daniele Procida gives a number of problems
    with the story.

    In addition, the sentence "A second firewall recorded repeated cycling
    through a list of keywords to be sent out surreptitiously through the
    SMTP port." simply doesn't make any sense. Firewalls don't work that
    way. If the SMTP port is blocked, it's blocked; the firewall won't be
    recording any keywords. The claim "The Recent Items panel on the
    Apple menu was changed and now displayed the ten most recent
    applications and documents" is silly; that's what "Recent Items" is
    supposed to do.
    --
    Matthew T. Russotto net
    "Extremism in defense of liberty is no vice, and moderation in pursuit
    of justice is no virtue." But extreme restriction of liberty in pursuit of
    a modicum of security is a very expensive vice.

  11. #11

    Re: Security flaw in Jaguar vis-a-vis classic mode?

    In article <net>,
    speakeasy.net (Matthew Russotto) wrote:
     
    > >
    > > Well, that's not the most reassuring riposte I've ever read, Matthew, I'm
    > > sorry to say. Could you be more specific on the problems with the
    > > reporter's description?
    >
    > Read today's MacInTouch -- Daniele Procida gives a number of problems
    > with the story.
    >
    > In addition, the sentence "A second firewall recorded repeated cycling
    > through a list of keywords to be sent out surreptitiously through the
    > SMTP port." simply doesn't make any sense. Firewalls don't work that
    > way. If the SMTP port is blocked, it's blocked; the firewall won't be
    > recording any keywords. The claim "The Recent Items panel on the
    > Apple menu was changed and now displayed the ten most recent
    > applications and documents" is silly; that's what "Recent Items" is
    > supposed to do.

    For what it's worth, I'm in private contact with the person who made
    this report. They're still insisting on not revealing who they are.
    But should any important details come to light that maintain their
    anonymity (including the answer to "why do you need to be anonymous?"),
    I'll post them here.

    --
    Tom "Tom" Harrington
    Macaroni, Automated System Maintenance for Mac OS X.
    Version 1.4: Best cleanup yet, gets files other tools miss.
    See http://www.atomicbird.com/