Very portable exploit code has been posted on milw0rm for the most recent Apple QuickTime vulnerability. We're still waiting for a fix, Apple... In the meantime, don't use QuickTime :), and certainly not around people you don't trust. Another tip is to disable your browser's Java and JavaScript support while you wait on a fix; of course, the browser is not the only delivery method. milw0rm's site also gives useful information in case you need to build an IDS signature to watch for it. Get it from Bleeding Edge here.
More information on SecurityFocus.
Friday, November 30, 2007
Wednesday, November 21, 2007
Leopard Firewall Security Issues (OSX 10.5.1)
Recently, there have been a couple of "not so good" reports on Apple's most recent spin of OS X. Most of the posts have been pretty accurate; still, none of it should keep you from moving to 10.5.1 if that has been holding you back. There are some things you need to know if you're a security nut and prefer to control a very smart computing platform. These might help you get started:
Don't depend on the OS X Security preference pane to manage the local firewall configuration.
That pane, in combination with the per-application controls in 10.5.1, does some pretty unusual things with the firewall. The Leopard application firewall is a separate, socket-level mechanism; it does not replace ipfw, which is still present in 10.5.1 and is what an /etc/rc.firewall script drives. Use an /etc/rc.firewall script instead, and start it at boot the way you did on 10.4, with a StartupItem like the one listed below. Search on the terms below and you'll get a bag full of helpful how-tos; Apple maintains an excellent support documentation site as well.
-rwxr--r-- 1 root wheel 344 Nov 5 09:09 Firewall
-rwxr--r-- 1 root wheel 240 Nov 5 09:10 StartupParameters.plist
[user@local:/Library/StartupItems/Firewall] $
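Here is what that StartupItem can look like, as an added example rather than the post's own files: a hypothetical helper that writes the Firewall wrapper script and StartupParameters.plist into a directory you choose, so you can inspect them before copying them to /Library/StartupItems/Firewall as root. The wrapper follows the 10.4-style convention of sourcing /etc/rc.common and handing control to RunService; it assumes /etc/rc.firewall accepts an "apply" argument (an assumption of this example) and that ipfw and ip6fw live in /sbin.

```shell
#!/bin/sh
# Hypothetical helper (not from the post): generates a 10.4-style
# StartupItem that runs /etc/rc.firewall at boot. The target directory is
# a parameter so the files can be generated and checked as a normal user,
# then installed with: sudo cp -R <dir> /Library/StartupItems/Firewall
# followed by chown -R root:wheel on the result.

write_startup_item() {
    dir="$1"
    mkdir -p "$dir" || return 1

    # Wrapper script. SystemStarter runs it with start/stop/restart;
    # /etc/rc.common supplies ConsoleMessage and RunService.
    cat > "$dir/Firewall" <<'EOF'
#!/bin/sh
. /etc/rc.common

StartService ()
{
    ConsoleMessage "Starting firewall"
    sh /etc/rc.firewall apply
}

StopService ()
{
    # Note: flushing leaves only the kernel's default 65535 allow rule,
    # i.e. "stop" opens the host up. Only do this deliberately.
    ConsoleMessage "Flushing firewall rules"
    /sbin/ipfw -q flush
    /sbin/ip6fw -q flush
}

RestartService ()
{
    StartService
}

RunService "$1"
EOF
    chmod 744 "$dir/Firewall" || return 1   # -rwxr--r--, as in the listing

    # Old-style (OpenStep) property list. "Requires = (Network)" holds the
    # item back until the network is configured; "Provides" names it.
    cat > "$dir/StartupParameters.plist" <<'EOF'
{
  Description     = "Firewall";
  Provides        = ("Firewall");
  Requires        = ("Network");
  OrderPreference = "None";
}
EOF
    chmod 644 "$dir/StartupParameters.plist"
}

# Sanity-check a generated item without root: wrapper present and
# executable, sources rc.common, calls rc.firewall, plist declares
# the Network dependency. Returns 1 on the first failed check.
check_startup_item() {
    dir="$1"
    [ -x "$dir/Firewall" ] || return 1
    grep -q '^\. /etc/rc.common' "$dir/Firewall" || return 1
    grep -q '/etc/rc.firewall' "$dir/Firewall" || return 1
    grep -q 'Requires *= *("Network")' "$dir/StartupParameters.plist" || return 1
    return 0
}
```

Usage: write_startup_item /tmp/Firewall && check_startup_item /tmp/Firewall, then copy the directory into /Library/StartupItems as root and make sure it is owned by root:wheel; SystemStarter is picky about ownership and permissions on StartupItems.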
Even with ipfw add 65500 deny log ip from any to any as the last rule in the ruleset, the system services that are still allowed to receive incoming connections are:
- configd, which implements DHCP (udp/68) and other network configuration services
- mDNSResponder, which implements Bonjour (udp/5353)
- racoon, which implements IPsec key exchange (udp/500, and udp/4500 for NAT traversal)
These are the same three services Apple lists as exempt from the Security pane's "Block all incoming connections" setting, so decide explicitly which of them you want reachable when you write your own inbound allows.
Don't forget about IPv6 !!
Yuck: by default OS X treats IPv6 as a trustworthy way to communicate. The ip6fw default is allow any, just like the default IPv4 setting. Add some lines to your /etc/rc.firewall that call ip6fw and deny all IPv6 traffic that is not necessary. Better yet, disable IPv6 entirely if you aren't using it, with ip6 -x.
Note: the dust has not yet settled on ip6fw, or on IPv6 in general. Things like check-state don't work, so ip6fw rules are stateless. I am anticipating some changes soon in ipfw2 and IPv6 support. Advanced firewalling using ipfw2 and IPv6 can get very complicated very quickly. If you're interested I'll post a decent config to help out.
Whatever you do, don't leave the default in place:
65535 allow ipv6 from any to any
Rule 65535 is the kernel's built-in default and cannot be deleted, so the only way to neutralize it is to give it a lower-numbered friend like:
65534 deny ipv6 from any to any
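Putting the pieces together, here is a hypothetical /etc/rc.firewall written for this post as an added example, not the author's own config: an IPv4 ruleset for ipfw that ends in a logged deny at 65500, a stateless IPv6 ruleset for ip6fw that ends in 65534 deny, and a small lint that refuses a ruleset which lands in rule 65535, contains an allow from any to any that is not pinned to lo0, or does not end in a catch-all deny. The binary paths, the -q flag on ip6fw, the "apply" action word and the verbose sysctl are assumptions about Leopard; the function names are mine.

```shell
#!/bin/sh
# Hypothetical /etc/rc.firewall for OS X 10.5.1 (added example, not the
# post's own config). ipfw owns IPv4, ip6fw owns IPv6; ip6fw has no
# check-state, so the v6 side is plain stateless deny. Binary paths are
# assumptions for Leopard.
IPFW=${IPFW:-/sbin/ipfw}
IP6FW=${IP6FW:-/sbin/ip6fw}

# IPv4 ruleset as text, so it can be reviewed and linted without root.
# Loopback, anti-127/8 spoofing, stateful outbound, DHCP replies for
# configd, then a final logged deny. mDNS (udp 5353) is deliberately not
# opened; add inbound allows below 65500 if you need them.
ipv4_rules() {
    cat <<'EOF'
add 100 allow ip from any to any via lo0
add 110 deny ip from any to 127.0.0.0/8
add 120 deny ip from 127.0.0.0/8 to any
add 200 check-state
add 210 allow tcp from me to any out setup keep-state
add 220 allow udp from me to any out keep-state
add 230 allow icmp from me to any out keep-state
add 240 allow icmp from any to me in icmptypes 3,4,11
add 250 allow udp from any 67 to any 68 in
add 65500 deny log ip from any to any
EOF
}

# IPv6: loopback only, then deny everything just below the kernel's
# undeletable 65535 allow.
ipv6_rules() {
    cat <<'EOF'
add 100 allow ipv6 from any to any via lo0
add 65534 deny ipv6 from any to any
EOF
}

# Lint a ruleset read from stdin. Fails on: a line that is not "add N ...",
# a rule number in the kernel's default slot (65535), an allow that matches
# "from any to any" without being pinned to lo0, or a final rule that is
# not a catch-all deny (the mistake the post warns about).
lint_rules() {
    awk '
        NF == 0 { next }
        $1 != "add" || $2 !~ /^[0-9]+$/ { bad = "unparsed: " $0; exit 1 }
        $2 >= 65535 { bad = "default slot: " $0; exit 1 }
        $3 == "allow" && /from any to any/ && !/via lo0/ { bad = "open allow: " $0; exit 1 }
        { last = $0 }
        END {
            if (bad == "" && last !~ /^add [0-9]+ deny .*from any to any/)
                bad = "last rule is not a catch-all deny: " last
            if (bad != "") { print bad > "/dev/stderr"; exit 1 }
        }'
}

# Push both rulesets into the kernel, refusing to touch anything if either
# fails lint. Each rule line is word-split on purpose so ipfw/ip6fw receive
# the rule as separate arguments.
apply_rules() {
    ipv4_rules | lint_rules || return 1
    ipv6_rules | lint_rules || return 1
    "$IPFW" -q flush
    ipv4_rules | while read -r rule; do
        [ -n "$rule" ] || continue
        set -- $rule
        "$IPFW" -q "$@"
    done
    "$IP6FW" -q flush
    ipv6_rules | while read -r rule; do
        [ -n "$rule" ] || continue
        set -- $rule
        "$IP6FW" -q "$@"
    done
    # Hits on the "deny log" rule only reach syslog with verbose logging on.
    /usr/sbin/sysctl -w net.inet.ip.fw.verbose=1 >/dev/null
}

# Dispatch only on an explicit action, so running the file with no
# argument (or sourcing it) changes nothing.
case "${1:-}" in
    show)  ipv4_rules; ipv6_rules ;;
    lint)  ipv4_rules | lint_rules && ipv6_rules | lint_rules ;;
    apply) apply_rules ;;
esac
```

Run sh /etc/rc.firewall lint as an ordinary user before you ever run sh /etc/rc.firewall apply as root; the lint is what stops a typo from turning the 65534 deny into a 65535 no-op, or from shipping an allow from any to any that quietly undoes the final deny.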
Labels: ipfw, OSX, Leopard, security