Friday, March 20, 2009
Hardening Safari 4 OS X in light of p0wning by Charlie Miller
It is an old news, but Safari , both version 3 and version 4 is "hacked" or p0wned. According to Charlie Miller, dude :-) , and his friends, it was very easy.
If you read some papers available on his site you will find out a fascinating Java Script exploit that probably can be called classics by now and as it seems Apple is aware of the mess, but did not do anything for more then a year : he claims that 2009 "p0wn" bug is essentially the same bug he found in 2007.
Now, may be , we fun boys still have time ( may be not) thanks to small popularity of our beloved platform, but it may be true that OS X is "less ready" to "tough realty" in comparison to Windowz that is suffering from hackers for years or even decades :-)
For the record: All Platforms and all browsers WAS hacked. It does not matter what went down first: I guess Mac was first because everybody wanted to get "p0wned" machine. So, no, you are not safer with Windows. Even so Vista + FireFox 3.0 seems to be a hardest combination ( if configured right of course), but , as I said, if you
go to the "bad site" or executed a trojan than you are the only one to blame for that :-)
Now, it is not all that bad: hackers did not found a remote exploits this year. While it does not mean there is none, it is calming, after famous Windows worm you probably know about.
So, what poor man ( Apple fun boy) do?
Before Apple reply try to make your Mac more secure. This called "hardening".
First some data points:
1) All browsers on OS X ( Safari, Firefox ) can be hacked per hackers, duh :-)
2) OS X is too friendly, memory layout is very predictable ( we know that, thank you very much)
3) You risking when you go to "bad" web sites. ( Well, Mac is no longer for p0rn! :-))
4) There are cases when malware was distributed via ads on a "good sites"
5) When you execute some thing it can be bad for you ... duh ... you know...
6) Did we say do not open mail from strangers or open attachments that you got even from friends? :-) Web mails like GMail or yahoo have virus scanner and may help as well as they have preview and you can upload documents to Google Documents to make them "safer"
There are extra measures you can take, if you are paranoid like me :
1) Firewall
Go to System Preferences. Security.Firewall. Pick last option: "Set access for specific services and applications" and watch the list. This is a most secure option.
You may also check all in "Advanced" dialog. Just in case ;-)
I hope you are behind NAT firewall of your router as well.
I do hope you never connect to un-trusted WiFi and that you house WiFi have WAP ( even so it is broken, but ... it is better than nothing )
2) Browsers , say Safari
This is a most important step for CURRENT situation. First, you should understand that you gonna loose some of connivence and functionality to gain some more security. Sucks, I know.
OK. Open Safari and go to Preference.
a) First tab : Uncheck "open safe files"
b) Security tab:
Uncheck : Enable plugins
UNCHECK: Enable Java
UNCHECK : Enable JavaScript
Make sure that these checked:
Warn when visition a fraudulent website
Ask before sending a non-secure form.
You will have to keep Accept cookies for at least : Only from sites I visit or Gmail and others will stop working.
Now you, can enable briefly JavaScript if you 100% sure about site and 100% need it ( for work for example). Do not do it for p0rn sites! :-)
You may want to do same with FireFox.
Opera browser was not tested, but it might be more secure ( less main stream).
Google Chrome was best, but it is not yet available on OS X.
3) System
Make sure it updated and keep updating: may be even make it daily. Check that it is working: in some cases, when say Mac log out or go down during update, cash may get fuzzy. In this case Update may stack. Happened to me :-) You need to Google and find 3 places you have cash on your system and then wipe it. I amy put a link here latter, it is not 100% relevant for this particular post. But DO fix update if this is broken.
There is another place : Remote Sharing . Check it out. Make sure you do not have much checked there if at all. There are OLD trick to enable REMOTE MANAGEMNT, but have it for " ONLY THESE USERS" ( even if it is empty). I do not know if Apple fixed that or not, but apparently it was more secure this way ( more system checks).
I will put some other tips here if I will recall or find out some new ones.
Keep it safe and have fun!
4) Applications
Adobe have a lot of security holes, some still un-pacthed.
If you have Acrobat or Reader go there and
a) DISABLE JavaScript !!!!
b) DISABLE Browser pluging : do not let Adobe open PDF in Safari.
I would recommend mitigate M$ Applications if you can same way.
Also, keep them updated.
Flash is another dark pony: you should go to www.Adobe.com and on your right see a get Flash and shock.
Check your \Library\Internet Plug-ins ( get Info) and see: if you have old version ( say 9.0) you may be screwed.
You have to update to latest ( 10? now) or disable it ( plugin in browser)
... As well as Apples own Quick Time.
5) User: you may create a "less privileged" user and use it to browse :-0
6) Virtualization: you can install a Sun's free Virtual Box and put say some Ubunty on it with FireFox ;) Keep a fresh image and swap it back after you done with session.
While malware can get out of VM, it is very hard and on OS X+Virtual Box+Linux+FireFox may be harder to do and find in the wild. That is yet another solution if you must have JavaScript .
7) Other box: if you are super paranoid, make a Linux ( Ubuntu or other ) box for internet browsing :-) make it boot each time from CD or USB Flash to keep it clean.
Well, when you absolutely need it, you may play with JavaScript ON/OFF ( when you need) and may be Googles Chrome or Apple updates ( Snow Leopard ?) will bring us some more safety in our so far, tfu tfu tfu ... small and safer little Mac world :-)
If you read some papers available on his site you will find out a fascinating Java Script exploit that probably can be called classics by now and as it seems Apple is aware of the mess, but did not do anything for more then a year : he claims that 2009 "p0wn" bug is essentially the same bug he found in 2007.
Now, may be , we fun boys still have time ( may be not) thanks to small popularity of our beloved platform, but it may be true that OS X is "less ready" to "tough realty" in comparison to Windowz that is suffering from hackers for years or even decades :-)
For the record: All Platforms and all browsers WAS hacked. It does not matter what went down first: I guess Mac was first because everybody wanted to get "p0wned" machine. So, no, you are not safer with Windows. Even so Vista + FireFox 3.0 seems to be a hardest combination ( if configured right of course), but , as I said, if you
go to the "bad site" or executed a trojan than you are the only one to blame for that :-)
Now, it is not all that bad: hackers did not found a remote exploits this year. While it does not mean there is none, it is calming, after famous Windows worm you probably know about.
So, what poor man ( Apple fun boy) do?
Before Apple reply try to make your Mac more secure. This called "hardening".
First some data points:
1) All browsers on OS X ( Safari, Firefox ) can be hacked per hackers, duh :-)
2) OS X is too friendly, memory layout is very predictable ( we know that, thank you very much)
3) You risking when you go to "bad" web sites. ( Well, Mac is no longer for p0rn! :-))
4) There are cases when malware was distributed via ads on a "good sites"
5) When you execute some thing it can be bad for you ... duh ... you know...
6) Did we say do not open mail from strangers or open attachments that you got even from friends? :-) Web mails like GMail or yahoo have virus scanner and may help as well as they have preview and you can upload documents to Google Documents to make them "safer"
There are extra measures you can take, if you are paranoid like me :
1) Firewall
Go to System Preferences. Security.Firewall. Pick last option: "Set access for specific services and applications" and watch the list. This is a most secure option.
You may also check all in "Advanced" dialog. Just in case ;-)
I hope you are behind NAT firewall of your router as well.
I do hope you never connect to un-trusted WiFi and that you house WiFi have WAP ( even so it is broken, but ... it is better than nothing )
2) Browsers , say Safari
This is a most important step for CURRENT situation. First, you should understand that you gonna loose some of connivence and functionality to gain some more security. Sucks, I know.
OK. Open Safari and go to Preference.
a) First tab : Uncheck "open safe files"
b) Security tab:
Uncheck : Enable plugins
UNCHECK: Enable Java
UNCHECK : Enable JavaScript
Make sure that these checked:
Warn when visition a fraudulent website
Ask before sending a non-secure form.
You will have to keep Accept cookies for at least : Only from sites I visit or Gmail and others will stop working.
Now you, can enable briefly JavaScript if you 100% sure about site and 100% need it ( for work for example). Do not do it for p0rn sites! :-)
You may want to do same with FireFox.
Opera browser was not tested, but it might be more secure ( less main stream).
Google Chrome was best, but it is not yet available on OS X.
3) System
Make sure it updated and keep updating: may be even make it daily. Check that it is working: in some cases, when say Mac log out or go down during update, cash may get fuzzy. In this case Update may stack. Happened to me :-) You need to Google and find 3 places you have cash on your system and then wipe it. I amy put a link here latter, it is not 100% relevant for this particular post. But DO fix update if this is broken.
There is another place : Remote Sharing . Check it out. Make sure you do not have much checked there if at all. There are OLD trick to enable REMOTE MANAGEMNT, but have it for " ONLY THESE USERS" ( even if it is empty). I do not know if Apple fixed that or not, but apparently it was more secure this way ( more system checks).
I will put some other tips here if I will recall or find out some new ones.
Keep it safe and have fun!
4) Applications
Adobe have a lot of security holes, some still un-pacthed.
If you have Acrobat or Reader go there and
a) DISABLE JavaScript !!!!
b) DISABLE Browser pluging : do not let Adobe open PDF in Safari.
I would recommend mitigate M$ Applications if you can same way.
Also, keep them updated.
Flash is another dark pony: you should go to www.Adobe.com and on your right see a get Flash and shock.
Check your \Library\Internet Plug-ins ( get Info) and see: if you have old version ( say 9.0) you may be screwed.
You have to update to latest ( 10? now) or disable it ( plugin in browser)
... As well as Apples own Quick Time.
5) User: you may create a "less privileged" user and use it to browse :-0
6) Virtualization: you can install a Sun's free Virtual Box and put say some Ubunty on it with FireFox ;) Keep a fresh image and swap it back after you done with session.
While malware can get out of VM, it is very hard and on OS X+Virtual Box+Linux+FireFox may be harder to do and find in the wild. That is yet another solution if you must have JavaScript .
7) Other box: if you are super paranoid, make a Linux ( Ubuntu or other ) box for internet browsing :-) make it boot each time from CD or USB Flash to keep it clean.
Well, when you absolutely need it, you may play with JavaScript ON/OFF ( when you need) and may be Googles Chrome or Apple updates ( Snow Leopard ?) will bring us some more safety in our so far, tfu tfu tfu ... small and safer little Mac world :-)
Labels: Hardening Safari 4 OS X
Subscribe to Posts [Atom]
