On 20th of this month, lmh of MoKB fame posted a security advisory claiming that:

Mac OS X com.apple.AppleDiskImageController fails to properly handle corrupted DMG image structures, leading to an exploitable memory corruption condition with potential kernel-mode arbitrary code execution by unprivileged users.

(the bold highlighting is his, not mine, and is clearly intended to shock.)

A supposedly more complete description of the problem was posted here, and was subsequently “validated” by a third-party security company, Secunia, who rate it as a highly critical security flaw, allowing privilege escalation, denial of service and compromise of a vulnerable system. [Secunia tell me that they did not validate the issue, though they have been reported as having done so by others.]

This issue has been given a variety of numbers by various people, including:

• CVE-2006-6061
• CERT VU#367424
• BID 21201
• FRSIRT ADV-2006-4629
• SECTRACK 1017260
• Secunia 23012
• X-Force macosx-dmg-code-execution(30440)

Many of the above links are to organisations who people trust to provide authoritative security information. Indeed, so serious, apparently, is this bug, that it's even made the BBC News site, not once, but twice.

It is a shame, therefore, that lmh didn’t do his homework properly before writing his advisory. It is even more of a shame that all of these people trusted what was written by someone who couldn’t be bothered to analyse the kernel panic he’d triggered properly or to work out what the flaw was that he’d found.

I doubt this would normally even have been noticed. But lmh made a mistake when he accused me of being someone who “doesn’t bother reading, checking and… [being] willing to say something that doesn’t make sense at all” and then subsequently ignored my advice not to mistake me for someone who didn’t know what they were doing.

As as a result of his comments on his site, and with some cajoling from Matasano Security’s Thomas Ptacek, I decided to investigate further.

Guess what I found? Not only is lmh’s diagnosis completely incorrect, but the problem isn’t a security flaw at all, let alone a critical, highly critical, or warn-everyone-via-the-BBC type event.

Now, I should say, that I’m wary of suggesting that disk images are totally safe. There’s a lot of code involved in mounting and reading/writing a disk image, and quite a bit of that runs in kernel mode. But I am pretty peeved at the way that this issue has been so widely publicised, attracting a great deal of attention for lmh and MoKB, when in actual fact there is no such security flaw. I’m also upset that none of the security companies listed above, especially Secunia who put out a press release saying that they’d “verified” the problem [Secunia tell me that this is untrue.], actually did sufficient analysis to realise that. Hopefully in future they will do their jobs properly and actually go through the kernel code like I did.

Continue reading “dmg vulnerability debunked” $raquo;

Posted by alastair at 2:42 PM Digg It | Permalink | Comments (16) | TrackBacks (0)

I’ve just exchanged some U.S. Dollars for Pounds Sterling at a rate of two dollars to the pound. That is, one United States Dollar is now worth 50 pence.

I know in the past that it used to be worth even less than that. I think the peak may have been about 13 dollars to the pound some time in 1864, but for much of my adult life it’s been somewhere in the 1.5 to 1.75 range.

Most normal people don’t really care about the exchange rates. Unfortunately, however, I’m running a software business from the United Kingdom, and a large proportion of my customers are in the United States. That makes my business extremely sensitive to the exchange rate; the difference in takings caused by exchange rate fluctuations can be literally thousands of pounds. I really can see the difference it’s making to my bottom line… my company has to sell up to 14% more in order to make the same money it was making this time last year!

If things keep going the way they are, we’ll very likely have to increase our U.S. Dollar prices.

Posted by alastair at 11:34 AM Digg It | Permalink | Comments (11) | TrackBacks (0)

It's ironic that MoKB have replied to my post about dmg kernel panics by accusing me of not:

reading, checking and…[being] willing to say something that doesn't make sense at all.

They also continue to imply that dmg crashes really are a new discovery. Apparently it’s not enough that I'm a disk utility developer and therefore stand really quite a considerable chance of having seen one. No, it seems that it only happened if I announced it publicly, which I didn’t.

In fact, I reported such a bug to Apple so long ago that it’s now no longer listed in the “My Originated Problems” page on their Bug Reporter. I think I even sent them a dmg file that triggered a kernel panic when it opened, though it’s possible that I just documented the bug in question. The particular bug that I reported was certainly fixed, I know that much.

I also quite enjoy the way that they quote my remark about crashes not necessarily being (or implying the existence of) exploits and use it to imply that I’m some kind of Mac zealot. What they don’t say is that I mentioned that this criticism wasn’t operating system specific. I’m just as unhappy about similar leaps of faith (“Oh, it crashed… well that must be an exploit then!”) on the Windows side.

They then go on to say that “the definition of a 'crash' in kernel-land has quite a few possible meanings”. Ignoring the ungrammatical nature of that sentence, they proceed to conflate types of crash with causes of crashes, then fail to define the term “exploit” in any kind of meaningful way.

But let’s be clear, and let’s define “crash” and “exploit” (something MoKB’s post said it was going to do, then didn’t):

crash

…to break down or cause (a computer system or program) to break down completely…

exploit

vt to gain control of a computer system or program (usually without authorisation) by taking advantage of a flaw in the design of that system or program. — n a tool or technique for gaining control of a computer system or program.

The former definition comes from The Chambers Dictionary. The latter is my own. I haven’t included all the other meanings of the two words, since they aren’t in dispute here. It should be quite clear from the definitions that crashes and exploits are quite distinct things, contrary to what Brian Krebs’ article implies.

Now, it is true that some crashes are indicative of an exploitable bug, and that still others can be misused as part of a deliberate denial of service attack. But a crash is not an exploit. It doesn’t even mean that an exploit is possible! Interestingly, despite disputing this fact when I originally mentioned it, MoKB go on to state it themselves, saying that

Basically exploiting a bug a [sic] in kernel-land requires some conditions to be met:

and then listing a few such conditions (there are more that they don’t mention).

Anyway, MoKB people, please understand that I have a lot of experience with low-level issues. You aren’t going to steamroller your way through me by claiming that I’m just some random Mac blogger (which isn’t true) or that I “don’t understand”. I do understand; I used to work as an embedded systems developer and even before that I was patching bugs in software I owned, breaking into computer games so I could cheat, re-writing bits of my machine’s operating system so they worked better, etc… These days, I write disk utilities, though I still tinker with other things.

Trying to mischaracterise me as someone who “doesn’t know what they’re talking about” because I happen not to agree with you is just a very good way to make yourselves look foolish. But go right ahead, if you’re determined.

Posted by alastair at 11:36 AM Digg It | Permalink | Comments (3) | TrackBacks (0)

Here’s my latest attempt at Saturn. It looks sharper through the eyepiece, so I’m sure I should be able to do better.

I’m thinking about buying myself a 5x Powermate, which will mean fewer things hanging off the back of the telescope, meaning that the camera will be in a better position for focusing (presently I have to have my Barlow lens almost hanging out of the back of the ’scope in order to get the CMOS sensor in the focal plane—well, to the extent that it actually is, anyway).

Posted by alastair at 11:05 AM Digg It | Permalink | Comments (0) | TrackBacks (0)

Yes, it really is possible to panic your Mac by mounting a dmg file. Those of us who work with the filesystem have known that this is possible for ages; I know I’ve reported at least one instance of this problem to Apple in the past.

Of course, it's more painful for us because it often happens when we're trying to do something new on an external hard disk (yes, it’s possible to get things such that you can’t connect your external disk without the kernel panicking). When that happens, you have to send SIGSTOP to the Disk Arbitration daemon to prevent it from automounting the disk the moment it’s attached. (You can’t just kill it, because it’s automatically respawned if it dies.)

Anyway, this is hardly new. And as usual the reports in the media are distorted, for instance, Brian Krebs writes:

“the crash report generated after I used Safari to click on the file indicated that the exploit had indeed resulted in a "kernel panic," which in most cases means that if someone wanted to use the exploit to install malicious code, they could do so regardless of the security settings or precautions already present on the machine”

conveniently ignoring the fact that this is still just a crash, not an exploit, and that not all crashes are actually exploitable anyway. (This complaint would be valid whatever operating system we were talking about.)

I was also amused to read on the Matasano Security blog comments that make it sound like the problem of user-mounted filesystems is unique to Mac OS X. That isn’t true, of course. Windows lets non-administrators mount all kinds of removable media, and Windows Vista apparently has similar disk image support to Mac OS X. UNIX and Linux set-ups also frequently allow users other than root to mount filesystems, and virtualisation products like VMWare commonly install drivers that allow their users to mount virtual disk images by double-clicking, just like a dmg file.

That said, it is true that Mac users are currently more vulnerable in this regard than people on most other platforms, because downloadable disk images are not nearly so widespread on the other operating systems (yet), which makes John Gruber’s advice to disable Safari’s auto-open feature an even better idea than it already was.

Posted by alastair at 10:28 AM Digg It | Permalink | Comments (3) | TrackBacks (0)

Over the past few months, I’ve been getting increasingly into astronomy. Initially I wanted to start with just a telescope, as I spend a lot of time during the day working on computers so I didn’t really want to spend more time as part of my new hobby.

Recently, however, I’ve started to get interested in astrophotography. My current set-up is pretty straightforward; I have an STF Mirage 7" telescope, mounted on an EQ-5 mount with the Skywatcher dual-axis drive system. When I’m taking photos, this is coupled to a Canon EOS 400D DSLR camera; currently I have adapters for eyepiece projection and prime focus photography (I realise that this is backwards; normally people start with piggy-back set-ups because they’re easier and you can get some good photos that way, but I don’t have a suitable bracket for that yet).

As my scope has a focal length of 1800mm, I was pleasantly surprised to discover that, at prime focus, the EOS camera gives almost the same field of view as my 25mm eyepiece (it’s a bit smaller, so I can’t quite fit the full moon into the frame in the camera whereas it does fit into the field of the 25mm Plössl eyepiece).

Anyway, I was quite pleased with my second attempt at photographing the Great Nebula in Orion:

This was generated from a stack of 50 or so photographs of around 10 seconds each at ISO 800. Some tweaking was necessary to get the image to look like this; my camera is a stock EOS 400D, rather than an astro-modified one, so it doesn’t capture the nebulosity as well as it might. That said, I’m very pleased with this picture.

I also had a go at capturing Saturn using eyepiece projection, but sadly I couldn’t seem to achieve good focus with the Barlow lens in the system. The CMOS sensor in the camera is definitely in the focal plane for some setting of the telescope’s focuser, because I can defocus on both sides (i.e. I can turn the focus knob until it looks focused in the viewfinder, and I can then continue to turn it in the same direction until it defocuses again). Of course, with a Barlow and the T mount adapter for the camera, it’s getting a bit silly with everything hanging off the end of the telescope, but I should still be able to take reasonable pictures of Saturn I think as it’s quite bright and therefore doesn’t need long exposures.

Posted by alastair at 3:40 PM Digg It | Permalink | Comments (0) | TrackBacks (0)

What with today’s weather consisting of sunshine and showers, it isn’t perhaps surprising that we’ve had a rainbow in the sky this afternoon. However, this is a particularly impressive rainbow… often they’re quite faint but this was really bright. Here’s a picture taken from the top of our house:

and here’s a slightly zoomed-in picture of the base of the rainbow:

You can see how clear it is in the close-up picture below, where you can even clearly see the violet end of the spectrum on the left of the arc. Often rainbows are so faint that this is nearly impossible to see, but it’s quite clear here (and I haven’t tweaked the image to make it any clearer):

Posted by alastair at 3:21 PM Digg It | Permalink | Comments (0) | TrackBacks (0)

I'd just got everything ready to go off to Clanfield, the observatory site run by Hampshire Astronomical Group, when I found that my car won’t start. It isn’t even turning the engine over, though the battery is fine, which leads me to suspect the solenoid.

I’m rather disappointed, because this was to be my first trip there as a member (well, almost a member anyway… they need to have a meeting to consider the new applications), and I was looking forward to meeting some of the other members as well as the chance to watch my first meteor shower (the Leonid shower, which should peak early on Sunday morning according to current predictions). Though I had been wondering if there was more chance of watching a rain shower than a meteor shower (but the weather men claim it will clear up later, which doesn’t look impossible from the latest infra-red satellite images from the Met. Office).

I’ve also missed a discussion about whether or not life is sufficiently unlikely to develop that it might be a rarity, which is annoying as well. Personally, I find it extremely unlikely that there aren’t many other civilisations similar to our own; indeed, I fully expect that we’ll even find life floating in deep space, between the stars, and I don’t just mean bacteria either. The universe is so stunningly, unimaginably huge, and life is so much tougher than everyone tends to assume—as, indeed, it has developed something of a habit of proving in recent years, what with bacteria in rocks, organisms at the bottom of the sea around the oceanic vents, and yet more organisms in streams of boiling water in volcanic regions of our planet.

We even have evidence that Earth-born organisms can survive vacuum, radiation exposure, deep cold and indeed launch. So how arrogant we would be to presume that nowhere amongst the billions upon billions of stars we see shining in the night sky could there be any organism that could evolve and live under such conditions.

Posted by alastair at 7:41 PM Digg It | Permalink | Comments (0) | TrackBacks (0)

Is it just me, or is the Zune tag-line “Welcome to the social” just irredeemably “chav”?

Here’s the box:

and there's even a dialog box to prove that we aren’t missing anything:

Maybe this will work in the United States, but over here, “Welcome to the social” is usually voiced in a thick accent and tends to mean “Welcome to the Department of Social Security office”, or “Welcome to the social security system” (or possibly “welcome to the local working men’s club”, depending on the context). There’s nothing wrong with that, of course, but it probably isn’t the type of image that Microsoft want to project if they’re going to try to compete with an image-conscious high-value product like the iPod.

(The pictures are from flx-tech.net, where a user reports that the install program didn’t work on the Zune he managed to lay his hands on before the official release.)

Posted by alastair at 4:13 PM Digg It | Permalink | Comments (1) | TrackBacks (0)

Having recently taken up astronomy, I now find myself constantly wishing that the weather here were better. Tonight was frustrating for me, because it was pretty dark, but there's a lot of moisture outside here at the moment, which means dew everywhere, and also some very irritating high cloud has developed. Irritating because it reflects light back down from street lamps, but also because the Moon is out, and illuminating half the sky.

On the plus side, I did practice the one of the more complicated polar alignment methods, and also (I think) managed to do a reasonable job of focussing my camera through its viewfinder. (For those who haven't tried astrophotography, this is surprisingly tricky.)

Posted by alastair at 11:54 PM Digg It | Permalink | Comments (0) | TrackBacks (0)