Mac OS X 10.1 Security Issues Fixed
Mac OS X 10.1’s significant improvements in performance and usability may have plenty of people considering a switch from the reliable workhorse of Mac OS 9, but it seems clear we can never go home again with regard to the issue of security. A number of security issues, most with Mac OS X’s Unix underpinnings, have surfaced since the operating system’s initial release, and although the Mac OS X 10.1 release offered fixes for a number of concerns that had arisen, three more cropped up almost immediately. One affected Internet Explorer 5.1, another dogs WebDAV and iDisk, and a third enables any application to run with root privileges. Apple reacted more quickly than in the past, publishing a workaround for the Internet Explorer problem within days and offering fixes for the Internet Explorer and root access problems on 19-Oct-01, less than three weeks after Mac OS X 10.1 shipped.
That’s good, but other aspects of Apple’s approach to addressing security issues remain problematic. After an initial quiet period following the release of Mac OS X 10.0 during which many (including TidBITS) called for Apple to make public statements about security breaches, Apple finally created a security announcement mailing list and a set of related Web pages, one of which lists security updates to Mac OS X. Unfortunately, the mailing list has been used only once since it was created in May of 2001, and then only to tell subscribers to visit the Security Updates page. Worse, that page has not yet been updated to explain the 19-Oct-01 fixes. Even if it’s not completely up to date, it’s worth visiting that page periodically to see at least those security concerns Apple has acknowledged and addressed.
Let’s look at the three recent issues, including the concern with WebDAV and iDisk, which remains outstanding.
Mac OS X Easily Rooted — Although we generally think of crackers taking over machines remotely over the Internet, local exploits are becoming a concern to some users given Mac OS X’s Unix underpinnings and multi-user capabilities,. In previous versions of the Mac OS, anyone who could sit down at a Mac unprotected by third-party software (or in Mac OS 9, Apple’s built-in file encryption) could access any data on the Mac. The old Multiple Users feature was helpful for keeping kids from messing up a Mac, but wouldn’t stop anyone who wanted to break through. With Mac OS X, though, there’s more of an assumption of security, so it was troubling to discover that there was a trivially easy way to gain root access for anyone at the desktop, even if you’ve never enabled root access. All you had to do was launch certain applications that always run as root (like NetInfo Manager, Disk Utility, or Print Center), then launch another application from the Apple menu’s Recent Items menu (or from anywhere in the Apple menu). Apple fixed this problem with Security Update 10-19-01, available via the Software Update preferences panel (choose About this Mac from the Apple menu, then click "Version 10.1". If "Version 10.1" is replaced with "Build 5L14", you have the fix.) You may still find it interesting to read Stepwise.com’s explanation of how this breach worked.
Why was this a concern? From the Unix perspective, root access is a big deal, since it gives someone complete control over the machine despite any previous restrictions. But from the perspective of a normal Mac owner, who likely has only a single user and has that user set to login at startup, this security hole wasn’t a major concern. I’m far less worried about someone gaining root on my iBook locally than stealing it, which seems a lot more likely given the need to have physical access to the machine. To be fair, the discovery of this exploit also points out the need to be careful with remote control programs like Netopia’s Timbuktu Pro and the various VNC servers and clients.
For an additional bit of perspective, remember that anyone can reboot a Mac OS X system using a Mac OS installation CD or a copy of Mac OS 9 installed on the hard disk. Afterwards, this person has full control of the system, since Mac OS 9 doesn’t recognize or honor Mac OS X file permissions on local disks. Apple is working on securing Open Firmware to close these holes, but Open Firmware restrictions can still be bypassed by resetting Open Firmware or transplanting the disk to another computer. As a result, this local root exploit is best thought of a reminder that anyone with physical access to a machine effectively has full control over it, despite any software security short of an encrypted filesystem.
Internet Explorer 5.1 Automatic Execution — By default, Microsoft Internet Explorer 5.1 is set to decode MacBinary and BinHex files automatically during download. Nothing new here, and that’s not a security concern. But for some reason under Mac OS X 10.1, Internet Explorer 5.1 automatically launched at least some applications that were encoded in MacBinary or BinHex without being compressed by StuffIt as well. With normal applications, that wouldn’t be a problem, but if someone posted a Trojan horse – a malicious application that masqueraded as something benign – damage could result. It’s not entirely clear what types of applications (Classic, Carbon, Cocoa, etc.) would be automatically launched or why, but it’s moot now that Apple has released Internet Explorer 5.1.3 via the Software Update preferences panel. If you aren’t able to update right away for some reason, the problem is easy to work around. In the Download Options pane of Internet Explorer’s Preferences window, turn off "Automatically decode MacBinary files" and "Automatically decode BinHex files." Changing these settings has no functional liability; all it does is cause Internet Explorer to hand off decoding tasks to StuffIt Expander rather than performing them internally.
iDisk via WebDAV Exposes Passwords — In Mac OS X 10.1, Apple modified the Finder so it accesses your iDisk via WebDAV rather than the older Apple Filing Protocol (AFP). Unfortunately, as Alan Oppenheimer of Open Door Networks has pointed out, Mac OS X’s WebDAV implementation sends your password as unencrypted text across the Internet. This is a violation of the WebDAV specification and basic security principles. Someone who could monitor your Internet connections could discover your password and use it to access your iDisk and mac.com email account (and since many people reuse the same password many times, other services could be compromised as well). AFP remains secure, but to use it you must access your iDisk by choosing Connect to Server from the Go menu and then typing "afp://idisk.mac.com" (after which you can make an alias to the iDisk or add it to your Favorites for easier future access). FTP also sends passwords as unencrypted text, so your level of concern here should match your level of concern over exposing passwords via FTP. If you must use FTP or iDisk via WebDAV, common sense would dictate not reusing passwords used for those services with more sensitive services. As an alternative for FTP, try Interarchy 5.0.1 or RBrowser, both of which can use SSH encryption (built into Mac OS X 10.0.4 and later) for secure connections.
As far as we can tell, this WebDAV security hole was not fixed in the Security Update 10-19-01, although Apple is aware of the problem. A related discussion on TidBITS Talk indicated that Mac OS X 10.1’s WebDAV implementation may support only Basic authentication, which eliminates one of the significant advantages of WebDAV over FTP.
The moral of the story is that it’s definitely worth letting Software Update look for updates regularly, since that will almost certainly be the fastest way to receive any updates that Apple releases. In the meantime, if you’re interested in learning more about some of the basics of security in relation to Mac OS X, Roland Miller has posted a report about 10.0 that applies in large part to 10.1 as well.