Thursday, December 18, 2014

OS X PowerPC Security Holes Katy Perry Kate Upton Chili Hot Dogs!!!

Given that Leopard and below are no longer supported by Apple, it's reasonable to expect security holes to pop up every now and then, and though Apple will never officially patch them, we PowerPC users can at least come up with the necessary workarounds. The only problem is, news of these vulnerabilities is a bit scattered, so I wanted to put up one post that compiles all the security holes you should be aware of when running OS X on PowerPC--hence the clickbait title, I want everyone to see this (sorry, Katy and Kate fans). This post will also be linked on the right and updated as more security holes are discovered.

Here's the big list. Honestly, this is mostly a matter of linking to posts on Cameron Kaiser's TenFourFox Development blog, since he wrote the bash replacement below and knows as much about this as anybody:

1) Yes, the bash that ships with your PowerPC Mac is vulnerable to the Shellshock bug, where a function definition smuggled in through an environment variable gets extra commands executed as a side effect of bash starting up. Cameron Kaiser was nice enough to build a new version that fixes the flaw, so we PowerPC users can rest easy (it also works for Snow Leopard). On a Mac the bug matters wherever untrusted input can end up in bash's environment, CGI scripts under Web Sharing being the classic case, so install the fixed build even if you never open Terminal.
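A quick way to check any bash binary on the machine, added here as an example (it is the widely circulated Shellshock one-liner wrapped in a function; it is not Cameron's code or part of the original post). It defaults to the bash on your PATH, so pass the path to the replacement build explicitly to confirm the install took:

```shell
#!/bin/sh
# Added example: test a bash binary for the original Shellshock bug, in which
# bash executes commands appended to a function definition that arrives in an
# environment variable. Usage: shellshock_check [/path/to/bash]
# Prints one of: vulnerable | patched | no-bash

shellshock_check() {
    bash_bin=${1:-$(command -v bash 2>/dev/null || true)}
    if [ -z "$bash_bin" ] || [ ! -x "$bash_bin" ]; then
        echo "no-bash"
        return 0
    fi
    # The exported variable looks like a function body followed by a stray
    # command. A vulnerable bash runs "echo vulnerable" while importing it;
    # a fixed bash just runs the -c command and prints "test".
    out=$(env 'x=() { :;}; echo vulnerable' "$bash_bin" -c 'echo test' 2>/dev/null) || out=""
    case $out in
        *vulnerable*) echo "vulnerable" ;;
        *)            echo "patched" ;;
    esac
    return 0
}

# Check the system bash and whichever bash is first on PATH; they can differ
# once a replacement build is installed.
for candidate in /bin/bash "$(command -v bash 2>/dev/null || true)"; do
    [ -n "$candidate" ] || continue
    printf '%-24s %s\n' "$candidate" "$(shellshock_check "$candidate")"
done
```

A "patched" result only means the first Shellshock fix is present. The original patch was incomplete and follow-up fixes came out within days, so what you want installed is a build from after those, not merely one that passes this test.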

2) SSLv3 is no longer safe (this is the POODLE attack: someone on the network path forces a connection down to SSLv3 and then uses a padding flaw to recover data such as session cookies). The solution here is to update TenFourFox and Tenfourbird to their latest versions, which disable SSLv3 outright; the only real fix is for the client to refuse to speak it. WebKit browsers that depend on the system SSL libraries remain vulnerable, since Apple won't be updating those on Tiger or Leopard (UPDATE: leopard-webkit now disables SSLv3 as well).

3) Certain versions of OpenSSL have a hole, the Heartbleed bug, which lets a remote peer read chunks of the process's memory (private keys and session data included) without leaving a trace. The older OpenSSL libraries bundled with Tiger and Leopard predate the bug and are not vulnerable, but if you have versions 1.0.1 through 1.0.1f installed through MacPorts or Homebrew/Tigerbrew, you'll want to update to the latest version (1.0.1g was the first fixed release).
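Here's an added example (mine, not from the post or from the MacPorts/Homebrew projects) that classifies the output of `openssl version` against that 1.0.1 through 1.0.1f range and runs the check over the places a Tiger/Leopard box usually has an openssl binary. The three paths are assumptions about where the system copy, MacPorts (/opt/local) and Homebrew/Tigerbrew (/usr/local) put theirs:

```shell
#!/bin/sh
# Added example: decide whether an "openssl version" string falls in the
# Heartbleed-affected range (1.0.1 through 1.0.1f). Prints:
#   vulnerable | ok | unknown

heartbleed_status() {
    case $1 in
        LibreSSL*) echo ok; return 0 ;;   # LibreSSL forked from OpenSSL after the fix
    esac
    # Keep only the version token: "OpenSSL 1.0.1e 11 Feb 2013" -> "1.0.1e"
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p')
    case $ver in
        '')                  echo unknown ;;
        1.0.1 | 1.0.1[a-f])  echo vulnerable ;;
        *)                   echo ok ;;
    esac
}

# Check every openssl that might be on the machine: the system copy plus the
# MacPorts and Homebrew/Tigerbrew prefixes (assumed install locations).
check_installed_openssl() {
    for bin in /usr/bin/openssl /opt/local/bin/openssl /usr/local/bin/openssl; do
        [ -x "$bin" ] || continue
        v=$("$bin" version 2>/dev/null) || v=""
        printf '%-26s %-32s %s\n' "$bin" "$v" "$(heartbleed_status "$v")"
    done
}

check_installed_openssl
```

A good version number on the command-line binary is necessary but not sufficient: a long-running program that loaded the old library keeps the bug until it is restarted, and anything that statically links or bundles its own OpenSSL keeps it until it is rebuilt, so after updating, restart (or rebuild) whatever uses the library.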

4) That handy tool sudo, which gives you root access from the command line, is vulnerable to an exploit. Check this post for the solution, and look down in the comments for how to do the edit with nano in case vi is a mystery to you. If the fix has you editing /etc/sudoers, always go through visudo (EDITOR=nano visudo works), since it checks the syntax before saving, and a broken sudoers file locks you out of sudo entirely.

5) Flash is not safe, and there is no current build for PowerPC, so the only real fix is to uninstall the plugin or leave it disabled in the browser.

6) Java is not safe. I've seen links about installing OpenJDK 7 on Leopard, but I don't know how feasible it is. You could also put Debian on a separate partition and run the latest Java from there.

7) Finally, your FireWire ports are vulnerable to physical attack: FireWire gives an attached device direct access to system memory (DMA), so anyone who can plug into a running or sleeping machine can read and write RAM, including passwords and disk encryption keys, without ever logging in. You can check out Adam Albrec's Security Mode scripts to secure your laptops from this and other vulnerabilities.

As said, this post will be continually updated as news develops. Hopefully the list won't get too long. ;-)

UPDATE I:

And I've been informed of yet another one. The DigiNotar certificate authority was compromised back in 2011 and used to issue fraudulent certificates, and its root certificate was never removed from Tiger and Leopard's trust store. That was the first time Apple released a security update that didn't include PowerPC, so maybe that's why I blocked it out. Follow the step-by-step instructions at $ ps | Enable (their mpkg automator didn't seem to change things for me) to distrust the certificate on your system. This flaw only affects you if you use Safari or another browser that relies on the system's certificate store. It does not affect TenFourFox, which carries its own Mozilla root certificates.

UPDATE II:

Via TenFourFox Development again, there are potential vulnerabilities in OS X's ntpd (Network Time Protocol daemon). This is what runs when you sync date and time automatically with Apple's time server in the Date & Time System Preference. I say potential because the typical user won't find themselves vulnerable, but people using ntpd in more elaborate ways (serving time to other machines, or with the daemon reachable from the internet) should read the referenced blog post. A new version compiled for PowerPC is linked there for download. If you don't need network time at all, unchecking the box is the simplest fix.

UPDATE III:

Time to get your FREAK on! That's FREAK for "Factoring Attack on RSA-EXPORT Keys": a man-in-the-middle tricks a client that still accepts 1990s export-grade RSA into using a 512-bit key, which is cheap to factor today. Once again, if you're using TenFourFox you're not vulnerable, but WebKit users (who go through the system SSL library) are. The comments on this post indicated (as of 3/8/15) that development on Leopard WebKit was continuing and an update that plugs the hole might be arriving soon; leopard-webkit has now been updated to plug it.

UPDATE IV:

This one's called Darwin Nuke and in theory lets an outsider trigger kernel panics on your system with a crafted ICMP packet. I say in theory because Cameron Kaiser reports he's unable to trigger a successful attack against his PowerPC systems. However, since the vulnerable code does exist in the Tiger and Leopard kernels, it's safest to block all incoming ICMP traffic on your router's firewall. On my Linksys router, this was already the default under Security --> Firewall with the setting "Block Anonymous Internet Requests". If you don't see anything comparable on your router, google your router's brand and "disable ICMP". ICMP is mostly used by network administrators for troubleshooting (ping, traceroute), so the average user won't miss it. The one caveat is that ICMP also carries "fragmentation needed" messages, so if some sites stop loading after you block it, path MTU discovery is the first thing to suspect.
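Your router only helps on your own network; a laptop on coffee-shop Wi-Fi is on its own. The following is an added example (not from the post) of doing the same block on the Mac itself with ipfw, the BSD packet filter that ships with Tiger and Leopard. It assumes rule number 100 is free, and it reads the ipfw command from $IPFW so the logic can be dry-run with a stand-in; as written it needs root:

```shell
#!/bin/sh
# Added example: block all inbound ICMP on the Mac with ipfw (Tiger/Leopard).
# Run as root: sudo sh icmp-block.sh [off]
# IPFW can be pointed at a stand-in command for a dry run or a test.
IPFW=${IPFW:-ipfw}
RULE_NUM=100            # assumed to be an unused slot; check "ipfw list" first

# True if a rule with our number is already installed ("00100 deny icmp ...").
icmp_rule_present() {
    "$IPFW" list 2>/dev/null | grep -q "^0*${RULE_NUM} "
}

# Install the deny rule once. "in" matches inbound packets only, so pings
# you send still go out (their replies are inbound and will be dropped).
block_inbound_icmp() {
    if icmp_rule_present; then
        echo "rule $RULE_NUM already present"
        return 0
    fi
    "$IPFW" -q add "$RULE_NUM" deny icmp from any to any in || return 1
    echo "added rule $RULE_NUM"
}

unblock_inbound_icmp() {
    "$IPFW" -q delete "$RULE_NUM" 2>/dev/null && echo "deleted rule $RULE_NUM"
}

if command -v "$IPFW" >/dev/null 2>&1; then
    case ${1:-on} in
        off) unblock_inbound_icmp ;;
        *)   block_inbound_icmp ;;
    esac
else
    echo "$IPFW not found; this is meant for Tiger/Leopard (or set IPFW to a test stand-in)" >&2
fi
```

Rules added this way don't survive a reboot, so to keep it you'd run the script from a startup item or launchd job. Also note that on Leopard the firewall in the Security pane is the per-application one and won't filter by protocol, while on Tiger the Sharing pane's firewall is itself a front end to ipfw, so look at `sudo ipfw list` for rules it has already installed before picking your rule number.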

UPDATE V:

Run the RootPipeTester tool to see if you're vulnerable to what Cameron Kaiser dubbed systemsetupusthebomb, a local privilege escalation to root through the writeconfig helper that System Preferences uses. Read the details at TenFourFox Development, but the short version is you should open your Security preference pane and check "Require password to unlock each secure system preference" (wording may be slightly different on Leopard), and you'll be secure against all known attacks. For an even more airtight solution, rename your writeconfig file according to the instructions Cameron Kaiser laid out in the linked post.

Monday, December 8, 2014

Lock Down Your Mac With Security Mode

You may recognize Adam Albrec as the author of PPC Media Center, a suite of AppleScripts that serves as a GUI wrapper for youtube-dl, and as a past guest poster here. Well, he's back, this time with another package of AppleScripts called Security Mode (download at bottom of post). If you've ever wondered what it would take to completely lock down your PowerPC laptop in the modern jungle out there, this is what you've been waiting for.

Along with the AppleScripts comes a very extensive Read Me file with a lot of general tips as well as instructions on using and editing the scripts. In all honesty, I'd never heard of the FireWire vulnerability before perusing the Read Me, and I'm supposed to be on top of this stuff.

So what do the scripts do? As Adam writes:

The primary app is a simple toggle that will change your laptop to a 'Secure Mode' which implements the following security features:

- A password is now required to unlock the screen on waking the system from sleep (like after having the lid closed), or once the screensaver has become active.

- The unit will have the screensaver activate after 10 minutes.

- The display will sleep after 20 minutes of inactivity.

- The system will sleep after 30 minutes of inactivity.

- Firewire will be disabled, thus eliminating the threat of a DMA (Direct Memory Access) attack.

...

When toggled again, all the security features listed above go back to normal 'Home Mode':

- No password is required to wake the system or deactivate the screensaver.

- Both display and system sleep are set to 'Never'.

- Firewire will work normally.

As a convenient means of identifying the system's current security status, the Dock position will change in 'Secure Mode' to the left of the screen, and back to the bottom in 'Home Mode'.

The secondary helper app SM Fw-Disabler, when set as a login item, will make sure that whatever mode the system is in when it is shut down will continue when restarted, until the user chooses to change it.

Both scripts store your user name and password in plain text, so you need to keep the scripts on an encrypted volume. FileVault instructions are included in the Read Me for this purpose. Also...

As stated in the script comments, all the settings in the script, including the sleep/screensaver times and Dock position changes, can be changed if the above are not to the user's liking. Those who are good at AppleScript will have no trouble with this, but for those who might like some tips, just leave a comment here on the blog and I'll reply ASAP.
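For readers who would rather not keep an admin password inside an AppleScript at all, here is the same toggle done as a shell script. This is an added example of mine, not Adam's code. Run through sudo, it never needs a stored password, which also sidesteps the encrypted-volume requirement above (an encrypted volume only protects the password at rest; while the script is running, the password is readable by anything running as you). Assumptions: the defaults keys and pmset flags are the Tiger/Leopard ones, com.apple.driver.AppleFWOHCI is the FireWire controller kext to unload and kextunload/kextload accept -b with a bundle id (confirm both with `kextstat | grep -i fw` and the man pages on your machine), and setting RUN=echo gives a dry run that just prints the commands:

```shell
#!/bin/sh
# Added example: 'Secure Mode' / 'Home Mode' toggle for Tiger/Leopard as a
# shell script. Usage: sudo sh secmode.sh secure|home   (RUN=echo for a dry run)
RUN=${RUN:-}
# FireWire OHCI controller driver; with it unloaded nothing on the bus can
# service a DMA request. (Assumed bundle id; check with kextstat.)
FW_KEXT=com.apple.driver.AppleFWOHCI

run() { $RUN "$@"; }

# Per-user preferences must be written as the logged-in user, not as root,
# or they land in root's ~/Library/Preferences and change nothing visible.
as_user() {
    if [ -n "${SUDO_USER:-}" ]; then run sudo -u "$SUDO_USER" "$@"; else run "$@"; fi
}

secure_mode() {
    as_user defaults write com.apple.screensaver askForPassword -int 1          # password on wake
    as_user defaults -currentHost write com.apple.screensaver idleTime -int 600 # screensaver after 10 min
    run pmset -a displaysleep 20 sleep 30                                       # display 20 min, system 30 min
    run kextunload -b "$FW_KEXT"                                                # FireWire off
    as_user defaults write com.apple.dock orientation -string left              # visual cue
    as_user killall Dock
}

home_mode() {
    as_user defaults write com.apple.screensaver askForPassword -int 0
    run pmset -a displaysleep 0 sleep 0                                         # 0 means Never
    run kextload -b "$FW_KEXT"                                                  # FireWire back on
    as_user defaults write com.apple.dock orientation -string bottom
    as_user killall Dock
}

case ${1:-} in
    secure) secure_mode ;;
    home)   home_mode ;;
    *)      echo "usage: sudo sh $0 secure|home" >&2 ;;
esac
```

Unloading the driver stops new DMA from the port, but anything already in RAM stays there until the machine is powered off, so treat the toggle as a precaution for a laptop you carry around, not as a substitute for shutting down before leaving it unattended.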

Finally, the Read Me concludes with some not-commonly-known tips on PCMCIA expansion bays, Open Firmware passwords, and TrueCrypt. All in all, this is great stuff, so download the scripts and the Read Me at the following Mediafire link:

(updated to version 2.0, addressing Finder-lockup problems in the previous release)
PowerPC Security v2.0.zip

(ADDED: This can also be useful for Snow Leopard. It'll take some tinkering with the Applescript, but leave a comment and Adam will be glad to help.)