Picture of Jürgen Kreileder

Archive for the ‘Security’ Category

OS X Applications Insecurely Installing World-Writable Files

Files, directories, and devices that are writable by any user (“world-writable”) on a multi-user system can be dangerous locally exploitable security holes. There are very few legitimate reasons for having world-writable files and directories on a system.

Many UNIX and Linux systems actually have cron jobs that check for world-writable files. On Apple’s OS X there is no such safeguard and many vendors do not seem to care about file permissions much at all. Several well-known applications are either installed with world-writable files or create them when used:

World-writable files in system directories

The following applications install world-writable files in shared directories (/Applications, /Library, …):

  • Adobe CS 4, CS 5: Some uninstallers + several files and directories in /Library/Application Support + various stuff in other locations
  • Adobe Media Player: directory + some files in Contents/Resources
  • Adobe Flash Player: directories (including AddIns and AddIns/airappinstaller)
  • Amazon MP3 Downloader: some directories
  • EPSON (Scan, TWAIN data source, Easy Photo Print, …): pretty much everything, including executables
  • Eye-One Match 3: complete app, including executable
  • eMusic Download Manager: complete app, including executable and JavaScript (the application is based on Mozilla)
  • Telltale games: complete apps including executable and libraries
  • Apple OS X: some plist and cache files, including at least one LaunchDaemon plist file
  • Google+Growl Utility (not a Google product): whole app including executable
  • HP Scan Pro (plus supporting files): everything including executables
  • DivX Converter: resource files
  • Apple Remote Desktop: some plist files
  • Apple GarageBand: several plist and data files
  • Apple ColorSync: some profiles
  • Microsoft Office 2011: directory in /Library/Application Support
  • Elgato EyeTV: several plist files
  • ABBYY FineReader Sprint 8.0: several data files
  • ArcSoft (Connect Suite, MediaImpression 2): all files, including executables
  • Extensis Suitcase Fusion 2: all files, including executables

World-writable files in user directories

The following applications install world-writable files in user directories (/Users/$USER):

  • GoogleGrowl.plugin: whole plugin including executable
  • 3rd-party extensions for Apple Safari: some extensions (e.g. AdBlock) install world-writable files
  • Apple iPhoto: the whole library seems to be world-writable
  • Adium add-ons: several add-ons install world-writable files
  • eMusic Download Manager: some preferences files are world-writable
  • Adobe (CS 4, CS5, Flash, …): several preferences files
  • Apple MobileDevice: crash logs are world-writable

The lists have been compiled by inspecting my own systems and those of several friends by running

sudo sh -c \
  "find / -xdev -perm +o=w ! \( -type d -perm +o=t \) ! -type l -print0 | \
   xargs -0 ls -dl 2>&1 | \
   tee world-writable-files.txt"

and analyzing the output.
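The same filter reimplemented in Python, as an added example that is not from the original post: it makes the find command's exclusions explicit (symlinks, sticky directories such as /tmp) and adds the matching remediation (chmod o-w). The tree it audits is constructed for the demo, and the -xdev restriction is not reproduced.

```python
import os
import stat
import tempfile

def is_risky_world_writable(st: os.stat_result) -> bool:
    """Filter from the post's find(1) command: others-writable, but not symlinks
    and not sticky directories such as /tmp, where o+w is intended."""
    mode = st.st_mode
    return (not stat.S_ISLNK(mode) and bool(mode & stat.S_IWOTH)
            and not (stat.S_ISDIR(mode) and mode & stat.S_ISVTX))

def find_world_writable(root: str) -> list[tuple[str, str]]:
    """Return sorted (path, ls-style mode) pairs for every risky entry under root."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):  # does not follow symlinks
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: judge the link itself, not its target
            if is_risky_world_writable(st):
                hits.append((path, stat.filemode(st.st_mode)))
    return sorted(hits)

def remove_other_write(path: str) -> int:
    """Remediation (chmod o-w): clear the others-write bit, return the new mode."""
    os.chmod(path, stat.S_IMODE(os.lstat(path).st_mode) & ~stat.S_IWOTH)
    return stat.S_IMODE(os.lstat(path).st_mode)

def build_demo_tree() -> str:
    """Constructed sample tree (not real system data): a world-writable app
    directory and executable, plus a sticky dir and a symlink to be ignored."""
    os.umask(0o022)  # deterministic default modes regardless of the caller's umask
    root = tempfile.mkdtemp(prefix="ww-audit-")
    macos = os.path.join(root, "App.app", "Contents", "MacOS")
    os.makedirs(macos)
    exe = os.path.join(macos, "App")
    open(exe, "w").close()                          # empty stand-in for the binary
    os.chmod(exe, 0o777)                            # anyone can replace the binary
    os.chmod(os.path.join(root, "App.app"), 0o777)  # anyone can add or rename files
    os.mkdir(os.path.join(root, "tmp"))
    os.chmod(os.path.join(root, "tmp"), 0o1777)     # sticky + o+w like /tmp: skipped
    os.symlink(exe, os.path.join(root, "link"))     # symlink: skipped
    return root

def run_demo() -> tuple[list[str], list[str]]:
    """Audit the demo tree, fix every hit, audit again; paths relative to root."""
    root = build_demo_tree()
    before = [os.path.relpath(p, root) for p, _ in find_world_writable(root)]
    for path, _ in find_world_writable(root):
        remove_other_write(path)
    after = [os.path.relpath(p, root) for p, _ in find_world_writable(root)]
    return before, after
```

Running run_demo() reports the app directory and its executable, and nothing after the fix; the sticky directory and the symlink are never listed.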

Note that running Disk Utility’s “Repair Disk Permissions” does not have any influence on the issues described here.

Most OS X installations are probably single-user systems in reality but the situation is still somewhat ugly.

Facebook Chat Via XMPP Finally Supports TLS

Looks like Facebook silently introduced encryption for chats in XMPP/Jabber clients (Pidgin, Adium, etc.): Its servers now support the use of TLS as defined in RFC 3920.

Facebook’s FAQs (1, 2) have not been updated accordingly yet.

Google SSL Search Plug-In for Firefox

As of today Google finally supports searching over SSL. As expected, you can use it via https://www.google.com/.

Firefox’s built-in search capabilities still use the unencrypted search, though. To remedy this I built an OpenSearch plug-in which makes Firefox use the HTTPS-based search:

Install Google Secure Search Plug-In

(Read more about Google’s SSL Search here)

wordpress.org Cracked, Exploit in 2.1.1 Release

As pointed out on the WordPress development blog, a cracker gained access to the wordpress.org servers and replaced the 2.1.1 download with a modified exploitable version. The exploitable download may have been on the site for three or four days!

It may be a good idea for the developers to sign their releases with a well-known and trusted PGP key. This would allow people to verify that downloaded files are really what they should be!
This is a well-established practice used by other projects, for example by the Linux kernel.

WordPress SSL Patch Update

The recently released WordPress security update introduced some changes that broke my HTTPS patch for it. I have updated the patch for WordPress 2.0.6 and 2.0.7-RC1 now: wp2-ssl.patch.

Read the complete SSL setup guide here: Securing WordPress 2 Admin Access With SSL

Regarding WordPress security, please note that there still is a possible exploit for 2.0.6: New WordPress exploit also affects version 2.0.6
Make sure you use a safe PHP version and set register_globals = off.