January 17, 2007 at 5:22 pm
· Filed under Apple, Mac OS X, bug, computers, security, synchronization
.Mac sync doesn’t work without saving your password in the Apple Keychain — BROKEN! I don’t want to save my password on a laptop that’s likely to get stolen.
If you delete your .Mac password from the keychain, Sync Now from the iSync menu fails with an error, but without an opportunity to enter the password:

In System Preferences:.Mac:Sync, clicking Sync Now generates the same error message with a different icon:

After entering a password in System Preferences:.Mac:Sign In, the system pops up a keychain password prompt. If a password is provided, the .Mac password is immediately saved to the default keychain. This is the only keychain access dialog I’m aware of which doesn’t offer a checkbox to save the password, and instead forces password saving on — BROKEN!:

No .Mac renewals for me.
January 17, 2007 at 10:44 am
· Filed under Apple, Mac OS X, bug, computers, security
So the MoAB released a bug announcement with exploit code for Colloquy, an IRC client.
MOAB-16-01-2007: Multiple Colloquy IRC Format String Vulnerabilities
Colloquy is vulnerable to a format string vulnerability in the handling of INVITE requests, that can be abused by remote users and requires no interaction at all, leading to a denial of service and potential arbitrary code execution.
Further information:
Multiple Colloquy IRC Format String Vulnerabilities
Exploit: MOAB-16-01-2007.rb
Apparently someone used their exploit:
Thanks to str0ke for donating to the project and mirroring exploits and other code. In other news, we’ve heard rumors about someone using this exploit to take people down from several Mac-related IRC channels (#macdev, #mac, #macosx, #opendarwin, #colloquy itself…). This is an unfortunate prank, and has no relation with us at all (except the fact of developing the proof of concept and distributing it to some people). They had fun for sure, anyway. Definitely ranting on IRC is a high risk activity.
Do you see anything strange here? They announced several bugs to the world, and provided instructions for exploiting them. People did exploit them, and MoAB now says “no relation to us at all”. Well, no. If you made these activities possible, there’s a strong relationship.
We’re lucky this happened with Colloquy, a relatively obscure product with a more sophisticated audience and very quick developers. Things would have been much worse with a serious attack on Mac OS X or Office.
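The advisory quoted above describes a format string bug in INVITE handling. As an added illustration (not Colloquy's code and not part of the original post), the following C program shows the defect class beside its fix: a hypothetical `format_into` logging wrapper receives network-supplied text where a format string belongs, so any `%` directives in the text are interpreted; the hardened form keeps a constant format and passes the text as a `%s` argument. A boundary check that flags incoming text containing `%` is included as a detection aid. All function names and the sample INVITE text are constructed for this example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Constructed example of the format string bug class named in the advisory.
   Hypothetical IRC client code, not Colloquy's. */

#define BUF_SIZE 128

/* A typical logging/notification wrapper: takes a format string plus args.
   Wrappers like this are where the bug usually hides, because the caller
   can pass untrusted text in the fmt position without any compiler warning. */
static int format_into(char *out, size_t out_len, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int written = vsnprintf(out, out_len, fmt, ap);
    va_end(ap);
    return written;
}

/* Vulnerable form: the remote nickname/channel text *is* the format string,
   so every '%' directive in it is interpreted by the formatter. Directives
   that read or write through the argument list are what turn this into a
   crash or code execution, which is why this path must never be reachable
   from the network. */
int notify_invite_vulnerable(char *out, size_t out_len, const char *remote_text)
{
    return format_into(out, out_len, remote_text);
}

/* Hardened form: a constant format string; the untrusted text only ever
   fills a %s argument and is copied verbatim, '%' characters included. */
int notify_invite_safe(char *out, size_t out_len, const char *remote_text)
{
    return format_into(out, out_len, "%s", remote_text);
}

/* Defensive boundary check: legitimate nicknames and channel names have no
   need for format directives, so a '%' in incoming INVITE text is worth
   logging or dropping. Returns 1 if one is present, 0 otherwise. */
int contains_format_directive(const char *s)
{
    return strchr(s, '%') != NULL;
}

int main(void)
{
    /* Constructed sample INVITE text. "%%" is the one directive whose effect
       can be shown without undefined behaviour: the vulnerable path collapses
       it to a single '%', the safe path leaves the text untouched. */
    const char *sample = "evil%%nick invites you to #chan";
    char buf[BUF_SIZE];

    notify_invite_vulnerable(buf, sizeof buf, sample);
    printf("vulnerable: %s\n", buf);  /* directive consumed: evil%nick ... */

    notify_invite_safe(buf, sizeof buf, sample);
    printf("safe:       %s\n", buf);  /* copied verbatim: evil%%nick ... */

    printf("flagged:    %d\n", contains_format_directive(sample));
    return 0;
}
```

Compiling with `-Wformat-security` (or `-Wformat=2`) warns when a non-literal format string reaches `printf`-family functions directly, but not when it passes through a wrapper like `format_into`; annotating the wrapper with `__attribute__((format(printf, 3, 4)))` restores that warning and is the cheapest way to catch this class before it ships.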