New computers and old network problems

Well, I don’t know if this is a continuation in the “new computers” series, or just rehashing an old problem.

I’ve noted before the problem of the complexity of trying to establish an ad-hoc network under Windows.  And, I’m trying various things with the new Mac.  So, in a situation, right now, where I have one network cable, and two computers downstairs, I decided to see what an ad hoc network was like with a Mac.

I remembered to do the bridging thing on Windows, and I’ve set up an ad hoc network with a pre-shared key.  (At least, I think I have.  That seemed to be the way it worked, and the Mac connected with a password, but, on the Windows machine, when I go back and look at it, it says it’s open.)  The Mac wouldn’t show the network when I looked at the list, but, when I gave it the name and password it seemed to connect just fine.

I got a Web site correctly on the Mac.  Then I went to connect to the Windows machines as servers, and that worked out fine.  Then I went to do some work on the Web, and … nothing.  The Mac wasn’t able to get onto the Internet.  I was still connected to the Windows servers, but couldn’t get a Web page.

And, then, suddenly, I could, again.  And then I couldn’t.  (At the moment, I can’t.)  (Sorry, started working again just before I finished this entry.)
I’ll have to give it a shot with the Mac connected to the cable, and see if I can set up an ad hoc wireless connection that the Windows netbook can use, but, at the moment, Mac networking is not working any better than Windows in the ad hoc environment.

Roll on PopulistNet.

New computers – Mac (nets)

One of my Mac fanatic contacts, when I mentioned that I needed to connect to my old Windows machines, said that it was easy, you just had to open “Networks,” and there they all are!  Well, no, not quite.  Not by a long shot, in fact.  I knew there was something called “Finder,” which was basically the interface to the filesystem on the Mac OS.  I even figured where to find it, going to the icon on the extreme left end of the top of the screen, and figuring that choosing the “Finder” under that option would change the top menu items from the browser that was active at the time.

So, I found Finder, and I even found the Network part of it.  And I asked it to search for servers.  It didn’t find any.  So I asked it to find a specific server.  It didn’t find that, either, but the fact that the name I had specified popped up with “afp:” at the beginning gave me an indication that I had to specify a protocol for Windows machines.  I went searching in the help files, and, eventually, found it.  Not too hard to figure out that it was “smb:”  at least, not too hard once you know it.  I then was able to figure out, on my own, that specifying the machine name with a leading “//” was wrong, because the Mac helpfully and intelligently adds “//” to whatever you type, but is too stupid to figure out that “////” is wrong.

New computers – Mac (basics)

My father-in-law is a dedicated Apple fanatic (as are a number of my friends).  Since I had an MS-DOS machine when we first met, he tagged me as an IBM person.  (It was vain to point out that, although I had once installed a Baby 36 for a charity, I did not, in fact, have a System 360 installed in the non-existent basement of my apartment.)  He eventually figured out that Microsoft made the operating system, but, even though I have worked on (among others) a predecessor to AOS(VS), Apple DOS, UNIX, TOPS-10, VMS, JCL, and CP/M, and make no secret of my frustrations with Windows, he still considers me to be one of “the enemy.”

Well, I’ve always wanted to have a crack at Macs.  I got the first one installed in one company I worked for, over twenty years ago, used it for a while, and, despite the frustrations, was still interested in getting one of my own.  So, this year, while I had the need to update at least two machines, and since the price had come down from “completely-out-of-the-question” to merely “obscene,” I decided to get one.

The experience has been interesting.  I shall, no doubt, have more to say about aspects of operation in the future, but it has been an education to get a new Mac (a MacBook Pro laptop) and take it out of the box.

To give credit where credit is due, I’ve got to say that I’ve been impressed with the performance of the Mac and the Safari browser on the Web, which is what I’ve done with it so far.  The overall design is nice, of course.  I like the battery life (so far), and the “sleep” mode performance.  The machine recognized a generic mouse I plugged into it, and happily connected to the Internet when through a wired LAN.  The minimal (well, OK, slightly more than minimal) experience I’ve had with Mac OS X was quite sufficient to get me started on the machine, and I’ve even managed to puzzle out some things with the help of the “Help” system (but more on that later).

The big thing with Mac advertising, and Mac devotees, is that the Mac is easy to use “right out of the box.”  And, yes, that is partially, and possibly even mostly, true.  But not completely.

The reason that I needed to plug in a mouse was that I could not figure out how to “choose” or activate something with the trackpad.  I could move the pointer around, no problem, but then there were no buttons to push.  Tapping didn’t work.  I remembered seeing people tapping hard on the trackpad on Mac laptops, so I tried that.  Sometimes it worked, and sometimes it didn’t.

Experienced Mac laptop users will be smirking, of course, knowing what I eventually found out.  You don’t tap the trackpad, or even tap it hard.  You press, deliberately, and you can actually feel a detent “click” when you’ve pressed hard enough.  (And, of course, whatever you wanted to activate gets activated.)  This is sort of implied in the documentation (when I found it), but even there isn’t really made clear.  And it certainly isn’t “intuitively obvious.”

Ah, yes, the documentation.  Once you’ve figured out how to open up the box the laptop comes in, you take the laptop out of the clear cellophane “envelope,” and open it up.  Since it is shipped with the battery charged, as soon as you take the protective foam sheet off the keyboard, and figure out the power button (not *too* hard, if you’ve got good eyes: white on silver is pretty, but not exactly clear) things start happening.  Once you’ve gotten over the excitement, you may notice that there are power cords in a bay at the back of the box.  You are less likely to notice that there is a black cardboard envelope nestled into the black packing material at the front of the box.  Pulling on a tab in just the right way starts to loosen this, although you still seem to have to find a finger hole in the envelope in order to get it out, and then figure out how to open it.  Once you do, you will find a brief booklet which does tell you which of the two power cords is actually a power cord, and which is a mere (and very short) extension cord.  It also tells you a few other things that would have been handy, had I not already figured them out by trial and (mostly) error.  (There is also a CD or DVD which I haven’t yet had the time to try out.)

OK, some of the design is great.  (Not insanely, but great.)  Not all of it.

Apple Safari Denial Of Service (iPhone, iPad, iPod, OS X, Windows) 0-Day

I’ve spent a lot of time thinking about what to do with this one, and when I say a lot of time, I really mean just over 3 months now. I also informed Apple that I would be writing this article, and asked for an official quote from them, and also a rough date as to when the relevant patches would be disclosed.
I found this one by fuzzing Safari 5.0 on the night that it first came out, I was using Browser Fuzzer 2 (bf2)and then spent a while playing with it to see if I could turn this into more than just a Denial Of Service (DoS), unfortunately I wasn’t able to. This is not to say that it’s not possible to do so, I’m just not too sure on how to do it, it may very well be more than just a DoS with a few tweaks to the code.

I initially tried selling this one to ZDi, but their response to me was fair and to the point:

“Dear xyberpix

We have reviewed your recent case and discovered it was a duplicate of an issue we received in January of this year. We have also determined that this issue is likely non-exploitable. Due to this we are going to pass on the opportunity to pursue acquisition of this vulnerability information through the ZDI program.

Thank you for the submission and we look forward to your future work.

The ZDI Team”

So, January 2010 and to date, this still has not been fixed by Apple! People give Microsoft and Adobe a hard time about their time to release patches, but seriously 8 months is really pushing it!

So I figured I’ll see what Apple has to say about this one, and sent it along to their product security team, asking if they were willing to reward vulnerability researchers for their time. I wasn’t asking for anything major at all, maybe the cheap iPad or even just a copy of Logic Studio 9 for my trouble. That’s really not too much to ask really is it? I didn’t have any high hopes though, and well here was their response:

“Hello Xyberpix,

When we address an issue in a Security Update, we give credit to the person who reported the issue to us.  However, Apple does not directly provide financial reward.”

Okay, fair enough, I didn’t go looking for bugs for financial gain, but it would have been a nice token nonetheless. I guess the fact that I’ve been a loyal Apple fan boy for close on 8 years now means nothing to them at all. I guess this is why I’m a firm believer in the No More Free Bugs movement, in the same sense though I can’t sit around idly and wait for what’s been over 3 months since I found this issue, and Apple has not released a patch yet!

Apple also came back to me stating that they had addressed this vulnerability in iOS 3.2 and iOS 4.0, well, erm, dunoo how to tell you guys this but, nope you didn’t. So being the nice guy that I am I sent them the relevant crash logs as requested. Their response was the following:

“Hello xyberpix,

Thank you for forwarding this issue to us.  We take any report of a potential security issue very seriously.

After reviewing the issue, it appears that this denial of service issue results in the unexpected termination of MobileSafari, but not of the host operating system or a system service.  For our internal tracking purposes, this will be classified as a “Crash / Hang” issue. Although we do not see additional security concerns, we do consider this to be an important issue, and are working with the engineering team to address it.

If you have reason to believe that the issue has ramifications beyond terminating Safari (such as terminating the operation of the host operating system or system service, or executing arbitrary code), we would appreciate the steps to reproduce this, or crash logs from when you observed it.”

I then replied asking about this issue on platforms other than iOS, namely Windows and OSX, to which I recieved the following response:

“Hello xyberpix,

The crash is still a security issue on platforms on which it has not been addressed.  So far, it has only been addressed on iOS.

For the protection of our customers, we ask that you do not disclose details of this vulnerability until it has been addressed on all platforms.

When we release an update to address this issue on other platforms, you will be credited for the vulnerability.”

Okay, so let me get this straight, this is not a security issue on iOS, it’s a crash/hang issue, which they have apparently addressed in iOS 4, and I had to bug Apple about the Windows and OS X Safari issues, even after I informed them that it was possible to crash Safari on all platforms, not just iOS? Something’s not quite right here…

When I asked for a rough timescale on when a patch for this is going to be released, I was given the following response:

“The following information should be considered confidential.  We are sharing this information as a status update on an issue you reported.  Please do not share this information with others.

This issue has already been assigned CVE-20xx-xxxx, when it was fixed on iOS.

The issue is currently planned for our next available software update.  I don’t have a date for you yet, but we will coordinate with you closer to the release of the udpate.

I completely understand confidentiality, but I also believe that security researchers should get more than just credit for discovering a vulnerability that Apple’s testers should have found in the first place.

Oh wait, it seems they did find it, but they just claimed to have fixed it, instead of actually fixing it, did I get that right?

My last attempt at contacting Apple was on the 2nd August 2010 to ask if they could please give me an official statement on this issue that I could include in this post, and if there was still no chance at all of getting some sort of reward for this finding. Their response was this:

“Hello xyberpix,

We do appreciate the time you took to find and report the issue to us.

As mentioned, it is not our policy to provide financial compensation for issues.”

I really don’t want this post to be taken the wrong way, yes I was looking for compensation for the vulnerability, but not thousands of dollars, just a little something to make the time spent on this one worthwhile. I also wanted to have an official statement from Apple on this one as to when they are likely to release a patch, neither of which they were willing to do. Personally I don’t feel that either of these things were too much to ask at all from a company that is growing in leaps and bounds each year.

If any Apple employee’s would like to discuss this one further with me, the case number for this issue is 111476071, and you have all my contact details.

As a matter of courtesy and security I will not be publishing the code for this DoS, as I do not believe that would be responsible, once a patch that works has been released by Apple, I will upload the code. I have also removed the CVE number and also the specific function that causes the crash.
I’m really looking forward to all your comments on this one people, as I’d love to hear your views.