SCPreferencesCreateWithAuthorization: an open invitation to malware developers
SCPreferencesCreateWithAuthorization: an open invitation to malware developers
- Subject: SCPreferencesCreateWithAuthorization: an open invitation to malware developers
- From: Nathan Duran <email@hidden>
- Date: Wed, 19 Dec 2007 09:00:03 -0800
Remember that trojan plugin that poked poisoned DNS servers into
unsuspecting users' network settings thereby redirecting web traffic
to phishing sites and porn ads? Well from what I've seen, 10.5 just
made that attack a whole lot easier.
Specifically, when run under an admin account (as I'd venture that
over 90% of all home and small business users in the world are since
that's the way their installer discs set them up)
SCPreferencesCreateWithAuthorization() will swallow an
AuthorizationRef without challenge and happily return a preferences
session with which one can obtain a write lock and proceed to do
whatever one wishes. My testing has shown that, on a stock Leopard
installation, any code anywhere can do this, and the user will never
see an authentication dialog. They may very well never notice that
anything has even happened.
But if that's not frightening enough, consider what else lives in SC's
persistent store that malicious code might be interested in. How about
the incomprehensibly inconsistently named "Dynamic Global
Host"/"BackToMyMac"/Wide-Area Bonjour settings? How much work would it
take to cause an unsuspecting user's machine to begin registering
itself and advertising services (which they assumed were private) on a
foreign BIND box? Haven't actually tried it yet, but it certainly
seems to be well within the realm of possibility.
Responses I've already received followed by reasons why they do not
require repetition:
1. Don't use an admin account
-OK, tell the installer team to stop creating them, then.
2. Check "Require password to unlock each System Preferences pane" in
your Security settings
-Sweet. Done. Now explain that to my grandma. After that you can
explain why it isn't set by default if it's so critical. If anything
this simply proves that SCPreferencesCreateWithAuthorization is
already perfectly capable of doing the right thing and is merely
choosing not to.
3. File a bug
-I was on the payroll once myself and even then I never saw a lot of
meaningful change take place in response to an externally filed Radar
bug unless it came from someone capable of exerting economic or legal
pressure on Apple. If you think it's an important bug, you can file it
at the level of priority it deserves much more quickly than I can
muddle through a web form. If you *don't* think it's an important bug,
it's probably not going to be fixed anyway. Google indexes mailing
list archives, not Radar, so I consider writing them up here a more
productive use of time (plus that whole thing about the bug reporting
site causing Safari 3 to wipe its entire cookie store has me wary of
going anywhere near it).
If Launch Services is going to start balking about double
clicked .html files, I don't think its unreasonable of a user--be they
a member of the admin group or not--to expect that their network
settings not be modified without their knowledge or consent. If they
say yes to the dialog, that's their problem. If they're never even
given a dialog, that's SCPCWA's. I like this function because it makes
debugging a whole lot easier when you don't have to run a helper tool
as root, but it needs to get smarter in a hurry before more people
start realizing that it exists and we all have to start giving Peter
Norton money again.
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Macnetworkprog mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden