Threat Level: green Handler on Duty: Johannes Ullrich

SANS ISC: InfoSec Handlers Diary Blog InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Tiger and Leopard upgrades

Published: 2007-11-16
Last Updated: 2007-11-16 22:03:28 UTC
by Swa Frantzen (Version: 2)
0 comment(s)

Apple released in the last days upgrades to it's Tiger (10.4) and Leopard (10.5) versions of OS X.

For those unfamiliar with Mac OS X: this isn't just security patches, it's somewhat comparable to what Microsoft calls a service pack. As such it can include stability fixes, features, etc. and security fixes.

10.4.11 includes a long list of security fixes. Since it's a all or nothing deal, there's very little real use in discussing all of them individually. Just take the plunge: there are a few bad ones in there, so you'll need it anyway. Some readers wrote us that there might be some issues with it all, so be careful. That said, I'm running it for a bit already and have not seen a single bad thing so far.

10.5.1 includes some security fixes too, all centered around the application firewall:

Apple also released patches for the beta of safari, but hey, it's beta software!

UPDATE

Rex pointed out we were missing the security update to 10.3.9 (Panther) that fixes many of the security problems also fixed in 10.4.11.

--
Swa Frantzen

Keywords:
0 comment(s)

'Anyone who considers arithmetical methods of producing random digits is, of course, in a state of sin.'

Published: 2007-11-16
Last Updated: 2007-11-16 21:57:26 UTC
by Swa Frantzen (Version: 1)
0 comment(s)

The title is actually a quote from John Von Neumann. And while it's over half a century old, it is still indicative of the difficulty faced by those that are forced to generate random data.

When I teach a certain awareness course for developers, one of the basic messages is to not to try to reinvent crypto components, but use proven good ones. Basically, it's just way too hard to get it perfectly right for the mere mortals among us.

In crypto you basically have 4 basic building blocks: the symmetric and asymmetric cyphers, the hash functions and the (pseudo) random number generator. With those, you can build whatever you need.

Lately the random number generator in windows seems to be under scrutiny. Basically some crypto researchers are calling it broken and the press reports that Microsoft mostly seems to deny it's a problem.

While it's rather easy to make fun of Microsoft in this, take a look at what Microsoft employees write about PRNGs and the NIST recommendation: http://rump2007.cr.yp.to/15-shumow.pdf.

The viewpoints:

  • The research paper: http://eprint.iacr.org/2007/419.pdf
  • Microsoft doesn't seem to have a public statement, but their position boils down to:
    • There is no security vulnerability as the information is not leaked.
    • The information is actually only released locally to authorized users. E.g. Administrators have wide rights.
    • They encourage user to run with limited user rights.
    • They seem to be ready for what they call defense in depth (inside one machine) and to reevaluate the strength of their PRNG.
      [If a Microsoft spokesperson wants to send me quotable material, feel free ...]

Still security professionals will need to position themselves on the issue in the long run.

What do you think about it, why?  Let us know and we'll summarize the best replies we get.

--
Swa Frantzen

Keywords:
0 comment(s)
Diary Archives