Apple Mail in Leopard with the same old error - Linux


  1. Apple Mail in Leopard with the same old error


    http://www.heise-security.co.uk/news/99257

    Again one can see that apple "quality" is about the same as "MS quality"

    --
    Perl - the only language that looks the same before and after RSA
    encryption.
    -- Keith Bostic


  2. Re: Apple Mail in Leopard with the same old error

    Peter Köhlmann wrote:

    >
    > http://www.heise-security.co.uk/news/99257
    >
    > Again one can see that apple "quality" is about the same as "MS quality"
    >


    I didn't know Apple Macs were susceptible to that sort of attack, I still
    tend to think of Apples as being UNIX-Like, at least in security.

    Wouldn't you think that by now MS and Apple, if they are going to insist on
    executing straight from emails, would have wrapped these in a little
    application cage, or at the very least keep them inside the java vm.

    Am I getting cynical as I get older, but I can't help feeling that a patch
    for this specific one mentioned will simply try to examine the file further
    to decide if it is a picture or not.

    Caging wouldn't be difficult, there is only so much executing that makes
    sense directly from an email, such as the caged launch of a picture or file
    viewer, it could even allow for editors inside the cage to edit and return
    email contents.

    I wonder if Apple still has enough UNIX in it to allow for multiple
    directory caged root levels, I should imagine that in many cases a
    structure that only exists temporarily in ram would do the job.



  3. Re: Apple Mail in Leopard with the same old error

    ____/ BearItAll on Tuesday 20 November 2007 12:00 : \____

    > Peter Köhlmann wrote:
    >
    >>
    >> http://www.heise-security.co.uk/news/99257
    >>
    >> Again one can see that apple "quality" is about the same as "MS quality"
    >>

    >
    > I didn't know Apple Macs were susceptible to that sort of attack, I still
    > tend to think of Apples as being UNIX-Like, at least in security.
    >
    > Wouldn't you think that by now MS and Apple, if they are going to insist on
    > executing straight from emails, would have wrapped these in a little
    > application cage, or at the very least keep them inside the java vm.
    >
    > Am I getting cynical as I get older, but I can't help feeling that a patch
    > for this specific one mentioned will simply try to examine the file further
    > to decide if it is a picture or not.
    >
    > Caging wouldn't be difficult, there is only so much executing that makes
    > sense directly from an email, such as the caged launch of a picture or file
    > viewer, it could even allow for editors inside the cage to edit and return
    > email contents.


    What type of person would send a program to someone by E-mail anyway? Other
    than that idiocy of wrapping PowerPoint files in a self-contained executable?
    There's rarely a reason to allow scripting and execution of file in a mail
    client, esp. whilst 98% of all E-mail is spewed by Windows zombies.

    > I wonder if Apple still has enough UNIX in it to allow for multiple
    > directory caged root levels, I should imagine that in many cases a
    > structure that only exists temporarily in ram would do the job.


    --
    ~~ Best of wishes

    Roy S. Schestowitz | "Have you compiled your kernel today?"
    http://Schestowitz.com | RHAT GNU/Linux | PGP-Key: 0x74572E8E
    run-level 2 2007-10-30 19:49 last=
    http://iuron.com - help build a non-profit search engine

  4. Re: Apple Mail in Leopard with the same old error

    Roy Schestowitz wrote:

    > ____/ BearItAll on Tuesday 20 November 2007 12:00 : \____
    >
    >> Peter Köhlmann wrote:
    >>
    >>>
    >>> http://www.heise-security.co.uk/news/99257
    >>>
    >>> Again one can see that apple "quality" is about the same as "MS quality"
    >>>

    >>
    >> I didn't know Apple Macs were susceptible to that sort of attack, I still
    >> tend to think of Apples as being UNIX-Like, at least in security.
    >>
    >> Wouldn't you think that by now MS and Apple, if they are going to insist
    >> on executing straight from emails, would have wrapped these in a little
    >> application cage, or at the very least keep them inside the java vm.
    >>
    >> Am I getting cynical as I get older, but I can't help feeling that a
    >> patch for this specific one mentioned will simply try to examine the file
    >> further to decide if it is a picture or not.
    >>
    >> Caging wouldn't be difficult, there is only so much executing that makes
    >> sense directly from an email, such as the caged launch of a picture or
    >> file viewer, it could even allow for editors inside the cage to edit and
    >> return email contents.

    >
    > What type of person would send a program to someone by E-mail anyway?
    > Other than that idiocy of wrapping PowerPoint files in a self-contained
    > executable? There's rarely a reason to allow scripting and execution of
    > file in a mail client, esp. whilst 98% of all E-mail is spewed by Windows
    > zombies.
    >


    Direct execution is something that I can't see me ever allowing on a machine
    of mine at the moment, but it will come. Having an email or document
    trigger local code is something that is wanted and is common now. That in
    itself has proved dangerous in the past, with hackers attempting to crash
    the application associated with a file type. Linux could have been just as
    vulnerable as Windows was in that area at one time.

    That idea could also be caged, it wouldn't be strictly necessary on Linux,
    but still has value on a MS machine.

    There is an area that will want more interaction between local and remote
    code though that is traditionally handled in a java machine. If we talk
    about virtual machines at the level of partial virtual applications. Then
    there is going to be a time when we will want to pass code from the server
    with no interaction from the user, it needs to be smart load and run
    dynamically.

    Secure comms are used obviously, but you still need protection after the
    tunnel.

    A typical office of word processor, spreadsheets, email client etc, need to
    be able to work together so that the engine can better distribute the work
    load. So you will want an email to be able to trigger code within the same
    instance of a virtual mode cage, but you may need it to go further, to
    reduce the startup time of vm applications or because the client is a hand
    held with limited resource space, you may want some code to hold back until
    it is needed. So the actions of the client will trigger the transfer and
    execution of code. So the only question left is 'How can we do this
    safely'. As I said, forget the comms side, but each end of the tunnel must
    take care of itself.

    The simple truth is that Linux is already very capable of this, nothing
    extra needs to be loaded onto a bog-standard Linux machine to do this. Look
    at the change root, it isn't an application, there is no code downloads
    involved, it is simply config settings. You have locked a machine, anything
    from an entire Linux through to a simple 'vi' editor in a cage. A chroot
    isn't going to be the sort of caging used for VMs, but it isn't a million
    miles away from it either.

    The worry then is Windows.

    As it happens their ISS (assuming a good firewall) is getting better now
    than it was, I know the process isolation does seem to be very good
    which is the part that most relates to what I said above. Gads, that first
    ISS I worked with, when I finished the app and found just how open the
    whole piggin machine was I put my head down on the keyboard and wanted to
    quietly slip away, the place it was going relied very heavily on secure
    independently running applications that only interacted through services.

    But still, fair play to MS, they too know the importance of getting the vm
    (at whichever level) absolutely right. ISS has come good, no doubt a few
    niggles here and there, but very workable. .NET3 is also much more capable
    than .NET 1.1 (let's ignore .NET2 shall we), ok so .NET3 it still has that
    piggin bug in it that drives crazy, it's on their video you know, if you do
    the c# video tutorials for .NET the man comes across the bug and goes
    around it, he has obviously seen it before because of the neat way he skips
    around and takes an alternative route, but he left it on the video, I bet
    he did that because he was as frustrated by it as I was. I first saw that
    video about two years ago and the same piggin bug is still there in .NET3.

    Don't doubt MS's VM leanings, they know as well as everyone else how
    important it is going to be. It was MS that helped Linux developers get XP
    onboard. That is absolutely true, MS had to put in the development
    resources for that one to happen. Vista still seems an oddity in that area,
    I know it can host (the list of what it can host was on the Internet, just
    about every flavour of Linux had been tested), but not allowing Vista to be
    hosted doesn't seem like a good idea to me. Linux as a VM is inevitable,
    can call it another name if they like, but it is still Linux.



  5. Re: Apple Mail in Leopard with the same old error

    BearItAll wrote:

    > Peter Köhlmann wrote:
    >
    >>
    >> http://www.heise-security.co.uk/news/99257
    >>
    >> Again one can see that apple "quality" is about the same as "MS quality"
    >>

    >
    > I didn't know Apple Macs were susceptible to that sort of attack, I still
    > tend to think of Apples as being UNIX-Like, at least in security.


    Apple is about 85% FreeBSD & the rest is Apple's junk bolted on. As that is
    their proprietary SW, who knows wtf it contains. It's probably why Paul Hudson
    of FuturePublishing says that their Apple Macs crash at least once a day.

    I have the latest FreeBSD release on another machine, & that *doesn't* crash.
    As they say..."Go figure"..

    Most BSD-users don't consider Apple's SW a BSD, & don't rate it at all.

    > Wouldn't you think that by now MS and Apple, if they are going to insist on
    > executing straight from emails, would have wrapped these in a little
    > application cage, or at the very least keep them inside the java vm.
    >
    > Am I getting cynical as I get older, but I can't help feeling that a patch
    > for this specific one mentioned will simply try to examine the file further
    > to decide if it is a picture or not.
    >
    > Caging wouldn't be difficult, there is only so much executing that makes
    > sense directly from an email, such as the caged launch of a picture or file
    > viewer, it could even allow for editors inside the cage to edit and return
    > email contents.
    >
    > I wonder if Apple still has enough UNIX in it to allow for multiple
    > directory caged root levels, I should imagine that in many cases a
    > structure that only exists temporarily in ram would do the job.




    --
    Operating systems: FreeBSD 6.2 (64bit), PC-BSD 1.4,
    Testing: FreeBSD 7.0-BETA 2
    Linux systems: Kubuntu 7.10 "Gutsy" amd64,
    Debian 4.0, PCLinuxOS 2007.

  6. Re: Apple Mail in Leopard with the same old error

    [H]omer wrote:
    > Roy Schestowitz spake thusly:
    >
    >> What type of person would send a program to someone by
    >> E-mail anyway?

    >
    > Unless it's by prior arrangement and consent, all Email sent
    > to me that contains anything other than text is automatically
    > junked at the server.
    >
    > I got sick and tired of empty Emails with winmail.dat crap
    > attachments, chain mail "jokes" - many of which contained huge
    > videos that bogged down the server and my bandwidth, dodgy
    > Word and Powerpoint attachments; company "newsletters" in HTML
    > format - that were basically un-viewable without Javascript,
    > Java, Flash, or in some cases even ActiveX; and spam
    > masquerading as gif files, advertising \/i@gr@ or pump-n-dump
    > stocks.
    >
    > It's amazing how little spam gets through once you confine
    > what your server forwards to just text. Of course greylisting
    > takes care of the rest. All hail greylisting.


    You are not the only one to ban html E-mail:

    http://www.fcw.com/online/news/97178-1.html

    DOD bars use of HTML e-mail, Outlook Web Access
    By Bob Brewin
    Published on December 22, 2006

    Due to an increased network threat condition, the Defense
    Department is blocking all HTML-based e-mail messages and has
    banned the use of Outlook Web Access e-mail applications,
    according to a spokesman for the Joint Task Force for Global
    Network Operations.
    --
    HPT
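
The server-side rule quoted in this post (junk anything that is not plain text), combined with the check BearItAll expects a patch to make earlier in the thread (is a file labelled as a picture really a picture), as an added example that is not part of the thread or any poster's setup. The names `review_message`, `build_sample` and `IMAGE_MAGIC` are hypothetical and the sample messages are constructed.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Well-known leading bytes of common image formats.
IMAGE_MAGIC = {
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/gif": (b"GIF87a", b"GIF89a"),
}


def review_message(raw: bytes) -> list:
    """Return reasons to junk a message; an empty list means plain text only."""
    msg = message_from_bytes(raw, policy=policy.default)
    reasons = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no content of their own
        ctype = part.get_content_type()
        if ctype == "text/plain" and not part.is_attachment():
            continue  # inline plain text is the only thing allowed through
        name = part.get_filename() or "(unnamed)"
        reasons.append(f"non-text part: {ctype} {name}")
        magics = IMAGE_MAGIC.get(ctype)
        if magics:
            # Compare the decoded bytes with the format the sender declared.
            body = part.get_payload(decode=True) or b""
            if not body.startswith(magics):
                reasons.append(f"{name}: declared {ctype}, content is not that format")
    return reasons


def build_sample(attachment=None) -> bytes:
    """Constructed test message; attachment is (bytes, filename) labelled image/jpeg."""
    m = EmailMessage()
    m["From"] = "sender@example.org"
    m["To"] = "rcpt@example.org"
    m["Subject"] = "constructed sample"
    m.set_content("plain text body\n")
    if attachment:
        data, filename = attachment
        m.add_attachment(data, maintype="image", subtype="jpeg", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    print(review_message(build_sample()))
    print(review_message(build_sample((b"\xff\xd8\xff\xe0" + b"\x00" * 16, "real.jpg"))))
    print(review_message(build_sample((b"plain bytes, not JPEG data", "photo.jpg"))))
```

A signature match only shows that the leading bytes agree with the declared type, so the text-only rule is the stronger of the two checks.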

  7. Re: Apple Mail in Leopard with the same old error

    ____/ High Plains Thumper on Tuesday 20 November 2007 21:44 : \____

    > [H]omer wrote:
    >> Roy Schestowitz spake thusly:
    >>
    >>> What type of person would send a program to someone by
    >>> E-mail anyway?

    >>
    >> Unless it's by prior arrangement and consent, all Email sent
    >> to me that contains anything other than text is automatically
    >> junked at the server.
    >>
    >> I got sick and tired of empty Emails with winmail.dat crap
    >> attachments, chain mail "jokes" - many of which contained huge
    >> videos that bogged down the server and my bandwidth, dodgy
    >> Word and Powerpoint attachments; company "newsletters" in HTML
    >> format - that were basically un-viewable without Javascript,
    >> Java, Flash, or in some cases even ActiveX; and spam
    >> masquerading as gif files, advertising \/i@gr@ or pump-n-dump
    >> stocks.
    >>
    >> It's amazing how little spam gets through once you confine
    >> what your server forwards to just text. Of course greylisting
    >> takes care of the rest. All hail greylisting.

    >
    > You are not the only one to ban html E-mail:
    >
    > http://www.fcw.com/online/news/97178-1.html
    >
    >
    > DOD bars use of HTML e-mail, Outlook Web Access
    > By Bob Brewin
    > Published on December 22, 2006
    >
    > Due to an increased network threat condition, the Defense
    > Department is blocking all HTML-based e-mail messages and has
    > banned the use of Outlook Web Access e-mail applications,
    > according to a spokesman for the Joint Task Force for Global
    > Network Operations.
    >
    >


    Greylisting is the key. Keeping multiple boxes is a good way to handle this
    (other than filtering).

    --
    ~~ Best of wishes

    Roy S. Schestowitz | Useless fact: the buttocks is the largest muscle
    http://Schestowitz.com | RHAT Linux | PGP-Key: 0x74572E8E
    23:20:02 up 21 days, 3:18, 4 users, load average: 1.93, 1.32, 1.48
    http://iuron.com - Open Source knowledge engine project

  8. Re: Apple Mail in Leopard with the same old error

    ____/ William Poaster on Tuesday 20 November 2007 16:41 : \____

    > BearItAll wrote:
    >
    >> Peter Köhlmann wrote:
    >>
    >>>
    >>> http://www.heise-security.co.uk/news/99257
    >>>
    >>> Again one can see that apple "quality" is about the same as "MS quality"
    >>>

    >>
    >> I didn't know Apple Macs were susceptible to that sort of attack, I still
    >> tend to think of Apples as being UNIX-Like, at least in security.

    >
    > Apple is about 85% FreeBSD & the rest is Apple's junk bolted on. As that is
    > their proprietary SW, who knows wtf it contains. It's probably why Paul
    > Hudson of FuturePublishing says that their Apple Macs crash at least once a
    > day.
    >
    > I have the latest FreeBSD release on another machine, & that *doesn't* crash.
    > As they say..."Go figure"..
    >
    > Most BSD-users don't consider Apple's SW a BSD, & don't rate it at all.


    On top of the BSD stack you're left with /heaps/ of proprietary software. If
    you consider OS X _as a whole_, BSD is just a fragment. In Debian GNU/Linux,
    for example, Linux only accounts for 2 or 3 percent of the code.

    >> Wouldn't you think that by now MS and Apple, if they are going to insist on
    >> executing straight from emails, would have wrapped these in a little
    >> application cage, or at the very least keep them inside the java vm.
    >>
    >> Am I getting cynical as I get older, but I can't help feeling that a patch
    >> for this specific one mentioned will simply try to examine the file further
    >> to decide if it is a picture or not.
    >>
    >> Caging wouldn't be difficult, there is only so much executing that makes
    >> sense directly from an email, such as the caged launch of a picture or file
    >> viewer, it could even allow for editors inside the cage to edit and return
    >> email contents.
    >>
    >> I wonder if Apple still has enough UNIX in it to allow for multiple
    >> directory caged root levels, I should imagine that in many cases a
    >> structure that only exists temporarily in ram would do the job.

    >
    >
    >


    --
    ~~ Best of wishes

    Roy S. Schestowitz | Useless fact: the buttocks is the largest muscle
    http://Schestowitz.com | RHAT Linux | PGP-Key: 0x74572E8E
    23:20:02 up 21 days, 3:18, 4 users, load average: 1.93, 1.32, 1.48
    http://iuron.com - Open Source knowledge engine project
