The State of Mac Malware
There’s been a lot of buzz recently about the sudden increase in Mac-specific malware cropping up so far this year. First people raved about the fairly tame and unthreatening BlackHole RAT trojan, then Mac users had to watch out for a slightly more crafty but avoidable MACDefender trojan, and now there’s news of a more advanced malware kit (Weyland-Yutani Bot) that has the ability to steal data entered into Firefox (Safari and Chrome currently unaffected, but expected to follow soon). AppleCare has reportedly been receiving a significant number of calls about the MACDefender trojan, and has issued a support document on how to deal with it.
Clearly some change is in the air, but exactly how does it affect normal Mac users? I for one actively look for Mac-based malware (eg. MACDefender), and have never stumbled across it by accident. Maybe I need to surf on the ‘dark side’ of the web more often. I just wanted to give my take on recent events and the state of Mac malware, and why I don’t think there’s any reason to be too worried just yet.
Everything You Need to Know About the iPhone Tracking ‘Scandal’ [Updated]
Seeing as I cover OSX/iOS security and privacy, I figured it’s about time I weighed in on this whole iPhone/iPad tracking ‘scandal’. I have to admit I was surprised when I first heard of the iPhone storing location data, especially that it does so with Location Services turned off. This issue is not new, however, and was described in a fair amount of depth by Alex Levinson several months ago. What has made it so popular this month is the release of the iPhoneTracker app, developed by Pete Warden and Alasdair Allan, that creates a visual map of your visited locations. I promptly tested iPhoneTracker, and sure enough it showed a bunch of areas that I’d visited. Upon closer inspection, however, I noticed that it didn’t specifically geolocate me in two places where I’d spent a lot of time; namely home and work. On top of that, there were a number of locations I’d never even been to.
[Updated] According to the info recently published by Apple, this stored location data is not the location of the iPhone itself, but rather a subset of crowd-sourced location information for local cell towers and wifi networks, which is only used to rapidly provide the user with location information. Full details at the bottom of this post. Read more
Understanding Apple’s Approach to Security
With Apple’s growing market share in desktop computers, and relative dominance in mobile computing, the security of Mac OS X and iOS are increasingly becoming talking points. Apple continues to tout the security of OSX, whilst the iOS hacker community keeps looking for (and finding) exploits that will allow them to jailbreak iPhones and iPads. This article is my own look into Apple’s history and strategy, and how this translates into the company’s focus on security today. Read more
Apple Hires Former Navy/NSA Expert as Head of Information Security
Apple has reportedly hired former Navy and NSA expert, David Rice, as the company’s global head of information security. Rice is the author of Geekonomics (2007) about the danger posed to US infrastructure by unpatched vulnerabilities. It’s rumored that Rice has been tapped to help Apple push further into the enterprise market (particularly iPhones and iPads), where security is becoming an increasing concern. Although Apple hasn’t formally commented on this position, Rice is expected to start work in March.
Sources: AllthingsD, Electronista
Apple Releases QuickTime 7.6.9 Security Update
Apple has released QuickTime 7.6.9 for Leopard 10.5.8 and Windows (XP,V,7), patching a number of vulnerabilities including several that were fixed in the recent 10.6.5 update.
The vulnerabilities include improper handling of JP2, AVI, MPEG, Flashpix, GIF, PICT, and QTVR files. Viewing maliciously-crafted files can lead to remote code execution in some cases.
QuickTime definitely needs more strengthening. Leopard and Windows users, go forth and patch!
iOS 4.2.1 Released with Free “Find My iPhone”
Apple has finally released the highly-anticipated iOS 4.2 (actual version is 4.2.1), bringing support for the iPad along with several other feature including AirPlay and AirPrint.
Along with this release, Apple has made the “Find My iPhone” functionality in MobileMe free to all iPhone, iPad and iPod Touch device owners. This service uses a combination of GPS, cell tower and wifi-network triangulation to obtain the location of the device, which can then be mapped. It also allows you to send messages, lock or completely wipe the remote device. To use this feature, you’ll need add a MobileMe account using your iTunes Apple ID by going to Settings > Mail, Contacts, Calendars > Add account. You can then track your device using the Find My iPhone app available in iTunes, or using the MobileMe web interface.
Users concerned about the privacy implications of this feature can easily disable it by going to Settings > Mail, Contacts, Calendar > Select your MobileMe account > Set ‘Find My iPhone’ to Off. Have a look at Apple’s KnowledgeBase article for more info on this feature.
iOS 4.2.1 brings with it a number of security updates (including Safari and numerous WebKit patches). Although it’s not mentioned in the update details, the previously-reported cool-but-deadly keylock bypass vulnerability has been fixed. Hit the jump for full details.
Related: Protecting and Recovering Your iPhone and iPad from Loss and Theft!
Apple Releases Mac OS X 10.6.5 (Security Update 2010-007)
Apple has finally released Mac OS X 10.6.5 bringing a number of bugfixes and security patches to the OS and applications. The list includes numerous improvements to AFP (File Sharing Protocol), QuickTime, and other image/PDF-based issues. I noticed that Apple are crediting themselves on quite a few of these, so it’s nice to see they’re putting in the effort of hunting down bugs.
Available via Software Update!
Vulnerability in FaceTime Beta (Quietly Patched?)
A vulnerability has been found in FaceTime Beta whereby a logged-in user can view and change any of the account details (including the security question/answer) for that account, without first being re-authenticated. There is also an issue with the logout function, as the password remains in the password field after logout, even after the application is quit and reopened.
Although no updates have been officially released, there are reports that some users can no longer reproduce these issues. Quiet fix by Apple? To be safe, you can avoid logging into FaceTime Beta on a computer you don’t own/fully trust until an official update or final version are released.
Apple-Produced Java Runtime Deprecated
Following its release of Java for Mac OS X 10.6 Release 3 (10.5 R8), Apple stated that “the version of Java that is ported by Apple, and that ships with Mac OS X, is deprecated”. Apple has long been producing its own Java runtime, and Java was originally brought to Mac OS X with the aim attracting Java developers to the platform. Since Java application failed to take off, and Apple’s own Cocoa has proven to be extremely successful, they have no real incentive to maintain Java themselves.
This doesn’t mean that Java will disappear from OSX, but instead will allow third parties, such as Oracle (who recently purchased Sun) to provide their own Java runtime directly. The Java Preferences app will allow users to manage the different versions of Java that are installed.
From a security perspective, there is one distinct benefit of this change: faster updates. Apple has always been slower to release security updates, and this will allow those updates to reach Mac OS X users in a much more timely basis.