WWDC 2011 Reaction: Lion, iOS 5 and iCloud
I’ve been following Apple for pretty much my whole life, and I like to think that I have a good feel for how the company is going to behave. Every so often they actually manage to surprise me a little, which is always nice, and WWDC 2011 managed to do that. First off, it was nice to see Steve back in action, particularly as all the stuff he announced is essentially what he had been dreaming about and predicted as the future of technology back in WWDC ’97! Secondly, although it may not seem like it, this WWDC was different, and in my opinion is the starting point for something fairly major, both for Apple and the future of the way we use technology in general.
I don’t want this to be a long protracted post about what was announced, but here is a short recap. Read more
Mac OS X Security Update 2011-003 adds MACDefender Protection [Updated]
Apple has released Security Update 2011-003 for Mac OS X 10.6 which updates the system’s built in ‘File Quarantine’ (aka. XProtect) mechanism to detect and remove OSX.MacDefender.A. More significantly, however, Apple has now enabled the ability for File Quarantine to receive daily updates to to its malware definition list, essentially giving Mac OS X a very simplistic built-in anti-virus. Now it’s just up to Apple to actually update the malware definitions list on a regular basis.
In System Preferences > Security > General, users can choose whether or not they want to “Automatically update safe downloads list”. I’m not sure “safe downloads list” is the best name for it however, as it doesn’t really help users understand what its purpose is. I highly recommend keeping this option checked. Note that the screenshot below is not a recommendation of what your preferences should look like, it’s merely highlighting the new option. For more into about configuring your Security settings check out Securing Leopard: Security, FileVault and Firewall (to be updated with this new setting shortly).
[Updated 01/06/2011] As I wholly expected, a new variant of MACDefender is already out in the wild that does not get detected by OSX’s File Quarantine. As File Quarantine is simply a blacklist of known malware, it does not have the ability to pick up on malware it doesn’t recognise. This will be a good test to see how quickly Apple responds and updates the File Quarantine definitions. If you installed the 2011-003 security update then your system is already set to check for new updates every 24 hours. Browse safe out there.
[Updated 02/06/2011] Apple has already updated the File Quarantine definitions for the latest MACDefender variant (OSX.MacDefender.C). Pretty good response time by Apple!
The State of Mac Malware
There’s been a lot of buzz recently about the sudden increase in Mac-specific malware cropping up so far this year. First people raved about the fairly tame and unthreatening BlackHole RAT trojan, then Mac users had to watch out for a slightly more crafty but avoidable MACDefender trojan, and now there’s news of a more advanced malware kit (Weyland-Yutani Bot) that has the ability to steal data entered into Firefox (Safari and Chrome currently unaffected, but expected to follow soon). AppleCare has reportedly been receiving a significant number of calls about the MACDefender trojan, and has issued a support document on how to deal with it.
Clearly some change is in the air, but exactly how does it affect normal Mac users? I for one actively look for Mac-based malware (eg. MACDefender), and have never stumbled across it by accident. Maybe I need to surf on the ‘dark side’ of the web more often. I just wanted to give my take on recent events and the state of Mac malware, and why I don’t think there’s any reason to be too worried just yet.
Low Risk MACDefender Trojan is Easily Avoided
There have been widespread reports of people installing a trojan that masquerades as an anti-virus program dubbed MacDefender. When visiting a malicious or compromised website promoted by SEO (search engine) poisoning, some Mac OS X users using Safari are experiencing the automatic download of a disk image which then automatically mounts and launches an installer. Intego’s blog has a detailed report which shows that they’ve discovered instances of scareware, where the websites (ironically displaying a faux-Windows GUI) show a fake virus scan and inform the user that their computer is infected.
Note: The automatic mounting and execution of the installer can easily be prevented by unchecking the “Open ‘safe’ files after downloading” option in the Safari Preferences.
If the user installs it, the MacDefender app look very professionally done and is unlike any other OSX malware to date. It will periodically open porn sites, pop up warnings that the user’s computer is infected, and prompt them to purchase the MacDefender anti-virus software. The software purchase page is just a place to get the user’s credit card number, and no product is delivered.
For the most part this is a very low-risk trojan, and can easily be avoided by disabling the ‘safe files’ option, and not installing software that randomly appears on your computer. No website can arbitrarily scan your computer for malware, and if they tell you that you’re infected, they’re lying. If common sense and good security practice aren’t enough, you can install an anti-virus (eg. VirusBarrier or Sophos) that will pick up this trojan.
If you did accidentally install the trojan, it can be removed with the following steps:
- Open Activity Monitor (in /Applications/Utilities/), and find the MacDefender.app process in the list. If it’s there, select it and click ‘Quit Process’.
- Open System Preferences (in the Apple menu) and click on Accounts. Click on the Login Items tab for your user, and find MacDefender in the list. If it’s there, select it and remove it using the minus [-] button below the list.
- Delete MacDefender from your Applications folder.
Check out my article on Securing Leopard and Top 100 Security and Privacy Tips!
[Update 5/5/11] There are reports of variants of the MACDefender trojan going around under the name “Mac Security” or “Mac Shield”. For the reversers, check out this reverse engineering of the MACDefender binary.
Updates: Mac OS X 2011-002, Safari 5.0.5, iOS 4.3.2
Apple has released several security updates which patch vulnerabilities in the way Mac OS X and iOS handle certificate trust. This comes off the back of the recent Comodo hack in which several fraudulent – yet valid – SSL certificates were created for a number of prominent websites, rendering users vulnerable to potential man-in-the-middle attacks. These updates (2011-002 and iOS 4.3.2/4.2.7) improve the way certificate verification is performed in OSX and iOS. The Safari 5.0.5 update patches two critical bugs which could result in remote code execution.
In other news: Updates to Safari in Mac OS X 10.7 “Lion” have shown that the browser will bring support for the new Do-Not-Track functionality, intended to give users the ability to opt-out from tracking by Third Party tracking and ad companies. Whether or not this functionality will be fully respected by third parties remains to be seen. Lastly, a tethered jailbreak for iOS 4.3.2 has already been released.
Safari, Mac OS X and Fraudulent SSL Certificates (Comodo)
Following the recent hacking of Comodo, a certificate authority that distributes SSL certificates, web users to the following domains are at a higher risk of phishing and sniffing attacks:
- login.live.com
- mail.google.com
- www.google.com
- login.yahoo.com
- login.skype.com
- addons.mozilla.org
Attackers were able to obtain SSL certificates for these domains, essentially allowing them to pose as those websites. The certificates have since been revoked by Comodo, however this relies on browsers checking for them by checking Comodo’s Certificate Revocation List (CRL) and having the Online Certificate Status Protocol (OCSP) enabled. Firefox and Chrome were updated last week to block the fraudulent certs, but Safari doesn’t do CRL and OCSP checking by default.
Hit the jump for how to enable these checks in OSX and Safari. Read more
Mac OS X 10.6.7 and Security Update 2011-001
Apple has released 10.6.7 and its first security patch of the year, 2011-001, fixing a large number of bugs and vulnerabilities. In particular it fixes a known graphics bug in the 2011 MacBook Pros. It also improves Back To My Mac connectivity and SMB (windows file sharing). From a security perspective it fixes issues in a number of components including the Kernel, Airport, ImageIO, and QuickTime, many of which potentially lead to remote code execution. This update also adds detection for the OSX.OpinionSpy spyware to Mac OS X’s built-in file quarantine.
It’s a fairly big update, so users are naturally advised to patch soon. Hit the jump for the full list of security issues fixed. Read more
Safari Errorjacking Vulnerability and Exploit [Patched]
One of the vulnerabilities patched in Safari 5.0.4 is a fairly critical issue in WebKit (CVE-2011-0167) that allows Javascript to jump into the local zone, and access any file on the local computer that is accessible to the current user. This could be used by malicious websites to extract files and information from the victim’s computer. The vulnerability affects Safari on Mac OS X and Windows, and could affect other WebKit-based browsers, although Chrome is safe due to added restrictions.
The bug exists because most browser error pages are loaded from the local “file:” zone, a zone that Javascript is not normally allowed to access directly. Since a child browser window remains under the control of the parent, it is possible to cause a child browser window to error, thus entering the normally-restricted local zone, and then instructing the child window to access local files using this elevated local-zone privilege.
This issue was a nice catch, discovered by Aaron Sigel who has a detailed explanation, video demo and proof-of-concept on his blog. It probably goes without saying, but Safari users should run Software Update as soon as possible.
Java Security Updates for Leopard and Snow Leopard
Apple has released Java for Mac OS X 10.6 Update 4 and Java for Mac OS X 10.5 Update 9, patching a number of vulnerabilities in the Java virtual machine. The most serious of these may allow an untrusted Java applet to execute arbitrary code outside of the Java sandbox. Users with Java installed should update soon. Those of you who don’t have Java don’t need to worry. If you’re unsure, just check Software Update.
Apple recently announced that the version of Java ported by Apple for Mac OS X has been deprecated. Starting in Mac OS X 10.7 “Lion”, the Java runtime will no longer be installed by default, instead requiring users to install Oracle’s Java runtime should they require Java support. Apple also recently stopped bundling Flash with Mac OS X by default, with new MacBook Air and MacBook Pros shipping without Flash. The divesting of these two products will not only eliminate Java and Flash vulnerabilities on default installs of Mac OS X, it will allow users who install these apps to get updates quicker directly from Oracle and Adobe, instead of having to wait for Apple to release software updates.
Hit the jump for details of the Java update for 10.6.
Understanding Apple’s Approach to Security
With Apple’s growing market share in desktop computers, and relative dominance in mobile computing, the security of Mac OS X and iOS are increasingly becoming talking points. Apple continues to tout the security of OSX, whilst the iOS hacker community keeps looking for (and finding) exploits that will allow them to jailbreak iPhones and iPads. This article is my own look into Apple’s history and strategy, and how this translates into the company’s focus on security today. Read more
Loading ...
