Monday, December 17, 2007

Mac-Security Column for December 2007


[NOTE: This is an article I published in the Syracuse Macintosh User Group (SMUG) monthly newsletter, AppleTree. Anyone is welcome to further publish it wherever they wish as long as the article is not further edited while my name as author and my copyright remain intact. Breaka da rulez and I breaka you head].


Mac Security column
2007-12-16
© Derek Currie

Last month I made a quick mention of Clam as a cross platform freeware anti-malware application. For Mac OS X you can obtain and use it in the form of ClamXav or Leopard Cache Cleaner (which runs on Jaguar, Panther and Tiger as well). This month I wanted to point out a couple more shareware anti-malware programs that may or may not be of interest.

But first let's take a tour through the many security enhancements Apple have provided in the past month:

November 12th Apple released the iPhone and iPod touch version 1.1.2 update. It addressed an all too familiar problem: a maliciously crafted image could terminate a running program or run arbitrary code, the infamous buffer overflow. A buffer overflow happens when a program copies more data into a fixed-size buffer than the buffer can hold, so the excess spills over into whatever sits next to it in memory: other variables, or the saved return address that tells the program where to continue when the current function finishes. At best the corrupted data crashes the program; if the overflowing data is carefully designed, it can redirect the program into code the attacker supplies and take over your computer.
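The mechanism described above, as an added example that is not from the original column or from Apple: a toy parser for a made-up 'image chunk' (one length byte, then the bytes of a name field), shown once as the unchecked code that causes the overflow and once in fixed form. The struct frame, the chunk format and the sample chunks are constructions for the demonstration; the point is that the length read from the file is attacker-controlled, and the vulnerable version never compares it with the size of the buffer it copies into.

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16

/* Stand-in for a stack frame: a fixed-size local buffer followed by a value
 * the program relies on afterwards. In a real frame that value would be the
 * saved return address; here it is an ordinary field so the overwrite can be
 * observed deterministically (every write stays inside this one struct). */
struct frame {
    char     name[NAME_MAX];
    uint32_t saved_return;
};

/* Constructed chunk format (not a real image format): data[0] declares the
 * length of the name field, data[1..] carries its bytes. */
struct chunk {
    const uint8_t *data;
    size_t         size;
};

/* VULNERABLE: copies as many bytes as the file claims and never compares the
 * claim with NAME_MAX. A 20-byte payload fills name[] and then overwrites
 * saved_return; a bigger one would run off the end of the frame and crash. */
int parse_name_unchecked(struct frame *f, const struct chunk *c)
{
    if (c->size < 1)
        return -1;
    size_t declared = c->data[0];
    memcpy((char *)f + offsetof(struct frame, name), c->data + 1, declared);
    return 0;
}

/* FIXED: the declared length is untrusted input. Reject a claim the chunk
 * cannot back up and anything that will not fit (leaving room for the
 * terminating NUL) before a single byte is copied. */
int parse_name_checked(struct frame *f, const struct chunk *c)
{
    if (c->size < 1)
        return -1;
    size_t declared = c->data[0];
    if (declared > c->size - 1)     /* claims more bytes than are present */
        return -1;
    if (declared >= NAME_MAX)       /* would overrun name[] */
        return -1;
    memcpy(f->name, c->data + 1, declared);
    f->name[declared] = '\0';
    return 0;
}

typedef int (*parser_fn)(struct frame *, const struct chunk *);

/* Runs a parser on a chunk inside a fresh frame whose saved_return holds a
 * known marker, and returns what saved_return contains afterwards. */
uint32_t saved_return_after(parser_fn parser, const uint8_t *bytes, size_t n)
{
    struct frame f;
    struct chunk c = { bytes, n };
    memset(&f, 0, sizeof f);
    f.saved_return = 0x11111111u;
    (void)parser(&f, &c);
    return f.saved_return;
}

/* Same setup, but returns the parser's own verdict (0 accepted, -1 rejected). */
int verdict_of(parser_fn parser, const uint8_t *bytes, size_t n)
{
    struct frame f;
    struct chunk c = { bytes, n };
    memset(&f, 0, sizeof f);
    return parser(&f, &c);
}

/* Constructed inputs. The crafted chunk declares 20 bytes: 16 of filler to
 * fill name[], then four 'A's (0x41) that land on saved_return. */
static const uint8_t benign_chunk[]  = { 5, 'p', 'h', 'o', 't', 'o' };
static const uint8_t crafted_chunk[] = {
    20,
    'x','x','x','x','x','x','x','x','x','x','x','x','x','x','x','x',
    'A','A','A','A'
};

int main(void)
{
    printf("unchecked parser, crafted chunk: verdict %d, saved_return 0x%08" PRIx32 "\n",
           verdict_of(parse_name_unchecked, crafted_chunk, sizeof crafted_chunk),
           saved_return_after(parse_name_unchecked, crafted_chunk, sizeof crafted_chunk));
    printf("checked parser,   crafted chunk: verdict %d, saved_return 0x%08" PRIx32 "\n",
           verdict_of(parse_name_checked, crafted_chunk, sizeof crafted_chunk),
           saved_return_after(parse_name_checked, crafted_chunk, sizeof crafted_chunk));
    printf("checked parser,   benign chunk:  verdict %d, saved_return 0x%08" PRIx32 "\n",
           verdict_of(parse_name_checked, benign_chunk, sizeof benign_chunk),
           saved_return_after(parse_name_checked, benign_chunk, sizeof benign_chunk));
    return 0;
}
```

The unchecked parser happily accepts the crafted chunk and leaves saved_return reading 0x41414141, the attacker's four bytes; in a real program that is the point where execution is redirected. The checked parser refuses the same chunk before copying anything, and the marker value survives untouched. Note that the fix is not "use a bigger buffer": it is refusing to trust a length that came from the file.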

November 14 Apple released the Mac OS X 10.4.11 update as well as Security Update 2007-008, which is for Mac OS X 10.3.9. Both cover the same security issues. Security repairs were provided for the following parts of Mac OS X:

• AppleRAID
• BIND
• CFFTP
• CFNetwork
• CoreFoundation
• CoreText
• Kerberos
• Kernel (6 fixes)
• Networking (5 fixes)
• NFS
• NSURL
• remote_cmds
• Safari (2 fixes)
• SecurityAgent
• WebCore (9 fixes)
• WebKit (3 fixes)

This update also includes a new version of the Flash Player plug-in with security fixes.

November 14 Apple also released Safari 3 Beta version 3.0.4 for Windows. It patches two vulnerabilities in Safari itself, three in WebCore and three in WebKit. Most of the patches concern cross-site scripting.

November 15 Apple released the Mac OS X 10.5.1 update, which included three security fixes to its application firewall. The Leopard firewall had been met with skepticism and disdain; these patches address the most widely noted problems.

December 13 Apple released QuickTime version 7.3.1, which includes three security fixes. Earlier in the month Apple had been slammed by the likes of Secunia and the SANS Institute for what seemed an unending string of QuickTime security flaws. This update addresses a few of the problems, specifically those related to maliciously crafted RTSP movie files, QTL files and the QuickTime Flash media handler. This update is for Mac OS X 10.3.9 on up as well as Windows XP SP2 and Vista.

December 14 Apple released Java for Mac OS X 10.4 Release 6. Does anyone remember when we were all fed the marketing spin that Java was supposed to be the 'safe' programming language that couldn't harm your operating system and hardware? Yeah right, we wish. Surprise! This update covers thirty security flaws in Java for Mac OS X. The fixes remove the ability of a malicious web page to raid or add to your Keychain (an outrageous security flaw), along with the usual arbitrary code execution and privilege escalation.

In all, these security updates are crucial; many of them patch vulnerabilities that could let an attacker take over your computer. Therefore, as usual, keep your Mac OS X security updates up-to-date! You can read about all these security updates in detail at:

http://docs.info.apple.com/article.html?artnum=61798


CONCLUSION: Software coding remains a mysterious art that is constantly full of flaws. Microsoft may be the masters at security blunders, but like it or not there are blunders using even the most deliberately secure of contemporary coding methods. In other words, expect more Mac security flaws and perhaps more Mac malware in the future. But also feel secure that Apple are on their toes these days cleaning up Mac OS X security problems.


Now on to a couple more anti-malware programs for Mac OS X. The first is MacScan, which claims to identify and isolate Mac OS X Trojans, spyware and tracking cookies. It is shareware costing around $25, with a 30-day demo period after download. The second is freeware called Zebra Scanner, which claims to identify disguised Trojans. It has not been updated since 2005.

Let me save you some time and share my conclusion: both of these programs are useless and unnecessary. There are, however, a couple of caveats to that statement, which I provide below if you care to keep reading:

MacScan has been known in the shareware world as 'MacScam' because of its rather high price for the ability to do next to nothing. Example: I used it to scan for the demo Trojan that Zebra Scanner provides. It couldn't find it. I used it to find tracking cookies. It found false positives, it failed to find others until I ran it a second time, and when I asked it to remove those it had found it did absolutely nothing. I had to remove the tracking cookies by hand. And I'm supposed to pay for this privilege?

The one useful thing MacScan does provide is a list of known 'LEGAL' spyware programs for Mac OS X. You can find this list on their website as well. Legal spyware includes keystroke loggers, VNC and remote administration programs that are openly sold to the Mac market. They are typically used in professional network situations where the network administrator or the boss wants to keep track of the work being done by their computer clients or employees. You can find a slew of them available for download by searching with the term 'spyware' at VersionTracker.com.

Meanwhile, I tried to find the blacklist MacScan is supposedly using to identify Tracking Cookies, but I failed. Something tells me I can find one on the Internet, so I will be in search of it this coming month and will share it when I find it.

What are tracking cookies? They are ordinary website cookies put to a spyware-like use. An advertising or analytics network whose content (an ad banner, a tracking image) is embedded on many different sites sets a cookie from its own domain; your browser then sends that same cookie back to the network on every site that embeds its content, so the network can stitch all of those visits together into a profile of where you go on the web. It is sold as a marketing tool that lets a website choose which products to advertise to you. Personally, I consider it a privacy intrusion. So I enjoy removing tracking cookies and blocking my browsers from accepting them; in Safari, for example, setting Accept Cookies to 'Only from sites you navigate to' stops most of these third-party cookies at the door.


Last and least we come to Zebra Scanner. Back when it was written there was a scare that hackers were going to attack the Mac with Trojans disguised as such benign things as JPEG files and text messages. But a security fix in Mac OS X 10.4 ended that possibility. Therefore, Zebra Scanner became useless. But there is one small possibility you could still get fooled by a malware application in disguise. That would be if you have your Finder set to NOT show file extensions. I am someone who was rather angry that Apple chose to go with file extensions to identify Mac OS X file types as opposed to the file types being embedded in the file's headers. Those stupid 'dot three' extensions on files are so Windows, so Luddite, so retro, so ugly. Apple actually compromised on the issue and still allows header file type identification, but for the purpose of avoiding Trojans, the dopey file extensions actually come in handy. Here is the example Zebra Scanner provides:



Suppose you are sent something that has a folder icon and the title 'Christmas Icons'. Great, you figure it has nifty Christmas icons inside the folder. But darn, you have the Finder set to NOT show file extensions. So you have no idea that this bogus folder is actually an application with a fake folder icon pasted on top. So you 'open the folder' and actually launch the Trojan, infecting yourself.


If you think you could be subject to that infection method, then you should use Zebra Scanner. If, however, you leave your file extensions turned ON, you can't be fooled by this trick: the fake folder's name ends in '.app'.


So what if some goon removes the '.app' extension? It is very easy to do in Mac OS X. Then do a Get Info on the item before you do anything with it. The operating system will STILL tell you that its Kind is Application. Therefore, don't run it.

Don't bother trying to come up with other crafty ways to fool the operating system. If you disguise an application as a .txt file, the OS will attempt to open it ONLY as a .txt file. It will NOT run it as an application. You are safe. What you will get is an error message saying that the text file is unreadable, which makes sense since it is actually an application. The same holds if you give the application any other extension.


CONCLUSION: Be wary of anything at all you receive out of the blue and don't absolutely know to be safe. Expect it to be bad news. (1) Have your extensions turned on in the Finder. (2) Always do a Get Info on anything suspicious. (3) To be extra-super-safe, only use your Mac from a standard account, not an administrator account. This helps prevent Trojans from doing nasty stuff at the administrative level. Only your current standard user account can be hurt.
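Here is the Get Info check as a small command-line tool, an added example and not the author's or Apple's code. It ignores the icon and the displayed name entirely and classifies a path by what is on disk: a directory holding Contents/Info.plist whose CFBundlePackageType is APPL is an application bundle, whatever it happens to be called. So that it can be tried on any Unix and not only a Mac, it builds its own constructed fixtures (a decoy 'Christmas Icons' bundle with no .app extension, and a genuine folder) in a scratch directory under /tmp when run without arguments; given paths as arguments it checks those instead. The fixture names, the scratch location and the decoy's Info.plist contents are all assumptions made for the example.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>

enum kind { KIND_MISSING, KIND_FILE, KIND_FOLDER, KIND_APPLICATION };

/* Writes "<a>/<b>" into out; returns 0 if it would not fit. */
static int join(char *out, size_t cap, const char *a, const char *b)
{
    return snprintf(out, cap, "%s/%s", a, b) < (int)cap;
}

/* Reads <dir>/Contents/Info.plist and reports whether it declares an
 * application bundle (CFBundlePackageType = APPL). Info.plist is XML, so a
 * substring search on that key/value pair is enough here; a real tool would
 * hand the file to a plist parser. */
static int info_plist_says_app(const char *dir)
{
    static char buf[65536];
    char path[4096];
    if (!join(path, sizeof path, dir, "Contents/Info.plist")) return 0;
    FILE *fp = fopen(path, "rb");
    if (!fp) return 0;
    size_t n = fread(buf, 1, sizeof buf - 1, fp);
    fclose(fp);
    buf[n] = '\0';
    const char *key = strstr(buf, "<key>CFBundlePackageType</key>");
    const char *val = key ? strstr(key, "<string>") : NULL;
    return val && strncmp(val + strlen("<string>"), "APPL", 4) == 0;
}

/* The check itself: ignore icon and name, look at what is actually on disk. */
enum kind classify(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0) return KIND_MISSING;
    if (!S_ISDIR(st.st_mode)) return KIND_FILE;
    return info_plist_says_app(path) ? KIND_APPLICATION : KIND_FOLDER;
}

/* ---- Constructed fixtures so the example can be tried off a Mac ---- */

/* Scratch directory, created on first use (e.g. /tmp/bundlecheck.a1B2c3). */
const char *demo_root(void)
{
    static char root[] = "/tmp/bundlecheck.XXXXXX";
    static int made = 0;
    if (!made) { if (!mkdtemp(root)) return NULL; made = 1; }
    return root;
}

/* Builds <scratch>/<name> into out; returns 0 on failure. */
static int demo_path(char *out, size_t cap, const char *name)
{
    const char *root = demo_root();
    return root && join(out, cap, root, name);
}

/* A 'Christmas Icons' style decoy: no .app in the name, but the innards of
 * an application (a Contents folder, a MacOS folder and an Info.plist that
 * declares APPL). Returns 0 on success. */
int make_fake_app(const char *name)
{
    char dir[4096], sub[4096];
    if (!demo_path(dir, sizeof dir, name) || mkdir(dir, 0700) != 0) return -1;
    if (!join(sub, sizeof sub, dir, "Contents") || mkdir(sub, 0700) != 0) return -1;
    if (!join(sub, sizeof sub, dir, "Contents/MacOS") || mkdir(sub, 0700) != 0) return -1;
    if (!join(sub, sizeof sub, dir, "Contents/Info.plist")) return -1;
    FILE *fp = fopen(sub, "w");
    if (!fp) return -1;
    fputs("<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<plist version=\"1.0\"><dict>\n"
          "<key>CFBundleExecutable</key><string>decoy</string>\n"
          "<key>CFBundlePackageType</key><string>APPL</string>\n"
          "</dict></plist>\n", fp);
    return fclose(fp) == 0 ? 0 : -1;
}

/* A genuine, harmless folder for comparison. Returns 0 on success. */
int make_plain_folder(const char *name)
{
    char dir[4096];
    return demo_path(dir, sizeof dir, name) && mkdir(dir, 0700) == 0 ? 0 : -1;
}

/* Classifies <scratch>/<name>. */
enum kind classify_in_demo(const char *name)
{
    char path[4096];
    return demo_path(path, sizeof path, name) ? classify(path) : KIND_MISSING;
}

int main(int argc, char **argv)
{
    static const char *label[] = { "missing", "file", "folder", "APPLICATION" };
    if (argc > 1) {                            /* normal use: check the paths given */
        for (int i = 1; i < argc; i++)
            printf("%-12s %s\n", label[classify(argv[i])], argv[i]);
        return 0;
    }
    const char *names[] = { "Christmas Icons", "Real Icons", "Christmas Icons/Contents/Info.plist" };
    make_fake_app(names[0]);                   /* no args: build and check the fixtures */
    make_plain_folder(names[1]);
    for (int i = 0; i < 3; i++)
        printf("%-12s %s\n", label[classify_in_demo(names[i])], names[i]);
    return 0;
}
```

Compile with cc -o bundlecheck bundlecheck.c and run ./bundlecheck ~/Downloads/* to classify everything you have downloaded. Anything reported as APPLICATION that the Finder is showing you as a folder or a document is exactly the decoy described above, and the .app extension, the icon and the name played no part in catching it.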

Next month I will hopefully have a source for a Tracking Cookie blacklist. So stay tuned if you are interested. In the meantime you can keep track of my ongoing Mac security news here at:

http://mac-security.blogspot.com

Share and Enjoy,

:-Derek

Saturday, December 8, 2007

Symantec Massive Booboo, Again


I suspect this post will come off as snotty. But the fact is that Symantec have consistently been the #1 purveyor of anti-Mac security FUD since 2005. They pulled another FUD attack just this past month.


As ever, FUD is used as a propaganda tactic in order to frighten people into doing your bidding. Our current USA federal executive branch is using FUD to drive a war machine for the purpose of their special interests, as opposed to the actual interests of the citizens they are supposed to be representing. Their particular FUD phrase is 'The Long War', referring to the non-existent 'war' on terrorism.

What has been Symantec's purpose? They want to sell Norton Anti-Virus to Mac users. Not surprisingly their FUD started precisely at the time when it became blatantly evident that Norton AV was one of the single most buggy applications available for Macintosh. Needless to say, Symantec's efforts so far have been rebuffed. The usual response is that Mac users are deliberately ignorant about security. In actuality I think we can all agree that Mac users will very much become knowledgeable about Mac security at such time as it proves to be of actual importance.

Payback is a bitch. And Symantec pulled quite a booboo this past week. You can read all about it here:

http://www.pcmag.com/article2/0,2704,2229576,00.asp


To quote PC Magazine:

Update: Symantec Screwup Is 'Worse Than Any Virus'
12.06.07
By Chloe Albanesius

A routine update from Symantec Security Response wreaked havoc on a California company's clientele this week when it inadvertently tagged a program produced by Solid Oak Software as a virus and cut off the Internet access of Solid Oak customers.

. . .

Solid Oak customers including schools, libraries and personal accounts, were not provided with a recovery mechanism and subsequently lost Internet access. Solid Oak did not have an exact number of those affected, but it likely numbers in the tens of thousands, according to a spokeswoman.

Customers have had to re-install entire operating systems and software, she said.

. . .

This is the third time in less than a year that Symantec's Norton products have caused severe damage to computers running CYBERsitter software offerings, said Brian Milburn, president of Solid Oak Software, in a statement. "In my opinion, Norton products are worse than any virus I can think of," he said.

"We have thousands of users with no Internet access and all Symantec has done is to provide our mutual customers with a non-functioning support number that tell them to use on-line support," Milburn added. "The problem is even worse because [it's] the holiday season. Users are trying to order gifts on-line and they can't."

. . .

The situation is "embarrassing" for Solid Oak, Solid Oak's spokeswoman said. The company has been forced to pass along to customers instructions from Symantec, but nothing is working as of Thursday, she said. "People are upset," she said.

Solid Oak received an e-mail from Kevin Haley, Symantec's director of product management for Security Response, at 11 a.m. PST Thursday but no further instructions were relayed at the original time of this story's publication, according to Solid Oak.


Happily, Symantec issued a fix this Friday.

Personal blether-fest related to the subject:

As I tell everyone, we are still in 'The Stone Age Of Computing.' Software development in particular is remarkably primitive, a PITA, consistently unreliable, and still requires drastic improvements in user-friendliness. Essentially, the software development task, using the crummy tools and coding philosophies we have at this time, is well beyond the comprehension of any one human being. And as usual, once you get into the process of coding by committee, you can break up a project into pieces, but getting the pieces to all be of the same quality and getting them all to work together properly is just about impossible.

A great example to watch right now is the progress of Mac OS X 10.5 Leopard. Undoubtedly it is the best OS on the market. But new bugs are discovered every single day. It clearly is suffering from what is called the '1.0' effect where the first publicly released version of any program is not-ready-for-prime-time. Why this effect happens so consistently is a complicated matter I may discuss some other time. Suffice it to say that it is expected and eventually works itself out. But nothing is perfect.

Much as I love Mac OS X Tiger, even at the 11th revision it still has bugs. Example: Have you noticed that even in 10.4.11 the icons of some of the files in a folder still disappear from time to time? It is because of flaws in the Finder. You can find a freeware tool called Refresh Finder to help overcome this nonsense at:

http://www.soderhavet.com/refresh/


CONCLUSION: Every software company consistently makes mistakes. It is part of our times. But it is particularly satisfying, in a mean-spirited kind of way I must admit, when a lying, fear-mongering company like Symantec fall on their face due to their own incompetence and arrogance. Let's hope we all learn from our mistakes and learn to treat each other with more understanding and respect.

Friday, December 7, 2007

How To Utterly Destroy The 'Security By Obscurity' Myth


One of the favorite baseless myths about Macintosh is that its incredible security record is due to 'obscurity'. This week the old scarecrow was foisted on the public once again:


The Financial Times tries spreading some Apple Mac security FUD
Thursday, December 06, 2007 - 12:10 PM EST
http://macdailynews.com/index.php/weblog/comments/15715/

So, in celebration I have updated a post I regularly make at the comp.sys.mac.advocacy UseNet newsgroup:
---------------------------------------------------------

How To Utterly Destroy The 'Security By Obscurity' Myth:

Use math.

1) Take the current number of known malware in the wild for Windows. The number is so huge that I never find any sources in agreement. But let's use the very out-of-date, conservative number of 114,000 Apple used in an ad a year ago.

2) Take the number of known malware in the wild for Mac. Just to rub it in I like to inflate this number by including both the number for Mac OS X of 1 (one) and add all the old Mac OS 1 - 9 malware, that being 55. Total = 56 malware for Mac in its entire history.

3) Divide: 114,000 / 56 = 2036 (rounded).

4) Slowly and kindly explain this to the myth mongers: Using verifiable data there are 2036x more malware for Windows than Mac.

5) Now go in for the kill and calculate the number of malware on a per-computer basis for each OS. You can do this using market share percentages. The generally agreed figures for the US market are 92% Windows boxes and 6% Macs. (If myth mongers complain that you should use world market numbers, go right ahead. You'll still shock them). Using proportional math:

Compare the ratio of Windows malware to Mac malware (114,000 to 56) with the ratio of Windows users to Mac users (92% to 6%). Y is the factor by which the first ratio exceeds the second, that is, the disparity in malware per computer user between the two platforms:

Y = (114,000 / 56) / (0.92 / 0.06) = 2036 / 15.3 = 132

Conclusion: There are 132 times more malware per Windows user than there are per Mac user.

There are theories about why this massive disparity exists. Blame Microsoft incompetence, blame user hatred of Windows, blame the simplicity of hacking Windows. But does 'security by obscurity' of the Mac explain this number? Obviously not.

Then stomp on the grave of this myth:

(A) Take the 55 old, long-dead pre-Mac OS X malware out of the calculations and point out that there is 114,000 times more malware for Windows than for Mac OS X. Doing the same math, that gives a disparity factor of 7434 times more malware per Windows user than per Mac user. How's that sound?

(B) If there was equality in the security of the Windows platform versus the Mac platform you would at least expect something dramatically closer to a 1:1 ratio of malware per user between the platforms. 132 times more malware per Windows user is utterly insane. What does that make 7434 times more malware?

(C) Considering these figures, why does anyone use Windows? Why are businesses, designed to make money, wasting billions every year on Windows security upkeep and security damage when simply switching to Mac would wipe out nearly all those costs?


Share and Enjoy,

:-Derek