Monday, December 17, 2007

Mac-Security Column for December 2007

[NOTE: This is an article I published in the Syracuse Macintosh User Group (SMUG) monthly newsletter, AppleTree. Anyone is welcome to further publish it wherever they wish as long as the article is not further edited while my name as author and my copyright remain intact. Breaka da rulez and I breaka you head].

Mac Security column
© Derek Currie

Last month I made a quick mention of Clam as a cross platform freeware anti-malware application. For Mac OS X you can obtain and use it in the form of ClamXav or Leopard Cache Cleaner (which runs on Jaguar, Panther and Tiger as well). This month I wanted to point out a couple more shareware anti-malware programs that may or may not be of interest.

But first let's take a tour through the many security enhancements Apple have provided in the past month:

November 12th Apple released the iPhone and iPod Touch version 1.1.2 update. It addressed an all too familiar problem: maliciously crafted images being able to terminate a running program or run arbitrary code, also known as the infamous buffer overflow. This happens when a program writes more data into a fixed-size memory buffer than that buffer was designed to hold, so the excess spills over into the adjacent memory. The spilled data can crash the program whose memory was trampled, or, if the trampling data is carefully designed and executed, it could potentially take over your computer.

November 14 Apple released the Mac OS X 10.4.11 update as well as Security Update 2007-008, which is applicable to Mac OS X 10.3.9. Both cover the same security issues. Security repairs were provided for the following parts of Mac OS X:

• AppleRAID
• CFNetwork
• CoreFoundation
• CoreText
• Kerberos
• Kernel (6 fixes)
• Networking (5 fixes)
• remote_cmds
• Safari (2 fixes)
• SecurityAgent
• WebCore (9 fixes)
• WebKit (3 fixes)

This update also provides a new security fix version of the Flash Plug-in.

November 14 Apple also released Safari 3 Beta version 3.0.4 for Windows. It patches two vulnerabilities in Safari itself, three vulnerabilities in WebCore and three vulnerabilities in WebKit. The most numerous patches it provides are related to cross-site scripting.

November 15 Apple released the Mac OS X 10.5.1 update, which included three security updates to its firewall. The Leopard firewall has been met with skepticism and disdain. These patches address the most noted problems.

December 13 Apple released QuickTime version 7.3.1 which includes three security updates. Earlier in the month Apple had been slammed by the likes of Secunia and SANS Institute for the continuation of a seemingly unending string of QuickTime security flaws. This update addresses a few of the problems specifically related to maliciously crafted RTSP movie files, QTL files and the QT Flash media handler. This update is for Mac OS X 10.3.9 on up as well as Windows XP SP2 and Vista.

December 14 Apple released Java 6 for Mac OS X 10.4. Does anyone remember when we were all fed the marketing spin that Java was supposed to be the 'safe' programming language that couldn't harm your operating system and hardware? Yeah right, we wish. Surprise! This update covers thirty security flaws in Java for Mac OS X. The fixes prevent the ability of a malicious web page to raid or add to your Keychain (which is an outrageous security flaw), as well as the usual arbitrary code execution and privilege escalation.

In all, these security updates are crucial, many of them patching vulnerabilities that could potentially lead to a hacker taking over your computer. Therefore, as usual, be sure you keep your Mac OS X security updates up-to-date! You can read about all these security updates in detail at:

CONCLUSION: Software coding remains a mysterious art that is constantly full of flaws. Microsoft may be the masters at security blunders, but like it or not there are blunders using even the most deliberately secure of contemporary coding methods. In other words, expect more Mac security flaws and perhaps more Mac malware in the future. But also feel secure that Apple are on their toes these days cleaning up Mac OS X security problems.

Now on to a couple more anti-malware programs for Mac OS X. The first is called MacScan, which claims to identify and isolate Mac OS X Trojans, spyware and Tracking cookies. It is a shareware program that costs around $25. When it is downloaded you are provided with a 30 day demo period. The second program is freeware called Zebra Scanner, which claims to identify disguised Trojans. It has not been updated since 2005.

Let's save some time and let me share my conclusion that both of these programs are useless and unnecessary. However, there are a couple of caveats to that statement I will provide below if you care to keep reading:

MacScan has been known in the shareware world as 'MacScam' because of the rather high price for its ability to do next to nothing. Example: I used it to scan for the demo Trojan that Zebra Scanner provides. It couldn't find it. I used it to find Tracker Cookies. It found false positives, it failed to find others until I ran it a second time, and when I asked it to remove those it found it did absolutely nothing. I had to remove the Tracker Cookies by hand. And I'm supposed to pay for this privilege?

The one useful thing MacScan does provide is a list of known 'LEGAL' spyware programs for Mac OS X. You can find this list on their website as well. Legal spyware includes keystroke loggers, VNC and remote administration programs that are openly provided to the Mac market. They are typically used in professional network situations where the network administrator or the boss wants to keep track of the work being done by their computer clients or employees. You can find a slew of them available for download by searching with the term 'spyware' at

Meanwhile, I tried to find the blacklist MacScan is supposedly using to identify Tracking Cookies, but I failed. Something tells me I can find one on the Internet, so I will be in search of it this coming month and will share it when I find it.

What are Tracking Cookies? They technically are a mini-version of spyware under the guise of website cookies. They watch where you go on the web, store that information, then feed it back to their home site the next time you visit. It is supposed to be a marketing tool that a website can use for choosing what products to advertise to you. Personally, I consider it privacy intrusion. So I enjoy removing tracking cookies and blocking them from being allowed by my browsers.
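To show what a blacklist-driven Tracking Cookie check would actually do (and how exact domain-suffix matching avoids the kind of false positives described above), here is an added example that is not MacScan's code or the page's own. It assumes the Netscape cookies.txt layout used by Firefox and curl (seven tab-separated fields), and both the cookie lines and the blacklist are constructed placeholders:

```python
# Constructed sample in Netscape cookies.txt format: domain, subdomain flag,
# path, secure flag, expiry, name, value. The entries are made up.
SAMPLE_COOKIES = """\
# Netscape HTTP Cookie File
.example-shop.test\tTRUE\t/\tFALSE\t1230768000\tsession\tabc123
.ads.example-tracker.test\tTRUE\t/\tFALSE\t1262304000\tuid\t9f8e7d
www.example-news.test\tFALSE\t/\tTRUE\t1262304000\tpref\tlarge
.example-tracker.test\tTRUE\t/\tFALSE\t1262304000\tvisitor\t00042
"""

# Constructed blacklist of tracking domains (placeholders, not a real list).
TRACKER_BLACKLIST = {"example-tracker.test", "metrics.example-stats.test"}

def parse_cookies_txt(text):
    """Yield (domain, name, value) for each cookie line, skipping comments."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != 7:
            continue  # malformed line: ignore rather than guess
        domain, _flag, _path, _secure, _expiry, name, value = fields
        # a leading dot means "this domain and its subdomains"; drop it
        yield domain.lstrip(".").lower(), name, value

def domain_in_blacklist(domain, blacklist):
    """True only if `domain` equals a blacklisted domain or is a subdomain of one.

    Matching on whole labels (not substrings) keeps 'example-shop.test'
    from being flagged just because a blacklisted name contains 'example'."""
    labels = domain.split(".")
    return any(".".join(labels[i:]) in blacklist for i in range(len(labels)))

def find_tracking_cookies(text, blacklist=TRACKER_BLACKLIST):
    """Return [(domain, name)] for cookies set by blacklisted tracking domains."""
    return [(d, n) for d, n, _v in parse_cookies_txt(text)
            if domain_in_blacklist(d, blacklist)]

if __name__ == "__main__":
    for domain, name in find_tracking_cookies(SAMPLE_COOKIES):
        print("tracking cookie: %s (%s)" % (name, domain))
```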

Last and least we come to Zebra Scanner. Back when it was written there was a scare that hackers were going to attack the Mac with Trojans that were disguised as such benign things as JPEG files and text messages. But a security fix in Mac OS X 10.4 ended that possibility. Therefore, Zebra Scanner became useless. But there is one small possibility you could still get fooled by a malware application in disguise. That would be if you have your Finder set to NOT show file extensions. I am someone who was rather angry that Apple chose to go with file extensions to identify Mac OS X file types as opposed to the file types being embedded in the file's headers. Those stupid 'dot three' extensions on files are so Windows, so Luddite, so retro, so ugly. Apple actually compromised on the issue and still allows header file type identification, but for the purposes of avoiding Trojans, the dopey file extensions actually come in handy. Here is the example Zebra Scanner provide:

Suppose you are sent something that has a folder icon and has the title 'Christmas Icons'. Great, you figure it has nifty Christmas icons inside the folder. But darn, you have the Finder set to NOT show file extensions. So you have no idea that this bogus folder is actually an application with a fake folder icon pasted on top. So you 'open the folder' but actually find you are infecting yourself with the Trojan.

If you think you could be subject to that infection method, then you should use Zebra Scanner. If however you leave your file extensions left ON, then you can't be fooled. That fake folder's name has '.app' as an extension at the end.

So what if some goon physically removes the '.app' extension? It is very easy to do in Mac OS X. Then what you can do is a Get Info on the file before you do anything with it. The operating system will STILL tell you that it is an application. Therefore, don't run it.

Don't bother trying to come up with other crafty ways to fool the operating system. If you fake an application to be a .txt file the OS will attempt to open it ONLY as a .txt file. It will NOT run it as an application. You are safe. What you will get is an error message saying that the text file is unreadable, which makes sense since it is actually an application. This same routine follows if you change the application to any other extension as well.
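The Get Info check above works because an application on Mac OS X is a bundle, a folder laid out a particular way (Contents/Info.plist plus Contents/MacOS), and the system identifies it by that layout, not by its icon or by whether '.app' is visible. Here is an added example, not the page's or Zebra Scanner's code, that applies the same test to the 'Christmas Icons' scenario; the fake bundle and the plain folder it builds are constructed samples in a temporary directory:

```python
import os
import plistlib
import tempfile

def disguised_app_reason(path):
    """Return why `path` is really an application bundle, or None.

    Like Finder's Get Info, this looks at the bundle layout
    (Contents/Info.plist, Contents/MacOS) rather than the icon or name."""
    info = os.path.join(path, "Contents", "Info.plist")
    if not (os.path.isdir(path) and os.path.isfile(info)):
        return None
    try:
        with open(info, "rb") as fh:
            plist = plistlib.load(fh)
    except Exception:  # unreadable plist: not a bundle we can judge
        return None
    is_app = plist.get("CFBundlePackageType") == "APPL" or (
        plist.get("CFBundleExecutable")
        and os.path.isdir(os.path.join(path, "Contents", "MacOS")))
    if not is_app:
        return None
    if os.path.basename(path).lower().endswith(".app"):
        return "application bundle"
    return "application bundle without .app extension"

def scan(directory):
    """Map each suspicious entry directly inside `directory` to its reason."""
    findings = {}
    for entry in sorted(os.listdir(directory)):
        reason = disguised_app_reason(os.path.join(directory, entry))
        if reason:
            findings[entry] = reason
    return findings

def demo():
    """Constructed sample: a fake 'Christmas Icons' app beside a real folder."""
    with tempfile.TemporaryDirectory() as tmp:
        fake = os.path.join(tmp, "Christmas Icons")   # '.app' stripped off
        os.makedirs(os.path.join(fake, "Contents", "MacOS"))
        with open(os.path.join(fake, "Contents", "Info.plist"), "wb") as fh:
            plistlib.dump({"CFBundlePackageType": "APPL",
                           "CFBundleExecutable": "Christmas Icons"}, fh)
        os.makedirs(os.path.join(tmp, "Real Icons"))    # an ordinary folder
        return scan(tmp)

if __name__ == "__main__":
    for name, reason in demo().items():
        print("%s: %s" % (name, reason))
```

Only the fake folder is reported; the real 'Real Icons' folder has no bundle layout and passes silently.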

CONCLUSION: Be wary of anything at all you receive out of the blue and don't absolutely know to be safe. Expect it to be bad news. (1) Have your extensions turned on in the Finder. (2) Always do a Get Info on anything suspicious. (3) To be extra-super-safe, only use your Mac inside a standard account, not an administrator's account. This will help prevent Trojans from doing nasty stuff on an administrative level. Only your current standard user account can be hurt.

Next month I will hopefully have a source for a Tracking Cookie blacklist. So stay tuned if you are interested. In the meantime you can keep track of my ongoing Mac security news here at:

Share and Enjoy,
