Saturday, August 29, 2009

The Anti-Mac Security FUD-Fest Is Fun For All! Rah! Rah! Rah!

--
Man, I am getting a lot of traction out of that moronic article at CNET, not worth reading HERE. For me, it really is fascinating to sit down and contemplate what is actually going on in computer security right now. Here are some of the elements:

I) 7ista, aka Vista Service Pack 7, is now insighting cacophonous riots of anger because its security is still terrible. A net acquaintance posted these URLs over at MacDailyNews:

Cybercrime Rises and Vista 7 is Already Open to Hijackers

Vista 7: Broken Apart Before Arrival

Department of Homeland Security ‘Poisoned’ by Microsoft; Vista 7 is Open to Hijackers Again

Researchers show how to take control of Windows 7

That last article is about how to 'PWN' 7ista. Not good. Google provides a few hundred thousand similar complaints.

II) Meanwhile, the Anti-Mac Security FUD-Fest continues apace, thanks to our usual line-up of hacker pals. Mac OS X is already the best GUI OS for computer security, in part thanks to integrating the two best CLI OSes, OpenBSD and FreeBSD. The result: Mac OS X progresses forward to become BETTER than the BEST! That's good. Thank you Dr. Charlie Miller and friends.

III) So of course we get dumbass articles about how nasty bad and laughable Mac OS X security is, right? (o_0)

It's a strategy with many purposes, perpetrated by many sources. Figuring out the motivations behind the deceit is quite intriguing. Laughing at it all is fun! It lowers your blood pressure. Live longer and laugh at the clowns.


Here is yet-another post I made, this time at MacDailyNews.com, regarding the FUD-Fest and Microsoft. It sort of encapsulates it all:
Microsoft have put in place some modern methods of deterring hackers and crackers. They had to. They had the motivation. Their operating system is a bloated catastrophe of spaghetti code that is well beyond their comprehension. They can't fix it. They've made many attempts over the last 15 years and consistently failed. They gave up. Vista is the proof. 7ista is icing on the proof.

Should Apple add in these modern security measures? Damned right!

But is it a BFD? Will Mac OS X roll over and DIE? Will THE BIG ONE virus hit Mac OS X and make us all go running home sobbing to mummy? Of course not!

Apple's attention to security has been increasing exponentially over the last two years. This month's security updates were the most in Apple's history. But as is typical with humans, the house has to be on fire before you pour water on it and fix the cause. Mac OS X does not have a faulty electrical system that will burn the house down. Apple know that. We know that. So what's the motivation? Planning ahead takes extra prodding. Prod Apple and they respond eventually.

This is one reason I actually praise the Anti-Mac FUD-fest we've enjoyed since Symantec insighted it exactly four years ago. It has hurt no one. It has inspired Apple. We benefitted.

We the customers know we already had an incredibly secure operating system. It's based on the two most secure operating systems in existence bar none: OpenBSD and FreeBSD. So why not make it EVEN BETTER?!

Let's go MaNIaCaL!
Go Apple Go!
Add steal bar reinforcement to the castle walls!
Add boiling oil caldrons!
Put alligators in the mote!
Install the rotating knives!
Hire some Cenobites!

Conclusion: We win any which way you look at it. If users of the less secure operating systems can't deal with it, oh so sad for them.

As long as we keep our eye on the ball, which is keeping our computers as safe as possible, our progress toward better than best will continue. :-)
Rah! Rah! Rah!
Go! Apple! Go!
Yayyyyyyy APPLE!

Amusing, eh? Behind all the 'FEEL BAD DAMMIT!' garbage is not just a silver lining. The clouds are bogus, a theatre prop. Knock them over and there is the golden sun shining on all us Mac users.


OK, sober up! Enough euphoria! We have 21 Trojans to avoid. There continue to be security flaws in Apple stuff that deserve our attention. ClamAV still needs to further catch up with Mac malware. Mac OS X is not perfect, never will be. Be attentive.

For my next article I intend (for whatever that's worth) to provide another monthly summary of Mac OS X security patches. Bring your caffeine.

:-Derek
~~~~~~

BONUS EUPHORIA: SNOW LEOPARD

If you haven't read the news, check this out:

Snow Leopard has built-in Trojan horse MALWARE DETECTION! Its database is auto-updating! Right now it only has two Trojan signatures, yawn. But expect improvement. And no, Apple didn't stick in someone else's anti-malware engine, least of all Symantec's (gag! gag! puke!! puke!!).

Snow Leopard installs just fine over TIGER! I thought this had to be bogus, but I've read it from several sources now and they weren't just quoting each other. It's a fact that even Apple verified. So if you don't have Leopard already, get the $29 (or $24 at some stores!) Snow Leopard disk and go to it! Well, when you're ready. There are some application incompatibilities.

Snow Leopard is FAST! That's faster than Leopard! Bless you Apple.

Snow Leopard is SMALLER! Saving at least 5 Gigabytes of space on your Mac appears to be normal. Ever heard of that? Try that move Microsoft.

-> But of course note that Snow Leopard is for INTEL MACS ONLY.

More on Snow Leopard in a couple weeks once I've ripped it apart, with my CLAWS.
--

Thursday, August 27, 2009

A Primer on Trojan Horses and Their Aliases

--
There actually is a standard naming system for malware. But very few anti-malware developers care. Therefore, we end up with a bunch of names for exactly the same malware. The CNET POS article mentioned previously, not worth reading HERE, demonstrates the problem. Here are some translations. I list the standard name first, then the extraneous names after:

The Trojan.OSX.RSPlug series is aka "DNSChanger" and "Jahlav" and "Puter".

Trojan.OSX.Lamzev is aka "Malez"

Trojan.OSX.PokerStealer is aka "Corpref"

The Trojan.OSX.iServices series is the fourth current Trojan type for Mac OS X. I'm unaware of any aliases so far.

Scan backward through my previous posts for coverage on each of these Trojans.




Count with me!





As of today:
  • The RSPlug series has variants A through P. That equals 16 variants. (When I checked last week there were 13 variants, so some mean old crackers have been very busy).
  • The Lamzev Trojan has no variants. Add 1.
  • The iServices series has variants A through C. That equals 3 variants. (The C variant is recent).
  • The PokerStealer Trojan has no variants. Add 1.

Count them all together and what do we got?

The number 21!
That's 21 Trojans!

BwaHaHa!

I am using the iAntiVirus Threat Database maintained by PC Tools as my source. Their list of Mac malware has flaws, but at least they have one. Who else bothers? Certainly not Intego! (Ahem! hint! hint!)

Just for comparison: I was hanging out at the ClamXav forum yesterday and someone pointed out that as of June there were 574,043 malware signatures in ClamAV. Let's see... take away 21... that's somewhere around 574,022 Windows malware in the wild. A little more math and that comes to 1 Mac OS X malware for every 27,334 Windows malware. Wait! Wait! What was that?!

1 : 27,334!

So who was the dope who thought up that 'security by obscurity' myth?
I don't think so.
--

Quickie: My POV on the "invulnerability" lie

--
The POS CNET article I noted in my previous post, not worth reading HERE, perpetrated the two most popular Anti-Mac Security FUD lies. Of course the author perpetrated the usual 'security by obscurity' lie that was proven ridiculous years ago. Go backward in my posts for my QED proof. Then there's the other one, upon which I commented:
My favorite LIE in the article:

"Most Mac users seem to take pride in their supposed invulnerability...."

Never have I ever heard or read any Mac user ever say that Mac OS X was 'invulnerable'. This is pure invention. The motivation behind inventing this lie is up to you to interpret. But I should add that it is a very popular lie.
Just laugh.
--

CNET hits an all time low: Anti-Mac Security FUD

--
I just read:

Snow Leopard could level security playing field

My response was:
This is the most shameful article I've ever read at CNET. I've been studying and writing about Mac security since 2005. All I can say is:

Elinor: YOU'RE FIRED ! ! !

For those interested in reality:

The anti-Mac security FUD-fest was started in August 2005 by Symantec. They were attempting to sell their worst-in-class anti-malware program Norton Anti-virus to Mac users who were smart enough not to buy it. MacAfee then joined in the FUD, but reversed course when their CEO pronounced that the best way to secure your computer was to Get A Mac.

After that point most FUD has come from hackers who have done their best to whip up a frenzy surrounding flaws they found in Mac related software, such as QuickTime, WebKit and Safari. But it is fair to say that they helped track down and patch several flaws in Mac OS X as well.

Meanwhile, the only malware that has shown up for Mac are Trojan horses, currently 4 types of 17 varieties. Trojans require user failure, not computer failure, in order to be installed and do damage.

In spite of the FUD-fest, the hype-mongers have been effective in forcing Apple to get serious about security, which previously they were not. So folks like myself actually thank Dr. Charlie Miller and friends for their help making Mac OS X even more secure than it already was. I have Charlie's book and I look forward to his continued useful work, and even his FUD foisting.

It's worth noting that only highly ignorant people still tell the tale known as 'security by obscurity'. It is easily disproven by anyone who can perform math, i.e. any 4th grader.

If you'd like to read Mac security facts and suitably laugh at the FUD, you might find my personal commentary and coverage of interest:

http://Mac-Security.blogspot.com

:-Derek Currie
--

Thursday, August 6, 2009

Security Update 2009-003 & Mac OS X 10.5.8 Update Released


Look Apple, I'm trying to enjoy the summer. So what's with the almost daily Apple software security updates? Enough already! - Actually, I'm not complaining. The faster the bug fixes for Leopard the better.

You can read about the 18 security patches in Security Update 2009-003 & 10.5.8 HERE. Several of the security patches are for Mac OS X 10.4.11 as well as 10.5.7. Therefore, if you're using Tiger, be sure to check for and install the update.

Primer on how-to-update:

1) Repair your boot volume's permissions via Disk Utility.

2) Verify your boot disk via Disk Utility. If you have disk problems, boot from another volume or your Mac OS X installation DVD/CD and perform the repair.

3) After both steps 1 & 2 are completed, install the update.

4) After the update and associated reboots have been completed, repair your boot volume's permissions again.

Note that MacFixIt.com are even more fanatical and suggest that all of the above be done after booting into Safe Mode. They also recommend NOT installing system updates via Software Update. Instead they recommend DIY downloading and installing of Apple's provided 'combo' updates.

I've been a member at MacFixIt for several years. If there is one consistent thing I've learned from hanging out over there, it's that those people who run into problems after installing updates most likely did NOT follow steps 1 - 4. Even Apple are known to leave behind messed up permissions after update installations. Making sure your boot volume is in good repair before any installation is obvious. Repairing permissions is of course not a panacea for fixing your Mac. But it never hurts, and it is very important before and after any major update. I will not entertain any arguments to the contrary. So there.

Techy stuff:

What's in Security Update 2009-003? No surprise: Lots of bad memory management repairs! Let's count them together:

I) bzip2 has been updated to version 1.0.5 to stop out-of-bounds memory access dangers.

II) Improved ColorSync profile validation to prevent the ramifications of a heap buffer overflow.

III) Improved bounds checking of Canon RAW images to prevent the ramifications of a stack buffer overflow.

IV) OpenEXR has been updated to version 1.6.1 to prevent the ramifications of a heap buffer overflow.

V) Improved memory initialization and validation of OpenEXR images to prevent the ramifications of an uninitiated memory access flaw.

VI) Improved bounds checking of OpenEXR images to prevent the ramifications of multiple integer overflow flaws.

VII) Improved bounds checking of EXIF metadata to prevent the ramifications of a buffer overflow in ImageIO.

VIII) Improved validation of PNG images in order to prevent the ramifications of an uninitialized pointer flaw.

IX) Improved handling of fcntl system calls in order to prevent system privileges escalation and arbitrary code execution caused by overwriting kernel memory.

X) Improved validation of AppleTalk response packets in order to prevent a buffer overflow flaw in the kernel.

XI) PCRE has been updated to version 7.6 in order to prevent the ramifications of a buffer overflow flaw in the PCRE library used by XQuery.

Of the 18 security patches, that's 11 memory management patches. This proves once again that memory management remains the primary bane of contemporary coding. This is one of my favorite rants, if you haven't previously noticed.

The remaining 7 patches repair certificate warnings, JavaScript handling, Multi-Touch access, inetd-based launchd services, format string handling by the Login Window, MobileMe credentials deletion, and file descriptor sharing.

OK. Attention Apple: It's August. Go on vacation please so I can have one too. Thank you. Over and out.









--

Wednesday, August 5, 2009

GarageBand v5.1: Tracking Cookie Security Patch

--
Apple is now offering an update via 'Software Update' to GarageBand version 5.1, available for users of Mac OS X 10.5.7. You can read about the included security patch HERE.

To quote Apple:

Impact: A user's web activity may be tracked by third parties and advertisers.

Description
: When GarageBand is opened, Safari's preferences are changed to always accept cookies. The default preference is to accept cookies only for the sites being visited. The altered setting may allow third parties and advertisers to track a user's web activity. This update addresses the issue by not changing the preference setting. Users who have run previous versions of GarageBand should confirm that their Safari preferences are set as desired.


What's going on:

GarageBand is allowing what are called 'Tracking Cookies' to be accepted by Safari. This type of cookie is used for marketing purposes to watch your individual behavior on the net. IOW you are under surveillance. This is essentially the same as having a chip implanted in your brain that collects data on your interests. It triggers off advertisements that 'fit your interests' as you visit further web pages. I personally find this form of marketing to be invasive and disrespectful. I never allow it.

If you think you've been messed over by this bug in GarageBand, here is what I suggest:

1) Update to GarageBand v5.1.

2) Just to be safe, make a backup of Safari's 'Cookies.plist' file. You will find it here:

~/Library/Cookies/Cookies.plist

3) As Apple suggests, go into Safari's Preferences and hit the 'Security' tab. Change the 'Accept cookies' setting to "Only from sites I visit". This stops any 3rd party cookies from being dumped into your browser, killing off any chance of being infected with Tracking Cookies.

4) Click the "Show Cookies" button. It is just below the settings in #2.

5) Either painstakingly go through your cookies and 'Remove' those you don't want, or simply hit the 'Remove All' button. This makes certain that all Tracking Cookies have been deleted along with all your other cookies.

There are of course complications after tossing your cookies. The most common result is not being able to automatically log in to sites where you have an account or membership. If you haven't kept track of all your IDs and passwords then you're hosed and will have to create new accounts. My solution is to keep a personal list of my net IDs and passwords in text file stored on the encrypted .DMG volume that loads when I log into my user account. I also keep my IDs and passwords encrypted inside the application 1Password, which is a shareware super form of keychain. I've mentioned it here on the blog several times.

In the worst case scenario where you MUST have something that was stored in your cookies, you can always swap back in your backed up Cookies.plist file from step #2 above.

Tracking Cookies aren't actually malware, and having a few buried in your cookie pile won't kill you. Nonetheless, they are a form of spyware. They are also IMHO of no benefit to anyone but marketing companies.
--

Saturday, August 1, 2009

Adobe Releases Security Patched Reader and Acrobat v9.1.3

--
As promised, on Friday, July 31, Adobe released security patched versions of Acrobat and Adobe Reader. The links in the previous article about the subject should get you started, but I've provided them again below.

NOTE: verify that you are downloading and installing versions 9.1.3 of Reader and Acrobat and not an earlier version. The download page for the Acrobat 9.1.3 update is clear regarding versions. However, the Acrobat Reader page is NOT. Therefore, after you download and install "the latest version" of Reader, go under the Help menu to "Check for Updates...". Otherwise you may have only installed an earlier version of Reader without the new security patches.

Those patch download links again:

1) Adobe Flash Player v10.0.32.18. There is a special patch for version 9 users to v9.0.246.0.

2) Adobe Air v1.5.2.

3) Adobe Reader v9.1.3.

4) Acrobat v9.1.3.

Glad to be of service!
--

iPhone OS v3.0.1 Patches The SMS Security Hole

--
Friday, July 31, Apple released iPhone OS version 3.0.1 ahead of schedule to patch the SMS security hole revealed Thursday at Black Hat USA 2009. According to the Associated Press, iPhone users must connect their iPhones to their computer in order to be alerted about the update, download and install it.

It is important to install this update ASAP. You can read Apple's description of the SMS security problem and patch HERE. Credit for discovery of the SMS problem was given to Charlie Miller and Collin Mulliner.

The AP report that Google have patched the SMS problem in their Android OS. Meanwhile, Microsoft are "investigating the vulnerability" in their Windows Mobile OS. There are no announcements at Microsoft.com regarding the SMS problem at this time.
--