Thursday, February 16, 2012

Apple's Gatekeeper in Mac OS X 10.8 Mountain Lion

--
[Revised 2012-02-20 @11:30 pm]

Let's get happy! Apple has set up a new approach to nailing Trojan horse malware for the upcoming new version of Mac OS X, code named Mountain Lion, aka 10.8. AND! Apple did it right! It uses both application blacklisting and whitelisting. It also uses application security certificates (aka digital signing). Only Apple gets to provide them, as opposed to the ongoing SSL certificate hijacking mess with hundreds of certificate providers.

If this concept sounds familiar, it's because Microsoft started doing it with 64-bit Windows Vista, where it was a profound failure. Why a failure? Because Microsoft GOUGED their developers with punishing fees per security certificate. Developers ignored it. This resulted in, among other things, a lack of hardware drivers for 64-bit Vista. Profound OOPS factor! Eventually Microsoft got the clue and relented on their fees. Therefore, the 64-bit 7ista release received far better developer support.

Apple's approach builds upon Mac OS X Snow Leopard and Lion's XProtect anti-malware system by providing users with new options and warnings, accessible in the Security & Privacy Preferences:



1) Allow applications downloaded from: Anywhere. You can choose to keep things the way they are now. However, Apple provides WARNINGS about potential problems known about specific programs found on their current blacklist. Similar to XProtect, the blacklist is updated over the Internet every day. Apple will also be daily revoking bad app developer security certificates.

Example:
You download an app off a random site off the Internet and Apple pops up a message warning you that this particular app is known to upload your entire Address Book to their server. That's dangerous! It could mean the developer could take that list and perpetrate a SPAM ATTACK! That SPAM could include links to Phishing sites, further malware, etc. Your friends will not be pleased.

This feature alone is going to infuriate the malware rats. Users cannot turn it OFF as long as you are the administrator for your account. I like it! The result is a great short-circuiting of most social engineering malware.

The drawback is more popup boxes on the screen that you have to dismiss, IOW an increased safety factor as well as an increased annoyance factor.

2) Allow applications downloaded from: Mac App Store. You can choose to only download software from Apple's Mac Store. This provides maximum security because as of Mountain Lion's release date ALL Mac Store provided apps will be sandboxed, whereby every app is limited to accessing only the Apple APIs it requires and the apps run within a restricted memory space. Think of all the memory corruption vulnerabilities constantly being patched in applications. Now the damage they can do will be severely limited.

Example:
You download a crappy xhumans-style app that plays you videos about moths. The app will not be able to rifle through your Address Book for suckers to SPAM. All developers will have to justify every API their app accesses as being critical to its functions.

This remarkable approach for protecting users from malware already gives malware rats painful anxiety hemorrhoids. The result for users is very similar to the wonderful 'walled garden' available to all iPhone / iPod Touch / iPad users. This is the ideal setting to lock into place for all the 'LUSERS' in our midst. It will be nearly impossible for them to infect their Mac. They cannot turn this off, as long as you don't provide them with the administrator password.

The drawbacks here are:
  • Paranoia about Apple ruling the software world.
  • The profit loss to developers by selling their apps via Apple's Mac Store.
  • The sense of losing our freedom to do as we like with our computers. 
But keep in mind that you can turn this feature OFF and continue to enjoy your freedom-filled life as a positive anarchist. (^_^)

3) Allow applications downloaded from: Mac App Store and identified developers. You can choose the compromise setting of using both the Apple Mac Store and Apple's blacklist of dangerous apps, whitelist of safe apps and app security certificates. In other words, you can download whatever you like off the Internet, but Apple's lists will not only warn you of potentially bad software, they will prevent you from being able to install it at all.

Example:
You got this really kewl email telling you about an incredible application that will remind all your friends of your upcoming birthday, maximizing your receipt of birthday cards, congratulation messages and presents. You click the link to go to the website, which actually automatically downloads the software directly to your computer, like it or not. But then BAM! Apple's Gatekeeper STOPS the installation because this app is on their blacklist as potential scamware. Apple warns in a popup box that this app will not only grab your Address Book, but will PWN your Twitter account, Google+ account and Facebook account then grab all your friend contacts. The result could be a major scale SPAM, Phishing and linked malware attack on every single person you know.

This is a great default setting for everyone for everyday use. You could be temporarily brain compromised, clicking on every link on the Internet, downloading goodness knows what, and the computer will stop you. And again keep in mind that you can turn this OFF, as long as you are your account administrator.

Meanwhile, malware rats will be restricted to only short term mass infection of suckers. Once Apple catches up with new malware on its blacklist, the malware rats will be ripping their hair out with consternation. What fun!

The Time and Sharing Problems:


It is difficult to keep Apple's XProtect perfectly up-to-date. On occasion it has taken Apple a number of days to provide malware signatures. We can expect a similar lag with their application blacklist and security certificate revocation.

Note that this is not entirely Apple's fault! Knowing the anti-malware community as well as I do, I can verify that it can be extremely hard to get a copy of the latest malware for analysis, signature creation and infection prevention. The anti-malware community is outrageously unprofessional in many respects. Therefore, there is almost NO SHARING of malware between anti-malware companies and providers. That includes sharing malware with Apple. If at some point the anti-malware community grows up and becomes serious, standardized and scientific in its approaches, all this competitive rubbish will go away. But don't hold your breath. We're still living in a metaphorical Wild West of computer security. Thankfully, Apple is taking the role as the new sheriff in town.

There is a wonderfully detailed article about Mountain Lion's Gatekeeper by Rich Mogull. You can find it on the TidBITS website:

Gatekeeper Slams the Door on Mac Malware Epidemics

Rich Mogull has also provided a follow up article with more technical details, available at his Securosis blog:


Meanwhile, Macworld has been providing a series of articles about Mountain Lion, including coverage of Gatekeeper that goes into further detail:

Mountain Lion: Hands on with Gatekeeper


No doubt, further details and analysis will be provided as Mountain Lion approaches. Please tell us about further information in the comments!
--

Wednesday, February 15, 2012

Adobe Flash Player: Critical Security Update to v11.1.102.62

--
And then Adobe released a critical security update for their Flash Player! Be sure to update ASAP to Adobe Flash Player version 11.1.102.62. You can 1-step download the update from here:

http://get.adobe.com/flashplayer/?promoid=BUIGP

The update includes six security patches relevant to Mac OS X users. You can read Adobe's provided details here:


For those interested, three of the security patches involve memory corruption. Two of the patches repair security bypass vulnerabilities. One of the patches is for a cross-site scripting vulnerability.

Don't forget to update to yesterday's new critical security update version of Adobe Shockwave Player as well!
--

Tuesday, February 14, 2012

Adobe Shockwave Player: Critical Security Update to v11.6.4.634

--
Adobe has again done the right thing and ignored their own idiotic quarterly updates schedule. I'm glad someone over there has a brain in their head. This time the problem is with Adobe Shockwave Player. Adobe says:
“These vulnerabilities could allow an attacker, who successfully exploits these vulnerabilities, to run malicious code on the affected system.”
Update Adobe Shockwave Player to version 11.6.4.634 immediately. You can download it here:


http://get.adobe.com/shockwave/otherversions/


A good article about the many dangerous security flaws in the previous version is available at ZDNet:


You can read Adobe's detailed explanation of the critical security issues here:


And for those interested: 
ALL the critical security flaws are due to poor memory management, still the bane of modern code engineering. (o_0)
--

Thursday, February 9, 2012

Hacked iTunes Accounts Resulting In Robberies

--
*Updated 2012-02-09 4:22 pm*


This issue in the UK came to my attention today. I wanted to make sure all iTunes users were aware of it. The depth and details of this hacking problem have not yet been revealed. It is useful that everyone with iTunes accounts read about this problem and consider whether they may be affected. Apple considers the problem to be limited to isolated incidents and has responded by stating:

“Apple takes precautions to safeguard your personal information against loss, theft and misuse.”

Below is a link to a source article about this problem provided by DailyMail.co.uk:


I've been reading other, possibly exaggerated accounts of this situation. One such account is the original article at the website The Global Mail. (Please note that this website is poorly formatted for many users, uses incorrect security terminology, and that the article may have been sensationalized. It does however offer some useful data).


If you would like direct information about the problem, there is a lengthy related thread at Apple's Support Communities board entitled "iTunes store account hacked".
--

Thursday, February 2, 2012

Apple's FileVault 2 Cracked

--
While we wait for me to write something further about the SSL certificate fiasco of 2011, here's an urgent subject brought to my attention by Sophos:


Note: This crack requires physical access to your Mac. The computer must also have an accessible FireWire port. The computer must also be running at the time the cracker accesses it.

The problem: Apple stores the FileVault 2 password in RAM on your computer. Oops. Major DUH factor Apple.

The workaround: You have to shut down your Mac computer when you're leaving it accessible to others. This wipes the accessible password data from RAM. Simply putting it to sleep doesn't help. Yes, this is a PITA.

The solution: One of the other full disk encryption software systems. Sophos mention their own SafeGuard software of course. Here are some other possibilities to investigate:

• TrueCrypt, open source freeware.

OR, if you're desperate and determined, DESTROY the FireWire ports on your Mac. If FireWire doesn't work, the crack doesn't work.


If you know of other options, please post them in the Comments.

I of course never recommend anything sold by Symantec, thanks to their consistently bad attitude toward Apple, their anti-Apple security FUD attacks and their consistently worst-in-class software. Therefore, I personally recommend that you AVOID using PGP.
--