Tuesday, December 16, 2008

Apple Security Update 008

10.5.6 was released Monday afternoon in combination with Apple Security Update 008. The security update is also available separately for Tiger, 10.4. You can grab them via Software Update within Mac OS X or download them from Apple's website.

Here are some highlights:

- ATS (Apple Type Services) bug/security update. 10.5 only.

- BOM (Bill of Materials) security update.

- CoreGraphics security update.

- CoreServices security update to prevent web hijacking of a user's credentials.

- CoreTypes security update. Adds further file types to its Internet download warning list. 10.5 only.

- FlashPlayer Plug-in security update.

- Kernel security update. 10.5 only.

- LibSystem:
  - Security update to the inet_net_pton API.
  - Security update to the strptime API.
  - Security update to the strfmon API.

- Managed Client bug/security update. 10.5 only.

- network_cmds bug/security update.

- Podcast Producer security update. 10.5 Server only.

- UDF (Universal Disk Format) ISO (International Standards Organization disk image) handling bug/security update.

Details regarding 10.5.6 can be found over at my MacSmarticles blog.

Thursday, December 11, 2008

Trojan OSX.RSPlug DNS Confusion Solution

Earlier in the year I posted an article questioning whether Apple had patched Mac OS X Server versions 4 and 5 to prevent the actions of Trojan OSX.RSPlug.A, which hijacks a Mac's DNS server settings in order to divert users to Phishing sites. Misinformation galore was available on the Internet, and of course there was no one in the Mac community I could find with any kind of clear discussion of the issue. If there were such folks around I would send you to them for better information than I can provide.

Thankfully this past week, during my investigation of Clamav's effectiveness against Mac malware, Adam Engst was kind enough to get me in touch with Rich Mogull. Rich provided me with a very helpful answer, quoted below:
Hi Derek,

Yes- that family of trojans makes DNS changes on your system, but not because of any vulnerability or problems with the OS X implementation of DNS. The trojan only works if you manually install it and enter your administrative password. It then changes settings just as you can do yourself under normal circumstances. On occasion, these trojans (and others) may be able to take advantage of other vulnerabilities on the Mac to make changes without an administrative password, or install itself automatically due to a browser weakness, but there are currently no known open vulnerabilities like these being used by bad guys. Right now, you still need to install it and manually enter your admin password- there's not much Apple can do to prevent that.
As a result, I chopped out my early Trojan OSX.RSPlug.A article and corrected a related sentence in my recent article "Update: The State Of Trojan OSX.RSPlug..." in order to remove my own confusion.

The confusion on the Internet regarding Apple Security Update 005 came from the fact that it repaired a very old DNS technology vulnerability. The fact that DNS was involved in both this vulnerability and the RSPlug Trojan was coincidental. I have never covered the DNS technology vulnerability here, called DNS cache poisoning, as it has not been of serious consequence to Mac users. If you are interested, coverage of the problem at the SANS Institute is adequate and provides references.
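Since the trojan's whole effect is a change to the Mac's resolver settings, the practical check is to compare the resolvers actually configured against the ones you expect. The following is an added example, not code from the original post or from Apple: a small Python audit that parses text in the shape `scutil --dns` prints (the exact layout is an assumption) and flags any nameserver that is not on an allow-list. The sample output and the allow-list are constructed for the example; the unexpected addresses come from the RFC 5737 documentation ranges.

```python
import re

# Allow-list of resolvers this Mac is expected to use. Constructed for the
# example; a real deployment would take this from the site's network config.
EXPECTED_RESOLVERS = {"192.168.1.1", "192.168.1.2"}

# Constructed sample approximating what `scutil --dns` prints on Mac OS X
# (assumed layout). The third resolver block shows what an RSPlug-style
# settings change would look like: two resolvers nobody configured on purpose.
SAMPLE_SCUTIL_OUTPUT = """\
DNS configuration

resolver #1
  nameserver[0] : 192.168.1.1
  nameserver[1] : 192.168.1.2
  if_index : 4 (en0)

resolver #2
  domain   : local
  options  : mdns

resolver #3
  nameserver[0] : 203.0.113.7
  nameserver[1] : 198.51.100.9
"""

# One "nameserver[N] : address" line per resolver entry.
NAMESERVER_RE = re.compile(r"^\s*nameserver\[\d+\]\s*:\s*(\S+)", re.MULTILINE)


def parse_resolvers(scutil_text):
    """Return the nameserver addresses in the text, in order, without duplicates."""
    seen = []
    for addr in NAMESERVER_RE.findall(scutil_text):
        if addr not in seen:
            seen.append(addr)
    return seen


def unexpected_resolvers(scutil_text, allowed=EXPECTED_RESOLVERS):
    """Configured resolver addresses that are not on the allow-list."""
    return [addr for addr in parse_resolvers(scutil_text) if addr not in allowed]


def audit(scutil_text, allowed=EXPECTED_RESOLVERS):
    """Summarise the check: ok is True only when every resolver is expected."""
    bad = unexpected_resolvers(scutil_text, allowed)
    return {"ok": not bad, "unexpected": bad}


if __name__ == "__main__":
    import subprocess
    try:
        # On a Mac, read the live configuration; elsewhere fall back to the sample.
        text = subprocess.run(["scutil", "--dns"], capture_output=True,
                              text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        text = SAMPLE_SCUTIL_OUTPUT
    result = audit(text)
    if result["ok"]:
        print("resolvers match the allow-list")
    else:
        print("unexpected resolvers configured:", ", ".join(result["unexpected"]))
```

Run it weekly from the same standard account you use day to day; a non-empty list is the cue to look at the trojan removal tools mentioned elsewhere on this page rather than to edit the settings by hand and move on.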

Wednesday, December 10, 2008

Off Topic: How to meet trolls and play S&M games

The Internet of course reflects humanity at large. The difference is, on the Internet cowards can come out of their hiding holes and swat you with their widdle hands. You say 'ouch' and they get all orgasmic. These lost little souls are referred to as trolls.

In the process of researching an upcoming article about Clamav, the cross platform Open Source anti-malware program, I ran over the biggest concentration of trolls of 2008. It's the Clamav Users email list. If you'd like to meet trolls and play S&M games, here is where to sign up:

Clamav Abusers

Tell them Derek sent you. Enjoy a laugh at my expense. ;-D
I guarantee you'll learn utter nonsense about malware while you're there. And who doesn't find nonsense amusing.

Thursday, December 4, 2008

Update: The State Of Trojan OSX.RSPlug, aka the 'Porno Trojan'

The net-cracker effort to bring the 'RSPlug' Trojan horse from Windows over to Mac OS X continues apace. As of this week we are now up to version E, aka Trojan OSX.RSPlug.E. Again, this Trojan is showing up at scam pornography websites.

The difference with variants D and E, however, is particularly nefarious. Instead of the Trojan itself being the full payload of malware, it downloads the actual payload from the Internet. This means the Trojan can install literally anything into your system. It's not just for DNS forwarding phishing scams any more.

Of course, it will be possible to kill off the payload Internet sites one by one as sub-variants of D & E pop up. But once infected, a Mac could theoretically become zombied, which these days is the prime goal of net-crackers. Botnets can make big money. As was popularly reported last week, the taking down of one particular bot wrangler killed off as much as 70% of SPAM distribution for a few days. That's a massive botnet. Imagine the profit the bot wrangler was pulling in. Sadly, the botnet involved remained intact and another bot-wrangler stepped in to take advantage of it, restoring SPAM to its usual blasting volume.

You can read the details about Trojan OSX.RSPlug.E over at Intego's website.

One hilarious flagging giveaway of this Trojan is the continued laziness of the developers' social engineering method. Instead of altering their tease line to potential wetware victims, they left it exactly the same as the Windows version. This means that anyone who is both Mac and Windows savvy will realize immediately that something screwy is going on. The blunder is the tease line "Video ActiveX Object Error". For those who don't know, ActiveX is a scripting monstrosity perpetrated by Microsoft several years back. Yeah, it was another of their attempts to make the Internet proprietary. ActiveX is entirely irrelevant on Mac OS X, thank goodness, as it is a gigantic, wide open door for malware infection on Windows. The only web browser on Mac capable of running ActiveX rubbish is Firefox, and you have to specifically install an ActiveX extension. Therefore, for the moment, if you run into a "Video ActiveX Object Error" on a website, you have just run into an attempt to infect you with the Trojan OSX.RSPlug.

Tuesday, December 2, 2008

Trojan OSX.Lamzev.A

As of last week, Mac OS X has a second piece of malware. It is a Trojan horse officially called OSX.Lamzev.A. (It is also erroneously known as OSX.TrojanKit.Malez).

Detection and removal of this malware is built into the latest versions of the FREEWARE anti-malware programs ClamXav and iAnti-Virus.

So what is the strategy this time? To quote ZDNet:
OSX.Lamzev.A is a hacker tool designed primarily to allow attackers to install backdoors in a user's system, according to Intego. However, the company dismissed the tool as a serious threat because a potential hacker has to have physical access to a system to install the backdoor.
. . .
Other antivirus vendors noted that Lamzev could be disguised as a piece of legitimate software and used to trick users into creating the backdoor themselves.
Theoretically, this will become another piece of social engineering / wetware error malware where the user is tricked into installing it. Therefore, as usual, always verify that anything you install is legitimate software. Check it out at any of the well known shareware distribution sites like VersionTracker.com, MacUpdate.com, TuCows.com or MajorGeeks.com. All of these sites have human users and reviewers who can tell you what's legitimate. If you can't verify an application, don't install it! Also, if you want to be extra safe, work only inside a 'Standard' Mac OS X account, not an Administrator account.

I'm going to keep an eye on this Trojan to see what damage it can do. If it is a true 'backdoor' to Mac OS X, a cracker can do anything they like with your Mac. We'll see with time if this becomes a problem. For now, the anti-malware distributors consider it only a minor threat. Just run your usual FREEWARE anti-malware apps once a week, at least, to clean it out if somehow you've installed it.

Saturday, August 2, 2008

The AppleScript.THT Trojan Horse ***NOW INERT***

Malware #2 for Mac OS X has been discovered in the wild:
The AppleScript.THT Trojan Horse.

Good news:
This is just a Trojan Horse. It has to be installed by the user. Otherwise it is inert, meaning that it does not qualify as a virus. The continued non-existence of self-replicating malware for Mac OS X is a great relief and a big kudo for Mac security.

Bad news:
(besides me missing the discovery of this one by 6 weeks):
There are multiple variants of this malware in the wild. It can take over an Apple Remote Desktop system and do essentially anything to Macs it can successfully access. What exactly that means depends upon how someone has ARD set up on their machine.

Read all about it:


~~~~ New News ~~~~

Apple's Security Update 2008-005 made this Trojan inert. IT'S DEAD.

Therefore, I consider it deleted from the malware threat list for Mac OS X. That leaves only Trojan OSX.RSPlug.A and its variants (including Trojan OSX.RSPlug.D) as the ONE (1) Mac malware threat. But read on to the next article as a new #2 has hit the town. It's called Trojan OSX.Lamzev.A.

Wednesday, June 11, 2008

Mac Security Advise For Enterprise Users

One of the useful email lists I belong to is the 'Mac OS X enterprise deployment project.' You can join the list and view archives at:


In April I wrote up a quick article in response to someone's question about preventative maintenance for Mac OS X Server. Interest was expressed in my publishing the article formally on the Internet, so it is provided below. The information is a bit high end, directed specifically to enterprise users of Mac systems. But serious Mac security newbies will find a lot of useful references as well.



From: Derek Currie
Date: April 15, 2008 10:57:25 PM EDT
To: Mac OS X enterprise deployment project
Subject: Re: Apple's guidelines for preventative maintenance for XServes and/or OS X Server.

On Apr 15, 2008, at 04/15, 4:19 PM, Rich Trouton wrote:
"Does anyone know if Apple has posted specifications or guidelines for preventative maintenance for XServes and/or OS X Server? We're doing our regular security re-certification, and one of the things we're being asked for is documentation of how we're doing routine and preventative maintenance "in accordance with manufacturer or vendor specifications and/or organizational requirements." Right now, we don't have organizational requirements, so I'm trying to find Apple's specifications and I'm not finding them. Tempting as it may be, I don't think our re-certification folks are going to accept "there aren't any specifications, so I guess I don't have to do anything" as a valid answer."

Actually, Apple do provide some relevant documentation. See #6 ahead. But first let me provide a long-winded brainstorm:

1) Detail your backup strategy. I consider making backups the #1 rule of computing and the first step in computer security. Apple provide Time Machine in Leopard Server.

2) Talk about Keychain for storing and protecting passwords. I also use 1Password, an excellent shareware program.

3) Discuss what encryption you are using to protect critical data. You can use FileVault or use encrypted disk images created in Disk Utility. (Personally I use an encrypted .sparseimage for storing my database of server clients and other critical odds and ends I would never want stolen). Leopard Server offers 256-bit encryption. You shouldn't need anything stronger. As long as you use a ridiculously un-guessable password, theoretically it would take the length of the life of the universe to crack.

Sideline Rant:

If you're not using encryption, start using it already. I know you know this, but for everyone else: Federal servers are now notorious for having been cracked by the Red Hacker Alliance in China, among others. If the data is seriously encrypted, they're wasting their time. Many businesses now demand encryption. Here is a blurb from the SANS Institute's security newsletter NewsBites Vol. 10 Num. 28 regarding some incredible ignorance at the NIH:

On Apr 8, 2008, at 04/08, 5:00 PM, The SANS Institute wrote:

-- NIH Workers May Not Store Sensitive Data on MacBooks
(April 4 & 7, 2008)

A National Institutes of Health (NIH) agency memo forbids employees from storing sensitive data on MacBook laptop computers. As of April 4, all NIH laptops running Windows or Linux operating systems must have the Pointsec encryption tool; Windows Vista users may also use that operating system's BitLocker disk encryption tool. There is presently a beta version of Pointsec for MacBooks, but not an approved version. The ban on MacBooks holding sensitive data applies to contractors as well as in-house employees.


[Editor's Note
(Schultz): As said so many previous times, nothing serves as a wake-up call for security as much as a serious security-related incident.
(Liston): Note: The issue here is the lack of an approved version of whole-disk encryption, not with OSX itself. Apple Fanboys: Return to standby. Nothing to see here-- you may safely return to caressing your MacBooks and iPhones.]

Obviously FileVault would be 'approved' if they bothered to notice it was there in Mac OS X.

(Also note that I pointed out Mr. Liston's lack of professionalism in an email I sent all over SANS. I got into a friendly back and forth with the President of SANS, a very nice fellow. He assured me of Mr. Liston's skills and privately told me that he pulls troll manoeuvres such as the above as a way of blowing off steam during a long boring day of security analysis, wink wink. Hopefully my efforts will shut the guy up in the future).

4) Discuss the fact that Mac OS X uses the PDF document format as part of its foundation, and that any PDF can be locked such that only a user with its password can open it. Discuss how locked PDFs are used in the work environment.

5) Discuss your implementation of PGP or GPG (the free Open Source version of PGP) in your work environment. Sources:

6) Apple has some security documents relevant to Mac OS X Server:

a) Mac OS X Server - Security Configuration - For Version 10.4 or Later - Second Edition

- If an update is provided specific to Leopard Server, it will be posted on the Security Configuration Guides page:

b) Mac OS X, Mac OS X Server: Protection for sensitive files when using Apache on an HFS+ volume

c) Mac OS X: How to keep network computers secure

d) Mac OS X Leopard - Features - Security

7) Apple also offer their Security-Announce mailing list. You can get it via email or via RSS:

Bonus Points:

1) Some nifty security statistics from March 2008 to quote in defense of Mac OS X's excellent security record:


An excerpt from the Zone-H Statistics Report 2005-2007, the number of registered computer attacks:

OS           | Year 2005 | Year 2006 | Year 2007
MacOSX       |     2.139 |     2.247 |     1.488
Windows 2003 |    72.377 |   183.953 |   114.137

To quote M. Sharp from Insanely-Great Mac:
"Assuming that the Mac's server market share is growing—the most-recent data on Apple sales I could find (Q2 of last year) had unit volume up 78 percent—then the above figures indicate that attacks are declining absolutely even as the number of servers increases proportionately and absolutely."

2) Apple provide references to security related software from third-party vendors at their 'Macintosh Products Guide' pages:

a) Go to the Mac Software/Products and Utilities page. In the 'Sub-category' popup menu choose "Security" and hit the Search button. Today there are 135 security related apps listed.

b) Go to the Mac Software/Servers, Networking & Communications page. In the 'Sub-category' popup menu choose "Security" and hit the Search button. Today there are 20 related apps listed.

You could also search for software firewalls, hardware firewalls, etc.

That should get you going!


Derek Currie

© 2008-04-15 Derek Gordon Currie

Wednesday, May 28, 2008

Mac OS X 10.5.3 IS HERE! So is Security Update 003 with 27 Security Patches! And, And, And...

At last, at last!
10.5.3 is HERE AT LAST!

I gave up counting bugs in 10.5.2 when I hit #35. I am crossing my fingers they are all stamped out with this ENORMOUS update. If you use Software Update from within Leopard, the client version of Mac OS X 10.5.3 Update is 420 MB! The server version is 496 MB! If you want the Combo versions, the client version is 536 MB! The Combo server version is 632 MB!

But just as eye-opening are the 27+ security patches (Twenty Seven +!) included in Security Update 2008-003. The PPC client version is 72 MB (Seventy Two!). The Intel client version is 111 MB (One Hundred And Eleven!). The PPC server version is 88.9 MB (Eighty Eight Point Nine Megabytes!). The Universal Binary server version is 118 MB (One Hundred And Eighteen!).

And I'm not finished yet! Pay attention!

Also new is the Digital Camera RAW Compatibility Update 2.1 at 2.4 MB.

AND the Logic Express Update version 8.0.2 at 73.5 MB.

AND Server Admin Tools 10.5.3 at 64.5 MB.

IOW: Get ready for a snoozer of a download marathon.

Now for the boring but useful part. Here are all the URLs where you can read about and download the update disk images, followed by a list of security patches. I dare you to read them all! Will you survive?

Mac OS X 10.5.3 Update
Mac OS X Server 10.5.3 Update

Mac OS X 10.5.3 Combo Update
Mac OS X Server 10.5.3 Combo Update

Security Update 2008-003 (PPC)
Security Update 2008-003 (Intel)

Security Update 2008-003 Server (PPC)
Security Update 2008-003 Server (Universal)

Server Admin Tools 10.5.3

Digital Camera RAW Compatibility Update 2.1

Logic Express Update 8.0.2

Here is a summary of the new Mac OS X security updates, published in the Secunia Weekly Summary - Issue: 2008-22, which you can read at the most excellent Secunia website.


Apple has issued a security update for Mac OS X, which fixes multiple vulnerabilities.

The vulnerabilities include:

- An error in AFP server

- Various vulnerabilities in Apache (for Mac OS X Server v10.4.x)

- An unspecified error in AppKit

- Multiple unspecified errors in the processing of Pixlet video files

- An unspecified error exists in Apple Type Services when processing embedded fonts in PDF files

- An error in Safari's SSL client certificate handling

- An integer overflow exists in CoreFoundation when handling CFData objects

- An error due to an uninitialised variable in CoreGraphics

- A weakness due to users not being warned before opening certain potentially unsafe content types

- An error when printing to password-protected printers with debug logging enabled

- Various vulnerabilities in Adobe Flash Player

- An integer underflow error in Help Viewer when handling help:topic URLs

- A conversion error exists in ICU when handling certain character encodings

- Unspecified parameters in Image Capture's embedded web server not being properly sanitised before use

- An error in the handling of temporary files in Image Capture

- A boundary error in the BMP and GIF image decoding engine in ImageIO

- Various vulnerabilities in ImageIO due to the use of vulnerable libpng code

- An integer overflow error in ImageIO within the processing of JPEG2000 images

- An error in Mail is caused due to an uninitialised variable

- A vulnerability in Mongrel

- A weakness in the sso_util command-line tool

- An error in Wiki Server

- A vulnerability in Apple iCal

- A vulnerability due to an error in the handling of return values of "hashes()" in the "cs_validate_page()" function when processing signed Mach-O binaries

- A vulnerability due to an error within the "ipcomp6_input()" function in bsd/netinet6/ipcomp_input.c when processing packets with an IPComp header

And that's not the complete list!

In other Mac OS X security news, there remains only 1 (ONE) bona fide malware in the wild, the so-called 'Porno Trojan'. (BWAHAHAHA! I love that name). News has it that it has mutated, thanks to scurrilous Phishing scam entrepreneurs, into other manifestations at other websites. So be wary of all unverified, untrusted downloads, particularly those pretending to be 'video codecs' you are supposed to need to install to view a web video. If you think you are a victim you can obtain the FREE removal tool at the generous MacScan website:

DNSChanger Removal Tool

Remember that Microsoft Office macro viruses still abound. Please take precautions, such as using a safer office suite of applications. May I suggest NeoOffice, the freeware Open Source office suite that created the now international standard OpenDocument format. Or alternatively consider Apple's elegant iWork suite including Pages, Keynote and Numbers.

You can read my evaluation of Leopard update 10.5.3 over at my other Macintosh blog, MacSmarticles.

Share and EnJoY!


Saturday, March 29, 2008

The VERY SCARY Second Mac OS X Malware Arrives: Troj/MacSwp-B

from "Imunizator" sounds like slackerware right off the bat. In this case it is nasty spooky SCAREWARE! Run for your life, yawn, zzz.

This slackerware is actually a few weeks old, but since it was discovered by Sophos it has officially become 'malware'. The BIG question: What DAMAGE does this rubbish do to your Mac????

Nothing at all.

Thus I yawn.

So is this actually 'malware'? Well, it is in the sense that it takes advantage of the eternal 'wetware vulnerability' problem, damaging your personal sense of logic, scaring you into thinking you need to pay for this fraudulent crapware or your computer will meet a horrible doom. (And yes everyone, I was the one who invented the term 'crapware'. Seriously! I'm not kidding! - Well, actually a friend pointed out it is an obvious term that anyone could have created. So much for my creativity).

Then what does this thingy actually do? By definition this is SOCIAL ENGINEERING malware. It is a form of PHISHING. This particular method is very old, like well over a decade. Here is how it works:

1) You download the thing because it was offered at a nefarious website you shouldn't have visited. (NOTE: Instead you should have checked VersionTracker or MacUpdate to see if they had ever heard of it and consider it a worthwhile program, which they don't. Then you should have Googled its name to see if there are reports about its reputation).

2) You install and run it. (This is very naughty. Don't do this with anything you have not already verified to be legitimate, having a good reputation).

3) It pretends to scan your Mac's "Universal Binnaries". (Again: Slackerware much?)

4) It then lies to you and says you have privacy violations that require your attention or you'll suffer the consequences. And of course the only way to avoid this terrible fate is to pay for this crapware in order to activate its ability to fix the fake problems.

5) You pay for the crapware. You lose your identity. The crooks use your identity to buy lots of toys and stiff you with the bill. They then sell your identity to others and further stiffing behavior continues until you or your credit card company get the clue and stop payment, invalidating your card. And that's not fun, OK?

Do you need to buy anti-malware to protect you from Troj/MacSwp-B? NO. Clam will do nicely, thank you. Instead you should familiarize yourself with social engineering strategies. You can read about social engineering at:


Here is the source report of Troj/MacSwp-B:


You can read a snide evaluation of Troj/MacSwp-B at:

Mac-Daily News

As MDN sez:
"Do not download, authorize, and install software from unknown, untrusted Websites or any other sources."

Especially, never-ever provide your administrator password when installing or running ANY program unless you know absolutely, totally, fur shur that the software is legitimate. Otherwise you are giving away the farm and the malware rulz your Mac. And that's bad, OK?

Now go watch something really scary like the latest US political speech on CNN. Yes, mentally-challenged fascist vampires do exist.

Tuesday, March 11, 2008

Version 12.0.1 Security Update for Office 2008

Microsoft today released the version 12.0.1 update for Mac Office 2008. It contains security as well as bug patches. It has repairs for every application in Office 2008. Included are fixes for:

1) "... Vulnerabilities that an attacker can use to overwrite the contents of a computer's memory by using malicious code."

2) Issues that can cause Office 2008 to stop responding or quit.

3) Over 20 bug repairs.

Needless to say, this update is 'CRITICAL'.

You can read more about it HERE and HERE.

You can download it HERE.

You can toss Office in the dumpster and replace it with the free/donationware NeoOffice HERE. Recommended. It is a thoroughly 'Macified' version of OpenOffice for X11. It has over twenty features that the X11 version does not. It can read and write most Office files. It includes a word processor, spreadsheet and presentation program. It has built-in support for Microsoft's new 'OpenXML' document format found in Office 2007 and Office 2008. It invented the new ISO 26300 OpenDocument universal file standard. It has a new QuickLook plug-in. It has a Spotlight importer. Its HTML code export feature follows international web standards (unlike Office 2008). It can export presentations to Flash format. It still supports Visual Basic for Applications macros (unlike Office 2008). It is also compatible with WordPerfect and Microsoft Works documents. You can compare the rest of its feature set with Office HERE. And yes, it really is free and well worth supporting.


Sunday, March 9, 2008

Office for Mac 'CRITICAL' Security Flaw

The SANS Institute is well known for its IT security training. They typically go a bit overboard trying to FUD Mac users. But if you ignore that rubbish they are a very good source of computer security information. If you are interested they also have a very good Mac security course schedule. I wouldn't mind attending!

This week SANS reported that Microsoft are going to be releasing four security bulletins on March 11, 2008. All the bulletins discuss 'CRITICAL' security flaws. Three are in Microsoft Office and one is in Microsoft Office Web Components. The affected versions of Office and its applications are Office 2000, Office XP, Office 2003, Excel, Office Outlook and Office for Mac. The vulnerability of interest here is the one affecting Office for Mac. You can read more at:


When I learn specifics about this flaw I will have a follow-up post.

This information was provided in SANS NewsBites Vol. 10 Num. 19. You can obtain a free subscription at:


Thursday, February 28, 2008

New Exploit: "ipcomp6_input()" Denial Of Service

Today Secunia posted in their weekly report a vulnerability in Mac OS X 10.5, and possibly earlier versions, that can be used in Denial Of Service (DoS) attacks. So far it remains unpatched by Apple. You can read the details

I seriously doubt this is going to affect much of anyone at this point in time as it requires the use of IPv6 packets. IPv6 is up and coming, but not yet in major use.

Secunia offer the following solution while we wait for a patch: "Use a firewall to block IPv6 packets containing an IPComp header." There are a couple complicated ways to do this on Mac OS X. The first is to go into the Mac OS X CLI (command line interface) and configure IPFW. You can read the man (manual) page of IPFW in the Terminal. The other method is to download WaterRoof HERE, which provides a GUI for IPFW. Neither method is for the faint of heart, and certainly not for an average Mac user. Have fun! :-D
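Whatever front end you use, the rule Secunia describes comes down to one header check: walk the IPv6 header chain and drop the packet if an IPComp header (protocol number 108) is in it. The following is an added example, not code from the original post, from Secunia, Apple or the IPFW project: a Python classifier that performs that walk the way a packet filter would, including the extension headers that can sit in front of IPComp, and fails closed on malformed input. The sample packets are constructed for the example, with addresses from the RFC 3849 documentation prefix.

```python
import struct

IPCOMP = 108                                   # IPComp protocol number (RFC 3173)
HOP_BY_HOP, ROUTING, FRAGMENT, AH, DEST_OPTS = 0, 43, 44, 51, 60
EXTENSION_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, AH, DEST_OPTS}


def ipv6_header_chain(packet):
    """Return the protocol numbers of the header chain, in order, ending with the
    upper-layer protocol (or the last header present in a non-first fragment)."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    chain = []
    next_header = packet[6]          # Next Header field of the fixed IPv6 header
    offset = 40
    while next_header in EXTENSION_HEADERS:
        chain.append(next_header)
        if offset + 8 > len(packet):
            raise ValueError("truncated extension header")
        following = packet[offset]   # every extension header starts with Next Header
        if next_header == FRAGMENT:
            # Fixed 8-byte header; only the first fragment (offset 0) carries the
            # remaining chain, so stop walking on later fragments.
            frag_offset = struct.unpack_from("!H", packet, offset + 2)[0] >> 3
            if frag_offset != 0:
                return chain
            length = 8
        elif next_header == AH:
            length = (packet[offset + 1] + 2) * 4   # AH length is in 4-byte units
        else:
            length = (packet[offset + 1] + 1) * 8   # others in 8-byte units, +8
        offset += length
        next_header = following
    chain.append(next_header)
    return chain


def carries_ipcomp(packet):
    """True when an IPComp header appears anywhere in the header chain."""
    return IPCOMP in ipv6_header_chain(packet)


def firewall_decision(packet):
    """'deny' for IPv6 packets carrying IPComp, 'allow' otherwise; malformed
    packets are denied as well (fail closed)."""
    try:
        return "deny" if carries_ipcomp(packet) else "allow"
    except ValueError:
        return "deny"


# Constructed sample packets (not captured traffic).
SRC = bytes.fromhex("20010db8000000000000000000000001")
DST = bytes.fromhex("20010db8000000000000000000000002")


def build_ipv6(next_header, payload):
    """Fixed IPv6 header (version 6, hop limit 64) followed by the payload."""
    return struct.pack("!IHBB", 0x60000000, len(payload), next_header, 64) + SRC + DST + payload


UDP_STUB = bytes(8)                                        # placeholder UDP header
IPCOMP_HEADER = bytes([17, 0, 0x00, 0x02])                 # next=UDP, flags, CPI=2
HOP_BY_HOP_HEADER = bytes([IPCOMP, 0, 1, 4, 0, 0, 0, 0])   # next=IPComp, PadN option

PLAIN_UDP = build_ipv6(17, UDP_STUB)
DIRECT_IPCOMP = build_ipv6(IPCOMP, IPCOMP_HEADER + UDP_STUB)
HBH_THEN_IPCOMP = build_ipv6(HOP_BY_HOP, HOP_BY_HOP_HEADER + IPCOMP_HEADER + UDP_STUB)

if __name__ == "__main__":
    for name, pkt in [("plain UDP", PLAIN_UDP), ("IPComp", DIRECT_IPCOMP),
                      ("hop-by-hop then IPComp", HBH_THEN_IPCOMP)]:
        print(f"{name:24s} chain={ipv6_header_chain(pkt)} -> {firewall_decision(pkt)}")
```

The hop-by-hop case is the one a naive rule misses: matching only on the fixed header's Next Header field would let the second sample through, which is why the walk has to follow the chain rather than look at byte 6 alone.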