Thursday, February 12, 2009

Mac Security Update 2009-001, Java Updates and a Safari for Windows Update

If you'd like to read Apple's notes about Security Update 2009-001, you can click HERE.

Ahead is a quick analysis of what is covered in the update, along with comments.

This security update is specifically for computers updated to Mac OS X 10.4.11 and 10.5.6, both client and server. Presumably it will be integrated into 10.5.7 when it's available.

There are 28 specific security updates including fixes for 48 documented vulnerabilities, making this another whopper relative to the updates we used to get from Apple a couple years back. I like that. The updates cover some interesting aspects of the Mac OS X Apple have not previously addressed. This indicates to me that over time they are carefully combing through aspects of the OS rather than randomly poking around or only responding as they receive vulnerability reports from third parties.

As ever, there are several buffer overflow patches. Memory management remains one of the banes of contemporary coding. I'm getting the idea that this problem won't go away until we invent an AI that can self-analyze its own computer code. It could happen!

A surprising trend in this update is the patching of security problems introduced specifically in Mac OS X 10.5.6. Ahem Apple. Ahem beta testers.

Cookies: There are a couple repairs for cookie problems introduced into the CFNetwork process in Mac OS X 10.5.6.

Printing: Included is a CUPS update as well as a repair of an error in the csregprinter process that allowed system privileges escalation.

Scripting: There are several patches provided for python and one for perl.

Remote Apple Events: There are a couple buffer overflow / out-of-bounds memory access patches.

SMB: Apple themselves patched a couple buffer problems, which is interesting. It's good to see Apple serious about compatibility with Windows networks.

X11: There are a collection of patches regarding font handling, user privilege plundering and several other vulnerabilites in the X11 server.

JavaScript: Here's another bane of contemporary coding. This time the patch is to Safari's RSS handling of feed URLs.

Mail services: A pair of patches are made to fetchmail and another pair to SquirrelMail.

Video: Yet another problem with maliciously crafted media files. This time a patch is provided for the Pixlet codec.

Other patched services include:

AFP Server
CarbonCore's Resource Manager
Certificate Assistant
DS Tools: dscl
Folder Manager
FSEvents framework: fseventsd
Network Time
Server Manager: servermgrd

And included is a security updated version of ClamAV for both 10.4 and 10.5 Server.

There were also a few other security related updates released today. Here is a list with links provided to their individual security update description documents:

Safari 3.2.2 for Windows

Java for Mac OS X 10.4 Release 8

Java for Mac OS X 10.5 Update 3

The Java security vulnerabilities that were patched include maliciously written web page Java applets allowing user privilege plundering. These problems weren't in Apple's implementation but in Java itself. SOS: Java was supposed to be as safe as a sandbox. Yeah, a sandbox full of land sharks.

My recommendation for security fanatics, as per recommendations from security expert Steve Gibson: If you don't want to take chances with hacker perpetrated JavaScript and Java, use a browser that lets you turn on support for both protocols on a site by site basis. As with using Little Snitch, it can be a PITA dithering around with little stuff on the net. But the geek in me adjusted such that I use site by site service control all the time. The browser I use for this purpose is OmniWeb. It's the bells and whistles web browser for Mac OS X and is well worth paying for if you like its abundant added features. You can also rig FireFox to handle site by site services as well. Camino and Safari are sadly site specific clueless. I haven't tested other browsers.

BTW: Coming up is my long delayed discussion of Tracking Cookies.

Share and Enjoy!


Friday, February 6, 2009

This is how bad it gets: US Govt Security. Plus my wetware lecture.

I recently read that Steve Ballmer had been invited to talk to the US Congress about 'innovation'. After ROTHFMAOTID, I fell asleep dreaming of the US Govt. actually making sense.

This morning I found a lovely story about just how insane the US Govt. remains. Even one of their security contractors can't keep out the malware. I wonder what OS they are using, NOT. This is lifted from the highly recommended EXCELLENT weekly SANS NewsBites email newsletter, Volume 11, Number 10, © 2009, accessible at:

--Government Security Contractor Suffers Data Breach
(February 3 & 4, 2009)
US government contractor SRA has notified its employees and customers that their personal information was compromised after the company found evidence of malware on one of its servers. The affected data include names, addresses, dates of birth, health information and Social Security numbers (SSNs). SRA provides computer security and privacy services. SRA informed the Maryland Attorney General's office of the incident on January 20.

Could this happen on Mac OS X? At this point in time the answer is: Maybe. The recent pirateware Trojan could theoretically pull these tricks.

Conclusion: Don't be naughty wetware. Always install only verified, legitimate software. Every time you type in your password to install something, think twice. Once you hit the OK button, you could be zombieing your computer.

Saying such stuff used to be FUD, and there are still people who rant and flame that such statements are going overboard. Not any more! Social engineering is becoming a fine art, and you are the target, no matter what computer platform you use. This sort of malware knows no operating system bounds. There isn't any anti-malware program that can be 100% predictive of what new and nasty Trojan is buried in something you just put on your drive. What's at fault here, as indicated above, is YOU if you install it. You can't blame Apple, you can't blame Microsoft, you can't blame Linus Torvalds. You get to point at the person in the mirror for not following the rules required for dead basic computer security.

And just as a reminder:
What is the very best way to protect yourself from the effects of malware infection?

It's that same old #1 rule of computing:
Make A Backup.

Now get out there and tell the world! Wetware unite! Social engineers: DIE!

Share and Enjoy,