Apple

Updated 1:45am PST Tuesday with pricing information.

McAfee has released a new security suite designed to help businesses better handle security for their growing segment of Macintosh computers.

Targeting small to large companies, McAfee Endpoint Protection for Mac provides antivirus and antispyware features, and both an inbound and outbound firewall, McAfee said Tuesday.

The company is positioning the tool as a plus for IT administrators and for users. Administrators can use the same console to manage McAfee security on both Mac and Windows machines, said the company. The software lets administrators deny or control which applications can run on supported Macs. The suite's ePolicy Orchestrator tool can also generate reports of malicious activity for review.

Some have debated whether the Mac needs security software since it has traditionally been a less visible target than Windows for attack. But with Internet threats continually on the rise, few computer environments are completely immune. Even Apple has advised Mac users to protect themselves with security software.

Antivirus software for the Mac has been sold for a long time by companies such as Symantec and McAfee. But most products have been geared to the individual user.

McAfee sees its Endpoint Protection suite as filling a growing need at schools, companies, and government agencies that have adopted more Macs in recent years.

"The demand for Macintosh in the enterprise is steadily growing, yet organizations are either not using any security technology for these endpoints, or they are using a standalone, non-manageable anti-virus protection solution," Peter Lincoln, IT director at Aquent, said in a statement provided by McAfee. "The use of McAfee Endpoint Protection for Mac enables us to have complete protection on all our endpoints. Using the same integrated management console also allows us to lower our operational cost and ensure security and compliance."

A survey conducted last year by ITIC showed that a greater number of companies were planning to allow Macs into their workforce.

McAfee Endpoint Protection for Mac is compatible with the latest release of Apple's Snow Leopard as well as existing Leopard and Tiger environments. A McAfee spokesperson said the product's retail price would be $55.08 per computer for a network of 500 - 1000 computers. The pricing includes one year of Gold technical support.

For the past month, some Mac OS X users have been reporting their personal data missing after logging into their guest accounts, and Apple now says it's working on finding a fix.

"We are aware of the issue, which occurs only in extremely rare cases, and we are working on a fix," an Apple representative said in a prepared statement Monday.

(Credit: Apple)

It's the first time Apple has said it is looking into the issue. In early September, a handful of Mac users reported the issue on Apple's discussion boards. The problem, when it occurs, goes like this, according to CNET's MacFixit: when logging into the guest account on their Mac first and then logging into their regular account, some users are finding all their data to be missing and their accounts completely reset.

It doesn't appear to be a widespread problem--there are fewer than 100 posts on several current discussion threads on the issue--but it's certainly topical. Microsoft is currently dealing with a massive data loss at its Danger subsidiary, the company it acquired that makes the Sidekick mobile phone.

Apple's data loss issue is also yet another problem related to its most recent operating-system release. Snow Leopard has been plagued with bugs since its release, including problems with the Finder hanging or crashing, incompatibility with certain apps, and the AirPort connection dropping.

Although Apple doesn't yet have an answer for why this is occurring, you can check here for some suggested fixes, if you're experiencing the problem.

iPhone and iPhone 3G users hit a roadblock last week trying to login to Exchange 2007 servers after upgrading to iPhone OS 3.1.

(Credit: Apple)

Because the problems began with the latest update, it may seem reasonable to assume that the update is to blame, but it's not. In fact, everything is working exactly how it's supposed to be, according to Apple.

"iPhone OS 3.1 is working properly with Exchange Server 2007," Apple representative Natalie Harrison told CNET News. "We added device encryption information to the data that can be managed by IT administrators using Exchange Server 2007. The policy of whether to support iPhone 3G, in addition to iPhone 3GS, which always has on-device encryption, on Exchange Server 2007 is set by the administrator and can be changed at any time."

What this means is that iPhone OS 3.1 now properly identifies itself to Exchange 2007 as having hardware encryption, and that's what is causing the problems for iPhone and iPhone 3G users.

iPhone OS 3.0 did not identify itself properly to Exchange 2007 on any iPhone. This means that if you had a 3G and Exchange 2007 was configured to require hardware encryption, you could still login, even though the device does not have hardware encryption.

With iPhone OS 3.1, all iPhones identify themselves properly to the server, essentially fixing a glitch in the previous operating system. However, now iPhone and iPhone 3G users that upgraded to iPhone OS 3.1 cannot login to Exchange 2007 servers that require hardware encryption.

If you use the new iPhone 3GS, you won't notice any change. Apple's newest phone is equipped with hardware encryption, so it will meet the requirements of the Exchange server when identifying itself.

If you already upgraded to iPhone OS 3.1 on an iPhone or iPhone 3G and connect to an Exchange 2007 server, you can ask that the IT admin turn off the hardware encryption requirement for those devices.

Company IT administrators who require hardware encryption to access Exchange 2007 will need to decide whether they want older iPhones to access their servers. If so, they will need to configure Exchange to not require encryption from the iPhone and iPhone 3G.

Of course, if you haven't upgraded your iPhone, it will continue to access Exchange 2007 as it always did.

Share of the Mac operating system is growing, and with it the number of malware threats targeting the platform.

(Credit: Net Applications)

of the new version of the Mac OS, dubbed Snow Leopard, could include some security features that would make it secure, or at least push it closer to the level of security that Vista and Windows 7 have, experts said this week.

Contrary to popular Mac fanboy belief, Macintosh is not more secure from a software standpoint than modern Windows; it's merely safer to use because malware writers prefer to target the platform with the biggest install base, according to Charlie Miller and Dino Dai Zovi, co-authors of The Mac Hacker's Handbook, which came out this spring.

"Apple hasn't implemented all the security features that Vista has," Miller said. "They made some improvements in Leopard, but they are still behind."

If there is any truth to rumors circulating about Snow Leopard, the operating system security playing field could become more level as of this weekend and Mac users will really have something to brag about.

First off, a screen shot published on the Mac Security Blog of Intego on Tuesday appears to show a security feature supposedly in Snow Leopard that looks like it is detecting a Trojan in a disk image being downloaded via Safari. The post cites unnamed reports about an anti-malware feature being added.

"If it's true, it will mark a fundamental change in that Apple will be admitting that their operating system is as susceptible to malware as other operating systems," Miller said.

CNET's review of Snow Leopard posted late on Wednesday says that File Quarantine, first introduced in Mac OS X 10.4 Tiger, has been refined in Snow Leopard. File Quarantine checks for known malware signatures and displays an alert dialog if it finds a known offender and will be automatically updated via Mac OS X's software update as new malware signatures are found in the wild, the review says.

It's unclear whether rumors are true that Snow Leopard includes several internal features designed to prevent attacks that Vista and Windows 7 have, known as Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP) on that platform.

By randomizing the location of key pieces of data, ASLR makes it much more difficult for attackers to predict where data is going to be in order to execute their code or the code resident in the process. For exploit code that gets past the ASLR barrier, DEP will try to block it from running, recognizing that it is data and not a legitimate code.

"If you have both, it's hard for an exploit to get around it. Leopard has some ASLR but everything is not randomized and Leopard has no DEP," Miller said. "Things could change significantly for the Mac if they do a good job...That was my main gripe with it."

In June, Dai Zovi reported on a new local privilege escalation vulnerability researchers had discovered that gives local root access on Mac OS X Tiger and Leopard. He offered up a wish list for Snow Leopard that included: real" ASLR; "full use of hardware-enforced Non-eXecutable memory (NX);" default 64-bit native execution for security-sensitive processes; sandbox policies for Safari, Mail.app, and third-party applications (akin to what Chrome has); and Mandatory code signing for kernel extensions.

Apple's Mac OS X security page makes reference to offering sandboxing, Library Randomization, and Execute Disable, but there are no details.

An Apple spokeswoman did not follow up on an e-mail request seeking an interview for this story.

The Snow Leopard Web site says it will offer protection against some common types of heap buffer overflow exploits but not new types of such memory overflow exploits, according to Dai Zovi.

The security level in Leopard falls in between Windows XP Service Pack 2 and Vista, he said. If Snow Leopard has full ASLR and DEP, it would bring its security close to the level of Vista, he added.

While adding full ASLR and DEP to Snow Leopard will boost the operating system's defenses against targeted attacks, the Mac OS software arguably has more holes that malware can slip through, Miller said. "It would be fair to say that Mac has more bugs, but it's impossible to measure," he said.

Market pressure has been missing
In this sense, Microsoft has benefited greatly from the plague of security holes in early Windows versions. Those problems led the company to embark on a quasi-religious conversion in 2002 with Bill Gates launching the Trustworthy Computing initiative and setting security as a top priority for the company. Its Security Development Lifecycle (SDL) program--designed to build security into the software--has become the model for the industry.

Microsoft puts "much more effort into auditing their code, the entire SDL process, developer training, automated source code scanners, and hiring external penetration testers," Dai Zovi said.

So far, Apple hasn't felt that kind of market pressure to improve Mac security, largely because malware writers have ignored it, so its secure software development process isn't nearly as developed or mature as Microsoft's, the security researchers said.

"Microsoft has had a head start. That's why they had ASLR and DEP first," Miller said. "It's not because they're geniuses. They just started caring about it sooner."

"These things go lock in step and it doesn't make sense for businesses to expend a ton of resources when the threat is not there," said Dai Zovi. "So far, Apple has been keeping up pretty well with the level of threats in the wild."

As far as security goes, market share is a double-edged sword. As the Mac operating system gets more popular, the amount of malware targeting it is growing.

The Mac has only about 5 percent market share worldwide (nearly half is in the U.S. alone), compared with nearly 95 percent for Windows, according to market statistics provider Net Applications. But the Mac share is rising, from 3.73 percent to 4.86 percent in less than a year, the firm says.

In the meantime, more and more Mac malware is appearing. Earlier this week, TrendMicro reported that it found a new variant of the JAHLAV family of Trojans that pose as pirated versions of legitimate applications, modify a computer's domain name system (DNS) settings and enabling successful phishing attacks and redirects to sites hosting malware. Earlier versions of the Trojan masqueraded as versions of QuickTime, but this one passes as Foxit Reader or an antivirus program.

Some malware is written for both Windows and Mac platforms and downloads the correct version depending on the browser. Last week, Symantec reported that sites purporting to show streams of new movies were actually feeding up a DNS-changing Trojan instead called OSX.RSPlug.A for Mac and Trojan.Fakeavalert for Windows. Last month, a McAfee blog post wrote about the OSX/Puper.a Trojan that is downloaded onto Mac systems when users download what they think is a video player.

ZDNet's Zero Day blog has covered a number of Mac malware threats this year alone. In January, Intego, which has been tracking Mac malware for several years, discovered a Mac OS X Trojan circulating in pirated copies of Apple's iWork '09 software found on BitTorrent trackers and other sites. Symantec researchers in April linked malware found in bogus copies of iWork '09 and Adobe Photoshop CS4 to what they said could be the first Mac OS X botnet launching denial-of-service attacks. And in May, a new e-mail worm dubbed OSX/Tored-A targeting the Mac was uncovered, although it was not found to be spreading in the wild.

"The frequency is increasing" for Mac threats in the wild, said Dai Zovi. "Still, there are only a handful of threats; no where near what Windows users face."

In addition to considering how buggy the software is, how secure the operating system code is, and whether malware writers are creating viruses and Trojans for the platform, another factor in play is how likely Mac users are to be duped into visiting a malicious site, opening a malicious e-mail attachment, and downloading a fake file.

Most Mac users seem to take pride in their supposed invulnerability, so one would think that they are less cautious in their surfing activities. But it's hard to tell.

"No computer or operating system is more or less secure when it comes to users being tricked into downloading something," Miller said.

(Credit: Matt Hickey)

So Apple on Friday released an update to the iPhone OS (3.0.1) that takes care of an SMS vulnerability. It's a fairly important patch, and usually when Apple updates the iPhone OS, jailbreakers have to wait until the Dev Team comes out with a new version of jailbreaking software before they can update.

But according to the iPhone Dev Team's Twitter, this is not the case with the 3.0.1 firmware. In fact, the current versions of redsn0w and ultrasn0w work the same with the 3.0.1 firmware as they do with the 3.0 firmware that came out a few weeks ago. In short, the jailbreaking software already works. I checked with the Dev Team community and had this confirmed. "Restore to 3.0.1, run redsn0w, select the 3.0 file... Bang zoom."

So go ahead, iPhone hackers, and secure your devices soon. You don't have to worry about losing Cydia and other rogue apps.

Apple on Friday fixed an SMS-related security flaw in the iPhone that had been at the center of one of the most talked-about exploits at this week's Black Hat security conference.

"We appreciate the information provided to us about SMS vulnerabilities which affect several mobile phone platforms," Apple representative Tom Neumayr told CNET.

"This morning, less than 24 hours after a demonstration of this exploit," Neumayr continued, "we've issued a free software update that eliminates the vulnerability from the iPhone. Contrary to what's been reported, no one has been able to take control of the iPhone to gain access to personal information using this exploit."

The security flaw involved malicious SMS messages that could allow hackers to take control of an iPhone. The flaw could have let them make calls, send text messages, or almost anything they wanted on the victim's iPhone.

Security researchers Collin Mulliner and Charlie Miller showed the flaw in action at Black Hat earlier this week. Miller said the flaw could take control of the iPhone because of the way the device handled the SMS message. Researchers at Black Hat also showed how SMS-related vulnerabilities can affect Windows Mobile smartphones including those from HTC, Motorola, and Samsung.

Miller said that Apple was first notified of the flaw six weeks ago.

According to Apple, the iPhone 3.0.1 update released today improves the device's memory handling, essentially fixing the exploit.

The update is available by plugging your iPhone into your computer and clicking on the Check for Update button in iTunes.

The encryption functionality of the iPhone 3GS is so easy to crack that it is essentially "broken" as far as protecting sensitive personal data like credit card and social security numbers, according to a forensics expert and iPhone developer.

"I don't think any of us [developers] have ever seen encryption implemented so poorly before, which is why it's hard to describe why it's such a big threat to security," Jonathan Zdziarski told Wired.

With physical access to a 3GS iPhone and some free software data can be extracted within two minutes and an image of the entire raw disk in about 45 minutes, he said. The iPhone decrypts the data on its own once the extraction has begun, he explains in a video demonstration.

Apple has been touting the encryption and other features to entice corporate users to the device. And it seems to be working. Nearly 20 percent of Fortune 100 companies have purchased 10,000 or more iPhones per company, the company said on its financial results conference call on Tuesday.

Apple has issued an advisory regarding security enhancements included in the iPhone OS 3.0 release Wednesday.

(Credit: Apple)

Here is a synopsis of the 46 iPhone security vulnerabilities addressed by the latest operating-system update for the iPhone and iPod Touch. As may be expected, many of these security patches focus on the Web-browsing framework WebKit.

CoreGraphics Changes to CoreGraphics prevent maliciously crafted image and PDF files from causing unexpected application termination or arbitrary code execution; vulnerabilities causing the same problems in FreeType v2.3.8 were also patched.

Exchange Changes were made to prevent a user from connecting to a malicious Exchange server that could lead to the disclosure of sensitive information by adding improvements to the handling of untrusted certificate exceptions.

ImageIO Changes to ImageIO prevent the use of maliciously crafted PNG images from causing unexpected application termination or arbitrary code execution.

International Components for Unicode Changes to Unicode prevent the use of maliciously crafted content that may bypass Web site filters and result in cross-site scripting.

IPSec Changes to IPSec patch multiple vulnerabilities in the racoon daemon that may lead to a denial-of-service attack.

Libxml Changes to XML library Libxml patch multiple vulnerabilities in Libxml2 version 2.6.16.

Mail Changes were made to the Mail app to give users control over the loading of remote images in HTML messages (see below). Additionally, the app was changed to prevent an application from causing an alert to appear that may be used to initiate a phone call without user interaction.

MPEG-4 Video Codec Changes to the MPEG-4 Video Codec will prevent the viewing of maliciously crafted MPEG-4 video files that may lead to an unexpected device reset.

Profiles Changes to Profiles will prohibit the installation of a configuration profile that may weaken the passcode policy defined by Exchange ActiveSync.

Safari Changes to Safari support the clearing of Safari's history via the Settings application, allowing prevention of disclosure of the search history to a person with physical access to the device. Now search history is actually removed. Additionally, if a user were to interact with a maliciously crafted Web site, a patch has been put in place to prevent unexpected action on another site such as "clickjacking."

Telephony Changes to Telephony address a problem in which a remote attacker may cause an unexpected device reset.

WebKit Changes to Web-browsing framework WebKit were very numerous in this release, given how popular the iPhone has become for Web use. They included many fixes to prevent arbitrary code or script execution, when visiting maliciously crafted Web sites. Some of these vulnerabilities could lead to app crashes and unexpected device resets, or the disclosure of sensitive information.

Previous coverage: Security updates in iPhone OS 2.2.

Updated 12:30 p.m. PDT with Apple comment

Macintosh security consulting firm SecureMac.com on Tuesday issued a critical warning for what it says is an unpatched Java security vulnerability in Apple's Mac OS X.

According to the man credited with discovering it, Landon Fuller, the Java flaw even affects the latest version of Mac OS X, 10.5.7, released just a week ago. Fuller has gone so far as to release a proof of concept for the security hole.

The vulnerability could be used to perform what SecureMac refers to as "drive-by-downloads," or the ability to infect a computer by simply visiting a Web page. Fuller explains that the flaw allows malicious code to run commands with the permissions of the current user.

In a post on his Web site, Fuller clearly seems upset and mystified that the vulnerability remains unpatched in the latest versions of the operating system.

"Unfortunately, it seems that many Mac OS X security issues are ignored if the severity of the issue is not adequately demonstrated," Fuller said on his site. "Due to the fact that an exploit for this issue is available in the wild, and the vulnerability has been public knowledge for six months, I have decided to release my own proof of concept to demonstrate the issue."

"We are aware of the issue and we are working on a fix," Apple spokeswoman Monica Sarkar said. She could not give a time frame for the fix and declined to comment further.

Fuller's demonstration runs on "fully patched" Intel and PowerPC Macs.

The only workaround for the vulnerability is to disable the use of Java applets in your Web browsers and turn off the preference to "Open safe files after downloading" in Safari, he said.