Apple on Monday released a large security update for Mac OS X that fixes dozens of vulnerabilities and provides protection against potential attacks exploiting a weakness in the protocol used to verify that a domain is legitimate.
There are 43 specific issues addressed in the 2009-006 update, released the same day as Mac OS X v.10.6.2.
It plugs a variety of holes for the Mac OS X v10.5.8, 10.6, 10.6.1, and Mac OS X Server v10.6 and 10.6.1, many of which could lead to arbitrary code execution and allow an attacker to take control of a computer.
Several updates affect Apache and QuickTime. Others target AFP Client, Apple Type Services, Core Graphics, CoreMedia, Dictionary, Disk Images, Dovecot, Directory Service, fetch mail, FTP Server, Help Viewer, Kernel, PHP, QuickDraw Manager and Spotlight.
One update fixes a hole in Adaptive Firewall that could allow a brute force or dictionary attack to guess an SSH log-in password, and another update addresses a vulnerability in Login Window that could allow a user to log in to any account without supplying a password.
Several updates address holes that could allow domain spoofing or man-in-the-middle attacks involving SSL (Secure Sockets Layer) used for encrypting data in transit, including a significant weakness in the X.509 protocol for generating SSL connections.
One of the updates affects the libsecurity feature and is billed as a "proactive change to protect users in advance of improved attacks against the MD2 hash algorithm" that could expose users to spoofing and information disclosure.
"There are known cryptographic weaknesses in the MD2 hash algorithm. Further research could allow the creation of X.509 certificates with attacker controlled values that are trusted by the system," the update says. "This could expose X.509 based protocols to spoofing, man in the middle attacks, and information disclosure. While it is not yet considered computationally feasible to mount an attack using these weaknesses, this update disables support for an X.509 certificate with an MD2 hash for any use other than as trusted root certificate."
That major weakness was revealed by security researcher Dan Kaminsky at the Defcon hacker conference in July. Kaminsky was able to trick a Certificate Authority into providing a certificate verifying authenticity for a domain that belonged to someone else.
The updates can be downloaded from Apple's site.
Apple on Thursday released a relatively minor update for Mac OS X Snow Leopard that fixes an issue users had with the operating system that downgraded them to an older version of Adobe Systems' Flash Player.
(Credit:
Apple)
When Apple released Snow Leopard on August 28, it included an older version of Adobe's Flash plug-in that was known to have security issues. Sophos security expert Graham Cluley warned users of the downgrade and urged anyone who installed the operating system to upgrade immediately.
Snow Leopard 10.6.1 addresses this issue by updating the Flash Player plug-in to version 10.0.32.18, the most current, stable release from Adobe.
While that is the big news for Apple's first Snow Leopard update, the company did include some minor fixes as well. The new version includes improved compatibility with Sierra Wireless 3G modems and addresses an issue that caused some DVDs to stop playback.
Printer compatibility has been improved, and so has the automatic account setup in Apple's Mail application. An issue that affected Motion 4 becoming unresponsive has also been fixed.
Mac OS X 10.6.1 can be downloaded from Apple's support Web site or via the software update mechanism in Mac OS X.
Share of the Mac operating system is growing, and with it the number of malware threats targeting the platform.
(Credit: Net Applications)
of the new version of the Mac OS, dubbed Snow Leopard, could include some security features that would make it secure, or at least push it closer to the level of security that Vista and Windows 7 have, experts said this week.
Contrary to popular Mac fanboy belief, Macintosh is not more secure from a software standpoint than modern Windows; it's merely safer to use because malware writers prefer to target the platform with the biggest install base, according to Charlie Miller and Dino Dai Zovi, co-authors of The Mac Hacker's Handbook, which came out this spring.
"Apple hasn't implemented all the security features that Vista has," Miller said. "They made some improvements in Leopard, but they are still behind."
If there is any truth to rumors circulating about Snow Leopard, the operating system security playing field could become more level as of this weekend and Mac users will really have something to brag about.
First off, a screen shot published on the Mac Security Blog of Intego on Tuesday appears to show a security feature supposedly in Snow Leopard that looks like it is detecting a Trojan in a disk image being downloaded via Safari. The post cites unnamed reports about an anti-malware feature being added.
"If it's true, it will mark a fundamental change in that Apple will be admitting that their operating system is as susceptible to malware as other operating systems," Miller said.
CNET's review of Snow Leopard posted late on Wednesday says that File Quarantine, first introduced in Mac OS X 10.4 Tiger, has been refined in Snow Leopard. File Quarantine checks for known malware signatures and displays an alert dialog if it finds a known offender and will be automatically updated via Mac OS X's software update as new malware signatures are found in the wild, the review says.
It's unclear whether rumors are true that Snow Leopard includes several internal features designed to prevent attacks that Vista and Windows 7 have, known as Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP) on that platform.
By randomizing the location of key pieces of data, ASLR makes it much more difficult for attackers to predict where data is going to be in order to execute their code or the code resident in the process. For exploit code that gets past the ASLR barrier, DEP will try to block it from running, recognizing that it is data and not a legitimate code.
"If you have both, it's hard for an exploit to get around it. Leopard has some ASLR but everything is not randomized and Leopard has no DEP," Miller said. "Things could change significantly for the Mac if they do a good job...That was my main gripe with it."
In June, Dai Zovi reported on a new local privilege escalation vulnerability researchers had discovered that gives local root access on Mac OS X Tiger and Leopard. He offered up a wish list for Snow Leopard that included: real" ASLR; "full use of hardware-enforced Non-eXecutable memory (NX);" default 64-bit native execution for security-sensitive processes; sandbox policies for Safari, Mail.app, and third-party applications (akin to what Chrome has); and Mandatory code signing for kernel extensions.
Apple's Mac OS X security page makes reference to offering sandboxing, Library Randomization, and Execute Disable, but there are no details.
An Apple spokeswoman did not follow up on an e-mail request seeking an interview for this story.
The Snow Leopard Web site says it will offer protection against some common types of heap buffer overflow exploits but not new types of such memory overflow exploits, according to Dai Zovi.
The security level in Leopard falls in between Windows XP Service Pack 2 and Vista, he said. If Snow Leopard has full ASLR and DEP, it would bring its security close to the level of Vista, he added.
While adding full ASLR and DEP to Snow Leopard will boost the operating system's defenses against targeted attacks, the Mac OS software arguably has more holes that malware can slip through, Miller said. "It would be fair to say that Mac has more bugs, but it's impossible to measure," he said.
Market pressure has been missing
In this sense, Microsoft has benefited greatly from the plague of security holes in early Windows versions. Those problems led the company to embark on a quasi-religious conversion in 2002 with Bill Gates launching the Trustworthy Computing initiative and setting security as a top priority for the company. Its Security Development Lifecycle (SDL) program--designed to build security into the software--has become the model for the industry.
Microsoft puts "much more effort into auditing their code, the entire SDL process, developer training, automated source code scanners, and hiring external penetration testers," Dai Zovi said.
So far, Apple hasn't felt that kind of market pressure to improve Mac security, largely because malware writers have ignored it, so its secure software development process isn't nearly as developed or mature as Microsoft's, the security researchers said.
"Microsoft has had a head start. That's why they had ASLR and DEP first," Miller said. "It's not because they're geniuses. They just started caring about it sooner."
"These things go lock in step and it doesn't make sense for businesses to expend a ton of resources when the threat is not there," said Dai Zovi. "So far, Apple has been keeping up pretty well with the level of threats in the wild."
As far as security goes, market share is a double-edged sword. As the Mac operating system gets more popular, the amount of malware targeting it is growing.
The Mac has only about 5 percent market share worldwide (nearly half is in the U.S. alone), compared with nearly 95 percent for Windows, according to market statistics provider Net Applications. But the Mac share is rising, from 3.73 percent to 4.86 percent in less than a year, the firm says.
In the meantime, more and more Mac malware is appearing. Earlier this week, TrendMicro reported that it found a new variant of the JAHLAV family of Trojans that pose as pirated versions of legitimate applications, modify a computer's domain name system (DNS) settings and enabling successful phishing attacks and redirects to sites hosting malware. Earlier versions of the Trojan masqueraded as versions of QuickTime, but this one passes as Foxit Reader or an antivirus program.
Some malware is written for both Windows and Mac platforms and downloads the correct version depending on the browser. Last week, Symantec reported that sites purporting to show streams of new movies were actually feeding up a DNS-changing Trojan instead called OSX.RSPlug.A for Mac and Trojan.Fakeavalert for Windows. Last month, a McAfee blog post wrote about the OSX/Puper.a Trojan that is downloaded onto Mac systems when users download what they think is a video player.
ZDNet's Zero Day blog has covered a number of Mac malware threats this year alone. In January, Intego, which has been tracking Mac malware for several years, discovered a Mac OS X Trojan circulating in pirated copies of Apple's iWork '09 software found on BitTorrent trackers and other sites. Symantec researchers in April linked malware found in bogus copies of iWork '09 and Adobe Photoshop CS4 to what they said could be the first Mac OS X botnet launching denial-of-service attacks. And in May, a new e-mail worm dubbed OSX/Tored-A targeting the Mac was uncovered, although it was not found to be spreading in the wild.
"The frequency is increasing" for Mac threats in the wild, said Dai Zovi. "Still, there are only a handful of threats; no where near what Windows users face."
In addition to considering how buggy the software is, how secure the operating system code is, and whether malware writers are creating viruses and Trojans for the platform, another factor in play is how likely Mac users are to be duped into visiting a malicious site, opening a malicious e-mail attachment, and downloading a fake file.
Most Mac users seem to take pride in their supposed invulnerability, so one would think that they are less cautious in their surfing activities. But it's hard to tell.
"No computer or operating system is more or less secure when it comes to users being tricked into downloading something," Miller said.
Dino Dai Zovi
(Credit: Tehmina Beg)It was summer 2005. Dino Dai Zovi walked into a Manhattan Starbucks, ordered a coffee, sat down, and opened up his laptop.
Before his coffee was cold he had found a local privilege escalation vulnerability in Mac OS X Tiger, which could allow people to elevate from normal user to full super user, and had written code that could exploit the hole.
"I just think that I got lucky, but that's what I always think when I find a bug that quickly," he said in an interview on Wednesday.
Dai Zovi has been exploiting Macs for a long time, publishing his first Mac OS X shellcode (code used as the payload in an exploitation of a vulnerability) for the PowerPC in July 2001. He said he has reported more than 10 vulnerabilities to Apple over the years and does so out of love for the platform.
"I'm an avid Mac user," he said. "So I have a vested interest in them being more secure."
The 29-year-old got an early start in computers, using bulletin boards in second grade and accessing the Internet through a computer running VAX at 13. He taught himself to program and got a computer science degree from the University of New Mexico. While still in college, Dai Zovi worked for the Information Design Assurance Red Team at Sandia National Laboratories, which performs security assessments for the government, military, and commercial industry.
Since then he's worked for consultancies @Stake and Matasano Security, Bloomberg, been director of security at a hedge fund in New York, and now works as chief scientist at Endgame Systems, an information security start-up.
Dai Zovi's Mac hacking hobby has won him some measure of fame. He won the first ever PWN2OWN hacking contest at the CanSecWest security conference in 2007, exploiting a vulnerability in Apple's QuickTime that affected not only Mac-based computers but also those running Windows and for which Safari, Internet Explorer Firefox were vulnerable. (In the contest, participants show up with exploits ready to go. The exploits do not require local access to the systems; they only require that the user visit a web page to simulate a drive-by web exploit, as is common on the Internet today.)
He co-authored a book, The Mac Hacker's Handbook this year with security expert Charlie Miller that argues that contrary to popular belief, the Mac platform is not more secure than Windows, it's just not targeted by malware writers--yet.
"The sky is not falling," Dai Zovi said. But also, "the Mac is not magically protected from malware."
If security features are added to the new version of Mac OS X, Snow Leopard, which is due out on Friday, that could change Dai Zovi and Millers' opinion. (The CNET review of the product is here.)
Charlie Miller
(Credit: Charlie Miller)Miller has won the PWN2OWN contest the past two years. In 2008, he was able to gain control of a Leopard-based MacBook Air using a newly discovered vulnerability in Safari. That took him less than two minutes. This year, it only took him 10 seconds or so to exploit a hole in Safari on a MacBook running Leopard.
Miller is probably best known, though, for being the first to hack the iPhone, discovering a hole in the mobile version of Safari in 2007.
One of the reasons he entered the PWN2OWN contest was to prove that Mac OS security was lacking.
"I had a feeling that Mac was easier (to hack) than Windows," he said. "If I can find the Safari bug or exploit in a few days and it would take me 10 times as long for IE, why would I do that? I go after the easiest guy."
Miller comes from a Linux and Windows background and is relatively new to the Mac platform because he worked in the financial and government sector before becoming a security whiz.
After getting a Ph.D. in mathematics at the University of Notre Dame, Miller worked at the U.S. National Security Agency for five years. Hired as a cryptographer, Miller pushed for computer security training because he was "looking for something else to do."
He then worked at a financial-services firm before moving back to his home town of St. Louis and taking a job as principal analyst at consultancy Independent Security Evaluators, where Macs are standard.
"I hack products I own and use and like," he said. "I want to know how they work and play around with them...I thought the Mac OS and the iPhone were cool."
Updated at 6:58 a.m. PDT with more details about the PWN2OWN contest.
(Credit:
Apple)
The next version of Apple's OS X, which is due out Friday, may bundle antivirus capabilities.
Mac security firm Intego said that the latest version of the operating system, Mac OS X Snow Leopard, could have an antimalware feature, according to reports, in a blog post Tuesday.
The company published a screenshot which it said was of the security feature detecting a Trojan in a download, made via Apple's Safari Web browser.
Intego pointed out that the most recent Mac adverts compare Mac security favorably to PCs. However, security experts have historically been divided over the relative security of Microsoft and Apple code, while some point out that any comparison is further complicated by the differing market penetration of Macs and PCs.
Tom Espiner of ZDNet UK reported from London.
Apple on Wednesday issued a security update that fixes 18 vulnerabilities including several that put computers running Mac OS X at risk of remote code execution if a maliciously crafted image is viewed.
In addition to fixing a problem with how PNG images are handled, Security Update 2009-003 fixes issues related to ImageIO's handling of OpenEXR images, EXIF metadata, as well as Canon RAW images and images with an embedded ColorSync profile.
The update, which arrives as part of the release of Mac OS X v10.5.8, extends the list of content types the Mac OS X will flag as potentially unsafe when downloaded from the Web. It also fixes a problem with how XML content is handled and resolves the way the kernel handles AppleTalk response packets.
Apple also identified and fixed a problem with MobileMe. Signing out of MobileMe does not remove all credentials and a person with access to the local user account could continue to access associated systems.
Updated 12:30 p.m. PDT with Apple comment
Macintosh security consulting firm SecureMac.com on Tuesday issued a critical warning for what it says is an unpatched Java security vulnerability in Apple's Mac OS X.
According to the man credited with discovering it, Landon Fuller, the Java flaw even affects the latest version of Mac OS X, 10.5.7, released just a week ago. Fuller has gone so far as to release a proof of concept for the security hole.
The vulnerability could be used to perform what SecureMac refers to as "drive-by-downloads," or the ability to infect a computer by simply visiting a Web page. Fuller explains that the flaw allows malicious code to run commands with the permissions of the current user.
In a post on his Web site, Fuller clearly seems upset and mystified that the vulnerability remains unpatched in the latest versions of the operating system.
"Unfortunately, it seems that many Mac OS X security issues are ignored if the severity of the issue is not adequately demonstrated," Fuller said on his site. "Due to the fact that an exploit for this issue is available in the wild, and the vulnerability has been public knowledge for six months, I have decided to release my own proof of concept to demonstrate the issue."
"We are aware of the issue and we are working on a fix," Apple spokeswoman Monica Sarkar said. She could not give a time frame for the fix and declined to comment further.
Fuller's demonstration runs on "fully patched" Intel and PowerPC Macs.
The only workaround for the vulnerability is to disable the use of Java applets in your Web browsers and turn off the preference to "Open safe files after downloading" in Safari, he said.
Apple released a Mac OS X security update on Thursday that contains fixes for more than two dozen vulnerabilities, including one in Safari RSS that could lead to arbitrary code execution and one in Remote Apple Events that could disclose sensitive information.
Also fixed are a vulnerability in AFP Server that could trigger a denial of service and vulnerabilities in Apple Pixlet Video, ClamAV, CoreText, Python, SMB, and X11 that could lead to arbitrary code execution. Another fix closes a hole in Printing that could allow a local user to get system privileges and one in DS Tools that could expose passwords to other local users.
Security Update 2009-001 can be obtained from the Software Update pane in System Preferences or Apple's Software Downloads Web site.
Apple also on Thursday released Safari 3.2.2 for Windows, which fixes a vulnerability that could allow execution of arbitrary JavaScript in the local security zone. That update is also on Apple's download site.
Updated 10:50 a.m. PST December 2 to correct that Apple previously recommended antivirus software to Mac users, and at 1:50 p.m. PST with call back from Apple and link to 2002 Apple anti-virus item. A follow-up blog will be posted that goes into more detail about the coverage.
Apple is recommending that Mac users install antivirus software.
But don't read this as an admission that the Mac operating system is suddenly insecure. It's more a recognition that Mac users are vulnerable to Web application exploits, which have replaced operating system vulnerabilities as the bigger threat to computer users.
On November 21 Apple updated a technical note on its Support Web site that says: "Apple encourages the widespread use of multiple antivirus utilities so that virus programmers have more than one application to circumvent, thus making the whole virus writing process more difficult."
The item offers three software suggestions: Intego VirusBarrier X5 and Symantec Norton Anti-Virus 11 for Macintosh, both available from the Apple Online Store, and McAfee VirusScan for Mac.
MacDailyNews unearthed the same note posted by Apple in June 2007 and published it on Tuesday,a long with a link to a March 2002 note from Apple urging people to use an anti-virus program.
Apple representatives did not respond to e-mails seeking comment on Monday, but did return a call on Tuesday. A spokesman said he would look into the matter.
Brian Krebs, who first reported on the Apple antivirus recommendation Monday in his Security Fix blog at The Washington Post, said an Apple store employee told him he didn't need antivirus software when he purchased a MacBook three months ago.
... Read more
On Thursday, Apple released Safari 3.2. Although the update affects both Mac and Windows users, many of the Mac updates were provided in Apple's October update for Mac OS X users. The update includes eight fixes specific to Safari and three specific to Webkit.
Safari 3.2 is available via the Apple Software Update application, the Apple Software Downloads page, or Apple's Safari download site.
Safari-1
This patch affects Safari users on Windows XP or Vista. This update addresses multiple vulnerabilities in zlib 1.2.2 detailed within CVE-2005-2096. Apple credits Robbie Joosten of bioinformatics@school, and David Gunnells of the University of Alabama at Birmingham for reporting the vulnerabilities.
Safari-2
This patch affects users of Windows XP or Vista. This update addresses the security issue in the libxslt library detailed within CVE-2008-1767 in which processing an XML document may lead to an unexpected application termination or arbitrary code execution. Apple credits Anthony de Almeida Lopes of Outpost24 AB, and Chris Evans of the Google Security Team for finding the vulnerability.
Safari-3
This patch affects users of Windows XP or Vista. The update addresses the heap buffer overflow issue that exists in the CoreGraphics' handling of color spaces detailed within CVE-2008-3623 in which viewing a maliciously crafted image may lead to an unexpected application termination or arbitrary code execution. Apple credits itself for finding the vulnerability.
Safari-4
This patch affects users of Windows XP or Vista. This update addresses the security issue detailed within CVE-2008-2327 in which viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution. Apple credits itself for finding the vulnerability.
Safari-5
This patch affects users of Windows XP or Vista. The update addresses the vulnerabilities detailed within CVE-2008-2332 in which viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution. Specifically, a memory corruption issue exists in ImageIO's handling of embedded ICC profiles in JPEG images. Apple credits Robert Swiecki of the Google Security Team for finding the vulnerability.
Safari-6
This patch affects users of Windows XP or Vista. This update addresses the security issue detailed within CVE-2008-3608 in which viewing a large maliciously crafted JPEG image may lead to an unexpected application termination or arbitrary code execution. Apple credits itself for finding the vulnerability.
Safari-7
This patch affects users of Windows XP or Vista. This update addresses the security issue detailed within CVE-2008-3642 in which viewing a maliciously crafted image may lead to an unexpected application termination or arbitrary code execution. Apple credits itself for finding the vulnerability.
Safari-8
This patch affects users of Mac OS X v10.4.11, Mac OS X v10.5.5, or Windows XP or Vista. The update addresses the vulnerabilities detailed within CVE-2008-3644 in which disabling autocomplete on a form field may not prevent the data in the field from being stored in the browser page cache. This may lead to the disclosure of sensitive information to a local user. Apple credits an anonymous researcher for finding the vulnerability.
WebKit-1
This patch affects users of Mac OS X v10.4.11, Mac OS X v10.5.5, or Windows XP or Vista. This update addresses the security issue detailed within CVE-2008-2303 in which visiting a maliciously crafted Web site may lead to an unexpected application termination or arbitrary code execution. Apple credits SkyLined of Google for finding the vulnerability.
WebKit-2
This patch affects users of Mac OS X v10.4.11, Mac OS X v10.5.5, and Windows XP or Vista. The update addresses the vulnerabilities detailed within CVE-2008-2317 in which visiting a maliciously crafted Web site may lead to an unexpected application termination or arbitrary code execution. Specifically, a memory corruption issue exists in WebCore's handling of style sheet elements. The issue has already been addressed in systems running Mac OS X v10.5.5. Apple credits the TippingPoint Zero Day Initiative for finding the vulnerability.
Webkit-3
This patch affects users of Mac OS X v10.4.11, Mac OS X v10.5.5, and Windows XP or Vista. This update addresses the security issue detailed within CVE-2008-4216 in which visiting a maliciously crafted Web site may lead to the disclosure of sensitive information. This update addresses the issue by restricting the types of URLs that may be launched via the plug-in interface. Apple credits Billy Rios of Microsoft, and Nitesh Dhanjani of Ernst & Young for finding this vulnerability.
