Apple Releases Common Criteria Tools for 10.5

Apple has released Common Criteria Tools for 10.5. According to Apple, Common Criteria is:

“An internationally approved set of security standards which provides a clear and reliable evaluation of the security capabilities of Information Technology products. By providing an independent assessment of a product’s ability to meet security standards, Common Criteria gives customers more confidence in the security of Information Technology products and leads to more informed decisions.”

Common Criteria Tools for 10.5 can be downloaded here.

Posted by Peter on April 24th, 2008 in Apple, Security | Permalink

Mac Hack Vulnerability Had Been Public for Months

Last month, we reported on a Mac hack contest where a Mac was hacked in two minutes flat. Initial reports suggested that the security researcher who hacked the Mac, Charlie Miller, had discovered the vulnerability he used just a couple of weeks before the contest. Well, Macworld reports that this flaw had been made public in November 2007, and Apple had not patched it, allowing Miller to discover it “completely independently”.

The flaw in question affects the open-source PCRE software library, which is used by Safari. Developers corrected the flaw quickly, but Apple didn’t update the library until last week. Whether or not Miller actually discovered this flaw on his own, it shows one of the big problems of Mac OS X and its reliance on third-party software: many flaws and vulnerabilities may be quickly fixed by the developers of this software, but it often takes Apple months to roll the fixes into Mac OS X. Astute hackers can easily find out what has been fixed in the underlying software, and be aware that Apple likely hasn’t fixed it as quickly, leading to vectors of attack against Macs.

Posted by Peter on April 23rd, 2008 in Apple, Security | Permalink

Using NetBarrier to Find AirPort Networks

In addition to protecting your Mac from hackers, vandals and all kinds of network attacks, NetBarrier X5 has a set of tools for monitoring your network and checking network status. One of these tools is especially useful if you use AirPort to connect your Macs to a network.

NetBarrier’s Network section shows you a great deal of information about your network interfaces (AirPort, Ethernet, Bluetooth, etc.), and also shows you a list of all available AirPort networks, together with their signal strength and what channel they use. This last bit of information, the channel, can be especially useful when setting up a network at your home or office. If you are surrounded by WiFi networks, you want yours to be on a channel that is relatively unencumbered. You can check which channels are used by neighboring networks, and find out which is the best channel to use for your network.

When on the road, you can also find which networks are open, so you know which ones you can connect to. Since you can see the signal strength in NetBarrier, you can see right away which network is best to try connecting to first. (Naturally, signal strength is not the only criterion for good network access; a lot also depends on how many other people are using that network.)

NetBarrier X5 has other useful network monitoring tools; check them out if you want to keep tabs on what’s happening on your network.

Posted by Peter on April 18th, 2008 in Intego Software | Permalink

Security Updates for Mozilla Firefox and Thunderbird

Yet another update for Firefox, the open-source web browser. This fixes a security problem with the program’s JavaScript engine. The Mozilla Foundation calls this critical, yet says, “We have no demonstration that this particular crash is exploitable but are issuing this advisory because some crashes of this type have been shown to be exploitable in the past.”

The same flaw exists in Thunderbird, so users should update both programs. The latest versions of Firefox and Thunderbird can be downloaded here.

Posted by Peter on April 17th, 2008 in Other Software, Security | Permalink

Macworld UK Likes FileGuard X5

Macworld UK has just posted a review of Intego FileGuard X5, giving it four stars. They like the program, and mention that, “FileGuard X5 provides a quick, secure and safe way to lock up your data.” We couldn’t have said it better.

Find out more about FileGuard X5.

Posted by Peter on April 17th, 2008 in Intego Software, Security | Permalink

Apple Updates Safari Again for Security Holes

Apple has just released Safari 3.1.1 for Mac OS X and for Windows, patching a number of security holes. With two patches for Windows and two for Mac, this isn’t a big update, but one of the fixes plugs the vulnerability used in the PWN 2 OWN hacking contest, in which a Mac was hacked in two minutes flat. This fix is described as follows:

A heap buffer overflow exists in WebKit’s handling of JavaScript regular expressions. The issue may be triggered via JavaScript when processing regular expressions with large, nested repetition counts. This may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of JavaScript regular expressions.

One may note that it took Apple three weeks after being notified of the above vulnerability to issue this fix.

The other fix patches a cross-site scripting vulnerability: “An issue exists in WebKit’s handling of URLs containing a colon character in the host name. Opening a maliciously crafted URL may lead to a cross-site scripting attack.”

This update can be downloaded via the Software Update preference pane in Mac OS X or from Apple’s Safari download page.

Posted by Peter on April 17th, 2008 in Apple, Security | Permalink

Copyright © 2007-2008 Intego