Tom Yager at InfoWorld is reporting on a break-in on an Xserve, which raises several questions. Among the symptoms of this break-in were the following:
It looks as though someone hacked the Xserve to send out spam, but it’s not clear why they would have installed CommuniGate Pro, a commercial mail server. (Perhaps it was easy to get access to the Xserve, but not to its own internal mail server.) What is most disturbing is that the hacker managed to change the administrator’s password, which is something that has not been seen before in remote exploits on Mac OS X.
It’s not clear if this intrusion was the result of some sort of user error or mistaken configuration. We have no more information on this suspected vulnerability, but anyone running Mac OS X Server should check to make sure they don’t have the same problems.
Macworld UK is announcing the winners of its best product awards on June 12, and they are taking nominations from readers in addition to judging a list of hardware and software selected by their staff. You can go to this page and nominate your favorite Intego program: is it VirusBarrier, which protects you from all known Mac viruses, and Windows viruses too? Is it Personal Backup, which ensures that you always have copies of all your files, especially the irreplaceable ones? Or is it one of Intego’s Internet Security Barrier suites, which provide several Intego programs in a single package? Choose your favorite and tell Macworld why you like it!
Intego first reported on the OSX.RSPlug Trojan Horse back in October of 2007. Since then, the people behind this malware have been busy making variants in order to better trap Mac users. Most of the variants aren’t really variants; they are simply disk images with different names from the original. (One antivirus vendor claimed to have found some three dozen such variants, but did not, it seems, examine the code to see that they were all the same.)
Other variants include two whose code is different, and above all variants that purport to install differently named software. The original RSPlug Trojan horse installed “software” called MacCodec; other versions’ installers claim to install MacVideo or Porn4Mac. The containers (the disk images containing the installers) also differ. The first version was found in a series of disk images named with four digits followed by the disk image extension: for example, 1023.dmg. Others have included operacodec1234.dmg, nitroticket2018.dmg, uincodec4264.dmg, ixcodec1292.dmg and xerocodec1292.dmg. (Note that there may be variations in the numbers contained in these names, as well as the names themselves.)
In any case, this Trojan is alive and well, and recent posts in Mac forums show that users are still being infected. Intego VirusBarrier protects against all these variants, and will continue to protect against new ones as they are discovered.
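As an added example (not Intego's code), the disk image names listed above can be turned into a triage check that grades file names by how closely they match. The sample paths are constructed, the "codec-like" tier is this example's own heuristic, and since the names vary, a match is a reason to inspect the image, not proof of infection.

```python
import os
import re

# Disk image names quoted in the post.
KNOWN_NAMES = {
    "operacodec1234.dmg", "nitroticket2018.dmg", "uincodec4264.dmg",
    "ixcodec1292.dmg", "xerocodec1292.dmg",
}
# Name stems with the digits removed; the post notes the digits may vary.
KNOWN_STEMS = {re.sub(r"\d+\.dmg$", "", n) for n in KNOWN_NAMES}

FOUR_DIGITS = re.compile(r"^\d{4}\.dmg$")            # e.g. 1023.dmg
STEM_DIGITS = re.compile(r"^([a-z]+)(\d+)\.dmg$")    # letters + digits + .dmg

# Strongest match first; used to order the triage report.
ORDER = ["exact", "stem-variant", "four-digit", "codec-like"]


def classify(path):
    """Return a match tier for a disk image path, or None if nothing matches."""
    base = os.path.basename(path).strip().lower()
    if base in KNOWN_NAMES:
        return "exact"
    m = STEM_DIGITS.match(base)
    if m and m.group(1) in KNOWN_STEMS:
        return "stem-variant"        # known stem, different number
    if FOUR_DIGITS.match(base):
        return "four-digit"          # naming scheme of the first version
    if m and m.group(1).endswith("codec"):
        return "codec-like"          # assumption of this example, weakest tier
    return None


def triage(paths):
    """Return (path, tier) for every matching path, strongest tier first."""
    hits = [(p, classify(p)) for p in paths]
    hits = [(p, t) for p, t in hits if t is not None]
    return sorted(hits, key=lambda h: ORDER.index(h[1]))


# Constructed sample input, not taken from a real system.
SAMPLE = [
    "/Users/alice/Downloads/Firefox 3.0.dmg",
    "/Users/alice/Downloads/1023.dmg",
    "/Users/alice/Downloads/holiday2007.dmg",
    "/Users/alice/Downloads/ixcodec0007.dmg",
    "/Users/alice/Downloads/OperaCodec1234.dmg",
]

if __name__ == "__main__":
    for path, tier in triage(SAMPLE):
        print(f"{tier:12} {path}")
```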
You probably use the Adobe Flash Player regularly, at least if you watch online videos or play basic web games: both of these use Flash to display graphics and images. Adobe has announced that the latest version of Flash Player corrects a vulnerability “that could allow an attacker who successfully exploits these potential vulnerabilities to take control of the affected system. A malicious SWF must be loaded in Flash Player by the user for an attacker to exploit these potential vulnerabilities. It is recommended users update to the most current version of Flash Player available for their operating system.”
It is recommended that all users update Flash Player immediately. This software is used often, and usually transparently, so most users don’t even realize that it’s a web browser plug-in. You can download the latest version of Flash Player here.
Apple has been unlucky with QuickTime. The media software, used on Mac OS X and Windows to play back music and videos, has often been affected by security vulnerabilities. From January 2005 to the present, Apple has issued a total of 15 QuickTime security updates (and this doesn’t count security fixes that are rolled into larger operating system updates).
Apple’s latest QuickTime security update contains, as eWeek reports, “anti-hacker features” to hopefully cut down on the number of vulnerabilities in the software. The Mac OS X version of QuickTime gets stack buffer safety checking and “function call hardening, which should prevent some buffer overflows”, two new features that should make the software more robust.
Time will tell whether this makes a difference, but recent experience has shown that QuickTime is Apple’s Achilles heel.
For a long time, Apple boasted that Macs were safer than Windows PCs, and that Macs didn’t have any security issues. But as we’ve seen (and as you can see looking at recent articles here), Apple has had to issue some very complex security updates, one of which patched more than 80 vulnerabilities.
Apple has always said that Macs were safer out of the box, but we’ve noticed, in fine print on Apple’s website, that they seem to be less sure of this. In fact, this fine print endorses the idea that Macs do need additional security software:

In case you can’t read it, it says, “A Mac running with factory settings will protect you from viruses much better than a PC, but it’s never a bad idea to run extra virus and security software.”
So even Apple is realizing that Mac security is more complicated than they make it seem. We at Intego have known this for ten years.