The Mac Security Blog

Microsoft Word Vulnerability May Threaten Macs

Microsoft recently issued a security advisory regarding what it calls a “Vulnerability in WordPad Text Converter,” which can allow remote code execution. Microsoft states that this vulnerability affects only Word 97 files on Windows 2000 Service Pack 4, Windows XP Service Pack 2, Windows Server 2003 Service Pack 1, and Windows Server 2003 Service Pack 2. However, Intego’s tests of malicious files show that this flaw also affects Microsoft Word for Mac (at least versions 2004 and 2008), causing the application to crash. A crash on a crafted file does not by itself prove exploitability, but it does show that the Mac converter mishandles the same input, so remote code execution may be possible on Macs as well.

For now, no malicious files have been found carrying code that can run on Macs, but Intego has updated VirusBarrier’s virus definitions; those dated December 17, 2008 or later detect files that exploit this vulnerability.

A Hat-Trick of Browser Security Updates

Three browsers have seen new security updates; actually more than three, since the Mozilla Foundation released updates to three of its products at the same time. The Firefox 3.0.5 update has the most important security fixes: eight flaws are patched, three of them rated critical (two cross-site scripting flaws and one memory corruption issue). You can get Firefox 3.0.5 here.

As for the other version of Firefox (2.0.0.19), this is the last update to Firefox 2, which will receive no further security fixes, so anyone still on Firefox 2 should move to Firefox 3. (Get it here.) It patches nine issues, many of them the same as those fixed in Firefox 3.

The last Mozilla browser is SeaMonkey version 1.1.14 (available here). It patches many of the same issues that the two Firefoxen patch.

Moving on to another browser, Camino, version 1.6.6 (get it here) is another open-source browser based on Mozilla, using the Gecko rendering engine. The release notes say “Upgraded to version 1.8.1.19 of the Mozilla Gecko rendering engine, which includes several critical security and stability fixes.”

Finally, Opera 9.63 (available here) fixes many security issues, including an HTML parsing flaw, a cross-site scripting issue and more.

If you use any of these browsers, do update them immediately. With an increasing number of threats coming from the web, it is essential that your browser be up-to-date.

90% of E-Mail is Spam!

The Register presents figures from a Cisco report that say that 90% of all e-mails sent are spam. More than 200 billion spam e-mails are sent each day, says Cisco, clogging up the Internet and making your life miserable.

Interestingly, the US is the largest single source of spam, with more than 17% of it coming from that country. This is most likely explained by botnets: networks of computers that have been taken over by malware and are controlled by spammers. The figure therefore reflects where the infected machines are, not where the spammers themselves operate.

Cisco has a (rather boring) video on YouTube presenting their findings.

Naturally, you want to prevent spam from taking up your time, as much as possible. To keep your spam under control, you should use Intego Personal Antispam, the intelligent antispam program which learns from your spam and your valid e-mail to provide the best spam filtering for Mac.

Safari’s Password Manager Not Secure

Robert Chapin of Chapin Information Services has analyzed how password managers work in a number of web browsers, and has found that Safari comes in tied for “last place”. Chapin tested Opera, Firefox, Internet Explorer, Safari and Google Chrome, and found that, while most of the browsers failed most of his tests, Safari only passed two of them. All told, this is a “toxic soup of potential vulnerabilities that can coalesce into broad insecurity.”

All modern browsers have password managers that work alone or with other parts of the operating system to record user names and passwords and enter them automatically in fields on web pages. (On Mac OS X, Safari stores saved passwords in the user’s keychain, which can be inspected with Keychain Access.) A password manager should only fill a user name and password into a form when both the page and the form’s submit destination match the site on which the credentials were recorded, and it should not send this information anywhere else without informing the user. Yet Chapin found that this is often not the case.

Among the problems are three in particular that, when combined, let password thieves harvest passwords without the user’s knowledge:
1. The destination where passwords are sent is not checked.
2. The location where passwords are requested is not checked.
3. Invisible form elements can trigger password management.

While Chapin analyzed Windows browsers, we ran a series of tests of the current version of Safari for Mac OS X (3.2.1) using Chapin’s Password Manager Evaluator. We obtained the exact same results for Safari for Mac OS X as he reports for the Windows version.

Users should be very careful about letting Safari enter a user name and password automatically on any page they did not deliberately open in order to log in, even when the page is on a familiar domain. As Macworld reports, attackers did exactly this with “a fake password entry form on a MySpace page. Because both the fake and real login forms were on the myspace.com domain, browsers like Firefox could be tricked into automatically sending login information to the fraudsters.” Our tests indicate that Safari is vulnerable to this strategy as well. Using a password manager is practical and saves time, and it lets users create unique passwords for different sites without having to remember them; but this study makes clear that automatic filling, as currently implemented, is fraught with danger.
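To make the three missing checks concrete, here is an added illustration that is not code from this post, from Chapin’s evaluator, or from any browser: a small Node.js model of the autofill decision a password manager makes. The saved login, the hosts (example.com and attacker.invalid) and the two policies are assumptions. The “lenient” policy fills whenever the page’s origin matches, which is enough for the same-domain MySpace-style attack to succeed; the “strict” policy adds the destination, location and visibility checks. It is a model of the checks, not a description of what any shipping browser does.

```javascript
// Added example (not from the Intego post, Chapin's evaluator, or any browser).
// Models a password manager's autofill decision under two policies. All URLs,
// the saved login and the policies are assumptions for illustration.

// Constructed saved credential: recorded on the real login page, keeping the
// page origin, the page path, and the origin the form posted to at save time.
const savedLogins = [
  {
    pageOrigin: "https://www.example.com",
    pagePath: "/login",
    actionOrigin: "https://www.example.com",
    username: "alice",
    password: "correct horse battery staple",
  },
];

// Decide whether to fill a form with one saved login.
// "lenient": fill whenever the page's origin matches the saved origin; this is
//            enough for a form planted elsewhere on the same domain to be filled.
// "strict":  also require (1) the submit destination to match, (2) the page
//            location to match, and (3) the password field to be visible.
// Returns { fill, reason } so the caller can see which check rejected the form.
function shouldAutofill(form, saved, policy) {
  const pageUrl = new URL(form.pageUrl);
  // A relative action is resolved against the page, as a browser would.
  const actionOrigin = new URL(form.action, form.pageUrl).origin;

  if (pageUrl.origin !== saved.pageOrigin) {
    return { fill: false, reason: "origin-mismatch" };
  }
  if (policy === "lenient") {
    return { fill: true, reason: "origin-match" };
  }
  // Check 1: where the credentials would be sent.
  if (actionOrigin !== saved.actionOrigin) {
    return { fill: false, reason: "destination-mismatch" };
  }
  // Check 2: where on the site the password is being requested.
  if (pageUrl.pathname !== saved.pagePath) {
    return { fill: false, reason: "location-mismatch" };
  }
  // Check 3: a hidden password field must not trigger autofill.
  if (!form.passwordFieldVisible) {
    return { fill: false, reason: "hidden-field" };
  }
  return { fill: true, reason: "all-checks-passed" };
}

// Constructed scenarios. sameDomainPhish is the MySpace-style attack: a form
// injected into a user-content page on the trusted domain, hidden from the
// user, posting to the attacker's server. hiddenOnLogin isolates check 3.
const scenarios = {
  realLogin: {
    pageUrl: "https://www.example.com/login",
    action: "/login",
    passwordFieldVisible: true,
  },
  sameDomainPhish: {
    pageUrl: "https://www.example.com/profile/attacker",
    action: "https://attacker.invalid/collect",
    passwordFieldVisible: false,
  },
  hiddenOnLogin: {
    pageUrl: "https://www.example.com/login",
    action: "/login",
    passwordFieldVisible: false,
  },
  crossDomainPhish: {
    pageUrl: "https://attacker.invalid/login",
    action: "https://attacker.invalid/collect",
    passwordFieldVisible: true,
  },
};

// Evaluate every scenario under a policy. For each form, returns the decision
// of the first saved login that would fill it, or the first rejection.
function evaluate(policy) {
  const results = {};
  for (const [name, form] of Object.entries(scenarios)) {
    const decisions = savedLogins.map((s) => shouldAutofill(form, s, policy));
    results[name] = decisions.find((d) => d.fill) || decisions[0];
  }
  return results;
}

for (const policy of ["lenient", "strict"]) {
  console.log(policy, evaluate(policy));
}
```

Run it with `node`. Under the lenient policy both the same-domain form and the hidden form on the real login page are filled, because only the domain is compared; under the strict policy the same-domain form is rejected at check 1 (its action points off-site) before visibility is even considered, and the hidden form on the real login page is rejected at check 3. Matching the page path (check 2) is what stops user-controlled pages on the same host, such as a profile page, from requesting a login at all.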

Sun Patches Java; What About Apple?

Computerworld reports that Sun has patched at least 14 bugs in Java, yet wonders when Apple will get around to it. With Apple having released a security update and a major OS update yesterday, it is unlikely that Mac users will see these Java fixes soon.

The Computerworld article points out that, “Mac OS X users must wait for Apple Inc. to craft its own Java update. Unlike rivals such as Microsoft Corp., Apple maintains its own version of Java and is responsible for delivering patches to Sun’s software.” And says that, “If the past is an accurate indicator, Apple’s customers may not receive yesterday’s Java fixes for months. When Apple refreshed Java in late September, for instance, it fixed more than two-dozen vulnerabilities, some of which had been patched in updates for Java for Windows, Linux and Solaris as far back as March 2008.”

We have reported several times about Apple’s slowness in issuing security updates for third-party software that is part of Mac OS X. It seems that the broader press is questioning this more and more, and these delays greatly irritate enterprise customers who run Macs in environments where security is crucial. As they see their Windows computers being patched quickly, they find that Apple drags its feet for months to bring Macs up to the same level of security.

Apple Updates Mac OS X: Security Fixes Abound

Apple today released Mac OS X 10.5.6, a major update to Mac OS X that contains a number of security fixes. Patching a total of 15 flaws, this update is about 190 MB. Apple also released Security Update 2008-008 for Tiger, weighing in at 163 MB (for the Intel version), which contains similar security fixes.

The update fixes components including CoreServices, the Flash Player plug-in, the kernel, libsystem, and Podcast Producer. The security content of this update is detailed on Apple’s web site.

The update can be installed via Software Update, or can be downloaded in standalone or combo versions from Apple’s downloads page. Note that the combo version of this update, which also includes other updates since 10.5.0, is 688 MB.