Adobe has issued some information about a new security threat affecting Adobe Reader 9.1 and 8.1.4. While they don’t have an update available yet, they are recommending that users disable Javascript in Adobe Reader.
We’ve been seeing an increasing number of flaws in Adobe Reader and Acrobat, and, since PDFs are so common – many being used to display content on web sites – having a reliable PDF reader is as important as having a secure web browser. For this reason, we strongly recommend that you simply don’t use Adobe Reader, but rather use Apple’s Preview, which is provided with Mac OS X. While Preview has had security issues, there seem to be far fewer than with Acrobat’s PDF tools. If you need to edit PDFs, Adobe Acrobat is hard to replace; you should be attentive, and only use it on PDFs whose provenance you are aware of.
Intego has discovered a new proof-of-concept malware it is calling OSX/Tored.A. This malware is an application created with RealBasic, a version of the BASIC programming language available for Mac OS X, Windows and Linux. The malware in question is a self-contained application, which contains RealBasic code and a runtime needed for that code to execute. The malware attempts to copy itself to the System folder and the System/Library/StartupItems folder, renaming itself “applesystem” or “systemupdate”. It obtains e-mail addresses from Address Book, and sends e-mails to recent recipients containing a copy of the malware, but does so with an SMTP server that is currently non-existent. This malware also attempts to create a botnet, and records some keystrokes, and attempts to copy itself to other disks that are mounted.
While this malware is currently not in the wild, Intego finds the use of RealBasic, and its runtime, to be a novel approach to malware. Because of this, Intego has created a new malware class for VirusBarrier X5. The code in this malware is faulty, however, and it does not work correctly, so there is no real threat from this malware.
Computerworld has a long article about securing your Mac. With 15 tips, the article discusses the basics of keeping your Mac secure. This includes tweaking or verifying a number of preferences for the system in general and Safari; installing antivirus software, such as Intego VirusBarrier; turning off unneeded network services and guest account access; some password and login tips; and more. This article is a good way for Mac users to realize the power they have to take charge of their Macs’ security settings. Get to know these built-in tools, and know which other programs you need to make your Mac secure as well.
Just a week after the last Firefox security update, another one has been issued. There’s a critical vulnerability – described as “Crash in nsTextFrame::ClearTextRun()” – that is fixed in the new version, Firefox 3.0.10. Get the update here or use Firefox’s auto-update feature.
A number of reports are telling the tale of how actress Salma Hayek’s MobileMe account was “hacked”. We’d rather say it was “owned”; it was not hacked, as such, but someone did get into it.
Here’s what happened. Rather than trying to log into her account, someone entered her e-mail address and clicked the Forgot Password button. This takes you to a page where you enter an Apple ID, and are then asked to enter your birthday and answer a security question. In this case, it was relatively easy for someone to find this information. Hayek’s birthday is easy to find, and her security question, “What is my favorite role?” was pretty simple as well. (It was “Frida”.)
This highlights an inherent weakness of many e-mail services, where your identity depends on some simple questions (often “What is your mother’s maiden name?”) that people can figure out without too much trouble. If your question is, “What is my dog’s name?”, anyone can go to your blog or Facebook page to find the correct answer. Whenever possible, you should choose a security question that is easy to answer, but which others cannot figure out.
If you use MobileMe, you can change the security question by going to your account, then clicking Password Settings. In the Security Information section, type a new question (and not “What is my pet’s name” as suggested). Type the answer and click Save. You could also change your birthday, but you had better remember the new date you’ve chosen.
With a stronger security question, it will be much harder for anyone to take over your account. Remember, this account is not only your MobileMe information, but also your AppleID, which is used for iTunes purchases; anyone who gets control of it could spend your hard-earned money for iTunes loot. Think of doing the same for other sites where you have personal information that might be targeted by acquaintances or strangers. This simple bit of extra protection can make a big difference in securing your identity.
MacTech, the journal of Macintosh technology, has a MacTech Spotlight article about Intego CEO Laurent Marteau. He talks about how he got interested in the Mac, why he prefers working with Macs, and gives some advice to developers working in the Mac market.