
ZDNet Australia went to the recent AusCERT IT security conference in Australia and asked a number of security specialists whether they felt Mac users needed antivirus software. The answers were a resounding “yes”, with just one exception. The security specialists cited recent threats, and the growing Mac market share that makes the platform a more attractive target. However, one person said that “users should get used to the performance degradation” inherent in antivirus software. This is one point that we disagree with, because Intego VirusBarrier does not slow down Macs. However, all the other reasons given in this short video are certainly valid.

Just in time for summer, MacUpdate has a bargain for you. MacUpdate is offering its May software bundle with 11 great Mac applications, including Intego NetBarrier X5. The kicker is the price: only $49.99, which is $20 less than NetBarrier X5’s normal price. For this great price you get NetBarrier X5 and ten other great Mac applications.
So act now; the offer is valid through June 10.

Ira Winkler, president of Internet Security Advisors Group, writing in Computerworld, makes a bold suggestion about Apple’s advertising claims regarding security. He feels that, given the number of vulnerabilities found for Mac OS X, the Federal Trade Commission should investigate these claims. “Apple gives people the false impression that they don’t have to worry about security if they use a Mac,” he says. “And perhaps because the company is invested in fostering that impression, Apple is grossly negligent in fixing problems.”
We have reported here about Apple’s foot-dragging regarding certain vulnerabilities, notably the six-month-old Java vulnerability we wrote about last week. But it’s Apple’s marketing that gets singled out in this article. Winkler writes, “How can Apple get away with this blatant disregard for security? Its advertising claims seem comparable to an automobile manufacturer implying that its cars are completely safe and its competitors’ cars are death traps, when we all know that all cars are inherently unsafe. Claims like those would surely draw the wrath of the Federal Trade Commission.”
Winkler doesn’t say this is a problem with Apple’s software or operating system. “And just to be clear, it is not that Apple’s software has security vulnerabilities that is the problem; all commercial software does. The problem is that Apple is grossly misleading people to believe otherwise.”

We’ve written about Adobe’s Acrobat and Adobe Reader software, which are commonly used on the Mac, and which have been found to have a number of security issues over the years. We’ve lamented – as in this case – the time it takes for Adobe to get its security updates released, and even gone as far as suggesting that Mac users avoid using Adobe Reader and switch to Apple’s Preview as a PDF viewer to avoid exposure to dangerous security issues.
Well, Adobe has posted some information about new security initiatives. The company is planning to improve security in three ways: through code hardening, incident response process improvements, and regular security updates. While point two mentions “quicker turn-around times on patch releases” – because one criticism of Adobe has been the delays in getting security updates out to the public – point three seems a bit odd. Under “regular security updates”, Adobe says the company will “release security updates for all major supported versions and platforms of Adobe Reader and Acrobat on a quarterly basis.” In other words, there will be grouped security updates every three months, and not as needed. This means that between the time a vulnerability is found and an update is released, users may have to wait three months (actually a bit more; given the time that it takes to create and test an update, a flaw found in the last two weeks of any cycle probably won’t get patched on the next update issuance date).
While Adobe is trying to reassure its enterprise customers, especially by announcing regular “patch Tuesdays”, a la Microsoft, we Mac users may feel this is a ludicrous idea. Only issuing security updates every three months is hardly the type of responsiveness that Mac users want to see from software vendors. We’re actually more concerned now than before, and reiterate our recommendation that you should avoid Acrobat Reader unless there is some compelling reason for you that it is better than Apple’s Preview. While Preview has had security issues, there seem to be far fewer than with Acrobat’s PDF tools. If you need to edit PDFs, Adobe Acrobat is hard to replace; you should be attentive, and only use it on PDFs whose provenance you are aware of.

A critical vulnerability in the version of Java included with Mac OS X currently puts Macs at serious risk. Java, a programming language that allows applications to run easily on multiple platforms and to be embedded in web pages, has a serious flaw that can allow local code to be executed remotely. This can lead to “drive-by attacks”, where users are attacked simply by visiting a malicious web site and loading a web page. If a Java applet is loaded in a web browser, and malicious code is run, this flaw can allow hackers to run code and potentially access or delete files on any Mac, and run applications for which the user has permission. In addition, if this flaw is exploited together with a privilege escalation vulnerability, hackers could remotely run any system-level process and get total access to any Mac.
Apple has been aware of this vulnerability for at least five months, since it was made public, but has neglected to issue a security update to protect against this issue. Security researcher Landon Fuller has published, on his web site, a proof-of-concept Java applet that exploits this vulnerability to demonstrate how easy it is to run code remotely.
Malicious Java applets can also be circulated by other means, for example, as attachments to e-mail messages. A program called Applet Launcher allows users to run Java applets by double-clicking them.
For now, Intego has not found any malicious applets in the wild, but the publicity around this vulnerability will mean that hackers are likely to attempt to exploit it quickly, before Apple issues a security update. VirusBarrier X5 currently blocks this proof-of-concept malware, and will be updated to block any malicious Java applets that are discovered.

The best way to protect against this exploit is to deactivate Java in your web browser. In Safari, choose Safari > Preferences, click the Security tab, and uncheck Enable Java if it is checked. It is safe to leave Enable JavaScript activated, since this vulnerability only affects Java applets.

If you use Firefox, this setting is found on the Content tab of the program’s preferences.
Intego VirusBarrier X5 with virus definitions dated May 20, 2009 or later detects this proof-of-concept applet and will be updated to block any malicious Java applets that are discovered. Intego recommends that users never download and install software from untrusted sources or questionable web sites, and that people use care when opening unexpected attachments to e-mail messages, even from friends and colleagues.

A six-month-old critical vulnerability in Java in Mac OS X is still unpatched, say The Register and security researcher Landon Fuller. Apple is putting Mac users in danger by not fixing a problem that “allows malicious code to escape the Java sandbox and run arbitrary commands with the permissions of the executing user. This may result in untrusted Java applets executing arbitrary code merely by visiting a web page hosting the applet. The issue is trivially exploitable,” says Fuller. Apple has shown its sluggishness in updating such third-party software in Mac OS X in the past, but this six-month delay is truly excessive.
There are a few things Mac users can do to protect themselves against this issue: disable the use of Java applets in their browsers, and disable the “Open ‘safe’ files after downloading” option in Safari’s General preferences (or similar settings in other browsers).
In case you’re wondering if this vulnerability is truly dangerous, Landon Fuller has created a proof-of-concept Java applet (linked here) that “will be executed on your system by a Java applet, with your current user permissions.” (Make sure you have the sound on when you try this out.)