The Mac Security Blog

Apple Updates iTunes and QuickTime with Security Fixes

Right after releasing a major system update with the largest number of security fixes ever, Apple has released two other updates which contain security fixes.

iTunes 9.1, released in advance of the iPad, which will be available this Saturday, fixes seven bugs, but only one for Mac OS X (the others are for Windows). This update, for Mac OS X 10.4.11 or later, is available for download via Software Update, or from Apple’s iTunes download page. It’s about 93 MB. Full information about the security fixes is available here.

As for the QuickTime update, it fixes 16 bugs and is available for Mac OS X 10.4 and 10.5. The fixes it contains were in the Mac OS X 10.6.3 update that was released on Monday. It, too, is available via Software Update, or from Apple’s Downloads page, and full information is available here. It’s a 69 MB download.

Apple Releases Mac OS X Update with Dozens of Security Fixes

Apple has released Mac OS X 10.6.3, a major system update, with dozens of security fixes. This update, which patches 93 different bugs, covers the full breadth of the operating system, from AppKit to xar, by way of QuickTime, Disk Images, CoreAudio, Mail, SMB, FTP and much more.

This update is a whopping 439 MB, and is available via Software Update. As of this writing, it is not yet posted on Apple’s Downloads page, but will be there soon, in both standard and combo forms.

You can get details of the security fixes here.

How Much is an Apple Bug Worth?

Hacker Charlie Miller earned $10,000 for cracking a Mac the other day, and will soon be explaining how he went about finding 20 bugs in Apple’s Preview. Miller claims that he will show Apple how to find the bugs, but will not give them details about the bugs themselves.

Following this, a Forbes article looks at how much the black market is willing to pay for such bugs: from $15,000 to $115,000, currently. Forbes talks to “bug broker” Adriel Desautels, who buys bug information from hackers and sells it to, well, we don’t know. He claims that he doesn’t sell to cybercriminals, but who else would be willing to pay his prices? In some cases it is the affected vendors, so they can patch their software. In others it is security companies, so they can protect against bugs before their competitors. Some might even be government agencies, whose spies might want them to infiltrate criminal or terrorist groups.

The Mac bug market is growing, Desautels says, even though Mac bugs are worth less than Windows bugs. But the fact that this market exists at this level shows that cybercriminals are looking for new ways to attack Macs.

Hackers Crack Macs (and Others) for Cash

It’s time, once again, for the annual crack-a-thon, in which savvy hackers save up their exploits to earn some cold cash. As is usually the case, Macs fell quickly, but so did the iPhone and Windows 7 in day one of the event.

It’s the CanSecWest conference in Vancouver, which hosts the Pwn2Own contest. On Wednesday, the hackers lined up to take their chances at part of a purse of $100,000. The first to fall was the iPhone, which was hacked in “20 seconds.” Naturally, this doesn’t mean that the hackers just started trying to figure out how to hack the device, but spent a couple of weeks doing so in advance of the event. The hackers had discovered a vulnerability, and set up a booby-trapped web page that copied the SMS database from the handset.

Mac hacker Charlie Miller cracked a MacBook, using Safari and a drive-by download. This was Miller’s third consecutive victory against the Mac, and it was worth $10,000. (There’s a short video of Charlie Miller discussing this on YouTube.)

And at the same time, Windows 7 fell to a Dutch hacker who exploited two Internet Explorer vulnerabilities. He, too, won a prize of $10,000. And a German hacker cut through the defenses in Mozilla Firefox to get at Windows 7.

While this sort of exploit doesn’t suggest that the hackers found vulnerabilities and cracked them on the same day, it does show that experienced hackers can crack pretty much any system given time. None of these vulnerabilities involve the type of social engineering that tricks people into installing Trojan horses. There is no user interaction allowed in this contest, other than directing a user to a web site. (Browser-based vulnerabilities are the easiest to crack, in fact.) All of these vulnerabilities could be exploited in the wild, as these hackers demonstrate.

This was just day one of the Pwn2Own contest. Other platforms and devices are sure to be hacked in the following days, but the prizes for some of them are lower, and fewer hackers are interested in spending the time to work on their vulnerabilities. Full information about the contest, the targets, and the prizes can be found here.

Apple Store Spam Proliferates

In the past couple of days, we’ve been seeing a lot of spam purporting to come from the Apple Store. As you can see below, this spam is pretty primitive; it doesn’t look anything like Apple’s standard layout, and gives little information. In addition, it’s not even seriously dangerous: unlike phishing attempts, the link on this message doesn’t lead you to a page where you enter your name and password. It simply takes you to a “Canadian Pharmacy” website, where you can order “medications”, such as Viagra (which is most certainly bogus).

This spam is certainly taking advantage of the buzz around the iPad, as well as Apple’s general good health. So be aware: if you receive an unexpected e-mail, hover your cursor over the links it contains to see if they go to the site in question. As you can see above, this is not the case.

Firefox Updated for Single Security Flaw

The Mozilla Foundation has issued an update to the Firefox web browser, bringing the software to version 3.6.2. This update fixes a single flaw discovered a month ago, in which “the WOFF decoder contains an integer overflow in a font decompression routine. This flaw could result in too small a memory buffer being allocated to store a downloadable font. An attacker could use this vulnerability to crash a victim’s browser and execute arbitrary code on his/her system.”
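To make the class of bug in that advisory concrete, here is an added C illustration (not Mozilla’s WOFF decoder and not code from this blog). It models a decoder that sizes its output buffer from an untrusted “decompressed length” field: the unchecked computation wraps in 32-bit arithmetic and yields a buffer far smaller than the data the decoder would then write into it, while the checked version detects the wrap and enforces a cap. The header size, the size cap and the hostile length are constructed values for this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Fixed per-table header the decoder writes before the decompressed data.
   Constructed value for this illustration, not a real WOFF constant. */
#define TABLE_HEADER_BYTES 32u

/* Largest decompressed table we are willing to handle (constructed limit). */
#define MAX_TABLE_BYTES (64u * 1024u * 1024u)

/* Vulnerable pattern: the buffer size is computed in 32-bit arithmetic from
   an untrusted length field. When orig_length is near UINT32_MAX the addition
   wraps, so the allocation is tiny while the decoder still expects to write
   orig_length bytes after the header. */
uint32_t unchecked_buffer_size(uint32_t orig_length) {
    return TABLE_HEADER_BYTES + orig_length;  /* may wrap modulo 2^32 */
}

/* Hardened pattern: test for wrap-around before adding, then enforce an
   explicit upper bound so a hostile file cannot demand a huge allocation.
   Returns 1 and stores the size on success, 0 on rejection. */
int checked_buffer_size(uint32_t orig_length, uint32_t *out_size) {
    if (orig_length > UINT32_MAX - TABLE_HEADER_BYTES)
        return 0;                               /* addition would wrap */
    uint32_t total = TABLE_HEADER_BYTES + orig_length;
    if (total > MAX_TABLE_BYTES)
        return 0;                               /* exceeds sane maximum */
    *out_size = total;
    return 1;
}

/* Does a buffer of buf_size bytes really have room for the header plus
   orig_length bytes of decompressed data? Computed in 64-bit so that this
   check itself cannot wrap. The unchecked path effectively skips it. */
int buffer_holds_table(uint32_t buf_size, uint32_t orig_length) {
    uint64_t needed = (uint64_t)TABLE_HEADER_BYTES + orig_length;
    return (uint64_t)buf_size >= needed;
}

int main(void) {
    uint32_t hostile = 0xFFFFFFF0u;   /* constructed: 16 below UINT32_MAX */
    uint32_t benign  = 4064u;         /* constructed: an ordinary table */
    uint32_t sz = 0;
    int ok;

    uint32_t wrapped = unchecked_buffer_size(hostile);
    printf("unchecked size for hostile length: %u bytes (needs %llu)\n",
           wrapped, (unsigned long long)TABLE_HEADER_BYTES + hostile);
    printf("does that buffer hold the table? %d\n",
           buffer_holds_table(wrapped, hostile));

    ok = checked_buffer_size(hostile, &sz);
    printf("checked path accepts hostile length? %d\n", ok);

    ok = checked_buffer_size(benign, &sz);
    printf("checked path accepts benign length? %d (size %u)\n", ok, sz);
    return 0;
}
```

The point of the 64-bit `buffer_holds_table` check is that any comparison done in the same width as the overflowing arithmetic would be fooled in exactly the same way; widening the computation, or testing against `UINT32_MAX - header` before adding, is what closes the gap.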

You can download the new version of Firefox here, or by using the program’s auto-update feature.