We love sharing the great reviews we get for our software, especially when they are as in-depth and well-written as Nancy Gravley’s Mac Observer review of Internet Security Barrier X6. Nancy took a close look at three of the five programs in Internet Security Barrier X6: Personal Antispam, VirusBarrier X6 and Personal Backup. (The suite also contains ContentBarrier and FileGuard.)
Nancy loves Personal Antispam, and calls it “an awesome application.” She likes the way you can train the program based on your e-mail, and its URL filter, which lets you block spam that contains specific URLs.
She likes the way VirusBarrier X6 protects against malware, and how it offers different settings for different types of protection.
And she thinks that Personal Backup is a great tool offering multiple types of backups: regular backups, clones and synchronizations.
For more about Intego Internet Security Barrier X6, see the Intego web site.
We reported on a barely-threatening remote administration tool, called BlackHole RAT, in late February. At the time, this was a non-event, as it was not being distributed in any efficient manner, and was more or less a proof of concept. Intego’s security researchers have spotted a new variant of this malware, OSX/BlackHoleRAT.B, which features some improvements over the original, but is still not a very serious threat.

The RAT backdoor is in a faceless background application named “Safari.app,” like the Safari web browser. In addition to the backdoor in the original version, this variant also contains a binary called “isightcapture” that can take screenshots and photos using a Mac’s iSight camera and send them to remote servers. Beyond these improvements, the risk of this is still low. It is not found in the wild, and, while there are improvements, there is no efficient Trojan horse available. (The developer of this software claims there will be one named “Adobe CS5 Master Suit Crack,” presumably disguised as a tool to crack Adobe CS5.)
So, for now, still nothing to worry about, but it’s good to be aware that there are hackers out there trying hard to get into Macs.
Intego today announced that Washing Machine, the company’s popular program that cleans up files left behind by web browsers and other Internet programs, is now available from Apple’s Mac App Store. Washing Machine helps Mac users delete files, which take up space or present privacy risks, created by a number of programs that access the Internet. Users can clean files quickly, manually or automatically, and use secure cleaning to ensure that the files can never be recovered.

Washing Machine can clean five types of items: Bookmarks, Caches, Cookies, Download Histories, and Browsing Histories. It works with most web browsers, and many utilities or other programs that store information without users being aware. It even cleans up after some programs that users would never think are storing data. These files can take up several gigabytes, and can slow down applications and lead to longer backup times.
Washing Machine uses “cleanlists” to store the items users want to clean, and “smart cleanlists” to find items to clean according to specific conditions. Washing Machine lets users clean items manually, either by individual item or by cleanlist, or automatically, with as many scheduled cleanings as the user wants.
Washing Machine cleans files created and saved by web browsers, as well as some RSS readers, e-mail programs, Twitter clients, development programs, and even applications such as iTunes, Front Row, Flash, Java and Spotify. It even cleans the caches of system utilities, such as QuickTime, Help Viewer, System Preferences, Dashboard and more.
Washing Machine 2 is available now in English, French, German, Italian, Japanese and Spanish. The US price is $9.99, with comparable prices in other currencies. Washing Machine is available from the Intego web site and from the Mac App Store.
Hot on the heels of an update just over a week ago, Google has issued another security fix for its Chrome web browser. This latest version, 10.0.648.204, fixes six high risk flaws, as well as other performance and stability issues.
Launching Google Chrome will cause the browser to check for updates. If you choose Chrome > About Chrome, you can see which version you have, and, if the update is not made automatically, click on Update Now to check for an update.

When you surf the web, you trust certain web sites where you provide confidential information, such as credit card numbers, or where you access and send e-mail. Certain applications that connect to remote servers also depend on this type of trust. A broad system based on the SSL (Secure Sockets Layer) protocol ensures that when you visit a web site, such as Apple.com, Amazon.com or Google’s Gmail, the site is indeed what it claims to be. For example, if you go to Apple’s MobileMe web site, you will see indications such as these in your browser:

At the left of the image above you see Apple Inc. written in green; this is proof that Apple’s digital certificate has been recognized by the Safari web browser. At the right of the image is a padlock icon, which shows that SSL is being used, and that data is sent and received in encrypted form. (Note that not all sites will display a name in green, as above, but all SSL sites will show a padlock in the browser title bar.)
So far so good.
Only a limited number of companies are authorized, and recognized, to issue such certificates. One of these, Comodo, was recently hacked, and certain individuals were able to buy nine digital certificates for major web sites, including mail.google.com, login.yahoo.com, login.skype.com and addons.mozilla.org. This means that the malicious users who obtained these certificates will be able to set up web sites that can fool users who check for the visual signs of trust shown above. They may be able to use these for phishing attacks as well; when you click on a link, and go to a site, if you see these signs indicating security, you’re likely to trust them.
In addition, this goes beyond just web usage. The same system is used when you log into Gmail using an e-mail program, or when you log into Skype via their application. When using public wifi networks, it’s possible that a man-in-the-middle attack may be able to spoof local DNS resources and lead you to a booby-trapped server.
The domains affected are as follows:
Microsoft’s Security Advisory about this issue gives more information about the problem. As they point out:
Comodo has revoked these certificates, and they are listed in Comodo’s current Certificate Revocation List (CRL). In addition, browsers which have enabled the Online Certificate Status Protocol (OCSP) will interactively validate these certificates and block them from being used.
Comodo also discusses the incident in this blog post.
The latest version of Firefox 4, just released this week, includes a fix to spot these fraudulent certificates. Google’s Chrome web browser was also updated for this last week.
Safari, however, doesn’t directly use the CRL or OCSP systems mentioned above; settings to activate this feature are found in Keychain Access. To do this, open Keychain Access; it is in the Utilities folder in the Applications folder on a Mac. Choose Keychain Access > Preferences, then click on the Certificates tab. Set the first two options, for OCSP and CRL, to Best Attempt, and leave Priority set to OCSP. This will tell Safari, or any other program that uses the built-in certificates on Mac OS X, to check these servers before accepting any SSL certificate on a web site. This may, however, slow down access to some sites. So it’s best to not have these settings on all the time.

For now, it’s good to turn these settings on to ensure that your Mac is protected. This affects not just Safari, but Mac OS X in general; certificate validation is a system-wide API. However, not all applications use this system, so we cannot guarantee that this will resolve the problem entirely.
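The CRL check described above, as an added example that is not part of the original post and is not Apple's or Comodo's code: a client accepts a certificate only if its serial number is absent from a correctly signed revocation list, and the policy setting decides what happens when no usable list is available. It uses the third-party Python `cryptography` package; the CA, host names, serial numbers and the two-policy model (`best_attempt` accepts when no valid list can be obtained, `require` rejects) are constructed assumptions.

```python
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

NOW = datetime.datetime(2011, 3, 25)  # constructed timestamp for the sample data
CA = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Test CA")])  # constructed CA

def issue(host, ca_key, serial):
    """Issue a certificate for host, signed by the constructed test CA."""
    leaf_pub = ec.generate_private_key(ec.SECP256R1()).public_key()
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, host)])
    return (x509.CertificateBuilder()
            .subject_name(subject).issuer_name(CA)
            .public_key(leaf_pub).serial_number(serial)
            .not_valid_before(NOW)
            .not_valid_after(NOW + datetime.timedelta(days=365))
            .sign(ca_key, hashes.SHA256()))

def publish_crl(signing_key, revoked_serials):
    """Build a signed CRL listing the given serial numbers as revoked."""
    builder = (x509.CertificateRevocationListBuilder().issuer_name(CA)
               .last_update(NOW).next_update(NOW + datetime.timedelta(days=1)))
    for serial in revoked_serials:
        entry = (x509.RevokedCertificateBuilder()
                 .serial_number(serial).revocation_date(NOW).build())
        builder = builder.add_revoked_certificate(entry)
    return builder.sign(signing_key, hashes.SHA256())

def accept(cert, crl, ca_pub, policy):
    """crl is None when the list could not be fetched (simplified policy model)."""
    usable = crl is not None and crl.issuer == cert.issuer and crl.is_signature_valid(ca_pub)
    if not usable:
        return policy == "best_attempt"  # no trustworthy answer: open vs closed
    return crl.get_revoked_certificate_by_serial_number(cert.serial_number) is None

def demo():
    ca_key = ec.generate_private_key(ec.SECP256R1())
    ca_pub = ca_key.public_key()
    good = issue("www.example.test", ca_key, 1001)
    bad = issue("login.example.test", ca_key, 1002)
    crl = publish_crl(ca_key, [1002])  # the CA revokes serial 1002
    forged = publish_crl(ec.generate_private_key(ec.SECP256R1()), [])  # wrong signer
    return {"good": accept(good, crl, ca_pub, "require"),
            "revoked": accept(bad, crl, ca_pub, "best_attempt"),
            "revoked_no_crl_best_attempt": accept(bad, None, ca_pub, "best_attempt"),
            "revoked_no_crl_require": accept(bad, None, ca_pub, "require"),
            "revoked_forged_crl_require": accept(bad, forged, ca_pub, "require")}
```

Calling `demo()` returns the decision for each case, including the one where the revoked certificate is presented while the list cannot be fetched.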
Adobe has issued a security bulletin outlining updates to its Reader and Acrobat software for a zero-day Flash flaw that has been exploited in the wild. The company has also issued a security bulletin for a Flash Player update for the same flaw.
With all of this, users should update all three of the programs, notably Flash Player, which is especially vulnerable to booby-trapped websites. Adobe also points out that Adobe Air is vulnerable, and recommends that users update that software, if they use it. Adobe Air is used for some standalone applications.
Google Chrome has already been updated for this Flash Player issue, but if you use other browsers, you will need to update to the new version of Flash Player.
Mac users can get the updates at the following links:
For more information, see the appropriate security bulletins linked to above.