Safari’s Private Browsing Stores Some User Data

Apple’s Safari web browser offers a “private browsing” feature, which prevents storage of browser history, download history, auto-fill entries, Google searches (in the Search field), and cookies. It turns out, though, according to an article on MacFixit, that some data gets recorded. Plug-ins, such as Flash Player, are not affected by Safari’s private browsing setting.

The article concludes by saying, “As such, if you’d like your browsing to be even more private, turn off plug-ins. In Safari, this can be accomplished by going to Safari > Preferences > Security and deselecting ‘Enable plug-ins.’”

Posted by Peter on May 15, 2008 in Apple, Security | Permalink

Another Mac OS X Server Hack?

In a recent article, we reported on Tom Yager, a journalist for InfoWorld, who suspected that his Mac OS X server was hacked. Tom has since written about a root exploit he discovered, and now continues discussing this exploit and the effects it has had, turning his server into a spam zombie. Intego’s researchers believe this is the result of an OpenSSH vulnerability that has just been discovered, which affects multiple Unix- or Linux-based platforms. We would recommend that, until Apple patches this flaw, users keep an eye open, especially on their servers. Yager’s articles give a good idea of what to look for.

Posted by Peter on May 15, 2008 in Apple, Security | Permalink

URL Spoofing Flaw Affects Safari

Secunia has issued an advisory about a URL spoofing flaw they have discovered in Safari, both for Mac OS X and for Windows. As they say, “The problem is that it is possible to hide the actual location of a page in the address bar via a specially crafted URL containing a number of certain special characters in the ‘user’ field before the ‘@’ character.” What this means is that you may go to a web site, via a link, and not be on the correct site; the address may look correct, but may not be, leading you into a phishing net.

The only precaution you can take for now, until Apple fixes this, is to avoid browsing on untrusted websites. If you ever visit a website that has a link to, say, PayPal or to your bank, don’t click that link (unless you trust the originating site), but rather type the URL or use your own bookmark.
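As an added illustration (not code from Secunia, Apple or Intego), the following check shows why the “user” field matters: everything before the “@” is login information, and the browser connects to the host after it. The sample links and the example.com / example.net hosts are constructed placeholders, and the function names are hypothetical.

```javascript
// Added example: audit link targets for a host-like "user" field before "@".
// The links below are constructed samples using placeholder hosts.
const SAMPLE_LINKS = [
  "https://www.example.com/login",
  "https://www.example.com@phish.example.net/login",
  "https://user:pw@intranet.example.com/",
  "mailto:someone@example.com",
];

// Percent-decode without throwing on malformed sequences.
function safeDecode(s) {
  try { return decodeURIComponent(s); } catch { return s; }
}

// Returns the host the browser will really contact, plus a verdict.
function inspectLink(href) {
  let url;
  try { url = new URL(href); } catch { return { href, verdict: "unparseable" }; }
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return { href, verdict: "not-web" };
  }
  const user = safeDecode(url.username);
  const result = { href, realHost: url.hostname, user, verdict: "ok" };
  if (user === "" && url.password === "") return result;
  // A user field that reads like a hostname, or that carries whitespace or
  // control characters, is what makes the address look like another site.
  const hostLike = /^[a-z0-9-]+(\.[a-z0-9-]+)+/i.test(user.trim());
  const oddChars = /[\s\x00-\x1f]/.test(user);
  result.verdict = hostLike || oddChars ? "spoof-suspect" : "has-userinfo";
  return result;
}

// Keep only the links worth warning about.
function auditLinks(links) {
  return links.map(inspectLink).filter((r) => r.verdict === "spoof-suspect");
}

for (const r of auditLinks(SAMPLE_LINKS)) {
  console.log(`${r.href}\n  looks like: ${r.user}\n  really goes to: ${r.realHost}`);
}
```

A mail filter or link scanner can apply the same test to every href in a message and show the real host next to any flagged link.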

Posted by Peter on April 25, 2008 in Apple, Security | Permalink

How Secure is your Mac OS X User Account?

When you work on your Mac, you think you are protected by your user account’s password. Well, savvy users know this is not the case; it’s easy to boot any Mac from a Mac OS X installation DVD and reset the password of any account. But not everyone worries about hackers carrying around Mac OS X discs with them.

That’s not the only way to reset a password, though. A hint was published on the Mac OS X Hints web site explaining how to do this without an installation disc, but simply from booting into “safe mode” and issuing a few commands. This means that any hacker can access all the files on your Mac, regardless of your password.

We at Intego have long been aware of this kind of problem. We know that Apple’s password protection is not very secure, and, while you can apply an Open Firmware password, there are other ways to protect your sensitive documents. Intego created FileGuard for just this reason. With FileGuard, you can create virtual safes that provide unbreakable protection for all your sensitive files. The passwords you use with FileGuard’s safes cannot be reset by a hack or trick; only you can open the safes you create. And with 256-bit encryption, even the NSA can’t get at your files.

If you have sensitive files on your Mac, don’t entrust them to Apple’s password protection; you really need serious security that will prevent anyone from accessing your files. Use Intego FileGuard for those files that merit such protection.

Posted by Peter on April 24, 2008 in Apple, Intego Software, Security | Permalink

Apple Releases Common Criteria Tools for 10.5

Apple has released Common Criteria Tools for 10.5. According to Apple,

“An internationally approved set of security standards which provides a clear and reliable evaluation of the security capabilities of Information Technology products. By providing an independent assessment of a product’s ability to meet security standards, Common Criteria gives customers more confidence in the security of Information Technology products and leads to more informed decisions.”

Common Criteria Tools for 10.5 can be downloaded here.

Posted by Peter on April 24, 2008 in Apple, Security | Permalink

Mac Hack Vulnerability Had Been Public for Months

Last month, we reported about a Mac hack contest where a Mac was hacked in two minutes flat. Initial reports suggested that the security researcher, Charlie Miller, who hacked the Mac, had discovered the vulnerability used just a couple of weeks before the contest. Well, Macworld reports that this flaw had been made public in November 2007, and Apple had not patched it, allowing Miller to discover it “completely independently”.

The flaw in question affects the open-source PCRE software library, which is used by Safari. Developers corrected the flaw quickly, but Apple didn’t update the library until last week. Whether or not Miller actually discovered this flaw on his own, it shows one of the big problems of Mac OS X, and its reliance on third-party software: many flaws and vulnerabilities may be quickly fixed by the developers of this software, but it often takes Apple months to roll the fixes into Mac OS X. Astute hackers can easily find out what has been fixed in the underlying software, and be aware that Apple likely hasn’t fixed it as quickly, leading to vectors of attack against Macs.

Posted by Peter on April 23, 2008 in Apple, Security | Permalink

Copyright © 2007-2008 Intego