We recently wrote about how Apple’s recent security update for Snow Leopard was causing problems with applications running in the Rosetta environment – PowerPC applications being emulated to run on Intel processors. Well, Apple has responded quickly, and has released Security Update 2012-001 v1.1, an update to that update, to address this issue. Early reports suggest that it resolves the problem caused by the first update.
Apple describes the update as follows:
Security Update 2012-001 v1.1 is now available for Mac OS X v10.6.8 systems to address a compatibility issue.
Version 1.1 of this update removes the ImageIO security fixes released in Security Update 2012-001.
Snow Leopard users can download this update via Software Update, or from Apple’s Downloads page.
A number of outlets are reporting that the latest Mac OS X security update for Snow Leopard, Security Update 2012-001, which we reported on yesterday, is causing problems on Macs running Mac OS X 10.6 Snow Leopard. According to TidBITS, “many people [who have applied the update] are reporting problems with PowerPC-based applications that rely on Snow Leopard’s Rosetta environment.”
Adam Engst of TidBITS said that he:
can confirm that on my Mac Pro running 10.6.8 with Security Update 2012-001 installed, both Eudora 6.2.4 and Adobe Acrobat Pro 7 crash when using File > Open, or File > Save As, and neither will print at all, although they don’t crash. I’ve also confirmed that the problem is not related to utility software like Default Folder X by reproducing it in a clean test account.
For now, several users at Nebraska High School have created a fix for this problem, called RosettaFix. The only other solution, according to TidBITS, is to “reinstall Snow Leopard from your original disks.”
We’ll post more if Apple releases a fix for this.
Apple has released Mac OS X 10.7.3, the latest update to Mac OS X 10.7 Lion. This update patches more than 50 vulnerabilities, from Apache to X11, and includes a number of updates to PHP, QuickTime and more. It also protects against some bogus certificates, issued to DigiCert Malaysia:
Two certificate authorities in the list of trusted root certificates have independently issued intermediate certificates to DigiCert Malaysia. DigiCert Malaysia has issued certificates with weak keys that it is unable to revoke. An attacker with a privileged network position could intercept user credentials or other sensitive information intended for a site with a certificate issued by DigiCert Malaysia. This issue is addressed by configuring default system trust settings so that DigiCert Malaysia’s certificates are not trusted.
These fixes are included in the overall 10.7.3 update, and a separate security update, Security Update 2012-001, is available for Mac OS X 10.6.8. Users can download the updates via Software Update, or from Apple’s Downloads page.
For more information about these updates, see this document.
Smartphone users have discovered a new name in recent days: Carrier IQ. It was discovered that certain mobile phones use software by this company – the Mobile Service Intelligence Platform – to track usage and send data to phone manufacturers and telecom companies. Security researcher Trevor Eckhart looked closely into what this software does, and discovered that it records keypresses, SMSs, URLs visited, and more. In fact, the software seems to be able to record – and send to third parties – just about everything a user does on their phone.
Eckhart first discovered this on a phone running Android – an HTC phone, which used the Sprint network. (He shows how this works in a YouTube video.) But subsequent research has shown that this occurs on a number of phones, and with a variety of carriers. The telephone companies claim, however, that they only use this software to collect information to improve network performance and quality of service. The handset manufacturers are blaming the carriers for “requiring” this software. This has turned into a hot potato, and has, once again, raised the spectre of people’s portable devices listening in on what they do, and sending information about their actions to third parties.
Engadget has an excellent Q&A about what Carrier IQ is and isn’t, and CNET has collected a group of articles addressing the problem. What is most striking is how each company involved seems to try to pass the responsibility on to others. Engadget points out that, in spite of what the CEO of Carrier IQ said in a video posted to YouTube, the software is capable of collecting data and sending it to third parties; they examined patents held by the company, which describe the software’s capabilities.
This has gotten as far as the US Congress. US Senator Al Franken has asked for answers from Carrier IQ regarding what this software does, saying that the actions of the software “may violate federal privacy laws.”
And how does the iPhone fit into this story? Apple has issued a statement regarding their use of Carrier IQ’s software:
We stopped supporting Carrier IQ with iOS 5 in most of our products and will remove it completely in a future software update. With any diagnostic data sent to Apple, customers must actively opt-in to share this information, and if they do, the data is sent in an anonymous and encrypted form and does not include any personal information. We never recorded keystrokes, messages or any other personal information for diagnostic data and have no plans to ever do so.
Apple calls information like this “diagnostic information,” and when you set up an iPhone, or other iOS device, you are asked if you want such information to be sent to Apple. If you said yes to this question, unaware of what this meant, you can turn this feature off. Tap the Settings app, then General, About, then Diagnostics & Usage. Then tap Don’t Send to turn this off.
While software such as this may indeed help improve quality of service, the real worry is that the data collected may fall into the wrong hands. Given the number of high-profile hacks of customer databases in recent months, one may assume that this data is not sufficiently protected. In addition, there are some kinds of data that this software seems to be capturing that it shouldn’t. There is no reason for it to record keypresses, especially because this will include any passwords that you type on your phone.
So, if you use an iPhone don’t worry. Turn off the Diagnostics & Usage collection, and you should be fine. However, if you use another phone, it seems there is no way you can turn off this data collection. Engadget has a roundup of which companies – handsets or carriers – use Carrier IQ.
Apple has released iTunes 10.5.1, the latest version of the company’s media management software, which notably includes the company’s new iTunes Match cloud music service. This update contains one minor security fix, described as follows:
Impact: A man-in-the-middle attacker may offer software that appears to originate from Apple
Description: iTunes periodically checks for software updates using an HTTP request to Apple. This request may cause iTunes to indicate that an update is available. If Apple Software Update for Windows is not installed, clicking the Download iTunes button may open the URL from the HTTP response in the user’s default browser. This issue has been mitigated by using a secured connection when checking for available updates. For OS X systems, the user’s default browser is not used because Apple Software Update is included with OS X, however this change adds additional defense-in-depth.
As the description points out, this isn’t a serious issue for Mac users, but Apple is fixing it for them anyway, as there’s always the possibility that someone could create a fake program that looks like Apple’s Software Update.
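The weakness Apple describes comes down to an update client trusting a URL that arrived over plaintext HTTP and handing it to the default browser. The example below is added here and is not Apple’s or iTunes’ code; it shows the two checks a defender wants on any such update path: the download URL must use HTTPS and its host must be on a small allowlist, and the client decides what to do with the URL only after those checks pass. The allowlist hosts, the function names and the decision strings are assumptions made for the illustration.

```python
from urllib.parse import urlsplit

# Constructed allowlist for the illustration (assumption): the only hosts an
# update client should ever be willing to fetch an installer from.
ALLOWED_DOWNLOAD_HOSTS = {"www.apple.com", "swcdn.apple.com"}


def is_trusted_download_url(url: str) -> bool:
    """Return True only for an https URL whose host is on the allowlist.

    A URL learned from an unauthenticated HTTP update check cannot be trusted
    on its own; this is the client-side policy that limits the damage of a
    tampered response. Userinfo ("https://www.apple.com@other.example/") and
    look-alike hosts ("www.apple.com.example.net") are rejected because the
    comparison is on the parsed hostname, not on a prefix of the string.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    host = parts.hostname
    if host is None or parts.username is not None or parts.password is not None:
        return False
    return host.lower() in ALLOWED_DOWNLOAD_HOSTS


def decide_update_action(response_url: str, software_update_installed: bool) -> str:
    """Mirror the flow in the advisory: hand a trusted URL to the vendor's
    updater when it is present, fall back to the browser otherwise, and
    refuse anything that fails the URL policy."""
    if not is_trusted_download_url(response_url):
        return "reject"
    return "software_update" if software_update_installed else "browser"


if __name__ == "__main__":
    # Constructed sample responses, one as a TLS-protected check would return
    # it and one as a tampered plaintext response might.
    for url in ("https://www.apple.com/itunes/download/",
                "http://www.apple.com/itunes/download/",
                "https://www.apple.com@mirror.example/itunes/"):
        print(url, "->", decide_update_action(url, software_update_installed=False))
```

The second mitigation in the advisory, performing the check itself over a secured connection, is what makes the response authentic in the first place; the URL policy above is the defense-in-depth layer that still holds if the transport is ever downgraded.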
You can download this new version of iTunes from, of course, Software Update, or from Apple’s iTunes download page.
Apple has released an update to Time Capsule and AirPort Base Station (802.11n) Firmware, fixing one security issue:
Impact: An attacker in a privileged network position may be able to cause arbitrary command execution via malicious DHCP responses
Description: dhclient allowed remote attackers to execute arbitrary commands via shell metacharacters in a hostname obtained from a DHCP message. This issue is addressed by stripping shell meta-characters in dhclient-script.
This is an obscure issue, but you should update the firmware anyway, as it probably also contains other bug fixes. Apple recommends that you download AirPort Utility 5.5.3 before applying the firmware update. If you don’t already have that program, you can download it here.
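The dhclient problem is a textbook case of untrusted network input (a hostname from a DHCP message) reaching a shell. The example below is added here and is not Apple’s or ISC’s code; it shows the mitigation the advisory names (stripping shell metacharacters) next to the two stronger options a defender should prefer: validating the hostname against an allow-list pattern, and passing it to a program as an argument vector so no shell ever interprets it. The metacharacter list, the function names and the sample values are assumptions made for the illustration.

```python
import re
import shlex

# RFC 1123 label: letters, digits and hyphens, no leading or trailing hyphen,
# at most 63 characters. Anything else is rejected outright.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

# Characters a POSIX shell treats specially (constructed list, assumption;
# the advisory does not enumerate what dhclient-script strips).
_SHELL_META = set("`$;&|<>(){}[]'\"\\ \t\n*?~!#")


def strip_shell_meta(value: str) -> str:
    """Deny-list mitigation as described in the advisory: drop every shell
    metacharacter from the value before it can reach a shell."""
    return "".join(ch for ch in value if ch not in _SHELL_META)


def is_valid_hostname(name: str) -> bool:
    """Allow-list validation: every label must match the RFC 1123 shape.
    This is stricter than stripping and fails closed on unexpected input."""
    if not name or len(name) > 253:
        return False
    return all(_LABEL.match(label) for label in name.rstrip(".").split("."))


def hostname_command(dhcp_hostname: str) -> list:
    """Build the argv for setting the host name without a shell.

    Returning a list (for subprocess.run(argv) without shell=True) means the
    value is delivered to the program as a single argument, so metacharacters
    would have no effect even if validation were bypassed.
    """
    if not is_valid_hostname(dhcp_hostname):
        raise ValueError("rejected hostname from DHCP: %r" % dhcp_hostname)
    return ["hostname", dhcp_hostname]


def shell_safe_fragment(value: str) -> str:
    """If a shell script is unavoidable (as in dhclient-script), quote the
    value so the shell treats it as one literal word."""
    return shlex.quote(value)


if __name__ == "__main__":
    # Constructed sample: a benign hostname and one carrying a separator.
    for sample in ("srv01.example.net", "srv01;echo hi"):
        print(repr(sample), "->", repr(strip_shell_meta(sample)),
              "valid:", is_valid_hostname(sample),
              "quoted:", shell_safe_fragment(sample))
```

On a device like an AirPort base station the practical action is simply to apply the vendor firmware; the code shows why the fix works and what a reviewer should look for in any script that interpolates DHCP-supplied values.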
To apply the Time Capsule and AirPort Base Station Firmware update, launch AirPort Utility, and select your AirPort device. You’ll see something like this telling you that a new version of the firmware is available:

Click on Update Firmware to download and apply the update. You’ll have to restart your AirPort Base Station or Time Capsule, losing network access for a couple of minutes.