
Apple has issued a security update for the Safari web browser, incrementing the program to version 4.0.5. This update covers a total of 16 vulnerabilities in ColorSync, ImageIO and WebKit (the framework used to render web pages), but only ten of these affect Mac OS X (the others affect the Windows version of the program).
A number of these issues could have the following consequences:
Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution.
These issues involve the way WebKit handles “CSS format() arguments”, “HTML object element fallback content”, “XML documents”, and “incorrectly nested HTML tags” among others.
Full information is available here, and users can download the new version of Safari using Software Update, or from the Safari download page.

A few days before the CanSecWest security conference, an Italian web site, oneitsecurity, interviews Charlie Miller, Mac security expert, and former winner of the Pwn2Own hacking contest (and this year’s favorite). Miller is well known for having hacked Apple’s Safari browser in this contest, two years in a row. Discussing this year’s contest, he doesn’t seem as confident about breaking through Safari’s defenses:
Everything is my target at this point. I’d love to hack one of the mobile devices, but will probably end up on Safari again. I was the first to hack the iPhone and an Android device in the past, so I am comfortable with those two platforms, but it’s harder to exploit them. This year only one person can win per target, so my biggest obstacle will be making sure nobody beats me to the punch.
When asked which OS and browser combination is safest, Miller replied, “There probably isn’t enough difference between the browsers to get worked up about. The main thing is not to install Flash!” Flash has been strongly criticized of late for its security weaknesses, and Adobe has been slow to fix them.
Read the rest of the article for more about Miller’s hacking tools, and the different platforms he discusses.

Ars Technica looks at some figures regarding OS penetration in the US, as provided by web analytics firm Quantcast, which show that Mac OS X penetration is currently at 10.9%. This is an interesting figure, and one that merits some examination.
First, Apple’s market share is far below 10.9% in the US, being around 7.5% last summer. So how does Apple get an installed base of nearly 11%? Macs tend to last longer than PCs, and they have a much better penetration in homes than in businesses, where people tend to keep them longer. So while Apple is selling around 8% of new computers, more of the ones they’ve sold over the years are still in circulation.
Of course, all of these figures are just educated guesses. And this older Ars Technica article looks at how to interpret this type of figure. It’s interesting to point out that browser share may be a better judge of actual computer use, because it leaves out the many “utilitarian” PCs that may simply run unattended, or be used for limited applications. Those PCs are generally bought once and never upgraded, until they are replaced, and few, if any, applications are purchased for them. The broader computer ecosystem depends on the computers that are purchased by individuals for home use, and by business for general productivity use.
Nevertheless, this installed base figure does show that Apple’s presence is increasing, in the US at least, and that the number of Apple users is higher than what sales figures may lead one to believe.

The Redmond Pie website is reporting that Apple may be banning jailbroken iPhones from the App Store. Two people have reported that their iPhones have been banned for “security reasons”; they discovered this when trying to connect to the App Store.

According to the screenshots they have provided, the Apple ID itself is banned, which means that those users are most likely banned from accessing the App Store using iTunes as well. It’s not clear if their iTunes Store accounts are totally blocked, or if this just applies to iPhone app purchases.
Since these reports are merely anecdotal for now, we will have to wait and see if more users of jailbroken iPhones are blocked from the App Store before being able to confirm this. It is possible that these “security reasons” are related to other issues, such as a credit card fraud probe of the iTunes Store, or a similar issue regarding fraudulent gift cards, which has been circulating for some time.
We have discussed the risks of jailbreaking an iPhone many times, notably in our Year in Mac Security 2009 report. It seems that Apple, unable to prevent jailbreaking as such, is shutting a different door, which may make people think twice before jailbreaking their phones.

Intego’s researchers have discovered an interesting issue related to .DS_Store files and web servers that, in some cases, may lead to security issues. .DS_Store (Desktop Services Store) files are invisible files created by Mac OS X that contain preferences for the display of individual folders on a Mac. They tell the Finder how to display icons (their size and position), whether there is a background color in a folder window, and other information. The Finder creates a .DS_Store for every folder that is opened on a Mac, including remote folders or folders on removable media.
.DS_Store files can also contain data about other files in their folders. For example, a .DS_Store file may contain the names of files that are in its folder, and reading a .DS_Store file can therefore give information about the contents of a folder.
This isn’t a problem on a Mac, but it could be a problem on a web server. Intego’s researchers have found that many .DS_Store files are actually indexed by Google, and that by downloading them, and reading their contents, it can be possible to get a listing of some or all of the files contained in a web directory.
(This was a known issue on Mac OS X, and it no longer affects Apache running on Mac OS X or Mac OS X Server; Apple set up rules in a 2004 security update that prevent access to .DS_Store files on these operating systems.)
But how do .DS_Store files get on a web server? This can happen in several ways:
Here’s why .DS_Store files can be a security issue. In a test we did, we put two files in a folder: My Secret Files.dmg and My Top Secret Product picture.png. We copied that folder to a web server, and loaded the .DS_Store file in Safari. Here’s what we see:

Anyone who stumbles on that .DS_Store file can therefore see some or all of the contents of the folder, even if the items in that folder are not directly linked to a web page. In the above example, anyone could then copy the .dmg and .png files easily, by simply loading the URLs of the files.
In some cases, .DS_Store files are indexed by Google, and searching for the right text strings will turn up thousands of them. But in other cases, enterprising hackers who suspect that Mac users may have copied files to web servers may spend their time trying out different web directories with /.DS_Store to see what turns up. (Obviously, they could automate this with a script, and effectively spider entire web sites in a few seconds.) While this certainly doesn’t allow a hacker to break into a web site, it may allow them to find files that are not meant for public consumption.
Some people use web servers for exchanging files: they’ll give a URL to a colleague or partner to allow them to access specific material. If the web directories are not password-protected, and they contain .DS_Store files, they could be exposing potentially sensitive information to possible discovery. While not a critical issue, this should make web site managers rethink how they use their web sites. At a minimum, it is a good idea to ensure that .DS_Store files are not copied. But to be safe, any folders used to exchange important files should be password-protected.
One more point: this weakness also affects Macs in shared environments. If a network has a shared folder which contains sub-folders with permissions for specific users, any user who can access the main folder will be able to access the .DS_Store file, and will see what folders are there (which they might not be able to see otherwise). This can have a number of consequences, since it is possible to see information that should otherwise not be visible.
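An added example, not Intego's code: a local audit that a site manager could run over a folder before uploading it, or over a server's document root, to find .DS_Store files and list the file names each one would disclose. The record layout in the comments is the commonly documented one, the scan is a heuristic rather than a full parser, and the function names and the constructed sample bytes are assumptions made for illustration.

```python
import os
import struct

# Type codes that follow the 4-byte structure ID in a .DS_Store record.
TYPES = {b"long", b"shor", b"bool", b"blob", b"type", b"ustr", b"comp", b"dutc"}

def leaked_names(data: bytes) -> list:
    """Heuristically list the file names recorded in raw .DS_Store bytes.

    Record layout: 4-byte big-endian name length (UTF-16 code units), the
    name in UTF-16BE, a 4-byte structure ID, then a 4-byte type code.
    """
    names, i = [], 0
    while i + 12 <= len(data):
        (n,) = struct.unpack_from(">I", data, i)
        end = i + 4 + 2 * n  # offset of the structure ID, if this is a record
        if (0 < n <= 255 and data[end:end + 4].isalnum()
                and data[end + 4:end + 8] in TYPES):
            name = data[i + 4:end].decode("utf-16-be", errors="replace")
            if name.isprintable() and "\ufffd" not in name:
                if name not in names:
                    names.append(name)
                i = end + 8  # skip past the record header just matched
                continue
        i += 1
    return names

def audit_webroot(root: str) -> dict:
    """Map every .DS_Store found under root to the names it would disclose."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        if ".DS_Store" in files:
            path = os.path.join(dirpath, ".DS_Store")
            with open(path, "rb") as fh:
                findings[path] = leaked_names(fh.read())
    return findings

def constructed_sample(names) -> bytes:
    """Constructed test bytes: the Bud1 magic plus one Iloc record per name."""
    out = b"\x00\x00\x00\x01Bud1" + bytes(24)
    for name in names:
        raw = name.encode("utf-16-be")
        out += struct.pack(">I", len(raw) // 2) + raw + b"Iloc" + b"blob"
        out += struct.pack(">I", 16) + bytes(16)  # 16-byte icon-position blob
    return out

if __name__ == "__main__":
    print(leaked_names(constructed_sample(["My Secret Files.dmg"])))
```

Any path that `audit_webroot` returns is a file to delete before the folder is published, and the names listed beside it are what a visitor could have learned from it.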

Apple has issued a security update for its iPhone OS, for both the iPhone and iPod touch, fixing five serious bugs in the way audio files and images are handled, in recovery mode, and in WebKit (the framework used for displaying HTML content). Several of these bugs could lead to arbitrary code execution, and the recovery mode bug could allow people with physical access to a locked iPhone to access its data.
Updates for the iPhone and iPod touch are available only through iTunes. More information about this update is available here.