Apple has released Mac OS X 10.7.3, the latest update to Mac OS X 10.7 Lion. This update patches more than 50 vulnerabilities, from Apache to X11, and includes a number of updates to PHP, QuickTime and more. It also protects against some bogus certificates, issued to DigiCert Malaysia:
Two certificate authorities in the list of trusted root certificates have independently issued intermediate certificates to DigiCert Malaysia. DigiCert Malaysia has issued certificates with weak keys that it is unable to revoke. An attacker with a privileged network position could intercept user credentials or other sensitive information intended for a site with a certificate issued by DigiCert Malaysia. This issue is addressed by configuring default system trust settings so that DigiCert Malaysia’s certificates are not trusted.
These fixes are included in the overall 10.7.3 update, and a separate security update, Security Update 2012-001, is available for Mac OS X 10.6.8. Users can download the updates via Software Update, or from Apple’s Downloads page.
For more information about these updates, see this document.
The Opera web browser has been updated to fix a high-risk cross-scripting vulnerability, as well as a low-risk JavaScript issue. Version 11.61 also improves stability. In addition, Opera has added an auto-update mechanism. When launching version 11.60, users see an upgrade notice, and a message indicates that, “You will never have to upgrade manually again, because the newest version of Opera contains an auto-update mechanism.”
Google has updated its Chrome web browser to fix three high-risk vulnerabilities, bringing the program to version number 16.0.912.77. Google’s release notes point out that one of the bugs, regarding Safe Browsing navigation, “was fixed in 16.0.912.75 but accidentally excluded from the release notes,” so the notes for this release mention four vulnerabilities, but the release itself fixes only three of them.
The Chrome browser auto-updates on Mac OS X, so you don’t have to worry about downloading a new version.

The year 2011 was the most active year for Mac malware since Mac OS X was released. It notably saw an extensive outbreak of sophisticated attacks that led users from Google image searches to web pages serving malware. Users seeking banal images – pictures of cats, trees or birds – were sent to web sites that told them that their Macs were infected by malware, and tried to get them to buy a program that would “clean up” their Macs. This malware went by many names, but was initially called Mac Defender.
2011 can be split into two unequal parts: before May 2, the day that Intego discovered the MacDefender fake antivirus, and after that day, when the Mac community realized that the malware threat had suddenly become much more serious. The Mac Defender fake antivirus used sophisticated social engineering tricks that had been proven effective on the Windows platform to trick Mac users. And Mac users weren’t ready for such deception.
As the summer ended, with Mac Defender and its variants fading away and everyone expecting the Mac malware situation to calm down, a second malware attack, the Flashback Trojan horse, plagued Mac users. This, too, used social engineering to get Mac users to install a Trojan horse.
In addition to malware, there were plenty of privacy issues and hacking stories that affected Apple products and Mac users. Mac OS X and third-party software required a number of security updates. A new version of Mac OS X – 10.7 Lion – was released. And Steve Jobs passed away.
It was a very eventful year.
Read the full report – download a 2.6 MB PDF file.
Apple has recently updated its Xprotect file quarantine system, used to check for malware downloaded by certain programs – notably Safari, Mail and iChat – but Intego has spotted a new variant of the Flashback Trojan horse, called OSX/FlashBack.J. This variant was released after Apple’s update, and Xprotect does not recognize it yet.

VirusBarrier X6’s generic signatures already detected this new variant, and will probably detect many future variants as well.
It was only three weeks ago that Google updated their Chrome web browser for a number of security flaws. The company has released another update, addressing three high-risk issues, and incrementing the version number to 16.0.912.75. None of these issues are serious enough to lose sleep over, but sometimes even the smallest vulnerabilities can be exploited.
As always, Chrome will update itself, so no need to worry about downloading anything on your own. Full information about the security fixes in the update is available here.