What’s Up with Apple’s Updates?

Apple products, like all computers and software, are in a constant state of flux. Like every company, Apple issues updates to fix bugs, correct security vulnerabilities, and, in some cases, enhance its products or add new features. Apple does this irregularly, unlike companies such as Microsoft, whose “Patch Tuesday” falls on the second Tuesday of every month. This irregularity causes a number of problems, especially within businesses, where IT managers can plan for “Patch Tuesday” but can never plan for Apple updates. With no idea when updates, and especially security updates, will arrive, those who manage large numbers of Macs can find it difficult to test and deploy patches on short notice. (See our previous post about whether Apple’s security update process is enterprise-ready.)

In addition to being impossible to plan for, Apple’s updates are poorly described: Apple has been notably reticent about communicating what its updates contain. To be fair, this is not the case for security updates, or at least hasn’t been since mid-2004, when Apple started documenting security fixes thoroughly (we’ll get to another problem with security updates later). Other updates, however, whether for Mac OS X, individual applications, or the iPhone, come with minimal descriptions and release notes. For example, version 2.0.1 of the iPhone software - and this is an entire operating system - carried the following description, in full:

Bug fixes

Not to be outdone, version 2.0.2, released two weeks later, contained exactly the same description.

As another example, look at a recent iTunes update, version 7.7.1. Its release notes said, “iTunes 7.7.1 includes fixes to improve stability and performance.” This is the case for most updates to Apple’s software. Now, most users don’t need to know exactly what has changed in a given update, but developers and IT managers do. (It turned out that an AppleScript property in iTunes was changed; this doesn’t affect most users, but it did break AppleScripts that worked with iTunes.) Granted, members of Apple’s developer program have access to seeds of major operating system updates, but even these seeds don’t come with detailed information. Developers, such as those at Intego, install these seeds to test their software and ensure that it is compatible; when they do find a problem with their software, the sparse release notes make it difficult to determine the exact cause.

There’s another problem with Apple’s security updates: Apple often takes far too long to release them. One recent example was Apple’s delay in fixing a serious DNS flaw, but Apple routinely drags its feet on issuing security fixes. Security researchers are increasingly going public with flaws they discover after waiting for Apple to patch them; sometimes this is the only way to get the company to release an update. (In the security industry, the person or company who discovers a vulnerability generally contacts the vendor first and gives it time to fix the flaw before releasing any information, a practice known as responsible disclosure. Going public is what happens when that waiting period runs out.)

So Apple has several problems with its updates: they are poorly documented, released with no schedule and no warning, and security fixes can be delayed for several months. Apple will need to improve this update procedure to become more usable in the enterprise market, where updates are essential and IT managers need more information than what Apple currently provides.

Posted by Peter on October 14, 2008 in Apple, Security | Permalink

Apple Issues Seventh Mac OS X Security Update of the Year

Apple has issued Security Update 2008-007, the seventh of its kind this year, with a number of fixes for Mac OS X. This update patches Apache, ColorSync, CUPS, the Finder, PHP, QuickLook, Script Editor, and more. In all, 20 components of Mac OS X are patched, some in the client versions of the operating system and some in the server version. The update for Mac OS X 10.5 is 31.1 MB, and, as always, you can install it via Software Update.

You can get more information about the security update on this page.

Posted by Peter on October 10, 2008 in Apple, Security | Permalink

Firefox Extension Protects against Clickjacking

The latest version of the NoScript Firefox extension has been released, with special protection against clickjacking. This extension contains ClearClick:

“whenever you click or otherwise interact, through your mouse or your keyboard, with an embedded element which is partially obstructed, transparent or otherwise disguised, NoScript prevents the interaction from completing and reveals to you the real thing in “clear”. At that point you can evaluate whether the click target was actually the intended one, and decide whether to keep it locked or unlock it for free interaction. This comes in quite handy now that more dangerous usages of clickjacking are being disclosed, such as enabling your microphone or your webcam behind your back to spy on you through the interwebs.”

Apple has as yet offered no similar protection for its Safari browser.

Meanwhile, Macworld reports that there is a way for web sites to protect against clickjacking. “Web site owners, however, can take one step to prevent their users from falling victim,” said Giorgio Maone, an Italian security researcher who created the NoScript extension. “Programmers can use a script on their Web sites that checks to see if a Web page is embedded in another page.” This technique is called “framebusting”, and is used by major web sites such as PayPal.
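The framebusting check Maone refers to, as an added example (this is not code from NoScript, PayPal, or the Macworld article), in two forms. The mock window and document objects are assumptions made so the decision logic can run outside a browser; in a real page the functions would be called with `window` and `document`, and the default-deny variant also needs a `body { display: none }` rule in the page’s own stylesheet.

```javascript
// Added example, not from the original post or from NoScript: the kind of
// framebusting check described above, in two forms, with the decision logic
// factored out so it can be exercised with mock window objects.

// True when this document is being rendered inside another document's frame:
// in a top-level document window.top and window.self are the same object.
function isFramed(win) {
  return win.top !== win.self;
}

// Classic framebuster. If framed, navigate the outermost window to our own URL.
// Weakness: the page is fully rendered and clickable unless that navigation
// actually takes effect, so anything that stops it (scripting disabled for
// the frame, the parent cancelling the navigation) leaves the page exposed.
function classicBuster(win) {
  if (!isFramed(win)) return 'top-level';
  try {
    win.top.location = win.self.location;
  } catch (e) {
    // cross-origin access to top.location may throw in some browsers
  }
  return 'redirect-attempted';
}

// Default-deny variant: the page ships with its body hidden by CSS
// (assumed: body { display: none } in the stylesheet) and the script only
// reveals it after confirming it is top-level. If framed, it still tries the
// redirect, but the content stays hidden either way, so a blocked redirect
// leaves nothing for an attacker to overlay.
function defaultDenyBuster(win, doc) {
  if (!isFramed(win)) {
    doc.body.style.display = 'block';
    return 'shown';
  }
  try {
    win.top.location = win.self.location;
  } catch (e) {
    // same caveat as above
  }
  return 'hidden';
}

// Constructed mocks standing in for the browser's window and document objects.
// The hostnames are placeholders, not real sites.
function makeWindow(framed) {
  const self = { location: 'https://victim.example/transfer' };
  const top = framed ? { location: 'https://attacker.example/decoy' } : self;
  return { self, top };
}
function makeDocument() {
  return { body: { style: { display: 'none' } } };
}

// Stand-alone demonstration.
const framedWin = makeWindow(true);
const framedDoc = makeDocument();
console.log('classic, framed:', classicBuster(framedWin), '-> top now at', framedWin.top.location);
console.log('default-deny, framed:', defaultDenyBuster(makeWindow(true), framedDoc), '-> body display', framedDoc.body.style.display);
const topDoc = makeDocument();
console.log('default-deny, top-level:', defaultDenyBuster(makeWindow(false), topDoc), '-> body display', topDoc.body.style.display);
```

The classic form is the one most sites deployed; its weakness is that the page is already rendered and clickable, so if the attacker can keep the navigation from taking effect, the invisible overlay still works. The default-deny form costs one CSS rule and fails closed: the content is only shown once the script has confirmed the page is the top-level document.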

Posted by Peter on October 9, 2008 in Other Software, Security | Permalink

Six iPhone Security Tips

We’ve written here about a number of iPhone security issues. The iPhone - as much a handheld computer as a telephone - contains a lot of your personal data. Protecting the iPhone is essential; the more you use its “smart” features, the more you need to think about protecting it. Naturally, the first protection is simply preventing others from using it as a phone and costing you money, but there are many other things to be done to keep it secure.

Macworld’s iPhone Central has an article about six ways you can protect your iPhone. It explains how to do the following:

  • Enable Auto-Lock
  • Enable Passcode Lock
  • Use Wi-Fi safely on the iPhone
  • Securely access corporate and Web mail
  • Browse the Web via Safari
  • Set device usage restrictions

If you use an iPhone, you should definitely read this article and apply its tips to make sure that your phone is safe and secure.

Posted by Peter on October 8, 2008 in Security, iPhone | Permalink

More on “Clickjacking” - Batten Down the Flash Hatches

We recently reported on “clickjacking”, a technique in which an attacker overlays an invisible frame of another site on top of a decoy web page, so that when you click what looks like a harmless button, the click actually lands on a real button in the hidden frame and something unexpected happens. Clickjacking has suddenly become a serious security issue, especially with Adobe issuing a security advisory about clickjacking attacks on its Flash Player. Because Flash Player can access your microphone and camera, a clickjacked Flash permission dialog lets a malicious site turn those devices on. You can change the relevant privacy settings in the Adobe Flash Player Settings Manager; interestingly, this is not a program installed on your computer, but a web page on Adobe’s site containing a Flash “animation” that changes the player’s settings on your computer.

In more clickjacking news, Securosis gives an overview of what clickjacking is and how it works. Their one-sentence explanation is especially clear: “Clickjacking allows someone to place an invisible link/button below your mouse as you browse a regular page.” The post then goes on to give more technical details and examples. You won’t be tested on this, but it’s good to be familiar with what this term covers.

Posted by Peter on October 8, 2008 in Other Software, Security | Permalink

Two iPhone Security Flaws Made Public

Security researcher Aviv Raff has gone public regarding two iPhone security flaws, more than two months after he contacted Apple about them. As Macworld UK reports, the first bug is that the iPhone’s e-mail application automatically downloads images referenced in messages. Spammers can use this to verify whether a given address is active: if the image is downloaded from their server, that confirms the message was opened by a live recipient.

While the first flaw is relatively minor (it may lead to being spammed more often), the second bug is more serious. It involves the way the iPhone displays URLs in e-mails. When messages are displayed in HTML mode and contain links, users can normally inspect a link to see the URL behind it; this can help weed out phishing attempts. But on the iPhone, the lack of screen space truncates the link’s URL. “An attacker could create a site with a long subdomain in order to fool a user into thinking it’s a legitimate site. In fact, it would be a website designed to trick a person into revealing personal information, known as a phishing site,” Raff said.

Raff’s blog shows an example of the phishing problem, and how long URLs can lead users to mistake the actual URLs of sites they visit.

Posted by Peter on October 6, 2008 in Apple, iPhone | Permalink

Copyright © 2007-2008 Intego