We recently wrote about how Apple’s recent security update for Snow Leopard was causing problems with applications running in the Rosetta environment – PowerPC applications being emulated to run on Intel processors. Well, Apple has responded quickly, and has released Security Update 2012-001 v1.1, an update to that update, to address this issue. Early reports suggest that it resolves the problem caused by the first update.
Apple describes the update as follows:
Security Update 2012-001 v1.1 is now available for Mac OS X v10.6.8 systems to address a compatibility issue.
Version 1.1 of this update removes the ImageIO security fixes released in Security Update 2012-001.
Snow Leopard users can download this update via Software Update, or from Apple’s Downloads page. Note that, as Apple’s own description says, v1.1 restores compatibility by removing the ImageIO fixes from the original update rather than by repairing them, so the ImageIO vulnerabilities that Security Update 2012-001 addressed are unpatched again on 10.6.8 until Apple ships a corrected fix.
A number of outlets are reporting that the latest Mac OS X security update for Snow Leopard, Security Update 2012-001, which we reported on yesterday, is causing problems on Macs running Mac OS X 10.6 Snow Leopard. According to TidBITS, “many people [who have applied the update] are reporting problems with PowerPC-based applications that rely on Snow Leopard’s Rosetta environment.”
Adam Engst of TidBITS said that he:
can confirm that on my Mac Pro running 10.6.8 with Security Update 2012-001 installed, both Eudora 6.2.4 and Adobe Acrobat Pro 7 crash when using File > Open, or File > Save As, and neither will print at all, although they don’t crash. I’ve also confirmed that the problem is not related to utility software like Default Folder X by reproducing it in a clean test account.
For now, several users at Nebraska High School have created a fix for this problem, called RosettaFix. The only other solution, according to TidBITS, is to “reinstall Snow Leopard from your original disks.”
We’ll post more if Apple releases a fix for this.
Smartphone users have discovered a new name in recent days: Carrier IQ. It was discovered that certain mobile phones use software by this company – the Mobile Service Intelligence Platform – to track usage and send data to phone manufacturers and telecom companies. Security researcher Trevor Eckhart looked closely into what this software does, and discovered that it records keypresses, SMSs, URLs visited, and more. In fact, the software seems to be able to record – and send to third parties – just about everything a user does on their phone.
Eckhart first discovered this on a phone running Android – an HTC phone, which used the Sprint network. (He shows how this works in a YouTube video.) But subsequent research has shown that this occurs on a number of phones, and with a variety of carriers. The telephone companies claim, however, that they only use this software to collect information to improve network performance and quality of service. The handset manufacturers are blaming the carriers for “requiring” this software. This has turned into a hot potato, and has, once again, raised the spectre of people’s portable devices listening in on what they do, and sending information about their actions to third parties.
Engadget has an excellent Q&A about what Carrier IQ is and isn’t, and Cnet has collected a group of articles addressing the problem. What is most striking is how each company involved seems to try to pass the responsibility on to others. Engadget points out that, in spite of what the CEO of Carrier IQ said in a video posted to YouTube, the software is capable of collecting data and sending it to third parties; they examined patents held by the company, which describe the software’s capabilities.
This has gotten as far as the US Congress. US Senator Al Franken has asked for answers from Carrier IQ regarding what this software does, saying that the actions of the software “may violate federal privacy laws.”
And how does the iPhone fit in to this story? Apple has issued a statement regarding their use of Carrier IQ’s software:
We stopped supporting Carrier IQ with iOS 5 in most of our products and will remove it completely in a future software update. With any diagnostic data sent to Apple, customers must actively opt-in to share this information, and if they do, the data is sent in an anonymous and encrypted form and does not include any personal information. We never recorded keystrokes, messages or any other personal information for diagnostic data and have no plans to ever do so.
Apple calls information like this “diagnostic information,” and when you set up an iPhone, or other iOS device, you are asked if you want such information to be sent to Apple. If you said yes to this question, unaware of what this meant, you can turn this feature off. Tap the Settings app, then General, About, then Diagnostics & Usage. Then tap Don’t Send to turn this off.
While software such as this may indeed help improve quality of service, the real worry is that the data collected may fall into the wrong hands. Given the number of high-profile hacks of customer databases in recent months, there is no assurance that this data is adequately protected. In addition, there are some kinds of data that this software seems to be capturing that it shouldn’t. There is no reason for it to record keypresses, especially because this will include any passwords that you type on your phone.
So, if you use an iPhone, don’t worry. Turn off the Diagnostics & Usage collection, and you should be fine. However, if you use another phone, it seems there is no way you can turn off this data collection. Engadget has a roundup of which companies – handsets or carriers – use Carrier IQ.
Apple has released iTunes 10.5.1, the latest version of the company’s media management software, which notably includes the company’s new iTunes Match cloud music service. This update contains one minor security fix, described as follows:
Impact: A man-in-the-middle attacker may offer software that appears to originate from Apple
Description: iTunes periodically checks for software updates using an HTTP request to Apple. This request may cause iTunes to indicate that an update is available. If Apple Software Update for Windows is not installed, clicking the Download iTunes button may open the URL from the HTTP response in the user’s default browser. This issue has been mitigated by using a secured connection when checking for available updates. For OS X systems, the user’s default browser is not used because Apple Software Update is included with OS X, however this change adds additional defense-in-depth.
As the description points out, the practical exposure was on Windows systems without Apple Software Update installed: because the update check ran over plain HTTP, an attacker on the network path could rewrite the response and send the user’s browser to a download of their choosing, which could then be dressed up to look like a genuine iTunes installer. Mac users were not exposed in this way, since OS X hands the update to Apple Software Update rather than to a browser, but Apple is moving the check to a secured connection on OS X as well, as a defense-in-depth measure.
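To make the attack class concrete, here is an added example (not Apple’s or iTunes’ code) of how an update client can guard against a tampered update-check response: it refuses to act on a check that did not itself arrive over TLS, and independently rejects any download link that is not https:// to an allow-listed host. The allow-list, the two responses and the version numbers are constructed for the example.

```python
from urllib.parse import urlparse

# Hypothetical allow-list of hosts an update client would accept download
# links from; an assumption for this example, not Apple's configuration.
ALLOWED_HOSTS = {"www.apple.com", "support.apple.com"}

# Constructed update-check responses, modelled as the dictionary a client
# holds after parsing the server's reply. Neither is real Apple traffic.
GENUINE_RESPONSE = {
    "latest_version": "10.5.1",
    "download_url": "https://www.apple.com/itunes/download/",
}
# What an on-path attacker could substitute if the check ran over plain HTTP:
# the version still looks newer, but the link points at the attacker's host.
TAMPERED_RESPONSE = {
    "latest_version": "10.5.1",
    "download_url": "http://apple.com.updates.example.net/iTunesSetup.exe",
}


def parse_version(text):
    """'10.5.1' -> (10, 5, 1), so versions compare component-wise."""
    return tuple(int(part) for part in text.split("."))


def validate_download_url(url):
    """Return (ok, reason). Accept only https:// links to an allow-listed host,
    with no userinfo (which would let www.apple.com@evil.example pass a naive
    substring check) and no explicit port."""
    parts = urlparse(url)
    if parts.scheme != "https":
        return False, "scheme is %r, not https" % parts.scheme
    if parts.username is not None or parts.password is not None:
        return False, "userinfo present in URL"
    if parts.port is not None:
        return False, "explicit port in URL"
    if parts.hostname not in ALLOWED_HOSTS:
        return False, "host %r is not allow-listed" % parts.hostname
    return True, "ok"


def decide_update(response, installed_version, checked_over_tls):
    """Decide whether to offer an update. Refuses to act on a check that did
    not itself arrive over an authenticated TLS connection (the fix Apple
    describes), and refuses download links that fail validate_download_url
    (defence in depth if the transport check is ever bypassed)."""
    if not checked_over_tls:
        return {"offer": False, "reason": "update check was not made over TLS"}
    if parse_version(response["latest_version"]) <= parse_version(installed_version):
        return {"offer": False, "reason": "installed version is current"}
    ok, reason = validate_download_url(response["download_url"])
    if not ok:
        return {"offer": False, "reason": reason}
    return {"offer": True, "url": response["download_url"]}


if __name__ == "__main__":
    for name, resp in (("genuine", GENUINE_RESPONSE), ("tampered", TAMPERED_RESPONSE)):
        print(name, decide_update(resp, "10.5", checked_over_tls=True))
    print("plain HTTP check", decide_update(GENUINE_RESPONSE, "10.5", checked_over_tls=False))
```

The two checks are deliberately independent: the transport check is what Apple’s fix adds, and the URL validation is the layer that still protects a Windows user if the response is ever reached by some other unauthenticated path.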
You can download this new version of iTunes from, of course, Software Update, or from Apple’s iTunes download page.
Apple has released the Java for Mac OS X 10.7 Update 1 and Java for Mac OS X 10.6 Update 6, for Lion and Snow Leopard, respectively. These updates patch 17 vulnerabilities, and increment Java to version 1.6.0_29. Full release notes are available on the Oracle web site and on Apple’s web site.
Apple says the following about these updates:
Multiple vulnerabilities exist in Java 1.6.0_26, the most serious of which may allow an untrusted Java applet to execute arbitrary code outside the Java sandbox. Visiting a web page containing a maliciously crafted untrusted Java applet may lead to arbitrary code execution with the privileges of the current user.
These updates are available via Software Update, or from Apple’s Support Downloads page. With Lion, Apple does not provide Java in the standard installation, but rather users are prompted to download it the first time it is needed. It is not clear whether this update will show up in Software Update for users who don’t have Java already installed.
The message flashed by very quickly, but when syncing an iOS device yesterday, we noticed that Google safe browsing data was being synced to the device. It’s fair to say that, for many, updating iOS devices to iOS 5 was fraught with much annoyance, and when it finally worked, it was easy to not pay close attention to the process. But in the iTunes LCD (the part at the top of the iTunes window that shows the playback timeline and other information), we spotted a message saying “Downloading Safari safe browsing data.” This database, provided by Google, is used by mobile Safari to check for known malicious web sites. To check if this is activated on your iOS device, go to Settings > Safari, then look for the Fraud Warning slider. If it’s not set to “On,” do so; it’s a good way to protect your device and yourself from known malicious websites.
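As an added illustration of what such a local “safe browsing data” check involves (example code written for this page, not Apple’s or Google’s implementation), the block below follows the general shape of Google’s Safe Browsing lookup: a URL is expanded into host-suffix/path-prefix expressions, each is hashed with SHA-256, the first four bytes are compared against a locally held prefix list, and a prefix hit is only acted on after the full hash is confirmed. The canonicalization is simplified (no percent-decoding or IP-address handling), and the local prefix list, the confirmed full hashes and the sample URLs are all constructed for the example.

```python
import hashlib
from urllib.parse import urlparse

PREFIX_LEN = 4  # bytes of SHA-256 kept in the local list, as in Google's protocol


def host_suffixes(host):
    """The exact host plus up to four suffixes built from its last five
    labels, never the bare top-level domain (Google's lookup rule;
    IP-address hosts, which get only the exact form, are not handled here)."""
    labels = host.split(".")
    out = [host]
    for n in range(2, 6):
        if n < len(labels):
            out.append(".".join(labels[-n:]))
    return out


def path_prefixes(path, query):
    """The full path with query, the path alone, and every directory prefix
    down to '/'."""
    out = []
    if query:
        out.append(path + "?" + query)
    out.append(path)
    segments = path.split("/")
    for i in range(1, len(segments)):
        prefix = "/".join(segments[:i]) + "/"
        if prefix not in out:
            out.append(prefix)
    return out


def lookup_expressions(url):
    """All host/path combinations whose hash the client must test."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    path = parsed.path or "/"
    return [h + p for h in host_suffixes(host) for p in path_prefixes(path, parsed.query)]


def full_hash(expression):
    return hashlib.sha256(expression.encode("utf-8")).digest()


# Constructed local database for this example: the 4-byte prefixes the
# device would hold, and the full hashes that the confirmation step (a
# network request to Google in the real protocol) would return. The second
# prefix is deliberately present without a matching full hash, to stand in
# for a prefix collision with a benign site.
LISTED_EXPRESSION = "malware.example.test/bad/"
COLLIDING_EXPRESSION = "benign.example.test/"
LOCAL_PREFIXES = {full_hash(LISTED_EXPRESSION)[:PREFIX_LEN],
                  full_hash(COLLIDING_EXPRESSION)[:PREFIX_LEN]}
CONFIRMED_FULL_HASHES = {full_hash(LISTED_EXPRESSION)}


def check_url(url):
    """Return ('unsafe', matched_expression) or ('safe', None). A prefix hit
    alone is not enough: only a confirmed full hash blocks the page."""
    for expression in lookup_expressions(url):
        digest = full_hash(expression)
        if digest[:PREFIX_LEN] not in LOCAL_PREFIXES:
            continue  # no local hit, nothing to confirm
        if digest in CONFIRMED_FULL_HASHES:  # stand-in for the full-hash request
            return "unsafe", expression
    return "safe", None


if __name__ == "__main__":
    for u in ("http://www.malware.example.test/bad/page.html?x=1",
              "http://benign.example.test/",
              "http://www.apple.com/"):
        print(u, check_url(u))
```

The two-stage design is why the device only needs a compact prefix list rather than a full copy of every listed URL, and why the benign URL above is not blocked even though its prefix collides: a local prefix hit just triggers the confirmation step, and the daily refresh the post goes on to describe is what keeps that prefix list current.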

We’re curious as to how often this database will update – whether it’s going to be regularly updated, such as daily or weekly, or whether updates will only come occasionally. If you spot a regularity to these updates, let us know in the comments.
Update: syncing our iOS devices over the past couple of days, it seems that this update occurs once a day, but we have no idea at what time the update is made available.