The Mac Security Blog

Google Safe Browsing Data Syncs to iOS Devices Via iTunes

This happened very quickly, but when syncing an iOS device yesterday, we noticed that Google safe browsing data was being synced to the device. It’s fair to say that, for many, updating iOS devices to iOS 5 was fraught with much annoyance, and when it finally worked, it was easy to not pay close attention to the process. But in the iTunes LCD (the part at the top of the iTunes window that shows the playback timeline and other information), we spotted a message saying “Downloading Safari safe browsing data.” This database, provided by Google, is used by mobile Safari to check for known malicious web sites. To check if this is activated on your iOS device, go to Settings > Safari, then look for the Fraud Warning slider. If it’s not set to “On,” do so; it’s a good way to protect your device and yourself from known malicious websites.



We’re curious as to how often this database will update – whether it’s going to be regularly updated, such as daily or weekly, or whether updates will only come occasionally. If you spot a regularity to these updates, let us know in the comments.

Update: syncing our iOS devices over the past couple of days, it seems that this update occurs once a day, but we have no idea at what time the update is made available.


Apple Issues Safari Security Updates

Hot on the heels of OS X Lion, released today, Apple has issued a new version of Safari, which includes some new features specific to Lion, but also contains dozens of security fixes. Safari 5.1 is included with Lion, and available for Snow Leopard (Mac OS X 10.6), and Safari 5.0.6 is available for Leopard (Mac OS X 10.5).

Lion users will have the new version of Safari in their new operating system. Users of Leopard and Snow Leopard can get the updates via Software Update. Full information about these updates is available here (Safari 5.1) and here (Safari 5.0.6).


Apple Updates Safari with Security Fixes

In Apple’s second update today, the company has released Safari 5.0.5, which fixes a number of bugs and two security issues. Both affect WebKit, the HTML rendering engine used by Safari, and correct issues whereby “Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution.”

This update is available for Mac OS X 10.5 and 10.6, and can be downloaded via Software Update, or from the Safari download page. The update is 39.3 MB. Full information about this update is available here.

It is worth noting that the Safari update does not correct the Comodo fraudulent certificate issue, which is addressed in Apple’s Security Update 2011-002.


Apple Hides Tracks of Future Safari Version

The Wall Street Journal is reporting that Apple has added a “do-not-track” feature to the version of the company’s Safari web browser included in the latest developer release of Mac OS X 10.7 Lion. As the article says, “Do-not-track tools in browsers automatically send out messages to websites and online-advertising networks requesting that users’ movements around the Web not be tracked.”

We initially reported on this in January, when Mozilla proposed such a solution, then again when Google joined the club. This feature is clearly becoming standard across browsers: Microsoft also offers it in the latest version of Internet Explorer.

Whether web sites will respect this feature or not is another story. It’s in the interests of many to ignore it, but the Wall Street Journal mentions that “Rep. Cliff Stearns (R, Fla.) introduced privacy legislation that would encourage companies to offer more information to consumers about how they are being tracked,” so this non-tracking feature may end up being useful, at least for those web sites hosted in the United States.

Protect Safari from Fraudulent Digital Certificates

When you surf the web, you trust certain web sites with confidential information, such as credit card numbers, or use them to read and send e-mail. Certain applications that connect to remote servers also depend on this type of trust. A system built on the SSL (Secure Sockets Layer) protocol and on digital certificates issued by trusted certificate authorities is meant to ensure that when you visit a web site, such as Apple.com, Amazon.com or Google’s Gmail, the site is indeed what it claims to be. For example, if you go to Apple’s MobileMe web site, you will see indications such as these in your browser:



At the left of the image above you see Apple Inc. written in green; Safari shows an organization’s name this way when the site presents an Extended Validation certificate (one whose issuer has verified the organization’s identity) and that certificate has been validated by the browser. At the right of the image is a padlock icon, which shows that SSL is being used, and that data is sent and received in encrypted form. (Not all sites will display a name in green, as above, but all SSL sites will show a padlock in the browser title bar.)

So far so good.

Only a limited set of companies, the certificate authorities recognized by browsers and operating systems, are authorized to issue such certificates. One of these, Comodo, was recently hacked, and the attackers were able to obtain nine digital certificates for major web sites, including mail.google.com, login.yahoo.com, login.skype.com and addons.mozilla.org. This means that whoever holds these certificates can set up web sites that impersonate those domains and pass the visual checks shown above. They may be able to use these for phishing attacks as well; when you click on a link, and go to a site, if you see these signs indicating security, you’re likely to trust it.

In addition, this goes beyond just web usage. The same system is used when you log into Gmail from an e-mail program, or when you log into Skype via their application. On a public wifi network, a man-in-the-middle attacker who can spoof DNS responses could direct you to a booby-trapped server presenting one of these certificates, and neither your browser nor your mail client would show a warning.

The domains affected are as follows (some of the nine certificates were issued for the same domain):

  • login.live.com
  • mail.google.com
  • www.google.com
  • login.yahoo.com
  • login.skype.com
  • addons.mozilla.org

Microsoft’s Security Advisory about this issue gives more information about the problem. As they point out:

Comodo has revoked these certificates, and they are listed in Comodo’s current Certificate Revocation List (CRL). In addition, browsers which have enabled the Online Certificate Status Protocol (OCSP) will interactively validate these certificates and block them from being used.

Comodo also discusses the incident in this blog post.

The latest version of Firefox 4, just released this week, ships with these fraudulent certificates explicitly blocked. Google’s Chrome web browser was updated in the same way last week.

Safari, however, does not check CRLs or OCSP by default; the settings that turn this on are in Keychain Access. Open Keychain Access (it is in the Utilities folder inside the Applications folder on a Mac), choose Keychain Access > Preferences, then click the Certificates tab. Set the first two options, for OCSP and CRL, to Best Attempt, and leave Priority set to OCSP. This tells Safari, and any other program that relies on the built-in certificate validation in Mac OS X, to consult these servers before accepting an SSL certificate. One caveat: Best Attempt still accepts a certificate when the revocation server cannot be reached, so an attacker who can also block that traffic (easy for a man-in-the-middle on a public network) gets through; the stricter Require settings close that gap but cause failures on sites whose certificates carry no usable revocation information. These checks can also slow down access to some sites, so you may not want to leave them on permanently.

For now, it is worth turning these settings on to ensure that your Mac is protected. This affects not just Safari but Mac OS X in general, since certificate validation is a system-wide API. Not every application uses it, however (Firefox, for example, keeps its own certificate store), so we cannot guarantee that this resolves the problem entirely.
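The CRL mechanism described in Microsoft’s advisory above, and the reason the Keychain Access revocation setting matters, can be seen end to end with OpenSSL. The following script is an added example, not code from the original post or from Apple or Comodo: it builds a throwaway CA, issues a certificate for mail.google.com from it (the CA name, file paths and serial numbers are constructed for the demo), revokes it and publishes a CRL, then runs `openssl verify` twice. Without a revocation check the revoked certificate is still accepted, exactly the gap the post describes; with `-crl_check` it is rejected.

```shell
#!/bin/sh
# Added example (not from the original post): a throwaway CA issues a
# certificate for mail.google.com, revokes it, publishes a CRL, and we compare
# a verifier that ignores revocation with one that consults the CRL.
# Every name, path and serial below is constructed for this demo.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Minimal configuration for `openssl req` and `openssl ca` (constructed).
write_ca_config() {
    cat > "$WORK/ca.cnf" <<EOF
[ ca ]
default_ca       = demo_ca

[ demo_ca ]
database         = $WORK/index.txt
new_certs_dir    = $WORK
certificate      = $WORK/ca.crt
private_key      = $WORK/ca.key
serial           = $WORK/serial
crlnumber        = $WORK/crlnumber
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = demo_policy
x509_extensions  = v3_leaf

[ demo_policy ]
commonName       = supplied

[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca

[ req_dn ]

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign

[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:mail.google.com
EOF
    : > "$WORK/index.txt"
    echo 01 > "$WORK/serial"
    echo 01 > "$WORK/crlnumber"
}

# Create the demo CA and issue a leaf certificate for mail.google.com from it.
make_demo_pki() {
    write_ca_config
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=Demo CA" -config "$WORK/ca.cnf" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=mail.google.com" -config "$WORK/ca.cnf" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
    openssl ca -batch -notext -config "$WORK/ca.cnf" \
        -in "$WORK/leaf.csr" -out "$WORK/leaf.crt" >/dev/null 2>&1
}

# Revoke the leaf and publish a CRL, as the CA did for the fraudulent certs.
revoke_leaf_and_publish_crl() {
    openssl ca -batch -config "$WORK/ca.cnf" -revoke "$WORK/leaf.crt" >/dev/null 2>&1
    openssl ca -batch -config "$WORK/ca.cnf" -gencrl -out "$WORK/ca.crl" >/dev/null 2>&1
}

# Chain validation only (signature, validity dates, CA flags). Returns 0 if accepted.
leaf_accepted_without_revocation_check() {
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/leaf.crt" >/dev/null 2>&1
}

# Same validation plus a CRL lookup for the leaf. Returns 0 if accepted.
leaf_accepted_with_crl_check() {
    openssl verify -CAfile "$WORK/ca.crt" -CRLfile "$WORK/ca.crl" \
        -crl_check "$WORK/leaf.crt" >/dev/null 2>&1
}

# Number of revoked entries listed in the published CRL.
crl_revoked_count() {
    openssl crl -in "$WORK/ca.crl" -noout -text | grep -c 'Serial Number:'
}

make_demo_pki
revoke_leaf_and_publish_crl

if leaf_accepted_without_revocation_check; then
    echo "no revocation check: ACCEPTED (revoked certificate still passes)"
fi
if leaf_accepted_with_crl_check; then
    echo "CRL check          : ACCEPTED"
else
    echo "CRL check          : REJECTED (certificate revoked)"
fi
```

Note that `openssl verify -crl_check` fails hard when no CRL for the issuer is available; the Best Attempt setting in Keychain Access instead treats an unreachable CRL or OCSP server as "no news", which is what lets a man-in-the-middle who also drops that traffic slip a revoked certificate past the check.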


MacBook and Safari Cracked at Pwn2Own

ZDNet reports that the first computer to fall in the 2011 Pwn2Own hacking contest is a MacBook, and the crack was done via a Safari vulnerability. The winning team, from the French company VUPEN, exploited a weakness in WebKit, the framework used to display web pages in Safari and other applications. They said there are many WebKit vulnerabilities, and that their exploit did not even crash the browser, so in a real-world attack a user would notice nothing.

In other news, no one wanted to bother cracking Google’s Chrome browser. “If Chrome comes out unscathed, as it now appears it will, the browser will have survived three consecutive Pwn2Owns, a record.”