StopBadware.org RSS
Regaining Control of Our Computers
 

Naraine: Apple Software Update still badware

Posted by Maxim Weinstein Tue, 24 Jun 2008 18:24:00 GMT

ZDNet blogger Ryan Naraine called us to task today for not calling Apple Software Update badware. Last month, we stopped short of labeling the application badware after Apple made changes to improve the disclosure of applications that were installed under the guise of updates:

Apple clearly responded to the concerns of the community in making these changes, and consumers will benefit. The previous version of Apple Software Update was confusing to users and had the potential to lead users to stop trusting in the update process, a process that is critical to security efforts. With this change, and hopefully additional changes as the community provides additional feedback to this latest iteration, users can feel more comfortable with what they’re agreeing to when installing updates and new software via Apple’s tool.

Naraine feels that the product’s behavior is still “deceptive and irresponsible”. He writes:

That’s 95 MBs, pre-checked by default, bundled into a security patch and ready to hose my machine.

This is clearly badware behavior and it’s shocking to me that Apple gets away with it. I understand the economics of Apple being aggressive to establish a presence on the Windows ecosystem but this is really unacceptable.

In some cases, including the behavior of Apple Software Update before the changes, an application is clearly and unambiguously badware. In others, including the present state of Apple Software Update, there’s some room for discussion. For example, we have not historically considered an option being selected by default to be a badware behavior, particularly if the disclosure about the meaning of the checkbox was clear to the user. I believe Naraine is making the argument that the meaning is not clear in the context of the Update application.

What do you think? Would you consider Apple Software Update badware? What would you change to ensure it is giving users an informed choice about which software is installed on their computers? Let us know in our discussion group.


Trojan Horses Nip at Apple Vulnerabilities

Posted by Laureli Mallek Mon, 23 Jun 2008 19:34:00 GMT

Software company Intego found this Mac Trojan masquerading as a poker game. The Trojan actually transmits the user’s name, password, and IP address to an external server which it acquires through clever social engineering:

“A corrupt preference file has been detected and must be repaired.” Entering the administrator’s password enables the program to accomplish its tasks. After gaining ssh access to a Mac, malicious users can attempt to take control of them, delete files, damage the operating system, or much more.

Computer World wrote on Friday that SecureMac reported finding another Trojan circulating in the wild. “Its researchers had found a Trojan horse, dubbed ‘AppleScript.THT,’ being distributed from a hacker-operated site where discussions of spreading the malware via iChat, Apple’s instant messaging and video chat software, were also taking place.” Updating that warning today, SecureMac shared that the source code for the Trojan has been distributed, which increases the likelihood of derivative Trojans appearing soon. They write:

“The Trojan is distributed as either a compiled AppleScript, called ASthtv05 (60 KB in size), or as an application bundle called AStht_v06 (3.1 MB in size). The user must download and open the Trojan horse in order to become infected. Once the Trojan horse is running, it will move itself into the /Library/Caches/ folder, and add itself to the System Login Items… Once installed, the Trojan horse turns on File Sharing, Web Sharing, and Remote Login. If the filename of the Trojan horse has not been changed, it can be located in the /Library/Caches folder under the name AStht_06.app.”

Sandi, blogging at Spyware Sucks, opines that Trojans like this demonstrate that social engineering transcends computer platforms. She emphasizes that sharing information about badware can help to build and reinforce a level of user awareness and suspicion about entering personal information while downloading software (and ideally when deciding to download software in the first place). Sandi also comments on complaints that these Trojans were discovered by companies developing Apple security products.

While there may be a financial benefit to those companies, the goal of the security community is to maintain computers as free of badware as possible, and sharing information about risks with professionals and users-at-large focuses attention on problems so that they can be solved or avoided as efficiently as possible.
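An added example, not code from this post or from SecureMac: the description above says the Trojan copies itself into /Library/Caches/ and registers itself as a login item. Application bundles have no business living under a Caches directory, so a scan for them is a cheap indicator check. The script below takes the directory to scan as an argument and, for demonstration, builds a constructed sample tree in a temporary directory (the bundle names in the sample tree are taken from the write-up above; the benign cache name is hypothetical).

```python
"""Report application bundles found under a macOS-style Caches directory."""
import os
import tempfile

# Names quoted in SecureMac's description of AppleScript.THT (see the post above).
KNOWN_NAMES = {"AStht_06.app", "AStht_v06"}


def find_app_bundles(caches_dir, max_depth=2):
    """Return sorted (path, verdict) pairs for every *.app directory within
    max_depth levels of caches_dir.  Bundles are not descended into, and
    a missing caches_dir simply yields an empty list."""
    hits = []
    base_depth = caches_dir.rstrip(os.sep).count(os.sep)
    for root, dirs, _files in os.walk(caches_dir):
        depth = root.count(os.sep) - base_depth
        for name in list(dirs):
            if name.endswith(".app"):
                verdict = "known_sample" if name in KNOWN_NAMES else "unexpected_bundle"
                hits.append((os.path.join(root, name), verdict))
                dirs.remove(name)          # a bundle is a leaf for our purposes
        if depth + 1 >= max_depth:
            dirs[:] = []                   # stop descending past max_depth
    return sorted(hits)


def build_sample_tree():
    """Constructed sample (hypothetical layout): one benign browser cache,
    a bundle named like the Trojan, an unrelated bundle one level down,
    and a bundle buried too deep to be reported with the default depth."""
    root = tempfile.mkdtemp(prefix="caches-")
    os.makedirs(os.path.join(root, "com.example.browser"))
    open(os.path.join(root, "com.example.browser", "Cache.db"), "w").close()
    os.makedirs(os.path.join(root, "AStht_06.app", "Contents", "MacOS"))
    open(os.path.join(root, "AStht_06.app", "Contents", "MacOS", "applet"), "w").close()
    os.makedirs(os.path.join(root, "Nested", "Other.app", "Contents"))
    os.makedirs(os.path.join(root, "Deep", "A", "B", "Deep.app"))
    return root


def sample_scan():
    """Scan the constructed tree and return verdicts keyed by relative path."""
    root = build_sample_tree()
    return [(os.path.relpath(path, root).replace(os.sep, "/"), verdict)
            for path, verdict in find_app_bundles(root)]


if __name__ == "__main__":
    # Real use: python scan_caches.py /Library/Caches
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    for path, verdict in find_app_bundles(target):
        print(f"{verdict:18} {path}")
```

Run it against /Library/Caches (and the per-user ~/Library/Caches) to list any bundles; an unexpected bundle is a reason to look at the login items and sharing settings next, not proof of infection on its own.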


Apple Fixes Safari Vulnerability on Windows

Posted by Maxim Weinstein Fri, 20 Jun 2008 12:56:00 GMT

About a month ago, we questioned Apple for characterizing a Safari security vulnerability as a “feature” issue, not a security issue. This issue got further attention when Microsoft announced that the Safari vulnerability combined with a Windows vulnerability could lead to remote code execution.

I’m glad to report that Apple has patched the hole in the Windows version of Safari, though they continue to treat the unprompted downloading of files as a non-security issue, as indicated by this write-up from their advisory:

An issue exists in how the Windows desktop handles executables. Saving an untrusted file to the Windows desktop may trigger the issue, and lead to the execution of arbitrary code. Web browsers are a means by which files may be saved to the desktop. To help mitigate this issue, the Safari browser has been updated to prompt the user prior to saving a download file. Also, the default download location is changed to the user’s Downloads folder on Windows Vista, and to the user’s Documents folder on Windows XP. This issue does not exist on systems running Mac OS X.

In other words, Apple is saying that the only security issue is the Windows desktop vulnerability, so they’ve patched Safari to protect you from Microsoft’s flaws. While the patch is an essential download for users of Safari for Windows, it is disappointing that Apple continues to shift the blame and to indicate that the Mac version of Safari does not have a security issue.

I also hope that we will see a patch from Microsoft that addresses the Windows desktop vulnerability directly.

Hat tip to Ryan Naraine at the ZDNet Zero Day Blog for reporting on Apple’s update.


Badware led to child porn charge

Posted by Maxim Weinstein Mon, 16 Jun 2008 17:17:00 GMT

An article in today’s Boston Herald highlights a case in which an unsuspecting user had his life turned upside down because of malware:

A child porn possession charge lodged against a Department of Industrial Accidents investigator fired for having smut on his state-issued laptop has been dismissed because experts concluded he was unwittingly spammed.

“The overall forensics of the laptop suggest that it had been compromised by a virus,” said Jake Wark, spokesman for Suffolk District Attorney Daniel Conley.

In addition to highlighting the importance of keeping one’s computer well protected, this story reinforces our previous position about the Safari “carpet-bombing” vulnerability. If users are going to be held accountable for the files downloaded to their PCs, it is critical that web browsers protect users from unexpected, unauthorized downloads.

I’m heartened by the fact that prosecutors dropped the charges in light of the forensic evidence, and I hope that they eventually catch the real bad guys, who are the ones taking and distributing inappropriate pictures of young children.


Safari Vulnerability: Now a Blended Flavor

Posted by Laureli Mallek Thu, 12 Jun 2008 18:46:00 GMT

I blogged previously about a Safari vulnerability noted by Nitesh Dhanjani. He found that Safari automatically downloads items to a default location, which happens to be the desktop on both Apple and Windows machines. By itself, this vulnerability can be frustrating (by “carpet bombing” your desktop) or dangerous (downloading a cleverly disguised piece of badware). On machines with Internet Explorer, the Safari vulnerability combines with an Internet Explorer vulnerability noted in 2006 by Aviv Raff and a larger problem develops (italic emphasis mine).

The new [2006 to current] version of Internet Explorer is vulnerable to a DLL-load hijacking. When IE7 is executed it will load several DLL files. While trying to load some of those files, it does not provide the full path of the DLL file to the function which loads the DLL file to the memory, and therefore Windows will search for this file in the user’s machine using the directories provided in the PATH environment variable, and will load the first match it finds…

Now, all the attacker has to do to bypass this detection is to put a malicious DLL file (or just a downloader DLL of a malicious file) in one of the PATH directories (e.g. the user’s desktop), and the next time the user runs IE7 the code of the attacker’s file will be executed instead of the original DLL file… I’ve reported this to Microsoft a few days ago [in November 2006]. Their response: “If the attacker can put a dll on the box in a location that is in the user’s PATH variable, then they already own the box.”

LiuDie Yu proves this type of attack can cause an item to be downloaded by Safari on to the desktop of a Windows machine, perhaps as a “hidden” document which is not displayed on the desktop, and executed as the Internet Explorer application launches. Microsoft has issued a warning about the danger to people running both browsers on their Windows machine. It suggests that users “Restrict use of Safari as a web browser until an appropriate update is available from Microsoft and/or Apple.”

An immediate work-around has been suggested by several sources: change the default download location in your Safari browser to a separate folder for downloaded items. Hopefully Apple and Microsoft will realize that these vulnerabilities do pose a threat serious enough to warrant a patch in the near future.
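The blended issue above needs two preconditions: a browser that saves files into a folder without asking, and a loader that searches that folder for libraries because it is on PATH. The work-around quoted here addresses the first; the script below, an added example that is not code from this post, from Aviv Raff or from LiuDie Yu, checks the second by classifying every PATH element as ok, writable by the current user, missing, relative or empty. The file-system probes are parameters so the logic can be run against a constructed sample (the Windows paths in the sample are hypothetical) as well as against the live environment.

```python
"""Audit a PATH-style variable for directories a library could be dropped into."""
import ntpath
import os
import sys
from dataclasses import dataclass


@dataclass
class PathFinding:
    entry: str
    problem: str  # "ok", "writable", "missing", "relative" or "empty"


def classify_entry(entry, isabs, exists, is_dir, writable):
    """Classify one PATH element. The four probes are callables str -> bool."""
    if not entry.strip():
        return "empty"      # some loaders treat an empty element as the current directory
    if not isabs(entry):
        return "relative"   # resolved against whatever the current directory is at load time
    if not exists(entry) or not is_dir(entry):
        return "missing"    # whoever can create this directory controls what is found there
    if writable(entry):
        return "writable"   # anyone with this user's rights can plant a library here
    return "ok"


def audit_path(path_value, pathsep=os.pathsep, isabs=os.path.isabs,
               exists=os.path.exists, is_dir=os.path.isdir,
               writable=lambda p: os.access(p, os.W_OK)):
    """Classify each element of path_value in search order; order matters,
    because the first directory holding a matching name wins."""
    return [PathFinding(e, classify_entry(e, isabs, exists, is_dir, writable))
            for e in path_value.split(pathsep)]


def risky_entries(findings):
    return [f for f in findings if f.problem != "ok"]


# Constructed Windows-style sample (hypothetical paths): a user-writable
# desktop folder appended to PATH, an empty element, and a vanished directory.
SAMPLE_PATH = r"C:\Windows\system32;C:\Windows;C:\Users\alice\Desktop;;C:\Tools\missing"
SAMPLE_DIRS = {r"C:\Windows\system32", r"C:\Windows", r"C:\Users\alice\Desktop"}
SAMPLE_WRITABLE = {r"C:\Users\alice\Desktop"}


def sample_audit():
    """Audit the constructed sample using lookup-table probes instead of the live file system."""
    return audit_path(SAMPLE_PATH, pathsep=";", isabs=ntpath.isabs,
                      exists=lambda p: p in SAMPLE_DIRS,
                      is_dir=lambda p: p in SAMPLE_DIRS,
                      writable=lambda p: p in SAMPLE_WRITABLE)


if __name__ == "__main__":
    # "--sample" audits the constructed PATH; otherwise the process's own PATH is audited.
    findings = sample_audit() if "--sample" in sys.argv else audit_path(os.environ.get("PATH", ""))
    for f in findings:
        print(f"{f.problem:9} {f.entry!r}")
    sys.exit(1 if risky_entries(findings) else 0)
```

Run on a Windows machine it shows whether the desktop (or any other folder a browser drops files into) is on the search path at all; run on any other system it performs the same audit for that loader's PATH. A non-zero exit code makes it usable from a login script or configuration check.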


Safari Security Questioned; SBW Encourages Action

Posted by Laureli Mallek Mon, 19 May 2008 17:09:00 GMT

You may recall that StopBadware.org recently played a role in successfully encouraging Apple to improve its disclosure in pushing the Safari web browser to users through its Apple Software Update application. Now, Nitesh Dhanjani, a security researcher, writes about his recent interaction with Apple. Dhanjani alerted Apple to several potential issues that he discovered in the company’s web browser, Safari, most notably the potential for a “Safari Carpet Bomb.”

He writes that Safari “cannot be configured to obtain the user’s permission before it downloads a resource,” and provides this example:

Now assume that http://malicious.example.com/cgi-bin/carpet_bomb.cgi is the following:

#!/usr/bin/perl
print "Content-type: blah/blah\n\n";

Since Safari does not know how to render content-type of blah/blah, it will automatically start downloading carpet_bomb.cgi every time it is served.

CNET commented that files downloaded by Safari to the desktop on Windows, or the Downloads folder on Mac OS, create the potential for multiple files of unknown nature to mingle with legitimate downloads.

The Apple security team replied to Dhanjani’s emails courteously, but making it clear that this is not a security priority for the company:

We can file that as an enhancement request for the Safari team. Please note that we are not treating this as a security issue, but a further measure to raise the bar against unwanted downloads. This will require a review with the Human Interface team. We want to set your expectations that this could take quite a while, if it ever gets incorporated.

Assuming Nitesh’s analysis is accurate, “unwanted downloads,” as Apple calls them, represent a serious security threat to users, who can be easily tricked into executing a malicious file. StopBadware.org believes that users should have control over software being downloaded to their computers, and we encourage Apple to reconsider its stance and treat this as the security issue that it is.


Apple Responds to Community Concerns

Posted by Maxim Weinstein Thu, 17 Apr 2008 15:11:00 GMT

A few weeks ago, the blogosphere raised concerns about the Windows version of Apple Software Update for offering new software installations (e.g., Safari) disguised as product updates. At the time, we blogged about it and said we were looking into it. It turns out that we were prepared to release an alert today identifying the product as badware. I’m glad to report, however, that we don’t have to, as Apple yesterday released an updated version that addresses the concerns that bloggers and StopBadware.org raised with them.

Here’s some additional information about our recent activity on this issue:

On Monday, I called Apple’s PR department to notify them that we were preparing to release a badware alert about Apple Software Update on Thursday (i.e., today). (It is our standard policy to give advance notice and send a copy of the draft to the software producer before we release a badware alert.) When I hadn’t received a call by Tuesday, I e-mailed the draft to several PR people at Apple whose job titles seemed most likely to be relevant to the issue. I never did receive a response.

The alert draft made one clear recommendation to Apple:

Clearly differentiate, in a manner understandable to a typical computer user, between software updates and installations of new applications.

Our detailed report draft, which accompanied the alert, also included the following observation:

Apple does not appear to have a software license agreement (SLA) or privacy policy for Apple Software Update. None is included during installation, none can be found in the application itself, and none is listed on Apple’s SLA web page. We have not been made aware of any behaviors in Apple Software Update that affect user privacy.

Late on Wednesday, one of our staff noticed that Apple Software Update was notifying him of a new version of itself. This morning, I ran Apple Software Update myself and, sure enough, I saw a new version of Apple Software Update available (listed as version 2.1, reported in the app as 2.1.0.110). I chose to install it and was immediately presented with an SLA for Apple Software Update. After accepting, the update installed and prompted me to reboot. After the reboot, I ran the new version of Apple Software Update, and I saw this:

Notice the difference in how the new applications (in this case, Safari and iTunes + QuickTime) are presented compared to the old version:

Note also the difference in language in the line under “New software is available from Apple.” We had noted the old language, which explicitly referred to updates, in our report draft.

Apple clearly responded to the concerns of the community in making these changes, and consumers will benefit. The previous version of Apple Software Update was confusing to users and had the potential to lead users to stop trusting in the update process, a process that is critical to security efforts. With this change, and hopefully additional changes as the community provides additional feedback to this latest iteration, users can feel more comfortable with what they’re agreeing to when installing updates and new software via Apple’s tool.


Mac hacked via web

Posted by Maxim Weinstein Fri, 28 Mar 2008 14:09:00 GMT

According to the Mac Observer, a MacBook Air was compromised via what sounds like a drive-by download style attack in a hacking competition:

On the first day of the event, contestants unsuccessfully attempted to remotely hack into the Mac, a Windows PC, and a Linux PC. On the second day, however, Mr. Miller was able to gain control over the MacBook Air in only two minutes by directing a contest organizer to visit a specially crafted Web site with the laptop.

Although the exploit code is not “in the wild” as the security industry likes to say, this still sends the message that the Mac is not immune to such attacks, even if Windows is the more commonly-exploited platform.


Apple updates raise eyebrows

Posted by Maxim Weinstein Mon, 24 Mar 2008 20:32:00 GMT

Bloggers have recently reported that the current version of the Apple Software Update tool for Windows, which is bundled with some of Apple’s current products, such as QuickTime and iTunes, offers the user “updates” for applications (e.g., the Safari web browser) that are not currently installed on the machine. Choosing to install the offered updates, all of which are selected by default, reportedly results in the additional applications being downloaded and installed. This differs from many automatic update applications, which offer only to update software that is already installed on the user’s machine.

Gizmodo reported the practice on Friday:

If you pop open Apple Software Update in Windows, you’ll see a fresh item in there today: Safari 3.1. Even if you don’t already have it installed. This is the first time they’ve used Software Update to push Safari on Windows users that didn’t already have it. What’s up with the new, more aggressive thrust?

John Lilly, CEO of the Mozilla Foundation, which oversees the development of open source web browser Firefox, also reported and commented on the behavior:

What Apple is doing now with their Apple Software Update on Windows is wrong. It undermines the trust relationship great companies have with their customers, and that’s bad — not just for Apple, but for the security of the whole Web. What they did yesterday was to use their updater for iTunes to also install their Safari Web browser…

StopBadware.org has not at this time evaluated the products in question. As we are committed to consistently and fairly applying our badware guidelines, we have added the current Windows versions of Apple Software Update tool, QuickTime player, and iTunes to our testing queue. When we have completed our evaluation, we will post our findings.


Apple Users May Need to Focus on Security

Posted by Laureli Mallek Wed, 05 Mar 2008 15:58:00 GMT

Apple traditionally has not been a target of hackers, yet that may be changing. Two articles this week note that increased popularity and some specific security holes in programs pose potential weaknesses.

Jeremy Kirk, at PC World, explains that the increased popularity of the operating system correlates with an increased likelihood of attacks. Apple has been actively releasing security updates, and several companies have developed products for OS X security.

PayPal has recently requested that users transition away from Safari, because the browser does not provide adequate phishing protection. Michael Barrett, a Senior Researcher at PayPal and a StopBadware board member, had this to say: “Our recommendation at this point, to our customers, is use Internet Explorer 7 or 8 when it comes out, or Firefox 2 or Firefox 3, or indeed Opera.”

Just goes to show that vigilance (and downloading security updates) is important for all operating systems available.



Consumer Reports WebWatch is not receiving any corporate support for its participation in this program.

Copyright © 2006 - All content for this site is under a Creative Commons license