
Security Quest #11: Leopard Firewall Updates

Apple recently released security updates for its OS products, and among them were three updates for Leopard, all centered on the firewall. All three were included in the OS X 10.5.1 update.

One of the fixes took a page from Microsoft: change some words so the problem can be called solved. This re-wording was for the problem described as:

The “Block all incoming connections” setting for the firewall is misleading.

Apple fixed this by renaming the setting to “Allow only essential services”. According to the bulletin, they have also reduced the number of processes allowed to accept connections through the firewall in this mode. It used to be that any process running as root could accept incoming connections. Now the list is limited to configd (DHCP and network configuration), mDNSResponder (Bonjour) and racoon (IPsec).

The second fix concerns the block list. Previously, any process running as root was allowed through the firewall even if it was on the list of applications to block. As of OS X 10.5.1 a process on the block list is blocked even when it runs as root.

The third firewall fix makes changes to the firewall settings take effect immediately. Previously some processes had to be restarted before a change applied to them.

So, Apple made some changes to the firewall so it makes a little more sense and the way it works is more clearly defined. I still prefer the OS X 10.4 method of opening ports by number.
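To see what the “Allow only essential services” mode actually covers on a given Mac, it helps to list what is listening and which user each listener runs as. The script below is an added example, not code from the original post or from Apple: it parses constructed sample output in the format of `lsof +c 0 -i -P -n` (`+c 0` keeps full process names, which lsof otherwise truncates) and sorts the listeners into the three services the bulletin exempts, loopback-only listeners that no remote host can reach regardless of the firewall, and everything else, which this mode blocks. The process names, PIDs and addresses in the sample are made up, and treating the exemption as keyed on the process names given in the bulletin is an assumption.

```python
"""Relate a Mac's listening sockets to Leopard's "Allow only essential
services" firewall mode. Added example; not from the original post or Apple.

Sample input is constructed to look like `lsof +c 0 -i -P -n` output
(+c 0 keeps full command names, -P and -n suppress port and host lookups).
"""
from dataclasses import dataclass
from typing import List, Tuple

# The three processes Apple's 10.5.1 bulletin says may still accept
# incoming connections in "Allow only essential services" mode.
# Assumption: the exemption is keyed on these process names.
ESSENTIAL_SERVICES = {"configd", "mDNSResponder", "racoon"}

# Constructed sample, not a real capture; names, PIDs and addresses are made up.
SAMPLE_LSOF = """\
COMMAND         PID           USER   FD   TYPE   DEVICE SIZE/OFF NODE NAME
configd          43           root   10u  IPv4 0x1a2b3c      0t0  UDP *:68
mDNSResponder    44 _mdnsresponder    8u  IPv4 0x1a2b4d      0t0  UDP *:5353
racoon          101           root    6u  IPv4 0x1a2b5e      0t0  UDP *:500
sshd            210           root    3u  IPv4 0x1a2b6f      0t0  TCP *:22 (LISTEN)
cupsd           215           root    5u  IPv4 0x1a2b70      0t0  TCP 127.0.0.1:631 (LISTEN)
Transmission   3011            ray   14u  IPv4 0x1a2b81      0t0  TCP *:51413 (LISTEN)
Safari         3099            ray   22u  IPv4 0x1a2b92      0t0  TCP 192.168.1.20:49213->17.149.160.49:80 (ESTABLISHED)
"""


@dataclass(frozen=True)
class Listener:
    command: str
    pid: int
    user: str
    proto: str    # "TCP" or "UDP"
    address: str  # e.g. "*:22" or "127.0.0.1:631"

    @property
    def loopback_only(self) -> bool:
        """Bound to the loopback interface, so unreachable from other hosts."""
        host = self.address.rsplit(":", 1)[0]
        return host in ("127.0.0.1", "[::1]", "localhost")


def parse_lsof(text: str) -> List[Listener]:
    """Return the sockets waiting for incoming traffic.

    lsof prints nine columns and NAME, the last, may contain spaces
    ("*:22 (LISTEN)"), so split into at most nine fields. The header row,
    established TCP connections and UDP sockets with a peer are skipped.
    """
    listeners = []
    for line in text.splitlines()[1:]:
        fields = line.split(None, 8)
        if len(fields) < 9:
            continue
        command, pid, user, _fd, _type, _dev, _size, node, name = fields
        if node == "TCP" and "(LISTEN)" not in name:
            continue
        address = name.split()[0]
        if "->" in address:
            continue
        listeners.append(Listener(command, int(pid), user, node, address))
    return listeners


def classify(listeners: List[Listener]) -> Tuple[List[Listener], ...]:
    """Split listeners into: exempt essential services, loopback-only
    listeners, listeners this mode blocks, and the root-owned subset of
    the blocked ones (the ones pre-10.5.1 Leopard let through anyway)."""
    allowed = [s for s in listeners if s.command in ESSENTIAL_SERVICES]
    loopback = [s for s in listeners
                if s.command not in ESSENTIAL_SERVICES and s.loopback_only]
    blocked = [s for s in listeners
               if s.command not in ESSENTIAL_SERVICES and not s.loopback_only]
    blocked_root = [s for s in blocked if s.user == "root"]
    return allowed, loopback, blocked, blocked_root


def report(text: str) -> str:
    """Plain-text summary of classify() for the given lsof output."""
    allowed, loopback, blocked, blocked_root = classify(parse_lsof(text))

    def fmt(s: Listener) -> str:
        return f"  {s.command} (pid {s.pid}, {s.user}) {s.proto} {s.address}"

    lines = ["Admitted as essential services:"] + [fmt(s) for s in allowed]
    lines += ["Loopback only (not reachable remotely):"] + [fmt(s) for s in loopback]
    lines += ["Blocked in 'Allow only essential services' mode:"] + [fmt(s) for s in blocked]
    lines.append(f"{len(blocked_root)} root-owned listener(s) blocked that "
                 "pre-10.5.1 Leopard would have let through")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LSOF))
```

Against a real machine, feed the output of `lsof +c 0 -i -P -n` to `report()` in place of the sample. The root-owned count at the end is exactly the set of listeners the pre-10.5.1 firewall would have admitted despite the setting; if something in the blocked list is a service you rely on, the per-application mode is the one to use rather than the essential-services mode.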

News & Links
  • RR Securing WordPress Tips – Good tips for securing a WordPress website.
  • Privacy Implications of RFID Tags – An interesting read on the topic.
  • Hushmail To Warn Users of Law Enforcement Backdoor – Hushmail, always thought to be secure, can read any email with a court order. Even those using their most secure product.
  • Apple security updates (OS X 10.3 & 10.4 and Safari 3 Beta for Windows) – Apple released OS X 10.4.11 for Tiger, which includes security updates. Also Security Update 2007-008 for OS X 10.3.9. And finally, Safari 3.0.4 beta for Windows, which includes security updates.
  • In ID theft, some victims see opportunity – Roundup of ways companies make money from ID theft. Needing to pay to protect our identity just seems wrong to me.


The OS Quest Trail Log #15

When I upgraded to Leopard I kept Safari as my default browser so it would open whenever I clicked a link. But I kept using Firefox for almost everything. I liked how fast Safari was when I did fire it up. So this morning I decided to switch over and start using Safari as my primary browser, only going to Firefox when there’s no choice. Safari definitely feels faster and uses less memory.

The Greasemonkey and Browser Sync extensions for Firefox give it an edge in features over Safari, especially when running multiple computers. But having to stop and restart Firefox after using it for extended periods has become a bit annoying, especially when I had to force quit it. Let’s see how far I can go with Safari.

Software Upgrades

There were a lot of software upgrades for me this week. I already wrote about the upgrades to WordPress 2.3.1 and VMware Fusion 1.1. Then there was the OS X 10.5.1 update for Leopard. I haven’t noticed much of a change since the upgrade. Wireless on my Mac Mini now works when it wakes from sleep mode, but that’s about it for noticeable changes.

Adobe released Lightroom 1.3 which includes fixes for Leopard and additional enhancements. I updated my evaluation copy of Lightroom and found that the evaluation counter was reset back to 30 days.

Fetch, from Fetch Softworks, has been updated to version 5.3. It includes improved compatibility with Leopard. I upgraded but rarely use Fetch these days so haven’t used it since the upgrade.

Remote Buddy 1.8 was released: four fixes, five new features and seven enhancements to an already great remote control program. I didn’t have any problems after the upgrade, but I barely scratch the surface of what this app can do.

News & Links
  • Cocktail 4 for Mac now supports Leopard – Cocktail 4 has been released and now supports Leopard. Cocktail is a maintenance and UI tweaking tool for the Mac.
  • Firefox 3.0 may ship with a slew of serious bugs intact – CNet tech news blog is reporting that Mozilla may ship Firefox 3 with only about 20% of the “blocker” bugs fixed. Blockers are supposed to be serious enough to justify postponing a release.
  • OmniFocus for the Mac – Described as personal task management software. A pre-release beta is now available and can be downloaded for free. If you buy before the Jan 8th release you pay half price ($40, charged immediately).
  • Congress Moves Forward With Required University Subsidies To Napster, Ruckus – TechDirt has an article that’s a rather glaring indictment of our government and how they subsidize failing businesses by attacking education.
  • FileMaker’s Bento: Undercooked and Slightly Fishy – Good overview of Bento and its shortcomings.
  • New bill would punish colleges, students who don’t become copyright cops – The article sums up the incredibly bad idea rather well.
  • Meet Bento — Learn More – Bento is from FileMaker and is described as a personal database that’s Leopard only. A beta preview is available for download.
  • Vista SP1 release candidate goes out to testers – The headline says it all.
  • JkDefrag v3.29 – Free open source disk defragmenter for Windows 2000 through Vista, updated to version 3.29.
  • gOS PC Sells Out: People Like A Google Focused PC – Seems like the $200 Walmart PC, the one in the oversized case so people think it’s powerful, is a hit.
  • Improve your Stacks with some drawers – Haven’t tried it yet, but sounds like the slickest solution out there.
  • Google Has Even Bigger Plans for Mobile Phones – The Wall Street Journal is among those reporting Google will bid on some wireless spectrum in January. They report Google is already running a test version of an advanced wireless network.


Security Quest #10: Microsoft Patch Tuesday

Another second Tuesday of the month and another bundle of patches from Microsoft was expected. This time around there’s only one update for Microsoft desktops. Windows Vista goes patch-less this month.

MS07-061 is a critical update for Windows XP on the desktop, for both the 32-bit and 64-bit editions. It supersedes MS06-045 and patches a vulnerability that allowed remote code execution when a specially crafted URI was passed to Windows. Windows 2000 Professional and Windows Vista are not affected. Several server versions also require the patch. I needed to reboot after installing this patch through Automatic Updates.

MS07-062 was also released but it is only for servers.

Old Business

I’d previously written about the PayPal security fob and VeriSign’s Personal Identity Protection program (PIP). VeriSign has since added a credit-card-sized “security card” that can be carried in a wallet. It’s not available at the subsidized PayPal price and will set you back $48. At least these appear to be gaining traction, which is good. It also appears that multiple fobs can now be registered with the same ID, so you can have one for home and one for the office if you don’t want to carry them around.

News & Links
  • Microsoft exec calls XP hack ‘frightening’ – Not really news, but points out that patching is needed. A Windows XP SP1 PC without a firewall or other security software was easily hacked; is this really news? SP2 enables a firewall by default.
  • ‘Botmaster’ admits infecting 250,000 computers – Security consultant by day, botmaster by night. John Schiefer could get a 60 year jail sentence after pleading guilty.
  • Infamous Russian malware gang vanishes – The Russian Business Network has vanished. No one thinks they packed their toys away.
  • Encrypted E-Mail Company Hushmail Spills to Feds – Hushmail’s easiest-to-use service is not so private. Hushmail provides encrypted e-mail and offers a service that does the encryption on their server. While easier to use, it means they see your passphrase, unlike their client-side encryption products.
  • Malware-pushing web sites on the rise, say researchers: 66,000 and counting – Malware-hosting websites are on the rise according to researchers.
  • Drive Erazer erazes your drivez – If you have a lot of hard drives that you really want to erase.
  • Some Maxtor Personal Storage 3200s shipped with virus – Oops.


The OS Quest Trail Log #14: Just News & Links

It’s been a slow week on the quest. Everything either made it into a post already or is part of a post I’m working on. So it will just be news & links today.

Software Upgrades

Acorn Release Notes – The Acorn image editor has been updated to version 1.03. I’ve been using this as my editor for what little image work I do. I didn’t have any problems with the upgrade.

Jungle Disk 1.46 has been released. It adds support for file archiving and automated cleanups. While I liked Jungle Disk I still haven’t found a regular use for it, so I haven’t tried the update.

News & Links
  • Mac OS X 10.5 (Darwin 9.0) – Apple has released the Darwin source code that’s the foundation of Leopard.
  • An old hat with new tricks: Fedora 8 officially released – Fedora 8 has been officially released.
  • Featured Firefox Extension: Kick Off Your Daily Browsing with Morning Coffee – Firefox extension to open a set of bookmarks on a given day or days.
  • The Monster Guide to Customizing Apple’s OS X! – Numerous OS X tweaks in one place.
  • Retrospect updated for Leopard – The Unofficial Apple Weblog (TUAW) – EMC’s Retrospect backup software has been updated for Leopard.
  • blacktree-alchemy – Quicksilver has gone open source and is up on Google Code.


Security Quest #9 – OSX.RSPlug.A Brings Macs Mainstream

There was news last week of a piece of malware targeting OS X. It’s called OSX.RSPlug.A (a.k.a. DNSChanger) and it’s a trojan distributed through porn sites (no puns). A lot was made of the fact that, by changing the Mac’s DNS settings, it *could* redirect browsers to malicious websites, such as phishing sites.

The only real news here was that OS X was specifically targeted by a malware writer. It didn’t exploit any deficiency in OS X security. The only way to get the malware to install was to convince the user that they wanted to install the software. Intego and other security software vendors are promoting the fact that they can detect the trojan.

Let’s look at what’s involved to infect a Mac with this bug. You had to:

  • Visit a website, in this case a porn site, and be enticed into downloading a file. In this case it was said to be a codec needed to view some videos.
  • After downloading the DMG file you had to open it and run the installer.
  • When the installer ran you’d be prompted for an administrator password, which you’d have to enter.
  • Then the software would install.

So the only security hole was between the keyboard and the chair, not in the software.

MacWorld has a good article on how to detect the trojan.
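The point of a DNS changer is that the Mac keeps working and every URL the user types still “works”; only the server answering the lookups has changed. So the check worth scripting is whether the resolvers the system is actually using are the ones you expect. The script below is an added example, not code from the original post or the MacWorld article: it parses constructed sample output in the format of `scutil --dns`, which prints the resolver configuration OS X is using, and flags any nameserver not in an expected set. The expected set (the router address handed out by DHCP) and the two public nameserver addresses in the sample are made up for the example.

```python
"""Compare the DNS resolvers a Mac is actually using with the ones you
expect. Added example; not from the original post or the MacWorld article.

DNSChanger-style malware leaves everything else alone and just points the
system at attacker-controlled nameservers, so a correctly typed URL can
still land on a phishing host. `scutil --dns` prints the resolver
configuration OS X is using; this parses that output.
"""
import ipaddress
import re
from typing import Dict, Iterable, List, Tuple

# Assumption: on this network the DHCP-assigned router is the only resolver.
EXPECTED_NAMESERVERS = frozenset({"192.168.1.1"})

# Constructed sample of `scutil --dns` output after the resolvers have been
# swapped. The public addresses are made up for the example.
SAMPLE_SCUTIL_DNS = """\
DNS configuration

resolver #1
  domain : home.lan
  nameserver[0] : 62.0.113.7
  nameserver[1] : 62.0.113.8
  order   : 200000

resolver #2
  domain : local
  options : mdns
  timeout : 2
  order   : 300000
"""

RESOLVER_RE = re.compile(r"^resolver #(\d+)")
NAMESERVER_RE = re.compile(r"^\s*nameserver\[\d+\]\s*:\s*(\S+)")


def parse_scutil_dns(text: str) -> Dict[int, List[str]]:
    """Map each resolver number to the nameservers listed under it."""
    resolvers: Dict[int, List[str]] = {}
    current = None
    for line in text.splitlines():
        m = RESOLVER_RE.match(line)
        if m:
            current = int(m.group(1))
            resolvers[current] = []
            continue
        m = NAMESERVER_RE.match(line)
        if m and current is not None:
            resolvers[current].append(m.group(1))
    return resolvers


def is_off_network(nameserver: str) -> bool:
    """True when the address is outside private (RFC 1918) or loopback space.

    A public resolver is not proof of tampering (some people use public
    DNS on purpose), but it is the first thing to look at on a home Mac.
    """
    try:
        addr = ipaddress.ip_address(nameserver)
    except ValueError:
        return True  # not even an IP address; flag it
    return not (addr.is_private or addr.is_loopback)


def unexpected_nameservers(resolvers: Dict[int, List[str]],
                           expected: Iterable[str]) -> List[Tuple[int, str]]:
    """(resolver number, nameserver) pairs not in the expected set.

    A resolver with no nameservers at all, such as the mDNS one for
    .local, is normal and produces nothing.
    """
    expected = set(expected)
    return [(num, ns)
            for num, servers in sorted(resolvers.items())
            for ns in servers if ns not in expected]


def check(text: str, expected: Iterable[str] = EXPECTED_NAMESERVERS) -> List[str]:
    """Human-readable findings; an empty list means the resolvers match."""
    findings = []
    for num, ns in unexpected_nameservers(parse_scutil_dns(text), expected):
        kind = "public address" if is_off_network(ns) else "private address"
        findings.append(f"resolver #{num}: unexpected nameserver {ns} ({kind})")
    return findings


if __name__ == "__main__":
    for finding in check(SAMPLE_SCUTIL_DNS) or ["DNS resolvers match the expected set"]:
        print(finding)
```

Against a real machine, feed the output of `scutil --dns` to `check()` with your own network’s resolver addresses as the expected set. A resolver pointing at an address you never configured is the thing to investigate, whatever the installer that put it there claimed to be.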

The first rule of PC security (personal computers, Macs included) should always be: only install software from trusted sources. This wasn’t a drive-by install where the user visited a website and it installed automatically. On the other hand, there are people who say they visit websites in bad neighborhoods with Macs because Macs are safe and secure. This shows that Macs are beginning to be targeted, so that is probably not a good attitude. As much care needs to be taken on Macs as on Windows machines.

One of the things that makes Macs a less than perfect choice for visiting bad neighborhoods is that Safari has “Open “safe” files after downloading” enabled by default. It’s a poorly named option and should be turned off. Safari doesn’t determine safety. What it really means is that it will open file types which don’t execute anything on their own when all systems are working as designed. That includes DMG and PDF files, both of which have recently carried malware. If a vulnerability were found that enabled automatic execution from one of these file types, this default could be deadly. If nothing else, the name gives a false sense of security, since it sounds like OS X can determine whether the file is safe. The setting is under Safari preferences, on the General tab; the screenshot at the beginning of this paragraph shows it with the Safari defaults.

If you want to visit bad neighborhoods or want an extra level of protection there is software available to help protect your Mac.

ClamXav is a free (donationware) virus checker for OS X built on the open source ClamAV anti-virus engine. It allows certain directories to be watched, and all file changes in those directories will be scanned. Scans can also be scheduled. There isn’t any real-time scanning other than the watched-directories feature. I used ClamXav under Tiger, but there are currently Leopard issues so I haven’t re-installed it since upgrading. These issues appear related to scheduling and other non-detection features.

Intego has a full menu of security products. They are clearly the market leader in OS X security software. When I switched from Windows I naturally wanted anti-virus software so I purchased an earlier version of their anti-virus software. While I never came across any viruses for it to detect the software seemed fine. My main complaint is I feel they’re expensive. Be aware that their products that include definition updates may have just a one year subscription. I stopped using them when my subscription ran out and I didn’t feel the upgrade cost was justified for me. They also promoted paid upgrades through the same update engine that pulled down virus definition updates but didn’t identify them as paid until the update was selected, which was annoying. Intego has stated all their products are Leopard compatible. Trial versions are available.

MacScan by SecureMac is an anti-spyware program for OS X that is currently Leopard compatible. This is a traditional anti-spyware program that scans the Mac on demand or on a schedule. Detection ranges from tracking cookies to key loggers. A thirty day demo is available. I downloaded and ran the demo today. I’ll have more info when I’ve run it awhile, but it has a fairly simple interface, as shown in the screenshot at the beginning of this paragraph. The 41 pieces of spyware detected in the scan were all tracking cookies from websites and web ads. When spyware is detected you have the option of picking and choosing which you want “isolated”, in MacScan terms. Despite the term, tracking cookies are just deleted.

Both McAfee and Symantec have security software for the Mac. Neither seems to have particularly good reviews available. The Symantec software can be viewed on their site (select Macintosh Products from the drop-down list), and McAfee has product information on theirs. Neither the Symantec nor the McAfee products appear Leopard ready.

ClamXav and MacScan appeal to me because they are non-intrusive on the system. They are also the lowest cost solutions. I’ll probably stick with ClamXav.

The Intego, McAfee and Symantec products all cause me the same concern – that they’re too intrusive on the system and aren’t worth the performance cost. But if I knew I’d be going into bad neighborhoods I’d give Intego a try. At least they’re dedicated to the Mac platform. Just beware of feature bloat intended to justify their existence and upgrades.

I’m a believer that computer habits are better prevention than software. If you’re switching from Windows and used anti-virus there, or have been using a paid virus scanner on the Mac, ask yourself how many viruses were actually detected by the software you used.

Software News

  • CCleaner – Home – CCleaner is a freeware privacy tool and has recently been updated to version 2.02.525.
  • Free download of 1Password 2.5.3, courtesy Macworld – 1Passwd is free for a limited time and with limitations (no upgrades, no access to the online version). Mac software used by many.

News & Links
  • Mac OS X 10.5: About the PubSub Agent – Apple lets us know that it’s OK for PubSub to access our keychain.
  • ModSecurity and WordPress: Defense in Depth – Paper about securing WordPress.
  • Bogus FTC e-mail has virus | CNET – The FTC’s name is being used by spammers to spread malware.
  • Intego reporting new OS X trojan horse in the wild – The Unofficial Apple Weblog (TUAW) – New Mac trojan. Like the article says, it doesn’t install itself. It requires the user to install it and provide admin permission.
  • Secrets: How to: Discover malware before installing – MacWorld provides some tips on how to avoid and detect malware without having to buy software.
  • Deconstructing the Fake FTC E-mail Virus Attack – Security Fix (washingtonpost.com) – Interesting Security Fix blog post about a successful email phishing attack. The vulnerability exploited was the user. Note the update at the end, which links to a report showing only half of AV software detected the malware.
  • Hiding In Plain Sight – Security Fix – I’ve told Windows to show file extensions for so long I forgot about this. A good reminder to set Windows to tell all it knows.
  • Acknowledges Data Loss – Security Fix – Looks like the company fell for a phishing scam and lost control of some customer data, resulting in a wave of phishing emails targeting its customers.


The OS Quest Trail Log #13: More Leopard

It’s been just over a week with OS X 10.5 Leopard. So far I’m liking it a lot. I wouldn’t have picked it going in, but Spaces has turned out to be the killer feature for me. I’m using it on both my 24″ iMac and my 13″ MacBook.

I installed Leopard on my Intel Mac Mini yesterday. This Mac is used only as a media center and has little software and no unique data, so I went for a straight upgrade. The only minor glitch was with the wireless network. When the setup wizard ran it wouldn’t connect to the wireless networks; messages alternated between bad password and a general network error. But I was able to go into Network preferences, pick the network from there, and it connected fine.

The software I use is running well under Leopard, with just minor glitches. I’m getting used to Cover Flow in the Finder and think I’ll actually find it useful. Apple seems to be moving more towards the way I like to organize things, mainly by not organizing them. I like GMail exactly because with a few tags I can find email via searches and don’t need to organize it into folders. Finder seems to have gone the same way. I can throw stuff in directories and use Spotlight, Cover Flow and Quick Look to find it fast. I’ve actually held off telling Path Finder to replace Finder at start-up.

I’m also surprised by how fast Leopard is. I did erase-and-install on my two main machines and upgraded the memory in my iMac, so I can’t directly compare old and new speeds. But Leopard feels faster. Maybe some of it is cosmetic, like icons bouncing less. But Spotlight is faster: before, it really wasn’t worth using; now it is.

Oh yeah, another cool feature. iCal isn’t even running and its icon in the Dock shows today’s date.

It was another week where the quest was pretty much all Leopard and that about covers it.

Software Upgrades
  • Downloads: Flash Player 9 Update – Adobe has updated Flash Player 9 to be compatible with Leopard. Note the requirement to uninstall the old version first. The uninstaller is linked on the page.
  • Netscape Navigator Web Browser – Netscape Navigator lives and has been updated to a new version.
  • GIMP – The GNU Image Manipulation Program – GIMP has been updated to 2.4.1.
  • Growl 1.1.2 has been released for the Mac.
  • iStat Menus 1.2 – An update to the popular iStat Menus program for Macs. Great for those of us who like tech info on how our Macs are running. (Donationware)
  • Mozilla Firefox Release Notes – Firefox has released a new version.

News & Links
  • Leopard DNS Issues (and work-around) – Solution for an issue some Jungle Disk users had with Leopard. I like Jungle Disk even if I haven’t found a reason for me to use it.
  • Imperium: Google’s March Towards Becoming America’s Biggest Company – It’s a scary thought that the 5th largest U.S. company, by stock valuation, makes its money by selling ads. And some expect it to become the largest.
  • MacBook (Late 2007): About the Mac OS X 10.5 Leopard installation disk – Apple does seem to have a bit of copy protection on their OS DVDs.
  • Fair use advocates hit back with copyright principles of their own – Fair use advocates respond to the big content manifesto about user generated content. They try to restrict the impact on fair use.
  • IP firm sues… everyone for WiFi patent infringement – A broken patent and/or legal system.
  • Some Leopard early adopters bitten by installation bugs – Ars Technica rounds up some problems people have experienced upgrading to Leopard.
  • Official Gmail Blog: Code changes to prepare Gmail for the future – Google will be rolling out more updates to GMail.
  • Hack Attack: Install Leopard on your PC in 3 easy steps! – Installing Leopard on a PC. Hacked iPhones and now Leopard on non-Apple hardware. Oh my.
  • Everex’s $199 green PC: attention ignorant Wal-Mart shoppers – Amusing note about Everex’s “green” PC at Walmart. It’s a mini-ITX motherboard in a tower case, because “Research indicates that Wal-Mart shoppers equate the size of the system to its capability.”
  • Is it time to get rid of the Whois directory? – Column discussing a proposal to get rid of the whois database. One argument against doing so is “accurate and available information is essential for law enforcement in crimes”. Good to know criminals accurately register domains.
  • Killing the RIAA: Is “stealing” music the same as supporting music? – Interesting take on the RIAA and that spreading songs through file sharing networks (“stealing” in RIAA terms) actually helps the artist more than buying the CD, since artists get little or nothing from CD sales.
  • Say goodbye to the transparent menu bar – There’s already a utility to get rid of the semi-transparent menu bar.
  • Appeals court rubber stamps FCC’s DSL (de)regulation – Appeals court ruling could eliminate independent ISPs and limit consumer choice. Why hasn’t this been publicized in the US? I found the news on a UK site.
  • Apple sells 2 million copies of Leopard since Friday – I guess Leopard is popular. It took 6 weeks to sell 2 million copies of Tiger.
  • Leopard Spotlight: the upgrade disc gripe – Looks like Leopard drop-in disks (shipped with new Macs) require Tiger to already be on the Mac.
  • ‘Net Governance Body Punts On WHOIS Privacy – Security Fix – The WHOIS database will remain full of information and public. Options are to provide false info or pay to keep the info private.