Intego's "Year In Mac Security" Report 132

Posted by kdawson
from the almost-popular-enough dept.
david.emery notes the release of Intego's "Year In Mac Security" report (PDF), adding: "Mac OS X and iPhones that haven't been jailbroken fare pretty well (although vulnerabilities exist, there's not been a lot of exploitation). Apple does come in for criticism for 'time to fix' known vulnerabilities. Jailbroken iPhones are a mess. The biggest risk to Macs is Trojan horses, often from pirated software."

  • by Chris Tucker (302549) on Tuesday January 26, 2010 @03:35AM (#30901222) Homepage

    ...and let Software Update do its thing with Security Updates.

    Don't go online as Root, and really try not to open email attachments that claim to be "Nude Photos of (insert female athlete name here)"

    Really, how hard is that?

    • by silentace (992647) on Tuesday January 26, 2010 @04:46AM (#30901544)
      So you basically said what PC users do everyday (the ones that don't ever get viruses)...
      • Essentially, yes.

        With the proviso that smart Windows users have their AV software and definitions all up to date and use something other than Outlook Express and IE for their email and web use.

    • Re: (Score:3, Informative)

      by mario_grgic (515333)

      Both Mail and Finder will warn you that what you are opening has been downloaded from the internet and ask you to confirm you want to execute it.

      Each file you download is put into a quarantine and your answer to the question is recorded.

      You generally don't have to worry about opening non-executable files like images, zip files, video files etc. But you, of course, do have to worry about shell scripts, AppleScripts, applications and application documents that contain JavaScript (like PDF if you use Adobe r
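The quarantine mechanism described in the comment above, as an added example that is not part of the original thread: a parser for the com.apple.quarantine extended attribute that Mail, Safari and Finder attach to downloaded files. The field layout and the flag bit values (taken from Apple's private quarantine.h) are assumptions of this example, and the sample attribute strings are constructed.

```python
"""Parse the com.apple.quarantine extended attribute (example code, not
from the thread).

Assumed on-disk format (';'-separated fields, the fourth optional):
    <flags hex>;<unix time hex>;<agent name>;<origin>
where <origin> is either "|bundle.id" (older releases) or a UUID keying
into the LaunchServices quarantine database. The flag bit values below
are assumed from Apple's private quarantine.h.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

QTN_FLAG_DOWNLOAD = 0x0001       # file came from a download
QTN_FLAG_SANDBOX = 0x0002        # created by a sandboxed process
QTN_FLAG_HARD = 0x0004           # quarantine cannot be cleared by the user
QTN_FLAG_USER_APPROVED = 0x0040  # user confirmed "Open" in the Finder/Mail prompt


@dataclass(frozen=True)
class QuarantineRecord:
    flags: int
    timestamp: datetime
    agent: str
    origin: Optional[str]

    @property
    def is_download(self) -> bool:
        return bool(self.flags & QTN_FLAG_DOWNLOAD)

    @property
    def user_approved(self) -> bool:
        # This bit is the recorded answer to the "are you sure?" prompt.
        return bool(self.flags & QTN_FLAG_USER_APPROVED)


def parse_quarantine(value: str) -> QuarantineRecord:
    """Parse one attribute value; raise ValueError on a malformed string."""
    parts = value.strip().split(";")
    if len(parts) < 3 or not parts[0] or not parts[1]:
        raise ValueError(f"malformed quarantine attribute: {value!r}")
    try:
        flags = int(parts[0], 16)
        seconds = int(parts[1], 16)
    except ValueError as exc:
        raise ValueError(f"non-hex field in {value!r}") from exc
    timestamp = datetime.fromtimestamp(seconds, tz=timezone.utc)
    origin = parts[3] if len(parts) > 3 and parts[3] else None
    return QuarantineRecord(flags, timestamp, parts[2], origin)


def is_valid(value: str) -> bool:
    """True if the value parses; handy for filtering xattr dumps."""
    try:
        parse_quarantine(value)
        return True
    except ValueError:
        return False


def describe(value: str) -> str:
    """One-line, human-readable summary suitable for a triage script."""
    rec = parse_quarantine(value)
    state = "approved by user" if rec.user_approved else "NOT yet approved"
    kind = "download" if rec.is_download else "non-download"
    return (f"{kind} via {rec.agent} at {rec.timestamp:%Y-%m-%d %H:%M:%S}Z, "
            f"{state} (flags=0x{rec.flags:04x}, origin={rec.origin})")


if __name__ == "__main__":
    # Constructed sample values, not captured from a real system.
    samples = [
        "0041;4b5e2a10;Safari;|com.apple.Safari",  # approved download
        "0001;4b5e2a10;Mail",                       # pending, 3-field form
    ]
    for s in samples:
        print(describe(s))
```

On a Mac the raw value for a file can be read with `xattr -p com.apple.quarantine <file>` and fed to `describe()`.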

      • Any savvy user should already know all these things no matter what platform they use.

        The existence of the "Genius Bar" indicates that savvy users are in short supply.

        • You're right, I'd rather talk to somebody with a heavy accent named John and wait while he runs through a script, lie and tell him I've restarted when it's not needed, not reinstall Windows like he tells me to and then get a part sent out when a hardware part is broken (nothing like reinstalling Windows to fix a physically broken DVD drive).

          Or just go to the Genius bar, see if they can fix it/have a spare right there, if not they take it and it gets fixed.

          Gotta hate that highest rated customer service.

  • Should it be any surprise that unmoderated software could introduce security vulnerabilities? All a CPU does is execute instructions, so "jailbreaking" a phone just gives you the opportunity to run more software which may contain malicious payloads.

    When 20/20 took a look at dangerous "exploding" trucks, it was found that if you put a small amount of explosive near the crash area, that you could indeed cause a truck to explode in an accident. But does that mean that the truck company should be found at fault

    • by rsborg (111459) on Tuesday January 26, 2010 @04:26AM (#30901462) Homepage

      Should it be any surprise that unmoderated software could introduce security vulnerabilities?

      Really, the main problem is that jailbreak processes don't try to change your default root password. So the vulnerability is that Apple supplied a default root password (that isn't workable without jailbreak), and the haxx0rs remove the protection but fail to force the user to change or randomize (and remember/show to the user) that password.

      Nothing bizarre about that.

      • by bdsesq (515351) on Tuesday January 26, 2010 @08:21AM (#30902540)

        Apple either supplies a default root password or it has to build in a backdoor. Otherwise there is no way to upgrade the OS. Which way do you think is more secure?
        The jailbreak issue isn't Apple's problem. It is a problem with people doing things they don't understand.
        Looks like the jailbreak is just another way to rootkit a computer (phone).

        • by socsoc (1116769)
          This has nothing to do with jailbreaking or upgrading the OS (which flashes the firmware). The password Alpine only leaves those vulnerable who were savvy enough to install SSH, but not smart enough to change the pass.
        • by exomondo (1725132)

          Apple either supplies a default root password or it has to build in a backdoor. Otherwise there is no way to upgrade the OS. Which way do you think is more secure?

          Or, I dunno, have the user set a password?! Which is then entered when modifications need to be made. You really think it's a good system to base it all on having a default root password, do you?

      • Re: (Score:3, Informative)

        by UnknowingFool (672806)
        What? The jailbreak exploit has nothing to do with jailbreaking itself but the fact that most people that used the process installed SSH onto their iPhones and didn't change the default password on SSH. It had nothing to do with what Apple supplied on the phone but what 3rd parties modified the phone.
      • by Mista2 (1093071)

        If you are smart enough to jailbreak your phone, but dumb enough not to change root password, you really do get what you deserve.

    • Re: (Score:3, Funny)

      by DNS-and-BIND (461968)
      Please don't bash 20/20. Their scientific methodology might have been a little bit off, but their motives were in the right place. They were just trying to show that a major car manufacturer was corrupt...this is the media's job, isn't it? To expose corruption? Unless you can show that the car manufacturer has lily-white hands (and none of them do) please stop the bashing. These are educated, dedicated people who are doing a tough job under very difficult circumstances, and it's hard to get the stories
    • When 20/20 took a look at dangerous "exploding" trucks, it was found that if you put a small amount of explosive near the crash area, that you could indeed cause a truck to explode in an accident. But does that mean that the truck company should be found at fault for a usage scenario that is not supported?

      Point taken, but to be fair that was NBC's Dateline that did that, not 20/20.

    • by mdwh2 (535323) on Tuesday January 26, 2010 @09:35AM (#30903166) Journal

      When people point out something the iPhone can't do, we hear "Oh it can, but you just have to jailbreak it". When we get stories about security holes, we hear "Oh that doesn't count, you just have to not jailbreak it".

      So er, which is it?

      The problem is that the iPhone is the only phone where "jailbreaking" is necessary to get basic functionality working (e.g., tethering, running applications that Apple don't like).

      Consider, do you ever hear people talking about "jailbreaking" in the context of any other phone?

      My 5800 works fine, not had a virus (indeed on any of my phones), never needed to hack it.

      • Re: (Score:3, Interesting)

        by iamhassi (659463)
        "The problem is that the iPhone is the only phone where "jailbreaking" is necessary to get basic functionality working"

        Correct. Something as simple as deleting [techarena.in] a [appleiphoneschool.com] call [everythingicafe.com] is not possible on the iPhone without jailbreaking, which is shocking because on every cellphone I've used in the past 10 yrs I've had the ability to delete a phone call from the call log and it's a feature iPhone owners have been asking for since 2007. If you want to remove a single call you have to delete the entire phone call log

        Hon
        • every cellphone I've used in the past 10 yrs I've had the ability to delete a phone call from the call log and it's a feature iPhone owners have been asking for since 2007

          If you're so worried about your wife seeing your calls to your mistress, get another phone. Or delete the entire log.

          While I grant you it shouldn't be hard to delete a single call as opposed to the entire log, I cannot imagine needing to do so.

          • by mdwh2 (535323)

            One of the standard (and hence, predictable) pro-Apple replies: "Why would you want to do that?"

            That is not an answer to the criticism. Especially not for a company that prides itself allegedly on good UI and being easy to use.

            get another phone

            I did.

            I cannot imagine needing to do so.

            Good for you. Do you post to every discussion about technology, where you don't have a need for a particular thing? Or only to defend Apple?

          • by iamhassi (659463)
            "If you're so worried about your wife seeing your calls to your mistress, get another phone. "

            Why do people assume this? If I want to delete a call, it must be to cheat on my wife? Can't someone throw a surprise party, or maybe just remove telemarketer calls I don't want in the log?

            "I grant you it shouldn't be hard to delete a single call as opposed to the entire log, I cannot imagine needing to do so."

            Well, I'm glad you're the foremost authority on what everyone needs to be able to do. I've been
      • Re: (Score:2, Flamebait)

        by JasonBee (622390)

        I'm not sure what you mean by "basic functionality".

        My iPhone isn't broken and I have tethering enabled. Sounds like your problem is with AT&T. I'm in Canada under Fido/Rogers so YMMV.

        With "both" companies my tethering is enabled with a quick call. My provider asserts that my data plan must be 1 GB or higher, but this is largely to protect me from ignorantly going over my data plan usage allowances. I go to my settings and turn on tethering. There is no step three ;)

        As for "applications that Apple doesn

        • by exomondo (1725132)

          As for "applications that Apple doesn't [sic] like", you must mean malware, trojans, and data theft mechanisms. If you want to run those by all means do so. You could save yourself some trouble and just write your date of birth and credit card numbers on a placard and hang that around your neck when you head to the mall.

          Yeah cos that's what apps like Google Voice were all about. Don't spout rubbish like that just because you don't know what you're talking about.

      • by BitZtream (692029)

        How about you don't jail break it if you're a 'fucking moron'? Or in your case, just don't buy one cause you can't understand the basic premise behind both of those statements.

        It isn't open and requires jailbreaking to prevent 'fucking morons' from causing problems.

        So a 'fucking moron' who doesn't know what the hell he/she is doing shouldn't jailbreak it, and those are the people who get exploited, which are the people 'who shouldn't jailbreak it'

        This is the problem with today's hacks. Hackers forgot the

      • by ceoyoyo (59147)

        You're right. On Android they call it "rooting."

        It's not necessary to not jailbreak your phone. Just remember to set your password when you install SSH. Same lesson applies to any machine you install SSH on.

      • by jo_ham (604554)

        You DO NOT need to jailbreak to use tethering. My un-jailbroken iPhone tethers just fine.

        You also don't hear about it in any other context because no other phone is in the same sort of position - a popular device that doesn't do quite what some geeks want, with enough following to change. There are plenty of phones that are locked up just as tightly as the iPhone, with features crippled and controlled (but mainly at the behest of the carrier, not the owner of the App store), but they don't get much press be

  • by Anonymous Coward

    Installing Windows.

    • Re: (Score:1, Informative)

      by Anonymous Coward

      The results of pwn2own indicate the contrary.

      • by BitZtream (692029)

        Not really. pwn2own requires private exploits that no one knows about, with Windows every known exploit is used as soon as possible. The last winner sat on his hack for a year. He didn't find a new one, he just sat on it so he'd have it handy.

        That sort of contest doesn't indicate security in general, unless you're so retarded you think that because an OS didn't get bothered with during the contest that it must therefore be secure.

        • by mjwx (966435)

          Not really. pwn2own requires private exploits that no one knows about, with Windows every known exploit is used as soon as possible.

          That's a great argument against Security Through Obscurity, which happens to be Apple's MO. Security Through Obscurity works so poorly that even Microsoft has given up on it.

          That sort of contest doesn't indicate security in general,

          Demonstrating how quickly a zero day exploit can be created and deployed has nothing to do with security in general.

          unless you're so retarded y

    • Some fan guy modded you flamebait but, I guess you mean installing boot camp or a virtual machine (hypervisor) and running it just like OS X, without antivirus/firewall and giving it access to OS X file structure.

      IMHO Apple made a huge mistake by allowing (SL Bootcamp) Windows to see (read only though) OS X drives. That is not a favour, it is a huge security risk especially for Mac only people not knowing the extent of Windows threats/trojans/data leakage.

      Fix? "My Computer", "Manage", "Disk Management", rem

  • by Anonymous Coward

    Apple doesn't care enough about security [serverwatch.com].

    • by mario_grgic (515333) on Tuesday January 26, 2010 @10:05AM (#30903526)

      The article you link to is talking apples and oranges, literally. If the implication is that the BSD bug is also a bug in OS X, then it's false. The bug is not present in OS X.

      iPhone on the other hand is a completely different beast and yes it is locked down platform mostly for the benefit of the users, so we don't have to worry if an application is safe to install and use.

      Yes, there may be security issues in iPhone apps, but even the security updates of applications go through the same review process, which may catch an omission in the review of the previous version (which is what happened in the case of the software discussed in the article).

      The review process is not perfect nor ideal, but I for one am thankful that someone else is testing the applications for me and I don't have to waste the time and money on tools to check what each app does and if it is safe to use on my phone.

  • As much as Intego wants to present the state of malware on the Mac, the truth is that even Intego works pretty much like any other AV engine which tries to detect malware based on its signature or heuristics (behavioral), that they receive either from someone sending them a sample or collected with their honeypots around the world.

    The bots/trojans/RATs that are written for specific targets, do not have a signature, thus, are undetected. Then it becomes obvious that Antivirus solutions are not enough. You

    • Re: (Score:3, Funny)

      by x2A (858210)

      "but doesn't mention that Adobe's own CS4 install tries to phone home"

      Riiight... cuz that's what trojans are famous for, isn't it... checking to make sure that you're allowed to run them. My god I do wish trojans actually did do that, and better than other software does it. I'll admit on here, I don't legally own any trojans at all, which means all I have to do is make sure that they can phone home to verify this, and never have to worry about them again! Ahh... pleasant thoughts.

    • So, the original Adobe CS4 user who paid more than $1000 and gave his credit card number, home address and telephone should be protected from "evil Adobe" checking for updates or trying to figure out anonymously which parts of the software are used?

      Well, Intego and a couple of other companies offer an application firewall but, obviously, if you use original/activation system software, it will fail to work if it can't access the net. The solution is GIMP but, it would be a bit unrealistic.

  • by prawn_narwp (1579473) on Tuesday January 26, 2010 @04:31AM (#30901486)

    This is basically 7 total pages:

    * first couple pages on installing bittorrent'd software
    * Page 4 and 5 about people who installed openssh on their jailbroken iphones and didn't change their passwords
    * last page has citations back to their own blog

    The meat of it is about PDF, Java -- surely those have a more widespread effect, right? But they spend a lot fewer words on those topics. Note that all the visuals have to do with the stupid ssh-admin-password and bittorrent'd malware.

    Skip to the concluding paragraph -- they just have to emphasize the iphone again.

    I was going to say "I declare this posting unfit for Slashdot" but the good I see is that we can pick it apart to sort out the fluff.

    My rating system on severity overall on the entire population of apple products:

    1) pdf/java (5 stars)
    2) I-enabled-ssh-w/o-a-password (1 star - your fault for being a retard)
    3) Charles Miller iphone vuln (5 stars when it wasn't patched)

    • You forgot to mention the shiny shiny screenshots of the product!

      Surely something with a button that big and red must be awesome.
    • by x2A (858210)

      "* last page has citations back to their own blog"

      *lol* it's like when some breaking story (ie, any story) hits the news, but perhaps controversial or unconfirmed, and they say "it has been reported that blah blah blah" and then you flick over the channel and they're saying "blah blah has reported that blah blah blah", and it doesn't take long to notice that all people are telling you is that people are telling you what they're telling you.

      Someone somewhere gets tipped off about some rumour, phones someone h

  • lose/lose (Score:2, Funny)

    by starbugs (1670420)

    lose/lose (from the article) seems like a fun game to play right before installing Debian.

  • WTF, people. (Score:2, Interesting)

    by Anonymous Coward

    The ability to jailbreak is a security hole. Last I knew the techniques people use are remote code execution.

    For example as I recall the 1st gen jailbreak was to get a specially crafted TIFF file that exploited a buffer overflow when a page was loaded in Safari. Stop and think about that for a minute. This is the kind of behavior you don't want to be possible. Yet in the reality distortion field, it's a great thing suddenly. Users are totally unconcerned about this.

    I'm not sure if the exploit mechani

    • by dangitman (862676)

      This is the kind of behavior you don't want to be possible. Yet in the reality distortion field, it's a great thing suddenly.

      Ummm, citation needed?

    • Re: (Score:3, Informative)

      by TJamieson (218336)

      FWIW, this has changed about jailbreaking. What you said used to be true on the 1.x series of iPhone software, where everything always ran as root. Therefore, a hole in libTIFF led to (remote) root code execution. Starting with the 2.x series, Apple finally forced the restricted user account named Mobile to be used instead of root. That made it so now a libTIFF exploit *also* would require a privilege escalation exploit rolled inside; made things much harder. Starting around the 2.x software, the new way t

    • by JasonBee (622390)

      http://secunia.com/advisories/27213/2/ [secunia.com]

      Yeah that is ancient news my friend. It was patched with OS version 1.1.2. in 2007 if my information is correct.

      iPhones and iPods can now run OS version 3.1+

      I would say that pretty much anyone going online has patched as version 3 of the OS brought copy/paste functions.

      I can't imagine using my iPhone or iPod without copy/paste.

  • don't jailbreak your iphone, don't trust bittorrent, don't visit suspect sites, don't click on emailed links that are not from trusted sources - well DUH!
    • so what they are saying is... don't jailbreak your iphone

      I think I'll just settle for not buying one. ;-)
  • by DrXym (126579) on Tuesday January 26, 2010 @06:23AM (#30901922)
    If Apple didn't put such draconian limits on what a person could do with their own property, perhaps there wouldn't be the need to "jailbreak" it.
    • by RMH101 (636144) on Tuesday January 26, 2010 @06:53AM (#30902086)
      This is missing the point. The reason jailbreaking is allegedly unsafe is because once jailbroken, you can install SSH, and if you're dumb enough to not change the default root password, you can get owned. You get warned about this specifically when you install SSH anyway. If the phone were sold "open" and you installed SSH, you'd have the same issue. The point is that if someone goes out of their way to install SSH on their phone (which is a pretty hardcore geek activity anyway) and doesn't change the root password, then they're kind of asking for trouble.
    • by jo_ham (604554)

      So, you're blaming Apple for a user's inability to think "umm, I am installing SSH on my device, maybe I should not use the default root password".

      Right.

      Is it also Ford's fault that I can't easily get into my car because of the draconian limits on copying car keys when I lose my main and spare set?

      • by DrXym (126579)
        People who jailbreak phones don't care about ssh. They just want phones which work on other networks and with unsigned apps. It is a direct consequence of Apple locking their phone down in draconian ways that people want to jailbreak. Thus they turn to software cracks.

        If the reasons that motivate most people to escape were addressed, then so would the unintended side effects. There would be a fraction of the hacks if a) Apple sold a proper unlocked network free model and b) Provided a simple and painles

        • Re: (Score:2, Troll)

          by indiechild (541156)

          iPhone unlocking has nothing to do with jailbreaking. I unlock my iPhone but I definitely don't jailbreak it (don't want the instability and hassle of dealing with stuff that comes from non-official sources).

          • by RMH101 (636144)
            Well, if your carrier won't unlock you (interestingly O2 UK will do at any point, for free, for pay-monthly customers!) then you *have* to jailbreak it to unlock it.
            My jailbroken phone isn't unstable...
          • by socsoc (1116769)
            Ummm... You have to jailbreak in order to run the unsigned code to unlock it. Unless you perform magic.
            • by jo_ham (604554)

              Or you just ask your carrier to unlock it for you. O2 will do it for you here in the UK now that the exclusivity deal has finished.

              Locked phones are not unique to Apple.

              Jailbreaking the phone to run the unsigned unlock code also doesn't make you vulnerable. Installing SSH and not changing the default password does. That is a separate thing.

        • by jo_ham (604554)

          The two are *totally* unrelated. Unlocking to other networks has *nothing* to do with jailbreaking your phone.

          Nor does jailbreaking itself cause you to be vulnerable - you need to also install SSH as well.

          If you are installing SSH, you really ought to know what you are doing.

    • Draconian? Really? I own many Apple products and I am rarely stopped from doing anything. Perhaps your hatred of Apple has colored your post to the point that it's ridiculous hyperbole?
      • by DrXym (126579)
        I think it is quite obvious that I was referring to the iPhone here. It is also quite obvious that the restrictions on the phone are draconian, as witnessed by the large demand for jailbroken devices.
        • How big is the demand for jailbroken devices? I know there are a lot of people on /. that would almost reflexively jailbreak one if they owned it, but how does that translate to the general population? Hardcore geeks like us are neither typical of people in general nor Apple's target market.

          I have an iPhone with quite a few apps on it, and it's not jailbroken. This means that any software I install on it gets at least a screening from a company that has a lot to lose by allowing malware on the phone.

          • Re: (Score:3, Insightful)

            by DrXym (126579)
            This means that any software I install on it gets at least a screening from a company that has a lot to lose by allowing malware on the phone.

            They also have a lot to lose by allowing apps like voip, instant messaging, map readers, voice search, flash player, browsers, podcasters, movie players, music players, file downloaders etc. etc.. Basically anything that competes with their tech, or offends the network, or they simply don't like on grounds of taste or any other arbitrary reason. They even ban apps w

            • by jo_ham (604554)

              The locking to network is not Apple's beef - they don't care one way or the other (or in fact, prefer unlocked since it means they can sell more phones). You can get your iPhone unlocked by just asking your carrier (note: does not work in USA).

              The main point is that everyone knows ahead of time about the walled garden, and yet wants in anyway - only to then complain that they are in a walled garden. This is what Android is for!

            • Flash player? You're assuming that I want the number one security vulnerability installed on the phone that's also my PDA, browser, game machine, etc. I depend on my iPhone. I don't feel fully dressed without it. I don't want stuff on it that's likely to compromise it.

              • by DrXym (126579)
                I'm not assuming anything. Apple explicitly doesn't want any alternative stack through which people can avoid paying Apple money. It has absolutely nothing whatsoever to do with security.
                • Not assuming anything? Seems to me you're assuming Apple's motives are what you attribute to them. Do you have any evidence that Apple's lockdown is not due at least partly to security and the desire to present a seamless experience?

                  • by DrXym (126579)
                    Yes, their absolute refusal to support any kind of runtime environment. Flash, Java, Silverlight - anything. Even a C64 emulator which provided access to CBM Basic was banned. They don't want anything that competes with their app store. Security is *way* down the list of reasons for this.
                    • Do you know this through insider knowledge, or are you reading the minds of top Apple execs? You seem awfully sure of the motives of people that you show no sign of knowing personally.

  • Back in 2004 Intego's big complaint about the Mac was that because it's based on UNIX, if you could get it to execute a shell script you could do anything on the computer, and that Applescript wasn't sandboxed. They never noticed that the same was true of CMD.EXE and VBscript on Windows, DCL on VMS, and every other native scripting environment on every OS, ever, anywhere.

    Intego's business model appears to be FUD.

  • I recall reading this (URL:http://www.semiaccurate.com/2009/07/31/apple-keyboard-firmware-hack-demonstrated/) last year but never heard any follow up from Apple. Does anyone know if there was actually any firmware release for this to close this potential security hole? It appears the likelihood of this getting exploited is rather small (requiring local access at this time) but it still warrants a response from Apple IMO.
    • by AHuxley (892839)
      Take your pick
      It's an active hole in the wild used by anyone. (no hint yet?)
      It's an active hole in the wild used by the NSA, CIA, FBI. (not going to be fixed anytime soon)
      It's not an easy hole to use in the wild. (no chatter yet?)
      Apple staff are so distracted by itoys. :)
  • Not so fast (Score:1, Redundant)

    by Swift2001 (874553)

    I ran a Windows computer at work. And I had one at home. Never had a problem.

    Then I went to another office. We had to spend a fair amount of time researching on the Web. All it took was one person landing on an illicit web site, and the shit hit the fan. All of a sudden, one after another, everybody's hit with trojans and God knows what else. No IT guy to run the thing, so I became the informal computer guy. Several computers are taken out and got the OS rebuilt. The only way to protect against the exploit
