Security Watch
How Secure is Mac OS X?
The Apple OS is relatively safe ... for now.
Malicious Code
Symantec Corporation released a report regarding malicious software aimed at
Mac OS X, the latest operating system for Macs. The report suggests that OS X
isn't immune to malicious code, and that Symantec has documented 37 vulnerabilities
in OS X. It goes on to say that all those vulnerabilities have already been
patched by Apple. Symantec suggests attacks against the Mac will increase as
more "Mac mini" systems are sold, given its low price point.
But keep in mind that no malware targeting OS X has ever appeared in the wild.
Symantec, understandably, would like to see more Mac systems using its anti-virus
software, which may explain why it issued such a report. Proof of Concept
malware has certainly been seen, but there is a significant difference between
Proof of Concept and active malware. Further, given that OS X represents something
less than 5 percent of the world's systems, the spread of malware targeting
OS X would likely be extremely slow. (DISCLAIMER: Russ Cooper's
company, Cybertrust, Inc., competes with Symantec in the area of security products,
but not anti-virus software.)
Hacking
A heap overflow in GIF image processing by the Firefox browser, Mozilla Suite,
and Thunderbird, Mozilla's standalone e-mail client, has been discovered. The
vulnerability, for which patches are available, could allow an attacker to send
a malicious HTML-based e-mail or host a malicious Web site containing a GIF
image. The image would, when rendered, execute code of the attacker's choice.
Similar vulnerabilities have been announced in Microsoft products. In this
case, the vulnerability lies in a Netscape-specific extension block within a
GIF file. GIF files are made up of a series of blocks, each of which contains
specific information. Although the Netscape-specific extension block is obsolete,
some image processors still contain code to parse the block.
This column was originally published in our weekly Security Watch newsletter.
The most interesting aspect of this vulnerability is the fact that both mail
clients—Thunderbird and the mail client within Mozilla Suite—permit
the user to disable the display of images. One would think this would be sufficient
mitigation to prevent exploitation of this particular vulnerability, but the
option to disable image display doesn't apply to images embedded within the
e-mail itself.
HTML-formatted e-mails can display images using an IMG tag and a URL pointing
to a remote Web site. However, it's also possible to embed the image within
the e-mail, then reference it by referring to its Content ID. Another feature
within the affected e-mail products prevents the rendering of these inline images:
setting the option "Message Body As" to "Plain Text". It
will be interesting to see if the Mozilla folks correct the flaw in the option
to disable image processing to also include inline images.
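As an added example (not code from the column or from Mozilla), here is a bounds-checked walk in C over the GIF block sequence described above: every block's declared length is treated as untrusted, and the file is refused when a sub-block, including the obsolete Netscape application extension, claims more bytes than remain, which is the check a decoder needs before it copies such a block into a heap buffer. Assumed from the GIF89a specification: the 13-byte signature plus screen descriptor, 0x21 extension blocks, 0x2C image descriptors, the 0x3B trailer, and the "NETSCAPE2.0" looping extension carrying a single 3-byte sub-block.

```c
#include <stdint.h>
#include <string.h>
enum { GIF_OK = 0, GIF_BAD_HEADER = 1, GIF_TRUNCATED = 2, GIF_BAD_BLOCK = 3 };

/* Data sub-blocks: a length byte then that many bytes, until a zero length byte.
 * Returns bytes consumed, or 0 when a declared length would run past the buffer. */
static size_t skip_subblocks(const uint8_t *p, size_t avail) {
    size_t pos = 0;
    while (pos < avail) {
        uint8_t n = p[pos++];
        if (n == 0) return pos;                 /* terminator reached */
        if (n > avail - pos) return 0;          /* length byte promises more than is present */
        pos += n;
    }
    return 0;                                   /* no terminator before end of data */
}
/* Bytes used by a colour table whose presence and size bits live in 'flags'. */
static size_t color_table_size(uint8_t flags) {
    return (flags & 0x80) ? (size_t)3 << ((flags & 0x07) + 1) : 0;
}
int gif_check(const uint8_t *buf, size_t len) {
    size_t pos = 13, used;                      /* 6-byte signature + 7-byte screen descriptor */
    if (len < 13 || (memcmp(buf, "GIF87a", 6) && memcmp(buf, "GIF89a", 6))) return GIF_BAD_HEADER;
    used = color_table_size(buf[10]);           /* optional global colour table */
    if (used > len - pos) return GIF_TRUNCATED;
    pos += used;
    while (pos < len) {
        uint8_t intro = buf[pos++];
        if (intro == 0x3B) return GIF_OK;       /* trailer: clean end of file */
        if (intro == 0x21) {                    /* extension: label byte, then sub-blocks */
            if (pos >= len) return GIF_TRUNCATED;
            if (buf[pos++] == 0xFF && len - pos >= 12 && buf[pos] == 11 &&
                memcmp(buf + pos + 1, "NETSCAPE2.0", 11) == 0) {
                /* Netscape looping block: one 3-byte sub-block (id 1, loop count), then 0. */
                if (len - pos < 17 || buf[pos + 12] != 3 || buf[pos + 13] != 1 || buf[pos + 16] != 0)
                    return GIF_BAD_BLOCK;
                pos += 17; continue;
            }
        } else if (intro == 0x2C) {             /* image descriptor, local table, LZW code size */
            if (len - pos < 10) return GIF_TRUNCATED;
            used = color_table_size(buf[pos + 8]);
            if (used > len - pos - 10) return GIF_TRUNCATED;
            pos += 10 + used;
        } else return GIF_BAD_BLOCK;            /* unknown block introducer */
        used = skip_subblocks(buf + pos, len - pos);
        if (used == 0) return GIF_TRUNCATED;
        pos += used;
    }
    return GIF_TRUNCATED;                       /* ran off the end without a trailer */
}
```

The check runs before any decoding, so a renderer can drop a malformed file without allocating for its image data.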
Human Factors
A group of IT consultants in Australia say they're
in discussions with two banks to provide them with a bootable Linux OS-based
CD which would provide the bank's customers with a complete interface for online
banking. The concept is based on their "Safe Internet Computer," or
SafeIC. It's a PC with no hard disk that boots from the CD each time it's
started, so any malicious code picked up during one session is gone at the
next boot.
Privacy
California State University spokesman Joe Willis announced
that hackers may have accessed personal information on 59,000 people affiliated
with the school.
Governance
The US Federal Deposit Insurance Corporation (FDIC)
board of directors has voted 5-0 to require banks to notify customers of suspected
identity theft.
Utah Gov. Jon Huntsman, Jr. signed into law a controversial
bill requiring ISPs, upon request, to block access to Web sites deemed harmful
to minors. Customers will be able to have their ISP prevent access to a list
of sites known as the "Adult Content Registry."
Numerous organizations, including the American Civil Liberties Union (ACLU),
claim the law violates the First Amendment. Utah is one of six states with similar
laws.
While there is a concern over a legitimate site ending up on the Adult Content
Registry, it always baffles me to see arguments against efforts to give consumers
more control over what they make available on their computers. This law requires
that a consumer opt into this service, and the owner of the connection can opt
out any time they choose. Pushing the effort to the ISP, which has a better
chance of controlling access than the typical end user, simply makes sense.
Another possible solution is to convince ISPs to offer such a service under
contract with the consumer, rather than giving it legal force. Contractual arrangements
typically offer a far better solution than a law does, and allow consumers
more flexibility in determining how their service will be restricted. In any
event, the public policy debate over this new law won't hurt anything.
About the Author
Russ Cooper is a senior information security analyst with Verizon Business, Inc.
He's also founder and editor of NTBugtraq, www.ntbugtraq.com,
one of the industry's most influential mailing lists dedicated to Microsoft security.
One of the world's most-recognized security experts, he's often quoted by major
media outlets on security issues.