Security Watch

Apple, Adobe Apps Get Patched

Also: The danger lurking on USB thumb drives and in social networking sites.

Apple has released a Mac OS X Update, which includes security fixes. Cybertrust doesn't perceive any of the issues addressed as being of significant importance, and I recommend that the patch be applied within 90 days.

Some of the issues addressed by Apple Security Update 2006-006 resemble other recent vulnerabilities in that they require that the user be convinced to open a malicious file or Web page. The file types include Flash, JPEG2000 (affecting ImageIO) and PICT (affecting ImageIO). The Web page vulnerability exists in the WebCore component.

Cybertrust recommends that the update be applied in the next 90 days, and that users do not use other applications while running Software Update. While the 10.4.8 update is not applicable to OS X 10.3 users, Security Update 2006-006 is available to them.

Exploit Released for Mac OS X Flaw
An exploit has been published and made available to the public which takes advantage of one of the vulnerabilities patched by Apple's latest security update. The vulnerability allows malicious code to run locally with the privileges of the application being invoked rather than those of the user, so an attacker's code could end up running at the highest privilege level on the system.

Apply the Apple Security Update 2006-006 patch.

Online Dating Increases Cyber Crime Risk
According to a survey jointly conducted between CA Inc. and the National Cyber Security Alliance (PowerPoint here), about three-quarters of adults give out some sort of personal information while participating in online social networking sites, exposing themselves to risks.

It's impossible to imagine participating in a social networking environment without giving out some form of personal information. If you want to discuss something via e-mail, you must provide an e-mail address to someone. Similarly, if you're going to date or discuss things with friends, you're likely going to use your name.

The survey says that 84 percent of individuals are at risk because they download files from other people's profiles. These files might be pictures or other files commonly distributed among friends. Again, while it's certainly true that such files could allow spyware or bots to be implanted on victims' machines, it's hard to imagine social networking without them.

The companies' recommendations on how to protect yourself seem rudimentary, and the survey didn't seem to elicit any new advice from them. Don't post your Social Security number together with your name, for example, seems like an obvious one. Of course, as software producers, they took the opportunity to recommend that you have up-to-date personal firewall, anti-spyware, anti-virus and spam filtering software.

This column was originally published in our weekly Security Watch newsletter.

IT Risks Rise on USB Drives Using Auto-Run Apps
With the introduction of a new memory stick, the U3 Smart Drive, thumb drives can now automatically launch applications when they are inserted. They simply present themselves to the OS as a CD drive, and the OS typically allows code on a CD to execute automatically upon insertion. This, some claim, means an entirely new threat to our data.

The U3 drive is not rocket science; it's a capability that CDs have had all along (the editor of this newsletter says he's also received many press releases on thumb drives that auto-run). Some seem to think it will be faster, but its greatest threat is more likely that the capability now fits in a device so small it is hard to detect at a building entrance.

The best defense is to ensure that USB ports are disabled by default, if USB devices are not to be used in your organization. This doesn't work very well when keyboards or printers also use USB, since they can simply be unplugged and a U3 (or any other thumb drive) inserted in their place.

Various companies have developed software that prevents the use of thumb drives, and these are likely equally effective against U3-type drives.
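The two defenses the column describes can be checked and applied on a Windows host without third-party software. The following PowerShell script is an added example, not code from the column or from any product it mentions; it assumes the documented Windows registry values NoDriveTypeAutoRun (under the Explorer policies key) and the Start value of the USBSTOR service, and must be run from an elevated (Administrator) session. Setting NoDriveTypeAutoRun to 0xFF turns off AutoRun for every drive type, including the CD-ROM type a U3 stick emulates; disabling the USBSTOR driver blocks USB mass storage specifically, so USB keyboards and printers, which use different drivers, keep working even though the ports stay enabled.

```powershell
# Added example: audit and harden AutoRun / USB mass-storage settings.
# Assumed well-known registry locations (not taken from the column).
$explorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$usbstorService = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

function Get-AutorunPosture {
    # Read both values; a missing value is reported as $null rather than as an error.
    $autorun = (Get-ItemProperty -Path $explorerPolicy -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    $start   = (Get-ItemProperty -Path $usbstorService -Name Start -ErrorAction SilentlyContinue).Start

    [PSCustomObject]@{
        NoDriveTypeAutoRun       = $autorun
        AutorunDisabledAllDrives = ($autorun -eq 0xFF)   # 0xFF = no drive type may AutoRun
        UsbStorStart             = $start
        UsbStorDisabled          = ($start -eq 4)        # 4 = SERVICE_DISABLED
    }
}

function Set-AutorunHardening {
    param(
        # Pass -BlockUsbStorage to also stop the USB mass-storage driver from loading.
        [switch]$BlockUsbStorage
    )

    # The policy key may not exist on a machine that has never had a policy applied.
    if (-not (Test-Path $explorerPolicy)) {
        New-Item -Path $explorerPolicy -Force | Out-Null
    }

    # Disable AutoRun for all drive types, so the emulated CD partition on a
    # U3 stick cannot launch anything when it is inserted.
    Set-ItemProperty -Path $explorerPolicy -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord

    if ($BlockUsbStorage) {
        # Start = 4 prevents USBSTOR from loading, so removable USB storage is not
        # mounted at all. USB keyboards, mice and printers use other drivers and
        # are unaffected, which addresses the unplug-the-keyboard problem.
        Set-ItemProperty -Path $usbstorService -Name Start -Value 4 -Type DWord
    }
}

# Usage: inspect first, harden, then confirm the change took effect.
Get-AutorunPosture
Set-AutorunHardening -BlockUsbStorage
Get-AutorunPosture
```

In a managed environment the same two values are normally pushed through Group Policy rather than set per machine; the audit function is still useful for verifying that the policy actually reached a given host. Note that the NoDriveTypeAutoRun change takes effect for new Explorer sessions, and that disabling USBSTOR only blocks storage-class devices, so it complements rather than replaces port-level controls.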

About the Author

Russ Cooper is a senior information security analyst with Verizon Business, Inc. He's also founder and editor of NTBugtraq, www.ntbugtraq.com, one of the industry's most influential mailing lists dedicated to Microsoft security. One of the world's most-recognized security experts, he's often quoted by major media outlets on security issues.
