Security Watch

How Secure is Mac OS X?

The Apple OS is relatively safe ... for now.

Malicious Code
Symantec Corporation released a report regarding malicious software aimed at Mac OS X, the latest operating system for Macs. The report suggests that OS X isn't immune to malicious code and says Symantec has documented 37 vulnerabilities in OS X. It goes on to say that all of those vulnerabilities have already been patched by Apple. Symantec suggests attacks against the Mac will increase as more "Mac mini" systems are sold, given its low price point.

But keep in mind that no malware targeting OS X has ever appeared in the wild. Symantec, understandably, would like to see more Mac systems using its anti-virus software, possibly explaining the issuing of such a report. Proof of Concept malware has certainly been seen, but there is a significant difference between Proof of Concept and active malware. Further, given that OS X represents something less than 5 percent of the world's systems, the spread of malware targeting OS X would likely be extremely slow. (DISCLAIMER: Russ Cooper's company, Cybertrust, Inc., competes with Symantec in the area of security products, but not anti-virus software.)

A heap overflow in GIF image processing by the Firefox browser, Mozilla Suite, and Thunderbird, Mozilla's standalone e-mail client, has been discovered. The vulnerability, for which patches are available, could allow an attacker to send a malicious HTML-based e-mail or host a malicious Web site containing a GIF image. The image would, when rendered, execute code of the attacker's choice.

Similar vulnerabilities have been announced in Microsoft products. In this case, the vulnerability lies in a Netscape-specific extension block within a GIF file. GIF files are made up of a series of blocks, each of which contains specific information. Although the Netscape-specific extension block is obsolete, some image processors still contain code to parse the block.
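As an added illustration (not code from the column or from Mozilla), the Python sketch below walks the block structure described above and reports each application extension block by its identifier, refusing any sub-block whose declared length runs past the data. The sample GIF is constructed, the function names are this example's own, and treating an identifier that begins with `NETSCAPE` as the Netscape-specific block is an assumption.

```python
def read_sub_blocks(data, pos):
    """Walk a chain of length-prefixed sub-blocks; return the offset after it."""
    while True:
        if pos >= len(data):
            raise ValueError("truncated sub-block chain")
        size = data[pos]
        if size == 0:                       # zero-length sub-block ends the chain
            return pos + 1
        if pos + 1 + size > len(data):      # never trust the declared length
            raise ValueError("sub-block at offset %d overruns the data" % pos)
        pos += 1 + size

def color_table_len(packed):                # byte length of an optional colour table
    return 3 * (2 << (packed & 0x07)) if packed & 0x80 else 0

def list_gif_blocks(data):
    """Return [(offset, description), ...] for each block up to the trailer."""
    if len(data) < 13 or data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    pos = 13 + color_table_len(data[10])    # header + logical screen descriptor
    blocks = []
    try:
        while True:
            start, intro = pos, data[pos]
            if intro == 0x3B:               # trailer: end of the block stream
                return blocks + [(start, "trailer")]
            if intro == 0x2C:               # image descriptor, colour table, LZW byte
                desc = "image"
                pos += 10 + color_table_len(data[pos + 9]) + 1
            elif intro == 0x21 and data[pos + 1] == 0xFF:   # application extension
                id_len = data[pos + 2]
                desc = "application:" + data[pos + 3:pos + 3 + id_len].decode("latin-1")
                pos += 3 + id_len
            elif intro == 0x21:             # other extensions: label, then sub-blocks
                desc = "extension:0x%02x" % data[pos + 1]
                pos += 2
            else:
                raise ValueError("unknown block introducer at offset %d" % start)
            pos = read_sub_blocks(data, pos)
            blocks.append((start, desc))
    except IndexError:
        raise ValueError("truncated GIF")

def netscape_block_offsets(data):
    """Offsets of application extension blocks identified as NETSCAPE (assumed prefix)."""
    return [o for o, d in list_gif_blocks(data) if d.startswith("application:NETSCAPE")]

# Constructed 1x1 sample: header, 2-colour table, NETSCAPE2.0 block, one image, trailer.
SAMPLE_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
              b"\x21\xff\x0bNETSCAPE2.0\x03\x01\x00\x00\x00"
              b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02\x4c\x01\x00\x3b")
```

Running `list_gif_blocks` over an image pulled from a mail store or proxy cache shows whether it carries an application extension at all, and a `ValueError` marks a file whose length fields do not add up.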

This column was originally published in our weekly Security Watch newsletter.

The most interesting aspect of this vulnerability is the fact that both mail clients—Thunderbird and the mail client within Mozilla Suite—permit the user to disable the display of images. One would think this would be sufficient mitigation to prevent exploitation of this particular vulnerability, but the feature to disable image processing doesn't function against images contained within the e-mail.

HTML-formatted e-mails can display images using an IMG tag and a URL pointing to a remote Web site. However, it's also possible to embed the image within the e-mail, then reference it by referring to its Content ID. Another feature within the affected e-mail products prevents the rendering of these inline images: setting the option "Message Body As" to "Plain Text". It will be interesting to see if the Mozilla folks correct the flaw in the option to disable image processing to also include inline images.
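The two delivery paths described above can be told apart mechanically. The following Python example is added here, not taken from the column or from any mail client: it parses a constructed sample message and separates images fetched from a remote URL from images carried inside the message and referenced by Content ID. The addresses, boundary string and function name are made up for the illustration.

```python
import re
from email import message_from_string, policy

# Captures the src value of each <img> tag in an HTML body.
IMG_SRC = re.compile(r"""<img\b[^>]*?\bsrc\s*=\s*["']?([^"'\s>]+)""", re.I)

def classify_images(raw_message):
    """Split the images an HTML mail displays into remote URLs and inline cid: parts."""
    msg = message_from_string(raw_message, policy=policy.default)
    attached, srcs = {}, []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            srcs += IMG_SRC.findall(part.get_content())
        elif part.get_content_maintype() == "image" and part["Content-ID"]:
            cid = str(part["Content-ID"]).strip().strip("<>")
            attached[cid] = part.get_content_type()
    inline = [(s[4:], attached[s[4:]]) for s in srcs
              if s.lower().startswith("cid:") and s[4:] in attached]
    remote = [s for s in srcs if s.lower().startswith(("http://", "https://"))]
    return {"inline": inline, "remote": remote}

# Constructed sample: one remote image and one image embedded in the message itself.
SAMPLE_MESSAGE = """\
From: sender@example.invalid
To: rcpt@example.invalid
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/related; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body>
<img src="cid:logo@example.invalid">
<img src="http://example.invalid/a.gif">
</body></html>
--b1
Content-Type: image/gif
Content-ID: <logo@example.invalid>
Content-Transfer-Encoding: base64

R0lGODlhAQABAAAAACw=
--b1--
"""
```

A non-empty `inline` list means the image bytes arrive with the message, so a setting that only stops remote fetches leaves that image to be rendered.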

Human Factors
A group of IT consultants in Australia say they're in discussions with two banks to provide them with a bootable, Linux-based CD that would give the banks' customers a complete interface for online banking. The concept is based on their "Safe Internet Computer," or SafeIC. It's a PC with no hard disk that boots off the CD each time it's started, wiping the system clean of any malicious code each time.

California State University spokesman Joe Willis announced that hackers may have accessed personal information on 59,000 people affiliated with the school.

The US Federal Deposit Insurance Corporation (FDIC) board of directors has voted 5-0 to require banks to notify customers of suspected identity theft.

Utah Gov. Jon Huntsman, Jr. signed into law a controversial bill requiring ISPs, upon request, to block access to Web sites deemed harmful to minors. Customers will be able to have their ISP prevent access to a list of sites known as the "Adult Content Registry." Numerous organizations, including the American Civil Liberties Union (ACLU), claim the law violates the First Amendment. Utah is one of six states with similar laws.

While there is a concern over a legitimate site ending up on the Adult Content Registry, it always baffles me to see arguments against efforts to give consumers more control over what they make available on their computers. This law requires that a consumer opt into this service, and the owner of the connection can opt out any time they choose. Pushing the effort to the ISP, which has a better chance of controlling access than the typical end user, simply makes sense.

Another possible solution is to convince ISPs to offer such a service under contract with the consumer, rather than giving it legal force. Contractual arrangements typically offer a far better solution than a law does, and allow consumers more flexibility in determining how their service will be restricted. In any event, the public policy debate over this new law won't hurt anything.

About the Author

Russ Cooper is a senior information security analyst with Verizon Business, Inc. He's also founder and editor of NTBugtraq, one of the industry's most influential mailing lists dedicated to Microsoft security. One of the world's most-recognized security experts, he's often quoted by major media outlets on security issues.
