Archives for Category : Security

There is a nasty bit of Mac malware making the rounds that exploits a flaw in the Java web browser plug-in to install itself on your machine if you visit a site that has been compromised:

• Macworld: What you need to know about the Flashback trojan
• Apple: About Flashback malware

Apple has released Java updates to patch the Java flaw, which you should definitely install, but that will not remove the malware if it is already on your computer. The above Macworld article details how you can check for the presence of this little beastie.

Optional: Go Java-less

Most people will have no need for the Java plug-in so you can also simply disable it to protect yourself from possible future security issues it might have:

1. Choose Preferences from the Safari menu.
2. Select the Security tab.
3. Turn OFF the “Enable Java” checkbox.
4. Close the Preferences window.

If you do use a site that requires the Java plug-in you’ll see a missing plug-in placeholder for theta content when you visit it.

NOTE: You’ll also notice a checkbox labeled “Enable Javascript”. You generally DO NOT want to turn that off. Other than an unfortunate naming decision it has nothing to do with Java and is so ubiquitous these days that turning it off will probably break a lot of the sites you visit.

And While You’re at it: Less Flash!

The other historically popular vector for Internet malware is the Adobe Flash plug-in, used mainly for web video and annoying animated ads. Removing Flash is possible but a bit more problematic as you will probably bump into embedded videos that require it. It is possible though:

• Daring Fireball: Going Flash-Free on Mac OS X, and How to Cheat When You Need It

Another less draconian option is to install the ClickToFlash Safari extension. With it installed Flash based content will not be loaded when a site is visited, instead you see a ClickToFlash placeholder. Clicking it loads that particular Flash item but no others on the page.

Install ClickToFlash by visiting Apple’s Safari Extensions archive at https://extensions.apple.com/, then scroll through the list of Most Popular plug-ins until you find ClickToFlash. Click the Install button and you’ll be all set.

Other potentially beneficial side-effects of using ClickToFlash are: faster web site load times and less annoying animated ads.

A fake anti-virus application called “MAC Defender” is making the rounds. DO NOT DOWNLOAD OR INSTALL IT as it is a fake. It reports bogus virus infections and requests your credit card number to remove them. Details are here:

• Apple: How to avoid or remove Mac Defender malware
• ars technica: Fake “MAC Defender” antivirus app scams users for money, CC numbers

You can’t be spontaneously “infected” by this piece of garbage, you have to run it and enter your admin account password before it can install itself. Don’t!

To repeat, MAC Defender is a fake. Do not install it!

2011-May-31 Update

Security Update 2011-003 is now available via Software Update in the apple menu. This update detects known instances of the Mac Defender malware with the list of known instances automatically updated as needed.

If you use Skype for your audio and video conferencing make sure you’ve got the latest and greatest version as it contains a fix for a bug that could potentially allow malicious persons full access to your machine:

• The Register: Skype bug gives attackers access to Mac OS X machines
• Skype: Security Vulnerability in Mac Client Has Been Addressed
• Skype: Download Skype 5.1 for Mac

The fix was released about a month ago so if you haven’t updated your Skype application since then be sure to do it soon.

NOTE: PowerPC Mac users still using Skype 2.8 don’t have to worry as that version never had the problem.

You’ve probably been hearing a lot lately about how Apple is tracking your every move via the GPS on your iPhone. Or at least that’s what the headlines say.

The reality is a bit different, as spelled out in this press release from Apple:

• Apple Q&A on Location Data

The upshot is that the database in question contains the GPS locations of nearby Wi-Fi hotspots and cell towers and their GPS coordinates. The nefarious purpose of this information? To give faster location data to apps that request it with your permission (“Application XYZ wants to use your location …”) Details are in the Q & A.

The location data is an amalgamation of locations from all iPhone users in a given area with no personally identifying information included. It is not your specific location, it is the location of various radio sources in the area surrounding where you’ve been. Up to 100 miles away in fact. Using GPS alone could take several minutes for a result or may not be possible at all if you are indoors for example. Using this crowd sourced data gives results in seconds.

There is a bone fide bug in Apple’s current implementation in that the cached data is kept much longer than it should be, possibly up to a year where Android phones using the same technique correctly only keep the last week or so worth of cached data. According to the Q & A, Apple will be fixing this soon.

Anyway, them’s the facts. Feel free to chime in with your comments.

2011-04-29 Update

Macworld has an excellent article explaining exactly how Apple’s GPS-assist works:

• Macworld: How the iPhone knows where you are

What’s amazing to me is not just how inaccurate some of the original reporting was, one article stated flat out that Apple tracks your exact location, but how some of the follow up reports continue to get it wrong.

I just received a bogus Apple App Store order confirmation email containing an Order Status link that points to (a presumably compromised) guitar store web site. I can only assume that clicking on the link will take me to a faked form where the low-life scammer will try to steal credit card or other information. Here is what the message looked like:

This is a fake! When I hover the mouse cursor over the Order Status link for a few seconds I see that it points to a web site named best-guitar.net rather than Apple, which is a pretty big hint that’s it’s not legitimate. I’ve never received a notification from Apple’s App Store that looks like this so that raised alarm bells as well.

Be aware that this and similar scams are making the rounds.