Newest Notes
- Panther users: update Norton Antivirus 9.0 to 9.0.1. (See OS X Issues)
- Security Update 2003-12-19 patches 10.3.2 and 10.2.8. (See OS X Issues)
- Mac OS X 10.3.2 released. (See OS X Issues)
Overview of Mac Security

Despite the relative rarity of Mac-infecting viruses, Mac users still have
cause to be conscientious. As hacker activity increases generally, the
impact on Mac users increases as well. If you use an emulator to run
Windows on your Mac, you are exposed to everything a Windows user is
exposed to. Macro viruses, moreover, tie virus activity to a specific
application rather than a specific platform, so an infected Office document
behaves the same on a Mac as on a PC. Bear in mind also that we share the
network with users of other operating systems: activities that cause no
trouble for your Mac (forwarding an infected attachment, for example) may
still cause trouble for servers and other clients on the network.
Avoid
- downloading software from untrusted sites
- opening or forwarding unannounced e-mail attachments
- using old passwords or passwords that can be cracked
- using Telnet, FTP, or any program that sends your password in clear text
  (use SSH, SFTP, or SCP instead; they encrypt the whole session)
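Why the last item matters, as an added example that is not part of the original page: the script below reconstructs a user name and password from two hand-constructed captures, an FTP control-channel session and a Telnet login. The host name, user names and the password in them are made up for this illustration and are not real Lab traffic. The point it makes is that a Telnet password leaks just as surely as an FTP one even though it crosses the wire one keystroke per packet; reassembling those keystrokes is all that anyone with a sniffer on the shared network has to do.

```python
"""Added example (not part of the original page): what a network sniffer
sees when a password crosses the wire in clear text.

Each entry below is one TCP segment payload with its direction
('C>' client to server, 'S>' server to client). Both sessions are
constructed by hand for this example.
"""

# Constructed FTP control-channel session: the whole password sits in one
# segment, so a sniffer needs nothing more than a string search.
FTP_SESSION = [
    ("S>", b"220 files.example.org FTP server ready.\r\n"),
    ("C>", b"USER mac_user\r\n"),
    ("S>", b"331 Password required for mac_user.\r\n"),
    ("C>", b"PASS Panther03\r\n"),
    ("S>", b"230 User mac_user logged in.\r\n"),
]

# Constructed Telnet session: the client sends one keystroke per segment
# and the server does not echo the password. A sniffer simply concatenates
# the client's segments that follow the "Password:" prompt.
TELNET_SESSION = [
    ("S>", b"login: "),
    ("C>", b"a"), ("S>", b"a"), ("C>", b"m"), ("S>", b"m"),
    ("C>", b"\r\n"), ("S>", b"\r\nPassword: "),
    ("C>", b"P"), ("C>", b"a"), ("C>", b"n"), ("C>", b"t"),
    ("C>", b"h"), ("C>", b"e"), ("C>", b"r"), ("C>", b"0"), ("C>", b"3"),
    ("C>", b"\r\n"),
    ("S>", b"\r\nLast login: Fri Dec 19 09:12:01 on ttyp0\r\n"),
]


def extract_ftp_credentials(segments):
    """Return (user, password) from an FTP control session, or None."""
    user = password = None
    for direction, payload in segments:
        if direction != "C>":
            continue
        line = payload.decode("ascii", "replace").rstrip("\r\n")
        verb, _, arg = line.partition(" ")
        if verb.upper() == "USER":
            user = arg
        elif verb.upper() == "PASS":
            password = arg
    return (user, password) if user and password else None


def extract_telnet_credentials(segments):
    """Reassemble the client's keystrokes typed after the 'login:' and
    'Password:' prompts. Returns (user, password) or None."""
    user = b""
    password = b""
    field = None  # which prompt the client is currently answering
    for direction, payload in segments:
        if direction == "S>":
            if b"login:" in payload:
                field = "user"
            elif b"Password:" in payload:
                field = "password"
            continue
        if field is None:
            continue
        # Keystrokes arrive one per segment; a newline ends the field.
        for ch in payload:
            if ch in b"\r\n":
                field = None
                break
            if field == "user":
                user += bytes([ch])
            else:
                password += bytes([ch])
    if user and password:
        return (user.decode(), password.decode())
    return None


if __name__ == "__main__":
    print("FTP   :", extract_ftp_credentials(FTP_SESSION))
    print("Telnet:", extract_telnet_credentials(TELNET_SESSION))
```

The same recovery works for POP, IMAP and HTTP Basic logins sent without SSL. SSH and SFTP encrypt the entire session, so a sniffer in the same position sees only ciphertext.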
It's also wise to test your system. MacAnalysis is a tool that scans your
system for security vulnerabilities and provides information on how to fix
them. It runs on Mac OS 8.6 and higher, though only the OS X version is
actively supported.
Besides the above exhortations, this page offers a few notes on current
Macintosh-specific security issues. It is by no means comprehensive. For
best results, install virus checking software, keep your definitions up to
date (e.g., visit Norton's virus definition download page frequently or use
LiveUpdate), and keep yourself informed via this and other channels. (The
Lab site license for Norton Antivirus covers your home machine as well as
your work machine. Version 9.0 is now available from the Lab's software
download page.) If you have a Macintosh security issue that you would like
to see featured here, send a note to amgreiner@lbl.gov.
Viruses, Trojans, and Worms

Viruses, trojan horses, and worms belong to a class of nasties collectively
referred to as "malware". Several examples of such unfriendly code, and
some security issues that could be exploited to distribute it, are
discussed below.
RealPlayer 8 for Mac OS 9 and RealOne Player for Mac OS X share a
vulnerability that could allow an attacker to run arbitrary code on your
Mac. The solution is an update available from the RealNetworks Web site.
A vulnerability in Flash Players older than version 6 (6,0,65,0, to be
precise) has been reported by Macromedia. Viewing a maliciously altered
Flash animation (i.e., one hand coded outside the Flash authoring tool)
could lead to the execution of arbitrary code on a Mac, PC, or Unix
computer. Chances are your browser came with a vulnerable version, so check
the installed version rather than assuming it is current. The remedy:
upgrade to the latest Flash Player, available for download at the
Macromedia Web site.
Macro viruses constitute the bulk of prevalent Macintosh viruses. Of
particular note, the PowerPoint and Excel applications in Microsoft Office
98 and 2001 for the Mac are vulnerable to a new type of macro attack. This
attack works around the existing macro security, so until you patch you
cannot rely on Office's built-in protection. Microsoft has made patches
available for the affected versions of Office. If you have Office 98, you
must first install the Office 98 Updater and then install the patch. If you
have Office 2001, you must first install Office 2001 for Mac Service
Release 1. See Microsoft Security Bulletin MS01-050 for more details and
patch downloads. If you use Word, be sure to enable macro virus protection
in your general preferences and be judicious about opening Word documents,
especially those not from a trusted source. Be aware also that the macro
protection in Word 98 and 2001 requires a patch to be secure against an
RTF file linked to a template with a macro. See Microsoft's Word 98
Security Update and Word 2001 Security Update. To apply one of these
patches, you will need to have installed the Office 98 Updater or Office
2001 for Mac Service Release 1. Since macros are written in an
application's macro language rather than in native code, they cross from
one platform to another, running in the host application on a Mac as well
as on a PC. You can read more about macro viruses on the Microsoft Web
site. See "What Is a Macro Virus?"
The Nimda worm has been making its presence felt on the Internet since
September 2001. It does not infect Macs, but a Mac user can still aid its
spread, for example by forwarding an infected attachment. All computer
users at the Lab should be cautious about opening email attachments and
visiting untrusted Web sites. The MacFixIt Web site has some Mac-related
details about Nimda.
Melissa.W is a variant of the Melissa virus. It travels via email in an
attached Microsoft Word 2001 document called Anniv.doc, though the file
name can be changed. The virus uses Outlook to send itself, under your
name, to the people in your Outlook address book. More information about
this virus is available from Data Fellows. See their virus description for
Melissa.W.
Bottom line: the best defense against malicious code is antivirus software.
Install the latest version of Norton Antivirus from the Lab's software
download page (now offering version 9.0; OS X 10.3 users need to update to
9.0.1 via LiveUpdate) and keep your virus definitions up to date.
PC Emulators

If you use Connectix Virtual PC or another PC emulator for the Mac to run
Windows, your Mac is at more risk than most. Any virus or worm that targets
Outlook for Windows or any other Windows software can also infect the
Windows system running inside the emulator. You thus need to install the
Windows version of Norton Antivirus in your emulated Windows operating
system, just as you need to install the Mac version of Norton Antivirus on
your Mac. In short, you need to run *two* versions of Norton Antivirus if
your system is to be adequately protected, and you will need to keep both
updated. To download both versions of Norton Antivirus, go to
www.lbl.gov/download/.
Network Issues

A vulnerability in Airport's password handling makes it possible for an
attacker with a network sniffer to obtain the Airport administrator
password. The administrator password is obfuscated before it is sent, but
in a predictable way, so the obfuscation is no substitute for encryption.
Best practice is to administer the Airport only when connected via an
Ethernet crossover cable. If that isn't an option, connecting by Ethernet
is preferable to connecting wirelessly, since wireless traffic can be
sniffed by anyone within radio range.
OS X handles file sharing differently from OS 9. The most important
difference from a security standpoint is that OS X uses TCP/IP for file
sharing, so a Mac with file sharing enabled and connected to the Internet
is reachable by other machines anywhere on the Internet, not only on the
local network. Thus, a good password on your OS X system is crucial to
network security unless you turn file sharing off.
OS X 10.2 makes communication with Windows systems easy by implementing
Samba. Samba is not enabled by default, but if it is turned on, it may be
vulnerable to a remote exploit that could give an unauthorized user root
access. Updating to the latest version of OS X 10.2 patches this
vulnerability. See OS X Issues for more information.
Several Microsoft applications are troubled by network-related problems.
One is caused by the company's network-aware antipiracy system (described
in Microsoft Security Bulletin MS02-002 and further discussed in CIAC
Bulletin CIACTech02-003). There are also two Internet-related
vulnerabilities, one that could allow remote execution of local
AppleScripts and one that could allow an attacker to crash Explorer or run
code of their choice on your Mac. (See Microsoft Security Bulletin
MS02-019 for details.) Another issue with Microsoft products for the Mac
involves digital certificates. (More information on this one is available
in a Microsoft TechNet article.) Patches for the affected Macintosh
applications can be downloaded from the Mactopia security patches page.
Netopia's Timbuktu Pro 6.0 supports OS X, but there are some issues with
OS X 10.1. Netopia has a free updater to version 6.0.1 for compatibility
with OS X 10.1. The version of Timbuktu available from the Lab's software
downloads page is not vulnerable.
Apple's Open Transport versions 2.5.1 and 2.5.2 made it possible for Macs
to be exploited as participants in a distributed denial-of-service (DoS)
attack against other hosts. All Macs running system 9.0, and G4s, iBooks,
and iMacs running OS 8.6, are vulnerable. After releasing a
less-than-perfect patch called OT Tuner, Apple made Open Transport version
2.6 available. This version corrects the DoS vulnerability and avoids the
trouble with wireless networks that some iBook users had with OT Tuner. A
thorough explanation is available from C|Net in the article "Avoid the
Mac DoS Attack."
Security at Home

If you have a computer at home, chances are you move data and media (like
floppy or Zip disks) between it and your work computer. Thus, protecting
your home machine is an important part of keeping your work machine
secure. Make sure you have up-to-date antivirus software installed (e.g.,
the Lab-licensed Norton Antivirus; yes, the site license covers home use),
and avoid risky computing. In addition, if your home computer has a
full-time connection to the Internet, you should consider protecting it
with a firewall: an always-on machine is exposed to scanning around the
clock.
Firewalls for the Mac

A firewall is a layer of protection between your computer and outside
networks: it decides which connections are allowed to reach your machine.
It can take the form of software or hardware, depending on what level of
security you need. For most home systems, a software firewall is the way
to go. One option for the Mac OS is Symantec's Norton Personal Firewall
(part of the Norton Internet Security software suite). Version 1.0.2
supports Mac OS X natively. Intego offers another software firewall called
NetBarrier. Another option, geared toward Macintosh servers, is DoorStop
by Open Door Networks. Mac OS X users can also take advantage of the
system's built-in firewall (ipfw) by setting it up at startup.
OS X Issues

Happy news for OS X users! The Lab's Computer Security folks have written
security guidelines for OS X and OS X Server. The best thing you can do as
a conscientious OS X user is to look through the checklist for your system
and address each item that applies to it.
Mac OS X offers some serious security features and generally gives you
good security by default. For example, it takes some effort to share more
than a Public Folder in OS X. However, if you are using Mac OS X, you will
need to keep abreast of system and security updates as they come out and
choose a good password for yourself. Apple has a Security Updates site
with pertinent information and links to updates. In addition, you should
always be able to get the most current patches via the Software Update
preference pane. A good password matters especially if you enable file
sharing: otherwise your system is open to anyone on the Internet who can
guess it, and guessing is quick when the password is a dictionary word
with a digit or two appended.
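How quickly a guessable password falls, as an added example that is not part of the original page (it also illustrates the "passwords that can be cracked" item in the Avoid list above). The hash format, salt, word list and the "captured" hash are all constructed for this example; the salted SHA-1 scheme is a generic stand-in chosen here, not the format Mac OS X stores passwords in. The mutation rules are the ordinary ones cracking tools apply: case changes, leet substitution and short numeric suffixes.

```python
"""Added example (not part of the original page): a dictionary attack with
simple mutation rules against a salted password hash.

The hash scheme (SHA-1 over salt + password) is assumed for illustration
and is not Apple's format; the word list, salt and target hashes below
are constructed inline.
"""
import hashlib


def hash_password(salt: bytes, password: str) -> str:
    """Generic salted SHA-1 (an assumption for this example)."""
    return hashlib.sha1(salt + password.encode()).hexdigest()


# a->4, e->3, i->1, o->0, s->5: the classic "leet" substitutions.
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"})


def candidates(word: str):
    """Yield the mutations a basic cracking tool tries for each word."""
    # dict.fromkeys de-duplicates while keeping a deterministic order.
    bases = list(dict.fromkeys(
        [word, word.lower(), word.capitalize(), word.upper(),
         word.translate(LEET)]))
    for base in bases:
        yield base
        for suffix in ("!", "1", "123"):
            yield base + suffix
        for n in range(100):            # two-digit suffixes "00".."99"
            yield base + f"{n:02d}"


def crack(salt: bytes, target: str, wordlist, max_guesses: int = 50_000):
    """Try every candidate until the hash matches or the budget runs out.

    Returns (password, guesses_tried) on success, (None, guesses_tried)
    otherwise."""
    tried = 0
    for word in wordlist:
        for guess in candidates(word):
            tried += 1
            if tried > max_guesses:
                return None, tried - 1
            if hash_password(salt, guess) == target:
                return guess, tried
    return None, tried


# Constructed word list: the first things an attacker tries against a Mac.
WORDLIST = ["password", "apple", "mac", "panther", "jaguar", "summer", "lab"]
SALT = b"\x9a\x1b"   # constructed; a real salt is stored beside the hash

# Two constructed "captured" hashes: a word plus digits, and a passphrase
# that is not derived from any dictionary word.
WEAK_HASH = hash_password(SALT, "Panther03")
STRONG_HASH = hash_password(SALT, "tq7!Rv2#mLp9")

if __name__ == "__main__":
    print("weak  :", crack(SALT, WEAK_HASH, WORDLIST))
    print("strong:", crack(SALT, STRONG_HASH, WORDLIST))
```

With seven words the weak password is found after roughly thirteen hundred guesses; the strong one survives the whole candidate set. A real attacker uses a list of hundreds of thousands of words and far more rules, and a single machine computes millions of SHA-1 hashes per second, so any password built from a word plus a short suffix should be assumed crackable within seconds.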
Using the latest version of OS X is usually also wise (though it sometimes
pays to wait about a week after a new release, in case early problems
surface). You can download system updates via Software Update or from
Apple's updates download page.
The latest version of the Macintosh operating system is OS X 10.3.2
(Panther). An update for 10.3.2, Security Update 2003-12-19, fixes a
vulnerability to malicious DHCP hosts on a local network and patches
several other security issues. Users of Panther are strongly advised to
use version 10.3.1 or higher. Some serious problems with external FireWire
drives (loss of data upon restart while the device is connected to a Mac
running Panther), with FileVault file encryption, and other troubles were
reported with the initial (10.3) release of Panther. The 10.3.1 patches for
OS X and OS X Server fix these problems plus a few security issues. Note:
Apple is recommending that users of external FireWire 800 drives update
their firmware with a patch from the drive's vendor even if they update to
10.3.1. Security updates for 10.3.1 (both OS X and OS X Server) include
those dated 11-19-2003 and 12-05-2003.

Panther users should also note that version 9.0 of Norton Antivirus is not
fully compatible with 10.3. The solution is an update to version 9.0.1,
available via LiveUpdate.
The latest system update for OS X 10.2 ("Jaguar") is 10.2.8, initially
released on September 2. Apple released a second version of it (fixing a
bug in Ethernet performance on some G4s) on October 3. Three security
problems with OS X 10.2.8 and earlier have surfaced recently as well. They
are described by @stake. Thus far, these are fixed only by upgrading to
10.3, a situation discussed at News.com along with the hope that user
complaints will prompt Apple to offer free patches. (Cross your fingers.)
Apple has, however, issued Security Update 2003-11-19, which fixes several
issues in OS X and OS X Server 10.2.8, and Security Update 2003-12-05,
which prevents unauthorized access to a user's cookies in Safari. Another
update, Security Update 2003-12-19, fixes a vulnerability to malicious
DHCP hosts, among other things.
The latest system update for OS X 10.1 is Mac OS X 10.1.5. A security
update for OS X 10.1.5 is dated March 3, 2003 (Security Update
03-03-2003). It is available from Apple's Web site and via Software
Update. The update fixes a vulnerability in Sendmail (which is not enabled
by default) and another in OpenSSL. Unfortunately, this patch does not fix
a Sendmail vulnerability that affects versions prior to 8.12.9 (where the
address parsing code does not adequately check the length of email
addresses). The best solution is updating to 10.2.5 or later. Details are
posted on the Sendmail Web site.
Several popular OS X applications call for security updates as well.
Microsoft has a very convenient security patch list on its Mactopia Web
site. It includes updates for Office, Outlook, and Internet Explorer.
Finally, iTunes version 2.0 (but not 2.0.1) shipped with a bad installer
for OS X. It is possible, though highly unlikely, for the installer to
delete all data on non-boot partitions instead of deleting a previous
version of iTunes. Apple released a more reliable installer with iTunes
2.0.1. See Apple's iTunes alert.
For those who enjoy the Unix end of the Mac OS X experience, be warned
that Virex 7.2 is incompatible with Fink. The Fink home page warns that
Fink users should not install Virex 7.2 under any circumstances.
Lab Computer Security Notice

The Lab's computer security notice, the ubiquitous "Notice to Users"
displayed on Lab computers either as a sticker or as a warning at system
startup, is available for Macintosh systems. For OS X, you can download
and install a small security warning application, then set it up as a
Login Item. (Instructions are given in the OS X security guidelines.) An
extension for OS 9 can be obtained from the Lab's Software Downloads page.