Even though they tried to do so quietly, they are slipping a ‘malware detector’ into the latest OS X update known as Snow Leopard.

The problem is though, it only scans for two trojans? Seems a bit pointless to me.

Although Mac OS X is considered by many to be the most secure operating system available to end users, it does suffer from security issues. Perhaps the new malware detector in Apple’s new Mac OS X Snow Leopard release will help prove that.

Mac OS X is viewed by many as the most secure operating system on the market. It’s certainly considered far more secure than Microsoft’s Windows operating system.

But with a report hitting the wire Wednesday claiming Apple’s new Mac OS X release, Snow Leopard, will feature a malware-detection tool, some of those beliefs might be put into question.

According to reports, Mac OS X will feature an application that will scan the user’s Mac for known trojans. It will also flag malicious files if they are downloaded from Safari, iChat, Entourage and a few other applications. There’s just one catch: that feature will only look for two trojans. Every other possibly damaging trojan will not be scanned for.

Only two trojans? Why not make it a full on malware scanner, or at least something a little more useful than a finite scanner.

I mean even Windows pushes their Malicious Software Removal Tool and I’m sure it scans for more than just two threats.

Either way it’s a step in the right direction and Apple are acknowledging their OS isn’t bullet proof and they need to do something to address that.

Over the past few months, we have seen several Mac OS X security issues hit the wire. From security outbreaks to an update that included several security fixes, it was becoming clear that Mac OS X’s reputation for strong security wasn’t as reliable as some believed. And if Mac OS X Snow Leopard does, in fact, feature that new malware detector, it could change everything. Just don’t expect Apple to change.

“The Mac is designed with built-in technologies that provide protection against malicious software and security threats right out of the box,” Apple wrote on the company’s Mac OS X Snow Leopard page. “However, since no system can be 100 percent immune from every threat, anti-virus software may offer additional protection.”

I’m a little shocked by that statement. Although Apple does admit that no system is totally immune from issues, it says anti-virus software “may” offer additional protection. I think that perpetuates the myth that end users don’t need to worry about Mac OS X security.

I think the landscape for Apple is changing, as they get more users in the marketplace they WILL be exposed to more threats.

And more people will have their fingers in the operating system trying to break it for fun and profit. With Mac machines being sold as lifestyle products you can bet the majority of Apple users aren’t very tech savvy.

You can’t really compare it to the Linux desktop market, but even then Linux does have anti-virus software available for free and commercially.

Source: eWeek

Features

• Injection of packets with bogus data and with randomly selected bad TCP cksum or bad TCP sequences
• Userland binary(tsctrl) for controlling trafscrambler NKE
• SYN decoy – sends out number of SYN pkts before the original SYN pkt
• TCP reset attack – sends out RST/FIN pkt with bad sequence
• Pre-connection SYN – sends out SYN with wrong TCP-checksum
• Post-connection SYN – sends out fake SYN after connection establishment
• Zero Window – send out pkt with “0” window set.

You can download Trafscrambler 0.2 here:

trafscrambler-0.2.tgz

Or read more here.

Everyone I know using an iPhone has already done it without a hitch, it’s been long awaited and it’s definitely an improved over version 2.0.

The new OS also includes patches for 46 previously unpatched security vulnerabilities in the version 2.0 OS.

Apple releases iPhone OS 3.0 to much fanfare. In addition to new features, the updated iPhone operating system brings several patches that address serious security issues in the mobile device.

Apple quietly plugged nearly four dozen security holes when it pushed out an upgrade to iPhone OS 3.0 on June 17.

With iPhone OS 3.0, users are getting fixes for several critical flaws, a number of which could be exploited by an attacker to execute arbitrary code. The WebKit and CoreGraphics components were the most vulnerable with 21 and eight vulnerabilities, respectively.

There are several serious flaws being fixed in this update, so even if you don’t need the features please update for the security.

Let anyone else you know using the iPhone to update too.

Apple’s advisory on the issues can be found here.

The Apple iPhone OS 3.0 contains more than 100 new features, some of which were aimed squarely at enterprises. In March, Apple gave about 50,000 individuals who paid to be part of the company’s developer program access to both the updated SDK (software development kit) and the beta version of the operating system as part of an effort to bring more secure business functionality to the iPhone.

The popularity of the iPhone and other smartphones has brought about an increased interest in properly securing and managing the devices. Along those lines, the Center for Internet Security just released a benchmark with advice on using the iPhone securely.

“Phones are small and relatively cheap, and fashionable, so many companies still don’t realize—or don’t want to acknowledge—that they can be as serious in terms of breach effects as a laptop or desktop PC,” Gartner analyst John Girard said.

I would take a wild guess though with 100 new features introduced that Apple has also introduced some security vulnerabilities.

I’d give it a week or so before some issues start to pop up with the new OS.

Companies do need to look at the security of mobile devices seriously, that’s partially why BlackBerry is so popular as it’s easy to setup secure communications and lock down the device.

Source: eWeek

They are a bit behind in the curve as they don’t have a formal security program and it’s unknown if they use secure development practices (they seem to focus more on interface design than anything else).

Something has to be done though or the next big botnet could be running on Apple machines.

A well-known security consultant says Apple is struggling to effectively protect its users against malware and other online threats and suggests executives improve by adopting a secure development lifecycle to design its growing roster of products.

“Based on a variety of sources, we know that Apple does not have a formal security program, and as such fails to catch vulnerabilities that would otherwise be prevented before product releases,” writes Rich Mogull, founder of security firm Securosis and a self-described owner of seven Macs. “To address this lack, Apple should integrate secure software development into all internal development efforts.”

Microsoft was among the first companies to integrate an SDL into its internal development routine. Under the program, products are built from the ground up with security in mind, so that poorly written sections of older code are replaced with code that can better withstand attack. It also subjects programs to a variety of simulated attacks. Adobe Systems recently beefed up the SDL program for Reader and Acrobat following criticism about the security of those two programs.

With their fairly rapid development and pumping out of new product lines (Apple TV, Mac Mini etc) they are going to face security problems at some point.

That’s without considering the Internet connected mobile devices (iPhone, iPod touch).

Adobe has taken notice too with it’s recent spate of exploits and improved its Secure Development Lifecycle to ensure future problems are minimized.

Mogull’s suggestion was one of five he made recently to ensure company is doing everything it should to safeguard its customers.

“It’s clear that that Apple considers security important, but that the company also struggles to execute effectively when faced with security challenges,” he writes in a recent article on Mac news website Tidbits. He goes on to fault the company for its ongoing failure to patch a gaping security hole in Mac versions of Java.

The suggestions came as Apple on Monday announced Safari 4.0, a release that fixes more than 50 vulnerabilities in the browser. Protection against clickjacking attacks, denial-of-service flaws and bugs that allow for remote code execution were among the fare.

Another suggestion from Mogull is that Apple appoint and empower a high-ranking executive to oversee security in all Apple products. The CSO, or chief security officer, would serve as the public face for Apple security as well as the internal boss who coordinates the company’s response to security incidents and development of new products that are safe.

I believe Apple is indeed need of a solid CSO, one that can implement more proactive measures against security flaws such as secure development, a dedicated response and research team for vulnerabilities and spearhead a generally more responsible organisation when it comes to security concerns.

Obviously to fit into Apple it has to be someone charismatic that can ’sell’ the benefits of Apples ‘iSecurity’ system or whatever they are gonna call it.

I’m sure they’ll find some way to spin whatever security measures they take into a marketing exercise.

Source: The Register

Tested on:

• Core Duo (1st gen) Macbook Pro 15″
• Core 2 Duo Macbook Pro 15″

Technical details on how it works here.

You can download EFIPW v0.1a here:

efipw_v0.1a.zip

Or read more here.

Guess what? He’s done it again! This time though he’s even faster clocking in at under 10 seconds. No one else stood a chance. He walked off with the prize again, $5000 and the MacBook that he hacked.

Of course he wrote the exploit before hand, but still impressive!

Charlie Miller, a security researcher who hacked a Macintosh in two minutes last year at CanSecWest’s PWN2OWN contest, improved his time today by breaking into another Macintosh in under 10 seconds.

Miller, an analyst at Independent Security Evaluators in Baltimore, walked off with a $5,000 cash prize and the MacBook he hacked.

“I can’t talk about the details of the vulnerability, but it was a Mac, fully patched, with Safari, fully patched,” said Miller on Wednesday, not long after he had won the prize. “It probably took five or 10 seconds.” He confirmed that he had researched and written the exploit before he arrived at the challenge.

It guess it might be a Safari exploit, but I guess if you keep your ears open you’ll hear about it soon enough.

I wonder if he’ll be able to pull the same trick again next year, with his record so far I’d say it wouldn’t be a large stretch of imagination.

The PWN2OWN rules stated that the researcher could provide a URL that hosted his exploit, replicating the common hacker tactic of enticing users to malicious sites where they are infected with malware. “I gave them the link, they clicked on it, and that was it,” said Miller. “I did a few things to show that I had full control of the Mac.”

Two weeks ago, Miller predicted that Safari running on the Macintosh would be the first to fall.

PWN2OWN’s sponsor, 3Com Corp.’s TippingPoint unit, paid Miller $5,000 for the rights to the vulnerability he exploited and the exploit code he used. As it has at past challenges, it reported the vulnerability to on-site Apple representatives. “Apple has it, and they’re working on it,” added Miller.

Interestingly another researcher later broke into a Sony laptop that was running Windows 7 by exploiting a vulnerability in Internet Explorer 8. So Safari and IE8 both fell!

What with all the claims from Microsoft that IE8 is so secure…I guess that pissed on their bonfire didn’t it?

This year’s PWN2OWN also has a section for mobile operating systems, the prize is larger too at $10,000. If you want to join you can have a crack at Windows Mobile, Google’s Android, Symbian, and the operating systems used by the iPhone and BlackBerry.

Source: Computer World (Thanks Navin)

Not one person entered the first day, perhaps they don’t want to divulge those heavy exploits…or perhaps no one had any. The second day had a lot more entrants. It’ll be interesting to see what the 3rd day turns up when everything is open to attack.

A brand-new MacBook Air running a fully patched version of Leopard was the first to fall in a contest that pitted the security of machines running OS X, Vista and Linux. The exploit took less than two minutes to pull off.

Charlie Miller, who was the first security researcher to remotely exploit the iPhone, felled the Mac by tapping a security bug in Safari. The exploit involved getting an end user to click on a link, which opened up a port that he was then able to telnet into. Once connected, he was able to remotely run code of his choosing. The feat won him a $10,000 prize paid by Tipping Point, whose Zero Day Initiative pays bounties to researchers for responsibly disclosing vulnerabilities.

Interesting the exploit came in Safari, but gave full control. Still $10,000 is not bad for a days work (I’d imagine though he’s probably prepared the exploit earlier).

I was somehow expecting Mac to fall first.

At time of writing, the Windows and Linux machines were still standing.

Under contest rules, Miller was forbidden from providing specifics of his hack. He said he chose Apple over the other machines because “I thought of the three it was the easiest”. He said he didn’t test the exploit on any other platform. As a Mac user, he added, he felt an incentive to exploit the system because he believes it will help make the platform stronger.

Miller’s win came on day two of the contest, which gradually eases the rules for what constitutes as qualifying exploit. Not a single attendee entered the contest on day one, when all vulnerabilities had to reside in the machine’s operating system, drivers or network stack. Winners were eligible for a $20,000 prize.

On day two, the attack surface was expanded to include browsers, mail applications and other common applications, and the bounty was reduced to $10,000. Contestants on day three will be allowed to attack still more applications, such as Skype, QuickTime and browser plugins for a $5,000 prize.

I wonder if any of our readers are attending CanSecWest, any of you guys there? Having a go at the contest?

I think more things should be organized like this, at the end of it – it really does make all the OSes more secure. Saying that though just because no-one exploited it, doesn’t mean the vulnerability isn’t there and the bad boys aren’t already using it.

It’s been shown before, the underground is always ahead…and a vulnerability with exploit for a fully patched Windows machine is worth way more than $20,000!

Source: The Register

It just shows nothing is infallible, all he needed to find was a writable memory address and he was pretty much done (he used a much higher range of registers than previously).

A teen hacker known for his deftness with iPhones has figured out how to unlock models running the latest firmware versions by cracking a protection that has frustrated hackers for weeks.

The breakthrough by George Hotz, aka Geohot, means people who have bought a recent iPhone will once again be able to use it on the phone network of their choice. Apple makes as much as $400 for every handset that’s activated on an approved network, so its developers have worked hard to prevent the so-called unlocking of iPhones.

A very smart young man indeed, just showing 1 person can indeed defeat the security of a huge multi-national billion dollar company.

And he’s done it twice.

The latest salvo was fired late last week, following a 24-hour hacking spree by Geohot that was broken up by only three hours of sleep. It turns out the latest firmware contained modifications to the device’s memory registers to prevent unlocking. Geohot worked around those changes by finding another, much higher register that was vulnerable.

“I guess Apple thought big numbers were harder to guess,” he wrote.

He then found a way to install his custom-built code by exploiting a flaw that allowed him to erase a range of memory addresses where security software is stored.

An amazing 27% of iPhones are running on unauthorized networks which means they are cracked. Of course Apple will soon come out with a new firmware update that negates this problem….but then the game will just start all over again.

And no one doubt Geohot or someone like him will break it again.

If you want to know how to do it check out step-by-step instructions here from iClarified here.

Source: The Register

KisMAC supports several third party PCMCIA cards – Orinoco, PrismII, Cisco Aironet, Atheros and PrismGT. USB Prism2 is supported as well, and USB Ralink support is in development. All of the internal AirPort hardware is supported as well.

System Requirements

• Mac OS 10.4
• A Mac with a supported PCMCIA, USB or internal AirPort

Features

• Reveals hidden/cloaked/closed SSIDs
• Shows logged in Clients (with MAC Addresses, IP addresses and signal strengths)
• Mapping and GPS support
• Can draw area maps of network coverage
• PCAP import and export
• Support for 802.11b,g,n
• Different attacks against encrypted networks
• Deauthentication attacks
• AppleScript-able
• Kismet drone support (capture from a Kismet drone)

Active mode, also referred to as managed mode, sends probe requests and is pretty boring.
Passive mode is more commonly known as monitor mode, and passively monitors what’s already in the air without interfering in it.
Active attacks like deauth and reinjection (where supported) require your device to be in monitor or passive mode.

You can download KisMAC here:

KisMAC

Or read more here.

It comes (somewhat oddly) only 24 hours after a Mac OS X security update that fixed 41 OS X and Safari security vulnerabilities.

Previously independent researchers proved that Apple’s claim that the Leopard firewall could block all incoming connections was false.

In an advisory accompanying the Mac OS X v10.5.1 update, Apple admitted that the “Block all incoming connections” setting for the firewall is misleading.

“The ‘Block all incoming connections’ setting for the Application Firewall allows any process running as user “root” (UID 0) to receive incoming connections, and also allows mDNSResponder to receive connections. This could result in the unexpected exposure of network services,” Apple said.

With the fix, the firewall will more accurately describe the option as “Allow only essential services”, and by limiting the processes permitted to receive incoming connections under this setting to a small fixed set of system services, Apple said

Sounds like they are back-pedaling rather fast. They also addressed two other issues with the application based firewall.

CVE-2007-4703: The “Set access for specific services and applications” setting for the Application Firewall allows any process running as user “root” (UID 0) to receive incoming connections, even if its executable is specifically added to the list of programs and its entry in the list is marked as “Block incoming connections”. This could result in the unexpected exposure of network services.

CVE-2007-4704: When the Application Firewall settings are changed, a running process started by launchd will not be affected until it is restarted. A user might expect changes to take effect immediately and so leave their system exposed to network access.

So watch out, Apple is not the panacea of security as some people claim it to be.

Source: ZDNet