Archive for the 'Apple/Mac' Category

Mar 31 2008

Safari Update in the bar

Published by Martin under Apple/Mac

I was sitting in a bar near Wrigley Field here in Chicago. I looked over my shoulder and saw a video screen with the iTunes Update screen telling the user that they needed to update iTunes and Safari. The bartenders hadn’t even noticed the screen was there. Oh, and there’s a Windows Update icon sitting in the corner waiting to be clicked on too.
Installing Safari using the iTunes update functionality is dishonest of Apple. And all the people who think that users should know enough to unclick the Safari installation are unrealistic. The average user is just going to click on ‘install’ and trust that Apple is updating properly. Expecting the average user to understand that Safari is a separate application that has nothing to do with iTunes is dishonest and disingenuous. And by including Safari in an iTunes update Apple is proving that they’re no better than Microsoft.


4 responses so far

Mar 21 2008

Apple upgrading Safari, even where it’s not installed

Published by Martin under Apple/Mac

Yesterday a friend of mine posted in a chat room “Hey, why’s Safari upgrading? I don’t even have Safari installed.” Most of us figured it had been installed alongside Quicktime or iTunes and let it go. But it turns out that wasn’t the case; in a bid to increase Safari’s market share, Apple is pushing out Safari to anyone and everyone who’s got Apple Software Update on their computer. And that means all Macs (obviously) and anyone who’s ever installed Quicktime or iTunes. If you’ve got an iPod, you’ve probably installed iTunes, despite your better judgment.

I wouldn’t go as far as to call this evil, but it’s definitely a questionable tactic on Apple’s part. Most users aren’t going to know Safari from the Sound Recorder in Windows, and they’ll just download it because it’s from Apple. They’ll probably never fire it up, but Apple will be able to claim a big increase in the number of Safari installations. I’d say this ranks pretty high on the list of questionable business practices.

I have iTunes installed on my PC, but the Apple Software Update service is set to manual, since I want to be in control of my upgrades, not Apple. Most people should have it running, since patching is not something the average user ever willingly thinks about, let alone does. But the way Apple is abusing this service reminds me of the tactics malware writers use to get their software on your computer: promise one thing and then load a number of other programs onto your computer when you’re not looking. Is this really the type of reputation Apple wants to garner?

Update:  Here’s Andy’s own take on the Apple Safari “upgrade”.


6 responses so far

Jul 17 2007

Sellout creates an Apple worm

Published by Martin under Apple/Mac

I’m not a big fan of the Information Security Sell Out, but I have to admire the fact that he’s created a ‘weaponized’ worm for Mac OS X.  He’s (or they’re) refusing to show a proof of concept or release the vulnerability, so all we have so far is a claim, but I’m willing to believe that this is something real.  I’ll be interested in watching my MacBook Pro over the next few months to see what patches are released and if anyone is given credit for discovering the vulnerabilities.  Not that I expect Apple to give anyone credit.  Or the Sellout to do anything as obvious as putting his own name on a vulnerability after posting that he’s got an exploit.


No responses yet

Jul 16 2007

You’ve got to appreciate truth in advertising

I use Gmail as my central email repository and usually the spam filters they use are pretty good.  But lately they’ve been a little overly aggressive, so I have to comb through to make sure no legitimate email is being caught accidentally.  There’s not a lot that’s misidentified, but there’s enough to make it worth the few minutes a day it takes to double-check the spam folder.

I’ve been amazed at some of the subject lines I see, as well as what I see in the preview of the email.  There’s no way I’m going to click on any of them to find out what else is in the spam, because it’s just not worth the risk.  But I do have to say that my favorite subject line so far is “Thanks for contributing to our financial success”.  It’s honest and straightforward even if it is just an attempt to rip off people around the globe.

On a side note, I used to clean out my spam folder every couple of days, but in March I started letting them accumulate and get deleted automatically when they’ve aged 30 days.  It’s been interesting watching the number of spams spike and drop.  At one point I had gathered nearly 9000 spams in a 30 day period, which works out to an average of 300 spams a day.   Personally, that means about 60% of my email is spam, a far lower percentage of spam than most people see.  I guess being subscribed to ten or so mailing lists had to have some benefit.

Mine is just a single data point, compared to the millions some anti-spam vendors get to see.  But I like having a personal high water mark to compare to what the vendors are reporting. I’m not a spam expert, so it’s interesting to see new spam subjects that companies like F-Secure report.  Anyone else out there keep track of the spam they receive for fun?


4 responses so far

Jul 10 2007

Using charities to test stolen cards

This makes sense in a twisted way:  scammers are using charities to test stolen credit cards. As the post points out, they’re using charities because most banks aren’t going to flag a donation, since it’s something most people only do on special occasions and it’s hard to create a behavioral monitoring program that could catch this as being an unusual activity with any accuracy.


No responses yet

Jul 01 2007

Want to look at the iPhone OS?

Published by Martin under Apple/Mac

I wonder how long this link will be valid, but while it is, here’s a full copy of the iPhone firmware.  I haven’t decompressed it myself, but I’ve heard from people I trust that it’s the real thing.


One response so far

Jun 11 2007

Bad Safari

Published by Martin under Apple/Mac, Security Advisories

The guys over at Errata Security found a memory corruption error in the new Windows beta of Safari before (to quote a friend) “the ink was even cold on the press release”.  And all using publicly available tools. Ouch.


No responses yet

May 23 2007

Don’t touch my firewall

When I saw this last night, I couldn’t believe that Adobe would do something as stupid as shutting down the personal firewall so they could do updates.  What makes it funny is that they probably would have gotten away with it if they had just remembered to turn the firewall back on after the fact.  Come on guys, this isn’t rocket science.


3 responses so far

May 03 2007

Thomas gives us some Quick(time) updates

This Quicktime bug has the potential to be a nasty, little cross-browser exploit.  If you haven’t already turned off Java in your browser, you should stop reading and do it now.  Even if you’ve updated to the latest and greatest Quicktime and Java patches, you might want to leave Java off in your browser.  I’m running Firefox with Java off on both my main systems, and I’m running NoScript on my MacBook Pro, soon to be installed on the Windows desktop.  Yes, no Java will interfere with some sites, but not as many as you’d think.

Thomas does an excellent job of explaining how this bug affects your system in something close to plain English.  It’s more than a little bit scary that he can demonstrate the bug in less than five lines of code.  If he can show it that quickly, I have to imagine it can’t be too hard for a talented coder to work up a more useful exploit for the vulnerability, if they haven’t already.  Making the exploit cross-platform will be a lot harder, but given a little bit of time, I’m pretty sure it will happen.


2 responses so far

Apr 23 2007

My new desktop background

Published by Martin under Apple/Mac

I’m the sort of person who finds a wallpaper when I first set up a computer and almost never changes it again.  Now, the art department at StillSecure created three sets of Cobia-themed wallpaper, which I want to use as my background.  I figured out how to get the MacBook Pro to cycle through all the pictures in a folder, though it took me nearly half an hour.  I’m over two months into having a Mac and still find out how to do new things on a daily basis, so I take my small victories over the UI of the MBP very seriously.

As you might guess, I’m not a rabid Mac fan yet; I’m still more comfortable in Windows.  Gimme another 6 months and we’ll see.


3 responses so far
