International Mac Podcast


Mobile Me – A Polished Turd?

Posted on Wednesday, August 27, 2008 by | 3 comments

The problem with .Mac (the previous name for Mobile Me) was never the concept, nor was it what was promised; the problem was always the implementation. I expressed my views on .Mac back in January 2007 in a post entitled “.Mac – The Devil is in the Implementation”, and nothing has really changed since. I had high hopes that Mobile Me would finally give us the .Mac we’d always wanted. If all Mobile Me had been was a working version of .Mac without any new functionality it would have been great! However, since its launch Mobile Me has just been one disappointment after another. Things started badly when it took them days to get the system even remotely stable, got worse when they permanently lost thousands of people’s email, and didn’t improve at all when we found out Apple had lied to us about push.


Categories: Articles & Thoughts

The Apple DNS Saga Continues

Posted on Saturday, August 2, 2008 by | 1 comment

Yesterday Apple released security update 2008-005, which was supposed to fix the DNS flaw I recently complained about Apple not having fixed yet. Well, it appears that Apple only half-fixed the problem. Yes, they have fixed the BIND DNS server in OS X, but in reality that only protects Xserves running a DNS server. Sure, regular OS X ships with the BIND DNS server installed, but it’s not on by default, and almost no one turns it on. What we all use all the time is the stub resolver that’s part of OS X, and that’s what Apple didn’t fix. This means that regular Mac users are still not protected from this DNS flaw while just about everyone else is.



One of the things I really love about OS X is its Unix underpinnings. Under the hood we get all the *nix tools and utilities I’ve come to know and love. Printing with CUPS, remote shell with OpenSSH, Windows sharing with SAMBA, web publishing with Apache, and so on and so forth. This gives OS X great power, but it also places a great responsibility on Apple. Just like with any other software, vulnerabilities surface in open source programs. In general the open source community is very responsive to security issues, and patches are released quickly. Those patches protect those who update, but they leave those who don’t even more vulnerable. The reason for this is that the patches can generally be reverse engineered, making it easy for the bad guys to attack unpatched machines. In order to keep OS X secure Apple need to push out patches for the open source components in OS X to users as quickly as possible. This is where Apple fall down: they are notoriously slow at getting patches out.


Categories: Articles & Thoughts, News

Time’s Up – DNS Flaw Leaked

Posted on Tuesday, July 22, 2008 by | Add a comment

A few weeks back I posted about how there was a major flaw in DNS and how the details were being kept secret to give everyone time to patch. I did say that it would be a matter of when this got out, and not if. When turns out to be today. Details of the flaw were accidentally published on a blog and then unpublished, but once information gets out onto the net it’s out. There’s no way to put that genie into the bottle. I was able to find the details of the flaw, so if I can, the bad guys certainly can!

If you haven’t done so already, go to www.doxpara.com and click the button to check your DNS server:

DNS Server Test

Should the test fail, you need to do two things. Firstly, you need to switch your DNS service to a safe service such as the free OpenDNS. Once that’s done you’re safe; however, a few poor ISPs block DNS to all servers but their own, so if you’re very unfortunate you will be unable to protect yourself. Secondly, you need to contact your ISP to complain. It is not acceptable that they are being slow about something as big as this. If they don’t give you a good response, consider switching ISP. If they are not competent enough to keep their servers patched, do you trust them?

Categories: News

This week it was announced that one of the core protocols that holds the internet together is fundamentally flawed. The problem is not with someone’s implementation of the protocol, but with the actual protocol itself. It’s hard to overstate just how big a deal this is. At the moment the details of the vulnerability are being kept secret to give the world time to patch, but you can get some technical information from the advisory issued by US-CERT. On Tuesday all the major DNS server vendors released patches at the same time. This is unheard of; nothing like this has ever happened before in the history of the internet. That alone should bring home just how big this is.

Although the good guys have successfully kept the details of the flaw secret to date, despite the large numbers of organisations involved, the reality is that the bad guys are frantically trying to figure this out as I type. It’s not a matter of if they’ll figure it out, but when. The security community have bought us time. That time should not be squandered, but used to protect the internet as a whole, and to protect ourselves.


Categories: News

Although it is true that some Trojans use vulnerabilities like the current ARDAgent vulnerability to gain root access, they do not need to. The core message about Trojans is getting lost amidst all the talk about plugging this vulnerability. Even if there was not a single vulnerability in OS X we would be at the mercy of Trojans. That’s the whole point of Trojans. Any program you run can do anything you can do. Let’s think about that for a moment: what can you do on your system without needing a password? Here’s a short list for starters:

  • You can run programs.
  • You can read, edit, and delete files.
  • You can use the network.
  • You can set programs to auto-start each time you log in.

Remember, a Trojan is just an ordinary program that pretends to do something you want, but actually does something else. It could delete all your files. It could run a key logger and phone home with your credit card number, user names and passwords, bank details etc. It could use your machine to send spam. It can set itself to automatically run each time you log in and continue with its nefarious actions. It can do all this WITHOUT the need to exploit a single vulnerability in your OS or your software. If you can do it, a Trojan can. Think about that for a second; it’s not a comforting thought!


Categories: Articles & Thoughts

The next update to OS X Leopard hit Software Update today, as well as a security update for OS X Tiger. As well as a few bug fixes and some under the hood stuff, 10.5.4 also contains all the same security fixes which were released separately for Tiger. You can get the full list from Apple here. The executive summary boils down to the usual array of potential crashes and arbitrary code execution. However, two bugs stand out as being particularly nasty: one in SAMBA (Windows File Sharing), which leaves your computer open to exploitation over the network if you’re sharing out folders over SAMBA, and one in Safari, which leaves you vulnerable to being exploited by simply visiting a web page. Notably absent from this list of fixes is the issue with ARDAgent, which is currently being exploited by an OS X Trojan (more in my previous post).

Bottom line, even if you don’t use Safari or Windows file sharing you should update soon, but if you do you should probably update ASAP.

Categories: News