Apple’s “solution” of disabling Java on versions prior to Snow Leopard isn’t realistic for users that still intend to keep their Mac on the Internet, since web-based Java is still popular, especially for proprietary corporate applications. If you are on a Leopard (10.5) or older system, Apple’s solution means that you could try to enable Java only while you are using websites that require it and then immediately turn it off afterward (a common example of usage is for remote control programs such as GotoMyPC and Logmein). To be fully secure though, the better solution is to upgrade your OS. However, upgrading your Mac’s OS could introduce incompatibilities with existing software that will require further costs to upgrade. Plus, if a user hasn’t upgraded to Snow Leopard — an admittedly old OS — yet, they may have a good reason for doing so.

Apple updates its operating system at a much faster pace than Microsoft. Leopard was superseded by Snow Leopard in August 2009 and Windows XP was superseded by Vista in November 2006, yet Microsoft is still providing critical security updates for XP until April 2014. Microsoft is providing more security updates for more versions of their operating system while Apple is starting to abandon users after less than three years.

To be fair, a majority of Mac users have already moved to either Snow Leopard or Lion, according to estimates from Net Market Share so most Mac users will be protected from this security flaw after installing Apple’s latest updates. Windows XP, meanwhile, is still on a majority of PCs according to that same study, even though its successor, Windows 7, was released in July 2009. Microsoft is doing this right by continuing to provide security updates for its older operating systems, which sort of makes sense given Microsoft’s constant battle with malware over the years. But Apple isn’t.

With Apple’s accelerated OS release cycle, leaving Leopard’s Java security unsupported after less than three years is unfair to users and a potential class action lawsuit waiting to happen since Apple’s extended warranty (AppleCare) is designed to support the Mac for three years. That MacBook you bought in May 2009 has a problem that Apple knows about, and Apple’s solution is to simply disable portions of the OS provided by Apple for your computer.

At the very least, Apple should be required to either patch a security flaw in any computer still under AppleCare or provide a free update to a currently supported version like they are doing for MobileMe users. Two years is simply too short of an upgrade cycle to expect users to keep up with in order to maintain the security of their systems.

If Apple continues this “current and previous version” approach towards security, Snow Leopard users are going to miss out on security updates when Mountain Lion 10.8 comes out this summer, only two years after they upgraded to Snow Leopard. Apple needs to step up to the plate and provide security updates for at least three years — otherwise Mac users could be more secure wiping an older Mac OS on that Intel-based Mac and installing Windows XP instead! At least then they’ll have until April 2014 before their computer turns into an unsecured ticking time bomb.

Related research and analysis from GigaOM Pro:
Subscriber content. Sign up for a free trial.

• New challenges for the IT organization
• The new IT manager, part 1
• Opportunities and challenges for mobile deals

The OSX.MacDefender.A definition has been added to the OS X File Quarantine database, which means if a user downloads the malware, it will automatically pop up a dialog warning the user that the file will damage your computer, and provide an option to delete the file. The update also allows Apple to automatically update the known malware definitions list through daily updates. Users can opt out of this feature in Security Preferences, shown below.

The security update also automatically searches for and removes Mac Defender and its known variants upon install. If it detects the malware in your system, it will notify you once the update is installed.

It’s great to see Apple getting out ahead of this malware threat before it really gets out of hand, but as always, the first step to protecting your computer starts with you. Don’t ever install something when you’re not sure that it comes from trustworthy origins, and remember that if a website is telling you you’re infected without you having asked to begin with, it’s a safe bet that it’s not a genuine report.

Related research and analysis from GigaOM Pro:
Subscriber content. Sign up for a free trial.

• The Case for Increased M&A in 2011: Actions and Outlooks
• The Structure 50: The Top 50 Cloud Innovators
• California’s New Energy Data Privacy Rules: Some Answers, Many Questions

Before the release of the support note yesterday, it was reported by ZDNet’s Ed Bott that Apple support staff on the phone were indicating that they couldn’t provide instructions for dealing with specific instances of malware. The fix is not overly complicated, but explaining it individually over the phone to every affected customer would tie up a lot of customer service agents, and it could set a dangerous precedent for the future treatment of such situations.

The article promises that “Apple will deliver a Mac OS X software update that will automatically find and remove Mac Defender malware and its known variants,” and that the update will arrive “in the coming days.” Users will also receive an explicit warning notification if they happen to download this malware once the update is installed.

The step-by-step instructions for removing the Mac Defender malware involve using Activity Monitor to kill all running instances of the program and its equivalents (MacProtector, MacSecurity), then dragging the applications to the Trash, and finally, emptying the Trash. Apple also provides instructions for removing the malware’s login item, though the login item is no longer a threat once the application is removed from your system.

Glad to see Apple responding to the valid security concerns of its users. Let’s hope this isn’t the just beginning of the Mac’s serious malware woes.

Related research and analysis from GigaOM Pro:
Subscriber content. Sign up for a free trial.

• The Structure 50: The Top 50 Cloud Innovators
• Connected Consumer Q1: The Over-the-Top vs. Pay TV Battle Heats Up
• Smart Grid Apps: Six Trends That Will Shape Grid Evolution

A partial screen from Mac Defender: Not something you want to see on your Mac.

Although there has been scattered mac malware in the past, most malware to date have been proofs of concept or have piggybacked on illegal downloads. New malware program Mac Defender is a brilliant piece of social engineering that plays on fear of viruses and convinces the owner to pay money for removal of non-existent problems. Although Microsoft and PC manufacturers will help owners with malware problems (sometimes for an additional charge), AppleCare techs and Geniuses are currently refusing to assist or even acknowledge the problem according to reports. There’s actually a very logical justification for this.

It’s not about denying that Mac malware exists altogether. Apple has never actually denied that Macs get malware, but it hasn’t ever really sounded the alarm bell, either. Apple did include a copy of the anti-virus app Virex with .Mac subscriptions up until June of 2005, however. Apple in the past has also suggested anti-malware software, but now touts the Mac’s immunity to PC-based malware thanks to Snow Leopard’s robust security, stating only that “antivirus software may offer additional protection.” They do include some protection each time an OS update comes out, by patching any exploits previous malware took advantage of.

Mac Defender’s (a.k.a. MacProtector, but not to be confused with MacKeeper, which is a legitimate program) attack vector is unique on the Mac platform. While Windows users are familiar with fake programs that claim your computer is infected and then offer to remove said infection, Mac Defender’s reach will grow exponentially because Mac users aren’t as used to that strategy. While Apple can build in protection against this in the next software update, the success of MacDefender will serve as an example for the next slew of threats on the Mac.

Yes, the technically savvy are unlikely to fall for such threats. However, a large number of Mac users aren’t always technically savvy enough to read blogs and support forums. These are the customers more likely to call AppleCare and Apple Geniuses when they have technical problems rather than solve it themselves. Since Mac Defender is extremely easy to remove, reps are spending more time explaining why they can’t help users with malware rather than just explaining how to remove it.

Apple’s blind eye in this case is less about resource allocation in the short-term, and more about promoting the App Store as a safe software distribution channel so as to avoid a compounding of the time cost problem in the future. There’s some evidence that in a few cases, the Mac App Store can actually make Macs more vulnerable to attack, but so far that only applies with Opera, which is a web browser, and therefore susceptible to unique vectors of attack.

If consumers fear the threat of rogue software infecting their Macs, they can either buy the line of anti-virus makers and install protection that they then have to manage and invest in themselves, or they can take refuge behind the protective walls of Apple’s Mac App Store. Independent developers who’d rather deal directly with customers than go through Apple’s marketplace may not like the idea, but customers who to take Mac security for granted will increasingly use the App Store to avoid headaches like those provided by Mac Defender.

Related research and analysis from GigaOM Pro:
Subscriber content. Sign up for a free trial.

• The Structure 50: The Top 50 Cloud Innovators
• California’s New Energy Data Privacy Rules: Some Answers, Many Questions
• Players and Strategies for Real-Time In-Stream Advertising

The iPad has been a pretty big success so far, especially for a category-busting product. But investors and Apple users aren’t the only ones to have taken note of the product’s success. The iPad is now being used as scam bait to sucker in people who might not be that familiar with the warning signs of internet scams, which, not coincidentally, is just who the iPad seems directed at as a device.

So far, the scam only works on Windows PCs, but even if you’re a Mac-using iPad owner, make sure any friends and relatives using the other platform are aware of the ruse. Basically, you get an email telling you that iTunes needs to be updated in order to update your iPad device, and provides a link to the software in question.

Of course, instead of taking you to some kind of iTunes download, the link instead opens up a direct line to their sensitive information, if accessed via a PC. Specifically, the malware in question is Backdoor.Bifrose.AADY, which uses Internet Explorer to open a back door on your system and look around for software serial numbers and login data, including usernames and passwords for various sites.

People on Macs or other Apple platforms, like the iPad and iPhone, won’t be affected at all by following the link, but obviously it’s never a good idea to open suspicious links in emails in case that changes in future versions of the scam.

At least for now, the iPad itself hasn’t been a target for hackers and/or malicious code. Apple’s securely locked down content distribution system in the form of the App Store really helps things there, but it’s only a matter of time before it becomes a target in a big way, and this attack is the first sign of why that’s a dangerous prospect. You’ve no doubt seen the articles about people picking up the iPad as their first ever computer. That category of user is the ideal candidate for malicious software, since they’ve yet to experience the nasty side of the Internet and don’t have any built-in defenses against these types of scams.

The iPad is raising Apple’s profile, and that means trouble for those uneducated about Internet security risks. It could also mean problems for all Mac users in the long run, as the iPad draws more people to OS X in the same way the iPod and iPhone did before it. But for now, it’s still the most secure platform around, so enjoy it while it lasts.

It looks like we’re getting close to the official release of 10.6.3, the latest update to Mac OS X Snow Leopard — and, from what we’re hearing on the developer grapevine, it might prove to be the most extensive Snow Leopard update yet.

TUAW reported on Friday that the latest build of 10.6.3 (known as 10D572, for those of you paying obsessively-close attention) was seeded to developers only two days after a previous build. Typically, ever-shortening intervals between build seeds indicates imminent release to the public. TUAW describes the latest build as focusing on “Graphics Drivers, Quicktime, Images & Photos, Mail, and Security Certificates.”

Oh, what’s that? Want more details? OK, here’s the full rundown of features and fixes we can expect in 10.6.3;

• Compatibility issues with OpenGL-based applications
• Performance improvements for 64-bit Logic
• Changes to QuickTime X that increase reliability and improve compatibility and security
• Printing reliability and compatibility with third-party printers
• Issues resolved that prevented files from copying to Windows shares
• Issues resolved with recurring events in iCal when connected to an Exchange server
• Issues resolved that prevented files with the “#” or “&” symbols in their names from opening in Rosetta
• Issues addressed that caused background message colors to display incorrectly in Mail when scrolling
• Issue resolved that caused machines using BTMM and the Bonjour Sleep Proxy to wake unexpectedly

OK, as far as lists go, this one’s not not very exciting, I know. But, what if you fired-up Software Update and were offered the latest pre-release version of 10.6.3? Would that excite you?

Update Snafu

According to TUAW’s Michael Grothaus, this is exactly what happened to one Mac owner last week. They don’t name him, probably to save him the email-avalanche from other Mac owners — not to mention the inevitable Cease & Desist order from Apple (you just know Apple would bully the poor chap into silence, right?) but they do offer up this tantalizing screengrab of the autoupdate snafu:

Image courtesy of TUAW

Grothaus writes that the update “…weighs in at a whopping 1.19GB” and, at that size, I’m happy to wait until Apple has finished tweaking (and trimming) the code!

Security

But the thing I’m most interested in is whether 10.6.3 addresses the alleged boat-load of security exploits identified by hacker extraordinaire and security expert Charlie Miller. At this week’s CanSecWest security conference, Miller will discuss how he discovered them (all 20 of them) via a process known as ‘fuzzing’. His presentation is subtitled “An analysis of fuzzing 4 products with 5 lines of Python” and, according to security website h-online.com, those 4 products are all made by Apple;

In cracking competitions, it is regularly the Apple systems which are cracked first by attackers. Miller has argued for some time that Mac OS X is among the comparatively insecure operating systems. Apple users are currently “safer, but less secure.

“Mac OS X is like living in a farmhouse in the country with no locks, and Windows is living in a house with bars on the windows in the bad part of town.”

Miller said that the 20 exploits are all contained in closed-source Apple products, but pointed out that exploits could be found throughout Mac OS X due to bugs in many popular applications from different vendors;

OS X has a large attack surface consisting of open source components (i.e. webkit, libz, etc), closed source 3rd party components (Flash), and closed source Apple components (Preview, mdnsresponder, etc). Bugs in any of these types of components can lead to remote compromise.

Sooner, Not Later

It seems not a keynote goes by without Steve Jobs showing us one of his shareholder-and-media-friendly line charts illustrating Macintosh sales. You know the ones, always trending up-and-to-the-right. Apple is clearly proud the Mac is selling better than ever (in a conference call in late 2009, Apple announced that, for 19 out of the previous 20 quarters, the Mac grew faster than the rest of the market!)

Statements from Apple regarding sales are always kinda tricky; they’re usually vague enough to allow pretty much any positive interpretation but, for the most part, we can at least agree that the Mac has been enjoying fantastic growth. The old days of ‘security by obscurity’ are drawing to a close. Sooner, not later, Mac-specific malware will come. (You know, the real malware of Windows-exploit proportions!)

Miller says that “… in their minds, [Mac owners] don’t have a security problem until it affects their bottom line, which hasn’t been the case, yet.” And that ‘yet’ is the real issue here. Mac OS X 10.6.3 probably addresses some vulnerabilities — we can expect at least that much — but I wonder how obsessively Apple focuses on the security of its venerable OS, and, whatever its actual efforts, is it enough? Can Apple do what Microsoft still struggles to produce; a user-friendly, user-proof OS that isn’t riddled with vulnerabilities?

Every update to Mac OS X reminds me that the days of security-indifference amongst Mac owners are well and truly numbered.

Tell me I’m worried for no good reason, or scream at me and call me a moron for not already using security software, in the comments below.

Hopefully many heeded that warning, since now a new virus has surfaced that uses the same M.O. as ikee, but that has a much more malicious intent and effect. Specifically, the new malware mines personal data from your device, using the very same exploit ikee revealed earlier in the week.

The new worm, dubbed “iPhone/Privacy.A” by digital security firm Intego, affects only jailbroken iPhones, and grabs things from your device like address book contacts, text messages, photos, music, video, calendar entries and email messages. Basically, almost anywhere it can look for sensitive data, it will. The virus doesn’t seem to be able to access information stored by other applications on your iPhone, like password managers, but if you’re affected, the only safe course of action is a full wipe and restore.

Theoretically, according to iPhone security researcher Charlie Miller speaking to Computerworld, attacks based on the same exploit could do more than just mine data. Running up your phone bill, sending out bulk text messages and spamming your contacts are all well within the realm of possibility. Miller goes on to describe how easy it would be for a hacker to infect a device:

This could easily be installed on a computer on display in a retail store, which could then scan all iPhones that pass within the reach of its network. Or a hacker could sit in an Internet café and let his computer scan all iPhones that come within the range of the Wi-Fi network in search of data.

In order to secure your device against this kind of attack, there are a few options. First, change the default SSH password if you haven’t already. So far, that appears to be the easiest way to foil attempts to infiltrate your jailbroken device. The best way to prevent this and any kind of future attack along the same lines, however, is to not jailbreak your device in the first place, or to restore it to factory settings if you’ve already jailbroken. Of course, for many who use their devices with carriers who don’t officially offer the iPhone, that isn’t an option.

Miller suggested that Apple may want to consider re-engineering its security measures to account for jailbroken devices, but as that would mean tacitly acknowledging and even accepting a practice it stridently disapproves of, I think the best bet for jailbreakers is just to shut down all SSH access, if possible.

Related research and analysis from GigaOM Pro:
Subscriber content. Sign up for a free trial.

• Mobile Q4: All Eyes Were on Android, 4G and the Rising Tablet Tide
• Report: A Mobile Video Market Overview
• In Q3, the Tablet and 4G Were the Big Stories

ZDNet.com reports that a group called the “Partnerka,” which consists of Russian spam and malware affiliates, have begun to focus on the Mac. Their tactics involve using social engineering tricks (read: preying on human weakness) to install fake codecs and scareware programs (the kind that pressure you into installing and paying for bogus single purpose anti-malware software).

The plans and methods of the “Partnerka” were revealed at the Virus Bulletin Conference 2009, where Sophos Labs researcher Dmitry Samosseikko talked about a site called Mac-codec.com which has since been taken down, that offered a bounty of 43 cents for each successful installation of malicious software on a Mac computer. According to Samosseikko, that’s a high price, and indicates that the Mac malware game is becoming more attractive to online crime organizations.

Even though the site is gone, the threat is not. These malware schemes work because they offer something many Mac users might be looking for. Partnerka’s Mac-codec.com was offering video players and fake video codecs that attempt to draw in people trying to playback video they’ve downloaded somewhere on the web. Previous DNS-changing trojan malware attempts depended on porn video lures.

Focus on the Mac platform might be growing for online criminals, but most malware plots still require you to make the first move. To help protect yourself from fake and harmful codecs, use Perian and VLC, and if your video still won’t play back, just give up altogether. No video content is worth the theft of your private data, after all.

Related research and analysis from GigaOM Pro:
Subscriber content. Sign up for a free trial.

• Why iPad 2 Will Lead Consumers Into the Post-PC Era
• The Near-Term Evolution of Social Commerce
• What Google’s Honeycomb Means for Apple and Microsoft

Not that any TheAppleBlog readers would ever try to acquire software in a less-than-legal manner, but just in case you know someone who would, tell them to watch out for web sites claiming to bear Snow Leopard gifts.

Like the Adobe Photoshop CS4 and iWork ’09 before it, Snow Leopard now has a super-special malware edition floating around the web. It’s a classic software honeypot scheme: You find a site advertising a free Snow Leopard upgrade, download a disk image file (.DMG), and it unleashes its trojan payload.

Trend Micro is advising folks to avoid any and all sites advertising free Snow Leopard upgrades, since what you actually get is a new variant of the DNS charger trojan known as OSX_JAHLAV.K. The Apple-specific malware, once it makes itself at home on your computer, will redirect your Internet browser to phishing sites and malware-infected web sites. OSX_JAHLAV.K has a particularly nasty trick up its sleeve — it sends you to a site that advertises fake antivirus software that will notify you that you have an infection until you pay to register and have it removed.

Trend Micro’s advice is to pick up its Smart Surfing for Mac malicious URL-blocking software, which will cost you $50 a year in subscription fees. My advice is to think long and hard about how much you’re willing to pay down the road just to avoid spending $29 upfront for the 10.6 upgrade.

No doubt this will give antivirus companies cause to raise the red flags once more, and spout on about how the end is nigh for the days of OS X being the secure choice, but as before, smart browsing and downloading policies are still your best bet for a happy, safe Mac.

Photo courtesy of Flickr user Darcy McCarty.

Related research and analysis from GigaOM Pro:
Subscriber content. Sign up for a free trial.

• Why iPad 2 Will Lead Consumers Into the Post-PC Era
• The Near-Term Evolution of Social Commerce
• Content Farms: The Players, The Benefits, The Risks

The Knowledgebase Article makes it sound as potentially bad as it is.

Impact: Receiving a maliciously crafted SMS message may lead to an unexpected service interruption or arbitrary code execution

Description: A memory corruption issue exists in the decoding of SMS messages. Receiving a maliciously crafted SMS message may lead to an unexpected service interruption or arbitrary code execution. This update addresses the issue through improved error handling. Credit to Charlie Miller of Independent Security Evaluators, and Collin Mulliner of Fraunhofer SIT for reporting this issue.

All iPhones were vulnerable to attack, regardless of OS version. The only defense from having your personality rewritten or being possessed by a ghost was to shut the phone off, which was hardly practicable. While it’s always nice to see Apple give credit to the those who discover an exploit, it’s unfortunate it took the researchers going public to get the company to move on this issue.

Related research and analysis from GigaOM Pro:
Subscriber content. Sign up for a free trial.

• Mobile Q4: All Eyes Were on Android, 4G and the Rising Tablet Tide
• Report: A Mobile Video Market Overview
• In Q3, the Tablet and 4G Were the Big Stories