February wasn’t a good month for Apple Computer, as lots of people wondered whether the company’s once-impregnable operating system was vulnerable. But cries of doom in the popular press are premature. In reality, two of the three security issues concerning Apple’s OS X operating system that arose last month triggered very low-level security alerts. In fact, they would probably not have garnered attention had they not come on top of each other – and had there not also been the discovery of a security hole in Apple’s Web browser, Safari – a hole that is a potentially serious problem.
The first security issue, called Inqtana, was a “proof of concept”: that is, it did not exist outside the world of programmers checking for potential problems in software. It was first reported by numerous people to the IT security firm Secunia, which classified it as a worm. (A worm is a self-replicating virus that enters a computer or network and can cause disruptions.)
Inqtana exploited a problem with the Bluetooth wireless communications protocol in order to send copies of itself to other computers. It was designed simply to illustrate this weakness, and didn’t do anything else. In fact, it was never reported outside of testing conditions, and was even coded with an “internal counter” that rendered it dead after February 24.
Still, it inspired swift action. Apple quickly released a system patch that proofed Mac OS X 10.4.5 against it. Ironically, some other proposed solutions were more problematic than the worm itself. For instance, the U.K.-based company Sophos Plc issued an Inqtana update to its anti-virus software, which recommended that users delete certain files and applications – many of which were critical (and uninfected). According to the company, the flawed version of its product was available for less than two hours before it was patched.
The other “non-issue” was called Leap by security companies, and originally dubbed Oompa-Loompa (later amended to Oomp-A). That exploit shares characteristics of both a worm and Trojan horse – a seemingly innocuous program or file that, after getting itself installed, can compromise a user’s online privacy.
Oomp-A masqueraded as a desirable image, running a program called a shell script, which directly interfaces with the operating system. It tried to copy and send itself through iChat, Mac OS X’s instant-messaging application, to other computers on a local wireless network. Security companies deemed Oomp-A a low risk, with little chance of doing damage. When several Apple experts dissected it, they found Oomp-A to be not only fairly harmless, but also poorly written. As Apple expert Andrew Welch says, “You cannot simply ‘catch’ the virus [Oomp-A]…you cannot be infected unless you unarchive [decompress] the file, and then open it.”
But, as Melissa, ILOVEYOU, and other widespread infections on millions of Windows machines have proven, people often tend to click before they look. This preying on impatience and trust is key to the one Mac security issue that does point to a real danger. Reported by the German news web site Heise Online, and originally discovered by a German graduate student, Michael Lehn, this security hole, labeled “Mac OS X File Association Meta Data Shell Script Execution,” has been deemed “extremely critical” by security firm Secunia.
Basically, it relies on the way Apple’s web browser, Safari, handles downloaded files. By default, Safari automatically opens “safe” files without asking for user confirmation. Lehn discovered that, although Safari usually requires confirmation before it opens an application or shell script, it won’t recognize a script that doesn’t have certain code in it. Eric Bangeman, who covers Apple issues for the web site Ars Technica, says that this hole could allow someone to create a disguised script that could wreak havoc on an Apple machine, deleting a directory or worse.
Yet the hole actually doesn’t offer a malicious hacker much else. Bangeman notes that most criminal hackers want financial gain. As a result, many Trojan horses or worms either turn users’ machines into “zombies” for sending spam e-mail, or install keyloggers, programs that record every keystroke made on a computer and steal that information.
Mac OS X makes these options highly unlikely, if not impossible, Bangeman says. In the case of keyloggers and other malicious applications, Mac OS X warns users when an application is starting up for the first time. Again, many users might just click through this warning, but at least it’s there. And Apple designed Mac OS X so that it is difficult to run as the root user (that is, with full access to operating system settings), which would be required to turn a Mac into a zombie.
Still, it’s a good idea for Mac OS X users to take some defensive action. Even though no attacks using this Safari hole have been spotted, it’s no secret that the hole exists. Fortunately, the best solution is the easiest. Users can go to Safari’s preferences and turn off the “safe files” option. Or they can use Firefox, Camino, Opera, or another alternative Web browser that doesn’t have an auto-open feature. For further security, one can run the ClamAV anti-virus application or Unsanity LLC’s Paranoid Android 1.3 – both are free.
Of course, the best solution would be for Apple to close the hole in Safari – a task that Bangeman says should be easy to do.
(Apple declined several requests for comment on this story.)