This article originally appeared in TidBITS on 2010-06-07 at 11:04 a.m.
The permanent URL for this article is: http://tidbits.com/article/11324
Include images: Off

Security News: Flash Attacked, iPhone Exposed, Spyware Discovered

by Rich Mogull

It's been a rough few weeks for the security of Apple users due to the appearance of a serious zero-day vulnerability in Adobe Flash, Reader, and Acrobat; a major data access vulnerability on iPhones; and a nasty piece of spyware. Let's look at each of these in turn, with a focus on what you can do to protect yourself.


Problem: Major Unpatched Adobe Vulnerability -- On 4 June 2010, Adobe warned of a new, unpatched vulnerability [1] in Flash and Reader that is being actively exploited. Current and older versions of Flash and Reader (including components installed with Acrobat 9) are vulnerable on multiple operating systems, including Windows and Mac OS X.

What you need to know. This is an extremely serious vulnerability that could allow an attacker to take control of your system. It is being actively exploited in the wild by attackers and there is no patch.

What we don't know is if Macs are being targeted. Nearly all of the information about this issue focuses on Windows. Still, since we know Macs are vulnerable, until more information appears it is only prudent to assume we Mac users are equally exploitable.

How to protect yourself. According to Adobe, the Flash 10.1 Release Candidate is not vulnerable [2] and thus all Mac users should immediately install this pre-release software. (In the advisory linked to above, Adobe also includes a workaround for Windows systems).

If you have installed Adobe Reader or Acrobat you should open your PDF files using Apple Preview instead. If you still need to use Reader or Acrobat, be very careful which files you open and stick to trusted sources to the best of your ability. We don't know for certain if this will protect you, but it is highly likely that you need to open a malicious file to be exploited.

We previously covered Adobe's security problems with Acrobat and Reader in "Protect Yourself from Adobe Acrobat and Reader Vulnerabilities [3]" (16 October 2009). The difference in this situation is that there is no patch, and the vulnerability is being actively exploited (at least on Windows).


Problem: iPhone and iPad Data Exposed -- Security blogger Bernd Marienfeldt [4] has determined that if you connect any version of the iPhone to an Ubuntu computer when the phone is turned off, certain data is exposed. (Ubuntu is a Linux-based operating system.) Additional research at Heise Security [5] discovered techniques to expose even more data.

What you need to know. This vulnerability appears related to the techniques I described in "iPhone 3GS Hardware Encryption Easy to Circumvent [6]," 07 August 2009. (In the course of researching that article, I discovered what appears to be another related vulnerability that I've reported to Apple and thus can't discuss until it's patched.)

Bernd discovered that if you connect an unpowered iPhone, even an encrypted iPhone 3GS with a PIN lock, to an Ubuntu system, all of the iTunes data and some third-party app data is exposed. Heise then determined they were able to access even more information by connecting an iPhone to a Windows computer as the iPhone is booting. Heise states they gained "full system access," including SMS messages, plain text passwords, and the capability to make a complete iTunes backup. Additional testing showed that iPads are also vulnerable.

This reveals two issues. First, that an iPhone with a PIN lock can connect to an untrusted system. Second, that the encryption and PIN lock can be circumvented to expose data, at least partially, under the right conditions. In other words, the hardware encryption on the iPhone 3GS is worthless at protecting data against even a moderately informed attacker.

How to protect yourself. With what we know now, it is clear that if you lose physical control of your iPhone, you cannot assume that your data is protected. Realistically, most lost or stolen iPhones won't be subject to an attack or forensic analysis and will be sold or taken by someone who wants a free phone. That said, enterprise users, celebrities, and other high profile targets are at greater risk of data exposure.

To minimize your risk, use a PIN code, lock your phone manually before shutting it down (not that I think I've ever turned my phone completely off), and set your phone to lock itself after a set time period in the General > Auto-Lock preferences. This particular vulnerability seems related to how your phone boots up when you turn it on, which means you aren't vulnerable unless you shut your phone down before locking it.

If you do lose your iPhone or iPad, and you are a MobileMe subscriber or have your phone connected to a Microsoft Exchange server, you can trigger a remote wipe and delete stored data. This works only if the device is connected to the Internet. MobileMe subscribers can trigger remote wipe in the Find My iPhone section of the service, while Exchange users need to contact their Exchange administrators.

The good news is iPhone OS 4.0 may reduce the severity of this vulnerability. Apple announced that users will have the option of better encrypting their email data using the PIN code as the key, and software vendors can integrate more advanced encryption into their apps.


Problem: New Spyware -- On 1 June 2010, Intego, a Mac security software vendor, released details on a new form of Mac spyware [7] found in downloadable screensavers hosted on normally trusted sites like MacUpdate, VersionTracker, and Softpedia.

What you need to know. The malware, called OSX/OpinionSpy, is the Mac version of a spyware program that first appeared on Windows systems in 2008. Interestingly, OpinionSpy isn't included in the actual downloads, but is downloaded during the installation process for the host software. As a result, there is a good chance that antivirus software wouldn't find it by scanning either the application or screensaver installer.

In some cases, the software will warn you at installation that it includes a "market research" program. You will, however, always be prompted to enter your administrative credentials. As with any software, entering your admin password allows the program to do whatever it wants on your Mac.

There is no evidence that OpinionSpy takes advantage of any Mac OS X vulnerabilities. It relies on tricking the user to install it.

Once installed, OpinionSpy scans your system, monitors your activity, and sends the information to its control servers. The traffic is encrypted, so it is uncertain exactly what is shared. It will also occasionally ask you to fill out forms and surveys.

OpinionSpy is spyware - software that spies on your activities and sends the information to the company that runs it. Not all spyware is necessarily malicious, but since OpinionSpy sometimes hides itself during the installation process, injects itself into other programs like Safari and iChat, doesn't disclose what it sends to its control servers, and tries to stay running even after you turn it off, it is reasonable to consider it malicious.

OpinionSpy is not a virus, and doesn't attempt to replicate itself.

How to protect yourself. As always, common sense and a little skepticism are your first layers of defense. Be wary of any application that asks you to participate in market research. Also be careful of any program that requires administrative credentials to install - especially something as simple as a screensaver. While many legitimate programs do need administrative access, it's worth taking a few minutes to research any previously unknown application from a company with which you're not familiar before entering your password.

Throwaway programs like screensavers and casual games are common sources for spyware, back doors, and other kinds of malware. It isn't unusual for these programs to make it onto trusted download sites since the site operators don't have time to perform robust testing before posting them. I always recommend caution before installing software from an unknown or untrusted developer. That's especially true since antivirus software (if you use it, which I don't generally recommend; see "Should Mac Users Run Antivirus Software? [8]," 18 March 2008) won't always pick up these applications since they don't spread via the usual vectors.

I personally also use Objective Development's $29.95 Little Snitch [9], an outbound firewall that asks for your permission before allowing any program to make a connection out to the Internet. I deny programs I don't recognize (and then research what they are), along with any programs I'm otherwise suspicious of.

If you spend a lot of time downloading software like widgets, screensavers, and small games from lesser-known developers, you might consider antivirus software in addition to Little Snitch. I don't recommend this for most Mac users, but heavy downloaders, gamblers, and those looking at adult content should consider investing in extra protection.

[1]: http://www.adobe.com/support/security/advisories/apsa10-01.html
[2]: http://labs.adobe.com/technologies/flashplayer10/
[3]: http://db.tidbits.com/article/10652
[4]: http://marienfeldt.wordpress.com/category/apple-iphone/
[5]: http://www.h-online.com/security/news/item/iPhone-leak-is-getting-bigger-Update-1012575.html
[6]: http://db.tidbits.com/article/10468
[7]: http://www.intego.com/news/osx-opinionspy-spyware-installed-by-freely-distributed-mac-applications.asp
[8]: http://db.tidbits.com/article/9511
[9]: http://www.obdev.at/products/littlesnitch/