Previous 1 2 3 Next 86 Replies Latest reply: May 22, 2011 4:57 PM by R C-R
ds store Level 7 Level 7 (30,315 points)

Mac's users running any browser with JavaScript turned on by default are vulnerable to being tricked into clicking on a trick image and/or link.

 

That image may appear to be a standard OS X window with a close box or the typical OS X looking window asking a question with OK or Cancel. It can look like anything really, it's purpose is designed to get you to click anywhere on it and initiate a download to your computer.

 

Safari tries to be helpful and "Open Safe Files" by default, which is being used with numerous success to run code on one's machine, by bypassing the normal user action of 'open the downloads folder and then clicks on the download to run' process in exchange for convenience.

 

Most Mac's are used with one person, and the initial setup of a new Mac (or a new OS X install) is the first user is automatically a Administrator User. Running one's typical day to day use while in Admin User mode gives any code running on one's machine more privileges and access than it would receive if the user of the computer created another OS X account and ran most of their computer use as a General User.

 

The ultimate access for rogue code would be Root User, which on Mac's is turned off by default, however a temporary access window to Root User is allowed when a Admin User provides his or her Admin Password. Once rogue code gets Root user access, it's all over, OS X is completely compromised.

 

 

The key to security on a Mac, or any computer system actually, is a process called "Compartmentalized Security" where the more privileges code receives, the more it's subjected to time and scrutiny to determine it's legitimacy.

 

Web browsers are the forward troops facing a overwhelming enemy, the World Wide Web. Not one modern web browser is 100% safe, not Safari, not Firefox, not IE, not Chrome, not Opera. Neither are plug-ins or scripts that run within these browsers 100% safe.

 

So the key to maintaining security is to provide a high level of "Compartmentalized Security" steps which shifts the exploit potential further down the privilege level so it can't do much of anything or gain further access.

 

People can get carried away with downloading and installing software in a rapid fire manner, this provides a ripe opportunity for malware to get onto one's computer, even gaining root access right away.

 

 

So in order to provide better compartmentalized security, provide more time and steps before potentially installing rouge code. I suggest the following actions:

 


1: Run most of your day to day computer use as a General User with less privileges. This can be done by creating a new Admin User, logging out of the present user and into the new Admin User, then turning the first user into a General User.

 

Whenever certain actions are needed, like accessing the Application's folder (where programs can be changed by malware) a Admin Name and Password will be required. A small hassle, but it provides another step for it to get past.

 

 

2: Use Firefox web browser and the following Add-ons: NoScript, Ad Block Plus and Public Fox.

 

Under the Toolbar customization, drag the NoScript button to the toolbar. NoScript turns off all scripts and plug-ins by default, which if you trust the site your on, you click the button for turning them on and the page automatically reloads.

 

In Public Fox preferences, set a password on downloads, this way a popup window appears before any download occurs, keeping malware from sneaking into your downloads folder and potentially being clicked on.

 

With Ad Block Plus, subscribe to the Easy List which automatically appears in the browser window. This will auto-update to keep advertising, which has been used numerous times as a attack venue, from appearing.

 

Click&Clean, Ghostery, BetterPrivacy, FlagFox, WOT, HTTPS-Everywhere (from the Electronic Frontier Foundation) are also highly recommended add-ons.

 

 

3: In Safari preferences, turn off "Open Safe Files" install the Ad Block Plus add-on and the Click2Flash add-on. If any add-on appears in the future to simulate what NoScript and Public Fox does on Firefox, then enable those add-ons.

 

 

4: Check the staus of your browser plug-ins. These websites makes it easy, bookmark them in a obvious place so you remember to visit them routinely. As soon as a vulnerability appears, either update or turn off the affected plug-in in your browser until a patch is issued.

 

https://www.mozilla.com/en-US/plugincheck/

 

https://browsercheck.qualys.com/

 

 

5: If you enjoy surfing the backalleys of the Internet and you have at least a decent dual core Intel based Mac, I'd highly advise installing the free VirtualBox and loading a free ISO of Linux Mint DVD 32 bit 10.10 (most consistent and easy to use, everything included, Linux distro)

 

http://www.virtualbox.org/

 

http://www.linuxmint.com/download.php

 

The object is to load and install Linux Mint into the virtual machine like installing a operating system onto a regular computer. Once completed, then save a snapshot to revert to after your Firefox browsing session (in Linux) is completed. All and any potential malware, caches etc is flushed when you revert the entire guest OS back to the earlier state. Keep the Guest OS updated via the Software Update option and save a new snapshot.

 

 

6: Use common sense, if it don't look right, then stop and flush the OS X based browser from memory via the Apple > Force Quit menu.

 

7: Install the free ClamXav, it will remove the OS X malware it knows about, offering some after the fact defense and Windows malware from their files.

 

http://www.clamxav.com/

 

I don't advise a full time, always on and running anti-virus solution for Mac's due to Apple's tendancy to change the underlining OS themselves to thwart potential malware. So something like Norton which maintains tight control over OS X should be avoided.

 

Malware on Mac's are a scarce thing because of Apple's top down approach, but trojans are a potential attack venue and people need to insure more steps to avoid being tricked.


MacBook Pro, Mac OS X (10.6.7), XP, Vista, 7 many Linux distros
  • thomas_r. Level 7 Level 7 (30,185 points)
    Run most of your day to day computer use as a General User with less privileges.

     

    That causes problems for some apps, which won't run on anything but an admin account or on the account they were installed on.  And it's not a guarantee of security - a user who gets in the habit of authenticating to admin to install stuff from their Standard account is no safer than the user who gets in the habit of authenticating to install from their Admin account.  This is a good general suggestion, but may not work for everyone and provides practically no real security against "social engineering" by itself.

     

    2: Use Firefox web browser and the following Add-ons: NoScript, Ad Block Plus and Public Fox.

     

    Again, using things like these won't protect you by themselves.  How do you know if a site is trusted and should have JavaScript turned on?  And most folks are finding this malware via trusted sites that have had malicious JavaScripts "sneaked" into their code, through malicious ads or search engine optimization poisoning.  How can you know if your trusted site is affected?  And, given how much this malware has been jumping around over the last week, I seriously doubt Ad Block Plus can keep up.

     

    3: In Safari preferences, turn off "Open Safe Files" install the Ad Block Plus add-on and the Click2Flash add-on.

     

    Note that even folks with Safari's Open "safe" files after downloading option turned off have been affected by opening the installer manually.  And some have been alerted to the presence of malware by the automatic appearance of the installer.  I'd still agree, though, but would add that you should keep your Downloads folder cleaned out, so that any suspicious items that turn up will be easily recognized, and not mistaken for something you downloaded earlier.

     

    As to Click2Flash, I think nobody should be on the web without it!  I don't trust Flash as far as I could throw Adobe.

     

    I'd highly advise installing the free VirtualBox and loading a free ISO of Linux Mint DVD 32 bit 10.10

     

    That is not a realistic suggestion for the average person, who will have neither the desire nor the knowledge to run Linux.

     

    6: Use common sense, if it don't look right, then stop and flush the browser from the Apple > Force Quit menu.

     

    This should have been #1!  AV software has struggled to keep up with all the variants of MacDefender, malware sites move on sometimes an hour-by-hour basis and malicious code sneaks into trusted sites.  In all, no automated defense tool will protect you from a new threat...  only your "wetware" can do that!

  • WZZZ Level 6 Level 6 (12,685 points)

    True, NoScript won't help if you allow the site and the site, itself, has been hacked. But it will block malicious third party scripts that are not allowed. My way of using NS is first to see if a site works with JS completely disabled, i.e. the site "not allowed." A good number of sites will function this way. Then if it's not working properly, I will allow (temporarily) the site and see if that gets it going. If it still won't function properly -- and if I really need it to -- I will gradually allow other scripts. There is a feature of NS where one can can shift-click on a script before allowing it to get options for vetting. I can also Google that URL to see what comes up for it. (Same way I use Little Snitch.) It's easy to rule out the data tracking scripts whose names are usually a giveaway.

     

    I will allow the minimum to get a site going. Sure, this doesn't offer bullet proof protection, but it goes a long way. It's much better than using any other browser without it. (There are simple whitelist/blacklist JavaScript Add-ons available for Camino and Safari, but they hardly compare.) Like CTF and FlashBlock, It blocks Flash with a placeholder.

     

    In addition, even if one "allows all," NS is still offering protection against certain kinds of exploits.

     

    http://noscript.net/features

     

    I also have the WOT Add-on, which advises about the safety of sites by placing icons (green to red) on the URL in the URL bar and in Google searches. I don't absolutely trust it, but it's better than nothing. It also gives warning popups, in addition to the ones Firefox gives, if a site is really poisonous.

     

    Not sure that AdBlock Plus protects that much. I understood that all the stuff it blocks still loads, it's just kept off the screen. Not 100% sure of this, but when malicious hacks on third party advertising appeared for the NY Times a few years ago, I don't think ABP kept them from loading and users with ABP were still vulnerable.

     

    Another inconvenience for running Standard is that system.log is not accessible except by running the su command and then sudo for the Console executable. Anything sudo needs to run first with su for the admin account.

     

    I think ds store's recommendations are sound, but probably somewhat on the too complicated, or much too complicated, side for many users, NoScript included. But, even my wife who hated it at first, doesn't complain about NS too much anymore. I think she understands its value. But it does take a bit of getting used to.

  • etresoft Level 7 Level 7 (26,605 points)

    You don't need to do any that stuff. The latest Mac malware that is going around still needs to ask your permission to install itself. Just type "⌘ q" and you're done.

  • ds store Level 7 Level 7 (30,315 points)

    Thomas A Reed wrote:

     

    That causes problems for some apps, which won't run on anything but an admin account or on the account they were installed on.

     

    Then the programs need to be reinstalled for "All Users" which most do now by default or reinstalled for the new Admin account. Since the previously Admin is now a General User, it's not a issue. If the program needs Admin/Root access the user should be made aware of that fact and understand they just elevated privileges to a most dangerous level.

     

    Linux has a security key that displays in the menu bar that one has opened a "sudo window" which any code run during that time can have Root level access. Of course OS X has no such warning.

     

    And it's not a guarantee of security - a user who gets in the habit of authenticating to admin to install stuff from their Standard account is no safer than the user who gets in the habit of authenticating to install from their Admin account.  This is a good general suggestion, but may not work for everyone and provides practically no real security against "social engineering" by itself.

     

    The only guaranty of security is unplugging the power from the computer and tossing the machine into a pit of molten lead.

     

    The user is rarely installing/uninstalling or making such drastic changes to their machine that entering their Admin name/password is such a burden. Those rare folks who do reside in that realm or even for a short duration, log into the Admin User from the start and competent enough to know the difference anyway.

     

     

    Again, using things like these won't protect you by themselves.  How do you know if a site is trusted and should have JavaScript turned on?  And most folks are finding this malware via trusted sites that have had malicious JavaScripts "sneaked" into their code, through malicious ads or search engine optimization poisoning.  How can you know if your trusted site is affected?  And, given how much this malware has been jumping around over the last week, I seriously doubt Ad Block Plus can keep up.

     

    Well your LESS protected without them. So far the NoScript "web cop" Add-on has protected Firefox users from the MacDefender trojan by not allowing Javascript to run by default.

     

    Even if a trusted site has the malware and one turns off NoScript for that site, then Public Fox (with a password block on downloads) stops any automatic download from occurring.

     

    Ad Block Plus defends against advertising which has been used as a malware vector. It provides the option to whitelist  favorite sites which trust has been established by the user.

     

    Again the reasoning here is to provide a "security guard" approach, nobody gets in without approval.

     

     

    I'd highly advise installing the free VirtualBox and loading a free ISO of Linux Mint DVD 32 bit 10.10

     

    That is not a realistic suggestion for the average person, who will have neither the desire nor the knowledge to run Linux.

     

    Well note that I placed a condition on that advice, "if one likes surfing the backalleys of the Internet" as all browsers are venerable to some extent from direct website intrusions. So another "compartmentalization" level is required for sites that are prone to that sort of behavior which use images or warz as click bait.

     

    And mind me saying Thomas, it's rather presumptious of you to dictate what another would like or not like.

     

    Remember Apple opened the door to multiple operating systems running on their hardware, the PPC days are long gone, a brave new world is here where one can run all the major operating systems on one machine.

     

    Heck, Steve Jobs even used Linux on his Pixar renderfarm, I bet his MacPro runs everything under the sun just like my 17" Quad does.

     

    Apple is the second largest grossing corporation in the world next to Exxon, professional IT people like myself use Mac's now because of their ability to run all major operating systems. It's looking rather sad showing up to the job dragging a ugly bulky Dell when one can have a slim sexy looking silver MacBook Pro.

     

    So no need to get fan boy defensive any longer.

     

    Note that even folks with Safari's Open "safe" files after downloading option turned off have been affected by opening the installer manually.  And some have been alerted to the presence of malware by the automatic appearance of the installer.  I'd still agree, though, but would add that you should keep your Downloads folder cleaned out, so that any suspicious items that turn up will be easily recognized, and not mistaken for something you downloaded earlier.

     

    As to Click2Flash, I think nobody should be on the web without it!  I don't trust Flash as far as I could throw Adobe.

     

    This should have been #1!  AV software has struggled to keep up with all the variants of MacDefender, malware sites move on sometimes an hour-by-hour basis and malicious code sneaks into trusted sites.  In all, no automated defense tool will protect you from a new threat...  only your "wetware" can do that!

     

    Well at least we agree on something, I actually don't approve of anyone using Safari AT ALL, because of it's lack of a NoScript option and failing every Pwn2Own contest.

     

    But there are those who will, by stubborness or brand loyalty, will continue to use Safari so I recommend at least a partial security solution.

     

    And since the MacDefender trojan uses Javascript, not Flash, Click2Flash offers little protection, just another preventative measure against other attacks.

  • ds store Level 7 Level 7 (30,315 points)

    etresoft wrote:

     

    You don't need to do any that stuff. The latest Mac malware that is going around still needs to ask your permission to install itself. Just type "⌘ q" and you're done.

     

    Computer security is skating not to where the puck is, but where it's going to be.

  • thomas_r. Level 7 Level 7 (30,185 points)
    Then the programs need to be reinstalled for "All Users"

     

    It's not that simple.  I have personally encountered apps that simply won't work properly except on one account.  Some versions, at least, of Photoshop Elements are among that list...  unless you're running an admin account, you don't have access to places that they need to make changes on a frequent basis, and thus they don't work right.  Running a Standard account is a good idea, but not always practical for everyone.

     

    The user is rarely installing/uninstalling or making such drastic changes to their machine that entering their Admin name/password is such a burden.

     

    Don't judge by your own experience.  I know people who are constantly downloading and installing games, fun apps, etc and would think nothing of entering their admin name and password.  For such people, running a standard account would not be significantly safer, since they'd just authenticate everything anyway.

     

    the reasoning here is to provide a "security guard" approach, nobody gets in without approval.

     

    My point is, security guards are not infallible, and if you rely on them entirely, you'll eventually be in danger.  One should not install security measures and then just forget about it.

     

    And mind me saying Thomas, it's rather presumptious of you to dictate what another would like or not like.

    [...]

    So no need to get fan boy defensive any longer.

     

     

    With regard to the average user not wanting or being able to install Linux, I don't think it takes any presumption whatsoever to be able to say that.  If you believe the average user would be interested in installing Linux on their Macs, you clearly do not understand the average user.

     

    As to the name calling...  I don't see how saying that some of your suggestions are unrealistic or not as secure as you imply makes me a "fan boy."

  • etresoft Level 7 Level 7 (26,605 points)

    ds store wrote:

     

    Computer security is skating not to where the puck is, but where it's going to be.

     

    I'm from Alabama. I only moved to Canada recently. Your analogy has no significance to me.

     

    I think you are trying to say that the MacDefender trojan is a harbinger of doom and that it signals the beginning of an onslaught of Mac-targeted malware. Perhaps that is true, but it doesn't change the fact that MacOS X is an inherently secure operating system. The MacDefender trojan could have easily been written ten years ago. As malware goes, it is a pathetic attempt written by an amateur. If this is the best they can come up with in ten years, wake me up in another ten.

     

    People on the internet have been trying to spread disinformation that Macs can be hacked "in seconds". It's all a pack of lies - nothing more.

  • ds store Level 7 Level 7 (30,315 points)

    WZZZ wrote:

     

    Not sure that AdBlock Plus protects that much. I understood that all the stuff it blocks still loads, it's just kept off the screen. Not 100% sure of this, but when malicious hacks on third party advertising appeared for the NY Times a few years ago, I don't think ABP kept them from loading and users with ABP were still vulnerable.

     

    My reasoning with Ad Block Plus is more along the advertsing being hijacked to display what appears to be a OS X Window or scan progress like one see's on Windows to invite a click response to go to a malicious site.

     

    Another inconvenience for running Standard is that system.log is not accessible except by running the su command and then sudo for the Console executable. Anything sudo needs to run first with su for the admin account.

     

    Still minor relative to 99% time certain files and folders are protected from unknown altteration.

     

    I think ds store's recommendations are sound, but probably somewhat on the too complicated, or much too complicated, side for many users, NoScript included. But, even my wife who hated it at first, doesn't complain about NS too much anymore. I think she understands its value. But it does take a bit of getting used to.

     

    Complicated for most users that will just ignore it and install anything, not backup their files, just like they do on Windows.

     

    For them it's best perhaps that they get a dumbed down iPad, then we IT professionals can concentrate on people we can help, instead of those we can't help.

     

    Be surprised, most of the web doesn't need scripts running as much as people THINK it does. And since NoScript can be made to allow those common use sites to be "allowed" lets the user adjust their own preferences and convenience level, instead of running hog wild with everything turned on and allowing anything to do anything at anytime.

     

    However for those looking to surf a little safer and have the chops to make the changes, it's good advice I think, until Apple pulls their web browser security up and sandboxs Safari, with a big popup window when a download occurs just like Firefox does, not some tiny thing that disappears behind another window or downloads so fast you can't see it on ultra fast connections with small file sizes.

  • Linc Davis Level 10 Level 10 (159,555 points)

    The MacDefender trojan could have easily been written ten years ago. As malware goes, it is a pathetic attempt written by an amateur.

     

    The trojan itself is rather crude, but the SEO poisoning attack on Google is sophisticated. That's where the expertise comes in.

  • ds store Level 7 Level 7 (30,315 points)

    Thomas A Reed wrote:

     

    It's not that simple.  I have personally encountered apps that simply won't work properly except on one account.  Some versions, at least, of Photoshop Elements are among that list...  unless you're running an admin account, you don't have access to places that they need to make changes on a frequent basis, and thus they don't work right.  Running a Standard account is a good idea, but not always practical for everyone.

     

    Hehe, Photoshop Elements, this is the same Adobe that makes Flash right?

     

    If they can't understand the real world uses of their software that Admins need to lock down the Application's folder as not to drag their product off to be copied/deleted, then Steve Jobs was right to call them "lazy"

     

     

    Don't judge by your own experience.  I know people who are constantly downloading and installing games, fun apps, etc and would think nothing of entering their admin name and password.  For such people, running a standard account would not be significantly safer, since they'd just authenticate everything anyway.

     

    Well if they install something that compromises their Mac, then they go no one to blame but themselves.

     

    But, with entering admin password at least they got that chance to decide.

     

     

    My point is, security guards are not infallible, and if you rely on them entirely, you'll eventually be in danger.  One should not install security measures and then just forget about it.

     

     

    Well we shouldn't be having to worry about security actually if Apple paid more attention to their browser.

     

    With regard to the average user not wanting or being able to install Linux, I don't think it takes any presumption whatsoever to be able to say that.  If you believe the average user would be interested in installing Linux on their Macs, you clearly do not understand the average user.

     

    I do understand the "average user", I clean their machines and see what they have been doing.

     

    And the last time I checked, the Bootcamp forums still have a lot of action going on, that's considerably more difficult than simply installing a guest os in a virtual machine program.

     

    for those who don't understand my advice, it will fly over their heads like neuroscience fly's over mine.

     

    As to the name calling...  I don't see how saying that some of your suggestions are unrealistic or not as secure as you imply makes me a "fan boy."

     

    Well it appears your bias is showing when I suggest a solution that's anything not Apple that's all.

     

    But on the other hand you wrote:

     

    Thomas A Reed wrote:

     

    Note that even folks with Safari's Open "safe" files after downloading option turned off have been affected by opening the installer manually.  And some have been alerted to the presence of malware by the automatic appearance of the installer.

     

    So technically speaking, people who are competent enough to install Firefox and the Add-ons I suggested shouldn't be using Safari at all right?

     

    We all get tricked, I almost got nailed downloading a fake Linux distro from a cloned site when my WOT popped up and screamed bloody murder.

     

    So you see, having many safeguards in place does make a considerable difference in protecting one's on line security.

     

     

     

    One must maintain a well rounded security policy, just "unchecking Safari safe files" is not going to cut it.

     

    So far I don't see that well rounded security happening with Safari, however since Firefox has significant Windows exposure, it already has these safeguards in place.

  • ds store Level 7 Level 7 (30,315 points)

    etresoft wrote:

     

    People on the internet have been trying to spread disinformation that Macs can be hacked "in seconds". It's all a pack of lies - nothing more.

     

    Well that's not exactly true.

     

    Just Google: "safari pwn2own seconds"  and see the articles for yourself and the date.

     

    Apple rolled out a security update a month after the contest, those who are still using a unpatched Safari are vulnerable.

     

    So for a month there all Mac's were exploitable, and given what researchers say that Webkit has lots of vulnerabilities, it might still be a ongoing problem.

     

     

    Realistically speaking, until a browser stands up to repeated hacking attacks without failure, then it's a secure browser.

     

     

    None of them do, but some are more secure than others or can allow less things to run all the time, reducing the exploit vectors.

     

    Why one needs to also run as a General User, in case their browser gets pwned it has limited privileges.

  • etresoft Level 7 Level 7 (26,605 points)

    You are mixing up issues here. Are we talking about fake antivirus malware for Macs or hacking contests? It doesn't matter because that is exactly what you are supposed to do - get mixed up and confused so you don't know what is going on with Mac security.

     

    To simplify: Macs are secure. Your browser can't be hacked in seconds. You are being lied to.

  • Barney-15E Level 8 Level 8 (41,465 points)

    A vulnerability is just a vulnerability until it is actually expoloited.

    That vlunerablity must also be multiplied by a probability of it actually being exploited to become a risk.

    Currently the vulnerability can be infinite, but there is still zero probability, so the risk is zero.

     

    When the probability of being exploited gets to be somewhere greater than zero, it will be something to worry about.

  • ds store Level 7 Level 7 (30,315 points)

    Barney-15E wrote:

     

    A vulnerability is just a vulnerability until it is actually expoloited.

    That vlunerablity must also be multiplied by a probability of it actually being exploited to become a risk.

    Currently the vulnerability can be infinite, but there is still zero probability, so the risk is zero.

     

    When the probability of being exploited gets to be somewhere greater than zero, it will be something to worry about.

     

    People's machines are being exploited and the vulnerability is Safari not asking the users permission before initiating a download.

Previous 1 2 3 Next