The Apple Security Report: Safari Needs Better Protection!
April 24th, 2008This week, Opera released a new beta of version 9.5 of its Mac browser. Now this isn’t necessarily a significant event, because Opera regularly releases updates for its products. However, like most other browsers — with one notable exception — Opera offers phishing protection.
What this means is that, in the event you click, say, on a bogus link in a letter or on a site taking you to a page that’s designed to steal your personal information and pilfer your personal finances, you’ll be appropriately warned.
Opera’s “Stay Safe” feature is mirrored to a large extent in recent versions of Firefox and even Microsoft’s Internet Explorer. Of course, there’s nothing to stop you from ploughing on and accessing the bogus site anyway, but you’ll at least be appropriately warned.
More recently, PayPal has said that, in light of the growing phishing problem, they were going to abandon support for older browsers. That sparked speculation that Safari might be included on the list, since it offers no phishing protection whatever. However, PayPal later clarified their statement, indicating that Safari would, in fact, remain supported.
So is Apple missing the boat here on a critical security protection technique? You see, phishing doesn’t know platform differences, and the Mac user can succumb to this form of criminal activity as easily as the Windows user simply by falling for a fake message purporting to be, say, from your bank. So why isn’t Apple doing more?
Certainly, I think Apple takes security mighty seriously. They issue periodic updates for recent versions of the Mac OS. A recent QuickTime upgrade, for example, according to security researcher Rich Mogull, added a number of critical changes to the code that will make the hundreds of millions of users on the Mac and Windows platform safer from exploitation.
According to Mogull, Mac OS X Leopard also has a number of enhancements that actually come close, but don’t exceed, those Microsoft incorporated in Windows Vista. Now understand, that doesn’t mean Vista isn’t a hodgepodge of bloated junk, but it does mean that Microsoft was forced to seriously consider ways to improve Windows security, after businesses lost billions of dollars over the years coping with the malware mess that afflicted the platform.
For now, except for one or two minor outbreaks and proofs-of-concept, the Mac OS X platform has remained relatively safe. This doesn’t mean that you shouldn’t install Apple’s security updates when they arrive. You never can tell when a security lapse will somehow be exploited. No operating system is perfect.
And, no, I don’t subscribe to the security by obscurity thesis that has it that Macs won’t be seriously vulnerable until the market share reaches some unknown threshold. I just think that Internet criminals still manage to make most of their ill-gotten gains on Windows and that’s not going to change in the foreseeable future.
At the same time, I think Apple, in addition to its questionable ethics about offering Safari installations for Windows users with a checkbox preselected, ought to consider such basics as phishing protection.
Now I have to tell you there are other ways to protect yourself, and it doesn’t necessarily require buying someone’s security software. You can, for example, make a one minute change in your Mac’s DNS settings, in the Network preference panel, to use OpenDNS rather than the DNS servers from your ISP. Thanks to the brilliant mind of developer David Ulevitch, who also created Phish Tank, a well-known repository of information about bogus sites, OpenDNS will use that technology to block access to those dangerous locations.
OpenDNS also offers a huge, highly efficient DNS cache, which means that you’ll be able to access your favorite sites slightly faster. As part of the free sign-up process, you can also configure methods to block other forms of unsavory content, such as porn sites.
Their technology is already being embraced by lots of businesses, including such disparate firms as The UPS Store and Sunsweet. A number of libraries are also reconfiguring their computers to use OpenDNS, and some ISPs are also taking this step.
Even better, it’s all free. OpenDNS pays its bills by selling pay-per-click ads for its customized landing sites, which you’ll see if you happen to connect to an inactive site by error.
In fact, I wonder if Apple couldn’t find some way to work with OpenDNS, maybe as part of the standard setup of a new Mac, so nobody would be forced to do the settings manually — although they are quite trivial actually.
For now, my own protection routine, other than OpenDNS, is the NAT security of my AirPort Extreme base stations and Leopard’s own fairly basic firewall feature. No, I haven’t installed any virus protection software, but that doesn’t mean I won’t change my mind should the need arise.
Print This Post
Another helpful read thanks.
Phish Tank — love the name!
Apple can still be nonchalant about patching known bugs in open source modules they use. Turns out that the problem Charlie Miller recently found in the PCRE library was disclosed a year ago. Miller says he hadn’t known that and didn’t think to look at changelogs to find something, because he didn’t think Apple would *still* be be doing this:
“Ironically, Miller gave a presentation at the Black Hat security conference last year, arguing that one way to find bugs in Mac OS X would be to look for out-of-date open-source software that ships with the Mac and then to scan that project’s files.
“I told Apple about this backporting problem then and they didn’t listen and I didn’t listen either, because we didn’t find the bug by looking at changelogs, we found it with source code analysis,” Miller said.”
I’m sorry to say it, but my confidence in Apple has gone down a fair bit over the past two years or so. And I think I’d be far less confident of independent Mac developers. When it was pointed out to one (very well-known) one recently that he was running a setuid root binary out user directories he said:
“I haven’t looked at the code recently, so I don’t remember exactly what I did, but I did ensure that I was doing all the necessary steps to ensure security.â€
Would that reassure you? As the user who brought the problem before him pointed out, because of the permissions that binary could be written to by a bad guy — “trojaned” — and then when it runs as root …
Mogull’s right: they’ve made some important changes but they could do more.
It’s just as well for users that the platform’s not too bad to start with and the market-share is low. I agree with you that AV is of little to no use, but I think people could consider not using admin accounts for day to day use. That’s what Dino Dai Zovi suggested in advised in conversation with John Gruber last year. On an admin account both /Applications and /Library are writable without any privilege elevation needed.
Maybe they’ve learned because the bug Miller “discovered” has since been fixed.
Peace,
Gene
Thanks Gene, I’ve switched all of my computers to OpenDNS after reading this. Phishing protection is the one (and only) omission in Safari that bothered me, and now it no longer does. The speed boost was nice too.
I’m curious to see how many people have been phished. Anybody here been taken by a bogus email? How about friends or family? What’s the hard number – 10% or 25% of internet users get phished? How many times in a month do you get fooled and click on a link in phish email? Have you been almost phished and in the nick-of-time narrowly escape?
I’m not saying Apple shouldn’t have phishing protection, but for me its non-issue. I’m just wondering if I’m just not getting (noticing) the phishing attacks while everyone else is dealing with them.
Even a handful of people are too many, and since phishing protection doesn’t or shouldn’t cost you anything, it’s certainly worth having.
Peace,
Gene
OK, forgive my ignorance, but I don’t see an OpenDNS setting in the Network preference pane. And briefly, what does OpenNDS mean? Thanks.
The instructions are clearly explained at the OpenDNS site. Click the link in the article above and you’ll see what it does. They have simple directions for the Mac OS, Windows, etc., including going direct to the router level if you prefer.
Basically, it involves adding two sets of IP numbers, 208.67.222.222 and 208.67.220.220, to which DNS requests are redirected.
Peace,
Gene
Gene, you really didn’t answer my question. There is a very large difference between a handful of people and millions of people. And depending on the number of people who actually get phished maybe a better solution could be developed.
I have yet to hear any real numbers on the phishing. I’m not saying protection isn’t needed, but speculation that phishing is a major problem is just spreading FUD if your argument is “a handful of people is too many.”
And unfortunately free software costs something. Apple (and other companies) pay someone to add the features to Safari (and other software). Where does that money come from? At some point the cost passes to other products that produce money.
I get phishing emails regularly and avoid them with relative ease. So I am failing to grasp the concept that this is a major problem where companies are said to be dropping current browsers and old browser because of it. It sounds just like some marketing ploy or feel good security measures that really don’t solve anything.
Again, I’m not saying that phishing isn’t a problem. What I am saying is that I’m very curious to see some actual facts on phishing.
Yes, I would like to see some data, but in the meantime, since it’s trivial to do it with OpenDNS, and it doesn’t seem that phishing protection in Firefox slows it down, it just makes sense to have it in Safari as well.
Even a few is too many.
Peace,
Gene
A few? A lot? I don’t know. I do know I don’t want anyone to be phished. OpenDNS may very well be the best solution. Maybe OpenDNS should be required when surfing. Maybe Apple doesn’t have to add the feature (or feel good security measure). Maybe it’s as simple as educating the few (or many). Who knows without knowing to what extent the problem is?
But agree that if anybody is worried about it OpenDNS is a plausible solution.
It’s not just spoofing DNS addresses that you have to watch out for when using Safari. This article at Rixstep links to another page with code that can hose your Mac through Safari. (“hose” read: lock up your Mac requiring a hard restart.)
http://rixstep.com/2/20080427,00.shtml
Apple has much work to do it would seem.
Cheers,
Tom.
My comments about OpenDNS were, in part, related to their phishing protection, although the service has other advantages.
Peace,
Gene