Apple fanbuoys* – let’s make anti-virus peace!


My colleague Chet has already warned you about Apple’s latest critical update to QuickTime 7, issued this morning. Please read his article to find out if, and how, this patch applies to your computer.

(To summarise. If you use OS X 10.6, you are on QuickTime 10, patched a month ago in the 10.6.5 system update. If you are using Windows, you have QuickTime 7, and need the new upgrade. And if you have OS X 10.5 or earlier, you are also on QuickTime 7. So you are in the same basket as Windows users. Upgrade now.)

Fifteen separate CVE vulnerabilities are patched in the QuickTime 7 fix, including a bunch of heap overflows announced back in October. Seven of these are claimed by CVE to “allow remote attackers to execute arbitrary code” by serving up a maliciously-crafted image or movie file.

Everyone seems to accept that patches against this bugs of this type are vital for Windows users, since they’re far-and-away the biggest target of malware authors.

Chet goes further, advising you to patch as soon as possible whether you are on Mac or Windows.

Chet is right – he usually is! – but I suspect that there may be some doubters in the Mac camp.

When we recently released Sophos Anti-Virus for Macintosh Home Edition for free, a vocal minority of Mac users let rip at us, saying that avoiding risky sites, and being cautious before typing in the OS X software installation password (similar to UAC on Windows), are enough to keep Mac users safe.

Indeed, both these behaviours – which ought to be common sense for all users on all operating systems – are to be applauded. But remotely exploitable buffer overflows which can be triggered by viewing image or movie files are well-worth worrying about.

Exploits which allow the remote execution of code embedded in otherwise-harmless files are highly sought after by cybercrooks – which means they are prepared to invest time and money to acquire them – specifically because they bypass the warnings or password requests you would usually see.

And unexceptional file types, such as images and movies – which are considered safe to render without warning dialogs, since they aren’t supposed to be executable – can surprisingly easily end up embedded into non-risky web pages, even those belonging to well-known, trusted brands. (Not convinced? Here’s some evidence.)

So here is some advice:

* Avoid visiting obviously-risky sites. (The outspoken Mac fans are right.)

* Require good reason to trust newly-downloaded software with your installation password. (The outspoken Mac fans are right.)

* Install patches and updates as quickly as you reasonably can, especially if they fix remotely-exploitable vulnerabilities.

* Use anti-virus software. Even non-risky browsing may expose you to as-yet-unpatched vulnerabilities and the unexpected, unannounced installation of malware. (The outspoken Mac fans are wrong.)

* Consider browsing through a web security device which can block infected web pages proactively, even before they reach your computer.

Oh, and please stay safe online over the festive season.

[*] Buoys, because it’s pronounced ‘boy’ in British English. Buoys, because we know you care about marking a safe course for others, whether we agree about anti-virus or not.