MacNewsWorld reported yesterday on a new worm targeting jailbroken iPhones. The worm has been dubbed ‘Duh’ and, unlike previous exploits, this version is malicious, establishing a command-and-control botnet that is capable of sending data back to a central server.

The default root (SSH) password is also changed, in an apparent attempt to make it more difficult to re-secure an infected iPhone. According to Paul Ducklin from Sophos, the password is changed to ‘ohshit’ & this is done by rewriting its hashed value in the master password file.

Please note that this worm only appears to affect jailbroken iPhones – iPhones running Apple’s official OS are unaffected. Unfortunately, since jailbreaking an iPhone is considered a warranty violation, Apple has made little effort to allow 3rd party anti-virus vendors to develop software to prevent such attacks, claiming jailbroken iPhones are already running ‘unauthorized software’ and as such are used at the owner’s risk.

Detailed instructions for changing the default root (SSH) password can be found at the JustAnotheriPhone blog. Using the free MobileTerminal iPhone application is the simplest & most straightforward option.

While changing the root password will certainly increase protection against the ‘Duh’ worm and any future attacks, currently, the only 100% secure iPhone is one that has not been jailbroken. If you are using an iPhone in an enterprise or other environment where data security is an issue, running a jailbroken iPhone is strongly discouraged.

To restore the Apple-authorized OS to an iPhone, simply connect the iPhone to iTunes & click the ‘Restore to Defaults’ button. This will erase all data on the phone & return it to factory settings. This support article from Apple describes the backup & restore process in detail.


iPhone SMS Security Patch

August 10, 2009

The iPhone OS 3.0.1 update that was released on July 31 patched a security flaw that could have allowed hackers to remotely control iPhones by launching a text-message attack. Security researchers publicized the exploit at the Black Hat cybersecurity conference, and Apple posted the security patch the following day.

While Apple moved quickly, Chris Miller, one of the researchers who publicized the exploit, noted that he notified Apple about the flaw nearly a month earlier and that it was first discovered in OS 2.0. It may have taken a public exposure to jump-start the release.

Read more about the SMS exploit at Wired.com.

While most of the blog coverage on the recent Office 2008 12.1.9 Update focused on the patching of Word vulnerabilities, considerably less attention was paid to what seems to me to be a much more important aspect of the update: Exchange Web Services support.

Entourage Web Services is Microsoft’s upcoming attempt to “achieve greater parity between Entourage and Outlook.”

According to Microsoft’s Description of the Microsoft Office 2008 for Mac 12.1.9 Update, this update is a “prerequisite for the installation of Microsoft Entourage 2008 for Mac Web Services Edition” and will have to be installed before the Entourage 2008 Web Services Edition can be installed.

Microsoft will be abandoning CalDAV for Exchange Web Services (EWS), which should offer better “performance, compatibility, and reliability” since EWS allows Entourage to shift the bulk of the ‘heavy lifting’ to the Exchange server, rather than relying on the client to carry the load as it does now. It will also allow for the syncing of Tasks, Notes, and Categories with an Exchange server and will use EWS & HTTP to resolve names from the Global Address List, among other features.

Entourage for Exchange Web Services requires Exchange Server 2007 running Service Pack 1 with Update Rollup 4 or greater. Clients need to be running OS X 10.4.9 or later and the 12.1.9 update for Office 2008 for Mac, plus the Entourage for Exchange Web Services Edition (once released). More information on the Entourage for Exchange Web Services Edition can be found at The Office for Mac Team Blog.

Entourage Web Services is still in the beta stage, however, and not yet available to the general public. Its inclusion in the 12.1.9 update seems to imply that this may soon change.

Update to version 12.1.9 of Office 2008 using the Auto-Update tool, or download the 12.1.9 update directly from Microsoft’s support site.

As with all software updates to mission critical software, please be careful.

Ouch. It took Baltimore security researcher Charlie Miller 10 seconds to hack & gain control of a fully patched MacBook using a pre-written exploit during the PWN2OWN hacking contest at this year’s CanSecWest Conference in Vancouver. He loaded the exploit into a web URL which was clicked by a user, imitating a common tactic of infecting users with malware at malicious sites (Windows users, you know what we’re talking about…).

The whole process was part of a competition held every year at CanSecWest. Miller won $5k & the MacBook he hacked. Rights for the exploit were sold to TippingPoint, CanSecWest’s sponsor, and Apple was notified of the exploit. Not bad for 10 seconds work…

I’m not trying to be alarmist, but it strikes me that we might be starting to see a pattern forming here. It seems that Apple’s much-vaunted ‘virus-free’ bragging rights are eroding slowly but surely. And as their market share increases, these kinds of sightings are going to occur more & more frequently.

And while I’m certainly hesitant to tell everyone to run out & buy anti-virus for their Macs, it certainly wouldn’t hurt to review some security best practices for the internet, so…

  1. If you’re unsure about the source of a link, DON’T CLICK IT.
    • Just because a flashing icon/window begs you to click it, doesn’t mean you should (in fact, a flashing window should be a pretty good indicator that this ISN’T a link you should be clicking!!!).
  2. Enable Pop-Up Blockers.
    • Bit of a pain, sometimes, I know. But they typically do more good than harm.
  3. Unless there’s a good reason not to, keep your browser’s security settings enabled.
    • That includes warnings for suspected phishing, forgery, attack sites, & others.
  4. [Safari] Disable the “Open ‘Safe’ files after downloading” option in the Preferences.
    • Don’t let a web browser tell you if a file is safe. Again, if you’re unsure about the source, don’t open it (or at least scan it first!).
  5. Be careful when you’re downloading torrents or files from peer-to-peer applications – traditionally these are some of the biggest sources of infection for malware and viruses.
  6. Don’t use Internet Explorer. If the above Charlie Miller incident teaches us anything, we probably shouldn’t use Safari, either.
    • Firefox is a good choice, Opera is another – both are free.

OS X iServices Trojan Horse

February 2, 2009

An Intego Security Alert, published January 26, announced the discovery of a new variant of the Mac Trojan Horse iServices virus. The trojan is being packaged in cracked versions of Adobe Photoshop CS4 found on torrent sites.

Running the patching application to apply the crack will execute the trojan, which listens for web requests and makes repeated connections to several IP addresses.

It’s important to recognize that this is NOT a proof-of-concept virus – this is the real thing. The previous version of the trojan used infected computers in DDoS attacks on a number of websites.

Intego claims that VirusBarrier X4 & X5 with the latest virus definition files will protect against this trojan. SecureMac, a Mac-focused security site, has released the iServices Trojan Removal Tool (download connects to SecureMac’s download link), which they claim will also remove infected files.

The best defense against the virus, as well as its predecessor (bundled with a torrent of iWork ’09), is obviously to avoid downloading & installing cracked or otherwise modified software – whether from torrent sites or via peer-to-peer networks. Investing in appropriate anti-virus software is obviously (increasingly) important, as well.

Sigh. It was bound to happen sooner or later. Apple’s historic viral immunity really was just a question of market share, after all…