
Are Web browsers smarter than users?

© 2011 Lawrence I. Charters

Washington Apple Pi Journal, reprint information

I've been wondering recently if Web browsers are getting smarter than users. Since this sounds deliberately inflammatory, let me explain:

Over the past several months, there has been much press about "viruses" now attacking Macs. A virus is a piece of self-replicating code that inserts itself into other programs or documents. The classic example is an infected Microsoft Word document: the Word document contains malicious code that executes when the file is opened, and then proceeds to infect other Word documents, or insert itself into the operating system, or steal the address book on the victim's machine and mail copies of itself to everyone in the address book. Viruses have long infected the Windows world, but as of May 2011 there are no verifiable viruses for Mac OS X.

Nor are there any Mac worms. A worm is somewhat different in that it is another self-replicating program designed to "worm" itself into other computers. The classic attack, again taken from the Windows world, is to insert itself into a victim's machine using a vulnerable port. Without getting into too much detail as to what a "port" might be, in simple terms modern networked computers listen for signals from other computers on numbered ports, such as Port 80, used by every Web browser in the world to listen for incoming information from Web sites. There are Windows worms that insert themselves into victims' machines over Port 80 (and many other ports), and then proceed to use the victim's machine as a host for reaching out and infecting other machines.

As of May 2011, there are essentially no worms attacking Macs. That claim is somewhat qualified as there are some Unix-based worms that will damage Macs, but they tend not to be self-replicating. Despite the somewhat less than ironclad claim, the truth is that Macs have little to fear from worms.

But there is malware out there that can cause grief for Mac OS X-based machines. "Malware" is an all-encompassing term that covers any kind of software that has a malicious purpose. The biggest threats to Macs in 2011 are from Trojan horses, programs that claim to be one thing and instead are something else entirely. And the most common means of spreading Mac Trojans is via Web sites.

Reported attack page

This warning, displayed in Firefox 3.6, reports that the Web site in question is listed as hosting pages designed to attack the visitor, either by stealing information or inserting hostile code onto your computer. If you see such a warning, quit your browser immediately. Don’t save anything, don’t push any buttons – just quit the browser.

Note that, unlike viruses and worms, Trojans are not self-replicating. This is small consolation, however, as few Mac users in 2011 are particularly security conscious. Why bother to sneak up on a victim if the victim isn't even the least bit wary?

Mac Defender

This came to a head in May 2011 when thousands of Mac users around the world started visiting Web sites and getting reports that their computers were infected with viruses. The users were then offered the opportunity to download a program, Mac Defender, which would allegedly get rid of the infection. If users did as directed, they were then prompted for credit card account names and numbers. It was all part of a scheme to steal credit card information.

Alleged malware warning

This window popped up when visiting the Web site of a magazine. The window claims that it has found suspicious programs on my “PC.” The only choice offered is “OK.” Whatever you do, don’t press that button. Instead, quit your browser immediately. In this particular case, the site was attempting to attack Windows computers, but you really shouldn’t try and analyze the situation: just quit the browser.

In response, Apple released Mac OS X Security Update 2011-003 on May 31, 2011. This update, released only for Mac OS X 10.6, expands on an existing "quarantine" system introduced in Mac OS X 10.5. Previously, the quarantine system routed all files downloaded via Safari, iChat and Mail to the Downloads directory. When a user attempted to open such a file, a warning box popped up and asked, "[This file] is an application downloaded from the Internet. Are you sure you want to open it?"

Safari attack warning

This warning, displayed in Safari 5, warns that visiting the site could expose your computer to malware. The site in question, www.ipodnn.com, is a popular site for news stories about the iPod, and the problem was later corrected. But if you see such a warning, quit your browser immediately. Don’t try and explain the problem away.

Security Update 2011-003 changed this quarantine system in two ways. Downloaded files are checked against a listing of known malware and, if a file matches the profile, a new warning box pops up that says, "[This file] will damage your computer. You should move it to the Trash." The default button is "Move to Trash." Additionally, the Security Update added a new feature that checks for new malicious software definitions on a daily basis.

These are welcome changes, but they only apply to Mac OS X 10.6 and not older versions of Mac OS X. Additionally, they don't remove the root cause of the problem: the user.
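The quarantine system above works by tagging each downloaded file, and the users described later in this article who "circumvent" it are really stripping that tag. The following added example (not code from the article or from Apple) parses the tag and audits a folder for files that have lost it; it assumes the tag is stored in the extended attribute com.apple.quarantine with the layout flags;hex-timestamp;agent;uuid, and that the macOS xattr command is available to read it, neither of which the article states.

```python
"""Inspect the quarantine tag that Mac OS X attaches to browser downloads."""
import shutil
import subprocess
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

# Extended-attribute name used by the quarantine system (assumption; the
# article describes the behaviour but never names the attribute).
QUARANTINE_ATTR = "com.apple.quarantine"

# Constructed sample value, not taken from a real machine: hex flags, hex Unix
# timestamp (here 2011-06-01 UTC), downloading application, and a UUID.
SAMPLE_TAG = "0081;4de5a1c0;Safari;12345678-ABCD-4EF0-9876-ABCDEF012345"


@dataclass
class QuarantineTag:
    flags: int
    downloaded_at: datetime
    agent: str
    uuid: str


def parse_quarantine(value: str) -> QuarantineTag:
    """Split a tag into typed fields; a mangled tag raises instead of
    being silently treated as a clean, untagged file."""
    parts = value.strip().split(";")
    if len(parts) < 3:
        raise ValueError(f"malformed quarantine value: {value!r}")
    flags = int(parts[0], 16)
    stamp = datetime.fromtimestamp(int(parts[1], 16), tz=timezone.utc)
    uuid = parts[3] if len(parts) > 3 else ""
    return QuarantineTag(flags, stamp, parts[2], uuid)


def read_quarantine(path: str) -> Optional[QuarantineTag]:
    """Read the tag from a file on disk via the xattr tool that ships with
    macOS; returns None if the tool is missing or the file has no tag."""
    if shutil.which("xattr") is None:
        return None
    proc = subprocess.run(["xattr", "-p", QUARANTINE_ATTR, path],
                          capture_output=True, text=True)
    return parse_quarantine(proc.stdout) if proc.returncode == 0 else None


def untagged_files(paths: List[str]) -> List[str]:
    """Downloads that no longer carry a tag: candidates for a stripped
    quarantine that a cautious user would want to know about."""
    return [p for p in paths if read_quarantine(p) is None]
```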

Users not paying attention

While no software is perfect, Apple has done a good job of adding security to the Mac OS X operating system without imposing an undue burden on the user. In the Windows world, it is perfectly normal to spend lots of extra money subscribing to security suites; even ISPs (Internet Service Providers) try to sell such suites to their customers (including Mac users). But while Apple is lessening the burden, Mac users must still exercise caution and common sense.

Example: one Pi member recently told me that, even though Firefox complained about the security settings for his online banking site, he "got around" the problem by using a different browser. This is the wrong path. If your browser is complaining about the security of a site – especially a banking site – don't go there. If necessary, change banks; it isn't as if they are in short supply.

Similarly, several individuals have expressed irritation with how Safari, Mail and iChat always place downloaded files in the Downloads folder. Why this is an irritation seems to vary with the user, but in each case, the individual was very pleased to have found a way to circumvent Apple's quarantine settings. Again, this is the wrong path. The quarantine settings are there to protect you from bad guys and bad habits.

While there are a great number of things you can do to make using your Mac safer (the entire June 2011 General Meeting was devoted to the subject), we'll offer a few suggestions specifically for Apple's Web browser, Safari.

  1. Set the default page to a known safe site, such as the Washington Apple Pi site.
  2. In Safari's General preferences, make sure that all downloaded files are saved to the Downloads folder. This is the folder used by Apple's quarantine technology; don't mess with this setting.
  3. Make sure the box next to "Open 'safe' files after downloading" is unchecked.
  4. In Safari's Security preferences, make sure that the box is checked for "Warn when visiting a fraudulent website."
  5. At the bottom of the Security preference window, make sure the box is checked next to "Ask before sending a non-secure form from a secure website."

Open safe files in Safari

In Safari's preferences, set your home page to a known safe site. And do not check the box at the bottom of the screen; you should never be opening anything directly from your web browser.

Of course, these settings alone don't make your computer safe. If Safari pops up with a warning message about a site or a file, you still need to add the necessary human touch and read the warning, and respond appropriately.

Google, by the way, uses a service that blacklists Web sites with known security problems. You can check the status of a site without ever visiting the site; just type in the appropriate URL. The following URL, for example, will report on the current status of the Washington Apple Pi site:

http://www.google.com/safebrowsing/diagnostic?site=www.wap.org

Resources

StopBadware Web site: http://www.stopbadware.org/

Google Safe Browsing diagnostic page for the Washington Apple Pi site:
http://www.google.com/safebrowsing/diagnostic?site=www.wap.org

Apple knowledge base article on Security Update 2011-003:
http://support.apple.com/kb/HT4657

Apple knowledge base article on file quarantine:
http://support.apple.com/kb/HT3662

Apple knowledge base article on how to remove Mac Defender malware:
http://support.apple.com/kb/ht4650