FREAK is last week’s worry, but installing untrusted applications is a perennial worry. It’s a two-fer (or two-fear) in this column, about security issues new and old.
Apple released updates this week for a security vulnerability known as FREAK. FREAK allowed a malicious party to force a weaker encryption protocol to be used between about one-third of web servers with security credentials and many secure web clients and commonly used software libraries. That weaker protocol could be cracked cheaply and relatively quickly to reveal the contents of a session between a browser and web server. (You can read the full details about the attack in Jeremy Kirk’s news report.)
Apple confirmed on March 3 that it would release updates the following week, which it did. This is better communication than usual, matching a more recent pattern. In the past, the company often remained mum about when security fixes would come, even when they were quite severe. The frankness is welcome.
The updates are for OS X 10.8 (Mountain Lion), 10.9 (Mavericks), and 10.10 (Yosemite); Xcode 2; iOS 8 (included in 8.2); and 3rd generation and later Apple TVs. This seems like a relatively small window of updates, given that the flaw is present in operating systems of all kinds dating back a decade.
But the fix is asymmetrical: it can be blocked either or both in clients and servers. Web sites immediately began relatively minor reconfigurations that prevent the flaw from being exercised, regardless of what secure software attempting to connect tries to do. Sites that have bothered to install security certificates (or require them for their business) are likely to update their settings if they fall into the category of affected servers.
FREAK is one of a category of irritating exploits that there’s nothing you can do about on your own, nor have done as a preventative, to keep yourself safe. However, engaging the exploit would require a party with dire intent to insert themselves as a “man in the middle” (MitM). For all users, the likelihood of interception is low; for particular users, who might be targeted by enemies, criminals, or a government agency, the odds would be moderate to quite high—if this exploit were known and in use as a tool of interception or theft.
As it stands, those with OS X 10.7 and earlier or iOS 7 and earlier shouldn’t fret, they iOS users may be feeling like . The holes have been closed so rapidly that this isn’t likely to be a useful tool in the kit of those bent on interception.
Don’t take any wooden apps
There’s word that malicious installers for Mac software have started to crop up again. This isn’t the first time this has happened, but it’s often surprising to OS X users that there’s any reason to worry because of Apple’s generally great approach to software installation that prevents malware from gaining a grip without user intervention. But even if you wouldn’t be suckered in, you might check friends’ and relatives’ configurations and understanding to make sure they’re safe.
The installer scam involves software, often legitimate and desirable, that is wrapped in a package that makes it seem as if one needs to also install other, unrelated software. Some of it is pure malware, but all of it hijacks some aspect of your experience, such as adding browser extensions, redirecting your default search engine, or generating popups. The intent is to capture your attention to add clicks that the installation software maker is paid for or to fool you into purchases.
For purposes of software hygiene, I recommend never installing OS X software downloaded from anywhere but the Mac App Store or the developer’s site, unless it’s via a link provided by the developer to an alternate download. With some open-source, free, or alternate distribution model software, you may need to download elsewhere, but the project’s home will almost always guide you there. (This assumes any given developer isn’t unethical, which is nearly always true.)
The next level of safety is in the Security & Privacy preference pane (in Yosemite). In the General tab, the Allow Apps Downloaded From set of choices lets you determine the level of default installation risk. You can opt for Mac App Store only, the store plus Identified Developers, or Anywhere—if you dare.
For less-sophisticated Mac users you know or help with their computing needs, the Mac App Store might be the best choice. If they don’t routinely or perhaps ever install third-party software or always require your or someone else’s help, it’s a good way to prevent a bad, accidental outcome.
The middle choice, Mac App Store plus Identified Developers, only allows the straightforward installation of software that’s been signed by a digital certificate issued by Apple to a specific developer. The installer scam software may, in fact, come from parties that paid the $99-a-year fee to be part of Apple’s OS X developer program, and are misusing their membership or stretching it to the extreme limits.
This is why avoiding download sites is a good strategy to begin with, rather than relying on this security setting in OS X. Apple can revoke developer certificates easily enough and push out other remedies, but it’s better to not fall into a situation in which that recourse is what you rely on.
I always advise against the Anywhere setting, because then you let down your guard. With the middle setting, you can still install unsigned software. Find the application itself, right-click it, and select Open, and you’re prompted to confirm that you want to launch it.