Posts tagged ‘javascript’

Big Mac Attack Is A Flashback You Don’t Want!

If you’re reading this, hoping for information about how to score yourself a free cheeseburger, I’m sorry to disappoint. Nope, this is about how Apple’s Macintosh security has fallen down and gone boom. Yes, that’s right. Just in the last couple of days it has come to light that some 550,000 Apple Macintosh computers have been turned into zombie PCs by malware that only infects Apple Macintosh computers.

The zombie virus, named Flashback, is a Mac OS specific piece of malware that exploits a security hole in Java that Apple only patched on Tuesday. A hole that had been fixed in Windows for six weeks. Flashback infects Macintosh computers with a backdoor (BackDoor.Flashback.39) after a user is redirected to a website where JavaScript code is used to run a Java applet containing the trojan. That backdoor can then be used for just about anything, such as loading even more malware onto the infected Mac: password sniffers, banking information stealers, search hijackers, etc.

If you’re a Mac owner, you should probably be patching Java immediately. And maybe checking to see just how much malware may be on your Mac.

And to anyone who claims that a Macintosh is more secure than any other PC (Windows, Linux, or otherwise): Welcome to reality.

Apple announces record Macintosh growth over 2011.  Apple Macintosh virus infection runs amok at the start of 2012.  Coincidence?  I think not.  It’s time for Macintosh owners to start taking their security seriously.

YouTube Virus Quickly Squashed – World Safe For Justin Bieber Once More

To celebrate the 4th of July, hackers found a cross-site scripting (XSS) flaw to exploit on YouTube that allowed them to insert JavaScript code into the comments section of videos.  In theory this XSS vulnerability could have allowed them to do things like steal passwords.  Fortunately, however, the hackers, on a somewhat less than mature roll, used the YouTube security hole to do nothing more nefarious than redirect folks looking for Justin Bieber videos to false news reports that he had perished recently in an automobile accident.  Funny perhaps, but not the danger one would expect from such a vuln.

The bug was fixed mere hours after it first appeared.  First, comments were temporarily hidden by default to protect video viewers, and then, once that was in place, the actual security hole was patched and things returned to normal.

That’s how security is supposed to be done.

How Do You Deal With Security When Insecurity Is A Feature? The Adobe PDF Dilemma

There’s been an interesting little buzz lately that brings up a troublesome question: how do you handle a significant security threat when it isn’t a bug, but in fact a feature?  The concept is certainly nothing new, especially to Microsoft users.  But this time it’s Adobe’s Portable Document Format (PDF) that’s giving security experts the shakes.  Not that this is exactly anything new either, sadly.

The problem lies in just what exactly a PDF document is allowed to do.  Besides embedding images, PDF files are also allowed to contain embedded music and video.  But wait, that’s not all.  Also on the list of allowed embedded files within PDF files?  Why not forms that upload data to webservers?  Heck, why not allow JavaScript itself?  Hell, why not just go balls to the wall and allow fully fledged executables?  Yes, Adobe actually allows all of these things to be embedded into a PDF document.

And what security features are in Adobe’s Reader to prevent malicious PDF trojans from doing bad things when you open them?  Why, there’s a simple pop-up question.  And not only that, but the pop-up question’s text itself can be manipulated, as shown by Didier Stevens.  This form of attack is no accident.  It’s not a bug.  It’s not something that will just be fixed because it was wrong.  Because it’s a feature.  Adobe intended for things like this to be possible.

Oh, sure, I imagine at the time that the folks at Adobe imagined great things.  With only good in their hearts, they imagined brilliant coders doing wonderful things with all of the possibilities available.

Like any tool however, the good or the bad is not in the tool itself, but in how you use it.  And this tool has a lot of dangerous potential.

But wait!  That’s not all!  Because when you order from Adobe, you get two for the price of one!  Jeremy Conway, another security researcher, has found it’s worse than just that.  Because of this ability of PDF documents, you can actually turn existing PDFs into trojans by running a malicious PDF in Adobe Reader.  Yes, that’s right.  PDF documents are wormable.  No PDF document is trustworthy.  Just opening one bad PDF can infect all of your PDFs.  You don’t need to download some big bad virus.  You don’t need to execute some malicious program.  All that you need is the Adobe Reader and to innocently open one infected PDF file.

All by design!  No bugs here.  Just a lack of foresight that creates a semi-intentional security hole big enough to drive a convoy of Mack trucks through.  Just one of the many lovely features of the PDF format.

So the next time that you open up a PDF file in Adobe, if it pops up a window asking you if you want to Open or Do Not Open, don’t even bother asking yourself if you know who sent you this PDF.  Because it doesn’t matter if it’s from a theoretically safe source or not.  Right now, all PDF files are suspect, no matter who sent it to you.  If it pops up the question:  Do Not Open!
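The features this post lists appear inside a PDF file as name tokens, so a file can be triaged before anyone opens it in a reader. The script below is an added example, not code from the original post or from the researchers it mentions; the choice of names, the verdict labels and the sample bytes are this example's assumptions.

```python
import re

# PDF name tokens behind the features the post lists (embedded media and files,
# upload forms, JavaScript, program launch) plus the entries that auto-run actions.
RISKY_NAMES = {
    "JavaScript": "JavaScript action",
    "JS": "JavaScript source",
    "Launch": "launch an application or file",
    "SubmitForm": "send form data to a URL",
    "EmbeddedFile": "embedded file",
    "RichMedia": "rich media (audio/video) annotation",
    "OpenAction": "action run when the document opens",
    "AA": "additional automatic actions",
}
ACTIVE = {"JavaScript", "JS", "Launch", "SubmitForm"}
TRIGGERS = {"OpenAction", "AA"}
# A name is "/" followed by bytes up to whitespace or a PDF delimiter.
NAME_RE = re.compile(rb"/([^\x00\t\n\f\r ()<>\[\]{}/%]+)")
HEX_RE = re.compile(rb"#([0-9A-Fa-f]{2})")

def decode_name(raw: bytes) -> str:
    """Undo #xx escapes so /J#61vaScript is counted as /JavaScript."""
    return HEX_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")

def triage_pdf(data: bytes) -> dict:
    """Count risky names in raw PDF bytes. Names inside compressed streams are
    not seen, and names inside strings are over-counted: triage, not parsing."""
    hits = {}
    for m in NAME_RE.finditer(data):
        name = decode_name(m.group(1))
        if name in RISKY_NAMES:
            hits[name] = hits.get(name, 0) + 1
    return hits

def verdict(data: bytes) -> str:
    hits = triage_pdf(data)
    if ACTIVE & hits.keys() and TRIGGERS & hits.keys():
        return "quarantine"   # active content plus an automatic trigger
    return "review" if hits else "none"

# Constructed fragments for illustration; neither is a complete PDF file.
SAMPLE = (b"%PDF-1.4\n"
          b"1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
          b"2 0 obj << /S /Launch /F (example.txt) >> endobj\n"
          b"3 0 obj << /S /J#61vaScript /JS (constructed) >> endobj\n")
PLAIN = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"

if __name__ == "__main__":
    print(verdict(SAMPLE), triage_pdf(SAMPLE))
```

A "none" result only means no flagged name was visible in the raw bytes; objects packed into compressed streams need to be inflated before a scan like this can see them.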

Yet Another (In)Security Update

In computers we trust.

But the funny thing is, we shouldn’t.  We really really shouldn’t.

So what’s the latest in security news to remind us how insecure computers can be?  Right.  Let’s get crackin’…

Gone in 60 Seconds, WPA Key On A Silver Platter:

To start with, let’s hear it for wireless networking!  Never has hacking been easier.  You don’t even need to connect a wire.  Often, you don’t even need to be in the building.  Just drive by, park nearby, walk along with a laptop, whatever your evil little heart desires, and you can begin the computer equivalent of breaking and entering at your convenience with no real worry of strange looks or calls to security.  That in itself makes wireless networking so very dangerous.  But then there are the encryption protocols.

The absolute worst, most rubbish ever to use, would be WEP.  Don’t even touch it.  If you think you’re secure using WEP you might as well just not even bother trying.  Now WPA was at least better.  Key word here however is “was”.  As in past-tense.  Yes, that’s right.  A system of hacking WPA was developed by Toshihiro Ohigashi of Hiroshima University and Masakatu Morii of Kobe University that is based on the established Beck-Tews method and can hack WPA in as little as one single minute.  Yes.  Sixty seconds or less and your WPA key is handed over on a silver platter.  This is news because one of the formerly best hacks of WPA, the aforementioned Beck-Tews method, takes more than ten minutes.  You can look deeper into these methods if you care to, but the simple point is WPA is dead to us.  As dead as WEP.  Now the minimum to be secure wirelessly is WPA2.  Which, being old itself, you should have been using already anyway.

Hot List – Snow Leopard Insecurities:

So you just upgraded your Mac to Snow Leopard, Apple’s latest Mac OS X.  Congratulations!  But did you know that Snow Leopard comes with an older version of Adobe Flash?  Yes, that’s right.  Even if you had upgraded to the latest and safest version from Adobe before (which would be 10.0.32.18 at the time of writing), you’re downgraded now.  Back to version 10.0.23.1.  And that means exposure to old exploits and attacks on your shiny new and “secure” Mac.  All without a hint of warning from Apple.  Isn’t that nice of them?  So if you upgraded to Snow Leopard, be sure that one of the first things that you do is update your Adobe Flash … again.

But that’s not all.  Oh no.  Apple’s far too unconcerned with security for that.  Apple has kindly included malware protection built in to Snow Leopard.  (Why is it when Microsoft does this, it’s anticompetitive, but when anyone else does it, it’s heralded as genius?)  Which you’d think is good.  Bundled protection means more people are safe.  If you download and install some Big Nasty, Snow Leopard pops up a warning and recommends that you toss it in the Trash before it harms your computer.  How nice.  It sounds good, except that so far Apple’s protection is very … limited.  It hardly identifies any baddies at all.  And this is the problem, because it lulls you into a false feeling of security.  You’re protected, right?  Wrong!  So until Apple does a much better job of identifying malware it is highly suggested that you also install your own protection software.

Microsoft IE – Something Rotten in Denmark England:

And speaking of Microsoft and bundling, Microsoft’s SmartScreen Filter, built/bundled into Internet Explorer 7 and 8, has decided to protect a lot of folks from those dangerous blokes across the pond by blacklisting every uk.com top level domain!  Um, come again?  Yes, that’s right.  To protect you from phishing attacks, IE blocks Blighty.  As one would imagine, this has caused a great deal of problems and phone calls from concerned web surfers over there.  Of course Microsoft fixed things fairly quickly.  After all, blacklisting entire countries on a whim is kind of bad press.  But it just goes to show, sometimes “security” works as much against you as it does for you.

O2 – Something Else Rotten in Denmark England:

Customers of O2, a British internet service provider, may want to disconnect.  O2 has been handing their customers faulty routers.  The O2 Wireless Box II (a rebranded Thomson TG585) and the O2 Wireless Box III (a rebranded Thomson TG585n) are vulnerable to cross-site request forgery (CSRF) attacks, allowing pretty much anyone to easily log into your router itself, at will, no questions asked.  This in turn lets them steal your encryption key, even if you use WPA2, and do all sorts of other not-so-nice things to your computer.  Needless to say, this is bad.  But after badgering O2 about it, security champion Paul Mutton has finally convinced O2 that it actually is a problem.  And O2 has promised to look into it and remedy as necessary.  If you’re an O2 customer, make sure you keep on top of this, as at-will hijacking of your router is A Bad Thing.

World of Warcraft – Gone Phishing Again?:

Yes, same as always then.  The official Blizzard WoW forums are being used to distribute malware to steal your passwords, blah blah blah.  If you play World of Warcraft and have somehow not heard of all of the phishing and malware trying to steal your account information so that hackers can sell your loot for real money, then you must be oblivious.  To everyone else, same s___, different day.  This latest phish is pretending to offer you exclusive access to a new service.  Just click on their invitation, bend over, and take it from behind.  I guess these things must work, because hackers keep doing them.  But honestly, if there isn’t a group of people that should be extremely aware of security by now…  Welcome to the World of Phishcraft.

What’s This?  Good News?  Google Polishes Chrome:

If you use the newest web browser darling, Google Chrome, then congratulations, you’ve got a patch to fix a couple of severe vulnerabilities.  The update to 2.0.172.43 protects you from a known attack on Google’s V8 JavaScript engine, and from a known attack on webpages using XML-encoded information.  If you haven’t patched your Chrome yet, it is highly recommended.

Well, that’s it for now.  Be wary.  Be safe.

Firefox Update Fixes JavaScript Zero-Day Exploit – And THAT’S How It’s Done!

Yesterday Mozilla released an update to their popular web browser Firefox that fixed a security hole in the browser’s Just-In-Time (JIT) JavaScript compiler.  Exploits based on the security hole had only been discovered on Tuesday.  So yes, that was a total of two days Mozilla took to patch the security hole.  Unlike some companies, who shall remain Microsoft.