Mac attack

Posted by Maxim Weinstein Fri, 15 Aug 2008 14:06:30 GMT

Sandi over at the Spyware Sucks blog pointed to this thread on Apple’s Mac forums, indicating that some Mac users have been victims of a web-based malware attack:

This has happened to me twice now, on two separate computers at work. My clipboard has been hijacked with this:

[potentially dangerous URL removed]

And once it’s in the clipboard, I can’t copy anything else over it until I’ve restarted the machine.

Several other users reported similar attacks, whether they were using Safari or Firefox as their browser.

[Update 8/19: There are also reports of this issue from users of Ubuntu, a popular distribution of Linux.]

This is a good reminder that users of operating systems other than Windows are not immune to malware or social engineering.


Apple keeps mum

Posted by Maxim Weinstein Mon, 11 Aug 2008 13:51:28 GMT

The other day, Rob Pegoraro at the Washington Post wrote a column about Apple’s tendency to keep its mouth shut rather than communicating with customers:

The Cupertino, Calif., corporation provides some of the best tech support in the business—no other major computer vendor makes it easier to sit down with a live employee and get help. But if you’re not at the Genius Bar at one of its stores, Apple can be one of the least communicative companies around.

And when Apple’s MobileMe online service melted down after its launch last month, subscribers might as well have been yelling at their monitors.

Here at StopBadware.org, we’ve found Apple to be equally uncommunicative. A couple months ago, when we notified them that we were preparing a badware alert about Apple Software Update, they quietly changed the product at the 11th hour but never contacted us about it. More recently, we’ve tried to contact several senior executives there to initiate an informal, low-pressure conversation about their disclosure practices, but our invitation has gone unanswered.

No one is questioning Apple’s ability to design a neat product or generate enthusiasm about a product launch. Failing to engage with the security and user communities, however, is a different thing entirely, and one in which Apple is coming up short. It’s time for the folks in Cupertino to change their (i)tune and start loosening their lips.


iPhone users should beware of mail links

Posted by Maxim Weinstein Thu, 24 Jul 2008 12:52:36 GMT

Aviv Raff, a security researcher, released an advisory indicating that the iPhone is vulnerable to a URL spoofing attack.

By creating a specially crafted URL, and sending it via an email, an attacker can convince the user that the spoofed URL, shown in the mail application, is from a trusted domain (e.g. Bank, PayPal, Social Networks, etc.).

When clicking on the URL, the Safari browser will be opened. The spoofed URL, shown in the address bar of the Safari browser, will still be viewed by the victim as if it is of a trusted domain.

He reports that both version 1.1.4 (and possibly older versions) and version 2.0 of the iPhone firmware are affected.

Apple has acknowledged the vulnerability and is reportedly working on a patch. Meanwhile, be especially wary of clicking on links in iPhone Mail.

Hat tip to Ryan Naraine at the Zero Day blog.


Naraine: Apple Software Update still badware

Posted by Maxim Weinstein Tue, 24 Jun 2008 19:39:12 GMT

ZDNet blogger Ryan Naraine took us to task today for not calling Apple Software Update badware. Last month, we stopped short of labeling the application badware after Apple made changes to improve the disclosure of applications that were installed under the guise of updates:

Apple clearly responded to the concerns of the community in making these changes, and consumers will benefit. The previous version of Apple Software Update was confusing to users and had the potential to lead users to stop trusting in the update process, a process that is critical to security efforts. With this change, and hopefully additional changes as the community provides additional feedback to this latest iteration, users can feel more comfortable with what they’re agreeing to when installing updates and new software via Apple’s tool.

Naraine feels that the product’s behavior is still “deceptive and irresponsible”. He writes:

That’s 95 MBs, pre-checked by default, bundled into a security patch and ready to hose my machine.

This is clearly badware behavior and it’s shocking to me that Apple gets away with it. I understand the economics of Apple being aggressive to establish a presence on the Windows ecosystem but this is really unacceptable.

In some cases, including the behavior of Apple Software Update before the changes, an application is clearly and unambiguously badware. In others, including the present state of Apple Software Update, there’s some room for discussion. For example, we have not historically considered an option being selected by default to be a badware behavior, particularly if the disclosure about the meaning of the checkbox was clear to the user. I believe Naraine is making the argument that the meaning is not clear in the context of the Update application.

What do you think? Would you consider Apple Software Update badware? What would you change to ensure it is giving users an informed choice about which software is installed on their computers? Let us know in our discussion group.


Trojan Horses Nip at Apple Vulnerabilities

Posted by Laureli Mallek Mon, 23 Jun 2008 20:05:15 GMT

Software company Intego found this Mac Trojan masquerading as a poker game. Through clever social engineering, the Trojan acquires the user’s name, password, and IP address and transmits them to an external server:

“A corrupt preference file has been detected and must be repaired.” Entering the administrator’s password enables the program to accomplish its tasks. After gaining ssh access to a Mac, malicious users can attempt to take control of them, delete files, damage the operating system, or much more.

Computer World wrote on Friday that SecureMac reported finding another Trojan circulating in the wild. “Its researchers had found a Trojan horse, dubbed ‘AppleScript.THT,’ being distributed from a hacker-operated site where discussions of spreading the malware via iChat, Apple’s instant messaging and video chat software, were also taking place.” Updating that warning today, SecureMac shared that the source code for the Trojan has been distributed, which increases the likelihood of derivative Trojans appearing soon. They write:

“The Trojan is distributed as either a compiled AppleScript, called ASthtv05 (60 KB in size), or as an application bundle called AStht_v06 (3.1 MB in size). The user must download and open the Trojan horse in order to become infected. Once the Trojan horse is running, it will move itself into the /Library/Caches/ folder, and add itself to the System Login Items… Once installed, the Trojan horse turns on File Sharing, Web Sharing, and Remote Login. If the filename of the Trojan horse has not been changed, it can be located in the /Library/Caches folder under the name AStht_06.app.”

Sandi, blogging at Spyware Sucks, opines that Trojans like this demonstrate that social engineering transcends computer platforms. She emphasizes that sharing information about badware can help to build and reinforce a level of user awareness and suspicion about entering personal information while downloading software (and ideally when deciding to download software in the first place). Sandi also comments on complaints that these Trojans were discovered by companies developing Apple security products.

While there may be a financial benefit to those companies, the goal of the security community is to maintain computers as free of badware as possible, and sharing information about risks with professionals and users-at-large focuses attention on problems so that they can be solved or avoided as efficiently as possible.

