Don't FREAK out about the latest security warnings

FREAK is last week's worry, but installing untrusted applications is a perennial worry. It's a two-fer (or two-fear) in this column, about security issues new and old.

Super FREAKy

Apple released updates this week for a security vulnerability known as FREAK. FREAK allowed a malicious party to force a weaker encryption protocol to be used between about one-third of web servers with security credentials and many secure web clients and commonly used software libraries. That weaker protocol could be cracked cheaply and relatively quickly to reveal the contents of a session between a browser and web server. (You can read the full details about the attack in Jeremy Kirk's news report.)

Apple confirmed on March 3 that it would release updates the following week, which it did. This is better communication than usual, matching a more recent pattern. In the past, the company often remained mum about when security fixes would come, even when they were quite severe. The frankness is welcome.

The updates are for OS X 10.8 (Mountain Lion), 10.9 (Mavericks), and 10.10 (Yosemite); Xcode 2; iOS 8 (included in 8.2); and 3rd generation and later Apple TVs. This seems like a relatively small window of updates, given that the flaw is present in operating systems of all kinds dating back a decade.

But the fix is asymmetrical: the flaw can be blocked on the client side, the server side, or both. Web sites immediately began making relatively minor configuration changes that prevent the flaw from being exploited, regardless of what a connecting client tries to do. Sites that have bothered to install security certificates (or require them for their business) are likely to update their settings if they fall into the category of affected servers.

FREAK is one of a category of irritating exploits that you can do nothing about on your own, whether in response or as a preventative, to keep yourself safe. However, using the exploit would require a party with dire intent to insert themselves as a "man in the middle" (MitM). For all users, the likelihood of interception is low; for particular users, who might be targeted by enemies, criminals, or a government agency, the odds would be moderate to quite high, if this exploit were known and in use as a tool of interception or theft.
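As an added illustration (not code from the column), this is the kind of passive check a network defender could run: parse a TLS ServerHello and flag it when the negotiated cipher suite is one of the export-grade RSA suites a FREAK downgrade forces. The sample messages are constructed here, not captured traffic.

```python
"""Flag TLS ServerHello records that negotiate an export-grade (FREAK-class) RSA suite."""
import struct

# Export-grade RSA suites from the TLS cipher suite registry: the 40-bit and
# 56-bit suites that a FREAK downgrade pushes a vulnerable server to select.
RSA_EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0062: "TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA",
    0x0064: "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA",
}

def parse_server_hello(record):
    """Return the cipher suite chosen in a TLS ServerHello record; ValueError otherwise."""
    if len(record) < 9:
        raise ValueError("record too short")
    content_type, _version, rec_len = struct.unpack("!BHH", record[:5])
    if content_type != 22:            # 22 = handshake record
        raise ValueError("not a handshake record")
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        raise ValueError("truncated record")
    hs_type, hs_len = body[0], int.from_bytes(body[1:4], "big")
    if hs_type != 2:                  # 2 = ServerHello
        raise ValueError("not a ServerHello")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len or len(hello) < 35:
        raise ValueError("truncated ServerHello")
    # Layout: version(2) random(32) session_id_len(1) session_id cipher_suite(2) compression(1)
    offset = 35 + hello[34]
    if len(hello) < offset + 3:
        raise ValueError("truncated ServerHello")
    return struct.unpack("!H", hello[offset:offset + 2])[0]

def freak_downgrade(record):
    """Return the export suite name if the server picked one, else None."""
    return RSA_EXPORT_SUITES.get(parse_server_hello(record))

def make_server_hello(suite, session_id=b""):
    """Construct a minimal TLS 1.0 ServerHello record for testing (not a real capture)."""
    hello = (b"\x03\x01" + bytes(32) + bytes([len(session_id)]) + session_id
             + struct.pack("!H", suite) + b"\x00")
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake
```

A server that has removed export suites from its configuration can never produce a hit here, which is exactly the server-side reconfiguration described above.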

As it stands, those with OS X 10.7 and earlier or iOS 7 and earlier shouldn't fret. The holes have been closed so rapidly that this isn't likely to be a useful tool in the kit of those bent on interception.

Don't take any wooden apps

There's word that malicious installers for Mac software have started to crop up again. This isn't the first time this has happened, but it's often surprising to OS X users that there's any reason to worry, because Apple's generally strong approach to software installation prevents malware from gaining a grip without user intervention. But even if you wouldn't be suckered in, you might check friends' and relatives' configurations and understanding to make sure they're safe.

The installer scam involves software, often legitimate and desirable, that is wrapped in a package that makes it seem as if one needs to also install other, unrelated software. Some of it is pure malware, but all of it hijacks some aspect of your experience, such as adding browser extensions, redirecting your default search engine, or generating popups. The intent is to capture your attention to add clicks that the installation software maker is paid for or to fool you into purchases.

For purposes of software hygiene, I recommend never installing OS X software downloaded from anywhere but the Mac App Store or the developer's site, unless it's via a link provided by the developer to an alternate download. With some open-source, free, or alternate distribution model software, you may need to download elsewhere, but the project's home will almost always guide you there. (This assumes any given developer isn't unethical, which is nearly always true.)

The next level of safety is in the Security & Privacy preference pane (in Yosemite). In the General tab, the Allow Apps Downloaded From set of choices lets you determine the level of default installation risk. You can opt for Mac App Store only, the store plus Identified Developers, or Anywhere--if you dare.

For less-sophisticated Mac users you know or help with their computing needs, the Mac App Store might be the best choice. If they don't routinely or perhaps ever install third-party software or always require your or someone else's help, it's a good way to prevent a bad, accidental outcome.

The middle choice, Mac App Store plus Identified Developers, only allows the straightforward installation of software that's been signed with a digital certificate issued by Apple to a specific developer. The installer scam software may, in fact, come from parties that paid the $99-a-year fee to be part of Apple's OS X developer program and are misusing their membership or stretching it to its limits.

This is why avoiding download sites is a good strategy to begin with, rather than relying on this security setting in OS X. Apple can revoke developer certificates easily enough and push out other remedies, but it's better to not fall into a situation in which that recourse is what you rely on.

I always advise against the Anywhere setting, because then you let down your guard. With the middle setting, you can still install unsigned software. Find the application itself, right-click it, and select Open, and you're prompted to confirm that you want to launch it.

Stories by Glenn Fleishman