<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Bites of Apple &#187; Security</title>
	<atom:link href="http://www.bitesofapple.com/category/security/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.bitesofapple.com</link>
	<description>Fresh news and solutions for small business.    By Ron Seybold</description>
	<lastBuildDate>Thu, 02 Feb 2012 18:21:38 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0.5</generator>
		<item>
		<title>The Tangled Web helps secure browser-based apps</title>
		<link>http://www.bitesofapple.com/2012/01/06/the-tangled-web-helps-secure-browser-based-apps/</link>
		<comments>http://www.bitesofapple.com/2012/01/06/the-tangled-web-helps-secure-browser-based-apps/#comments</comments>
		<pubDate>Fri, 06 Jan 2012 23:15:30 +0000</pubDate>
		<dc:creator>Ron Seybold</dc:creator>
				<category><![CDATA[Reviews]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Training]]></category>
		<category><![CDATA[browser]]></category>
		<category><![CDATA[CSS]]></category>

		<guid isPermaLink="false">http://www.bitesofapple.com/?p=1204</guid>
		<description><![CDATA[Review by Steve Hardwick A recent survey by Veracode in December 2011 found that more than 80 percent of approximately 10,000 web applications examined failed security testing. This data shows that web applications provide a fertile ground for hackers to launch their malware. Obviously web developers still have some work to do to make [...]]]></description>
			<content:encoded><![CDATA[<p>Review by Steve Hardwick</p>
<div id="attachment_1205" class="wp-caption alignright" style="width: 190px"><a href="http://www.bitesofapple.com/wp-content/uploads/2012/01/TangledWeb.gif"><img class="size-full wp-image-1205 " style="margin: 10px;" title="TangledWeb" src="http://www.bitesofapple.com/wp-content/uploads/2012/01/TangledWeb.gif" alt="" width="180" height="238" /></a><p class="wp-caption-text">No Starch Press, November 2011, 320 pp., $49.95</p></div>
<p>A recent survey by Veracode in December 2011 found that more than 80 percent of approximately 10,000 web applications examined failed security testing. This data shows that web applications provide fertile ground for hackers to launch their malware. Obviously web developers still have some work to do to make their applications secure. <em>The Tangled Web</em> by Michal Zalewski is targeted toward web application developers and security professionals who have a solid understanding of the web and browser operations at an operational level. The author goes into fairly technical detail, assuming that the reader has the necessary skills to understand the technology discussed.</p>
<p>After an introductory chapter outlining some security fundamentals, the book is split into three parts. The first part covers browser and web technologies. Specific attention is paid to vulnerabilities and how they came to be part of the infrastructure. The second part covers browser security and highlights some of the ways to mitigate the inherent holes in the current technology. The final portion covers some of the new vulnerabilities that are expected to come in the near future. With a couple of exceptions, most chapters conclude with a security engineering cheat sheet. This gives a summary of the topics covered in the chapter and serves as a guide to implementing some of the technology discussed. It provides a useful quick reference to the book&#8217;s contents after the reader has completed their read-through and can be used as a design aid on future projects.</p>
<p>Part One goes into some depth on the various technologies used by browsers, both their inherent operating infrastructure and the services used over the web. Attention is paid to areas of the technology that are open to exploitation. In many cases the author outlines how some of the weaknesses came into being and provides a good view into the difficulty of building this technology. Part One is broken down into chapters that cover the different pieces of the browser function. Both internal processes (HTML and CSS parsing, for example) and external processes (HTML and URL parsing) are covered. Two chapters cover additional programming capabilities of the browser, i.e. JavaScript and plug-ins. Throughout this section many examples are given of how the vulnerabilities can be exploited. This gives the reader a better understanding of how a hacker would go about using these weaknesses. In some cases a chapter has a limited discussion of the topic due to its wide complexity. The author does include references to other works that cover the topic in greater detail and then focuses on key areas that are relevant to web security.</p>
<p><span id="more-1204"></span><span style="color: #ff0000;"><strong>The first five chapters of Part Two</strong></span> concentrate on browser security mechanisms that attempt to prevent rogue content from interfering with valid, legitimate content displayed within the browser. These chapters cover how content isolation is maintained within the operation of the browser. The concepts discussed in Part One are used to show how the browser security achieves this. Content from user input and downloaded data are included in this review. Furthermore, the impact of scripting and plug-in functionality is discussed in depth to allow the reader to understand how this can impact the overall security of a web application. There are many references to works where researchers have shown examples of exploits based on the vulnerabilities in the browser and associated functions. The latter two chapters in this section cover dealing with rogue scripts and extrinsic site privileges. In general, Part Two provides a comprehensive overview of many security flaws in the browser. There are comparisons between the major browsers and how their operation differs with respect to the exploits. There are also recommendations on how to understand and overcome them.</p>
<p>Part Three looks at some of the changes that may come to fruition in the future. The first chapter covers new and upcoming security standards. They are intended to mitigate some of the problems that plague browsers today. These include cross-domain requests (including a discussion of Cross-Origin Resource Sharing, CORS), Content Security Policy (CSP), sandboxed frames, strict transport security, private browsing modes, in-browser HTML sanitizers and XSS filtering. In each case a summary of the goal of the security measure and its current status is given. The second chapter covers new browser developments and how they may impact security. Several new or planned API sets are examined for their intent and current implementation. The final chapter is a synopsis of common web vulnerabilities and how they are defined. Common, simple definitions are used for the various vulnerabilities – e.g. Cross Site Scripting (XSS). For each there is a short description with a reference to the details section of the book.</p>
<p>There is a pivotal statement in Chapter 16: “the dream of inventing a brand-new browser security model is strong within the community, but it is always followed by the realization that it would require rebuilding the entire Web.” This book walks the reader through the inner workings of popular browsers with a focus on showing the weaknesses that are embedded in their very construction. The author does take time to explain how these came about and the attempts to fix them. In Part Two he also gives examples of how to develop web applications so you can navigate around these deficiencies. The security engineering cheat sheets give an easy way to develop a strategy to apply basic security concepts to web application development. The book provides an invaluable reference for anyone working with, testing or deploying web applications.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.bitesofapple.com/2012/01/06/the-tangled-web-helps-secure-browser-based-apps/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Macworld 2011 aisles brim with business opportunity</title>
		<link>http://www.bitesofapple.com/2011/01/31/macworld-2011-aisles-brim-with-business-opportunity/</link>
		<comments>http://www.bitesofapple.com/2011/01/31/macworld-2011-aisles-brim-with-business-opportunity/#comments</comments>
		<pubDate>Tue, 01 Feb 2011 00:50:11 +0000</pubDate>
		<dc:creator>Ron Seybold</dc:creator>
				<category><![CDATA[Apple & Its Stores]]></category>
		<category><![CDATA[MacWorld]]></category>
		<category><![CDATA[Mobile: iPad, iPhone & Touch]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.bitesofapple.com/?p=939</guid>
		<description><![CDATA[Customers, vendors, users and hawkers are putting their cards, demos, data sheets and gimcrack giveaways in order this week after four days of Macworld 2011. Attendance was up 10 percent, we&#8217;re told, and the number of exhibitors is on the rise, too. Although the number of vendors selling solutions, apps and hardware is below the [...]]]></description>
			<content:encoded><![CDATA[<p>Customers, vendors, users and hawkers are putting their cards, demos, data sheets and gimcrack giveaways in order this week after four days of Macworld 2011. Attendance was up 10 percent, we&#8217;re told, and the number of exhibitors is on the rise, too.</p>
<p>Although the number of vendors selling solutions, apps and hardware is below the gaudy days when this show spanned both North and South Moscone halls, plus Moscone West for sessions, a rough survey of the 2011 show revealed a bigger share of business-ready help: in apps, in hardware, in Mac software and in advice. Macworld 2009, Apple&#8217;s last, had more of everything <em>except</em> business: especially iPhone cases and iPod accessories. Those were still on display last week, along with a wave of iPad holders.</p>
<p>But 2011 was the year when Apple business users could find a Macworld supplier a-selling with no effort at all.</p>
<p>Two years ago, the Enterprise Software Alliance was about the only booth where Windows-friendly Mac software for business was showcased. This year a veteran firm from the Windows virus battlefields, ESET, was selling antivirus and giving away security training. The company said it has muscled antivirus maker Intego out of Apple&#8217;s retail store slots with NOD Antivirus 4. It&#8217;s called the Business Edition of antivirus for <em>endpoints</em> &#8212; what you&#8217;d call Macs, but now ESET uses the enterprise-savvy terminology, and perhaps technology, too.</p>
<p><span id="more-939"></span>The tone of the conference has rolled away from Mac-centric and barreled on to mobile, since those iPhones and iPads have led the charge into businesses for Apple. This year there was an Indie section for Mac software and solution companies, smaller spaces with smaller firms doing novel things. One of the most clever, Dolly Drive, makes Time Machine a more flexible and stronger backup solution for Macs, by adding off-site storage (disks in the vendor&#8217;s cloud) plus the ability to create a bootable backup drive when crashes take out a disk. Dolly Drive gives a business user better control over what Time Machine backs up, too, and it sends only changes to files instead of 52 full copies of your Quickbooks file per year.</p>
<p>Backup, security: these are the things that keep computers working for your company so you can focus on your business, not the computers. Schlage showed off a remote lock and lighting control system to secure buildings, including your home office, using an iPad or iPhone as your controller. Schlage includes security camera options, but another security system supplier also delivered video straight to Macs.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.bitesofapple.com/2011/01/31/macworld-2011-aisles-brim-with-business-opportunity/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Mac gains patron Saint for security scans</title>
		<link>http://www.bitesofapple.com/2011/01/13/mac-gains-patron-saint-for-security-scans/</link>
		<comments>http://www.bitesofapple.com/2011/01/13/mac-gains-patron-saint-for-security-scans/#comments</comments>
		<pubDate>Thu, 13 Jan 2011 05:50:08 +0000</pubDate>
		<dc:creator>Ron Seybold</dc:creator>
				<category><![CDATA[Enterprise computing]]></category>
		<category><![CDATA[Managing]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.bitesofapple.com/?p=891</guid>
		<description><![CDATA[The Mac has gained its first integrated security assessment tool for vulnerability scanning, penetration testing, and security checklist compliance. Saint Corp. has released SAINT Professional version 7.6, the company&#8217;s first to include a native Mac OS X installer. Company officials said this edition includes the full functionality of the SAINTscanner, SAINTexploit, and SAINTwriter as one [...]]]></description>
			<content:encoded><![CDATA[<p>The Mac has gained its first integrated security assessment tool for vulnerability scanning, penetration testing, and security checklist compliance. Saint Corp. has released SAINT Professional version 7.6, the company&#8217;s first to include a native Mac OS X installer. Company officials said this edition includes the full functionality of the SAINTscanner, SAINTexploit, and SAINTwriter as one integrated user interface for administration.</p>
<p>&#8220;SAINT Corporation is very proud to provide Apple support to the growing community of security and compliance professionals using the Mac,&#8221; said Billy Austin, SAINT&#8217;s Chief Security Officer. Security pros, or businesses which need security tools, can now take full advantage of SAINT&#8217;s compliance checklists including templates for the following:</p>
<ul>
<li>Payment Card Industry (PCI)</li>
<li>FISMA</li>
<li>HIPAA</li>
<li>USGCB</li>
<li>FDCC</li>
</ul>
<p>In addition to the native Apple installer as a .DMG file, the 7.6 product release features penetration testing coverage for Cisco network devices, SAP, and a new web application exploit for SQL Authentication bypass. <span id="more-891"></span>The social engineering e-mail forgery template was enhanced to automatically determine the mail server of the targeted e-mail address. New vulnerability scanning features also now include authentication support for SSH public keys and SMB signing. A non-Windows Admin authentication field was added to identify what shares are open to a user or user group versus a domain admin account that can see everything.</p>
<p>SAINT customers now have the option of Apple&#8217;s Mac OS X platform in addition to SAINT&#8217;s other supported platforms, which include:</p>
<ul>
<li>SaaS cloud models</li>
<li>Pre-configured appliances</li>
<li>Linux/Unix</li>
<li>Mac OS X</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://www.bitesofapple.com/2011/01/13/mac-gains-patron-saint-for-security-scans/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Taking enterprise security mobile, Absolutely</title>
		<link>http://www.bitesofapple.com/2010/07/01/taking-enterprise-security-mobile-absolutely/</link>
		<comments>http://www.bitesofapple.com/2010/07/01/taking-enterprise-security-mobile-absolutely/#comments</comments>
		<pubDate>Thu, 01 Jul 2010 23:41:00 +0000</pubDate>
		<dc:creator>Ron Seybold</dc:creator>
				<category><![CDATA[Enterprise computing]]></category>
		<category><![CDATA[Managing]]></category>
		<category><![CDATA[Mobile: iPad, iPhone & Touch]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.bitesofapple.com/?p=712</guid>
		<description><![CDATA[Absolute Software has announced that it will provide what it calls &#8220;enterprise-caliber&#8221; management software for the new iOS 4 Apple devices such as the iPhone. The company, which sells a solution for business computer asset management called Absolute Manage, will move core components of that software to the new Apple mobile OS. Although the iPhone [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.absolute.com" target="_blank">Absolute Software</a> has announced that it will provide what it calls &#8220;enterprise-caliber&#8221; management software for the new iOS 4 Apple devices such as the iPhone. The company, which sells a solution for business computer asset management called Absolute Manage, will move core components of that software to the new Apple mobile OS.</p>
<p>Although the iPhone was roundly hooted at when Apple introduced its first enterprise features &#8212; such as the ability to handle Microsoft Exchange mail on the iPhone&#8217;s Mail client &#8212; the phones have become a staple of business users around the world. IT managers have learned they can&#8217;t keep iPhones out of company networks, so they&#8217;re resigned to admitting them and are now employing them as IT tools.</p>
<p>Absolute Manage has a single feature that can sell it to any company using Apple&#8217;s mobile products. An administrator can wipe a computer or phone&#8217;s data off the device if it&#8217;s been stolen or lost. iOS 4 devices (which could be any 4G or 3GS phone) can also be locked with a remote command in an emergency, or have their passcode cleared for data protection.<span id="more-712"></span></p>
<p><strong>These iOS 4 devices</strong> can also be used, with the Absolute Manage software, by IT managers to</p>
<ul>
<li>Manage user profiles</li>
<li>Manage provisioning profiles</li>
<li>Inventory installed third-party applications (custom developed, or from the AppStore)</li>
<li>Gather device lifecycle management information from the devices</li>
</ul>
<p>&#8220;We are extending our long-standing focus on lifecycle management for Apple products to include robust management for iPhone,&#8221; said the company&#8217;s CEO John Livingston. &#8220;With our forthcoming solution, IT will be able to address brand-new challenges such as managing in-house applications and managing iOS device configuration.&#8221;</p>
<p>The Absolute product suite goes beyond the management of Apple&#8217;s desktop and mobile products; companies can also use the software to manage PC Windows devices. Absolute said the iOS 4 support is scheduled to arrive in Q3 of 2010.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.bitesofapple.com/2010/07/01/taking-enterprise-security-mobile-absolutely/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Securing Apple&#8217;s products: phone, desktop, tablet</title>
		<link>http://www.bitesofapple.com/2010/06/30/securing-apples-products-phone-desktop-tablet/</link>
		<comments>http://www.bitesofapple.com/2010/06/30/securing-apples-products-phone-desktop-tablet/#comments</comments>
		<pubDate>Thu, 01 Jul 2010 00:37:46 +0000</pubDate>
		<dc:creator>Ron Seybold</dc:creator>
				<category><![CDATA[Managing]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[iPad]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[snow leopard]]></category>

		<guid isPermaLink="false">http://www.bitesofapple.com/?p=707</guid>
		<description><![CDATA[Apple has pushed out an update to the Snow Leopard version of the OS that adds new security guards against malware. It&#8217;s the first release in 10 months that improves this sort of hacker barrier. If only the new iPad could be so lucky to be so well protected. We&#8217;ve been using the tablet since [...]]]></description>
			<content:encoded><![CDATA[<p>Apple has pushed out an update to the Snow Leopard version of the OS that adds new security guards against malware. It&#8217;s the first release in 10 months that improves this sort of hacker barrier.</p>
<p>If only the new iPad could be so lucky to be so well protected. We&#8217;ve been using the tablet since its release, but nary an update is to be downloaded to advance the device&#8217;s security.</p>
<p>The 10.6.4 version of Snow Leopard, which is a 17-minute download on a middle-fast DSL line, introduces new protection to prevent back door attacks on Macs through the iPhoto software that ships with every system. A new feature called XProtect gets an update that keeps hackers from installing malware by fooling users into thinking iPhoto is at work, when damage is being done.</p>
<p>An update of a Mac&#8217;s operating system for security reasons &#8212; that&#8217;s a good idea. But Apple doesn&#8217;t have a practice of identifying security holes it patches with a new release. And sometimes a new OS version will make software stop running on a Mac. This is why backups are a vital complement to any security updating.</p>
<p><span id="more-707"></span><strong>Apple has brought out four updates</strong> to the Snow Leopard version of its OS now, updates that cover just a nine-month period. Not every one had a security benefit. But the state of security is so tenuous now that your Adobe PDF software, browser, and OS should be considered at risk if you haven&#8217;t seen an update in 90 days.</p>
<p>Browsers and Adobe software are the chief targets for hackers, since they cover so many more victims than just Apple&#8217;s products. More than 360 million people are using Firefox as a browser, for example, on both PCs and Macs. Adobe&#8217;s Flash and Acrobat readers run on hundreds of millions of systems. Adobe just introduced a 9.3.3 version of Acrobat to improve security.</p>
<p>As diligent as Apple and Adobe might be (some say Apple&#8217;s sluggish at best about security plugs), the vendors can&#8217;t do a thing to help secure your business if you don&#8217;t install updates. The rule of thumb was once &#8220;don&#8217;t install if you don&#8217;t need&#8221; an update. But security issues are much more serious by now. You can balance the time spent downloading and upgrading, the checks of your applications afterward, against the dangers of running an unprotected system.</p>
<p>About 30 minutes of downloading and watching mysterious messages &#8212; things like &#8220;optimizing&#8221; or &#8220;unpacking packages&#8221; or &#8220;moving items into place&#8221; or &#8220;registering components&#8221; &#8212; plus a reboot, and my iMac was running 10.6.4. I did the usual first step after an upgrade &#8212; started all the apps that matter to my workplace.</p>
<p>The Apple apps don&#8217;t need checking &#8212; Apple&#8217;s done that in its own labs. But the likes of Adobe CS apps, QuickBooks 2010, Microsoft Office apps and even reliables like Eudora, an antique mail program, do. 10.6.4 updates Apple&#8217;s Mail, as it turns out &#8212; so my add-on Mail Tags software needs to be updated.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.bitesofapple.com/2010/06/30/securing-apples-products-phone-desktop-tablet/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>What&#8217;s your browser, and is it as shiny as Chrome?</title>
		<link>http://www.bitesofapple.com/2010/05/28/whats-your-browser-and-is-it-as-shiny-as-chrome/</link>
		<comments>http://www.bitesofapple.com/2010/05/28/whats-your-browser-and-is-it-as-shiny-as-chrome/#comments</comments>
		<pubDate>Fri, 28 May 2010 20:14:33 +0000</pubDate>
		<dc:creator>Ron Seybold</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Web Resources]]></category>
		<category><![CDATA[browser]]></category>
		<category><![CDATA[Web]]></category>

		<guid isPermaLink="false">http://www.bitesofapple.com/?p=317</guid>
		<description><![CDATA[In its public beta version, Chrome was just an experimental browser, at first without even bookmark management. In spite of Infoworld declaring &#8220;Firefox is dead&#8221; this year, at least that browser for the Mac is years beyond experimental status. But as of this week, Chrome for the Mac is out of beta test and into [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.bitesofapple.com/wp-content/uploads/2010/05/ChromeIcon.jpg"><img class="alignleft size-full wp-image-687" title="ChromeIcon" src="http://www.bitesofapple.com/wp-content/uploads/2010/05/ChromeIcon.jpg" alt="Chrome Icon" width="145" height="120" /></a>In its public beta version, Chrome was just an experimental browser, at first without even bookmark management. In spite of <em>Infoworld</em> declaring &#8220;Firefox is dead&#8221; this year, at least that browser for the Mac is years beyond experimental status. But as of this week, Chrome for the Mac is out of beta test and into <a href="http://www.google.com/chrome?platform=mac" target="_blank">a full release,</a> the first of many. It&#8217;s promised to be fast, open and secure. A business user might consider Chrome as their window to the Web.</p>
<p>Picking a browser is like choosing a home repair store. You develop a habit of using one and stop thinking about the alternatives. Chrome is definitely a faster browser than Firefox in our use, delivering a payoff in the &#8220;time is money&#8221; formula. If you browse a lot, Chrome could be an upgrade. (Safari&#8217;s performance is much closer to Chrome&#8217;s.)</p>
<p>But Chrome&#8217;s got some steps to catch up in other areas. In the Mac version we downloaded this week, some Web sites aren&#8217;t working completely. Our TypePad account editor (where we publish the <em>3000 NewsWire</em> blog) won&#8217;t let us resize graphics for posts in Chrome. The editing features at the Constant Contact email site won&#8217;t perform with Chrome for the Mac, either.</p>
<p>This puts Chrome in a category with the iPad: very fast and slick for consumption of information. Not so good for creating messages and more. As for the death of Firefox, that obituary shouldn&#8217;t be written yet. 350 million users won&#8217;t expire overnight.<span id="more-317"></span></p>
<p><strong>The Firefox obit</strong> is based on the browser&#8217;s development resources, according to Infoworld&#8217;s writers. Firefox has said it will be releasing fewer interim security fixes in the future. Infoworld predicts that Chrome users will see more fix releases since it&#8217;s more open.</p>
<p>Security is important, even crucial to some kinds of business. And attacks through your browser are becoming commonplace now. But Chrome has no more defenses for scripting attacks than Firefox today. These are the hardest to engineer against. I wouldn&#8217;t hold the Firefox security against it at the moment.</p>
<div id="attachment_689" class="wp-caption alignleft" style="width: 310px"><a href="http://www.bitesofapple.com/wp-content/uploads/2010/05/StartPage.jpg"><img class="size-medium wp-image-689" title="StartPage" src="http://www.bitesofapple.com/wp-content/uploads/2010/05/StartPage-300x194.jpg" alt="" width="300" height="194" /></a><p class="wp-caption-text">Incredible Start Page</p></div>
<p>Chrome&#8217;s got a wide array of extensions available. One of the more interesting is the <a href="https://chrome.google.com/extensions/detail/ncdfeghkpohnalmpblddmnppfooljekh?hl=en-US">Incredible Start Page</a>, billed as &#8220;A new, customizable start page for Chrome. Easily find your favorite bookmarks and closed tabs. Take notes as you browse.&#8221; This is the sort of customization that Firefox won&#8217;t have, it appears. Whether you find everything that you&#8217;re already using in Firefox, or your extensions for Safari, remains as an exercise. We&#8217;ve gotten the Xmarks bookmark synchronizer installed on Chrome &#8212; a good first step in making a browser transition.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.bitesofapple.com/2010/05/28/whats-your-browser-and-is-it-as-shiny-as-chrome/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Plodding shots bolster new VirusBarrier X6</title>
		<link>http://www.bitesofapple.com/2010/03/08/plodding-shots-bolster-new-virusbarrier-x6/</link>
		<comments>http://www.bitesofapple.com/2010/03/08/plodding-shots-bolster-new-virusbarrier-x6/#comments</comments>
		<pubDate>Tue, 09 Mar 2010 00:11:24 +0000</pubDate>
		<dc:creator>Ron Seybold</dc:creator>
				<category><![CDATA[Reviews]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[firewall]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[virus]]></category>

		<guid isPermaLink="false">http://www.bitesofapple.com/?p=466</guid>
		<description><![CDATA[You want your Mac security tools to behave like Columbo, or Inspector Plodder from the play Sleuth. Not the fastest of detectives, but one that will not miss a detail. So it goes with the newest VirusBarrier X6 anti-virus and firewall product from Intego. You can set it and go, but you might as well [...]]]></description>
			<content:encoded><![CDATA[<div id="attachment_469" class="wp-caption alignleft" style="width: 310px"><a href="http://www.bitesofapple.com/wp-content/uploads/2010/03/VB-X6-Overview.jpg"><img class="size-medium wp-image-469 " title="VB X6 Overview" src="http://www.bitesofapple.com/wp-content/uploads/2010/03/VB-X6-Overview-300x215.jpg" alt="" width="300" height="215" /></a><p class="wp-caption-text">Halfway into a million-file scan, it&#39;s another two-plus hours to a clean bill of health</p></div>
<p>You want your Mac security tools to behave like Columbo, or Inspector Plodder from the play <em>Sleuth</em>. Not the fastest of detectives, but one that will not miss a detail. So it goes with the newest <a href="http://blog.intego.com/2010/01/15/virusbarrier-x6-the-lowest-priced-mac-antivirus/" target="_blank">VirusBarrier X6</a> anti-virus and firewall product from Intego. You can set it and go, but you might as well go far away at first. Its initial inspections will take a while.</p>
<p>On our 2.83 GHz iMac with 4GB of memory, that was more than four hours to do a full scan of our 150 GB of occupied hard disk. Full scan is a choice that the VirusBarrier setup prods you toward once you complete the easy install. Too bad that it&#8217;s so easy to send the tool into such thorough paces. VB X6 skips over the &#8220;check my malware file for updates&#8221; stop, so you notice that your file is &#8220;35 days out of date&#8221; amid a lengthy scan. We&#8217;d lead a user into NetUpdate, the VB checker for updated files, before starting a scan. This is also an &#8220;install and force a restart&#8221; program, not among our favorites.</p>
<p>A complete scan can be a once-in-a-great-while event, however. VB X6 has got one-off scan options for fresh files, or scan the folder, or whatever you want to drag onto its nifty interface. The inspector is thorough enough to try to catch malicious scripts, the latest ploy in penetrating your Mac&#8217;s defenses. We were glad to see attention paid to a very long list of intrusion techniques like this. Drive-by attacks come out of scripts. You have to hope the malware file gets freshened up plenty to believe VB gets the job done. There&#8217;s good reason to believe it&#8217;s about 30 days or so between updates.<span id="more-466"></span></p>
<p><strong>That&#8217;s because we&#8217;ve used</strong> the Intego products here since their V4 releases and watched NetUpdate finding fresh files at Intego HQ. VB X6 is one of those anti-virus products that arrives with 12 months of update subscriptions and collects a fresh $29.95 for the year that follows your first. By the time you&#8217;ve owned VB X6 for three years, you&#8217;ve bought the product twice. Of course, by 2013 there will be an X7, and you&#8217;ll have that year&#8217;s malware files included, if you buy it. (To recap: about $40 a year in cost of ownership, counting the updates, for Intego&#8217;s two-computer license.)</p>
<p>The genuine novelty of VirusBarrier comes from its extended controls over the Mac&#8217;s firewall. This was once called NetBarrier, just months ago, but now it&#8217;s included in the VB X6 package and called Network Protection. Intego used to charge $49.95 for NetBarrier all by itself. We know, because we bought it in December. By February Network Protection was included. While the upgrade to the X6 remains free until April for users who purchased late last year, if we&#8217;d waited two more months it would have been free and included.</p>
<p>We were not amused to learn that our X5 products that we&#8217;d bought in December got auto-updated to X6 during the install. If X6 had been a bust, we&#8217;d be reloading the older versions from a backup. How much nicer to leave an installed program alone and just load up a newer version.</p>
<p>The challenge in making firewall extenders like VB&#8217;s useful: You need to know your usual suspects when it comes to invasions of your Mac&#8217;s network. Intego does a much better job of explaining who to question than in previous releases in its online documentation. (Um, there are no docs if you can&#8217;t get online, like when you suspect an intrusion and want to pull your Web plug while you try to brace up your doors to the outside world.) The logs fill up with messages if you want to watch over Inspector Plodder&#8217;s shoulder and suggest a new line of questioning. Deciphering them is beyond the average user&#8217;s ken, but we&#8217;ve got security whiz Steve Hardwick to do our decoding. You may not be so lucky.</p>
<div id="attachment_473" class="wp-caption alignleft" style="width: 310px"><a href="http://www.bitesofapple.com/wp-content/uploads/2010/03/Net-Monitor.jpg"><img class="size-medium wp-image-473" title="Net Monitor" src="http://www.bitesofapple.com/wp-content/uploads/2010/03/Net-Monitor-300x216.jpg" alt="" width="300" height="216" /></a><p class="wp-caption-text">This simple animation of your firewall&#39;s settings is the most likely view that business users will take of VB&#39;s Network Protection</p></div>
<p>Of course, these worrisome cases of attack are the best reason to invest in a thorough and plodding tool for protection. A MacScan study of our full system was complete in less than half the time, so we&#8217;re puzzled about whether VB X6 is more thorough or just eager to look at every single file. It was a puzzle how to tell VB not to examine those packed up download files the Mac expands to install software, or skip the acres of system preferences and files that only Apple installs on your system. You can shorten the time VB spends with all of these, but not eliminate them.</p>
<p>That&#8217;s symptomatic of the program&#8217;s downside &#8212; the need to tinker with its settings to tune up security. You can accept the defaults to get going, and tell VB to do a complete scan regular-like via a calendar. But you&#8217;d want to do this overnights. A good alternative is to rely on the &#8220;Real-Time Scan&#8221; feature, since it chews on about 10 percent of your Mac&#8217;s power all the time anyway. Anti-virus tools become a bog sometimes, the tar pit that your Mac tries to climb above while it stays safe &#8212; something like body armor you can&#8217;t sprint in while you wear it around.</p>
<p>The Web has become a combat zone, a place where a business can see hours killed off after a virus infection or a network home invasion. Nothing&#8217;s perfect, but it looks like if you want a beefy utility belt of security tools, and have the patience, budget and know-how to use them, VirusBarrier X6 will track down files with a criminal intent, and bar the door to unwelcome users.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.bitesofapple.com/2010/03/08/plodding-shots-bolster-new-virusbarrier-x6/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Secure the Mac, jillions of files at a time</title>
		<link>http://www.bitesofapple.com/2010/03/04/secure-the-mac-jillions-of-files-at-a-time/</link>
		<comments>http://www.bitesofapple.com/2010/03/04/secure-the-mac-jillions-of-files-at-a-time/#comments</comments>
		<pubDate>Fri, 05 Mar 2010 01:24:41 +0000</pubDate>
		<dc:creator>Ron Seybold</dc:creator>
				<category><![CDATA[MacWorld]]></category>
		<category><![CDATA[Managing]]></category>
		<category><![CDATA[Reviews]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[anti-virus]]></category>
		<category><![CDATA[firewall]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[spyware]]></category>

		<guid isPermaLink="false">http://www.bitesofapple.com/?p=447</guid>
		<description><![CDATA[It&#8217;s not tough to make a case today for better Mac security than what Apple delivers out of the box. Even though your business systems ship with a first-level firewall, they don&#8217;t arrive with any anti-virus software. Apple insists in clever ads that Mac security is not the problem that users find on PCs. That [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.bitesofapple.com/wp-content/uploads/2010/03/MacScanLogo.jpg"><img class="alignleft size-full wp-image-455" title="MacScanLogo" src="http://www.bitesofapple.com/wp-content/uploads/2010/03/MacScanLogo.jpg" alt="" width="130" height="141" /></a>It&#8217;s not tough to make a case today for better Mac security than what Apple delivers out of the box. Even though your business systems ship with a first-level firewall, they don&#8217;t arrive with any anti-virus software. Apple insists in clever ads that Mac security is not the problem that users find on PCs. That is true, but not because of the Mac&#8217;s superior designs. Unix, deep inside the system&#8217;s heart, is just as vulnerable as Windows. (Some say even more so; Unix security patches from HP for its business servers are a regular delivery.)</p>
<p>The Mac enjoys an easier time in security because Apple&#8217;s product is a less juicy target. Malware and viruses are designed to make money for criminals, and the number of PCs out there running bareback is 10 times the number of Macs. Security by obscurity only works until it doesn&#8217;t. It&#8217;s just a matter of time, sad to say, before the criminals fan out and try to rob your system of power or privacy or both.</p>
<p>Anti-virus software (AV) is not just the paranoid geek&#8217;s tool anymore. The last virus we detected came off a Web page, and we last had data corrupted in 1997. But things have changed since Apple moved to Unix underneath its OS. Oh, and there&#8217;s that thing called the Internet, plus the Flash videos you may use to gather research (like from the Wall Street Journal&#8217;s site, now that they&#8217;re owned by Fox.) Flash, and Adobe&#8217;s Acrobat PDF files, are a big target for malware today.</p>
<p>You have more than one choice for a commercial AV tool for your systems (that wasn&#8217;t the case in &#8217;97). What you buy probably should provide both firewall and virus protection. Two leading companies offer very different value propositions in their AV software. MacScan commits to a fixed price, while another supplier uses a subscription fee+purchase price model.<span id="more-447"></span></p>
<p><strong>Today we look at <a href="http://macscan.securemac.com/about/" target="_blank">MacScan</a></strong>, software built by a company that started tracking viruses in 2002 on the Mac. For five years MacScan didn&#8217;t even sell software; it simply created the definition files and patrolled the Web for criminal weapons. Since &#8217;07 they&#8217;ve sold MacScan, which despite claims from its competitor Intego, still looks like a worthy value for AV.</p>
<p>Intego, whose products we&#8217;ve run at Bites HQ for more than three years, now sells a $49.95 X6 edition of VirusBarrier that protects two Macs. The MacScan 2.7 software protects three systems for the same price. (There&#8217;s also a 1-Mac license for MacScan for $29.95; Intego sells only its 2-Mac license.) Figuring the relative value requires you to consider the protection scope of such products. MacScan&#8217;s product manager told us at Macworld that the company ships along regular updates of the virus profiles, at no extra charge.</p>
<p>MacScan makes a significant point of examining Web cookies, a source of malware targets, in its regular process. A half-full iMac in our offices took more than an hour to probe with MacScan, but the AV software found nine tracking cookies in the first minute. And no viruses or other spyware. We got an option to disable these ad cookies after MacScan caught them.</p>
<p>A tracking cookie is not something you allow easily into your Mac. While you might not want to erase all of them, these are used by advertisers on Web sites to track your Internet use: where you browse, how you jump from links, even the information you enter into forms online. A fine article on the World Privacy Forum&#8217;s Web site explains that &#8220;allowing the tracking types of cookies to follow you around as you surf the Web is a lot like building a see-through house to live in, click by click.&#8221;</p>
<p>MacScan doesn&#8217;t reach any deeper into the malware world, though. It&#8217;s good at finding troublesome files on the system, but it won&#8217;t do a thing to block access to your computer. Apple&#8217;s firewall is the default for the MacScan user. While that&#8217;s better security than none, it might not be enough to keep prying spooks from hijacking your bandwidth.</p>
<p>Doing one thing well, and affordably, is noble and true to the Macintosh Way. We like to see more of what back doors might be open on our Macs, however. The extra features of firewall improvement are included with the new VirusBarrier X6. But they&#8217;re not easy to use, or so valuable that Intego could keep selling this super firewall that it once called NetBarrier as a standalone product. That&#8217;s for Monday, though.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.bitesofapple.com/2010/03/04/secure-the-mac-jillions-of-files-at-a-time/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Secure the Microsoft Office</title>
		<link>http://www.bitesofapple.com/2010/02/16/secure-the-microsoft-office/</link>
		<comments>http://www.bitesofapple.com/2010/02/16/secure-the-microsoft-office/#comments</comments>
		<pubDate>Tue, 16 Feb 2010 19:52:57 +0000</pubDate>
		<dc:creator>Ron Seybold</dc:creator>
				<category><![CDATA[MacWorld]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[e-mail]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Office]]></category>

		<guid isPermaLink="false">http://www.bitesofapple.com/?p=408</guid>
		<description><![CDATA[Microsoft has released the 11.5.7 update to its Office suite, aimed at the users of Office 2004. You should download this update to protect your Mac from being hacked by compromised Word, Excel or PowerPoint files. Even the Mac has security flaws, but more common are the hacker entry points through things like Office or [...]]]></description>
			<content:encoded><![CDATA[<div id="attachment_409" class="wp-caption alignleft" style="width: 235px"><a href="http://www.bitesofapple.com/wp-content/uploads/2010/02/ExcelCloseup.jpg"><img class="size-medium wp-image-409" title="ExcelCloseup" src="http://www.bitesofapple.com/wp-content/uploads/2010/02/ExcelCloseup-225x300.jpg" alt="" width="225" height="300" /></a><p class="wp-caption-text">Excel poses for its close-up at Macworld</p></div>
<p>Microsoft has released the 11.5.7 update to its Office suite, aimed at the users of Office 2004. You should <a href="http://support.microsoft.com/kb/979674" target="_blank">download this update</a> to protect your Mac from being hacked by compromised Word, Excel or PowerPoint files. Even the Mac has security flaws, but more common are the hacker entry points through things like Office or Adobe&#8217;s Flash. (If you aren&#8217;t up to date on the Microsoft security releases, 11.5.7 won&#8217;t load up. You can check your status in the Updater Logs folder inside your Microsoft Office 2004 folder. Microsoft also has prior updates available for download, to catch you up.)</p>
<p>Microsoft was one of the few big-name vendors at this year&#8217;s Macworld Expo, but it didn&#8217;t have new software to roll out this month in conjunction with its show appearance. The Redmond Giant was talking up the forthcoming release of <a href="http://www.microsoft.com/presspass/press/2009/aug09/08-13MacOutlookPR.mspx" target="_blank">Microsoft Outlook for the Mac</a>. (Talking only, since no demos were presented at the Microsoft booth.) Outlook will be a replacement for Entourage, which still has advocates within the Mac expert community. One advantage of Entourage, noted in a Macworld panel, is its smooth interface with Microsoft Exchange servers, operated at countless companies who handle their own e-mail. Outlook will be inside the Office 2011 suite, and it&#8217;s not yet clear if it will be sold standalone. Entourage never was.<span id="more-408"></span></p>
<p><strong>Those differences between</strong> Entourage and Outlook might have protected the Mac from some Microsoft-based exploits, however. Outlook has such a weak security reputation that it&#8217;s called Lookout by the PC community &#8212; at least those who&#8217;ve been infected by a mail message that wormed its way into the Windows environment on office PCs. Microsoft has closed these holes repeatedly on the PCs, but the tight link between Explorer and Windows remains a point of attack. No such link exists on the Macs.</p>
<p>It appears that Apple isn&#8217;t the only vendor who&#8217;s chosen an ill-advised name for a recent product though. (iPad will need some extra oomph to sell.) Microsoft will call its new generation of mail program Outlook, &#8220;which you&#8217;d think was one of the more bankrupt names&#8221; in the computer world, according to one panelist on the e-mail client showdown session at Macworld 2010. It&#8217;s important to Mac-PC offices that the two products exchange messages easily, to enable switchers as well as interoffice mail using the .PST message format.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.bitesofapple.com/2010/02/16/secure-the-microsoft-office/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>What&#8217;s a Web drive-by attack?</title>
		<link>http://www.bitesofapple.com/2010/01/25/whats-a-web-drive-by-attack/</link>
		<comments>http://www.bitesofapple.com/2010/01/25/whats-a-web-drive-by-attack/#comments</comments>
		<pubDate>Mon, 25 Jan 2010 17:10:38 +0000</pubDate>
		<dc:creator>Ron Seybold</dc:creator>
				<category><![CDATA[Managing]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[virus]]></category>

		<guid isPermaLink="false">http://www.bitesofapple.com/?p=322</guid>
		<description><![CDATA[Editor&#8217;s Note: Our certified security expert Steve Hardwick reported on an insidious style of hacker attack, one that can infect Macs as well as the Windows world where he works every day. Here at Bites HQ we use the Intego Software suite (NetBarrier and VirusBarrier) for anti-virus protection. Intego just rolled out X6 versions to protect [...]]]></description>
			<content:encoded><![CDATA[<p><em>Editor&#8217;s Note: Our certified security expert Steve Hardwick reported on an insidious style of hacker attack, one that can infect Macs as well as the Windows world where he works every day. Here at Bites HQ we use the Intego Software suite (NetBarrier and VirusBarrier) for anti-virus protection. Intego just rolled out X6 versions to protect against newer-style attacks. We&#8217;ll see once we complete our testing what&#8217;s been added.</em></p>
<p><em> Meantime, be careful where you browse in the course of your business. Steve got attacked while shopping for business travel at Expedia. You should always look extra closely at any dialog box on the Mac that advises you to update for security reasons. Apple&#8217;s software will never use this language, just advise you of an available software update.</em></p>
<p><em><span style="font-style: normal;">By Steve Hardwick, CCISP<br />
</span></em></p>
<p><em><span style="font-style: normal;">Should you be worried about a Web drive-by attack? First off, what is it?</span></em></p>
<p>Most Internet users are not familiar with the concept of a Web drive-by attack. The one I recently encountered was scary because of its simplicity and how it preys on security fears. It also underlines how easy it is to create attacks that are targeted to specific operating systems. Mine took place in Windows, but it would be easy enough to target the Mac OS, too.</p>
<p>To be able to infect a computer in a drive-by, the hacker has to trick the end user into loading a piece of malicious code. In the past this was done using e-mail attachments and other applications that were used for file transfer. However, there is a growing threat where your Web browser (Firefox, Safari) is used to trick you into downloading and running the virus code. Here is a walkthrough on what I recently encountered as it gives a good understanding of this type of attack. (For anyone who wants a much more in-depth explanation, <a href="http://www.viruslist.com/en/analysis?pubid=204792056#4" target="_blank">Virus List</a> is a great site to visit.)</p>
<p>I was going to various sites, trusted sites that I have used in the past without any problems. As I arrived at Expedia.com, one of my favorite travel sites to look at air fares, the following screen popped up. When I saw it, my first thought was that I had a virus on my system.</p>
<p><a href="http://www.bitesofapple.com/wp-content/uploads/2010/01/VirusDriveby1.jpg"><img class="alignleft size-medium wp-image-324" title="VirusDriveby1" src="http://www.bitesofapple.com/wp-content/uploads/2010/01/VirusDriveby1-300x180.jpg" alt="" width="300" height="180" /></a>The screen displayed on top of the browser looked identical to the Microsoft Forefront Client Security interface, which is the antivirus software (A/V) installed on my PC. Even the progress bars moved on the display and the virus list was populated. To all intents and purposes it looked and felt like I had a bad case of several viruses on my system. After the virus list had been completed I got two more screens.</p>
<p><a href="http://www.bitesofapple.com/wp-content/uploads/2010/01/Virus-DriveBy2.jpg"><img class="alignleft size-medium wp-image-325" title="Virus DriveBy2" src="http://www.bitesofapple.com/wp-content/uploads/2010/01/Virus-DriveBy2-300x149.jpg" alt="" width="300" height="149" /></a>Fortunately I am well-versed in security products. As soon as I was asked to run a program outside of my A/V application the alarm bells started to ring. I also noticed that the file had been downloaded to my PC from a Web site I did not recognize. This is not usual behavior for an anti-virus program. So I decided to hit cancel. When I tried to close any screen I saw the screen above.</p>
<p>Now I was definitely concerned.</p>
<p><span id="more-322"></span><strong>I took a quick look</strong> at my process monitor and I saw there were three browser windows open. Each one of these two new “Windows” screens was a Web page. Plus the warning message was also a Web page. This told me that my antivirus was not sending these messages. They were specially-constructed Web pages. I looked at the “Forefront” page and got the source URL. Then I took a quick visit to <a href="http://www.samspade.org" target="_blank">www.samspade.org</a> and found out that this was a site out in France and not a site that I knew to be good. So I now knew it had nothing to do with the travel site I had gone to, or Microsoft Forefront. To stop this whole chain of events I had to shut down the browser application using my process monitor. (On the Mac, you’d do a Force Quit from the Apple menu, and you should.)</p>
<p>So how did this happen? Some technical details follow.</p>
<p>First the hacker constructed a simple set of Web pages to emulate Forefront and trick the user into downloading a virus program. The virus program was automatically downloaded as soon as the “Forefront” page came up. Once the user clicks OK to run the bogus “clean up” file the virus is installed and the hacker is in business.</p>
<p>The next thing is to load the Web pages and the virus on a Web site. In this case it was n6-scanner.com. It would take some skill to bypass the Web site security and load it, but on the whole this can be relatively easy to do. Web sites can be a very fertile ground for unpatched operating systems. (Ed. note: A very good reason to update the Mac OS with Security Updates — if only Apple would supply them sooner.) The hacker’s last step, the hard part, is to get you to go to a second Web site to load the code to direct the end user to the target site. This can be a simple HTML redirect, or a more sophisticated script line of code. The attack works best if this is a well-visited site, which is why it is harder. Once this last step is completed the hacker&#8217;s work is done. Just wait for the virus to distribute and take effect.</p>
<p><strong>Why is this a very dangerous attack?</strong></p>
<p>Well, the first reason is that it is relying on end user behavior. As soon as the user sees that there is a virus reported on their machine their first instinct is to get rid of it. The thought that the screen they are seeing is not the antivirus software is not immediately obvious. Most Windows users are now used to seeing virus attacks and want to get them off their system as soon as possible. Consequently many would click straight through these bogus screens without a second thought.</p>
<p>Next, the attack had bypassed the antivirus system. Hopefully, the A/V would have thrown something up after the viral payload was executed, but it may not have. The effectiveness of the A/V is only as good as the last update. So if it is a recent virus, and the user had not updated their A/V definitions, then anything could happen.</p>
<p>The Web pages can be tailored to specific operating systems. In my case I saw a Windows-based application. Your machine will send a lot of information back to the Web server about what you are using. If you want to see what you are sending out, go to Shields Up on https://www.grc.com and run the Browser Headers check. You may also want to run some of the other tests just to see how secure you are. So it would be fairly easy to construct an attack that was designed to attack a Mac-based system — that is, to switch the screen the user viewed and the downloaded payload. This is what came back on my system:</p>
<p>User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/532.0 (KHTML, like Gecko) Chrome/3.0.195.33 Safari/532.0</p>
<p>Finally, the Web pages and the launching script can be placed on multiple Web sites. The attack codes can be put on different sites too &#8211; they do not need to be collocated on one site. The launch code can be added to multiple Web pages on a single site. So a Web page on a trusted site can get infected. One day the site is safe, the next it is infected.</p>
<p><strong>What you can do to protect against this type of attack</strong></p>
<p>Many users are not familiar with their antivirus software. Take a quick look at your software’s manual (I know, that sounds unpleasant).</p>
<p>• Find out what your A/V software does should it hit a virus: what messages it displays and what operations it will take to quarantine and remove any viruses it finds.</p>
<p>• Take a careful look at ANY program that is launched on your system from a Web visit. Make sure you know where it came from. If in doubt, do a quick Web search on the file name. In many cases this kind of program contains a virus payload. In some cases, especially a drive-by, the file name may be automatically generated. You will have to rely on looking up the URL of the source site. Sam Spade is a great site to get information on who owns the Web site.</p>
<p>• A great fundamental protection is to add another user account on your system, even if you’re the only user of your Mac. Your first is an administrative account and the other is a user account with no administrative rights. The second account is the one that you use most of the time. It does not have rights to install new programs. This may block this type of attack and stop the program load. The administrative account would be used when you want to load a safe application.</p>
<p>• Lastly, you can activate a security scanner in your browser to detect dangerous sites. Firefox checks for these, working from a list of known dirty sites. Google’s Chrome, when it is released for the Mac, will have this capability, too.</p>
<p><em><span style="font-size: 14px;">Steve Hardwick has over 10 years of information security experience. He has worked with different environments from military customers, financial institutions, healthcare organizations and Fortune 1000 companies, as well as conducting security assessments for large and small corporations. He is currently Partner Manager at <a href="http://www.mobilearmor.com" target="_blank">Mobile Armor Inc</a>. providing cost effective solutions for securing and protecting mobile data.</span></em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.bitesofapple.com/2010/01/25/whats-a-web-drive-by-attack/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

