
DNS posts

Filed under: Enterprise, Security, Found Footage

Sophos video shows Mac trojan caught in the act


Apple Mac malware: Caught on camera from Sophos Labs on Vimeo.

It's not every day that you can watch Mac malware in action, but the team at Sophos Labs has put together the demonstration video above; it shows a malicious installer downloaded from a site pretending to serve up an HD video player, which actually carries the RSPlug-F trojan. Even though Mac users would still have to provide admin credentials to install the application (unlike Windows users, who might catch the Zlob malware just by visiting the webpage), it would be perfectly natural to go ahead and authenticate after downloading an installer... but not a good idea in this case. The fake site and bogus application are appearing in two versions, one billed as MacCinema and another trying to steal the goodwill of a legitimate Windows app called HDTV Player (the real app is from blazevideo.com).

RSPlug-F does try to change your DNS settings to point at bad-guy controlled servers, which could conceivably result in you being redirected to malicious or phony sites; however, if your ISP is on the ball, those bogus DNS servers are already blocked. The only way to catch this bit of malware is via the installer, but it's easy to see how an innocent Mac user might be fooled by the convincing-seeming download site.

[H/T Ars Technica Infinite Loop]

Filed under: OS, Open Source, Security

10.5.5 update fixes DNS vulnerability

Apple's Mac OS X 10.5.5 update (and Security Update 2008-006) fixes a critical DNS vulnerability that could allow attackers to trick victims into visiting malicious Web sites using what's known as a "cache poisoning attack." We wrote about the vulnerability in August.

Although Apple's release notes say BIND was updated "to address performance issues," the update also delivers the promised source port randomization that protects users from such cache poisoning attacks. The original patch protected Apple's servers but did not completely protect client systems.

Apple's updates fixed flaws in several applications and system components, including some that attackers could use to run unauthorized software on a user's computer.

[Via IDG.]

Filed under: iPod Family, Security

iPod touch firmware, Bonjour for Windows close security holes

It's not all new features and delight behind the scenes with the now-shipping iPod touch 2.1 firmware -- among the updates and changes are five patches to address security issues with the device. Frameworks that have been tweaked include the Application Sandbox, CoreGraphics, the mDNSResponder, Networking, and WebKit.

The mDNS fix tackles the Dan Kaminsky DNS vulnerability that sparked controversy over the pace of Apple's patch releases... yet more proof that the iPod touch is a teensy little computer, with all the risks and challenges thereto. You can review the security notes for the update at Apple's security site, and of course you can download the update through iTunes.

Also updated for security purposes today was the Bonjour for Windows package, now at version 1.0.5. This utility, which gives XP and Vista machines access to zero-configuration network resources such as printers or Mac OS X web sharing, now includes a couple of DNS-related patches including one for the vulnerability noted above. See here for the full details; Bonjour for Windows is downloadable from Apple as well.

Filed under: OS, Bad Apple, Security

Apple's DNS patch coming up short

The distance between good intentions and actual results seems to be getting longer and longer. While Apple did release a security patch yesterday that included a fix to BIND for the highly publicized cache poisoning exploit -- some time after most other vendors got updates out to customers -- that fix doesn't seem to be, you know, actually working.

Multiple sources have noted that Apple's DNS patch, at least on Mac OS X 10.4 and 10.5 client versions, isn't implementing the key feature that's meant to block cache poisoning: port randomization on requests. While the same version of BIND running on Linux systems behaves as expected, Mac OS X machines doggedly issue DNS requests on sequential ports, making them far more vulnerable to spoofing by malicious folk.
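A way to check the behaviour described here and in the 10.5.5 item above, as an added example that is not from TUAW, Apple or Dan Kaminsky: given the UDP source ports of a run of outgoing DNS queries, in capture order, classify them as fixed, sequential or randomized. The port lists are constructed stand-ins for values read out of a packet capture, and the thresholds are assumptions chosen for illustration.

```python
"""Classify the UDP source ports of consecutive DNS queries as fixed, sequential
or randomized, the property the cache-poisoning fix depends on."""
import math
import random
from collections import Counter


def classify_source_ports(ports, min_samples=20):
    """Return a verdict plus the statistics it rests on.

    ports: source ports of consecutive outgoing DNS queries, in capture order.
    Thresholds below are assumptions, not values from any vendor guidance.
    """
    if len(ports) < min_samples:
        raise ValueError(f"need at least {min_samples} queries, got {len(ports)}")
    n = len(ports)
    counts = Counter(ports)
    # Shannon entropy of the observed ports relative to the maximum for n samples.
    entropy = -sum(c / n * math.log2(c / n) for c in counts.values())
    entropy_ratio = entropy / math.log2(n)
    # Share of consecutive queries whose port advanced by a small positive step.
    steps = [b - a for a, b in zip(ports, ports[1:])]
    sequential_ratio = sum(1 for s in steps if 0 < s <= 2) / len(steps)
    spread = max(ports) - min(ports)
    if len(counts) <= 2:
        verdict = "fixed"        # one port for every query: fully predictable
    elif sequential_ratio > 0.8:
        verdict = "sequential"   # incrementing ports: the behaviour reported on OS X
    elif entropy_ratio > 0.9 and spread > 10000:
        verdict = "randomized"   # what the patch is supposed to deliver
    else:
        verdict = "unclear"
    return {"verdict": verdict, "entropy_ratio": round(entropy_ratio, 3),
            "sequential_ratio": round(sequential_ratio, 3), "spread": spread}


# Constructed samples standing in for ports read out of a packet capture.
FIXED = [53] * 50
SEQUENTIAL = list(range(49152, 49152 + 50))
_rng = random.Random(7)
RANDOMIZED = [_rng.randrange(1024, 65536) for _ in range(50)]

if __name__ == "__main__":
    for name, sample in (("fixed", FIXED), ("sequential", SEQUENTIAL), ("random", RANDOMIZED)):
        print(name, classify_source_ports(sample))
```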

This may seem like an esoteric vulnerability, and indeed for most Mac users the more important question is whether or not your ISP or network manager has patched the primary DNS servers you rely on (you can check your DNS server status via Dan Kaminsky's tool here). The behavior of Apple on this security issue, however, is very troubling. Waiting weeks to issue a patch for a key vulnerability and lagging behind other OS vendors is bad enough; shipping that patch only to have the user community discover that it doesn't work worth a bucket of warm spit ... that's not the act of a company that claims to care deeply about the security of its customers.

Update: Kaminsky suggests that we lighten up; Mac OS X Server (which would be the most vulnerable to attack, if it serves as the primary DNS for your network) has been patched, even if the client patch isn't behaving properly yet.

Filed under: Software Update, Security

Apple Security fix includes BIND update

Yesterday, shortly after I read TidBITS' post on securing the DNS flaw that Apple had ignored for a while, Apple released a security fix which finally took care of the situation. This comes 3 weeks after the security industry began taking matters into their own hands. This fix overwrites the files that the TidBITS post on manually correcting the issue, mentioned above, had updated.

In Apple's notes on the update, they mention fixes for:

  • Open Scripting Architecture, which addresses the ARDAgent issue which allowed Trojan Horses and non-administrator users to gain root access
  • The aforementioned BIND issue which allowed for DNS poisoning (allowing malicious websites to forge their identity)
  • A CarbonCore stack buffer overflow which allowed for arbitrary code execution
  • A CoreGraphics memory corruption issue and a CoreGraphics PDF weakness, both allowing for arbitrary code execution
  • A Data Detectors issue which could be exploited for [DOS](http://en.wikipedia.org/wiki/Denial-of-service_attack) attacks
  • A Repair Permissions/emacs exploit in Disk Utility
  • An LDAP weakness
  • An OpenSSL weakness
  • Multiple PHP vulnerabilities
  • A flaw in QuickLook's handling of maliciously crafted Microsoft Office files
  • An issue with rsync's handling of symbolic links

Some of those had been reported, some I hadn't heard about previously, but I'm certainly feeling more secure this morning.

[via Macworld]

Filed under: Features, UNIX / BSD, Terminal Tips, TUAW Tips

Monday man page: dig, host & nslookup

For this week's Monday man page, it's a triple threat: dig, host, and nslookup. All three utilities are included with the BIND (Berkeley Internet Name Domain) version 9 package, part of every Mac OS X 10.4 installation, and all three do pretty much the same task: translate hostnames to IP addresses and vice versa. In 10.3.9 and earlier, the Network Utility 'lookup' tab was a front-end for nslookup, with an option via checkbox to use dig instead; starting in 10.4 the checkbox is gone and the utility is dig-only.

If you want a good introduction to how DNS works, the MacDevCenter has an excellent primer, and I can also heartily recommend DNS and BIND, possibly the most comprehensible book about a complicated subject that I've ever read. After the jump, we'll talk a bit more about how DNS lookup tools are useful, and why you might prefer one of this troika to the others.

