Wednesday, May 18, 2011

Apple's Mac App Store Puts Users At Risk

Users of Apple Inc.'s Mac App Store—a feature added to Mac OS X v10.6 Snow Leopard and built into the upcoming v10.7 Lion operating system—may be putting their computer's security at risk.

Third-party Web browser maker Opera has released version 11.11 of its software, which fixes a "critical" security issue.  Mac users who have downloaded Opera through the App Store may find themselves using a copy of Opera that is now two versions old, 11.01, which was released back in March and is vulnerable to the security bug patched in 11.11.  Users who rely on the App Store to tell them whether their software is up-to-date may not be aware of the security risks and may continue to use an unsafe version of the Opera browser.

I have notified Apple and Opera about this issue.  An Opera representative acknowledged that "We are waiting for the App store to approve the next version of Opera for Mac. For now the only solution is to go to www.opera.com/download/".

Opera is not the only software in the Mac App Store that's outdated.  For example, the current version of Amazon's Kindle app is 1.5.1, while the version in the App Store is still 1.2.3, which was released in January.  Amazon does not publicly disclose its changelog, so there is no easy way to know whether any security issues exist in Kindle for Mac version 1.2.3.

In the past, Apple has come under fire for taking unreasonable amounts of time—sometimes weeks or even months—to approve both new apps and app updates in its iOS App Store.  It remains to be seen how quickly Apple will approve the latest Opera update in the Mac App Store.

Lest any readers think that Macs are immune to security issues and this is much ado about nothing, there are indeed active attacks on Macs taking place in the wild today.  Earlier this month, noted security researcher Brian Krebs warned about a new crimeware kit that makes it easy for criminals to hack and gain control of Mac systems.  The same day, Mac security firm Intego and others warned about new malware spreading on the Web that falsely claimed to be Mac security software called MACDefender (or MAC Defender, and later renamed Mac Security and Mac Protector).  Although attacks against Macs may currently be less common than Windows attacks, the threat of Mac security breaches is increasing and should not be taken lightly.  Regardless of which operating system you're using—even if it's a mobile platform such as iOS or Android—it's important to follow good Internet safety practices (see OnGuard Online for some basic tips).

If you find that an app you've downloaded from the Mac App Store is outdated, fret not; there's an easy fix to get the latest version, assuming it's a free app that's also available on the Web.  You can drag the outdated app from your Applications folder into the Trash (which will require an administrator password due to the way the App Store installs apps), and then you can drag the current version of the application from the developer's Web site into the Applications folder.

UPDATE, 25 May 2011: Finally, a full week after Opera released version 11.11 on its site and publicly disclosed the security vulnerability it had patched, and after a lot of coverage in the tech press resulting from this article, Apple has finally released Opera 11.11 in the Mac App Store.  As suggested by other security researchers and tech commentators, one would hope that Apple will begin to improve its app approval process to fast-track security updates, especially when the vulnerabilities have been publicly disclosed or exist in popular software.


For more from the JoshMeister on Security, please subscribe via e-mail or RSS, or follow me on Twitter.