Wednesday, May 18, 2011

Apple's Mac App Store Puts Users At Risk

Users of Apple Inc.'s Mac App Store—a feature added to Mac OS X v10.6 Snow Leopard and built into the upcoming v10.7 Lion operating system—may be putting their computer's security at risk.

Third-party Web browser maker Opera has released version 11.11 of its software, which fixes a "critical" security issue.  Mac users who have downloaded Opera through the App Store may find themselves using a copy of Opera that is now two versions old, 11.01, which was released back in March and is vulnerable to the security bug patched in 11.11.  Users who rely on the App Store to tell them whether their software is up-to-date may not be aware of the security risks and may continue to use an unsafe version of the Opera browser.

I have notified Apple and Opera about this issue.  An Opera representative acknowledged that "We are waiting for the App store to approve the next version of Opera for Mac. For now the only solution is to go to www.opera.com/download/".

Opera is not the only software in the Mac App Store that's outdated.  For example, the current version of Amazon's Kindle app is 1.5.1, while the version in the App Store is still 1.2.3, which was released in January.  Amazon does not publicly disclose its changelog, so there is no easy way to know whether any security issues exist in Kindle for Mac version 1.2.3.
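As an added example (not from the article), a POSIX shell check that reads an app bundle's version, notes whether the copy carries a Mac App Store receipt, and reports when the installed version is older than the vendor's patched release; the receipt path, the Info.plist parsing and the sample versions are assumptions about the audited machine, not Apple's or Opera's own tooling.

```shell
#!/bin/sh
# Audit an installed app bundle against the vendor's patched version.
# Usage: sh mas_check.sh /Applications/Opera.app 11.11

# version_lt A B: succeed when dotted version A is older than B (numeric, per component)
version_lt() {
    a="$1."; b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"          # current component of each version
        a="${a#*.}";  b="${b#*.}"           # drop it from the remainder
        x="${x%%[!0-9]*}"; y="${y%%[!0-9]*}"  # strip suffixes such as "11b"
        x="${x:-0}"; y="${y:-0}"            # missing component counts as 0
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
    done
    return 1                                # equal versions are not "older"
}

# installed_version APP: print CFBundleShortVersionString from APP/Contents/Info.plist
installed_version() {
    plist="$1/Contents/Info.plist"
    if command -v defaults >/dev/null 2>&1; then
        defaults read "$1/Contents/Info" CFBundleShortVersionString 2>/dev/null
    else
        # portable fallback for XML plists (assumed layout: <string> on the line after the key)
        awk '/<key>CFBundleShortVersionString<\/key>/{getline; sub(/.*<string>/,""); sub(/<\/string>.*/,""); print; exit}' "$plist" 2>/dev/null
    fi
}

# from_app_store APP: succeed when APP carries a Mac App Store receipt (assumed path)
from_app_store() { [ -f "$1/Contents/_MASReceipt/receipt" ]; }

# check_app APP PATCHED: print a verdict; exit 1 when APP is older than PATCHED, 2 when unknown
check_app() {
    app="$1"; patched="$2"
    have=$(installed_version "$app")
    [ -n "$have" ] || { echo "unknown: no version found in $app"; return 2; }
    src="vendor download"; from_app_store "$app" && src="Mac App Store"
    if version_lt "$have" "$patched"; then
        echo "OUTDATED: $(basename "$app") $have ($src) is older than patched $patched"
        return 1
    fi
    echo "ok: $(basename "$app") $have ($src)"
}

[ $# -eq 2 ] && check_app "$1" "$2"
```

Run it against each bundle in /Applications with the version the vendor currently ships; a non-zero exit from check_app is the signal that the App Store's "All apps are up to date" cannot be trusted for that app.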

In the past, Apple has come under fire for taking unreasonable amounts of time—sometimes weeks or even months—to approve both new apps and app updates in its iOS App Store.  It remains to be seen how quickly Apple will approve the latest Opera update in the Mac App Store.

Lest any readers think that Macs are immune to security issues and this is much ado about nothing, there are indeed active attacks on Macs taking place in the wild today.  Earlier this month, noted security researcher Brian Krebs warned about a new crimeware kit that makes it easy for criminals to hack and gain control of Mac systems.  The same day, Mac security firm Intego and others warned about new malware spreading on the Web that falsely claimed to be Mac security software called MACDefender (or MAC Defender, and later renamed Mac Security and Mac Protector).  Although attacks against Macs may currently be less common than Windows attacks, the threat of Mac security breaches is increasing and should not be taken lightly.  Regardless of which operating system you're using—even if it's a mobile platform such as iOS or Android—it's important to follow good Internet safety practices (see OnGuard Online for some basic tips).

If you find that an app you've downloaded from the Mac App Store is outdated, fret not; there's an easy fix to get the latest version, assuming it's a free app that's also available on the Web.  You can drag the outdated app from your Applications folder into the Trash (which will require an administrator password due to the way the App Store installs apps), and then you can drag the current version of the application from the developer's Web site into the Applications folder.

UPDATE, 25 May 2011: Finally, a full week after Opera released version 11.11 on its site and publicly disclosed the security vulnerability it had patched, and after a lot of coverage in the tech press resulting from this article, Apple has finally released Opera 11.11 in the Mac App Store.  As suggested by other security researchers and tech commentators, one would hope that Apple will begin to improve its app approval process to fast-track security updates, especially when the vulnerabilities have been publicly disclosed or exist in popular software.


7 comments:

  1. Good advice and like the links.

    Here is what I use to learn about 3rd party updates

    http://www.cnet.com/techtracker-free/

  2. Josh, as I mentioned on FB your 'easy fix' is inappropriate for many MAS applications. Your suggestion makes no distinction between free apps (which in most cases are interchangeable between MAS versions and from-vendor versions) and paid apps (which most definitely are not).

    If you replace your MAS-purchased copy of, for example, Pixelmator with a copy downloaded from the Pixelmator web site, you're replacing a fully-functional licensed copy with a demo -- and knocking out all the paid features. In order to revert to the MAS version, you'd have to delete the downloaded app and reinstall.

    Basically, you're ignoring the fact that MAS licensing and copy protection is entirely independent from vendor copy-protection/licensing schemes. Not to mention that you gloss completely over the fact that many MAS apps are *not* available for download separately.

    I'm not disputing your central thesis that there's a security risk inherent in slow MAS approvals for common applications, and for the two apps you use as examples you certainly could replace them with independent download versions. I'm just suggesting that you redact or qualify the part about downloading replacements to make it clear that you are talking about free apps, not paid apps, and that there are potential issues to be considered.

  3. Thanks for the warning about deleting purchased apps, Mike. Indeed, my suggestion above assumes that the outdated version that you want to replace is a free app that's also available as a free download from the developer's Web site. I have updated the article to clarify this.

  4. This is why PPAs in Ubuntu rule!

  5. Huh. Ubuntu has had an app store for quite some time, and I bet it doesn't have this problem.

  6. Just to point out that the exact same situation of purchasing an older "insecure" version could happen when purchasing software in a shop or buying a boxed CD of software online. There isn't a guarantee that you're getting the latest version, in fact, you probably aren't. Not such a headline grabber though.

  7. eric: Although your point is valid about boxed software (such as Microsoft Office, for example) being outdated before it gets installed, downloading an application from the App Store is a very different thing. The big difference is that when people download software from the Internet, they have the reasonable expectation that they're getting the latest version. This is true whether they're downloading it directly from the developer's site or from a popular download site like Download.com or MacUpdate, but the App Store goes even further than update sites because it's supposed to keep users informed about updates, and it tells users "All apps are up to date" when they click on the Updates tab. The average person does not second-guess this because the App Store is supposed to know the latest versions and notify them whenever their software is out of date. In fact, Apple promises as much on its site. This is a direct quote from https://www.apple.com/mac/app-store/ :

    "Since developers are constantly improving their apps, the Mac App Store keeps track of your apps and tells you when an update is available. Update one app at a time or all of them at once, and you’ll always have the latest version of every app you own."

    By the way, Apple is still distributing the two-versions-old Opera 11.01 in the App Store as of today.
