Filed under Data security, Network Security by simonmackay on 13/04/2012 at 20:23
Introduction
The recent security scare with the Apple Macintosh platform and its exposure to the Flashback malware was centered around the use of Java on this platform, rather than the platform being targeted directly using native code. There have also been similar risks targeted at this platform, this time using the Adobe Flash runtime environment.
Previously, the typical computer’s operating system, desktop-productivity software and default Web-browsing environment have been targeted by malware writers. This has been more so with software that is used by many people, like Microsoft’s Windows XP operating system and Internet Explorer Web browsers.
But Microsoft, Apple and the open-source community have been working lately on hardening their operating-system, desktop-productivity and Web-browsing software against malware. This has been done through releasing software patches that fix vulnerabilities as soon as they are discovered and having such patches delivered using automated software-maintenance systems like Windows Update.
So malware authors are now turning their arrows towards the multi-platform runtime environments like Oracle’s Java and Adobe’s Flash and Air environments. These typically have a runtime component that is user-installed on most computing platforms, or this component is rolled in to some computing platforms.
These runtime environments have appealed to mainstream software developers because they can create their software in a “write once, run anywhere” manner without needing to port the software to the different platforms they want to target. This situation also has appeal to malware authors due to the ability to target multiple platforms with little risk as well as finding that these runtime environments aren’t patched as rigorously as the operating systems.
One main problem – Java and how it is maintained on the Macintosh
The Java runtime environment used to be delivered with the Windows platform until 2004 due to a legal agreement between Sun and Microsoft regarding an anti-trust issue. Windows users now pick up the runtime code from Oracle’s Java website, as Oracle has taken over the Java environment from Sun.
But Apple still delivers the Java runtime environment to their Macintosh users, either with the operating system until “Snow Leopard” or as a separate download from their Website for subsequent users.
For both platforms, the Java runtime survives operating-system updates, even major version upgrades. As well, it, like the Adobe Flash runtime, has to be updated separately.
Windows and Linux users still have the advantage of going to the Oracle Website to install and update the Java runtime, and they can set up the Java installer software to implement the latest version automatically or to let them know of updated Java runtimes. But Apple doesn’t pass on new updates for the Java runtime to MacOS users as soon as Oracle releases them.
What Apple should do is pass on the Java runtime updates as soon as Oracle releases these updates. This could involve Apple ceding the management of the MacOS X Java runtime to Oracle and writing any necessary integration code to support co-ordinated maintenance of this runtime on the Macintosh platform.
What users can do with these runtime environments
Users can keep their runtime environments for Flash, Java, Adobe Air and other “write once, run-anywhere” platforms up to date by looking for updates at the developer’s Website. They can also enable automatic deployment of critical updates to these environments through various options offered by the installer.
But do you need to keep any of these runtime environments on your regular computer? You could do without it but some vertical, enterprise and home software requires the use of these runtime environments. In some cases, some developers write parts of their software in native code for the platform the software is to run on while using “write once, run anywhere” code that works with these environments for other parts.
For example, YouTube, most browser-hosted games or file-transfer interfaces for Websites implement Adobe Flash Player while programs like OpenOffice, Adobe’s Creative Suite and some enterprise / vertical software require Java.
If you are not likely to be running any programs that depend on a runtime environment regularly, or can avoid needing that particular environment, you could avoid installing the environment at all to keep your computer secure and stable.
What can the industry do
Use of computer security software to protect against runtime-environment attacks
A question that could be raised is whether it is feasible for a computer-security program to be written so that it can inspect the software that is intended to be run in these environments.
This is more so as these environments become ubiquitous for delivering software to multiple computing environments. In the case of Java, this environment is being implemented as a baseline for the Android platform and as the language for writing interactivity in to Blu-Ray Discs.
This could be achieved through the use of plug-in modules for current desktop and appliance-level security applications; or for modules that connect to the runtime environments, observing for abnormalities in the way they handle computer resources.
Development of enhanced runtime environments that work with the host operating system’s security logic
It can also be feasible for the runtime environments to work tightly with the operating-system’s user access management and prevent the programs that work behind them from using resources unless they are explicitly allowed to. This could involve use of sandboxes or privilege levels that mimic the operating system’s privilege levels thus working at the lowest level unless they have to work higher.
Consistent and responsive updating of the runtime environment across all platforms
Adobe, Oracle and others who develop “write-once, run-anywhere” platforms could implement a consistent and responsive update policy for these platforms in response to any discovered bug or exploitable software weakness. The developers of these platforms have to be sure that the updates are delivered as soon as possible and across all platforms that the runtime environment is targeted at.
This includes development of a strategy so that access to the targeted platforms is guaranteed by the runtime-environment developer. For example, it may include immediate propagation of firmware updates for devices or the use of the developer’s own installation routines for all regular computing environments.
Allow design-time native-binary compiling for desktop Java
Another improvement that I would like to see is for software that is written in the Java language to be able to be compiled to native binary (.EXE) code during development. Here, this could allow a desktop-software project that has routines written in Java as well as routines written in other languages like C++ and targeted to one platform to be able to run quickly and securely on that platform.
It will then avoid the need to require the installation of the Java runtime when a program like Adobe’s Creative Suite software is deployed to the end user. It can also allow the developer to deliver the software to many platforms in a binary form that is native to each target platform, thus allowing for efficient use of system resources.
Conclusion
Once we adopt proper standards concerning the management and maintenance of “write-once, run-anywhere” software-development platforms and make them to the same standard as regular-computer operating systems, this can reduce the chance of these platforms being exploited by malware authors.
Filed under Data security, Network Security by simonmackay on 13/04/2012 at 18:38
Articles
A look at Apple’s Flashback removal tool | MacFixIt – CNET Reviews
Apple releases fix for Flashback malware | Engadget
Java Update for MacOS 10.6
Java for MacOS Lion
My Comments
Apple has reacted to the groundswell of concern about the recent Flashback malware and has issued updates to its Java runtime environment for both MacOS Snow Leopard and Lion.
Here, they have implemented a check-and-remove routine for this Trojan as part of the installation routine for the new Java runtime environment. For most Macintosh users, this will simplify the process of removing any existence of this malware as well as keeping this runtime environment up-to-date.
The CNET article also gave a detailed review of what goes on as well as how to fix situations if the installation takes too long and the procedure hangs. As I have posted previously, Apple could improve on the issue of providing system maintenance and desktop security software so that Mac users can keep these systems in good order.
Filed under Data security, Network Management by simonmackay on 13/12/2011 at 17:09
Article
HP sued over security flaw in printers | Security – CNET News
My comments
An increasing trend that I have covered on this site and have noticed with equipment that I have reviewed is for the equipment to be updated with new firmware after it is sold to the customer.
Field-updating practices
Previously, this practice involved the device’s user using a regular computer as part of the update process. In a lot of cases, the user would download the update package to their computer and run a special program to deploy the update to the connected device. If the device, like a router, was connected via the network, the user uploaded the update package to the network-connected device via its management Web page or other network-file-transfer methods.
Now it is becoming more common for one to update the software in their device without the need to use a regular computer. This would be done using the setup options on the device’s control surface to check for and, if available, load newer firmware.
It also includes the device automatically polling a server for new firmware updates and inviting the user to perform an update procedure or simply updating itself during off-hours for example; in a similar vein to the software-update mechanisms in Windows and MacOS.
As well, an increasing number of devices are becoming able to acquire new functionality through the use of “app stores” or the installation of add-on peripherals.
The HP lawsuit concerning printer firmware
Just last week, there has been a lawsuit filed against HP in San Jose District Court, California, USA concerning weaknesses in the firmware in some of their printers allowing for them to accept software of questionable origin. Issues that were raised were the ability to load modified software that could facilitate espionage or sabotage. This was discovered through lab-controlled experiments that were performed on some of the affected printers.
As all of us know, the firmware or apps are typically held on servers that can be easily compromised if one isn’t careful. This has been made more real with the recent Sony PlayStation Network break-ins, although data pertaining to users was stolen this time. But it could be feasible for a device to look for new firmware at a known server and find compromised software instead of the real thing.
They even raised the question not just about the software that is delivered and installed using a computer or network but the ability to install ROM or similar hardware chips in to the device to alter its functionality. I would also see this including the ability to pass in code through “debug” or “console” ports on these devices that are used to connect computers to the devices as part of the software-development process.
This could have implications as equipment like home appliances, HVAC / domestic-hot-water equipment and building security equipment become field-programmable and join the network all in the name of “smart energy” and building automation. Issues that can be raised include heaters, ovens or clothes dryers being allowed to run too hot and cause a fire or building alarm systems that betray security-critical information to the Social Web without the users knowing.
Further ramifications of this lawsuit
Device manufacturers will have to look at the firmware that governs their products in a similar vein to the software that runs regular and mobile computing equipment. This includes implementing authenticated software delivery, software rollback options and the requirement to keep customers in the loop about official software versions and change-logs (differences between software versions).
In some cases, business computing equipment like laser printers will have firmware delivered in a similar manner to how computer software is rolled out to regular computers in larger businesses. This includes software that enables centralised firmware deployment and the ability to implement trial-deployment scenarios when new firmware or add-on software is released.
Devices that have proper-operation requirements critical to data security or personnel / building safety and security may require highly-interactive firmware delivery augmented with digital-signature verification and direct software-update notification to the customer.
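As an added example (not code from the lawsuit, HP or any vendor), the following shows a device-side update check that covers the authenticated delivery, change-log and rollback points above, and rejects the "compromised software instead of the real thing" case. HMAC-SHA256 stands in for the vendor's digital signature so the block runs on the Python standard library alone; the key, the manifest fields and all class and function names are assumptions made for illustration.

```python
import hashlib
import hmac
import json

# Constructed key standing in for the vendor's signing key. A real device would
# hold only the vendor's public key and verify an asymmetric signature instead.
VENDOR_KEY = b"constructed-demo-key"


def sign_manifest(manifest, key=VENDOR_KEY):
    """Authenticate the canonical JSON form of the manifest."""
    blob = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, blob, hashlib.sha256).hexdigest()


def build_update(version, changelog, image, key=VENDOR_KEY):
    """Vendor side: package a firmware image with a signed manifest."""
    manifest = {
        "version": version,
        "changelog": changelog,
        "sha256": hashlib.sha256(image).hexdigest(),
        "size": len(image),
    }
    return {"manifest": manifest, "tag": sign_manifest(manifest, key), "image": image}


class Device:
    """Keeps the running image and the previous one so an update can be rolled back."""

    def __init__(self, version, image):
        self.current = (version, image)
        self.previous = None

    def install(self, update):
        manifest, image = update["manifest"], update["image"]
        # 1. Authenticate the manifest before trusting any field in it.
        if not hmac.compare_digest(sign_manifest(manifest), update["tag"]):
            return "rejected: manifest not authentic"
        # 2. The image must be exactly the one the manifest describes.
        if (len(image) != manifest["size"]
                or hashlib.sha256(image).hexdigest() != manifest["sha256"]):
            return "rejected: image does not match manifest"
        # 3. Keep the old image, then report version and change-log to the user.
        self.previous, self.current = self.current, (manifest["version"], image)
        return "installed " + manifest["version"] + ": " + manifest["changelog"]

    def rollback(self):
        if self.previous is None:
            return "nothing to roll back to"
        self.current, self.previous = self.previous, None
        return "rolled back to " + self.current[0]
```

The manifest is authenticated first because the hash and size inside it are only meaningful once their origin is established; checking the image hash against an unauthenticated manifest would let a compromised server supply both.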
Similarly, security-software vendors may push for a system of integrating software solutions, including “edge-based” hardware firewall appliances in the process of software delivery to other devices.
Conclusion
What I would like to see out of this case if it is allowed to go “all the way” is that it becomes a platform where issues concerning the authenticity, veracity and safety of field-updatable firmware for specific-purpose devices are examined.
Filed under Data security, Hardware setup by simonmackay on 19/08/2011 at 18:00
Articles – From the horse’s mouth
Press Release | Kingston
My Comments
I have had a look at the Kingston press release about the security of data held on USB flash drives and found that it was based on a Ponemon Institute study commissioned by Kingston. The main factor that I had observed was that the survey was based on data that represented the “big end of town” – the larger companies and government departments who typically handle a lot of high-stakes company and customer data.
Here I still find that small businesses and individuals are as at risk from removable-media data theft as are larger organisations. Most of these users would consider secure data storage as storing the confidential data on a USB memory key or external hard disk rather than on the computer’s hard disk. Here, they would keep that memory key or external hard disk locked in a desk drawer, filing cabinet or safe when the data is not needed. If the data isn’t changed or viewed often, like a valuables inventory, the USB memory key or external hard disk may be kept at a bank’s safe-deposit facility.
As well, the typical USB memory key can be attached to one’s keyring that has their house, car and business keys on it and a lot of these users may take advantage of the fact. These key rings are often at risk of loss due to absent-mindedness that can be common amongst us or theft as has been known to happen in the UK and Europe where houses have been broken into in order to steal the keys for powerful or expensive cars that are parked at these houses.
Of course, it is not just government and big business who handle or are responsible for “high-stakes” ultra-confidential data. Small businesses and individuals can also handle this kind of data, whether they provide services to these entities or not.
For example, I had provided technology assistance to a “one-person” business who valued fine art, antiques and collectables. This involved the handling of data relating to the collectable items and who owned the collectable items, as I commissioned newly-bought computers or trained her in computing techniques.
As well, individuals may need to keep copies of information pertaining to personal medical and legal issues where there is a strong emotional link. This information may be considered of high value where it concerns individuals who are in the “public eye” and the tabloid media are hungry for any bit of information about these individuals in order to run that exclusive “scoop”.
A common reality that this “enterprise-focused” article misses is that the typical small-business owner or personal user chooses and purchases their own computer hardware from retail. This is compared to larger organisations who maintain a dedicated IT team who is responsible for purchasing and maintaining the computer and communications technology for that organisation.
For this class of user, I would recommend that they use removable storage that is made by respected brands like Kingston, Verbatim, Sony or SanDisk. It may be worth knowing that some of the good retailers may resell these good brands under their own labels, usually in the premium end of those labels.
I would also recommend that you investigate the use of security-enabled encrypted USB memory keys. Here, I would look for those units that have continual software support from the vendor. This is important if you change your computing platform, as Apple hopes users will do, or move to newer versions of your current operating systems.
As well, you should make sure that you have good desktop security software on your computer. You could even get by with free programs like AVG or Microsoft Security Essentials. Even Macintosh users should make sure they run good anti-malware software on these computers especially as software threats are targeting this platform as well.
It is also worth making use of strong passwords or other data-locking options that the operating system or USB security software may provide for the confidential data. This may work in conjunction with the common practice of keeping the removable media under lock and key such as in a locked filing cabinet or safe.
What I fear is that a lot of press concerning data security tends to be focused at the big end of town and smaller users tend to be forgotten about. As well, a lot of the good-quality data-security options are often designed and priced out of the range of the small business operator or consumer even though there is a need for this level of data security amongst some of this class of user.