Well-anticipated like most other Apple products and services, the latest incarnation of the Mac OS X line, dubbed “Leopard,” began selling last October 26. Nevertheless, with almost a year’s worth of delay in its release, the latest big cat from Mac is already suffering early scratches on its fur.

Security researchers and users alike have complained of the seemingly backward development of the firewall in the Mac OS X v10.5. Users of the previous v10.4 “Tiger” face the awkward task of turning the firewall on (which is turned off by default) when upgrading. Moreover, it was observed that it still allows other connections though the option to block all is selected.

An incompatibility with an Application Enhancer (APE) has also resulted in some Macs hanging with a blue screen while installing Leopard. This APE was discreetly installed on Macs by Logitech for its mouse drivers and has since been addressed by Apple.

Researchers too noted that the secure Guest account feature retains access rights to the system. This, despite Leopard erasing the home folders of guests, can lead to abuse by guest users. Still others have found a bug in the Finder application that inadvertently deletes files or folders when transferred to external or network storage devices.

And while Apple is busy patching up the iPhone and iPod Touch, a hacker has just been successful at installing Leopard in PCs. In a tech discussion Web site, a member posted instructions on creating a bootable Leopard installation disk. The installer was tested on a Windows PC with specifications that are considerably higher than the average Mac. Leopard already supports a Boot Camp application that allows for a Windows partition on a Mac hard drive.

Even with its widely perceived superiority over other platforms, especially Microsoft’s Windows Vista, Mac OS X v10.5 is sure to find itself in a big catfight as the security spotlight slowly turns on Apple.

October is known for the Halloween season and just as we’ve noted last September, at least one malware would capitalize on the holidays to leverage its propagation. In fact, we’ve got quite a handful of threats that made themselves infamous last month. It’s not only people who get to wear disguises during Halloween; even maliciously crafted files do. Let’s start off this month’s roundup with the Trojan that supposedly spoke for the Dalai Lama…

Notable Malware

TROJ_MDROPPER.WI
This Trojan made itself known amidst monk-led protests and demonstrations in Burma and took advantage of that newsworthy event. It arrives as an attachment in spammed email messages, which claimed to be a message of support to the Burmese monks from the Dalai Lama. Once executed, TROJ_MDROPPER installs a backdoor by exploiting a vulnerability in MS Word. This Trojan’s social engineering tactic is reminiscent of WORM_NUWAR’s own tactic, which leverages on news events to facilitate its propagation.

WORM_NUWAR.ARC
This particular variant of Nuwar plays on the unsuspecting user’s penchant for cute little cuddly things. Similar to its brethren, it disguises itself as an eCard that can be downloaded from a web page where an image of a laughing kitten greets the user. Once executed on the user’s system, it propagates through email and installs a rootkit to hide its malicious activities.

TSPY_BAYROB.B
This information-stealing spyware illicitly obtains eBay account information by disguising itself as an eBay Web page to trick users. When installed, the spyware acts as a Web server, hosting spoofed eBay Web pages. Not only that, it further hosts bogus replicas of external validation sites in an effort to spoof an entire eBay transaction, all for the goal of getting the user’s eBay account information.

TROJ_CAPTCHAR.A
CAPTCHA is a system for validating the presence of a human user behind a Web transaction, usually implemented as a form of input, wherein the user would have to enter a series of alphanumeric characters based on a distorted (but still readable by humans) image. It seems that someone with a lot of creativity and imagination has come up with a Trojan for defeating this system. How does it do this? When executed, TROJ_CAPTCHAR.A displays a CAPTCHA image and entices the user to identify the characters presented. For each entry, the user is treated to an image of a woman stripping herself. By doing this, the malware created an incentive for the user to correctly input the characters. What the user doesn’t know is that (s)he is possibly aiding future spammers and information stealers in the process.

Halloween Storm
It seems that the Storm worm (aka Nuwar) doesn’t want to be left behind the Halloween festivities. It’s expected that this malware would capitalize on Halloween and it just did. A “Dancing Skeleton” website lures unsuspecting users into downloading Halloween.exe, which is a variant of the Storm worm.

Web Threats

CISRT Web Site Compromised
The Web site of the Chinese Internet Security Response Team (CISRT) was compromised in early October. Inspection of the site’s HTML code revealed that an IFRAME tag was used to redirect the browser to another site with malicious content. The malicious Web site executes a script that downloads a Trojan onto the affected system. This incident is similar to what happened with the NEFCC last June.

Arizona Government Site Hacked
An Arizona government university website was hacked early last October. When the HTML code of the website is inspected, it reveals multiple links leading to a website where a codec could be downloaded. This codec turns out to be none other than a copy of TROJ_ZLOB.DZW.

Vulnerabilities

Safari 3.0.03 Web Browser Flaw
A security flaw in the beta version of Safari was discovered last October and it’s likely to be exploited in the future for malicious purposes. The vulnerability allows a file referenced in an IFRAME tag to be automatically downloaded onto the system. What makes this dangerous is that no notifications are displayed by Safari when the file is about to be downloaded. In contrast, IE and Firefox prompt the user with a message that a file is about to be downloaded.

PDF File Links Exploit
A proof of concept exploit regarding Adobe Acrobat was recently disclosed. This exploit takes advantage of the vulnerability present on how Acrobat parses URIs (Uniform Resource Identifiers) or links within a PDF document. It turns out that this vulnerability, which is caused by a flaw in parameter passing to a particular API, can be employed by malware to automatically download malicious files.

RealPlayer Exploit
An exploit for a RealPlayer vulnerability has been discovered. Working in tandem with IE, this exploit enables malware to be automatically downloaded onto the affected system. The exploit works by hosting a maliciously crafted RealPlayer ActiveX code in a Web site which the user is lured to visit. Visiting the Web site would trigger the ActiveX code and connect to another URL, possibly where a malware can be downloaded.

That’s it for now. As always, Nuwar is once again present in our roundup and it’s very likely that this malware would still be present by the time Thanksgiving rolls around.