Mac attack in the works?

Dan Gillmor points to reports of a Horrible Apple OS Security Hole. In fact, he says, Mac users should be “extremely careful in surfing until Apple fixes this.”

[Update: The link above is dead. Now that Dan has left the Merc and has his own site, all old links redirect to his new site at Bayosphere.com. To read about the “Extremely Critical” vulnerabilities identified in this alert, see advisory 11622 and advisory 11689. Both have since been patched by Apple, but a Mac user who doesn’t install these patches is highly vulnerable. As Secunia explains: “[These] vulnerabilities … in Mac OS X [allow] malicious web sites to compromise a vulnerable system. … The rating has been upgraded to “Extremely Critical” because the issues are very easy to exploit and a large number of working exploits are available.”]

Well. I promise not to say I told you so, or anything, even though this is at least the third report I’ve seen in recent weeks of serious security issues with the Mac OS.

The reality is, any operating system that includes networking components will be attacked if it becomes sufficiently popular. Both Linux and the Mac OS have a partial advantage over Windows in that they don’t allow every user to run as Administrator, with full access to the machine’s innards.

But anyone who smugly thinks that using a Mac makes them immune from security exploits is headed for disaster. In fact, a really well-written Mac worm could probably spread very quickly, because the Mac community isn’t as attuned to the need for patches and ongoing security as us long-suffering Windows users.

A pox on McAfee

I spent 15 minutes on the phone yesterday with my old friend Marty, trying to work out why his Web browser was feeding him a steady diet of “page not found” error messages. SBC is taking its own sweet time getting his DSL line set up, so he’s stuck on dial-up in his new home. And he couldn’t connect to the Web despite his best efforts.

We went through the standard troubleshooting drill. Did you use the Internet Setup Wizard? Yep. Does ipconfig say you have an IP address and a valid DNS server? No problem there. Can you ping a remote site? Yep. But nslookup failed, and bypassing the DNS servers by typing a numeric IP address in the browser’s address bar didn’t work.

“Hmmm,” says I. “Do you have a firewall installed?”

“No,” says Marty. “I checked McAfee Security Center, and it says that Personal Firewall is not installed. All I have is their antivirus software. I even tried disabling it, but no luck.”

We stumbled around for a few more minutes, and I gave him a few suggestions, including removing and reinstalling all network components. (I also told him to ignore his ISP’s well-meaning but mostly clueless tech support staff, who had pointed him to an ancient KB article that described a problem with the Windows 98 Winsock components. Sheesh.)

About 20 minutes later, a message from Marty popped into my Inbox:

After 20 hours of agony–tweaking, changing, experimenting, restarting, more tweaking etc. turns out my internet DNS problem was that the nasty folks at McAfee activated, without my permission or notification, a copy of McAfee Firewall on my PC. This was not listed in the McAfee Security Center so I had no way of even knowing it was there.

I was getting desperate so I was heading off to the “add/remove software” function to get rid of my pop up blocker when I noticed McAfee Firewall had been installed during what I thought was a routine update of the virus files.

McAfee–What a bunch of assholes!

Thanks for your moral support and efforts……

I knew it! This sounded too much like an overly protective firewall, especially after ruling out every other reasonable explanation.
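The troubleshooting drill above, turned into a script, as an added example that is not part of the original post: it runs the same checks (ping a remote site, resolve a name, connect to a literal IP without touching DNS) and reports which layer fails first, so the signature Marty hit (ping works, DNS and direct-IP connections don’t) points at a host-based filter rather than the ISP. The target name and IP below are assumptions; substitute any host you know is reachable.

```python
# Added example (not from the original post): probe the layers the drill above
# walks through and name where trouble starts. Targets below are assumptions.
import platform
import socket
import subprocess

NAME = "example.com"          # assumed resolvable name (the nslookup step)
IP_LITERAL = "93.184.216.34"  # assumed reachable literal IP (the DNS-bypass step)

def icmp_reachable(ip: str) -> bool:
    """ping step: one echo request, output discarded."""
    flag = "-n" if platform.system() == "Windows" else "-c"
    try:
        return subprocess.run(["ping", flag, "1", ip], stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL, timeout=10).returncode == 0
    except (OSError, subprocess.SubprocessError):
        return False

def resolves(name: str) -> bool:
    """nslookup step: does the configured resolver answer?"""
    try:
        return bool(socket.gethostbyname(name))
    except OSError:
        return False

def tcp_reachable(host: str, port: int = 80) -> bool:
    """browser step: TCP connect; a literal IP bypasses DNS entirely."""
    try:
        with socket.create_connection((host, port), timeout=5):
            return True
    except OSError:
        return False

def diagnose(r: dict) -> str:
    """Name the first failing layer; keys: icmp, dns, ip_tcp."""
    if not r["icmp"] and not r["ip_tcp"]:
        return "nothing reaches the remote host: no route upstream"
    if r["icmp"] and not r["dns"] and not r["ip_tcp"]:
        return "ICMP passes but DNS and direct-IP TCP fail: host-based filter on this PC"
    if not r["dns"]:
        return "IP traffic flows but names do not resolve: DNS server problem"
    return "all layers OK"

if __name__ == "__main__":
    res = {"icmp": icmp_reachable(IP_LITERAL), "dns": resolves(NAME),
           "ip_tcp": tcp_reachable(IP_LITERAL)}
    print(res, "->", diagnose(res))
```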

As for McAfee, well… Earlier this year, after receiving a free copy with a new Dell PC, I briefly experimented with the latest version of McAfee’s antivirus software. It was better than previous versions, but still too intrusive for my tastes. When it failed to recognize a half-dozen copies of Bagle one week, I jettisoned it.

I don’t recommend McAfee software to anyone, and when I see a friend using it, I usually suggest that they switch to something else at the first reasonable opportunity. (My current personal favorite is Trend Micro’s PC-cillin.)

Why we patch, reason #145

Techdirt provides A Look Into How Spammers Spam:

“Some anti-spammers have managed to get themselves into the various “spam clubs” where top spammers trade tips with each other. From that they’ve learned, as we all pretty much knew already, that the state of the art in spamming is using compromised machines that have had a trojan installed on them. Lists of such controllable machines are offered to other spammers, both for additional spamming capabilities and for denial of service attacks. Basically, the spammers have built up quite a distributed super computer – and those contributing cycles and bandwidth don’t even know about it.”

You got hacked. Now what?

Jesper M. Johansson, Security Program Manager at Microsoft, has a new column: Help: I Got Hacked. Now What Do I Do?

Let’s just say you did not install the patches like we discussed last month. Now you got hacked. What to do?

I’ll skip to the end for you:

The only way to clean a compromised system is to flatten and rebuild. That’s right. If you have a system that has been completely compromised, the only thing you can do is to flatten the system (reformat the system disk) and rebuild it from scratch (reinstall Windows and your applications).

Are your security patches up to date?

Security Update CD

A reader alerts me that he got an e-mail from Microsoft telling him his Windows Security Update CD (ordered last month) is on the way. Have you received yours yet?

While it’s a good idea, the implementation has a real problem, because it only includes patches through October 23rd of last year. Why doesn’t Microsoft make a monthly disk containing all current Service Packs and patches? That disk could then be made available as a downloadable ISO image file that can be burned to a CD. I’d gladly burn 10 copies and give them to every technically unsophisticated Windows user I know.

What is spyware?

In its current issue, PC Magazine has an interesting review of 11 anti-spyware programs. Spy Stoppers is available online.

It’s a pretty good overview, marred by one huge omission: The article doesn’t include a definition of spyware. In fact, I’ve found that this sloppy use of the terms spyware and adware is causing mass confusion among people. It’s not fair that reasonably benign programs like Gator (annoying, but easy to remove) should get lumped in with CoolWebSearch (hostile, evil, and nearly impossible to remove).

Right now, the purveyors of the truly awful CoolWebSearch program and its many variants are engaged in a battle to take over as many innocent machines as possible. Someone has shut down the incredibly useful Spyware Info Web site, which offers the free CWShredder utility to remove this parasite. I’m not particularly worried about cookies from DoubleClick, but I am concerned that a program can install itself and then aggressively hide its actions and make itself impossible to remove.

That’s not spyware. That’s a hostile takeover.

Who can you trust?

You’d think that a government agency that specializes in data security could keep its own house clean. But not in Norway, where Yahoo News reports that everyone who subscribed to a new government-sponsored security newsletter received the FunLove virus as a special welcome. For more details, see Norway’s Data Agency E-Mails Out Virus.

Of course, that could never happen here. Right?

Don’t be a virus victim

In the last month, I’ve cleaned the damn Klez virus off of three computers in my neighborhood. In each case, the person with the infected computer didn’t even know they had been hit. Of course, they had antivirus software that hadn’t been updated in more than a year, and they had never installed any updates for Windows. That’s a perfect recipe for acute viral infection. Klez and Bugbear are rampant these days. Both are particularly nasty because they can infect a computer without requiring that you open an attachment. In fact, both viruses can bypass your email program completely and jump over a network share to infect other computers — unless you’ve installed the proper Windows security patch, that is. (And this patch was released in March of 2001, for heaven’s sake, so there’s really no excuse for not having installed it!)

Now would be a good time to check your computer and see if Windows and your AV program are up to date. You can get the latest Windows patches from Windows Update. If you need antivirus software, I recommend Norton Antivirus 2003.

Looking for information about a virus? Start with the Symantec Security Response page, where you can search for viruses (old and new) and get quick information about those threats that are most prevalent right now. Click on the Klez page to download an easy-to-use utility that can help you get rid of the virus if you’ve been infected.