The App Store giveth and the App Store taketh away

The other day, the JoshMeister blogged about the Mac App Store and the effect of its approval delays in getting critical security updates to users.

Third-party Web browser maker Opera has released version 11.11 of its software, which fixes a "critical" security issue. Mac users who have downloaded Opera through the App Store may find themselves using a copy of Opera that is now two versions old, 11.01, which was released back in March and is vulnerable to the security bug patched in 11.11. Users who rely on the App Store to tell them whether their software is up-to-date may not be aware of the security risks and may continue to use an unsafe version of the Opera browser.

As the app store model becomes more popular on both smartphones and PCs, it's important to explore issues like this. What the JoshMeister doesn't mention is that centralized app markets can also help encourage users to keep software updated. It's much easier to have a single marketplace app, once per day or week, say "here are all the apps that have updates, click to update them all" than to have to manage each app individually. If this encourages users to keep their apps up to date, that's a positive thing for security.

Of course, this model requires two conditions to work effectively from a security standpoint. First, the updates have to be made available to users through the store in a timely fashion. Second, the updates have to be screened to ensure they're not violating the market's standards (e.g., they're not badware). Based on the delays observed with the Opera updates and other submissions to the Mac App Store, it seems that there is some tension between these two conditions. If critical updates for known vulnerabilities take substantially longer to get to users via the store than they would through an app's only automatic update mechanism, something needs to be fixed.

One potential improvement could be to allow vendors to flag certain app updates as containing high priority security fixes. The store could then prioritize those updates for approval. Of course, this could (and probably would) be abused on occasion by vendors trying to rush updates out to users, but I'd like to think such abuse wouldn't be so frequent as to be a major problem.

Another approach would be to prioritize approval of updates based on the popularity of the application. This would ensure that the most widespread apps would get patched more quickly than less used apps. I don't generally like options that give established vendors preferential treatment over new entrants to the market, but experience teaches us that criminals like to target badware at widely installed software.

Of course, the cynical side of me says that Apple and other operators of app markets care more about getting new apps into the market than getting security updates out to users. After all, new apps mean new revenue opportunities, as well as bragging rights. ("We have x apps in our store; our competitors only have y.") On the other hand, just as supermarkets get bad press and lose customers if they fail to take recalled products off the shelves, application stores may find their reputations suffering if users start facing security threats that could have been avoided. Here's hoping this will be enough incentive to get those stores to find solutions to getting critical updates out to users quickly and safely.

Mac attack

Sandi over at the Spyware Sucks blog "pointed": to "this thread": on Apple's Mac forums, indicating that some Mac users have been victims of a web-based malware attack:

bq. This has happened to me twice now, on two separate computers at work. My clipboard has been hijacked with this:

bq. [potentially dangerous URL removed]

bq. And once it's in the clipboard, I can't copy anything else over it until I've restarted the machine.

Several other users reported similar attacks, whether they were using Safari or Firefox as their browser.

[Update 8/19: There are also "reports": of this issue from users of Ubuntu, a popular distribution of Linux.]

This is a good reminder that users of operating systems other than Windows are not immune to malware or social engineering.

Mac hacked via web

According to the Mac Observer, a "MacBook Air was compromised": via what sounds like a drive-by download style attack in a hacking competition:

bq. On the first day of the event, contestants unsuccessfully attempted to remotely hack into the Mac, a Windows PC, and a Linux PC. On the second day, however, Mr. Miller was able to gain control over the MacBook Air in only two minutes by directing a contest organizer to visit a specially crafted Web site with the laptop.

Although the exploit code is not "in the wild" as the security industry likes to say, this still sends the message that the Mac is not immune to such attacks, even if Windows is the more commonly-exploited platform.