clicky



OMG run for the hills!! Were all doooooomed!! well you might be if you still have an older iPhone or iPod touch.
Though those that can run the latest update should be sharpish about updating to get all those lovely security issues fixed. I have

*raises hand*

I'm not overly concerned.

Raises paw.

Me neither.

Is this such a problem? I would imagine that if you stuck to the big websites it might not even be an issue.

It depends on what you call big websites...

The New York Times, Der Spiegel and many popular tech sites have been infected with drive-by malware for OS X and Windows computers in the past 2 years, so a "big name" isn't a guarantee of a safe ride.

How many Mac users were infected with Malware then? I am surprised that I did not hear about this.

It was big news at the time. It was a phishing (Mac, Linux, Windows) and a keylogger (Windows) attack, as far as I can remember.

If you say so I am sure it was. I can't find any mention of it now though.



I am surprised that large numbers of Macs picking up malware on a drive by infection from a big site like the New York Times was more widely reported.



I can't even find mention of it at Sophos.

A 5 second Google finds a gazillion references. Here's one: http://malwareviruses.com/hacked-ad-ser ... es-website

Is that what you were thinking of, big_D? It's certainly evidence that "big name" sites cannot be trusted.

Well it is a blog that mentions a virus. No mention of lots of infected Macs though.

That was one of the big ones. Even Google's Ad network has suffered from rogue adverts, churning out viruses and phishing attempts at people visiting well known sites.

It is usually through a hijacked third party account with the advertising agency, which then pays for a "bad" advert to be placed on key sites.

Then there were the carpet-bombing flaws in Safari, which allowed drive-by downloads. The patches for Safari 4 and 5 in August patched critical vulnerabilities in Safari and WebKit, which allowed drive-by downloads on both OS X and Windows versions of the browser.

# CVE-2010-1807 (Mac and Windows) – An input validation issue exists in WebKit’s handling of floating point data types. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution.
# CVE-2010-1806 (Mac and Windows) – A use after free issue exists in WebKit’s handling of elements with run-in styling. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution.

There were malicious websites which used these attacks to execute code on Macs and Windows computers.

Apple's Preview app has also suffered from some of the same exploits that plagued Adobe's Reader application. Likewise, Adobe CS, Adobe Reader for OS X, Firefox, Google Chrome and other third party applications have also opened up OS X to various security vulnerabilities.

Luckily for most OS X users, many of these vulnerabilities have not been used in wide area attacks, but in Spear-Phishing attacks, which are used to gain access to passwords or account information, for getting at specific people or specific companies.

There have also been a fair number of trojan attacks on OS X computers over the last couple of years. Our own KW wrote a simple proof of concept trojan for OS X, just to prove how easy it was...