Apple updates iMovie and iWork – but the iWork fixes are more than cosmetic

Get ready!

We’re about to run the gauntlet of Mactivists, and we’d love you to join us.

The story is a simple one: Apple released updates for iMovie and iWork this week (get ready for about 1GB of download in total), bumping up the middle digit of the products’ version numbers.

Keynote on OS X, for example, goes from 6.5.3 to 6.6 (not merely 6.5.4); iMovie from 10.0.9 to 10.1; and iWork on iOS hits 2.6.

That means there’s a bit more on the feature front than just the bug fixes you’d expect with a point release, but not a sea of changes that means you’ll need to learn new menus and click different buttons.

Strictly speaking, the OS X product formerly known as iWork isn’t really called that any more, seeing that Keynote, Pages and Numbers (the Mac world’s equivalent of PowerPoint, Word and Excel) are now simply separately-downloadable App Store applications.

But all three of the Office-like products received updates that were announced on Apple’s Security Advisory list.

The vulnerabilities patched in the updates were all exploitable by means of booby-trapped files, meaning that a crook could, in theory, send you an apparently-innocent presentation, or spreadsheet, or document, that would have malicious side-effects.

According to Apple, those side-effects could cause information disclosure (where a crook gets to access private data outside the document you just opened) or remote code execution (where the booby-trapped file contains a hidden program that runs without warning).

Running the gauntlet

So, where’s the gauntlet we said we were running?

Actually, there isn’t much of a gauntlet any more.

Many Apple users have come wholeheartedly to the security party in the past five years, a change that we are delighted to report.

Nevertheless, you’ll still find Mac and Apple fans who stoutly deny that the malware risks endured by Windows and Office users apply to OS X at all.

Sometimes, they’ll claim that OS X “is secure by design” because of its BSD Unix roots, while Windows is not, because Microsoft knitted everything from scratch rather than standing on the shoulders of others.

Others will tell you that viruses and other malware on OS X are easily avoided “because you aren’t administrator by default,” and therefore as long as OS X users are circumspect about when they type in their password to authorise system-level changes, they are safe.

Neither of those arguments are true.

Much more similar than different

Windows and OS X are much more similar than they are different, at least in how the operating system is divided between a core of highly privileged code, called the kernel, and a collection of processes, or programs, running in what’s known as userland.

In 1982, before Windows existed in its current form, the internet was pummelled by a virus known as the Morris Worm, which automatically hacked its way into Unix computers all over the world, infected them, and spread onwards to the next victims.

Windows had to wait until the 21st century, and the Code Red virus, to experience anything similar.

Anyway, even a system that is “secure by design” isn’t necessarily secure in practice, in the same sort of way that a firearm stops being “safe” as soon as you start fiddling with all those intriguing little catches and levers with which it is equipped.

→ One vulnerability exploited by the Morris Worm was the fault of sysadmins who sloppily ran their mail servers with a special debug-only option turned on. The virus could, by design, send system commands inside an email, and the server would intentionally run those commands as root, the most powerful account in userland.

And Macs, like most other computers, don’t require you to use your administrator password to work on your own files – indeed, that’s the whole idea of having accounts with different privileges, so that you can work on your files without needlessly putting other users’ files (or system files) at risk.

If you can edit, email, encrypt or erase your own files using application features available to you with no special extra password, you can already accidentally alter, leak or lose your own data.

And therefore malware running with your privileges can do exactly the same thing deliberately, again with no special extra password.

In other words, exploitable bugs in how apps such as Keynote, Pages and Numbers load document files put you at just the same sort of risk as bugs like Stagefright and Stagefright 2 did to Android users. (Stagefright’s flaws involved booby-trapped video and music files).

Similarly, those bugs could be abused by crooks in the same way that unpatched Word users are regularly attacked by so-called exploit kits such as Angler and Microsoft Word Intruder.

In short: patch early, patch often!

Leave a Reply