OFFICIAL SECURITY BLOG

We’ve moved! You can now read the latest and greatest on Mac adware and malware at Malwarebytes.

FinFisher vulnerability closed

Published November 29th, 2011 at 12:00 PM EST , modified November 29th, 2011 at 12:00 PM EST

Apple recently shipped a fix for a vulnerability in iTunes that allowed an attacker to send users on a malicious wireless network malware disguised as legitimate software updates.  It seems that, although the patch applies to Mac OS X, security researchers were only able to find a way to exploit this vulnerability in Windows.  So why do we Mac users care about this?  Because of the interesting fact that this vulnerability was apparently used by FinFisher, a hacker tool sold by a company named Gamma International to world governments, to be used for covert surveillance!

This sounds like a story straight out of Hollywood.  If I were to read about this on someone’s blog, my first instinct would have been to immediately discount the blog author as a tinfoil-hat wearer, and I’d be expecting to hear shortly about how aliens and Bigfoot are also involved in the conspiracy.  So why shouldn’t the same apply in this case?  Because this story has been covered by more well-known authors and publications, such as Brian Krebbs, formerly of the Washington Post, who reported on the FinFisher story recently, and who wrote about how it could be exploited several years ago.

FinFisherFinFisher is, apparently, malware that is written and distributed by a real company, Gamma International.  Certainly this is the first malware that I have seen that has its own web site!  It is designed to use the iTunes vulnerability to allow governments to install the FinFisher software on a target’s machine.  Evidently, this sort of thing is becoming more necessary as criminals and terrorists take more of their communications into encrypted online chats and internet telephony.  The only way to intercept such communication is via software installed surreptitiously on the criminal’s computers.  The story caught the public eye recently when protestors captured the Egyptian State Security headquarters and found evidence that licenses for this software had been purchased.

This may not seem very concerning on the surface.  After all, isn’t this supposed to help our law enforcement agencies catch the bad guys?  The question is, who exactly are the bad guys, and who are the good guys?  Not all world governments may have the best interests of their citizens in mind when purchasing such software.  Worse, how do we know that this software is only available to law enforcement agencies?  Do we really know that Gamma International isn’t selling FinFisher to wealthy international hackers?  Are large companies purchasing and using it for industrial espionage?

It has been hypothesized that some security companies may knowingly omit “government malware” from their databases.  For good or ill, however, at least one security company has taken a firm stance against such a policy.  F-Secure posted their opinion in March, saying that they will never omit any kind of malware from their database.  Whether that is a reasonable is a matter for debate.  After all, suppose that the US government could have foiled the 9-11 attacks using such a technique.  Should AV companies help such terrorists escape surveillance?  Yet, at the same time, shouldn’t they help protect ordinary citizens against the potential dangers of too much government surveillance?  And the danger of such tools falling into the hands of criminals?

There is no easy answer to these questions.  However, one thing is sure…  one should be very cautious about what is downloaded from any open wireless network.  Even if this vulnerability has been closed, and even if it may never have been exploited on the Mac, this is not the only way that a wireless network could be used maliciously.  Fake DNS servers could be used, for example, to redirect users to malicious web sites mimicking legitimate ones.  Whenever you use an open wireless network in a public place, be extremely cautious about what you do!

This post is more than 90 days old and has been locked. No further comments are allowed.