The Wire

A periodic pointer to some of the more interesting and newsworthy security news stories. In no particular order:

Proof-of-concept for Mac OS X systems Released
Possible Malicious Apps for Google’s Android Phone
Online Gaming Exec. Sentenced to 33 Months
‘Massive Cybercrime Conspiracy’

Read after the jump for summaries and links to more information.

–Dan Goodin from The Register writes that researchers have disclosed a critical vulnerability in the latest version of Mac OS X that they claim Apple has sat on for almost seven months without fixing. The Reg says the flaw “could be exploited by attackers to remotely execute malicious code, and virtually all Apple devices – including Mac computers and servers, iPhones, and even Apple TV – are susceptible.” Once again, full disclosure in the face of apparent vendor lethargy.

I exchanged e-mails about this threat last night with Dino Dai Zovi, probably one of the foremost experts on Mac security. Dai Zovi said while the flaw may be exploitable through a number of third-party applications that run on top of Mac OS X (Firefox, for example), it isn’t likely we’ll see this bug being exploited in the wild. “This vulnerability is more complex than much simpler vulnerabilities in Mac OS X that did not result in widespread exploitation,” Dai Zovi wrote in an email to KoS. ” There have yet to be any reports of Mac-based malware exploiting a browser vulnerability in order to install itself in the wild.  For that reason, I wouldn’t suggest that Mac users need to take action to protect themselves against this issue at this time.”

MITRE’s writeup on this vulnerability has a nice list of applications that may be a potential way to exploit this flaw.

–The blogs are abuzz with word of fraudulent apps being posted to the Android Market. The apps, reportedly created by an anonymous developer named “09Droid”, appear to be an attempt to snag online banking credentials from Android users. The F-Secure blog has a bit more on the nasty apps.

–The chief executive of an overseas, online gambling operation was sentenced by a U.S. judge to 33 months in prison after pleading guilty to racketeering, writes Wired.com’s Threat Level. The sentence, against David Carruthers, 52, a former executive at BetonSports, comes as U.S. lawmakers consider allowing Internet gambling, even as federal regulators step up enforcement of existing anti-online gaming laws.

–In other cyber justice news, a federal grand jury in Dallas last Friday indicted 19 people in what the government is calling a “massive cybercrime conspiracy” – a Web hosting scam that defrauded both customers and contractors, according to Dark Reading’s Tim Wilson. The accused alleged created a mess of shell companies purporting to be legitimate Web hosting and services providers, and used said companies to collect customer fees, obtain loans, and purchase good services. “In the end, many of the customers were left without Web servers, the loans were not repaid, and many contractors — including collocation service providers such as AT&T and Verizon — were never paid, the indictment says.”