Friday, January 23, 2009

iWork '09 and Security

The new version of iWork has a few issues with security that previous versions did not have. Note that I have no personal experience of any of the issues below, but I rely entirely on other sources. Please, use your own judgement when you use the information.

A Trojan called iServices.a has spread with an unofficial version of iWork that can be downloaded from other places than Apple.com. According to Intego, 20000 people have already downloaded the Trojan, but that sounds exaggerated. Once the Trojan is installed, it listens for instructions from a remote server. The remote server could for example ask for your personal address book or other private data, which would be sent without your knowledge.

To see if you have the Trojan, go to /System/Library/StartupItems. If there is a folder there called iWorkServices, the Mac is infected.

To remove the Trojan automatically, download this script at MacUpdate.

To remove the Trojan manually:
  1. Open the Terminal (Applications > Utilities > Terminal).
  2. Type sudo su and enter.
  3. Type your account password and enter. (This assumes you are administrator.)
  4. Type rm -r /System/Library/StartupItems/iWorkServices and enter.
  5. Type rm /private/tmp/.iWorkServices and enter.
  6. Type rm /usr/bin/iWorkServices and enter.
  7. Type rm -r /Library/Receipts/iWorkServices.pkg and enter.
  8. Type killall -9 iWorkServices and enter.
More information about the Trojan can be found here.

The next security issue is ad.doubleclick.net. Several posters in Apples forum confirm that the iWork applications send information to the advertising company doubleclick.net when the application is launched. It seems like lists of software installed at the computer and the computer model is sent to doubleclick.net without the user's knowledge. Apple has so far not made any comments on this, so we do not know if the information is limited to that, or if other information may be sent under some circumstances.

A serial number is only needed if you buy the downloadable version. If you buy the DVD, you just install it and that is that. This makes it easier to copy the application between machines, and it is likely to increase both the piracy and the usage of the product. There is also a way to hack the trial version to work as a full version, but this is not the right forum to give instructions how to do that.

Finally, iWork '09 includes the possibility to save documents so they cannot be opened without a password. However, Apple has not said anything about what level of encryption is used. The encryption may be very good, but it may also be ridiculously easy to break for anyone with the right tools. We users do not know. For now, I would not recommend anyone to use iWork's password functionality except for harmless documents. Do not use it for bank details, credit card information or commercial confidential information, for example.

All this should remind us that iWork is not just a harmless tool on our harddisks. If one is not careful, one can get into some really delicate situations.

No comments: