Monday, January 4, 2016

Apple Security In 2015, Sorry : Grateful

--

It's been an annoying year of Apple security flaws, not because of the number but because there were so many that Apple sat on for months on end. The year ended with, again, a huge round of fingers pointing at Apple's poor system for Enterprise developer security certificates, which once again were abused and applied to malware. This is the same damned problem that enabled the WireLurker (Machook) malware that became evident in November 2014.

Another annoyance enabled by Apple has been a flaw in Script Editor, OS X's AppleScript editor, which the company has thoroughly ignored. Month after month the SANS @RISK security newsletter reported the same thing:
ID: CVE-2015-7007
Title: Apple OS X Input Validation Code Execution Vulnerability
Vendor: Apple
Description: Script Editor in Apple OS X before 10.11.1 allows remote attackers to bypass an intended user-confirmation requirement for AppleScript execution via unspecified vectors.
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
So has this been fixed via security updates in previous versions of OS X?!

Apple deserves a great big steel-toed-boot kick up the backside for being LAZY and IRRESPONSIBLE about software security. This isn't the first lousy year for Apple security. But I find it very sad that Apple is back to blowing off security issues yet again.

Having had my rant, it is useful to note, however, that Apple has indeed been busy patching security holes in 2015. We're left in a state of Sorry : Grateful. Here's a fun article laying out Apple's busy security year as well as commentary about the usefulness of counting CVEs as a method of judging the quality of a company's security.

Apple had more CVEs than any single MS product in 2015, but it doesn't really matter
Meaningless league table sparks silly schadenfreude
. . . However, simply guffawing at Cupertino is problematic for many reasons.

The first is that the CVE Details survey makes no distinction between severity of vulnerabilities in the list. A low-risk vulnerability (for example, something that can only be exploited by an authenticated local user with administrative privilege) is not the same as a remote code execution bug that's easily exploited.

Second – and this applies to all platforms – many security bugs are cross-platform. A good example is libpng, which is everywhere from browsers to smart-watches. It may have had only four advisories in 2015, but that will have drawn patches from a lot of other vendors.

Third: CVE Details seems arbitrary in its assignment of CVE to project. Hence, for example, a bunch of LibreOffice/OpenOffice bugs are counted as Debian CVEs, as are some Oracle MySQL bugs.

Fourth: CVEs only count reported vulnerabilities. They don't count anything that's being hoarded, whether by security agencies or by black-hats, for example. And there's nothing good to come out of turning CVEs into some kind of marketing scorecard. . . .
The worst security problem for Mac users in 2015 was adware. Several software download sites now foist the stuff as a matter of course, a sick and sad trend. Meanwhile, 2015 was the year when it became clear that computer users on all platforms are fighting back against marketing abuse with adblocking software, resulting in a slow-burn war between websites that make their revenue from advertising and users who are sick of:

A) Being surveilled across the Internet.
B) Having targeted ads foisted at them from every possible source and angle.
C) Having their Internet experiences turned into noise and annoyance from rude and puerile advertisements, click-jacking, hostile HTML5 Canvas images, popups, deceitful search engine results, hard sell, lies lies and lies.

Now that advertisers have gotten the hang of web advertising, 20 years after the web went public, web advertising has reached an all time low in quality and integrity. Foisting adware on unsuspecting victim users is merely more of the same.

What Will 2016 Bring?

- More marketing warz, no doubt. 
- An increased lash-back at user surveillance across the Internet. 
- New intra & inter-nation cyber attack vectors. 
- Apple being shoved in a corner and forced to repair their poor Enterprise developer certificate system. 
- Flash hell. 
- Java hell. 
- Fragmandroid security hell on steroids.
- Our stupid governments demanding backdoors in everything Internet, to the thorough detriment of the citizenry and the glee of the FUD mongers who want to turn the world into one massive TOTALITARIAN hell hole of Neo-Feudalism.
- Further stupendous displays of technology ignorance from politicians and world leaders as well as its ramifications.

That sort of thing. 

Meanwhile, BSD UNIX, OS X included, will continue to be the safest computer platform. iOS will clean up its reputation again and reinforce the 'walled garden', including for Enterprise users. I expect a few malware and exploit attempts at watchOS, tvOS and of course OS X. I also expect surprises, giving me reason to write a few more than usually interesting posts in the blog.

Share and Enjoy 2016!

:-Derek

--

Monday, December 28, 2015

Adobe Flash/AIR Exploit In-The-Wild!
Critical Flash/AIR Updates Released

--

The all-too-familiar story: the single most dangerous software on the Internet has been exploited in the wild yet again. The exploited bug is CVE-2015-8651 (not yet documented at MITRE as of this date).

Adobe has provided the following security updates:

Flash v20.0.0.267

AIR v20.0.0.233

Adobe's security bulletin is HERE.
Summary

Adobe has released security updates for Adobe Flash Player.  These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system.

Adobe is aware of a report that an exploit for CVE-2015-8651 is being used in limited, targeted attacks. . . .
Vulnerability Details

These updates resolve a type confusion vulnerability that could lead to code execution (CVE-2015-8644).

These updates resolve an integer overflow vulnerability that could lead to code execution (CVE-2015-8651).

These updates resolve use-after-free vulnerabilities that could lead to code execution (CVE-2015-8634, CVE-2015-8635, CVE-2015-8638, CVE-2015-8639, CVE-2015-8640, CVE-2015-8641, CVE-2015-8642, CVE-2015-8643, CVE-2015-8646, CVE-2015-8647, CVE-2015-8648, CVE-2015-8649, CVE-2015-8650).

These updates resolve memory corruption vulnerabilities that could lead to code execution (CVE-2015-8459, CVE-2015-8460, CVE-2015-8636, CVE-2015-8645).
And as usual: If you don't need Adobe Flash, uninstall it and never reinstall it again. Adobe's instructions for uninstalling Flash are HERE. Adobe's instructions for uninstalling AIR are about halfway down the page HERE.

--

Saturday, November 21, 2015

MacUpdate Interviewed By MacNN:
What's up with the 'MacUpdate Installer'?

--

MacNN has published an excellent story, well worth reading, about the changes going on at MacUpdate.com. Specifically discussed is the switch out of actual application installers for the 'MacUpdate Installer' that attempts to install more than what the user intended, to be gentle about the issue. Our pal Thomas Reed of Malwarebytes is featured as well as the founder of MacUpdate, J. Mueller:

MacUpdate tests changes in face of challenging specialist market
Optional additional installs, app discovery at forefront of changes
- updated 04:00 pm EST, Fri November 20, 2015
. . . "Fear not," Mueller said in response to a question about whether long-time users should be concerned about MacUpdate's testing of similar techniques. "We are not planning to go in the same direction [as CNET and Softonic]. We are learning about this process ... and testing it on only one percent of our hosted apps. We are focused on problem-solving, and the Mac community is very important to us." He added that more information would be made available to users once the testing phase is further along, but that the goal of the optional install offers is to learn about how the process works, how users who see it respond to it, and how to avoid the mistakes rivals have made.
I hope that is indeed the case.

Apart from the unintended installations foisted on MacUpdate users and the scary requirement of your admin password, both highly NOT recommended practices, what I don't like is that the user does NOT end up with the actual application installer. The 'MacUpdate Installer' does all the installing for the user. There is no opportunity to KEEP the desired installer. I personally do not deal with that.

Why do I want to keep the actual update installer?

1) I have three Macs I run simultaneously with a total of five different partitions I maintain. I don't typically install applications on just one Mac. I usually install on two Macs. Going through the MacUpdate Installer adware foisting process twice is not in my interest.

2) I archive ALL the current update installers for applications. I collect them on my main Mac in a 'Move Out' folder, along with all the contemporary research I've been collecting from the net. I usually weed out the older update installers and only keep the latest. Periodically, I then write all of this data out to optical disk for permanent storage. I then catalogue each new disk collection into a database of my entire collection. Whenever I want some piece of software from back in the past, I search the catalogue and it tells me where to find it. This system has saved me many headaches and has often saved my backside.

Needless to say, hanging onto a bunch of MacUpdate Installers that do NOT incorporate the desired actual installer is NOT going to work for me. I want nothing to do with them.

Thankfully, as you'll read in MacNN's article, paying (and, at the moment, logged-in) members of MacUpdate are spared the MacUpdate Installer rubbish. For now, I can entirely avoid the problem by simply logging in. MacUpdate also knows I've bought piles of software through them as a member. I have no reason to feel I am not contributing to their financial success.

Would I become a full-fledged, fee-paying member of MacUpdate.com? I don't know of any valid reason to do so. I would never use their MacUpdate Desktop software, specifically because of the reasons I want to keep update installers. Recently, MacUpdate Desktop has greatly improved and can be VERY useful! I'm grateful MacUpdate finally got it into good shape. (It used to be extremely clunky.) But I don't need it or want it.


~ ~ ~ ~ ~

This situation will play out in the months to come. I'm grateful that the folks at MacUpdate are being professional about this situation and at least promise not to inadvertently or purposely install crapware or hardcore malware onto users' Macs. There are good intentions. But I personally find nothing to appreciate about the MacUpdate Installer system.

As for MacUpdate.com, the website, as long as there is a convenient and friendly way for me to avoid the MacUpdate Installer, I'm happy and will continue to help them out with reviews and purchase their deals whenever possible. They've been a terrific asset to the Mac community.

:-Derek


--

Wednesday, November 11, 2015

Adobe Update Day:
Flash v19.0.0.245,
AIR v19.0.0.241

--

Another second-Tuesday-of-the-month, another set of Adobe updates. Happily, at this time there are no zero-day exploits out in the wild. Hurray.

The Adobe Security Bulletin is HERE.
Vulnerability Details
  • These updates resolve a type confusion vulnerability that could lead to code execution (CVE-2015-7659).
  • These updates resolve a security bypass vulnerability that could be exploited to write arbitrary data to the file system under user permissions (CVE-2015-7662).
  • These updates resolve use-after-free vulnerabilities that could lead to code execution (CVE-2015-7651, CVE-2015-7652, CVE-2015-7653, CVE-2015-7654, CVE-2015-7655, CVE-2015-7656, CVE-2015-7657, CVE-2015-7658, CVE-2015-7660, CVE-2015-7661, CVE-2015-7663, CVE-2015-8042, CVE-2015-8043, CVE-2015-8044, CVE-2015-8046).
You can download the latest version of Adobe Flash HERE.

You can  download the latest version of Adobe AIR HERE.

As usual, if you don't need Adobe Flash, it is extremely wise to UNinstall it. Flash is the single most dangerous software on the Mac platform. Instructions for uninstalling Adobe Flash are HERE.
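A check to go with the advice above, serving both this bulletin (Flash 19.0.0.245) and the December 28 one (Flash 20.0.0.267): an added Python 3 example, not code from the blog or from Adobe, that reads the installed plug-in's CFBundleVersion from its Info.plist and compares it numerically against the fixed version, so that 20.0.0.9 is not mistaken for newer than 20.0.0.267. The plug-in path is an assumption about Adobe's installer layout, and the sample Info.plist the demo writes is constructed, not a real Adobe file.

```python
"""Added example (not from the blog or from Adobe): confirm the installed
Flash Player plug-in is at or above the version Adobe's bulletin says is
fixed. Python 3, standard library only."""
import plistlib
import tempfile
from pathlib import Path

# Fixed versions named in the November 11 and December 28, 2015 posts.
FLASH_FIXED = {
    "2015-11-10": "19.0.0.245",
    "2015-12-28": "20.0.0.267",
}

# Assumed location of the NPAPI Flash plug-in's bundle on OS X.
FLASH_PLUGIN_PLIST = "/Library/Internet Plug-Ins/Flash Player.plugin/Contents/Info.plist"


def parse_version(text):
    """'20.0.0.267' -> (20, 0, 0, 267). Numeric, not lexical: as strings,
    '20.0.0.9' would sort after '20.0.0.267' and hide an unpatched install."""
    parts = []
    for piece in str(text).strip().split("."):
        if not piece.isdigit():
            raise ValueError("non-numeric version component in %r" % text)
        parts.append(int(piece))
    return tuple(parts)


def is_patched(installed, fixed):
    """True when installed >= fixed, padding short versions with zeros
    so that '20.0' compares as 20.0.0.0."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b


def installed_version(plist_path):
    """CFBundleVersion from a bundle's Info.plist, or None if the bundle
    is not installed (plistlib reads both XML and binary plists)."""
    path = Path(plist_path)
    if not path.is_file():
        return None
    with path.open("rb") as fh:
        return plistlib.load(fh).get("CFBundleVersion")


def flash_status(plist_path, fixed):
    """One-line verdict for a fleet report."""
    version = installed_version(plist_path)
    if version is None:
        return "absent"            # nothing to patch: the safest state
    if is_patched(version, fixed):
        return "ok %s" % version
    return "outdated %s (fixed in %s)" % (version, fixed)


def sample_check(fixed):
    """Run the check against a constructed Info.plist standing in for an
    unpatched machine (not a real Adobe file), so it works where Flash
    is not installed."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = Path(tmp) / "Info.plist"
        with sample.open("wb") as fh:
            plistlib.dump({"CFBundleName": "Flash Player",
                           "CFBundleVersion": "19.0.0.245"}, fh)
        return flash_status(sample, fixed)


if __name__ == "__main__":
    latest = FLASH_FIXED["2015-12-28"]
    print("constructed sample:", sample_check(latest))
    print("this machine:      ", flash_status(FLASH_PLUGIN_PLIST, latest))
```

Run it after the updater claims success; "absent" is the best answer, "ok" is acceptable, and "outdated" means the update did not land (a stale copy in another browser's plug-in folder, for instance). The same functions work for any bundle's Info.plist, so AIR can be checked by pointing them at its framework bundle.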

 Stay safe out there kids.

-- 

Friday, November 6, 2015

Updating List Of MacUpdate
Adware Infested Installers


 

[Updates: 
- Chrome and Calibre added. Thanks to Morse and mrflick! 
- Dropbox added. List alphabetized. Direct links to developer download pages added.
Please add more in the comments as you find them.
- 2015-11-18: MacUpdate swapped "Install" vs "Download" on ALL their product pages. Apparently, this is some marketing strategy to shove people into using their MacUpdate Desktop application. This verifies that they have some marketing moron helping them to ruin their website. I personally suggest getting rid of said marketing moron influence ASAP, dear MacUpdate, before they kill you.]

November 5th, it was determined that MacUpdate has stopped foisting their 'MacUpdate Installer' adware installer on users who have logged in.

November 6th, I was able to verify ongoing adware infestations and add a couple more infested installers to the list by NOT logging in to MacUpdate. Therefore...

Advice: Log into MacUpdate to avoid the adware installers (at least for the time being!).

Here is the updating list of adware infested installers at MacUpdate, in alphabetical order:

AppCleaner
BetterTouchTool 
Calibre
Chrome 
Cyberduck 
Dropbox
FileZilla
Firefox
GitHub Desktop
iBackup Viewer
MPlayerX
Onyx
Skype
VLC

Link to this article if you'd like to keep track of the list. I'll be adding to it as I find or verify reports of adware infested installers at MacUpdate. The current list is thanks to reports from Thomas Reed, Neartheredrocks and myself. Please comment if you find further infested installers. Thanks.

Please remember to NEVER install anything via an obvious adware installer. What is really installed CANNOT be trusted. The fact that these adware installers require your Admin password makes them potentially dangerous to the welfare of your Mac: an installer running with administrator rights can write anywhere on the system, not just into your home folder.

Instead, go to the website of the software developer directly and download from there. Direct links to developer download pages are provided in the list above.

-- 

[Footnote: I have ALL of the adware installers I note in this list. I've verified them. I can provide these adware installers to anyone interested in further verification or conducting research. :-Derek]


-- 

Thursday, November 5, 2015

Further Observations Regarding
The Adware Infestation At MacUpdate

--
My colleague Thomas Reed was the one who first tipped me off about the beginning of the adware infestation at MacUpdate. He and I are part of a group started by Mark Thomas of ClamXav who share and consult with one another regarding Mac security. Thomas, as I hope many of you know, has been at the forefront of studying, detecting and removing adware within the Mac community. He's been a constant asset to myself and others for many years. His AdwareMedic application was a breakthrough. His addition to the team at Malwarebytes has been a well deserved accolade. His software is now part of Malwarebytes Anti-Malware for Mac.

Thomas Reed has been keeping track of MacUpdate adware in his own blog at Malwarebytes. It's well worth reading his article here. You can read about the initial discovery of what's going on at MacUpdate alongside Thomas' useful insights:

Has MacUpdate fallen to the adware plague?
Following Mr. Urdaneta’s hints, I sought out the Skype page on the MacUpdate site and downloaded the app. The result was a file named Skype Installer.dmg, which seems legit on first glance. However, opening this disk image file results in a MacUpdate installer,
very similar to the adware-riddled custom installers used by sites like Download.com and Softonic. . . .
Note that between Thomas and myself, we've found that the MacUpdate adware installer flips between a number of different adware installations. I've witnessed the attempt to install Yahoo! adware as well as MacBooster.

The nightmare of the matter is that this installer asks for your ADMINISTRATOR PASSWORD, which means you're giving this malware administrative access to your whole Mac, not merely your home folder. DON'T DO IT! Anything-at-all could be installed after you've provided that password to the malware.

I have a name I use for people who foist nastiness on potential customers:

Marketing Morons.

The marketing folks who seriously care about the welfare of their collaborators, their customers, are called:

Marketing Mavens. 

~ ~ ~ ~ ~

I'll be adding further observations of the infestation as I find them and consider them helpful and relevant.
--

Tuesday, November 3, 2015

A Reply From MacUpdate
+ A Short Term Workaround
++ The Best Adware Removal Tool

--

Following my suggestion, I wrote to the staff at MacUpdate.com about their new adware installer infestation strategy. You know my opinion of the situation, so I'm not going to critique what they said except to point out that it is an extremely polished reply, indicating that someone such as an ad agency is holding their hand through this despicable transition. That's very interesting.
Hi Derek,

This is a new way we're approaching a select few of our apps by adding special offers to the downloads. The feedback helps us out a lot.

If you're a paid member at MacUpdate, you can go to the Preferences tab of your profile and deselect the "Show Banner Ads," then click "Apply All Changes." This will turn off the banner ads that are on our website, as well as the special offers that appear in a few of our downloads. The download links only show you offers and nothing is installed without your permission. You're able to decline the offers if you do not wish to have them.

If you're a user of MacUpdate Desktop, you can perform one-click installs, which eliminates the special offers. If you're not a member of MacUpdate Desktop you can learn more about it and become one here: http://www.macupdate.com/desktop

Please let us know if you have any further questions.

Cheers,

Joel Lockard
Content/Support
MacUpdate
 PLEASE: Write your own message to MacUpdate regarding their adware installer. Their contact URL is:

http://support.macupdate.com/contact/

~ ~ ~ ~ ~

So, brainstorming what to do amidst this LOSS of the last bastion of dedicated Mac software updates, outside of the Apple App Store, here are some concepts:

I) Watch what you receive as downloads from MacUpdate. Typically, the page for an application at MacUpdate lists the size of the installer download.  If what you get is NOT that size, or more specifically if what you get is between 1.6 and 1.8 MB in size, you most likely got screwed with the MacUpdate Installer of adware.

It doesn't hurt to open the .DMG file and verify that you've been screwed with MacUpdate Installer.

If you got screwed, I highly recommend ejecting the .DMG and trashing the adware installer. I NEVER suggest navigating your way through the minefield of adware installers. You want the real, source installer for your applications. That is NOT what you got. Therefore...

II) Go back to the application's page on MacUpdate and click on the developer's link. You may get shuffled off to some page at MacUpdate about the developer. That's not what you want. Typically, the REAL link to the developer is on such pages. Go THERE instead, find and download the actual update installer.

III) Before you download the actual update installer, grab the URL for the download page from your web browser (typically small site icon on the far left side of the URL listing in the browser) and drag the resulting .webloc link file to a folder that accompanies the application. 

I've done this sort of thing for years. Every application on my Macs either has its own devoted folder with the application and all related files, OR I leave the application in the root of the Applications folder and create a 'stuff' folder specific to the application. For example:

Firefox is kept in the root of my Applications folder. But sitting next to it in List View is a folder I created called "Firefox stuff". Inside that folder I keep notes about Firefox add-ons, documentation I've found on the net... and a .webloc file for the downloads page for Firefox over at Mozilla.org. If I want to download the latest Firefox version, I just double-click the .webloc file and it opens the page in my default web browser. Simple.

IV) Theoretically, we as a group of Mac security fanatics could create a simple blog page somewhere that is a simple list of all Mac applications and the corresponding developer download page for each of those applications. To begin with, we could list the Mac applications that are being screwed with at MacUpdate. If we're confronted with an adware installer, we could go to that simple page, search for the application we want, then click the link to its downloads page.

The result is that MacUpdate can continue to be used for its non-screwed over functionality, such as listing new updates, new release notes, reviews and comments. But the nasty adware installer process can be entirely avoided.

Note: I personally don't have the time or interest in doing the work required to maintain such a page. I'm happy to play admin, but I'd leave the updating and expansion of such a page to fellow admins.
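The four steps above as one small tool, an added Python 3 example that is not part of the post: it applies the size tell from step I to a downloaded file, checks that a download page URL from step II really belongs to the developer and not to macupdate.com, writes the .webloc bookmark from step III (a property list with a single URL key, which Finder opens in the default browser), and keeps the app-to-download-page table from step IV in one place. The 1.6 to 1.8 MB tell comes from the post; the 2% size tolerance is my assumption; the vendor URLs in the table are illustrative entries to be confirmed against each developer's site; sizes are in decimal megabytes, the unit Finder reports.

```python
"""Added example (not from the blog): the four workaround steps as helpers.
Python 3, standard library only."""
import plistlib
import tempfile
from pathlib import Path
from urllib.parse import urlparse

MB = 1_000_000  # decimal megabytes, the unit Finder reports sizes in

# Step IV: the app -> developer download page table. Illustrative entries;
# confirm each against the developer's own site before relying on it.
DEVELOPER_DOWNLOADS = {
    "Firefox": "https://www.mozilla.org/firefox/",
    "VLC": "https://www.videolan.org/vlc/",
    "FileZilla": "https://filezilla-project.org/",
}

# Hosts that are never the developer's own download page.
AGGREGATOR_HOSTS = ("macupdate.com",)


def download_verdict(actual_bytes, expected_bytes, tolerance=0.02):
    """Step I: compare what arrived with the size listed on the app's page.
    None means the download looks right; otherwise a short reason."""
    if 1.6 * MB <= actual_bytes <= 1.8 * MB and expected_bytes > 1.8 * MB:
        return "1.6-1.8 MB is the size of the MacUpdate Installer stub, not the app"
    if abs(actual_bytes - expected_bytes) > tolerance * expected_bytes:
        return "got %d bytes, page listed %d" % (actual_bytes, expected_bytes)
    return None


def is_developer_url(url):
    """Step II: accept http(s) URLs only, and never an aggregator host
    (or a subdomain of one), since a 'developer' link on MacUpdate may
    lead back into MacUpdate."""
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    if parts.scheme not in ("http", "https") or not host:
        return False
    return not any(host == h or host.endswith("." + h) for h in AGGREGATOR_HOSTS)


def write_webloc(url, directory, name):
    """Step III: a .webloc is a property list with a single key, URL;
    double-clicking it in Finder opens the page in the default browser."""
    if not is_developer_url(url):
        raise ValueError("refusing to bookmark %s" % url)
    path = Path(directory) / (name + ".webloc")
    with path.open("wb") as fh:
        plistlib.dump({"URL": url}, fh)
    return path


def read_webloc(path):
    with Path(path).open("rb") as fh:
        return plistlib.load(fh)["URL"]


def build_bookmarks(directory, table=DEVELOPER_DOWNLOADS):
    """One .webloc per app, e.g. into a 'Firefox stuff' folder."""
    return {app: write_webloc(url, directory, app) for app, url in table.items()}


def demo_bookmarks():
    """Write the table into a scratch folder and read every bookmark back."""
    with tempfile.TemporaryDirectory() as tmp:
        return {app: read_webloc(p) for app, p in build_bookmarks(tmp).items()}


if __name__ == "__main__":
    print(download_verdict(1_700_000, 45_000_000))
    print(demo_bookmarks())
```

The table is the shared page from step IV in machine-readable form: whoever maintains it adds a line, and everyone else regenerates their .webloc files from it rather than hand-dragging icons out of the browser.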

~ ~ ~ ~ ~
Adware = Malware. That's the fact of the matter. I'm not going to debate the issue.

In the case of the 'MacUpdate Installer' adware vehicle, its particular malware name is:

Adware.OSX.InstallMiez.A

As per usual, some anti-malware providers may give it a different name. But that is the most commonly used 'official' name.


I've seen references to it going back to August of this year. I note that it has been bundled into fake installers for many different applications, but also into WAREZ and KEYGEN software. So if you're pirating stuff, surprise.

Reading through its installer dialog, it is quite clear that it was NOT written by someone whose first language is English. The spelling and grammatical errors suggest to me someone in Eastern Europe or Israel. But that's not for certain. Rather than guess any further, I'm going to wait for further analysis of this thing from the security experts. It may be associated with an adware distribution company or an advertising agency.


So You've Installed Adware. Now What?!

 You download and run the free version of Malwarebytes Anti-Malware. The majority of it was developed by my colleague Thomas Reed. He now works for Malwarebytes and his excellent AdwareMedic application has become Malwarebytes Anti-Malware. You can download it from here:

Malwarebytes Anti-Malware 

Install it. Run it. Let it update its malware definitions off the Internet. Then hit the 'Scan' button. It will go searching through your system to find all reported Mac adware and help you remove the awful stuff.

If you've used AdwareMedic before, you'll notice that Malwarebytes Anti-Malware takes a bit longer to run. That's because the proliferation of adware on Mac has been accelerating.

If your adware infestation hasn't been removed, be sure to click 'Next Steps' inside Malwarebytes Anti-Malware for documentation about what to try next, including sending a system summary to Malwarebytes in order to track down new adware and where it infects itself.

The 'Get Help' button in Malwarebytes Anti-malware offers its 12 page User Guide.

Note that most of the other commercial anti-malware applications will also identify this adware, including my fave, Intego VirusBarrier. 
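A manual triage step to go with the scanner, and the concrete reason the admin-password prompt in the two posts above matters: an installer that has been given an administrator password can write to /Library/LaunchAgents and /Library/LaunchDaemons, the places launchd starts jobs from at login and at boot, so listing what is there and when it changed is the quickest way to see what the 'special offers' actually left behind. This is an added Python 3 example, not code from the blog, Malwarebytes or MacUpdate. The 'suspicious' rule is a heuristic of mine (a third-party label whose program lives outside the system directories), not a detection signature, and the two sample jobs it scans are constructed, not captured from real adware.

```python
"""Added example (not the blog's, Malwarebytes' or MacUpdate's code): list
launchd jobs in the locations an installer given an admin password can write
to, and flag the ones worth a second look. Python 3, standard library only."""
import plistlib
import tempfile
import time
from pathlib import Path

# Apple's own jobs are labelled com.apple.* and run binaries from these roots;
# a third-party label whose program lives elsewhere is where adware tends to
# persist. This is a triage heuristic, not a detection signature.
SYSTEM_ROOTS = ("/System/", "/usr/bin/", "/usr/sbin/", "/usr/libexec/", "/bin/", "/sbin/")


def launchd_dirs():
    """Where launchd looks: per-user agents (no password needed) and the two
    system-wide directories that an admin password unlocks."""
    return [
        Path.home() / "Library/LaunchAgents",
        Path("/Library/LaunchAgents"),
        Path("/Library/LaunchDaemons"),
    ]


def job_program(job):
    """Executable a job runs: Program wins, else ProgramArguments[0]."""
    if job.get("Program"):
        return str(job["Program"])
    args = job.get("ProgramArguments") or []
    return str(args[0]) if args else ""


def is_suspicious(job):
    if str(job.get("Label", "")).startswith("com.apple."):
        return False
    return not job_program(job).startswith(SYSTEM_ROOTS)


def scan_dir(directory, newer_than_days=None):
    """One record per .plist; a file plistlib cannot parse is reported too,
    since a deliberately malformed plist is itself worth a look."""
    records = []
    directory = Path(directory)
    if not directory.is_dir():
        return records
    cutoff = None if newer_than_days is None else time.time() - newer_than_days * 86400
    for path in sorted(directory.glob("*.plist")):
        mtime = path.stat().st_mtime
        if cutoff is not None and mtime < cutoff:
            continue
        record = {"path": str(path),
                  "modified": time.strftime("%Y-%m-%d %H:%M", time.localtime(mtime))}
        try:
            with path.open("rb") as fh:
                job = plistlib.load(fh)
        except Exception as exc:
            record.update(label="", program="", error=repr(exc), suspicious=True)
        else:
            record.update(label=str(job.get("Label", "")),
                          program=job_program(job),
                          run_at_load=bool(job.get("RunAtLoad", False)),
                          suspicious=is_suspicious(job))
        records.append(record)
    return records


def sample_scan():
    """Scan two constructed jobs (not captured from real adware): one that
    looks like Apple's, one that looks like a 'special offer' left behind."""
    benign = {"Label": "com.apple.example",
              "Program": "/System/Library/CoreServices/example", "RunAtLoad": True}
    dubious = {"Label": "com.example.offers",
               "ProgramArguments": ["/Users/Shared/.offers/updater", "--quiet"],
               "RunAtLoad": True, "KeepAlive": True}
    with tempfile.TemporaryDirectory() as tmp:
        for job in (benign, dubious):
            with (Path(tmp) / (job["Label"] + ".plist")).open("wb") as fh:
                plistlib.dump(job, fh)
        return scan_dir(tmp)


if __name__ == "__main__":
    for directory in launchd_dirs():
        for rec in scan_dir(directory, newer_than_days=30):
            print("!!" if rec["suspicious"] else "  ", rec["modified"], rec["label"], rec["program"])
```

Run it with the 30-day window right after a suspect install and the flagged rows are what to hand to Malwarebytes' 'Next Steps' report or to remove by hand; a flagged row is a prompt to look, not proof, because legitimate third-party software (Dropbox, Google's updater) persists the same way.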

I'll continue to watch this situation and provide further information and suggestions when I believe they'd be relevant and helpful.

Stay safe and free of marketing morons! (As opposed to beloved marketing mavens).

:-Derek 


--