Friday, August 22, 2014

What Life's Like On The Other Side:
Fragmandroid Illustrated

--

I've never been one to start computer warz, only to satirize them and righteously defend Apple when they deserve it. But I saw this graphic today and have to share it. Warning: It's nauseating.

This isn't the latest boring modern-art demonstration of how to paint a rectangle. This is a graphic showing the fragmentation of Google's Android operating system, per device. Click to view the graphic in its full incredible gory.

Google let this happen. Damn them.

And there's lots MORE. You'll find further interactive graphics and explanation over at OpenSignal's brilliant article:


As I posted over at MacDailyNews' summary article on the subject, pointedly in Google's direction:

OMF: How did you allow this to happen Google? HOW?

Smugness your way out of this catastrophe of technology. Nausea provoking. A rat’s nest of insecurity.

Thank you OpenSignal for so elegantly and blatantly pointing out what life's like on the other side. There's not much green over that hill! Good gawd.

Meanwhile, here's the iOS situation in comparison to versions of Android in the wild:


What is there to say?
Except, hurray for iOS.
--


Wednesday, August 13, 2014

CRITICAL New Adobe and Apple Updates:
Adobe Flash, Adobe AIR and Apple Safari

--

Both Apple and Adobe have provided critical updates this week:

I. ADOBE UPDATES

Adobe Flash v14.0.0.176
Adobe AIR v14.0.0.178

Adobe released 'second Tuesday of the month' updates for Adobe Reader, Adobe Flash and Adobe AIR. Both Flash and AIR include CRITICAL security updates for OS X users.

Adobe's security bulletin for Flash and AIR can be found HERE.

These updates resolve memory leakage vulnerabilities that could be used to bypass memory address randomization (CVE-2014-0540, CVE-2014-0542, CVE-2014-0543, CVE-2014-0544, CVE-2014-0545). These updates resolve a security bypass vulnerability (CVE-2014-0541). These updates resolve a use-after-free vulnerability that could lead to code execution (CVE-2014-0538).
Keep in mind that every security update of Flash means there is also a security update of AIR.


II. APPLE UPDATES

Apple Safari v6.1.6
Apple Safari v7.0.6

Both updates are available using "Software Update" in the Apple menu of OS X. Quoting from Apple's security content documentation for the updates: 
WebKit

Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.4

Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution

Description: Multiple memory corruption issues existed in WebKit. These issues were addressed through improved memory handling.
IOW: The usual bad memory management security holes, the curse of contemporary coding. I'm hoping that Apple's new Swift programming language will end this trend.

The CVEs patched are: 

CVE-2014-1384
CVE-2014-1385
CVE-2014-1386
CVE-2014-1387
CVE-2014-1388
CVE-2014-1389
CVE-2014-1390




* You can check out CVEs (Common Vulnerabilities and Exposures) using the "CVE Search" link on the right of this page.

--

Wednesday, August 6, 2014

Upcoming Changes In Apple's Gatekeeper Security

--

Apple started providing 'Gatekeeper' with OS X 10.7.5 and 10.8 Mountain Lion. You can see its settings in the Security & Privacy preference pane, under the General tab.


It's a bad idea to have it set to allow applications from 'Anywhere'. Don't do that! But I find it too restrictive to only download from the Mac App Store. I continue to use many wonderful apps that are never going to be available directly from Apple. Therefore, I personally prefer to leave Gatekeeper set to allow apps from the "Mac App Store and identified developers."

What's changing in the OS X Mavericks 10.9.5 update as well as 10.10 Yosemite is further scrutiny of the "identified developers." The GUI for Gatekeeper will remain the same. The change is in the code signature itself, not in the developer's certificate: Gatekeeper will require the newer "version 2" signature format, which covers more of an app bundle's contents, and developers will have to re-sign their applications on OS X 10.9 or later to produce it. Users may well find that previously 'identified' apps carrying the older version 1 signatures won't pass muster and will cause OS X to reject them until the developer ships a re-signed build.

You can read the gory details in Apple's Technical Note TN2206: OS X Code Signing In Depth. Skip ahead through the document to the section heading Changes in OS X 10.9.5 and Yosemite Developer Preview 5.
If your team is using an older version of OS X to build your code, re-sign your app using OS X version 10.9 or later using the codesign tool to create version 2 signatures. Apps signed with version 2 signatures will work on older versions of OS X….  
Important: To ensure your current and upcoming releases work properly with Gatekeeper, test on OS X version 10.10 (Seed 5 or later) and OS X version 10.9.5.
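As an added example (not from Apple's technote or from this post), here is a small POSIX shell helper that tells you which kind of signature an app carries, by reading what `codesign --display --verbose=4` prints, and then asks Gatekeeper's own policy engine with `spctl --assess`. It assumes the label text codesign prints on 10.9 ("Sealed Resources version=2" for the new format, "code object is not signed at all" for unsigned code) and that spctl reports "accepted" or "rejected"; the `/Applications/Example.app` path and the Developer ID name are placeholders.

```shell
#!/bin/sh
# Added example: classify an app's code signature and ask Gatekeeper about it.
# Assumes codesign's 10.9 output labels ("Sealed Resources version=2",
# "code object is not signed at all") and spctl's "accepted"/"rejected" lines.

# classify_signature: read a `codesign --display --verbose=4` dump on stdin and
# print one of: unsigned, v2, v1 (signed, but old resource envelope), unknown.
classify_signature() {
    dump=$(cat)
    if printf '%s\n' "$dump" | grep -q 'code object is not signed'; then
        echo unsigned
    elif printf '%s\n' "$dump" | grep -q 'Sealed Resources version=2'; then
        echo v2
    elif printf '%s\n' "$dump" | grep -q 'Sealed Resources'; then
        echo v1
    else
        echo unknown
    fi
}

# gatekeeper_verdict: reduce `spctl --assess` output (stdin) to one word.
# spctl prints "<path>: accepted" plus a "source=" line, or "<path>: rejected".
gatekeeper_verdict() {
    out=$(cat)
    case "$out" in
        *": accepted"*) echo accepted ;;
        *": rejected"*) echo rejected ;;
        *)              echo unknown ;;
    esac
}

# check_app: run both checks on a real bundle. Only meaningful on OS X, where
# codesign and spctl exist. The default path is a placeholder.
check_app() {
    app="${1:-/Applications/Example.app}"
    sig=$(codesign --display --verbose=4 "$app" 2>&1 | classify_signature)
    gk=$(spctl --assess --type execute --verbose=4 "$app" 2>&1 | gatekeeper_verdict)
    echo "$app: signature=$sig gatekeeper=$gk"
    # A v1 result (or a Gatekeeper rejection) means the app needs re-signing on
    # 10.9 or later with the developer's own identity, per TN2206 (placeholder name):
    #   codesign --force --sign "Developer ID Application: Your Name" "$app"
}

# Usage: sh gatekeeper_check.sh /Applications/SomeApp.app
if [ -n "${1:-}" ]; then
    check_app "$1"
fi
```

Run it against each third-party app you rely on before installing 10.9.5: a `v1` result with `gatekeeper=rejected` is exactly the case the technote warns about, and on 10.9.5 the rejection reason spctl prints for the old format mentions an obsolete resource envelope. Nothing here changes the app; it only reports, so it is safe to run on anything in /Applications.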
There are several articles discussing this change. Here is one, cited over at MacDailyNews, from Richard Mallion at the AmSys blog in the UK:

Gatekeeper changes coming

:-Derek


Friday, June 13, 2014

Apple Device Ransom Attack Revelations

--


Recently there has been what appears to be a series of attacks on Apple devices, both OS X and iOS, from various sources. I had been watching the issue, but it wasn't amounting to a serious problem. That changed earlier this week when a pair of hackers were arrested in Russia for attempting to pull off a real working ransom scheme. A couple of my colleagues have written up articles about the situation. I would like to draw your attention to them as well as the subject in general.

Originally, this was considered to be one attacker using the moniker of 'Oleg Pliss' performing what I considered to be merely a proof-of-concept attack. The kidnapped Apple devices had messages pop up telling victims to send money to a PayPal account that never existed.

Then this happened:

Hackers suspected of holding Apple devices to ransom detained in Russia
Russian authorities say they have detained two young hackers who are alleged to have hijacked Apple devices and digitally held them ransom. 
The hackers - aged 17 and 23 - were detained in the course of "operational activities" by the Russian Interior Ministry, Russia's Ministry of Internal Affairs said. They are both residents of the southern administrative district of Moscow and one has been tried before, it said. 
According to Russian media outlet MKRU,  the hackers were caught by CCTV when they withdrew victims' ransom money from an ATM.
. . . 
It appears that just over a week before Australian users began reporting similar hijacking attacks, a Russian publication reported Russian citizens were being targeted. The same hackers then may have used their techniques to hijack Australian devices although it may have been copycats.
The first impression was that these were the hackers passing as "Oleg Pliss". But there are strong indications that they are not. Their scheme turns out to be significantly different from and more elaborate than the "Oleg Pliss" attack. As The Sydney Morning Herald article above indicates, their attack predates the "Oleg Pliss" attack. Details are still being collected regarding exactly what they were doing. But here are a few details:
…The hackers used two "well-established" schemes to conduct their activities.  
"The first was to gain access to the Apple ID of a victim's account by creating phishing pages, [gaining] unauthorised access to email, or using social engineering techniques," the Ministry of Internal Affairs said. "The second scheme was aimed at binding ... devices to a pre-arranged account." 
The pre-arranged account was one that hackers owned then "leased", or sold, to users by offering movies and music. But in order to access the content, users needed to link their devices to the account, which left the devices vulnerable to being hijacked by hackers who knew the log-in details.
This wasn't any proof-of-concept attack. It was serious and working, until the Russian police caught the two red-handed.

Until such time as Apple makes changes to its 'Find My iPhone' and 'Find My Mac' system, this ransom scheme is likely to happen again. Note that the 'locked' iOS devices are entirely recoverable as long as the users have followed The #1 Rule of Computing and have made a backup: wipe and restore. Two further points worth knowing: an iOS device that already has its own passcode set keeps that passcode when Lost Mode is triggered, so the attacker cannot lock you out with a new one, which makes a device passcode the cheapest defense there is; and a Mac locked through Find My Mac is a tougher case, since the lock is a firmware PIN chosen by whoever triggered it, and getting past it means a trip to Apple with proof of purchase. Sadly, as usual, there will be the newbie, granny and LUSER factors that will mean trouble for those users. That's going to potentially be a big problem. We'll see how it goes. I don't want to FUD the situation, but the ransom problem is now very real for Apple users. So keep your eyes open and keep your Apple ID information safe from hackers while we wait for further revelations.

Current details are available in articles by my colleagues Thomas Reed and Topher Kessler:

Russian iCloud hackers arrested


Russian hackers arrested in possible ‘Oleg Pliss’ iOS ransom attack




--

Tuesday, June 10, 2014

Adobe Patch Tuesday Security Hole Circus

--

Another Adobe Patch Tuesday, another pile of security holes we didn't know were there all along.

I decided to take another tack in my attack against Adobe's crapware. Below is a rant I posted up on MacUpdate along with my half-star rating of Adobe's Flash Internet plug-in.


~ ~ ~

This is why I hate Flash, this stuff, this constant insecurity STUFF:

"These updates resolve cross-site-scripting vulnerabilities (CVE-2014-0531, CVE-2014-0532, CVE-2014-0533).


"These updates resolve security bypass vulnerabilities (CVE-2014-0534, CVE-2014-0535).


"These updates resolve a memory corruption vulnerability that could result in arbitrary code execution (CVE-2014-0536)."


These are all the security holes patched in this update. This profound patching happens with EVERY update. And we know damned well that there are a hundred+ MORE security holes in this crap code that haven't been patched yet. Could this crap be programmed any WORSE? And Adobe dares defend the use of Flash on the Internet. Shut up Adobe and kill this skanky thing DEAD already! 


Oh and did you know that Adobe incorporates an old, unpatched, security hole riddled, zero-day attack prone version of Flash in their crappy Shockwave Internet plug-in, and that Adobe don't give a rat's about the consequences? IASSOTS Adobe.


ADVICE: Don't install EITHER Flash OR Shockwave if you want to stay safe on the Internet. They're the #2 and #3 MOST dangerous software a Mac user can run, close behind Oracle's crap Java Internet plug-in.

~ ~ ~

I think that gets the point across.

STILL no new Shockwave update. How dare you Adobe? After all the flood of hate from the Internet community about your implementation of Flash in Shockwave you do N O T H I N G ? We got the message. You hate your customers.


Oh and, as per usual, if there are Flash security holes, there are AIR security holes. If you still are forced to use this crapware, be sure to update BOTH.


What DO you care about Adobe? Besides the money?


--




Friday, June 6, 2014

Heartbleed Bug Part 3.
OR: More OpenSSL Shoes Keep Dropping
And They Hurt!

--

[Updated June 7th at ~10:45 am, thanks to assistance from my colleague Al Varnell.]

I've been delaying writing up another sequel in my Heartbleed Bug series of articles. Today's revelations kicked me back into gear. This is insane and soooo disappointing:

Stop. Put down the cup. Six new bugs found in OpenSSL – including a hole for snoopers
On a scale of 1 to Heartbleed, this is a 7

I could link to more professional reports of this new OpenSSL mess. But the subject deserves The Register's harsh *snark* treatment. (O_o)
OpenSSL today pushed out fixes for six security vulnerabilities – including a flaw that enables man-in-the-middle (MITM) eavesdropping on encrypted connections, and another that allows miscreants to drop malware on at-risk systems.
[Expletives Deleted], this is awful

Here is the list of security holes:

https://www.openssl.org/news/secadv_20140605.txt

The worst of these six holes, quoting The Register:
A DTLS invalid fragment bug (CVE-2014-0195, affects versions 0.9.8, 1.0.0 and 1.0.1) can be used to inject malicious code into vulnerable software on apps or servers.
. . . .

An SSL/TLS MITM vulnerability (CVE-2014-0224, potentially affects all clients, and servers running 1.0.1 and 1.0.2-beta1) is arguably worse.
. . . . 
All OpenSSL users should be updating.
For Mac users, the ramification is that Apple has some patching to do! At this time, OS X ships OpenSSL v0.9.8y (run `openssl version` in Terminal and you'll see it). That release is affected by the CVE-2014-0195 DTLS hole, although only software that actually speaks DTLS is exposed to it, and, like every OpenSSL release, it is vulnerable on the client side to the CVE-2014-0224 MITM flaw, which is the one that should worry you. That's very bad. Apple has to patch EVERY version of OS X, including 10.9.3. Hopefully, the upcoming 10.9.4 update will have either updated or entirely removed OpenSSL.

As of OS X 10.7.x, Apple deprecated OpenSSL in favor of its own CommonCrypto and Secure Transport APIs. However, Apple still ships OpenSSL v0.9.8y within OS X for occasions when those are not suitable. My colleague Al Varnell left a comment below regarding why Apple still integrates OpenSSL:
My reading of why Apple provides openssl 0.9.8y is as a convenience to third party developers that rely on openssl for whatever reasons and that it never uses it for any OS X or Apple apps, so I don't know that they will be in any hurry to replace it.
Theoretically, Apple will release a new 2014 Security Update to solve their OpenSSL problems. Keep an eye out.

NOTE: X11 applications and services also use OpenSSL, and package managers such as MacPorts, Fink and Homebrew install their own copies of OpenSSL, entirely separate from the one Apple ships. Therefore, if you have installed any X11/XQuartz/Fink/MacPorts stuff, UPDATE THEM NOW. You know what to do. (I don't cover X11 apps in this blog as it is beyond the scope of my intended audience).

Update: Al Varnell notes:
I did check early yesterday morning and MacPorts had already updated their version to 1.0.1h which is the newly recommended version to fix all currently known issues. That might be one quick way of reducing risk. 
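Since a Mac can easily have two or three OpenSSL copies (Apple's 0.9.8y in /usr/bin plus whatever MacPorts or Homebrew installed), here is an added example, my own rather than anything from the OpenSSL advisory or from Al, that reads an `openssl version` string and says whether it is at or past the release level that closes this advisory. The fixed levels are the advisory's own: 0.9.8za, 1.0.0m and 1.0.1h; 1.0.2 only existed as beta1 at the time and is treated as affected. The version strings in the comments are constructed to match the format `openssl version` prints, and the /opt/local and /usr/local paths are assumptions about where a package manager would put its binary.

```shell
#!/bin/sh
# Added example: is this OpenSSL at or past the June 2014 fix level?
# Fixed releases per https://www.openssl.org/news/secadv_20140605.txt:
# 0.9.8za, 1.0.0m, 1.0.1h. Anything older, and 1.0.2-beta1, is affected.

# letters_ge A B: OpenSSL patch letters sort a..z, then za, zb, ... so a
# longer suffix is newer; equal length falls back to plain string order.
# Exit status 0 means A >= B.
letters_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        la = length(a); lb = length(b)
        if (la != lb) exit (la > lb ? 0 : 1)
        exit (a >= b ? 0 : 1)
    }'
}

# is_fixed_openssl "OpenSSL 0.9.8y 5 Feb 2013": exit 0 if fixed, 1 if affected.
# Handles suffixes like "1.0.1e-fips" by dropping everything from the dash.
is_fixed_openssl() {
    v=$(printf '%s\n' "$1" | awk '{print $2}')
    base=$(printf '%s\n' "$v" | sed -e 's/-.*$//' -e 's/[a-z]*$//')
    patch=$(printf '%s\n' "$v" | sed -e 's/-.*$//' -e 's/^[0-9.]*//')
    case "$base" in
        0.9.8) fixed=za ;;
        1.0.0) fixed=m ;;
        1.0.1) fixed=h ;;
        *)     return 1 ;;   # 1.0.2-beta1, or a branch with no fix at all
    esac
    letters_ge "$patch" "$fixed"
}

# openssl_status: one-word verdict for a version string.
openssl_status() {
    if is_fixed_openssl "$1"; then echo "fixed"; else echo "AFFECTED, update"; fi
}

# check_local_openssl: report every OpenSSL binary a Mac typically carries.
# Apple's lives in /usr/bin; MacPorts and Homebrew copies are separate
# libraries (assumed paths) and must be updated separately.
check_local_openssl() {
    for bin in /usr/bin/openssl /opt/local/bin/openssl /usr/local/bin/openssl; do
        [ -x "$bin" ] || continue
        ver=$("$bin" version 2>/dev/null) || continue
        echo "$bin: $ver -> $(openssl_status "$ver")"
    done
}

# Usage: sh openssl_check.sh --check
if [ "${1:-}" = "--check" ]; then
    check_local_openssl
fi
```

On a stock 10.9.3 Mac the Apple line comes back "OpenSSL 0.9.8y 5 Feb 2013 -> AFFECTED, update", and a MacPorts line at 1.0.1h comes back "fixed", which is the quick reduction of risk Al describes above. Remember that the binary's version only tells you about that library: apps that bundle their own OpenSSL (many cross-platform ones do) have to be checked and updated on their own.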
~ ~ ~ ~ ~

Meanwhile, back to the Heartbleed Bug:

Several resources have been made available to help Mac users sort out:

A) What websites are still unpatched.
B) What websites are/were affected.
C) What websites require users to create a new password due to the bug.

My colleague Josh Long has put together an excellent list of Heartbleed Bug affected and unaffected websites. Save it to your desktop and refer to it as you surf the net. Or go through the list of websites you log into and check whether you must change your password there or not:

Heartbleed Affected More Sites Than You Realized
Given the enormity of this list, I strongly recommend that you search within this page for any sites you use, rather than trying to look through it alphabetically. Please note that there are several sections. Be sure to especially look at the first two sections; if you use any sites listed in those sections, you'll want to change your passwords for those sites (and anywhere else you may have shared the same password) as soon as possible.
Josh provides the following sections in his Heartbleed list:
  • Change Passwords NOW
  • Change Passwords NOW (but make sure you do it while connected to a trusted network) [IOW: Not while on an open Wi-Fi hub]
  • Unknown/Ambiguous
  • Known Safe - No Password Change Needed (according to the company and/or third-party tests)
  • Further Notes and Explanations
  • Other Lists of Current/Past Allegedly Affected Sites
  • Test Pages - How to Check Whether a Site Is/Was Vulnerable
Another tool I've found is the Chromebleed add-on for Chrome and other Chromium-based browsers:

https://chrome.google.com/webstore/detail/chromebleed/eeoekjnjgppnaegdjbcafdggilajhpic

If readers find other such tools, please let us know in the comments! Thanks.

:-Derek
--



Wednesday, May 28, 2014

Apple Fumbles Again:
Software Update Broken Because
Apple Neglected To Update SSL Certificate

--

This crisis has ended, but…

Oh, if only I was the security boss over at Apple these days, my guillotine would be rusty with blood. Fumbling Bumbling Buffoonery. Better not hire me Apple.

But I digress. Check out these articles over at MacRumors and MacWorld (which itself has had recent severe incidents of fumbling and bumbling) about Apple breaking their Software Update system by way of forgetting to update its SSL security certificate. This is pure idiocy by Apple. Idiocy.

Apple Forgets to Renew SSL Certificate, Breaking OS X Software Update

Apple neglects to renew SSL certificate, breaks Software Update in the process

Apple, do you have a higher priority than user security?

No you do not.

Get your act together please. This is a trend. It deserves loud computer community criticism.


--