Monday, February 2, 2015

CRITICAL Adobe Flash FAIL Yet-Again:
Third Zero-Day Attack ITW In Three Weeks

--

[UPDATE 3: Adobe's patched version of Flash Player, v16.0.0.305, is now universally available. I added the link and summary text of their relevant security document below. Apple also updated XProtect to prevent use of earlier, vulnerable versions of Flash Player. Thank you Apple! 

And there is peace again across our land for at least this day. But the wary eye remains ever vigilant.

Update 2: Adobe Flash Player v16.0.0.305 is now available directly from Adobe's website:

https://get.adobe.com/flashplayer/

Please download and install now in order to avoid the ongoing exploit of previous versions of Flash.

Update 1: Adobe updated their related security statement on Wednesday:

(February 4): Users who have enabled auto-update for the Flash Player desktop runtime will be receiving version 16.0.0.305 beginning on February 4. This version includes a fix for CVE-2015-0313. Adobe expects to have an update available for manual download on February 5, and we are working with our distribution partners to make the update available in Google Chrome and Internet Explorer 10 and 11.
]

~ ~ ~ ~ ~


There is an exploit of older versions of Adobe Flash Player active in-the-wild (ITW). Adobe has now provided Flash Player version v16.0.0.305 at its website, as noted in the updates above. Please download and install the update ASAP!

My pal and collaborator Al V notes that Apple has updated their XProtect system in OS X to disable exploited/vulnerable versions of Flash Player, those being earlier than 16.0.0.305 and 13.0.0.269.
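
The version cut-offs above can be checked mechanically. This is an added shell example (not Adobe's or Apple's code) that compares a Flash Player version string, field by field, against the fixed releases named in Adobe's bulletin APSB15-04 (16.0.0.305, 13.0.0.269 for the Extended Support Release, 11.2.202.442 for Linux) and, on a Mac, reads the version of any installed plug-in. The function names, the system-wide plug-in path and the use of the CFBundleVersion key are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Adobe's or Apple's code): decide whether a Flash Player
# version string is at or above the fixed releases named in APSB15-04.

FIX_DESKTOP=16.0.0.305   # Windows/Macintosh desktop runtime
FIX_ESR=13.0.0.269       # Extended Support Release
FIX_LINUX=11.2.202.442   # Linux

# valid_version V: succeed only for dotted decimal strings such as 16.0.0.296.
valid_version() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    return 0
}

# ver_lt A B: succeed if A is strictly lower than B, comparing field by field
# as integers (a plain string compare would rank 16.0.0.1000 below 16.0.0.305).
ver_lt() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        x=${x:-0}; y=${y:-0}          # a missing field counts as 0
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
    done
    return 1                          # equal versions are not "lower"
}

# flash_status VERSION [mac|windows|linux]
# Prints one of: patched, needs-update, invalid.
flash_status() {
    v=$1 platform=${2:-mac}
    if ! valid_version "$v"; then echo invalid; return 0; fi
    if [ "$platform" = linux ]; then
        min=$FIX_LINUX
    elif [ "${v%%.*}" -eq 13 ]; then
        min=$FIX_ESR                  # 13.x is the ESR branch
    else
        min=$FIX_DESKTOP
    fi
    if ver_lt "$v" "$min"; then echo needs-update; else echo patched; fi
}

# installed_flash_versions: print the CFBundleVersion of each Flash plug-in
# bundle found. The per-user path is the one given on this page; the
# system-wide path and the CFBundleVersion key are assumptions of this example.
installed_flash_versions() {
    for dir in "$HOME/Library/Internet Plug-Ins" "/Library/Internet Plug-Ins"; do
        plist="$dir/Flash Player.plugin/Contents/Info.plist"
        if [ -f "$plist" ] && [ -x /usr/libexec/PlistBuddy ]; then
            /usr/libexec/PlistBuddy -c 'Print :CFBundleVersion' "$plist"
        fi
    done
    return 0
}

# Constructed sample versions: some appear on this page, the rest are made up
# to exercise the ESR and Linux branches.
for sample in 16.0.0.257 16.0.0.296 16.0.0.305 13.0.0.264 13.0.0.269; do
    printf '%-14s %s\n' "$sample" "$(flash_status "$sample" mac)"
done
printf '%-14s %s\n' 11.2.202.440 "$(flash_status 11.2.202.440 linux)"

# On a Mac with Flash installed, report the real plug-in as well.
for found in $(installed_flash_versions); do
    printf 'installed %s: %s\n' "$found" "$(flash_status "$found" mac)"
done
```

On a machine without the plug-in the last loop prints nothing, which is the outcome the advice further down this page aims for.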


• Here is Adobe's full security bulletin about the zero-day and update:

https://helpx.adobe.com/security/products/flash-player/apsb15-04.html
Summary

Adobe has released security updates for Adobe Flash Player for Windows, Macintosh and Linux.  These updates address vulnerabilities that could potentially allow an attacker to take control of the affected system.  

Adobe is aware of reports that CVE-2015-0313 is actively being exploited in the wild via drive-by-download attacks against systems running Internet Explorer and Firefox on Windows 8.1 and below.  Adobe recommends users update their product installations to the latest versions: 

Users of the Adobe Flash Player desktop runtime for Windows and Macintosh should update to Adobe Flash Player 16.0.0.305

Users of the Adobe Flash Player Extended Support Release should update to Adobe Flash Player 13.0.0.269. 

Users of Adobe Flash Player for Linux should update to Adobe Flash Player 11.2.202.442. 

Adobe Flash Player installed with Google Chrome, as well as Internet Explorer on Windows 8.x, will automatically update to version 16.0.0.305.

• Here is Adobe's earlier alert about the zero-day exploit:

https://helpx.adobe.com/security/products/flash-player/apsa15-02.html
Summary

A critical vulnerability (CVE-2015-0313) exists in Adobe Flash Player 16.0.0.296 and earlier versions for Windows and Macintosh.  Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system.  We are aware of reports that this vulnerability is being actively exploited in the wild via drive-by-download attacks against systems running Internet Explorer and Firefox on Windows 8.1 and below.

Adobe expects to release an update for Flash Player during the week of February 2.

A relevant article on the attack over at Forbes:

Hackers Abuse Another Adobe Zero-Day To Attack Thousands Of Web Users
Visitors to any affected site would have been redirected to an attacker-controlled page where an exploit kit would attempt to compromise the target system by targeting the Adobe Flash zero-day.

My brief advice:

Have a Flash blocking add-on in ALL your web browsers. ALL.

Safari has its own Flash blocking system which you can reach in its Preferences here:

1) Preferences: Security: Manage Website Settings... (button):

2) On the left of the pane, choose 'Adobe Flash Player'.

3) On the resulting right side:

- a) REMOVE all 'Configured Websites' using the minus (-) button.

- b) Set 'When visiting other websites' to 'Block' using the popup menu.

This setting forces Safari to put up a 'blocked' notice. You can then click that notice to approve each individual website you visit. Just remember that at this point some very prominent, usually safe websites are being compromised with this zero-day. Be extremely careful what you unblock.

OR: Just UNINSTALL nasty Flash. POS.


--

ADDENDUM:

Snarky The Register posted a fun and poignant article on the subject:

According to Trend Micro, the Angler exploit kit was updated to leverage this particular flaw, and used to inject malware into PCs visiting web video site dailymotion.com via a dodgy ad network. 
Web browsers were told to fetch retilio.com/skillt.swf, which was booby-trapped to exploit the zero-day security hole. 
"So far we’ve seen around 3,294 hits related to the exploit, and with an attack already seen in the wild, it’s likely there are other attacks leveraging this zero-day, posing a great risk of system compromise to unprotected systems," said Peter Pi, threats analyst at Trend. . . .
The worst, very worst, part of it all is that Steve Jobs was right. ® 
(^_^)

Tuesday, January 27, 2015

OS X 10.10.2 Yosemite, Safari Updates and
Security Update 2015-001 From Apple:
58 New Security Patches

--

[Update: The link to Apple's security document for 10.10.2 & 2015-001 has been added below.]

Apple has released the latest OS X update to OS X 10.10.2 Yosemite as well as Security Update 2015-001. Included with these updates are new updates of Safari with its own security patches. There is a total of 58 new security patches. You can obtain the updates via the Updates tab in the App Store application or eventually at:

http://www.apple.com/support/downloads/


Below, I have provided the full Apple security documents for 10.10.2, Security Update 2015-001 and Safari. You can also access them at Apple's website:


The security content document for OS X 10.10.2 Yosemite as well as Security Update 2015-001 can be found at:

http://support.apple.com/en-us/HT204244

The security content document for Safari 8.0.3, 7.1.3 and 6.2.3 is available at:


https://support.apple.com/kb/HT204243


I've highlighted the CVE numbers in Apple's OS X 10.10.2 security document. (CVE = Common Vulnerabilities and Exposures). If you'd like more information about any of the CVEs, use the link on the right of this page marked 'CVE Search'. It will take you to the search page at Mitre.org. If you can't find a specific CVE there or the CVE has no description, it is because the developer of the affected software has requested that the CVE information not yet be made public.


~ ~ ~ ~ ~

APPLE-SA-2015-01-27-4 
OS X 10.10.2 and Security Update 2015-001

OS X 10.10.2 and Security Update 2015-001 are now available and address the following:

AFP Server
Available for:  OS X Mavericks v10.9.5
Impact:  A remote attacker may be able to determine all the network addresses of the system
Description:  The AFP file server supported a command which returned all the network addresses of the system. This issue was addressed by removing the addresses from the result.
CVE-ID
CVE-2014-4426 : Craig Young of Tripwire VERT

bash
Available for:  OS X Yosemite v10.10 and v10.10.1 
Impact:  Multiple vulnerabilities in bash, including one that may allow local attackers to execute arbitrary code 
Description:  Multiple vulnerabilities existed in bash. These issues were addressed by updating bash to patch level 57. 
CVE-ID
CVE-2014-6277
CVE-2014-7186
CVE-2014-7187

Bluetooth
Available for:  OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5 
Impact:  A malicious application may be able to execute arbitrary code with system privileges
Description:  An integer signedness error existed in IOBluetoothFamily which allowed manipulation of kernel memory. This issue was addressed through improved bounds checking. This issue does not affect OS X Yosemite systems.
CVE-ID
CVE-2014-4497

Bluetooth
Available for:  OS X Yosemite v10.10 and v10.10.1 
Impact:  A malicious application may be able to execute arbitrary code with system privileges
Description:  An error existed in the Bluetooth driver that allowed a malicious application to control the size of a write to kernel memory. The issue was addressed through additional input validation. 
CVE-ID
CVE-2014-8836 : Ian Beer of Google Project Zero

Bluetooth
Available for:  OS X Yosemite v10.10 and v10.10.1 
Impact:  A malicious application may be able to execute arbitrary code with system privileges
Description:  Multiple security issues existed in the Bluetooth driver, allowing a malicious application to execute arbitrary code with system privilege. The issues were addressed through additional input validation.
CVE-ID
CVE-2014-8837 : Roberto Paleari and Aristide Fattori of Emaze Networks

CFNetwork Cache
Available for:  OS X Yosemite v10.10 and v10.10.1 
Impact:  Website cache may not be fully cleared after leaving private browsing
Description:  A privacy issue existed where browsing data could remain in the cache after leaving private browsing. This issue was addressed through a change in caching behavior.
CVE-ID
CVE-2014-4460

CoreGraphics
Available for:  OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1
Impact:  Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution 
Description:  An integer overflow existed in the handling of PDF files. This issue was addressed through improved bounds checking. 
CVE-ID
CVE-2014-4481 : Felipe Andres Manzano of the Binamuse VRT, via the iSIGHT Partners GVP Program

CPU Software
Available for:  OS X Yosemite v10.10 and v10.10.1, for: MacBook Pro Retina, MacBook Air (Mid 2013 and later), iMac (Late 2013 and later), Mac Pro (Late 2013) 
Impact:  A malicious Thunderbolt device may be able to affect firmware flashing
Description:  Thunderbolt devices could modify the host firmware if connected during an EFI update. This issue was addressed by not loading option ROMs during updates.
CVE-ID
CVE-2014-4498 : Trammell Hudson of Two Sigma Investments

CommerceKit Framework
Available for:  OS X Yosemite v10.10 and v10.10.1 
Impact:  An attacker with access to a system may be able to recover Apple ID credentials
Description:  An issue existed in the handling of App Store logs. The App Store process could log Apple ID credentials in the log when additional logging was enabled. This issue was addressed by disallowing logging of credentials.
CVE-ID
CVE-2014-4499 : Sten Petersen

CoreGraphics
Available for:  OS X Yosemite v10.10 and v10.10.1 
Impact:  Some third-party applications with non-secure text entry and mouse events may log those events
Description:  Due to the combination of an uninitialized variable and an application's custom allocator, non-secure text entry and mouse events may have been logged. This issue was addressed by ensuring that logging is off by default. This issue did not affect systems prior to OS X Yosemite.
CVE-ID
CVE-2014-1595 : Steven Michaud of Mozilla working with Kent Howard

CoreGraphics
Available for:  OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5 
Impact:  Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution 
Description:  A memory corruption issue existed in the handling of PDF files. The issue was addressed through improved bounds checking. This issue does not affect OS X Yosemite systems. 
CVE-ID
CVE-2014-8816 : Mike Myers, of Digital Operatives LLC

CoreSymbolication
Available for:  OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1
Impact:  A malicious application may be able to execute arbitrary code with system privileges
Description:  Multiple type confusion issues existed in coresymbolicationd's handling of XPC messages. These issues were addressed through improved type checking. 
CVE-ID
CVE-2014-8817 : Ian Beer of Google Project Zero

FontParser
Available for:  OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1
Impact:  Processing a maliciously crafted .dfont file may lead to an unexpected application termination or arbitrary code execution 
Description:  A memory corruption issue existed in the handling of .dfont files. This issue was addressed through improved bounds checking.
CVE-ID
CVE-2014-4484 : Gaurav Baruah working with HP's Zero Day Initiative

FontParser
Available for:  OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1
Impact:  Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution 
Description:  A buffer overflow existed in the handling of font files. This issue was addressed through improved bounds checking. 
CVE-ID
CVE-2014-4483 : Apple

Foundation
Available for:  OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1
Impact:  Viewing a maliciously crafted XML file may lead to an unexpected application termination or arbitrary code execution 
Description:  A buffer overflow existed in the XML parser. This issue was addressed through improved bounds checking. 
CVE-ID
CVE-2014-4485 : Apple

Intel Graphics Driver
Available for:  OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1
Impact:  Multiple vulnerabilities in Intel graphics driver 
Description:  Multiple vulnerabilities existed in the Intel graphics driver, the most serious of which may have led to arbitrary code execution with system privileges. This update addresses the issues through additional bounds checks.
CVE-ID
CVE-2014-8819 : Ian Beer of Google Project Zero
CVE-2014-8820 : Ian Beer of Google Project Zero
CVE-2014-8821 : Ian Beer of Google Project Zero

IOAcceleratorFamily
Available for:  OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1
Impact:  A malicious application may be able to execute arbitrary code with system privileges
Description:  A null pointer dereference existed in IOAcceleratorFamily's handling of certain IOService userclient types. This issue was addressed through improved validation of IOAcceleratorFamily contexts.
CVE-ID
CVE-2014-4486 : Ian Beer of Google Project Zero

IOHIDFamily
Available for:  OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1
Impact:  A malicious application may be able to execute arbitrary code with system privileges
Description:  A buffer overflow existed in IOHIDFamily. This issue was addressed with improved bounds checking. 
CVE-ID
CVE-2014-4487 : TaiG Jailbreak Team

IOHIDFamily
Available for:  OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1
Impact:  A malicious application may be able to execute arbitrary code with system privileges
Description:  A validation issue existed in IOHIDFamily's handling of resource queue metadata. This issue was addressed through improved validation of metadata.
CVE-ID
CVE-2014-4488 : Apple

IOHIDFamily
Available for:  OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1
Impact:  A malicious application may be able to execute arbitrary code with system privileges
Description:  A null pointer dereference existed in IOHIDFamily's handling of event queues. This issue was addressed through improved validation of IOHIDFamily event queue initialization. 
CVE-ID
CVE-2014-4489 : @beist

IOHIDFamily
Available for:  OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1
Impact:  Executing a malicious application may result in arbitrary code execution within the kernel
Description:  A bounds checking issue existed in a user client vended by the IOHIDFamily driver which allowed a malicious application to overwrite arbitrary portions of the kernel address space. The issue is addressed by removing the vulnerable user client method. 
CVE-ID
CVE-2014-8822 : Vitaliy Toropov working with HP's Zero Day Initiative

IOKit
Available for:  OS X Yosemite v10.10 and v10.10.1 
Impact:  A malicious application may be able to execute arbitrary code with system privileges
Description:  An integer overflow existed in the handling of IOKit functions. This issue was addressed through improved validation of IOKit API arguments.
CVE-ID
CVE-2014-4389 : Ian Beer of Google Project Zero

IOUSBFamily
Available for:  OS X Yosemite v10.10 and v10.10.1 
Impact:  A privileged application may be able to read arbitrary data from kernel memory
Description:  A memory access issue existed in the handling of IOUSB controller user client functions. This issue was addressed through improved argument validation.
CVE-ID
CVE-2014-8823 : Ian Beer of Google Project Zero

Kernel
Available for:  OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1
Impact:  A malicious application may be able to execute arbitrary code with system privileges
Description:  Specifying a custom cache mode allowed writing to kernel read-only shared memory segments. This issue was addressed by not granting write permissions as a side-effect of some custom cache modes.
CVE-ID
CVE-2014-4495 : Ian Beer of Google Project Zero

Kernel
Available for:  OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1
Impact:  A malicious application may be able to execute arbitrary code with system privileges
Description:  A validation issue existed in the handling of certain metadata fields of IODataQueue objects. This issue was addressed through improved validation of metadata.
CVE-ID
CVE-2014-8824 : @PanguTeam

Kernel
Available for:  OS X Yosemite v10.10 and v10.10.1 
Impact:  A local attacker can spoof directory service responses to the kernel, elevate privileges, or gain kernel execution
Description:  Issues existed in identitysvc validation of the directory service resolving process, flag handling, and error handling. This issue was addressed through improved validation.
CVE-ID
CVE-2014-8825 : Alex Radocea of CrowdStrike

Kernel
Available for:  OS X Yosemite v10.10 and v10.10.1 
Impact:  A local user may be able to determine kernel memory layout 
Description:  Multiple uninitialized memory issues existed in the network statistics interface, which led to the disclosure of kernel memory content. This issue was addressed through additional memory initialization.
CVE-ID
CVE-2014-4371 : Fermin J. Serna of the Google Security Team 
CVE-2014-4419 : Fermin J. Serna of the Google Security Team 
CVE-2014-4420 : Fermin J. Serna of the Google Security Team 
CVE-2014-4421 : Fermin J. Serna of the Google Security Team

Kernel
Available for:  OS X Mavericks v10.9.5
Impact:  A person with a privileged network position may cause a denial of service
Description:  A race condition issue existed in the handling of IPv6 packets. This issue was addressed through improved lock state checking.
CVE-ID
CVE-2011-2391

Kernel
Available for:  OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1
Impact:  Maliciously crafted or compromised applications may be able to determine addresses in the kernel
Description:  An information disclosure issue existed in the handling of APIs related to kernel extensions. Responses containing an OSBundleMachOHeaders key may have included kernel addresses, which may aid in bypassing address space layout randomization protection. This issue was addressed by unsliding the addresses before returning them.
CVE-ID
CVE-2014-4491 : @PanguTeam, Stefan Esser

Kernel
Available for:  OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1
Impact:  A malicious application may be able to execute arbitrary code with system privileges
Description:  A validation issue existed in the handling of certain metadata fields of IOSharedDataQueue objects. This issue was addressed through relocation of the metadata.
CVE-ID
CVE-2014-4461 : @PanguTeam

LaunchServices
Available for:  OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1
Impact:  A malicious JAR file may bypass Gatekeeper checks 
Description:  An issue existed in the handling of application launches which allowed certain malicious JAR files to bypass Gatekeeper checks. This issue was addressed through improved handling of file type metadata.
CVE-ID
CVE-2014-8826 : Hernan Ochoa of Amplia Security

libnetcore
Available for:  OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1
Impact:  A malicious, sandboxed app can compromise the networkd daemon
Description:  Multiple type confusion issues existed in networkd's handling of interprocess communication. By sending networkd a maliciously formatted message, it may have been possible to execute arbitrary code as the networkd process. The issue is addressed through additional type checking.
CVE-ID
CVE-2014-4492 : Ian Beer of Google Project Zero

LoginWindow
Available for:  OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1
Impact:  A Mac may not lock immediately upon wake 
Description:  An issue existed in the rendering of the lock screen. This issue was addressed through improved screen rendering while locked.
CVE-ID
CVE-2014-8827 : Xavier Bertels of Mono, and multiple OS X seed testers

lukemftp
Available for:  OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1
Impact:  Using the command line ftp tool to fetch files from a malicious http server may lead to arbitrary code execution 
Description:  A command injection issue existed in the handling of HTTP redirects. This issue was addressed through improved validation of special characters.
CVE-ID
CVE-2014-8517

OpenSSL
Available for:  OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1
Impact:  Multiple vulnerabilities in OpenSSL 0.9.8za, including one that may allow an attacker to downgrade connections to use weaker cipher-suites in applications using the library 
Description:  Multiple vulnerabilities existed in OpenSSL 0.9.8za. These issues were addressed by updating OpenSSL to version 0.9.8zc. 
CVE-ID
CVE-2014-3566
CVE-2014-3567
CVE-2014-3568

Sandbox
Available for:  OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5 
Impact:  A sandboxed process may be able to circumvent sandbox restrictions
Description:  A design issue existed in the caching of sandbox profiles which allowed sandboxed applications to gain write access to the cache. This issue was addressed by restricting write access to paths containing a "com.apple.sandbox" segment. This issue does not affect OS X Yosemite v10.10 or later. 
CVE-ID
CVE-2014-8828 : Apple

SceneKit
Available for:  OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5 
Impact:  A malicious application could execute arbitrary code leading to compromise of user information
Description:  Multiple out of bounds write issues existed in SceneKit. These issues were addressed through improved bounds checking.
CVE-ID
CVE-2014-8829 : Jose Duart of the Google Security Team

SceneKit
Available for:  OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1
Impact:  Viewing a maliciously crafted Collada file may lead to an unexpected application termination or arbitrary code execution 
Description:  A heap buffer overflow existed in SceneKit's handling of Collada files. Viewing a maliciously crafted Collada file may have led to an unexpected application termination or arbitrary code execution. This issue was addressed through improved validation of accessor elements.
CVE-ID
CVE-2014-8830 : Jose Duart of Google Security Team

Security
Available for:  OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1
Impact:  A downloaded application signed with a revoked Developer ID certificate may pass Gatekeeper checks
Description:  An issue existed with how cached application certificate information was evaluated. This issue was addressed with cache logic improvements.
CVE-ID
CVE-2014-8838 : Apple

security_taskgate
Available for:  OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1
Impact:  An app may access keychain items belonging to other apps 
Description:  An access control issue existed in the Keychain. Applications signed with self-signed or Developer ID certificates could access keychain items whose access control lists were based on keychain groups. This issue was addressed by validating the signing identity when granting access to keychain groups. 
CVE-ID
CVE-2014-8831 : Apple

Spotlight
Available for:  OS X Yosemite v10.10 and v10.10.1 
Impact:  The sender of an email could determine the IP address of the recipient
Description:  Spotlight did not check the status of Mail's "Load remote content in messages" setting. This issue was addressed by improving configuration checking.
CVE-ID
CVE-2014-8839 : John Whitehead of The New York Times, Frode Moe of LastFriday.no

Spotlight
Available for:  OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1
Impact:  Spotlight may save unexpected information to an external hard drive
Description:  An issue existed in Spotlight where memory contents may have been written to external hard drives when indexing. This issue was addressed with better memory management. 
CVE-ID
CVE-2014-8832 : F-Secure

SpotlightIndex
Available for:  OS X Yosemite v10.10 and v10.10.1 
Impact:  Spotlight may display results for files not belonging to the user
Description:  A deserialization issue existed in Spotlight's handling of permission caches. A user performing a Spotlight query may have been shown search results referencing files for which they don't have sufficient privileges to read. This issue was addressed with improved bounds checking.
CVE-ID
CVE-2014-8833 : David J Peacock, Independent Technology Consultant

sysmond
Available for:  OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1
Impact:  A malicious application may be able to execute arbitrary code with root privileges
Description:  A type confusion vulnerability existed in sysmond that allowed a local application to escalate privileges. The issue was addressed with improved type checking.
CVE-ID
CVE-2014-8835 : Ian Beer of Google Project Zero

UserAccountUpdater
Available for:  OS X Yosemite v10.10 and v10.10.1 
Impact:  Printing-related preference files may contain sensitive information about PDF documents
Description:  OS X Yosemite v10.10 addressed an issue in the handling of password-protected PDF files created from the Print dialog where passwords may have been included in printing preference files. This update removes such extraneous information that may have been present in printing preference files.
CVE-ID
CVE-2014-8834 : Apple

Note: OS X Yosemite 10.10.2 includes the security content of Safari 8.0.3. For further details see https://support.apple.com/kb/HT204243

OS X Yosemite 10.10.2 and Security Update 2015-001 may be obtained from the Mac App Store or Apple's Software Downloads web site: http://www.apple.com/support/downloads/

Information will also be posted to the Apple Security Updates web site: http://support.apple.com/kb/HT1222

~ ~ ~ ~ ~

About the security content of Safari 8.0.3, Safari 7.1.3, and Safari 6.2.3

This document describes the security content of Safari 8.0.3, Safari 7.1.3, and Safari 6.2.3. 

Safari 8.0.3, Safari 7.1.3, and Safari 6.2.3

WebKit
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10.1
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in WebKit. These issues were addressed through improved memory handling.
CVE-ID
CVE-2014-3192 : cloudfuzzer
CVE-2014-4476 : Apple
CVE-2014-4477 : lokihardt@ASRT working with HP’s Zero Day Initiative
CVE-2014-4479 : Apple




--




Sunday, January 25, 2015

Adobe Flash Player v16.0.0.296 Critical Update!
Plus: How to update Flash via System Preferences

--

The THIRD version of the Adobe Flash Player plug-in within two weeks is now available. It is critical to UPDATE NOW.


Today's current version of Flash Player plug-in is:


v16.0.0.296


All other versions are being exploited in the wild. Get rid of them now. Or just get rid of Flash altogether.

Adobe's Security Bulletin regarding this update is here:

http://helpx.adobe.com/security/products/flash-player/apsa15-01.html

UPDATE (January 24): Users who have enabled auto-update for the Flash Player desktop runtime will be receiving version 16.0.0.296 beginning on January 24. This version includes a fix for CVE-2015-0311. Adobe expects to have an update available for manual download during the week of January 26, and we are working with our distribution partners to make the update available in Google Chrome and Internet Explorer 10 and 11.

~ ~ ~ ~ ~

Adobe is initially pushing out this Critical update via its Flash Player preferences pane. (Gawd knows why. I consider it laziness). Therefore, here are:

Instructions For Updating Flash Via System Preferences

1) Open System Preferences... under the Apple menu.

2) In the lowest area of System Preferences, find the 'Flash Player' preferences icon and click it. (If you don't have the Flash Player preference pane installed, you either have an ancient version of Flash Player installed or you don't have it installed at all, good for you).

3) In the resulting Flash Player preferences pane, click the 'Advanced' tab.

4) Look down the pane to the 'Updates' area.

5) Click on 'Check Now'.

This will trigger looking for the latest version of Flash Player for OS X. If you need to update, the download and installation process will start. You'll need to close your web browsers for the installation to complete. You can open them again after.

~ ~ ~ ~ ~

Following the instructions above, at least as of today, you should see this:



Note the listed version of the Flash Player plug-in. 16.0.0.296. Further updates will show newer version numbers.

(You may wish to change the radio button from 'Allow Adobe to install updates (recommended)' to 'Notify me to install updates'. I personally choose the second option because the first option requires Adobe's annoying launch daemon to be running 24/7).

BTW: NPAPI and PPAPI are competing Internet plug-in standards. Google created PPAPI and uses it in the Chromium web browsers, including Opera. No other web browsers bother with it. Everyone else uses the NPAPI standard. You can ignore 'PPAPI Plug-in is not installed.'

~ ~ ~ ~ ~

Are you sick of Adobe Flash Player security rubbish going on and on as if forever? Tell Adobe about it:

Contact | Adobe

Click 'Contact Customer Care'.
Click 'Adobe Flash Player'
Click 'How-to's and troubleshooting'
Click 'Still need help? Contact us.'
This forces you to go to the Adobe Flash Player Forum.

OR go directly to the Flash Player forum:

https://forums.adobe.com/community/flashplayer/using_flashplayer

Check if a topic specific to Flash Player security hell has already been started. If not, start your own.

OR choose an Adobe office near you and call them:

http://www.adobe.com/company/contact/offices.html

--
Thank you, as always, to my Mac security friend Al V for his help!
--


Thursday, January 22, 2015

Critical:
Adobe Flash Zero-Day Exploit ITW
Shut Down Flash Plug-In NOW

--
[UPDATES:
-- Saturday, January 24, Adobe provided yet-another NEW update to Flash Player v16.0.0.296. I'm providing a new article specifically pointing out how to check for it and install it while we wait for Adobe to make it available on their website, the lazy so-and-sos!

v16.0.0.296

All other versions are being exploited in the wild. Get rid of them now. Or just get rid of Flash altogether.

-- Today Adobe has released a very swift NEW update to Flash Player v16.0.0.287. It patches CVE-2015-0310. At the moment it is unclear whether this is the specific zero-day vulnerability that was reported. I'll keep my ear to the ground as details appear. In the meantime: UPDATE NOW to Adobe Flash Player v16.0.0.287, available here:

https://get.adobe.com/flashplayer/

Here is Adobe's NEW security bulletin for this update:

http://helpx.adobe.com/security/products/flash-player/apsb15-02.html

Again: Update NOW! In the meantime, please lock down your Macs against Flash security exploits using the information provided below.]

~ ~ ~ ~ ~

The recently updated version of the Adobe Flash Player internet plug-in (v16.0.0.257) is being exploited in the wild (ITW). It is important to disable Flash NOW. I discuss some methods below.

Here is an article about the current situation from Dan Goodin at Ars Technica:

Attack for Flash 0day goes live in popular exploit kit
Attack exploiting fully updated Flash installs Bedep botnet.
If you've been meaning to disable Adobe Flash, now might be a good time. Attacks exploiting a critical vulnerability in the latest version of the animation software have been added to a popular exploitation kit, researchers confirmed. Attackers often buy the kits to spare the hassle of writing their own weaponized exploits. . . . 
Adobe officials say only that they're investigating the reports. Until there's a patch, it makes sense to minimize use of Flash when possible. AV software from Malwarebytes and others can also block Angler attacks.

How to disable Adobe Flash Player plug-in:

I. The most direct and permanent way to stop Flash is to trash the Internet plug-in from your OS X system. You'll need to be using administrator privileges. The plug-in will be found here:

~/Library/Internet Plug-Ins/Flash Player.plugin

(You don't have to, but can also trash flashplayer.xpt found in the same location).

After it is removed, you'll need to restart your web browser to remove the plug-in from its memory.


II. Some web browsers allow some control over Internet plug-ins. I'll cover Apple's Safari web browser here as an example:

- A. In Safari, go to the menu item Safari/Preferences.../Security and note the last checkbox titled "Internet plug-ins:". You can be drastic and simply UNcheck 'Allow Plug-ins' and you're safe. But alternatively, you can click the button "Manage Website Settings..." and work with the "Adobe Flash Player" settings. 

- B. First click on "Adobe Flash Player" then move over to the right in the window. There you'll see a list of 'Currently Open Websites' using Flash. 

- - 1. If any of these websites are trusted and important to you, use the popup menu to their right and set them to "Ask".

- - 2. For websites NOT important to you, highlight them one at a time and remove them using the minus sign button at the bottom left of the sub-window.

- C. Go to the bottom right of this same window and notice the setting "When visiting other websites:".  You can also change its popup menu to "Ask". But the safest setting, until Adobe block this exploit, is 'Block'. That's what I'm using.

- D. Click 'Done' in the Security window when finished.




III. There are many Flash blocking add-ons/extensions for web browsers. Here are a few I use:

Safari: ClickToFlash
Firefox: FlashStopper (this works much better with the latest versions of Firefox than Flashblock).
Chromium (and variants thereof): FlashControl.

Be sure to check now whether these add-ons are actually set to 'block' Flash. You don't want them set to 'allow' Flash.

That's a quick summary of how to stop being botted by Flash while this and similar crises are ongoing.

I've got a somewhat busy day on my end today. But when I have time, I'll post more about this situation in 'Updates' at the top of the page.

:-Derek

--

Tuesday, January 13, 2015

Adobe Flash & AIR Critical Security Updates
For January 2015

--

Adobe has become as ridiculous as Apple: Release the security update installer, then get around to publishing the security bulletin as an afterthought. :-P

Second Tuesday of the month, here's another Flash & AIR critical security update! You know these are just going to keep coming, on and on forever. Flash, and therefore AIR, is a security nightmare of bad code. Wonderful wonderful. :-P

Flash: Version 16.0.0.257
AIR: Version 16.0

Here's the late posted security bulletin:

http://helpx.adobe.com/security/products/flash-player/apsb15-01.html



Adobe cleanup on aisle 15!
Details

Adobe has released security updates for Adobe Flash Player for Windows, Macintosh and Linux.  These updates address vulnerabilities that could potentially allow an attacker to take control of the affected system.  Adobe recommends users update their product installations to the latest versions:

Users of the Adobe Flash Player desktop runtime for Windows and Macintosh should update to Adobe Flash Player 16.0.0.257.
Users of the Adobe Flash Player Extended Support Release should update to Adobe Flash Player 13.0.0.260.
Users of Adobe Flash Player for Linux should update to Adobe Flash Player 11.2.202.429.
Adobe Flash Player installed with Google Chrome, as well as Internet Explorer on Windows 8.x, will automatically update to version 16.0.0.257.
Users of the Adobe AIR desktop runtime should update to version 16.0.0.245.
Users of the Adobe AIR SDK and AIR SDK and Compiler should update to version 16.0.0.272.
Users of Adobe AIR for Android should update to version 16.0.0.272.

These updates resolve an improper file validation issue (CVE-2015-0301).

These updates resolve an information disclosure vulnerability that could be exploited to capture keystrokes on the affected system (CVE-2015-0302).

These updates resolve memory corruption vulnerabilities that could lead to code execution (CVE-2015-0303, CVE-2015-0306).

These updates resolve heap-based buffer overflow vulnerabilities that could lead to code execution (CVE-2015-0304, CVE-2015-0309).

These updates resolve a type confusion vulnerability that could lead to code execution (CVE-2015-0305).

These updates resolve an out-of-bounds read vulnerability that could be exploited to leak memory addresses (CVE-2015-0307).

These updates resolve a use-after-free vulnerability that could lead to code execution (CVE-2015-0308).

Here's where to download the updates:

http://get.adobe.com/flashplayer/


https://get.adobe.com/air/
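
To check a Flash Player version number against the fixed versions listed in the bulletin above, here is an added example; it is not code from Adobe or from this blog. The function names, the inference of the release track from the major version, and the `CFBundleShortVersionString` key are assumptions, and the floors are those of APSB15-01 only.

```sh
# Floors: fixed versions quoted from APSB15-01 on this page; raise for newer bulletins.
FLOOR_DESKTOP=16.0.0.257   # desktop runtime, Windows and Macintosh
FLOOR_ESR=13.0.0.260       # Extended Support Release
FLOOR_LINUX=11.2.202.429   # Linux

# version_ge A B: 0 if A >= B, 1 if A < B, 2 if either is not dotted digits.
# Fields compare as integers: a string compare ranks 16.0.0.99 above 16.0.0.257.
version_ge() {
    local a b x y
    for a in "$1" "$2"; do case "$a" in ""|*[!0-9.]*|.*|*.|*..*) return 2 ;; esac; done
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}                      # leading field of each
        if [ "$a" = "$x" ]; then a=; else a=${a#*.}; fi
        if [ "$b" = "$y" ]; then b=; else b=${b#*.}; fi
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
    done
    return 0
}

# flash_status VERSION: print ok, outdated or unknown. Assumption: the release
# track is inferred from the major version (11 = Linux, 13 = ESR, else desktop).
flash_status() {
    local floor rc=0
    case "${1%%.*}" in
        11) floor=$FLOOR_LINUX ;;
        13) floor=$FLOOR_ESR ;;
        *)  floor=$FLOOR_DESKTOP ;;
    esac
    version_ge "$1" "$floor" || rc=$?
    case $rc in
        0) echo ok ;;
        1) echo "outdated (needs $floor or later)" ;;
        *) echo unknown ;;
    esac
}

# installed_flash_version [PLUGIN]: macOS only. Assumption: the bundle's
# Info.plist carries the version under CFBundleShortVersionString.
installed_flash_version() {
    local plist="${1:-$HOME/Library/Internet Plug-Ins/Flash Player.plugin}/Contents/Info.plist"
    [ -f "$plist" ] || return 1
    /usr/libexec/PlistBuddy -c 'Print :CFBundleShortVersionString' "$plist"
}

# With no arguments, check the installed plug-in; otherwise check each argument.
if [ "$#" -eq 0 ] && v=$(installed_flash_version); then set -- "$v"; fi
for v in "$@"; do printf '%s: %s\n' "$v" "$(flash_status "$v")"; done
```

Run it with one or more version strings as arguments, or with none on a Mac to check the plug-in at the default path.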


And while you're at it, just for fun, there's an update for the Adobe Shockwave plug-in to version 12.1.6.156:


https://get.adobe.com/shockwave/



"Someone get the mop!"




--

MacHeist Anarchy Bundle!
->VirusBarrier, Little Snitch +++
for dirt cheap!!!

--

[Updates: It's all over. What a heist!
. . .
- - The current Heist has been extended through January 23rd
- - An 11th application has been added: Control Center (worth $7). Details below.
- - In case you missed it, the Heist was hacked and taken over by North Korea (kidding!) on the night of January 20th. Visitors were forced to battle pong and MacMan with Kim Jong Un in the guises of Seth Rogen, James Franco and Jonah Hill. It was mayhem.
- - ALL the applications have now been unlocked
- - The tenth application is Postbox, an alternative email client program worth $10. Details below. Meanwhile: Cocktail has been unlocked and is now part of the loot! Little Snitch was also unlocked. MacHeist has changed the value of VirusBarrier to $108, which would mean they're providing the business version with three Macs supported. This version includes malware definitions for Windows as well as Mac!

MacHeist is having another charity drive, donating 10% of sales, providing 11 Mac applications for a measly $14.99. The heist is running through January 18th, 2015 (or so). What's included for $14.99 is truly astounding. Just get it and savor the goodness. Mmm.

I'm posting this article here instead of at my MacSmarticles blog because two of the very best Mac security applications are included: Intego's VirusBarrier and Objective Development's Little Snitch. To get these pinnacles of greatness for $15 is beyond belief. Not kidding!




The full list of applications:


Default Folder X - - This beloved application is on all my Macs.


VirusBarrier - - This is the best anti-malware available for client Macs, my favorite. Even if you already own it, this is a cheap way to subscribe to its malware definitions for another full year. Provided is the business version, with three Macs supported; both Windows and Mac malware definitions are provided for one year.


uBar - - A replacement for the OS X Dock reminiscent of the Windows task bar.


Speedy - - Quick access to favorite apps, docs, folders, site bookmarks...


TotalFinder - - Returns stuff dumped from the modern OS X Finder while adding its own bells and whistles.


Parallels Access - - Access your Mac or Windows box from iOS or Android. A one year subscription.


CodeKit - - Assists in web development, including scripting and previews.


Cocktail - - A favorite utility for OS X cleaning, repair and customization. It includes an auto-pilot system as well as periodic programmable daemon. I already own it! I like it! 


Little Snitch - - The best 'reverse firewall' on the planet, another of my favorites, running on all my Macs.


Postbox - - An alternative mail client to Apple Mail. It has been acclaimed for providing better support of Gmail than Mail. Adds another $10 in value to the bundle.

- - How well Postbox runs on OS X 10.10 Yosemite or 10.6 Snow Leopard is unclear to me. One page at the developer's website specifically says Postbox is for OS X 10.7 - 10.9, saying nothing about support for other versions of OS X. Another page says Postbox is for 10.6 and above. Nowhere is 10.10 Yosemite mentioned. Hmm.

Control Center - - 'A multi-utility minimalistic app that lets you control and monitor most aspects of your computer. You can use it for controlling music (iTunes/Spotify), monitor hardware statistics, communication protocols (WiFi/Bluetooth) and much more.' - - The latest version looks to be excellent, 4 star over at MacUpdate.

The theme for this MacHeist is ANARCHY! featuring applications NOT found at the Apple Mac App Store. They break the Apple store rules, transcending Apple's limitations in their quest to provide the unusual if not outright profound! Or so goes my personal marketing spiel.

Here's how much I like this bundle: I own four (4) of these applications already. But I'm getting it anyway. VirusBarrier: I already own a license to get me through to the middle of 2016. Now I'll have another license to get me through to the middle of 2017. (o_0) Am I crazy? I don't think so. Not for $15 and all the new kewl stuff I don't own. I know I'll be passing along other duplicate licenses to friends.


Ringing up the cash register: For $15 you get $324 worth of loot.




The Full List of Charities:


Action Against Hunger


American Foundation for AIDS Research


Friends of the Earth - - My personal favorite.


Heart to Heart


Humane Society International


The Nature Conservancy


Save the Children


Global Fund for Women


Cancer Research Institute


World Wildlife Fund


As usual with MacHeist, you can choose to donate your 10% of the sale to your favorite charity, or have it split up amongst them all equally.


How come I'm foisting MacHeist? I always do. I love these folks. I'm amazed at what they create. I'm amazed at what they accomplish. I'm amazed at the ripping good deals they offer with every heist. I celebrate their efforts for charity. Therefore, I'm happy to market their heists to the masses. Please join in!


HINT: If you're already a MacHeist member, remember to LOG IN before you buy your loot. That way all the new loot will be listed with your past loot. If you're not a MacHeist member, be sure to REGISTER first. It will make your purchase as well as loot list sane and simple.


Share and Enjoy! (^_^)/


:-Derek



--