Monday, May 14, 2018

Critical Out-Of-Band Adobe Security Updates!
And ongoing minor Mac concerns...

--
Adobe has just announced to critical updates for Adobe Acrobat and Reader and Adobe Photoshop CC. The announcements are linked and summarized below:
APSB18-09: Security update available for the Adobe Acrobat and Reader

Originally posted: May 14, 2018

Summary: Adobe has released security updates for Adobe Acrobat and Reader for Windows and MacOS. These updates address critical vulnerabilities, and successful exploitation could lead to arbitrary code execution in the context of the current user. Adobe recommends that customers apply the appropriate update using the instructions provided in the "Solution" section of the security bulletin.

Priority Rating: Adobe categorizes this update as priority 1.


APSB18-17: Security updates available for Adobe Photoshop CC

Originally posted: May 14, 2018

Summary: Adobe has released updates for Photoshop CC for Windows and macOS. These updates resolve a critical vulnerability in Photoshop CC 19.1.3 and earlier 19.x versions, as well as 18.1.3 and earlier 18.x versions. Successful exploitation could lead to arbitrary code execution in the context of the current user. Adobe recommends that customers apply the appropriate update using the instructions provided in the "Solution" section of the security bulletin.


Priority Rating: Adobe categorizes these updates as priority 3.
The new patched versions are:

• Acrobat DC and Acrobat Reader DC v2018.011.20040
• Acrobat 2017 and Acrobat Reader DC 2017 v2017.011.30080
• Acrobat DC (Classic 2015) and Acrobat Reader DC (Classic 2015) v2015.006.30418

• Photoshop CC 2018 v19.1.4
• Photoshop CC 2017 v18.1.4

Update IMMEDIATELY. Exploits have not been reported by Adobe to be in-the-wild. But the Acrobat patches are of highest priority and plentiful.

There was also the usual monthly security patch of awful Adobe Flash on 'Patch Tuesday', the second Tuesday of the month. Several other security patches were released as well. The list of Adobe's latest security patch updates can always been found here:

https://helpx.adobe.com/security.html

- - - -



What Else Is Up?

There aren't many Mac security concerns at the moment. In the mean time, I highly recommend everyone obtain and use the free Malwarebytes Anti-Malware application, run it and keep it up-to-date. My colleague Thomas Reed has been doing a great job enabling it to find all current adware and PUPs (potentially unwanted programs) as well as the few active Mac malware.

Up and coming is Thomas Reed's Malwarebytes for iOS, seeing as Thomas is now in charge of mobile security as well as Mac security at Malwarebytes. The free version of the app will assist iOS device users with ad blocking and text message filtering. The Premier version will help protect users from malicious cell phone calls and malicious web sites. The app is currently in beta.

There isn't any active malware of iOS these days. Subsequently, Apple has removed and forbidden any apps that scan for iOS malware. Meanwhile, Apple has identified and removed several apps that surveil users from its App Store. They are in violation of Apple's iOS programming rules. It's disconcerting that these apps were originally approved and allowed to run on user devices. Thankfully, Apple has caught up with their oversight and removed the problem.

The biggest security hole in the entire Mac and iOS security system remains the same as last year: Rogue developers who've paid for Apple security certificates then applied those certificates to malicious software. The consequences of this security hole in Apple's certification system pop up all over the world from time to time. I wish these rogue certificates were an impossibility. However, Apple's only solution for now is to pull these certificates, making the malicious applications essentially inert. Stolen certificates from enterprise developers remains a problem. But Apple appears to have taken better control of them as I have not heard of any enterprise certificates being applied to malicious software in 2018. Let's hope it stays that way.

Spectre & Meltdown 



Of GREAT concern to every Intel and AMD CPU user is the ever evolving and elaborating Spectre (speculative execution) hardware security vulnerability catastrophe. Apple, as well as other computer manufacturers, have been responding as best they can in coordination with Intel and AMD. But the Spectre problems are profound and have no full solution in sight. Fortunately, exploiting Spectre is relatively difficult and no major exploitation has been reported in-the-wild. As this catastrophe unfolds, be certain to keep up-to-date with Apple security patches.

Of related concern has been the Meltdown vulnerability in Intel, AMD, ARM (Apple A-Series) and IBM Power CPUs. Meltdown has been easier to mitigate and has not become a concern on Mac computers. Just be certain you're up-to-date with Apple security updates.

Apple has provided a document about Spectre and Meltdown and its mitigations here:

About speculative execution vulnerabilities in ARM-based and Intel CPUs

iMore has kindly provided further information here:

'Meltdown' and 'Spectre' FAQ: What Mac and iOS users need to know about the Intel, AMD, and ARM flaw

Rowhammer
Continuing and evolving is exploitation of the DRAM Rowhammer phenomenon. It affects all DDR3 and DDR4 SDRAM. It affects all modern Mac computers. There is no for solution for this problem. The phenomenon is a product of the ever shrinking and subsequently spatially intimate physical components of RAM chips. Some attempts at using software mitigations have been tried and more are forthcoming. But the problem has not been solved. Fortunately, there have not been any active exploits on Mac or iOS hardware. If an exploit is reported, I'll be posting.

Newly discovered is a method of exploiting Rowhammer using GPU memory chips on Android devices. The exploit is called GLitch and can be triggered by malicious JavaScript embedded into web pages.  So far, there has been no similar exploit discovered for iOS devices.

APFS: Not Ready For Prime Time 


In March, there was concern over a severe programming bug found in Apple's as yet unfinished APFS file system, exploitable on devices running macOS 10.13 and 10.13.1 High Sierra. The bug allowed a simple command in the OS terminal to reveal the administrative password for an APFS encrypted Mac device. The exploitation command could be enacted either by direct physical access to the Mac or via malicious code on a web page. Macs running macOS 10.13.2 and higher have been patched against this security bug. More about this situation can be found here:

Apple macOS Bug Reveals Passwords for APFS Encrypted Volumes in Plaintext
It should be noted that you would not find the password in the plaintext when converting a non-APFS drive to APFS and then encrypting the drive.
My advice regarding APFS, the new Apple File System, remains the same: Don't use it. 

• The finished APFS specification has not been released to developers or the public.

• APFS is still incompatible with Fusion drives.

• There continue to be problems accessing APFS partitions from HFS+ Macs, despite Apple's attempts to provide a solution.

• There is no complete method for repairing APFS systems apart from Apple's meagre Disk Utility application. Micromat was the first and currently only disk utility developer to provide partial repair support for APFS in TechTool Pro 9.6+. But Micromat make it clear that it is not a complete APFS repair solution. All disk utility developers point out that the reason for this delay continues to be Apple and their unwillingness / inability to provide finished APFS specification documentation.

IOW: APFS is not a finished standard. It is not ready for prime time. IMHO, it is to be avoided.

Meanwhile, Apple says:
When you install macOS High Sierra on the Mac volume of a solid-state drive (SSD) or other all-flash storage device, that volume is automatically converted to APFS. Fusion Drives, traditional hard disk drives (HDDs), and non-Mac volumes aren’t converted. You can’t opt out of the transition to APFS.
Wrong. There is a solution to Apple's forced conversion of HFS+ to APFS when installing High Sierra. I suggest enacting this solution unless you have some compelling reason to experiment with APFS. You can read about the solution here:

How to Skip Converting to APFS When Installing macOS High Sierra
Despite the Apple support article saying that you can’t opt out of the transition to APFS, it turns out that you can skip APFS if you choose to start the installer from the command line of Mac OS and give a directive to skip file system conversion.



Potentially helpful for those who have converted to APFS is the free downloadable APFS Retrofit Kit available from Paragon:
If you work on a Mac computer with macOS 10.10 to 10.12 and want to read APFS-formatted HDD, SSD or flash drives, you need APFS Retrofit Kit for macOS by Paragon Software. 
Paragon is working to provide the kit for Windows and Linux users as well. Due to my concern that APFS is an unfinished standard, use Paragon's kit with caution. 

And as ever, Make A Backup before engaging in any computer device adventure. It will save your butt. It's the #1 Rule of Computing!

HEY APPLE! FINISH APFS ALREADY! Sheesh. 

Stay safe out there kids.

:-Derek

~ ~ ~ ~ ~ 


Addendum Reading Assignment:

How many ways can a PDF mess up your PC? 47 in this Adobe update alone
Tons of critical fixes for Reader, Acrobat and Photoshop
--

Sunday, February 4, 2018

Active Adobe Flash Zero-Day Exploit Active
In-The-Wild

--

Same old story. Don't Use Flash v28.0.0.137 (or earlier) until Adobe provides an update! The update should be out this coming week. Keep an eye out.

The current known attack vector, CVE-2018-4878, is a malicious Microsoft Excel document containing a malware Flash object which, when opened, triggers the installation of ROKRAT, (Remote Administration Tool), capable of taking over the infected computer. At this time, the infection vector is assumed to have originated in North Korea and is primarily targeting South Korea.

Adobe's Security Advisory:
A critical vulnerability (CVE-2018-4878) exists in Adobe Flash Player 28.0.0.137 and earlier versions. Successful exploitation could potentially allow an attacker to take control of the affected system.

Adobe is aware of a report that an exploit for CVE-2018-4878 exists in the wild, and is being used in limited, targeted attacks against Windows users. These attacks leverage Office documents with embedded malicious Flash content distributed via email.

Adobe will address this vulnerability in a release planned for the week of February 5.
More about the exploit from Dan Goodin at Ars Technica:

An Adobe Flash 0day is being actively exploited in the wild
Adobe plans to have a fix for the critical flaw next week.
... While the number of in-the-wild attacks exploiting Flash zerodays has dropped significantly over the past year or two, the risk posed by the Adobe media player remains unacceptably high relative to the benefit it provides most users. And now that word of the vulnerability is circulating, it wouldn't be surprising for other groups to use it against a much wider audience.
[Note that Ars Technica quotes the CVE as "2018-4877" as opposed to 2018-4878. I consider '2018-4877' to be a typo. Sadly, as usual, Dan's article is being quoted verbatim around the Internet along with the wrong CVE number. Stick with CVE-2018-4878, the CVE identified by Adobe. Because of the precautions taken at CVE.Mitre.org, it's impossible to identify the differences between these two CVE numbers until after the current zero-day as been patched. Meanwhile, the NIST (National Standards of and Technology) CVE database doesn't yet list either number. Bureaucracy at work. Zzzz.]

CONCLUSIONS:

Don't use Microsoft Excel
Don't use Adobe Flash

:-Derek

--

Tuesday, July 25, 2017

Adobe Flash Marked For Death
At The Stroke of Midnight
December 31, 2020

--

Adobe will be assassinating the pestilence that is Flash at the end of 2020. They've posted the hit contract here:

FLASH & THE FUTURE OF INTERACTIVE CONTENT
Adobe has long played a leadership role in advancing interactivity and creative content – from video, to games and more – on the web. Where we’ve seen a need to push content and interactivity forward, we’ve innovated to meet those needs. Where a format didn’t exist, we invented one – such as with Flash and Shockwave.
No actually. Adobe bought both Flash and Shockwave along with Macromedia in 2005.
And over time, as the web evolved, these new formats were adopted by the community, in some cases formed the basis for open standards, and became an essential part of the web. . . .
Given this progress, and in collaboration with several of our technology partners – including Apple, Facebook, Google, Microsoft and Mozilla – Adobe is planning to end-of-life Flash. Specifically, we will stop updating and distributing the Flash Player at the end of 2020 and encourage content creators to migrate any existing Flash content to these new open formats. . . .
Looking ahead, Adobe will continue to . . .
...Yeah, yeah.

We now have (as of today) another 3.4 years of Flash & Shockwave insecurity to endure. And after, there shall of course be those who cling to Flash as an orphaned rat still suckles...

Remember, if you must use Flash, be certain to keep it Up-To-Date! Else peril awaits like a ravenous zombie shackled with rusting chains...

Party at my place, New Year's Eve 2021.


--
Who wants to set up a web timer?
--

Monday, June 19, 2017

Stack Clash:
A UNIX Security bug likely to affect macOS

--

I'm posting this information as a warning to those running macOS as a server. The 'Stack Clash' security bug is likely to affect macOS owing to the fact that macOS is certified BSD UNIX.

Apple has been notified and no doubt will examine the situation and provide a patch ASAP if required. (Likely required).

For now, have a read of this article by Dan Goodwin over at Ars Technica.

Serious privilege escalation bug in Unix OSes imperils servers everywhere
“Stack Clash” poses threat to Linux, FreeBSD, OpenBSD, and other OSes.
Anyone running a Unix-based OS should check with the developer immediately to find out if a patch or security advisory is available. The best bet is to install a patch if one is available or, as a temporary workaround, set the hard RLIMIT STACK and RLIMIT_AS of local users and remote services to a low value. 
The Stack Clash security bug is listed as CVE-2017-1000364.

This isn't a PaNiC situation. But it's important to be aware that this bug is likely to affect macOS.

There will be more information available shortly, no doubt. I'll post here as it is released.

:-Derek



--

Tuesday, February 28, 2017

Making My Own Trouble: Calling Out Kaspersky

--

Introduction:

It's been fairly quiet regarding Mac security. There have recently been three malware out-in-the-wild, but they've proven to be not much of anything. Therefore, I haven't bothered to FUD anyone about them. I don't like FUD.


Therefore, having a low boredom tolerance, I often make my own trouble for my own amusement. I decided to share this particular experience with those here who are interested. It's my call out to Kaspersky for distribution of BS.


The Article Of Interest:


I visit snarky The Register every day for computer security news, among several other websites. I get tired of the puerile cockney humor but they do a good job covering the subject. This was the article that inspired my trouble making today:


Apple's macOS is the safer choice – but not for the reason you think
Eugene Kaspersky looks forward to a new darker dawn
Apple's Mac operating system may be the safer choice – but only because cybercriminals can't get their hands on people who know how to exploit it.

That's according to security showman Eugene Kaspersky, who gave a keynote at the Mobile World Congress in Barcelona on Monday. In recent months, Kaspersky has made a habit of giving MacOS a kicking, and this keynote was no different.

"People still think MacOS is safe," he told attendees with some measure of incredulity. But it's not. While there is certainly less malware for the operating system than, say, Windows, it's more a case of difficulty in hacker recruitment than evidence of stronger inherent security.

Of course, this zeal may have something to do with a big push from Kaspersky for its security software for the Mac, not that you'd need it from Eugene's logic. And that may have something to do with Kaspersky's huge certificate cock-up at the start of the year that exposed millions of people to interception attacks. . . .

So what's the solution? A complete redesign of all of our systems, starting from scratch by building on top of secure platforms and software. He dreams of systems that are no longer "secure" but "immune."
Emphasis mine. Before I continue, let me point out that creating an 'immune' operating system is exactly what we want. Let's all champion that effort.

But Mr. Kaspersky's keynote comments about the Mac remind me of something from way back in 2005 when lousy (IMHO) Symantec attempted to FUD Mac users into believing their chosen computer platform was going to be inundated with malware, just like Windows. It was only a matter of time.


Symantec: Mac users deluding themselves over security

Symantec's 2005 FUD campaign, obviously an attempt to promote Norton for Mac sales, was the impetus that inspired me to study and write about Mac security. Thank you Symantec! I hate you. 


Therefore, here's what I have to say back to assertions Mr. Kaspersky made in his keynote, which is what I posted at The Register:

Maybe Aricept Can Help

"So what's the solution? A complete redesign of all of our systems, starting from scratch by building on top of secure platforms and software. He dreams of systems that are no longer "secure" but "immune.""

OS X (macOS) is an operating system started from scratch by building on top of a secure platform and software. It was built on top of BSD UNIX, which remains the single most secure (by testing and reputation) operating system available. OS X is certified BSD UNIX. 
So Mr. Kaspersky, maybe Aricept can help. Either that or do your research before you blether.

An "immune" OS is something else entirely. We have no such thing at this time apart from running a standalone computer with no input and no output, no EM radiation or sound emanations, etc.

Hint To Kaspersky: 
One reason your anti-malware isn't a hit on OS X (macOS) is that, thanks to the work of many people, both volunteer and paid, malware is discovered, described and tested with the results passed along to Apple. On a good day, Apple then responds ASAP by providing automatic OS subsystem updates blocking that malware within their XProtect anti-malware system. (Yes, Apple has plenty of bad days when they don't keep up, such as their current forgetfulness about blocking out-of-date versions of Adobe's supremely dangerous Flash Player Internet plug-in).

As a result, there's very little point in bothering to write malware for OS X seeing as it will typically be squashed by Apple within a brief period of time, thanks again to the work of many of us OUTSIDE of Apple.

Mr. Kaspersky, realism is always welcome. Pulling bonehead Symantec quality FUD manoeuvres is NEVER welcome. Make your choice.

In any case, thank you Kaspersky for your many contributions to the computer security community. Apologies that they don't result in profits from your Mac software.
If I die before I wake, you know why. ;-)



Oh and here's The Register's 4 Jan 2017 article about "Kaspersky's huge certificate cock-up" mentioned above:


Kaspersky fixing serious certificate slip
Security smashed for 400 MEEELLION users
Kaspersky is moving to fix a bug that disabled certificate validation for 400 million users. 
Discovered by Google's dogged bug-sleuth Tavis Ormandy, the flaw stems from how the company's antivirus inspects encrypted traffic. . . .
~ ~ ~ ~ ~

--

Monday, December 12, 2016

Apple Adds 'Junk' Option To iCloud Calendar:
Spam Rats Exterminated

--

Apple has kindly responded, in part, to the Calendar spam nightmare. They've now provided a couple ways to 'Junk' the spam directly inside the iCloud Calendar rather than forcing victims to 'Accept', 'Decline' or 'Maybe' the spam, none of which were acceptable options.


Apple activates iCloud.com Calendar spam reporting feature
By AppleInsider Staff 
Sunday, December 11, 2016, 09:31 pm PT (12:31 am ET)
Apple on Sunday instituted a new junk content reporting feature on its iCloud.com web portal, the first step in what appears to be an activation of countermeasures against iCloud Calendar spam invites users began to receive in volume last month.
There are two ways to attack invitation spam in the iCloud Calendar.


(Click to enlarge)

In the screenshot above, we notice the invitation spam via both a Calendar entry, marked as A, and the Notifications counter at the bottom of the window, marked as B. AppleInsider, in the article linked above, has described how to use the Notifications counter to 'Junk' the invitation spam. I'm going to describe how to perform the same function using the invitation spam Calendar entry.



(Click to enlarge)

In the screenshot above, I've double-clicked the invitation spam entry in my Calendar. The result is a detailed information sub-window. I prefer this approach for removing invitation spam specifically because of the details provided. The text in the sub-window is a bit scrambled, but we can make out some typical signs of spam. The sender is Chinese. The invitation spam was sent to victims on an alphabetical spam-it list. The invitation spam directs the victim to an unfamiliar website.


Note that Apple has added 'Report Junk' link beneath the text "This sender is not in your contacts." Click "Report Junk" and this new sub-window appears:



(Click to enlarge)

Click 'OK' and the deed is done! The invitation spam will be safely removed from both the Calendar and the Notifications counter. Extermination achieved. Perform this procedure on further invitation spam. When you're done, your Calendar will be clean and back to normal.



(Click to enlarge)

It is assumed at this time that Apple is using Calendar 'Junk' reports to create a 'Black List' that will keep future invitation spam out of the Calendar. Because of the very similar coding used for email spam, I expect Apple will eventually combine both their email spam and Calendar invitation spam filtering systems. We'll see.


WHAT'S LEFT TO FIX


1) Apple still has to provide a 'Junk' reporting method in both the macOS and iOS Calendar applications.


2) Apple still has to provide a fix for Photo Sharing invitation spam.


Little steps to solve big problems.



--

Tuesday, November 29, 2016

Permanent Solution To Calendar Spam Attacks!

--

Over the US Thanksgiving holiday weekend, I was bombarded with two further Calendar spam rat attacks foisting fraudulent flotsam from China. I happily dispatched them with the previously prescribed method, no dangerous 'decline' required.

But better yet! Yesterday (11-29) Sean Gallagher of Ars Technica posted a permanent solution to Calendar spam rat attacks that works the charm. It shoves off spam 'invitations' (infestations) into the Mail application instead, where the crapulent assaults will be forced through your spam filtration system, killing them dead. 


√ Spam rat exterminated.



How to stop the wave of Apple Calendar invite spam
Deleting them just encourages them—and confirms your address is live.
Sean Gallagher, Ars Technica, 2016-11-28

Here is my slightly simplified set of instructions. Note that this must be performed on a desktop/laptop computer. It will not work using iOS!


1) Sign in (log in) to your iCloud account at:


https://www.icloud.com




2) Click on the Calendar icon.



3) When your Calendar page is loaded, look down at the bottom left for the gear symbol. Click on it and choose 'Preferences'.




4) In the Preferences sub-window, click on the 'Advanced' tab.




5) In the bottom section of the 'Advanced' window, labeled 'Invitations', you'll see the default radio button setting is 'In-app notifications'. Click instead 'Email to ...' your iCloud email address. (Ignore 'Use this option if...).



6) Click 'Save' in the bottom right.


No more 'invitation' infestations into your Calendar. But note! Any legitimate Calendar invitations will also be sent to your email account. Therefore, be careful when perusing your email to watch for invitations you'd like to accept. In Mail you can choose to have them added to your Calendar.


When you receive spam rat 'invitations' in Mail you can simply mark them as 'Junk'. More garbage from the same spam rats should in future be flung into your 'Junk' without your having to ask.


Reporting Calendar 'Invitation' Spam:


I had a chat with tech support over at SpamCop.net about Calendar 'invitation' spam. They kindly declined to recode their spam reporting website software to accept this new spam variety and instead referred me to another organization that might take up the challenge. But the fix Sean Gallagher provided solves the problem. I can in future toss off 'invitation' spam to SpamCop directly from Mail.


Remaining problem, iCloud Photo Sharing spam:


Sadly, there is no similar preference fix to stop iCloud Photo Sharing spam. That one is Apple's burden to solve.



--