Saturday, August 22, 2015

So You Want To Be
An Advanced Mac Security User...

--

As I often point out, we're still in The Dark Age of Computing.

Today's recommended reading

Want security? Next-gen startups show how old practices don't cut it
Stop hackers from walking on the eggshells protecting your datacenter
22 Aug 2015 at 13:30, Trevor Pott @The Register ®
In case you hadn't noticed, IT security sucks. There is a chronic lack of people trained in IT security, people who will listen to IT security, and even a lack of agreement on how best to go about IT security. Fortunately, a new generation of startups are helping to tackle the issues....
[Note: This is a two-page article]

The imperative to create REAL security, where security flaws and hacks are actual surprises rather than entirely expected events (which is what we have right now!), is going to drive an actual coding REVOLUTION. But there's an incredible amount of work required.

My attitude is: If you've got the interest, don't pay attention to how foreboding the subject may appear to be. Dive in and learn to swim through it, exercise your brain and climb the learning curve. You have the basic skills for learning and analyzing the information. Get to it! Make yourself an expert. Then share your expertise and help others with their swimming lessons.

No one ever told me I had innate tech skills. I entirely figured it out on my own by deciding I liked it and wanted to learn it. *Ding* I realized I'm great at it! (Except that CLI stuff, which I grudgingly tolerate).

There is nothing male, female or color selective about working with tech, including tech security. It's a human talent and a developed skill. If you've got a hint that the talent is yours, jump into it and add your flavor to the mix. For me, it's play time! If you're not enjoying it, you're not doing it right. That's why I write and work with tech, offering up what I know for free.

:-Derek

--

Monday, August 17, 2015

The OS X _PAGEZERO Memory Exploit,
A vulnerability in 10.10.5 and 10.9.5

--

Oh surprise. A new bad memory management exploit. Who'd have guessed. /s

In an effort to offer more advanced user Mac security information, I'm posting this article about an article about an article about a discovery for those interested:

My most excellent colleague Topher Kessler published an article today at his most excellent MacIssues website about a newly discovered exploit of OS X, affecting both 10.10.5 and 10.9.5 with the latest security update already applied.

New Zero-Day memory injection vulnerability discovered in OS X
August 17, 2015 by Topher Kessler
PCWorld is reporting that a new zero-day vulnerability has been found for OS X, which affects versions of OS X from 10.9.5 through to the recently-released 10.10.5. The problem comes from how NULL pointers in programs are handled, where malicious programs may use a special condition to bypass the default location where NULL code is directed to, and allow the program to bypass OS X’s security. . . .
Italian teen finds two zero-day vulnerabilities in Apple's OS X
Jeremy Kirk, IDG News Service, Aug 17, 2015 6:26 AM ET
An Italian teenager has found two zero-day vulnerabilities in Apple’s OS X operating system that could be used to gain remote access to a computer. 
The finding comes after Apple patched last week a local privilege escalation vulnerability that was used by some miscreants to load questionable programs onto computers. 
Luca Todesco, 18, posted details of the exploit he developed on GitHub. The exploit uses two bugs to cause a memory corruption in OS X’s kernel, he wrote via email. . . .
xnu local privilege escalation via cve-2015-???? & cve-2015-???? for 10.10.5, 0day at the time | poc||gtfo
cve-2015-???? poc ~ os x 10.10.5 kernel local privilege escalation 
vulnerability got burned in 10.11. . . .
If you're interested in this current exploit, be certain to read through all of Topher's article, listed at the top above. He has some extremely relevant advice to follow before playing with Luca Todesco's "Null Guard" patch tool.
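For readers who want a concrete, defensive way to look at the "_PAGEZERO" angle in the title: a default-linked 64-bit Mach-O executable carries a __PAGEZERO segment at address 0, 4 GiB in size, which keeps the NULL page and everything near it unmapped. The following script is an added example (my own illustration, not code from Topher's article, PCWorld's report, or Luca Todesco's "Null Guard" tool) that parses a 64-bit Mach-O header and reports whether __PAGEZERO is present, at address 0, and of the default size. It assumes (this is my assumption, not something the quoted articles state) that a missing or shrunken __PAGEZERO is the condition worth flagging during triage, since that is what lets a process map low addresses. The sample binaries it checks are constructed in the script itself so it runs offline.

```python
"""Added example: report the __PAGEZERO segment of a 64-bit Mach-O file.

Assumption (not from the quoted articles): we flag executables whose
__PAGEZERO is absent, not at address 0, or smaller than the 4 GiB that
ld64 emits by default on x86_64. Some legitimate programs that need low
addresses link with a smaller __PAGEZERO, so treat a hit as a triage
signal, not as proof of anything malicious.
"""
import struct

MH_MAGIC_64 = 0xFEEDFACF          # little-endian 64-bit Mach-O magic
MH_CIGAM_64 = 0xCFFAEDFE          # byte-swapped magic (big-endian file)
LC_SEGMENT_64 = 0x19              # 64-bit segment load command
HEADER_SIZE = 32                  # sizeof(struct mach_header_64)
SEGMENT_CMD_SIZE = 72             # sizeof(struct segment_command_64)
DEFAULT_PAGEZERO_SIZE = 0x100000000  # 4 GiB, the ld64 default on x86_64


def find_pagezero(data: bytes):
    """Return (vmaddr, vmsize) of the __PAGEZERO segment, or None if absent.

    Raises ValueError for input that is not a well-formed 64-bit Mach-O.
    """
    if len(data) < HEADER_SIZE:
        raise ValueError("too short for a mach_header_64")
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == MH_MAGIC_64:
        end = "<"
    elif magic == MH_CIGAM_64:
        end = ">"
    else:
        raise ValueError("not a 64-bit Mach-O (magic 0x%08x)" % magic)
    # mach_header_64: magic, cputype, cpusubtype, filetype,
    #                 ncmds, sizeofcmds, flags, reserved
    _, _, _, _, ncmds, sizeofcmds, _, _ = struct.unpack_from(end + "8I", data, 0)
    off = HEADER_SIZE
    limit = HEADER_SIZE + sizeofcmds
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from(end + "2I", data, off)
        if cmdsize < 8 or off + cmdsize > len(data) or off + cmdsize > limit:
            raise ValueError("corrupt load command at offset %d" % off)
        if cmd == LC_SEGMENT_64:
            # segment_command_64: cmd, cmdsize, segname[16], vmaddr, vmsize, ...
            segname = data[off + 8:off + 24].split(b"\0", 1)[0]
            vmaddr, vmsize = struct.unpack_from(end + "2Q", data, off + 24)
            if segname == b"__PAGEZERO":
                return vmaddr, vmsize
        off += cmdsize
    return None


def pagezero_verdict(data: bytes) -> str:
    """Classify the file: OK, MISSING, MISPLACED (not at address 0) or SHRUNK."""
    pz = find_pagezero(data)
    if pz is None:
        return "MISSING"
    vmaddr, vmsize = pz
    if vmaddr != 0:
        return "MISPLACED"
    if vmsize < DEFAULT_PAGEZERO_SIZE:
        return "SHRUNK"
    return "OK"


def build_sample(pagezero_size=DEFAULT_PAGEZERO_SIZE, include_pagezero=True) -> bytes:
    """Constructed sample input: a minimal x86_64 mach_header_64 followed by
    LC_SEGMENT_64 commands (no sections, no code). Not a real executable."""
    def seg(name, vmaddr, vmsize):
        # cmd, cmdsize, segname, vmaddr, vmsize, fileoff, filesize,
        # maxprot, initprot, nsects, flags
        return struct.pack("<2I16s4Q2i2I", LC_SEGMENT_64, SEGMENT_CMD_SIZE,
                           name, vmaddr, vmsize, 0, 0, 0, 0, 0, 0)
    cmds = b""
    if include_pagezero:
        cmds += seg(b"__PAGEZERO", 0, pagezero_size)
    cmds += seg(b"__TEXT", 0x100000000, 0x1000)
    ncmds = 2 if include_pagezero else 1
    # magic, cputype (x86_64), cpusubtype, filetype (MH_EXECUTE), ncmds, sizeofcmds, flags, reserved
    header = struct.pack("<8I", MH_MAGIC_64, 0x01000007, 3, 2, ncmds, len(cmds), 0, 0)
    return header + cmds


def scan_file(path: str) -> str:
    """Convenience wrapper for a real file on disk."""
    with open(path, "rb") as fh:
        return pagezero_verdict(fh.read())


if __name__ == "__main__":
    for label, blob in [("default", build_sample()),
                        ("shrunk", build_sample(pagezero_size=0x1000)),
                        ("missing", build_sample(include_pagezero=False))]:
        print("%-8s %s" % (label, pagezero_verdict(blob)))
```

Run it as-is to see the three constructed samples classified, or call scan_file() on a real binary. Fat (universal) binaries and 32-bit images are deliberately rejected rather than guessed at; a practitioner scanning a whole directory would want to split fat files into their slices first.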

NOTE: I've decided to make an effort to bring attention to these advanced-level-user issues because Apple has been sitting on these things for months on end, causing the company to acquire a lazy security reputation. I figure it can't hurt to bring more pressure to bear on Apple to get their, apparently, lazy security fingers busy writing patches. Security is, after all, everyone's most basic need.

ALSO NOTE: As Graham Cluley has recently pointed out, Apple has still not fully patched the Thunderstrike 2 EFI rootkit attack. We know Apple is working on it.

Coming Up: I'll post a spreadsheet of recent Apple CVE patches. It's long. *sigh*

--

Thursday, August 13, 2015

When Apple's AirDrop Lets In The Loonies

--
An Apple AirDrop setting issue has begun causing concern. In this case, a very nice woman received some very obscene pictures of a sexual nature from an abusive FlasherRat within Bluetooth or Wi-Fi range of her iPhone. It's preventable with a setting change.

Read and watch this BBC article for details in order to avoid these offending events on your own iOS devices. I suspect this issue is just breaking the surface. One of the BBC's accompanying videos demonstrates how to change iOS AirDrop settings.

Police investigate 'first cyber-flashing' case
By Sarah Bell
Victoria Derbyshire programme, BBC
Police are investigating a "new" crime of cyber-flashing after a commuter received an indecent image on her phone as she travelled to work. . . .

Supt Gill Murray said this particular crime was new to her force and urged people to report any other incidents. . . .

'Report it'

Ms. Crighton-Smith called the British Transport Police as she said she was worried about the motives of the perpetrator.

"What's the next stage from sending a naked photograph to a stranger, what happens next, was he getting any sort of gratification from it?" . . .

Airdrop is specific to iOS devices and Apple Macs. It uses wi-fi and Bluetooth to talk over a short range to other devices, like other iPhones.

Its default setting is for "contacts only", which means only people you know can see you.

But if you want to share your information or your contacts with other people, you may make a change to the settings and change it to "everyone".

"This means that typically in a train carriage, or tube carriage, you can see other devices," commented Ken Munro, a cybersecurity consultant at Pentest Partners.

"That's what's happened in this particular case, someone has enabled everyone and then hasn't then set it back. As a result anyone within wi-fi or Bluetooth range can send something to you that's quite horrible...."
--

Tuesday, August 11, 2015

Happy Second Tuesday!
Adobe Flash v18.0.0.232 &
Adobe AIR 18.0.0.199
Patch 35 CVEs

--

[CVE = Common Vulnerabilities and Exposures]

Another Second Tuesday of the month... Another Adobe Flash and Adobe AIR patch marathon!


This time we're up to Adobe Flash v18.0.0.232 and Adobe AIR v18.0.0.199, patching 35 (thirty-five) CVE security flaws.


Where to download the updates

https://get.adobe.com/flashplayer/

https://get.adobe.com/air/


The new Adobe Flash (and AIR) Security Bulletin

https://helpx.adobe.com/security/products/flash-player/apsb15-19.html

Details from the new Adobe Flash (and AIR) Security Bulletin, with added links to available CVE data!

Vulnerability Details

These updates resolve type confusion vulnerabilities that could lead to code execution (CVE-2015-5128, CVE-2015-5554, CVE-2015-5555, CVE-2015-5558, CVE-2015-5562).

These updates include further hardening to a mitigation introduced in version 18.0.0.209 to defend against vector length corruptions (CVE-2015-5125).

These updates resolve use-after-free vulnerabilities that could lead to code execution (CVE-2015-5550, CVE-2015-5551, CVE-2015-3107, CVE-2015-5556, CVE-2015-5130, CVE-2015-5134, CVE-2015-5539, CVE-2015-5540, CVE-2015-5557, CVE-2015-5559, CVE-2015-5127, CVE-2015-5563, CVE-2015-5561, CVE-2015-5124, CVE-2015-5564).

These updates resolve heap buffer overflow vulnerabilities that could lead to code execution (CVE-2015-5129, CVE-2015-5541).

These updates resolve buffer overflow vulnerabilities that could lead to code execution (CVE-2015-5131, CVE-2015-5132, CVE-2015-5133).

These updates resolve memory corruption vulnerabilities that could lead to code execution (CVE-2015-5544, CVE-2015-5545, CVE-2015-5546, CVE-2015-5547, CVE-2015-5548, CVE-2015-5549, CVE-2015-5552, CVE-2015-5553).

These updates resolve an integer overflow vulnerability that could lead to code execution (CVE-2015-5560).
(Note: CVEs not linked above did not have available data at Mitre.org at the time of this posting).

No new zero-day Flash/AIR exploits have been reported at this time. However, Adobe considers these updates to be CRITICAL. Therefore, it is advised to update ASAP.

--

Friday, August 7, 2015

CRITICAL Firefox Exploit In The Wild!
Update to v39.0.3, ESR v38.1.1 or
Firefox OS v2.2 NOW
PLUS a list of ongoing Apple security flaws

--

[UPDATE: 2015-08-11. Today Mozilla released Firefox v40.0, available HERE.]

[Firefox ESR is the Extended Support Release version, typically used by large organizations who need its special update features and reliability.]

Uh Oh! Firefox is being exploited in the wild, allowing a malicious/hacked website to abuse JavaScript alongside Firefox's PDF viewer to search for and steal files from the user's computer. At the moment, Macs are not yet known to be targets, but are just as vulnerable. You can read about the exploit at Mozilla's website HERE.

Further details about the exploit are available from the Mozilla Security Blog.
The vulnerability comes from the interaction of the mechanism that enforces JavaScript context separation (the “same origin policy”) and Firefox’s PDF Viewer. Mozilla products that don’t contain the PDF Viewer, such as Firefox for Android, are not vulnerable. The vulnerability does not enable the execution of arbitrary code but the exploit was able to inject a JavaScript payload into the local file context. This allowed it to search for and upload potentially sensitive local files.
THEREFORE:

Update to Firefox v39.0.3 (or higher) for regular users. Enterprise Firefox users can update to ESR v38.1.1 (or higher). Firefox OS users can update to v2.2.

~ ~ ~ ~ ~

Meanwhile, in the wings, off stage, coming up: We're waiting for Apple to release fixes for a few more security flaws. 

One of them is also being exploited in the wild as a method of infecting Macs with adware and crapware. It is generically called the DYLD_PRINT_TO_FILE exploit. 

Another pair of security flaws are called 'Thunderstrike' and 'Thunderstrike 2' rootkits. They involve infecting Mac EFI firmware with malware. Apple has been progressively patching these two problems since 10.10.2, but has not yet entirely blocked them.

The last of the currently prominent security flaws allows hacking the Keychain on both OS X and iOS to steal user passwords. This flaw further implicates problems in Apple's app sandbox system and their security vetting of iOS apps for the iOS App Store. Apple has known about this set of flaws since October 2014 and has so far neglected to patch them. 

It is assumed at this time that Apple will patch this group of security flaws in OS X 10.10.5 Yosemite. So keep an eye out for it in the very near future. If you find it annoying and dangerous that Apple has been sitting on these OS X and iOS security flaws for a considerable amount of time, you're not alone!
--

Tuesday, July 14, 2015

Adobe Flash Security Concerns Peak:
Drama Online

--

[Update 2015-07-16: I added a Wired article link and two fun images with links to "Flash Sucks" items currently available from Zazzle. (^_^) ]

Due to the recent stream of zero-day exploits of Adobe Flash, the concerns within the security community have reached a peak. This is a listing of some of the commentary going on around the net. You know my opinion. Here are some others:

--

FOUR CRITICAL Adobe Updates:
Flash 18.0.0.209
Shockwave Player 12.1.9.159
Acrobat & Reader 2015.008.20082

--

[Update 2015-07-15: I added download page links for Adobe Acrobat and the non-cloud version of Adobe Reader. Thanks to my collaborator Al for assistance!]

Adobe has released FOUR CRITICAL updates today. Below I list each of the updates, link to their Security Bulletins and link to where you can download them. I've also added a list of CVEs patched in each update. A total of 50 CVEs have been patched in these updates. I believe that's a record for Adobe.

Adobe Flash Player 18.0.0.209

Adobe Security Bulletin

Download Page

CVEs Patched
CVE-2015-5122: "A use-after-free vulnerability that could lead to code execution."
CVE-2015-5123: "A memory corruption vulnerability that could lead to code execution."

Adobe Shockwave Player 12.1.9.159

Adobe Security Bulletin

Download Page

CVEs Patched
CVE-2015-5120 - "Memory corruption vulnerabilities that could lead to code execution"
CVE-2015-5121 - "Memory corruption vulnerabilities that could lead to code execution"

*Neither CVE is yet listed at Mitre.org

Adobe Acrobat & Reader:
DC v2015.008.20082 and v11.0.12

Adobe Security Bulletin

Adobe Reader DC Download Page

Adobe Reader (non-cloud) v11.0.12 Download Page

Adobe Acrobat Pro and DC Pro Download Page

CVEs Patched
CVE-2014-0566 - "Memory corruption vulnerabilities that could lead to code execution."
CVE-2014-8450 - "Security bypass vulnerabilities that could lead to information disclosure."
CVE-2015-3095 - "Memory corruption vulnerabilities that could lead to code execution."
CVE-2015-4435 - “Methods to bypass restrictions on JavaScript API execution.”
CVE-2015-4438 - “Methods to bypass restrictions on JavaScript API execution.”
CVE-2015-4441 - “Methods to bypass restrictions on JavaScript API execution.”
CVE-2015-4443 - “Null-pointer dereference issues that could lead to a denial-of-service condition.”
CVE-2015-4444 - “Null-pointer dereference issues that could lead to a denial-of-service condition.”
CVE-2015-4445 - “Methods to bypass restrictions on JavaScript API execution.”
CVE-2015-4446 - “Validation bypass issues that could be exploited to perform privilege escalation from low to medium integrity level.”
CVE-2015-4447 - “Methods to bypass restrictions on JavaScript API execution.”
CVE-2015-4448 - "Use-after-free vulnerabilities that could lead to code execution."
CVE-2015-4449 - "Security bypass vulnerabilities that could lead to information disclosure."
CVE-2015-4450 - "Security bypass vulnerabilities that could lead to information disclosure."
CVE-2015-4451 - “Methods to bypass restrictions on JavaScript API execution.”
CVE-2015-4452 - “Methods to bypass restrictions on JavaScript API execution.”
CVE-2015-5085 - “Methods to bypass restrictions on JavaScript API execution.”
CVE-2015-5086 - “Methods to bypass restrictions on JavaScript API execution.”
CVE-2015-5087 - "Memory corruption vulnerabilities that could lead to code execution."
CVE-2015-5088 - "Security bypass vulnerabilities that could lead to information disclosure."
CVE-2015-5089 - "Security bypass vulnerabilities that could lead to information disclosure."
CVE-2015-5090 - “Validation bypass issues that could be exploited to perform privilege escalation from low to medium integrity level.”
CVE-2015-5091 - “Validation bypass issues that could be exploited to perform privilege escalation from low to medium integrity level.”
CVE-2015-5092 - "Security bypass vulnerabilities that could lead to information disclosure."
CVE-2015-5093 - "A buffer overflow vulnerability that could lead to code execution."
CVE-2015-5094 - "Memory corruption vulnerabilities that could lead to code execution."
CVE-2015-5095 - "Use-after-free vulnerabilities that could lead to code execution."
CVE-2015-5096 - "Heap buffer overflow vulnerabilities that could lead to code execution."
CVE-2015-5097 - “Integer overflow vulnerabilities that could lead to code execution.”
CVE-2015-5098 - "A buffer overflow vulnerability that could lead to code execution."
CVE-2015-5099 - "Use-after-free vulnerabilities that could lead to code execution."
CVE-2015-5100 - "Memory corruption vulnerabilities that could lead to code execution."
CVE-2015-5101 - "Use-after-free vulnerabilities that could lead to code execution."
CVE-2015-5102 - "Memory corruption vulnerabilities that could lead to code execution."
CVE-2015-5103 - "Memory corruption vulnerabilities that could lead to code execution."
CVE-2015-5104 - "Memory corruption vulnerabilities that could lead to code execution."
CVE-2015-5105 - "A buffer overflow vulnerability that could lead to code execution."
CVE-2015-5106 - “Validation bypass issues that could be exploited to perform privilege escalation from low to medium integrity level.”
CVE-2015-5107 - "An information leak vulnerability."
CVE-2015-5108 - “Integer overflow vulnerabilities that could lead to code execution.”
CVE-2015-5109 - “Integer overflow vulnerabilities that could lead to code execution.”
CVE-2015-5110 - "A stack overflow vulnerability that could lead to code execution."
CVE-2015-5111 - "Use-after-free vulnerabilities that could lead to code execution."
CVE-2015-5113 - "Use-after-free vulnerabilities that could lead to code execution."
CVE-2015-5114 - "Use-after-free vulnerabilities that could lead to code execution."
CVE-2015-5115 - "Memory corruption vulnerabilities that could lead to code execution."

* CVEs not linked above have not yet been listed at Mitre.org.

--