Monday, September 29, 2014

Coverage Of:
Apple's Bash 'ShellShock' Bugs Patchfest

--
[UPDATES:
-> 2014-09-29 at 9:00 pm EDT. Some language altered. 'SCORE KEEPING!' section added.
-> 9:30 pm EDT. Updated CVE data and links in 'SCORE KEEPING!' section.
-> 2014-09-30 at 6:45 pm EDT. Added the 'FURTHER INFORMATION!' section with links to two SANS presentations on the Bash bugs. Added the 'ALERT' section with advice to server and client Mac users and a link to Rich Mogul's relevant article. Also added: A link to Adam Engst's 'How to Test Bash for Shellshock Vulnerabilities.']

ALERT: Active exploits are in-the-wild for Bash bug CVEs that have NOT yet been patched by Apple! These exploits are specific to UNIX (including OS X) servers exposed to the Internet. All admins should be applying every latest official Bash patch relevant to their servers as they are released. This is imperative. 

Client Mac users, however, generally have no major worries (as of yet). Nonetheless, here is an excellent strategy to help prevent potential exploits (with thanks to Rich Mogul):

1) Have your OS X Firewall running! Its tab is located in the Security & Privacy System Preferences pane.
2) Turn OFF Guest User access in the Users & Groups System Preferences pane.
3) Turn OFF Remote Login in the Sharing System Preferences pane.
~4) Not so critical, but useful: Check ON 'Block all incoming connections'. This setting is located in the Security & Privacy System Preferences pane, under the Firewall tab, under the 'Firewall Option' button. Note Apple's warning when you activate this setting! It will block ALL sharing services, which will itself cause problems on your LAN (local area network). If you aren't using a LAN, check it on.

Welcome to the Patchfest! 

This is where I'll be listing all the Bash 'ShellShock' Bugs CVEs and Apple patches as they are released.

1) 2014-09-29, 6:30 pm:

Apple has released its FIRST patch for the Bash security bugs. It patches two out of six known and published Bash security flaws. As such, expect further Apple Bash patches in the very near future.

Here is Apple's Security Report, which includes links to the first available patches. I've added formatting and bolding to provide focus points.
APPLE-SA-2014-09-29-1 OS X bash Update 1.0
OS X bash Update 1.0 is now available and addresses the following:

Bash

Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5

Impact: In certain configurations, a remote attacker may be able to execute arbitrary shell commands

Description: An issue existed in Bash's parsing of environment variables. This issue was addressed through improved environment variable parsing by better detecting the end of the function statement.

This update also incorporated the suggested CVE-2014-7169 change, which resets the parser state.

In addition, this update added a new namespace for exported functions by creating a function decorator to prevent unintended header passthrough to Bash. The names of all environment variables that introduce function definitions are required to have a prefix "__BASH_FUNC<" and suffix ">()" to prevent unintended function passing via HTTP headers.

CVE-ID
CVE-2014-6271 : Stephane Chazelas
CVE-2014-7169 : Tavis Ormandy

OS X bash Update 1.0 may be obtained from the following webpages:
http://support.apple.com/kb/DL1767 – OS X Lion
http://support.apple.com/kb/DL1768 – OS X Mountain Lion
http://support.apple.com/kb/DL1769 – OS X Mavericks

To check that bash has been updated:
* Open Terminal
* Execute this command:
bash --version
* The version after applying this update will be:
OS X Mavericks:  GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin13)
OS X Mountain Lion:  GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin12)
OS X Lion:  GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin11)

Information will also be posted to the Apple Security Updates web site: http://support.apple.com/kb/HT1222
NOTE: Not all currently known Bash CVEs have been patched! The remaining CVEs must wait to be patched another day...
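To go one step beyond eyeballing `bash --version`, here is an added example script (my own, not Apple's code or Adam Engst's) that parses the version banner against the 3.2.53 release Apple lists above and runs the widely published local self-test for CVE-2014-6271, in which a function definition exported in the environment has a command appended after its closing brace; a patched Bash stops parsing at the brace, so the appended command never runs. It assumes the patched version number is the same on all three OS X releases, as the advisory states.

```shell
#!/bin/sh
# Added example, not code from Apple's advisory or from this blog.
# Checks the bash found in PATH against OS X bash Update 1.0 in two ways:
#   1. parse the `bash --version` banner and compare it with the 3.2.53
#      release the advisory lists for Lion, Mountain Lion and Mavericks;
#   2. run the well-known local self-test for CVE-2014-6271 (an exported
#      function definition with a command appended after the closing brace).
# Assumption: the patched version is the same on all three OS X releases.

PATCHED_VERSION="3.2.53"

# Print the dotted version number from a `bash --version` banner, e.g.
# "GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin13)" -> "3.2.53".
# Prints nothing when the line is not a bash banner.
bash_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^GNU bash, version \([0-9][0-9.]*\).*/\1/p'
}

# Return 0 when dotted version $1 is greater than or equal to $2, comparing
# each numeric field in turn (so 3.10.1 >= 3.9.9, unlike a string compare).
version_ge() {
    local a b x y
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"
        [ -z "$x" ] && x=0
        [ -z "$y" ] && y=0
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    return 0
}

# Return 0 when the banner shows a bash at or above the advisory's version.
update_applied() {
    local v
    v=$(bash_version_from_banner "$1")
    [ -n "$v" ] && version_ge "$v" "$PATCHED_VERSION"
}

# Self-test for CVE-2014-6271 against the bash binary named in $1 (default:
# bash).  A vulnerable bash keeps parsing past the closing brace of the
# exported function and runs the appended echo, so the marker appears in
# the output.  Returns 0 (true) when the binary is VULNERABLE.
cve_2014_6271_vulnerable() {
    local bin out
    bin="${1:-bash}"
    out=$(env x='() { :;}; echo SHELLSHOCK_MARKER' "$bin" -c 'true' 2>/dev/null) || true
    case "$out" in
        *SHELLSHOCK_MARKER*) return 0 ;;
        *) return 1 ;;
    esac
}

# Report on the bash found in PATH.
main() {
    local banner
    banner=$(bash --version 2>/dev/null | head -n 1)
    if update_applied "$banner"; then
        echo "bash $(bash_version_from_banner "$banner") is at or above $PATCHED_VERSION"
    else
        echo "bash is below $PATCHED_VERSION (banner: '$banner'); apply OS X bash Update 1.0"
    fi
    if cve_2014_6271_vulnerable bash; then
        echo "CVE-2014-6271 self-test: VULNERABLE (parsing runs past the closing brace)"
    else
        echo "CVE-2014-6271 self-test: not vulnerable"
    fi
}

main "$@"
```

The self-test covers only CVE-2014-6271; it says nothing about CVE-2014-7169 or the CVEs still unpatched, so treat a clean result as "this one fix is in", not "Bash is safe".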

You can look up CVE reports using links under the 'Friends of Mac-Security' on the right of this page. But I will be providing links to CVE reports as they become known to me. Check out the 'SCORE KEEPING!' section below.

~ ~ ~ ~ ~ 

SCORE KEEPING!

[Last updated 2014-09-29 at 9:30 pm EDT]

Here is the current list of Bash bug CVEs. I'll be updating it as I learn more and as Apple patches each CVE. Note that this list is 'to the best of my knowledge'. CVEs not yet listed at NIST remain nebulous, strange and abstract in the aether, unverifiable by mere mortals on planet Earth. So don't hold me to them.

CVE-2014-6271 (√ Patched by Apple 2014-09-29)
http://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271

CVE-2014-7169 (√ Patched by Apple 2014-09-29)
http://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169

CVE-2014-6278 (Unpatched. No description. Not yet listed at NIST)
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2014-6278

~ ~ ~ ~ ~

FURTHER INFORMATION!

-> Today (2014-09-30) the SANS Institute posted and updated a 13 minute video presentation by Johannes B. Ullrich, Ph.D., about the Bash bugs situation (as of this moment). SANS offer:
- An audio presentation.
- A video presentation at YouTube with audio and slides.
- A PDF of notes.
- PowerPoint slides.
All are available HERE.

-> Wednesday (2014-10-01) at 3:00 EDT (19:00:00 UTC) SANS will be offering a 'webinar' with Johannes Ullrich and Chris Wysopal. It is entitled "Shell Shock - What you need to know." Here is the notification they sent out on Tuesday afternoon:


***************  Sponsored By Veracode  ***************

Shell Shock - What you need to know:
Wednesday, October 01 at 3:00 PM EDT (19:00:00 UTC) - There is speculation that Shellshock, the latest vulnerability in a long line of major discoveries, will be more catastrophic than Heartbleed. During this webinar, Johannes Ullrich, SANS and Chris Wysopal, co-founder and CTO of Veracode, will outline what you need to know about Shellshock. They will also explain how you can respond to this specific vulnerability and what you can do to prepare for the inevitable future vulnerability discoveries.


************************************************************

-> Adam Engst of TidBITS has created a great page entitled "How To Test Bash for Shellshock Vulnerabilities". It is an elaboration upon the work on my Bash coverage here. He will be updating it if/when further Bash CVEs are made public. Thank you Adam!

I wrote to Adam Engst tonight about what a terrific gestalt of helpful people we have within the Mac community, including himself and Rich Mogul. Links to a lot of other helpful Mac gestalt members are listed under 'Friends of Mac-Security' on the right of this page.

Share and Enjoy,


:-Derek
--

Ongoing Crazy Security Issues:
Nothing Much And Too Much To Say

--

INTRODUCTION

There are a great many computer security issues going on these days. The increase in ongoing security issues over this past spring and summer could be called an ongoing explosion of mushroom cloud proportions. The number of ongoing issues is quite literally overwhelming. As a computer security watcher, researcher, analyzer, commentator and teacher, I'm intimidated by having so much to comprehend.

Should I be writing about all of this within the context of this, my Macintosh Security blog?

Because of my manifesto for this blog, my answer is no. I wish to write here only about issues that are directly dangerous to Apple computer users. I also wish to write articles that provide useful information, summaries and teaching for Apple computer users. I have no interest in being redundant to other people's blog work on the Internet, except in an effort to bring their work to the attention of others. I also aim what I write here at average Apple computer users. My goal is to take the complicated and translate it into information that can be both comprehended and used by average Apple computer users. Let folks like me comb through the, frankly chaotic, world of geek-level information and summarize it down into something readable by mere humans.


WHAT TO SAY WHEN THERE'S NOTHING MUCH AND TOO MUCH TO SAY

Without directly helpful information to share, despite the exploding mushroom cloud of ongoing computer security issues, I say nothing. I do this because I despise FUD! Needless FEAR, UNCERTAINTY and DOUBT are worthless. They're used as methods of manipulation and propaganda. These nasty tools are used to drive us humans into a state of despair and desperation, what I call 'Desperation Mode', whereby we blunder our way into actions that suit the manifestos of the scum humans who are manipulating us. I have zero interest in playing these self-destructive, disrespectful games.

Therefore, when the only effect of my writing would be to create FUD, I don't write. I'm very happy to rip the mask off FUD! I'm pleased when I can point out and satirize FUD. But I never see a point in messing up others by making my own FUD.

However, I believe it is useful to at least point out what's going on in the background while I wait for something useful to provide here in the blog. There's nothing much to say, but here's what's cooking:


WHAT'S COOKING ON THE APPLE COMPUTER SECURITY STOVE?

It's difficult to create a priority list regarding these subjects. What's more important? What's a more imminent problem? So I'm not going to bother. I'm simply going to list them as I see fit in the moment.


Oracle's Internet Browser Java Plug-in:

Java remains the single most dangerous software you can run via the Internet. If you don't need to, then don't. Uninstall the Java Plug-in. Only install the Java plug-in if you run into a website that requires you to use it. Even then, use Java security features in your web browsers as well as Java security add-ons. Apple has made the most recent versions of Safari extremely safe against abusive Java code. It's not perfect. Using the features can be intimidating and dysfunctional. But they are entirely worth using. I strongly suggest reading up on Safari's new Java control preference features as well as similar features in other browsers. I may provide my own write-up about these settings in the future.

One good change I can point to is Oracle's ongoing effort to babysit Java by informing users when their installed version of the Java Plug-in is out-of-date. This is no substitute for the sandboxing of Java, as was originally intended by Java's creator Sun Microsystems. But it's better than letting nasty little brat Java run around without a nanny to swat it when it's being naughty.


Adobe's Reader, Flash, AIR and Shockwave software:

Adobe's Internet freeware remains the second most dangerous software you can run on the Internet. If you don't need to use it, then don't. Instead, uninstall it. Only install Adobe's freeware if you run into a website that requires you to use it. Even then, use Adobe plug-in security features in your web browsers as well as Adobe plug-in security add-ons. At this point, these features are no longer intimidating or dysfunctional. In general, they work quite well and are entirely worth using! Read up on the Adobe plug-in control preference features available within web browsers if you have questions about what they're doing.

I personally cannot stand the invasiveness of Adobe's update notification and installation features. Instead, as an advanced Mac user, I keep up with available updates on my own. Doing the same is a lot to ask of average Mac users. Therefore, it may well be best to allow Adobe's root level Launch Agent to run on your system so it can help keep you up-to-date. It's up to the user to choose what to do. Adobe's update notification is available in their installers if you'd like to use it.


Heartbleed Bug:

I've written up a couple of articles about the dangerous and ongoing problems with old implementations of OpenSSL. This problem is going to live on for years, not kidding. It's entirely curable! However, oblivious, careless and lazy server administrators aren't bothering. Therefore, this problem periodically does damage. There are now convenient hacker tools to take advantage of Heartbleed. They are scripted. You get them running, walk away, come back later and analyze the successfully harvested data. There are also analysis tools to help hackers patch together the 64-bit chunks of harvested data into a completed puzzle. If that puzzle contains exploitable user data, it is either exploited by the hacker or posted online for sale to crooks. The exploitable data can include anything from your mother's maiden name to a victim's card numbers and PIN.

Every single Internet server containing the Heartbleed Bug has now been documented. If an Internet server administrator does not know if their server is exploitable, they should be fired or sued in civil court. I strongly expect such lawsuits to begin appearing this coming year. It's all about responsibility.


Bash Shell 'ShellShock' Bugfest:

This is, for the moment, a dangerous problem for those running OS X servers that are directly exposed to the Internet. If you're behind a router, you are probably safe in the short term. I know full well that eventually there will be PWNing ('owning', taking over or zombieing) of routers and OS X client users. I'll address those exploits if or when they become evident. For now, only OS X Internet servers are at risk.

Describing this problem is a challenge because in and of itself it is turning into a mushroom cloud of security flaws. I'll simply say that Bash (Bourne-again shell) is a UNIX shell used by OS X, OS X applications and OS X users to access CLI (command line interface) applications that are installed in the OS X system. It is old, poorly vetted, incredibly insecure software. Oddly, its numerous security flaws were unknown, at least in public, for many years. Over the past few days, the report of one single security bug in Bash has led to the revelation that Bash has an undetermined plethora of security bugs. So far, I know of two security updates for Bash that have been made available over the past few days. But they do NOT solve the ongoing revelations of further security flaws.

The result is that Bash itself is not fit for use on servers exposed to the Internet. The result, at the moment, is a debate and study of either:

1) Playing 'whack-a-mole' by daily patching Bash as each new security flaw is discovered.
OR
2) Using an adequate replacement of the Bash shell.
OR
3) Taking affected servers OFF the Internet until a full and final solution is developed.

Meanwhile: Bash Internet exploit tools have already been made available to hackers, and they're being used.

Replacing Apple's installed version of the Bash shell is a huge PITA unless you understand exactly why and what you're doing. I cannot recommend bothering with it unless you're an advanced user who knows how to use the CLI to run their Mac. It is such a huge PITA that I have consistently run into Mac computer geeks who have posted WRONG and INCOMPLETE instructions for replacing Apple's Bash shell. When the geeks can't get it right, no way should average Mac users touch it.

Thankfully, as I indicated above, no average Mac users need bother to worry about the Bash shell security flaws affecting their computer. Only OS X server administrators need worry about it, for now. This may well change! If the Bash problems aren't solved in a hurry, there will no doubt be related attacks on average users' routers and Trojan horses to abuse their Macs, if not outright PWN them. That's a worry for another day, if it happens at all. Meanwhile, we sit and wait for the experts to thrash through the Bash source code and clean up the potentially catastrophic mess buried therein.

There are piles of ongoing, constantly going out-of-date articles about the Bash ShellShock bugs. Keeping up will drive you nuts. If you're that kind of person, be sure to read only the most up-to-date articles AND be sure to read from a variety of sources. That's the only way to know what's actually going on at-the-moment. Bash analysis is constantly revealing new problems. New exploits are constantly showing up on the net.

Here's one very good overview, for today anyway, of the Bash ShellShock bugfest, posted by Intego:

http://www.intego.com/mac-security-blog/shellshock-vulnerability-what-mac-os-x-users-need-to-know/


Retail POS POS Device Malware:

"POS" has two meanings relevant to this problem. The first meaning is 'Point Of Sale', regarding devices that are used to collect customer payment data, be they Chip and PIN card readers or magnetic stripe card readers. (To be clear, if a POS device has this problem, using Chip and PIN solves nothing at all. Don't be fooled by claims to the contrary). The second meaning is a deliberate punning obscenity which I'll leave you to translate. I use this obscenity because these devices are an obscenity of bad technology.

This is another curable security problem that lazy, stupid, cheap retailers are NOT patching. The stupidity involved is stunning and beyond comprehension. From my point of view, this catastrophe fits perfectly into my concepts of 'bad biznizz'. These are companies who literally don't give a rat's about their customers, to say the least, to state the obvious. They don't know how to run their businesses. They are distinctly anti-capitalist in their attitudes and their obliviousness. I'd like to be kind and say that these companies may only, innocently, be ignorant of the technology they're using to enable their businesses. But that is NOT the case. They know exactly what technology they're using and they are making the choice to IGNORE the requirements of owning and using that technology.

I've previously written about the source of this problem. My quick summary is this:
1) These devices use Windows XP Embedded as their operating system.
2) Windows XP exposes all collected data in-the-clear (having no encryption) in RAM on these machines.
3) Hackers on the Internet search for and find routes by which they are able to BOT (aka PWN) all the POS devices networked within a victim company. They also BOT at least one node server computer within the same network.
4) The malware hacked onto these machines sits in wait, watching all the data revealed in RAM, then sends that data off to a server node within the network of the infected company. The collected data is then sent over the Internet to the hacker bot wranglers out on the Internet.
5) The collected data is then analyzed. Personal data is extracted. This data includes everything read into the retail POS devices, including card numbers and PIN numbers. (Yes, this includes Chip and PIN card data).
6) This personal data is then either used or sold on the Internet to crooks.

After the initial catastrophic revelations of this problem, (thank you Target, Neiman Marcus, ad nauseam), security updates were provided by Microsoft to update these archaic Windows XP Embedded devices. The updates did NOT solve the problem of in-the-clear exposure of personal data in RAM. They won't be able to solve that problem! But these patches have at least been swatting at each specific variant of malware being used to PWN these POS devices.

Except, a great many companies are NOT updating their POS devices. This is inexcusable. This is irresponsible. This constitutes customer abuse, as future court cases will no doubt prove. And of course, this is bad biznizz. The biggest recent new revelation of PWNed POS devices and the subsequent sales of customer personal data over the Internet, has come from the willfully stupid company Home Depot. The latest figure I have read is that Home Depot literally gave away 56 MILLION customer card accounts. Unforgivable.

New revelations of retail POS POS device PWNing are happening at an incredible rate. These revelations are not stopping. The number of worthless companies who are ignoring this problem is incomprehensible. Everyone loses, from the companies to the banks to the disrespected customers. The only winners are the hacker crooks. And yet this problem is NOT abating.

Obviously, this problem has no direct impact on Apple computer users. It does impact every credit and debit card user, many of whom are Apple computer users. Therefore, it's relevant here at this blog. Expect more of this curable security nightmare well on into the future.

The ultimate solution to in-the-clear data in RAM is end-to-end encryption. We're going to be hearing references to this concept also well on into the future until such time as it becomes the DEFAULT in the retail industry. And again: Chip and PIN cards do NOT solve this problem. They have nothing to do with it. Magnetic stripe cards have nothing to do with it. Insecure POS devices and bad biznizziz are the problem.


And so forth...

The above are the big ongoing problems. There are smaller problems as well, the most prominent of which is:

ADWARE. My colleague Thomas Reed is brilliantly covering the adware problem and has created a detection and removal tool AdwareMedic which I highly recommend! I've been a beta-tester for Thomas's adware tool and have been thoroughly impressed. If you've been the victim of adware, head over to Thomas' The Safe Mac website for both documentation and the solution. Bravo Thomas!

Thomas's The Safe Mac website covers many Apple computer security issues that I don't. I'd check out Thomas's site side-by-side with mine. Thomas maintains what we both consider the definitive list of both old and new Mac malware. Because Thomas and I belong to a great group of malware researchers and writers created by Mark Allen, the creator of the terrific ClamXav anti-malware, many of us on the Internet are coordinating our work and publications. You'll find all of these colleagues listed on the right side of this page under 'Friends of Mac-Security'. I recommend the work of all of them.

For malware detection and removal I recommend that all Mac users check out and support ClamXav. It's donationware, free to download and use, and well worth installing on every Mac. It finds and removes the vast majority of not only Mac malware, but also Windows and Linux malware. It's a gem of the Mac community. ClamXav is available from the Apple App Store. I strongly suggest instead downloading it directly from Mark's ClamXav website as that version includes efficient, non-invasive real-time malware scanning. This feature means you can automatically scan every file you download from the Internet. If you wish, you can aim ClamXav's real-time scanning specifically at your Downloads folder, a terrific way to catch Trojan horses and break social engineering by malware rats. (Unfortunately, at this time Apple does not allow real-time scanning in apps offered at the App Store).

There are a number of excellent commercial anti-malware programs. My personal favorites are from Intego and Sophos. Many people prefer anti-malware from F-Secure. (I would have put Kaspersky AV in this list. But Eugene Kaspersky's outrageous Mac security FUD mongering on his blog this week killed my enthusiasm dead. What a shill! What a Symantec-clone!)

There are also some awful anti-malware programs. I personally suggest staying away from Avast!, Symantec's Norton™ AntiVirus, PCTools iAntiVirus, and MacKeeper. I've found these applications to generally be inadequate, buggy, out-of-date or outright abusive to users.

For detecting both legal and illegal spyware, any of the recommended commercial anti-malware programs can be useful. The MacScan shareware application specifically targets spyware. However, I have never been impressed by the thoroughness of its scans. Therefore, if you believe it might be useful, be sure to test it before buying it.

As usual, the very best overall advice I can offer is to:

1) Make A Backup! It's the #1 Rule of Computing. If you don't back up, you deserve what you get.
2) Keep Up-To-Date! This is particularly important for Apple software.
3) Before You Update OS X, be sure to:

  • Repair your boot volume.
  • Repair your boot volume's permissions.

(Yes, repair your permissions. It's not crucial, but it can be extremely useful).


Thus ends today's mind dump.

I hope you find this useful, versus merely mind-numbing.

:-Derek


Friday, August 22, 2014

What Life's Like On The Other Side:
Fragmandroid Illustrated

--

I've never been one to start computer warz, only to satirize them and righteously defend Apple when they deserve it. But I saw this graphic today and have to share it. Warning: It's nauseating.

This isn't the latest in boring modern art demonstrations of how to paint a rectangle. This is a graphic showing the fragmentation of Google's Android operating system, per device. Click to view the graphic in its full incredible glory.

Google let this happen. Damn them.

And there's lots MORE. You'll find further interactive graphics and explanation over at OpenSignal's brilliant article:


As I posted over at MacDailyNews' summary article on the subject, pointedly in Google's direction:

OMF: How did you allow this to happen Google? HOW?

Smugness your way out of this catastrophe of technology. Nausea provoking. A rat’s nest of insecurity.

Thank you OpenSignal for so elegantly and blatantly pointing out what life's like on the other side. There's not much green over that hill! Good gawd.

Meanwhile, here's the iOS situation in comparison to versions of Android in the wild:


What is there to say?
Except, hurray for iOS.
--


Wednesday, August 13, 2014

CRITICAL New Adobe and Apple Updates:
Adobe Flash, Adobe AIR and Apple Safari

--

Both Apple and Adobe have provided critical updates this week:

I. ADOBE UPDATES

Adobe Flash v14.0.0.176
Adobe AIR v14.0.0.178

Adobe released 'second Tuesday of the month' updates for Adobe Reader, Adobe Flash and Adobe AIR. Both Flash and AIR include CRITICAL security updates for OS X users.

Adobe's security bulletin for Flash and AIR can be found HERE.

These updates resolve memory leakage vulnerabilities that could be used to bypass memory address randomization (CVE-2014-0540, CVE-2014-0542, CVE-2014-0543, CVE-2014-0544, CVE-2014-0545). These updates resolve a security bypass vulnerability (CVE-2014-0541). These updates resolve a use-after-free vulnerability that could lead to code execution (CVE-2014-0538).
Keep in mind that every security update of Flash means there is also a security update of AIR.


II. APPLE UPDATES

Apple Safari v6.1.6
Apple Safari v7.0.6

Both updates are available using "Software Update" in the Apple menu of OS X. Quoting from Apple's security content documentation for the updates: 
WebKit

Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.4

Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution

Description: Multiple memory corruption issues existed in WebKit. These issues were addressed through improved memory handling.
IOW: The usual bad memory management security holes, the curse of contemporary coding. I'm hoping that Apple's new Swift programming language will end this trend.

The CVEs patched are: 

CVE-2014-1384
CVE-2014-1385
CVE-2014-1386
CVE-2014-1387
CVE-2014-1388
CVE-2014-1389
CVE-2014-1390




* You can check out CVEs (Common Vulnerabilities and Exposures) using the "CVE Search" link on the right of this page.

--

Wednesday, August 6, 2014

Upcoming Changes In Apple's Gatekeeper Security

--

Apple started providing 'Gatekeeper' with OS X 10.7.x. You can see its settings in the Security & Privacy preference pane, under the General tab.


It's a bad idea to have it set to allow applications from 'Anywhere'. Don't do that! But I find it too restrictive to only download from the Mac App Store. I continue to use many wonderful apps that are never going to be available directly from Apple. Therefore, I personally prefer to leave Gatekeeper set to allow apps from the "Mac App Store and identified developers."

What's changing in the OS X Mavericks 10.9.5 update as well as 10.10 Yosemite is further scrutiny of the "identified developers." The GUI for Gatekeeper will remain the same. But developers are going to have to take an extra step with their applications in order to allow their security certificates to get past the 'Gatekeeper'. Users may well find that many previously 'identified' application security certificates won't pass muster and will cause OS X to reject them.

You can read the gory details in Apple's Technical Note TN2206: OS X Code Signing In Depth. Skip ahead through the document to the section heading Changes in OS X 10.9.5 and Yosemite Developer Preview 5.
If your team is using an older version of OS X to build your code, re-sign your app using OS X version 10.9 or later using the codesign tool to create version 2 signatures. Apps signed with version 2 signatures will work on older versions of OS X….  
Important: To ensure your current and upcoming releases work properly with Gatekeeper, test on OS X version 10.10 (Seed 5 or later) and OS X version 10.9.5.
There are several articles discussing this change. Here is one, cited over at MacDailyNews, from Richard Mallion at the AmSys blog in the UK:

Gatekeeper changes coming

:-Derek


Friday, June 13, 2014

Apple Device Ransom Attack Revelations

--


Recently there has been what appears to be a series of attacks on Apple devices, both OS X and iOS, from various sources. I had been watching the issue, but it wasn't amounting to a serious problem. That changed earlier this week when a pair of hackers were arrested in Russia for attempting to pull off a real working ransom scheme. A couple of my colleagues have written up articles about the situation. I would like to draw your attention to them as well as the subject in general.

Originally, this was considered to be one attacker using the moniker of 'Oleg Pliss' performing what I considered to be merely a proof-of-concept attack. The kidnapped Apple devices had messages pop up telling victims to send money to a PayPal account that never existed.

Then this happened:

Hackers suspected of holding Apple devices to ransom detained in Russia
Russian authorities say they have detained two young hackers who are alleged to have hijacked Apple devices and digitally held them ransom. 
The hackers - aged 17 and 23 - were detained in the course of "operational activities" by the Russian Interior Ministry, Russia's Ministry of Internal Affairs said. They are both residents of the southern administrative district of Moscow and one has been tried before, it said. 
According to Russian media outlet MKRU,  the hackers were caught by CCTV when they withdrew victims' ransom money from an ATM.
. . . 
It appears that just over a week before Australian users began reporting similar hijacking attacks, a Russian publication reported Russian citizens were being targeted. The same hackers then may have used their techniques to hijack Australian devices although it may have been copycats.
The first impression was that these were the hackers passing as "Oleg Pliss". But there are strong indications that they are not. Their scheme turns out to be significantly different from and more elaborate than the "Oleg Pliss" attack. As The Sydney Morning Herald article above indicates, their attack predates the "Oleg Pliss" attack. Details are still being collected regarding exactly what they were doing. But here are a few details:
…The hackers used two "well-established" schemes to conduct their activities.  
"The first was to gain access to the Apple ID of a victim's account by creating phishing pages, [gaining] unauthorised access to email, or using social engineering techniques," the Ministry of Internal Affairs said. "The second scheme was aimed at binding ... devices to a pre-arranged account." 
The pre-arranged account was one that hackers owned then "leased", or sold, to users by offering movies and music. But in order to access the content, users needed to link their devices to the account, which left the devices vulnerable to being hijacked by hackers who knew the log-in details.
This wasn't any proof-of-concept attack. It was serious and working, until the Russian police caught the two red-handed.

Until such time as Apple makes changes to its 'Find My Mac' system, this ransom scheme is likely to happen again. Note that the 'locked' devices are entirely recoverable as long as the users have followed The #1 Rule of Computing and have made a backup. Sadly, as usual, there will be the newbie, granny and LUSER factors that will mean trouble for those users. That's going to potentially be a big problem. We'll see how it goes. I don't want to FUD the situation, but the ransom problem is now very real for Apple users. So keep your eyes open and keep your Apple ID information safe from hackers while we wait for further revelations.

Current details are available in articles by my colleagues Thomas Reed and Topher Kessler:

Russian iCloud hackers arrested


Russian hackers arrested in possible ‘Oleg Pliss’ iOS ransom attack




--

Tuesday, June 10, 2014

Adobe Patch Tuesday Security Hole Circus

--

Another Adobe Patch Tuesday, another pile of security holes we didn't know were there all along.

I decided to take another tack in my attack against Adobe's crapware. Below is a rant I posted up on MacUpdate along with my half-star rating of Adobe's Flash Internet plug-in.


~ ~ ~

This is why I hate Flash, this stuff, this constant insecurity STUFF:

"These updates resolve cross-site-scripting vulnerabilities (CVE-2014-0531, CVE-2014-0532, CVE-2014-0533).


"These updates resolve security bypass vulnerabilities (CVE-2014-0534, CVE-2014-0535).


"These updates resolve a memory corruption vulnerability that could result in arbitrary code execution (CVE-2014-0536)."


These are all the security holes patched in this update. This profound patching happens with EVERY update. And we know damned well that there are a hundred+ MORE security holes in this crap code that haven't been patched yet. Could this crap be programmed any WORSE? And Adobe dares defend the use of Flash on the Internet. Shut up Adobe and kill this skanky thing DEAD already! 


Oh and did you know that Adobe incorporates an old, unpatched, security hole riddled, zero-day attack prone version of Flash in their crappy Shockwave Internet plug-in, and that Adobe don't give a rat's about the consequences? IASSOTS Adobe.


ADVICE: Don't install EITHER Flash OR Shockwave if you want to stay safe on the Internet. They're the #2 and #3 MOST dangerous software a Mac user can run, close behind Oracle's crap Java Internet plug-in.

~ ~ ~

I think that gets the point across.

STILL no new Shockwave update. How dare you Adobe? After all the flood of hate from the Internet community about your implementation of Flash in Shockwave you do N O T H I N G ? We got the message. You hate your customers.


Oh and, as per usual, if there are Flash security holes, there are AIR security holes. If you still are forced to use this crapware, be sure to update BOTH.


What DO you care about Adobe? Besides the money?


--