Thursday, July 30, 2009

Critical Adobe Security Patches Arrive, Again

--
I just gotta rant for a couple paragraphs:

The most disappointing thing I learned this week is that Adobe knew about this current crop of security holes last December, 2008. So why are we only learning about it now and only getting patches now. Didn't I say Adobe sucks?

And isn't it amusing that Adobe patched up one slew of security holes last month, and waited on this slew of further security holes. What do they do over at their offices? Argue about whether to patch? How to patch? When to patch? How long can they delay it without people saying 'Adobe sucks"? I know they have a messed up work culture over there. Get with it dummies!

The Patches:

1) Adobe Flash Player v10.0.32.18. There is a special patch for version 9 users to v9.0.246.0.

2) Adobe Air v1.5.2

3) Adobe Reader v9.1.3 - Theoretically available Friday, July 31

4) Acrobat v9.1.3 - Theoretically available Friday, July 31

NOTE: Verify which version you have downloaded. Adobe often don't mark what specific version you are downloading. Instead they may tell you that you are downloading "the latest version" when in fact you are NOT. You need to DIY update whatever you downloaded to the actual 'latest version'. Adobe provide no warning whatsoever. Adobe know about this problem and maybe will stop this practice in the future.

As I say ad nauseam: We're still in the Stone Age of Computing, and in the future they will pity us for the clunky junky stuff we had to put up with. (o_0)
--

Wednesday, July 29, 2009

Black Hat Nails iPhone SMS Security Hole

--
I don't follow iPhone security, but this one is major. It is also coming out of Black Hat USA 2009. So if you have an iPhone, you'd better read this! Or you may become INFECTED!

Short version: SMS stands for Short Message Service. Thanks to a security hole in the iPhone OS, your iPhone can get pwned via a malevolent SMS message. To quote Forbes Magazine:
If you receive a text message on your iPhone any time after Thursday afternoon containing only a single square character, Charlie Miller would suggest you turn the device off. Quickly.
Why Thursday? At 11:15 AM, Los Vegas, NV time, our pal Dr. Charlie Miller along with cybersecurity expert Collin Mulliner give their talk "Fuzzing The Phone In Your Phone". To quote Dr. Miller from his website Security Evaluators (you owe me for all this publicity Charlie!):
In this talk they will show how to find vulnerabilities in smart phones. Not in the browser or mail client or any software you could find on a desktop, but rather in the phone specific software. They will present techniques which allow a researcher to inject SMS messages into iPhone, Android, and Windows Mobile devices. This method does not use the carrier and so is free (and invisible to the carrier). They’ll show how to use the Sulley fuzzing framework to generate fuzzed SMS messages for the smart phones as well as ways to monitor the software under stress. Finally, they will present the results of this fuzzing and discuss their impact on smart phones and cellular security.
As you can see, the SMS security hole is NOT just on the iPhone.

Apparently Dr. Miller notified Apple about this hole over a month ago. One website said Apple knew about the hole 6 months ago. Apple is slow poke. Ars Technica reported July 3rd that Apple are working on a patch for this problem. At the moment there is no patch from Apple or any announcement regarding this problem. Theoretically the patch will be in iPhone OS X v3.1. World of Apple reports that yesterday, July 28, Beta 3 of iPhone OS X v3.1 was distributed for testing. They believe the release will be in mid-August. Oops. That's a couple weeks away. Time for suspense!

Some further reading pleasure can be found at MacFixIt, PCWorld and InfoWorld.

My suggested, but I don't have an iPhone, interim work around: Turn OFF incoming SMS on your iPhone. Or just leave your phone off, like that's an option.

Here is a discussion on how to stop SMS on the iPhone:

iLounge

Note that turning off SMS previews is NOT effective. You want to stop the messages from getting to your phone entirely. (You have permission to hit me if I am incorrect on this point).

Oh BTW: Dino Dai Zovi gave his talk "Macsploitation with Metasploit" today at 10:oo AM Los Vegas time and his talk "Advanced Mac OS X Rootkits" at 11:15 AM Los Vegas time. When I learn of any important ramifications, I'll post. There is an audio interview with Dino Dai Zovi at ThreatPost.com that reviews his interest and experience in Metasploit and Mac Rootkits.
--

Saturday, July 25, 2009

July's Round of Critical Adobe Vulnerabilities: New, Fresh, Dangerous

--
For those of you who took earlier advice from Intego or myself and killed off ADOBE READER, good work, because Adobe have released yet-another CRITICAL SECURITY ADVISORY! But this time it also includes FLASH as well as Acrobat. You knew it had to happen. Tsk tsk Adobe.

Here is where you can read all about it. I'm not going to quote the advisory. Just know that it was written by someone who is Windows-centric and it provides NO HELP for Mac users. Brilliant! Typical! ... As they say in Britain.

So I came up with my own stopgap probably sort of solution if you insist upon keeping Adobe Reader, Acrobat and the Flash Plug-in on your system. I originally posted this over at MacDailyNews.com. Please note that the preference setting names in Acrobat can be slightly different from the names I provide here for Adobe Reader. Otherwise, the setting changes are identical:
WHAT TO DO, my best guesstimation:

Since the information Adobe provided is Windows-centric and a total FAIL for Mac users, seeing as Mac OS X has no-such-thing as .dll files, here is what I guesstimate is what's required to stop this vulnerability:

1) In Adobe Reader Preferences, go to "Multimedia Trust (Legacy)" and UNCHECK "Allow Multimedia Operations". That should kill running any Flash crap in PDF files.

2) In the Preferences, go to "Trust Manager" and UNCHECK "Allow opening of non-PDF file attachments with external applications". That should prevent any embedded Flash crap from running anywhere else on your computer as well.

3) In the Preferences, go to "JavaScript" and UNCHECK "Enable Acrobat JavaScript". That will disable a PDF from even being able to call the Flash plug-in for embedded Flash crap. (Considering the sewer of malware code that JavaScript has become, thank you Microsoft, I'd leave JavaScript off FOREVER if you want to seriously be safe).

*** Or to be extra special safe: Delete BOTH Adobe Reader AND their Flash plug-in from your computer. :-)

AND! Delete these folders, if you've got them:

/Applications/Utilties/Adobe Utilities/Adobe Updater5
and
/Applications/Utilties/Adobe Utilities/Adobe Updater6

AND AND! To be extra special safe, do a Get Info on the Adobe Utilities folder, noted above, and LOCK IT! This will prevent any installers from replacing the nasty Adobe Updater folders and the auto-installation garbage they contain, preventing Adobe from reinstalling Adobe Reader or Flash.

RIP Adobe insecure buggy crapware. :-P

NOTE: If you use other Adobe software, be sure to DIY check for updates on Adobe's website regularly. Adobe has some great software! But they also make some crap insecure software. Protect yourself. :-D
Alternatives: Use Apple's Preview to open, view and create PDF files. To play Flash files that are not stuck in web pages, I use MPEG Streamclip. For web page embedded Flash files, you're hosed. Sorry. Write hate mail to Adobe.

(If you really need to view web page embedded Flash files, try using FireFox running with the latest version of the DownloadHelper extension and download them onto your computer. I love it. Extra crunchy. Also be sure to use the NoScript extension for added safety from bad JavaScript. And be super duper safe by adding on the McAfee SiteAdvisor extension. And to have almost god-like security be sure to add in ...).
--

Mac Attacks @ Black Hat USA 2009

--
BWAHAHAHA!

It's time for the second Black Hat Technical Security Conference of the year, this one being held in Los Vegas, NV. Where else! I wonder how much money casinos will lose to participants after hours.

The conference runs July 25 through July 30. I'll be keeping an eye on Mac related revelry. Here are a couple announced Mac security events, researched and presented of course by two of our greatest Mac hackers, Dino Dai Zovi and Dr. Charlie Miller. My anti-heroes. *sw00n*
DINO DAI ZOVI

Advanced Mac OS X Rootkits

The Mac OS X kernel (xnu) is a hybrid BSD and Mach kernel. While Unix-oriented rootkit techniques are pretty well known, Mach-based rootkit techniques have not been as thoroughly publicly explored. This presentation will cover a variety of rootkit techniques for both user-space and kernel-space rootkits using unique and poorly understood or documented Mac OS X and Mach features.

Macsploitation with Metasploit

While Metasploit has had a number of Mac exploits for several years, the exploit payloads available have done little more than give a remote shell. These payloads are significantly simpler than the DLL-injection based payloads for Windows-based targets like the Meterpreter and VNC Inject payloads. This talk will cover the development and use of the fancier Metasploit Mac payloads developed by Dino Dai Zovi (the presenter) and Charlie Miller, including bundle injection, iSight photo capture, and Macterpreter.
Here is Dino's bio from the site:
Dino Dai Zovi
Endgame Systems

Dino Dai Zovi has been working in information security for over 9 years with experience in red teaming, penetration testing, and software security assessments at Sandia National Laboratories, @stake, and Matasano Security. Mr. Dai Zovi is also a regular speaker at information security conferences including presentations of his research on MacOS X security, hardware virtualization assisted rootkits using Intel VT-x, 802.11 wireless client security, and offensive security techniques at BlackHat USA, Microsoft BlueHat, CanSecWest, the USENIX Workshop on Offensive Technology, and DEFCON. He is a co-author of "The Mac Hacker's Handbook" (Wiley 2008) and "The Art of Software Security Testing" (Addison-Wesley Professional 2006). He is perhaps best known in the information security and Mac communities for discovering the vulnerability and writing the exploit to win the first PWN2OWN contest at CanSecWest 2007.
Also featured is a talk by Kostya Kortchinsky on how to use breakout vulnerabilites in VMWare virtualization software for Mac to hack into the host machine. And that's bad. Kostya works in France and is infamous for being first to exploit announced Microsoft vulnerabilities.

Some other somewhat Mac relevant subjects that will be presented:
  • BitTorrent Hacks - Michael Brooks and David Aslanian
  • Reversing and Exploiting and Apple® Firmware Update [for an Apple aluminum keyboard] - K. Chen
And of course an array of new PHP and SQL vulnerability hacks. What, no Microsoft exploits? There's no fooling you! Of course there are! And let's not forget exploitation of ye olde Intel® BIOS, Oracle, parking meters, iPhones, routers, and the US federal government. Included is an in depth discussion of the Windows worm of the year, Conficker. The favorite subject this year appears to be rootkits. The Pwnie Awards will be announced July 29th. There's fun for everyone.
--

Monday, July 6, 2009

Quickie Reviews of ClamXav, iAntiVirus and MacScan

--
Recently, I've been testing the free anti-malware options for Mac. At the moment, none of them are perfect. But there is progress! Below are posts I made this week over at the VersionTracker.com sites regarding iAntiVirus, ClamXav and MacScan:

I) MacScan Is Unreliable:
I've tested MacScan several times over the course of several versions. The results are consistently flaky. It is impossible to get it to detect items reliably. Instead you have to run it over and over and over and over to get the thing to pick up everything.

For some purposes, like detecting the full raft of 'legal' Mac Spyware and Tracking Cookies, this is the only show in town. But OMG does it suck. IMHO MacScan requires an entire rewrite in order get a rating better than one star. The developers have done some nice things like providing some sort-of working removal tools for current Trojans. So they aren't evil. They're just lousy programmers.
II) iAntiVirus Is Basic, Not Perfect, Mostly Works:
Keep in mind that this thing is FREE:

Despite some outright dishonest flame reviews of iAntiVirus here at VT, it actually does work, mostly. I let it loose on a folder full of Trojans a friend shared with me and it successfully found MOST of them:

Trojan.OSX.RSPlug.C, D & F
Trojan.OSX.iServices.A & B

Problems:
1) It did NOT find Trojan.OSX.RSPlug.E, of which I had a number of copies in my folder-full-of-Trojans. That is upsetting.
2) It also uses wrong names for the iServices Trojans. But sadly, despite a clear naming convention for malware, hardly anyone bothers, which is of course pathetic.
3) The app only gives you two choices when it finds malware: Either remove the malware or nothing. There is no sophistication to this app whatsoever.

Maybe the 'Pro' version is way better. I don't know. The PC Tools website certainly 'claims' iAntiVirus detects all the current Mac malware. Judging from the free version, it only finds some Mac malware. Maybe I'll test the Pro version some time.

In the meantime, I own Intego VirusBarrier, which frankly is the ONLY anti-malware app for Macs I can recommend. It works great, detects everything, is updated daily, is entirely reliable, is never a CPU hog, and has all the bells and whistles you could want.

If you want to stick with free stuff, the best idea is to use BOTH iAntiVirus AND ClamXav. Between the two of them you're probably just fine. This is thanks to the fact that the excellent author of ClamXav went out of his way to convince the ClamAV project to accept contemporary Mac malware sample definitions. *Applause*
Addendum: I should note that iAntiVirus also fails to detect RSPlug.I and .L.

III) ClamXav: Progress! But Still Waiting For Full Mac Malware Detection:
Recently, ClamXav developer Mark Allen went out of his way to convince the ClamAV project to accept contemporary Mac malware samples for definition integration. *Applause*

However, my testing today shows only partial progress from the ClamAV project.

MY TEST: A friend provided me with a large collection of recent Mac Trojan horses including all the iServices and RSPlug malware. There were 18 samples in all. I used them as my testing ground.

RESULTS: ClamXav, via the latest engine and definitions of ClamAV, found 10 of them and successfully put them into my quarantine folder.

As my control, I used Intego VirusBarrier, latest version with current definitions. It found all but one of the malware. (The undetected malware was a .pkg with the payload inside a .bom file).

What ClamXav, via ClamAV, didn't detect:
DMG files containing:
RSPlug.D
RSPlug.E
RSPlug.F
RSPlug.I
RSPlug.L

I'm testing iAntiVirus, (runs on Mac OS X Leopard only). But it too is unable to detect RSPlug.E [as well as .I and .L].

CONCLUSIONS:

1) ClamXav is the best of the free anti-malware application options. But the ClamAV database of current Mac malware is still not completely up to date. However, it is far better than it was a couple months ago thanks to Mark Allen's work.

2) Even with the combination of ClamXav and iAntiVirus, it is still possible to have a current Mac Trojan sneak by. But then again, Intego VirusBarrier missed one as well, possibly due to the way the Trojan was packaged.

A high quality paid anti-malware application remains the best way to go for professional use. But for casual use, ClamXav is the best, despite remaining ClamAV deficiencies. I would combine it with iAntiVirus as well if you are running Mac OS X Leopard.
--