Wednesday, December 8, 2010

QuickTime v7.6.9 Update
For 10.5.8 & Windows

~~
On December 7, 2010 Apple released QuickTime version 7.6.9 for Mac OS X 10.5.8 and Windows XP, Vista and 7. No update is required for Mac OS X 10.6.8 users. It contains 15 security patches, some for both Windows and Mac OS X, and a couple that are Windows only. As usual, most of these vulnerabilities are due to memory overflow programming errors. You can read about the security patches at:

About the security content of QuickTime 7.6.9

I'm a bit concerned at the moment that Apple have this update listed as being for only Windows. This is INCORRECT. Hopefully Apple will correct their error today. Most likely they will add a separate listing for the Mac OS X 10.5.8 version.

According to Apple:

QuickTime is incorporated into Mac OS X v10.6 and later.
QuickTime 7.6.9 is not presented to systems running
Mac OS X v10.6 or later.
I double-checked and verified that all of these CVE issues have already been patched in 10.6.8. Therefore, be certain that your installation of Snow Leopard is up-to-date.

If you've read my previous posts you know that Apple's QuickTime is the very least secure of Apple's software. A great deal of the problem has to do with JavaScript/ECMAScript Hell, as I call it. As usual, I consider JavaScript to be the bane of the Internet and wish it would be entirely scrapped and replaced with a secure scripting language. Read back in my posts if you're interested in my rants about why JavaScript is a catastrophe.

Below is a quick summary of the security holes patched in QuickTime v7.6.9. Click on the CVE numbers for further details.

Common Vulnerabilities and Exposures IDs Patched:

CVE-2010-3787 - Heap-based buffer overflow in QuickTime in Apple Mac OS X 10.6.x before 10.6.5 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted JP2 image.

CVE-2010-3788 - QuickTime in Apple Mac OS X 10.6.x before 10.6.5 accesses uninitialized memory locations during processing of JP2 image data, which allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted JP2 file.

CVE-2010-3789 - QuickTime in Apple Mac OS X 10.6.x before 10.6.5 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted AVI file.

CVE-2010-3790 - QuickTime in Apple Mac OS X 10.6.x before 10.6.5 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted movie file.

CVE-2010-3791 - Buffer overflow in QuickTime in Apple Mac OS X 10.6.x before 10.6.5 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted MPEG movie file.

CVE-2010-3792 - Integer signedness error in QuickTime in Apple Mac OS X 10.6.x before 10.6.5 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted MPEG movie file.

CVE-2010-3793 - QuickTime in Apple Mac OS X 10.6.x before 10.6.5 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted Sorenson movie file.

CVE-2010-3794 - QuickTime in Apple Mac OS X 10.6.x before 10.6.5 accesses uninitialized memory locations during processing of FlashPix image data, which allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted FlashPix file.

CVE-2010-3795 - QuickTime in Apple Mac OS X 10.6.x before 10.6.5 accesses uninitialized memory locations during processing of GIF image data, which allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted GIF file.

CVE-2010-3800 - Viewing a maliciously crafted PICT file may lead to an unexpected application termination or arbitrary code execution.

CVE-2010-3801 - Viewing a maliciously crafted FlashPix image may lead to an unexpected application termination or arbitrary code execution.

CVE-2010-3802 - Viewing a maliciously crafted QTVR movie file may lead to an unexpected application termination or arbitrary code execution.

CVE-2010-1508 - Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. Windows only.

CVE-2010-0530 - A local user may have access to sensitive information. Windows only.

CVE-2010-4009 - Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution.

Note: Not all of the CVE numbers have been listed at the National Vulnerability Database. Therefore, I instead provided links to their references at the Common Vulnerabilities and Exposures site. Check back at the CVE site as these CVEs progress beyond 'candidate' status.

Share and Enjoy!

:-D
~~

Sunday, November 28, 2010

Mac Security Status Report,
Part I

--
Introduction:

As a non-expert at computer security, it's a bit silly to believe I can provide any comprehensive report of current Mac security. However, I don't see anyone else bothering. Instead I see a variety of niche groups and niche skill sets involved with Mac Security but not pulling the pieces together. I also hear incessant vacuous FUD attacks from frustrated sources who wish Mac OS X was even remotely as unsafe as Windows blatantly is. It's plain old propaganda, not unlike the worthless political rhetoric in the media attempting to divide people through the promotion of fiction and fear. :-P

Therefore, I'm not going to worry about the areas in which I lack insight. Instead I'm going to take a stab at it and do what I do best: Examine the overall system of Mac security, provide some relevant details, then offer my summary and conclusions. Never rely on only one source of information about anything. Lord help anyone who uses Fox News as their sole political information source. Equally, lord help anyone who uses my work as their sole Mac security information source.

I) A Critical Mac Problem, Inadvertently Provided Via My Pet Troll:


The IT Ignorance Factor

Every source of difficult information has its trolls. It's difficult for Windows users to face Mac OS X security facts. Mac OS X is the #3 safest operating system available. The two better operating systems are OpenBSD and FreeBSD. It is no coincidence that Mac OS X is built upon an Open Source foundation that is based in part on pieces of both OpenBSD and FreeBSD.

This upsets my pet troll very much and makes him angry. This month he calls himself 'Tom' the troll. He is an anonymous coward reader of the blog, unwilling to let anyone know who he is or his stake in propagandizing Windows over Mac. It's all entirely dull and predictable to me. Occasionally my pet troll attempts to post FUD commentaries into my blog. I take a look at them, laugh a while, then step back and consider what pieces of his dishonest propagandist point of view could be useful to me. This time he wanted me to listen to the 'woe is we' rantings of one Roger Grimes, a Windows apologist and security analyst paid by Microsoft. You can listen to this fellow yourself at:

SecureABit.com

Scroll down to episode #67 of their podcast. Most of the dull program includes commentary from Mr. Grimes.

This fellow pulls the usual pro-Microsoft, anti-Apple myth mongering and propagandist garbage. What is unique in my experience is his defeatist attitude regarding computer security. He says essentially that we're all screwed no matter what, but OpenBSD is the best we've got for operating systems, but darn it's too difficult to use for mere mortals, so use Windows. (o_0) Oh that makes (no) sense! He then tosses out 'The Grimes Corollary' that restates the 'Security Through Obscurity' myth. Been there, killed that, yawned.

However, I was able to pull out of Mr. Grimes' rants one useful comment. It is this: Enterprise IT technologists don't adequately, or in a timely manner, patch the computers under their care. They also allow their users to use simplistic passwords that are easily cracked. This is most particularly evident on Enterprise Mac computers. The reason why is simple: Enterprise IT technologists rarely bother to learn Mac security or enforce it. Therefore, Mr. Grimes tells his tale of enjoying visiting businesses that integrate Macs because so commonly the machines are not up-to-date with security patches and are using easily guessed passwords. I would assume he uses a dictionary attack program against them, which these days is extremely fast and effective. He also keeps track of all the reported Mac vulnerabilities and uses them against unpatched machines.

So here we have Macs, the safest GUI OS based computers available, being easily cracked via very basic techniques that anyone's granny could use. This is shameful. Mr. Grimes would like to blame the users for this state of affairs. But of course it is the IT technologists and the IT managers who are entirely to blame. Never, ever, expect a business user to be any kind of technology security expert. To do so is to literally invite into your business The LUSER Factor. I've covered this issue many times in the past. It is the main reason why Mac OS X has any malware at all and is the reason that nearly all Mac OS X malware are Trojan horses.

There is more going on in the Enterprise than just problems of 'the user', or what's 'between the chair and the keyboard'. In business the computer is a tool, and the tool master is the IT expert in charge of that tool. This leads me to create another descriptive phrase that I call The IT Ignorance Factor. This problem occurs due to a multitude of factors. I'll toss out a few of them:

A) The business does not provide adequate time and resources for adequate computer maintenance. IT people often pull out their hair trying to get biznizz types to comprehend technology. But the fact remains that not keeping computers maintained means directly damaging the company. There are multitudes of tales of woe. Here is one from today concerning the shockingly computer-ignorant US federal government:

US embassy cables leak sparks global diplomatic crisis

If the government's IT 'experts' had been on the ball, this could not have happened. I strongly suspect that they were kept off the ball with the help of bad management. This is when IT technologists must become educators and stop the 'boss' from being an 'ass'.

B) Laziness. Clearly most IT technologists live in the Windows world. Why bother to learn that other platform if they don't have to? You've heard this illogic before.

C) Fear. It sounds odd, but many IT technologists have trouble enough dealing with Windows hell. They're scared to get involved with another platform, making things even more complicated, or so they illogically believe.

D) Arrogance. Most Mac users have met the know-it-all geek who is a gawd of Windows and sneers at Macs. Then of course when someone defends the Mac these stick-up-their-ass bozoids accuse Mac users of going all 'religious' or counter 'arrogant', ad nauseam.... Therefore, of course such creatures are not going to bother to learn or apply proper Mac security methods.

There are of course more excuses and failings involved. Post your faves in the comments if you like.


Thus ends Part I. Further parts of my Mac Security Status of 2010 will include a summary of all the current active Mac malware, a summary of the consistent types of security vulnerabilities in Mac OS X, and a summary of the non-Apple security threats against Mac OS X. I'll be covering the Koobface/Boonana worm, the 'Evercookie' technique and how to combat it, as well as further coverage of the ongoing foolish attempt by the US federal government to backdoor every computer data encryption method.
--

Wednesday, November 17, 2010

Adobe CRITICAL Security Update
Of The Month Club

--
And now for something useful:

Adobe have posted their promised CRITICAL "out-of-band" security updates for Adobe Acrobat and Adobe Reader. The new versions are 9.4.1. If you use either of these applications, get the security updates now. Proof-of-concept exploits for the previous versions have been available for weeks.

You can read about the CRITICAL security updates here:

Security updates available for Adobe Reader and Acrobat

The direct download URLs, to save you from suffering Adobe's lunatic website:

Adobe Acrobat 9.4.1 Pro update

Adobe Reader 9.4.1 update - PPC

Adobe Reader 9.4.1 update - Intel

See you back here next month for the latest in "out-of-band" CRITICAL Adobe security updates!

Stay safe, stay secure, laugh at the FUD.
--

Hilarious Anti-Apple Security FUD Attack! By eWeek!

--
Lots going on this week, with me gathering up news from all corners. But when I see something as hilarious as this, I have to post it ASAP. It's one of the infamous slide show articles over at eWeek. What is hilarious is that it says nothing that wasn't shouted to the rafters in 2005 by Symantec when they were trying to prop up their worst-in-class anti-malware application for Mac OS X. What I am posting here is verbatim. I did NOT add any capitals. The SHOUTING is all theirs:

Security: Mac Malware Attacks Prompt Security Vendors to Rush Out Antivirus Tools
By Fahmida Y. Rashid on 2010-11-12
SECURITY VENDORS ARE SAYING THAT ATTACKS ON THE MAC ARE NOW SIGNIFICANT ENOUGH THAT APPLE USERS SHOULD INVEST IN ANTIVIRUS SOFTWARE FOR WHAT WAS ONCE THE "INVULNERABLE" PLATFORM. WITH KOOBFACE VARIANT BOONANA FRESH IN PEOPLE'S MINDS, THE CONCEPT OF A VIRUS ATTACKING MACS SEEMS LESS LAUGHABLE THAN IT DID EVEN TWO YEARS AGO. "MAC USERS MUST REMEMBER THAT LESS TARGETED IS NOT THE SAME AS INVULNERABLE," SAID RICHARD WANG, MANAGER OF SOPHOSLABS. THE THREAT IS STILL NOT THAT PREVALENT, WITH ONLY "ONE TO TWO" ATTACKS ON MACS EACH WEEK, COMPARED WITH THE "TENS OF THOUSANDS" PER DAY AGAINST WINDOWS PCS. MAC OS X HAS ONLY 10.6 PERCENT MARKET SHARE IN THE UNITED STATES, ACCORDING TO IDC AND GARTNER, BUT THE DAY HACKERS WILL FIND THE PLATFORM WORTH TARGETING IS NOT FAR OFF, VENDORS SAID. MAC ANTIVIRUS SOFTWARE IS NOT NEW, BUT IT USED TO HAVE A BAD REPUTATION FOR BEING RESOURCE-HUNGRY AND INCONVENIENT. THAT'S SOON TO CHANGE AS VENDORS RELEASE NEW MAC ANTIVIRUS TOOLS THAT ARE QUITE UNOBTRUSIVE. HERE ARE SOME OF THEM...
OMFG! MAC USERS ARE ALL GONNA DIE!

My usual point: NEVER has anyone but trolls said Mac OS X was "invulnerable" or anything similar. It's a propaganda trick: Make up a nasty, indicting quote with no attribution provided. Yes, Fahmida Y. Rashid of eWeek and Richard Wang of Sophos are acting like assholes. But this trick has been pulled countless times. Therefore, they're acting like unoriginal assholes. Just laugh.

I could do my usual lecture about the insane nature of the 'Security Through Obscurity' myth. If you care, go back a few years in my posts. Just know that Windows has over 1000x more malware than Mac OS X on a per user basis, which blows the stupid myth off the planet. Such silliness. But that's what happens when Marketing Morons get desperate to sell Sell SELL!
--

Wednesday, November 10, 2010

Firesheep Wi-Fi Warz

--
The Sheeple Are Burning

On October 25 a hacker tool was released for Firefox in the form of an add-on called Firesheep. It is extremely easy to install and use on the Mac, Linux and Windows versions of Firefox. (I will not provide the link. Sorry.) It allows casual Firefox web browser users to spy on and doppelganger anyone who is connected to the Internet via a shared, open Wi-Fi connection. Simply connect your computer to the same open Wi-Fi connection and commence surveillance and identity theft.

It performs its dirty deeds by co-opting the cookies being sent in the clear from any victim's computer. It is not a thorough form of identity theft, but it is adequate while the hacker's computer remains within that open Wi-Fi connection. IDs and passwords are typically not sent in the clear. However, the Firesheep add-on is able to copy out of the air the cookies any user is sending to any website. The contents of the cookies may remain completely incomprehensible to the hacker. All that is required to literally "BE" the intercepted victim is the contents of that cookie. This means the hacker can access any active website connections and fake being that person through the use of their intercepted cookies. The hacker can do ANYTHING on those websites AS the victim. If at any point the website asks for password verification, such as when buying items from Amazon.com, the hacker is thwarted. Their identity theft stops dead at that point. However, anything else goes. This can create incredible havoc on the Internet.

At the point in time of this article being posted, well over HALF A MILLION PEOPLE have downloaded Firesheep. That essentially says it is becoming universal, endangering ALL unencrypted Wi-Fi connections to the Internet. And that was the purpose of creating and providing this add-on to the entire computer community.

The creator of this hacker tool is a Black Hat, which is to say that he bulldozes improvements in computer security by providing the means of exploiting a security hole to the world at large without any prior warning to anyone. To use a very mild metaphor, it is the equivalent of 'Tough Love' for computer users and software developers. In this case the desired effect is to lock up ALL Wi-Fi connections via encryption, ending forever open Wi-Fi connections.

There are two cures for this dilemma:

1) All websites must provide SSL encrypted connections at all times, not simply when a user logs in. This means that all websites would stop using merely HTTP connections and instead use only HTTPS connections between themselves and their users. This adds some minor overhead burdens but is entirely feasible. How long it will take the entire World Wide Web to catch up is the big question. The hope is that it will be immediate. But we're dealing with humanity here, therefore...

2) All Wi-Fi connections must require WPA account encryption. This means that all users of an 'open' Wi-Fi connection site must have and use a password in order to access the Wi-Fi hub. Surprisingly, this is an incredibly simple thing to do with nearly all modern routers. (Older routers that only use WEP encryption are SOL). Everyone making a connection to the router can use the exact same password! Routers know the MAC address of every device that connects to them. This allows them to keep each and every connection entirely separate. The fact that each connection uses the same password provides almost perfect separation of users while providing unbreakable (at this time anyway) encryption.

Here's how #2 cure would work at Starbucks: A simple sign is provided at the counter that says something to the effect of "To access Starbucks' Wi-Fi connection, please use the password 'starbucks'." That's it! Simple.
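The cookie mechanism described above, together with cure #1 (HTTPS at all times), in an added example that is not part of the original post and is not Firesheep's or any website's code: a small Python audit of Set-Cookie headers. The two HTTP responses and the cookie names are constructed for this example, and the session-cookie name heuristic is an assumption of the example. It shows why a site that uses HTTPS only for the login page still leaks the session: a browser attaches every cookie that is not marked Secure to plain-HTTP requests as well, so the fix on the website's side is to mark session cookies Secure (and HttpOnly) and to serve every page over HTTPS.

```python
# Added example (not from the original post): audit Set-Cookie headers for
# the weakness Firesheep exploits. A browser attaches every cookie that is
# not marked "Secure" to plain-HTTP requests too, so a session cookie set
# without that flag crosses an open Wi-Fi link in the clear even when the
# login itself happened over HTTPS. Both responses below are constructed.
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample: login over HTTPS, but the session cookie lacks Secure,
# so the next plain-HTTP page view sends it in the clear.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: sessionid=7d3f0c9a2b; Path=/\r\n"
    "Set-Cookie: lang=en; Path=/\r\n"
    "\r\n"
    "<html>welcome back</html>"
)

# Constructed sample: the same session with the flags cure #1 calls for.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: sessionid=7d3f0c9a2b; Path=/; Secure; HttpOnly\r\n"
    "Set-Cookie: lang=en; Path=/\r\n"
    "\r\n"
    "<html>welcome back</html>"
)


@dataclass
class Cookie:
    name: str
    value: str
    attrs: Dict[str, str] = field(default_factory=dict)  # attribute names lower-cased

    def has(self, attr: str) -> bool:
        return attr.lower() in self.attrs


def parse_set_cookie(header_value: str) -> Cookie:
    """Parse one Set-Cookie value of the form 'name=value; Attr; Attr=val'."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return Cookie(name.strip(), value.strip(), attrs)


def cookies_from_response(raw: str) -> List[Cookie]:
    """Collect every Set-Cookie header from a raw HTTP response."""
    head = raw.partition("\r\n\r\n")[0]
    found: List[Cookie] = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        hname, _, hval = line.partition(":")
        if hname.strip().lower() == "set-cookie":
            found.append(parse_set_cookie(hval.strip()))
    return found


def cookies_sent_over(cookies: List[Cookie], scheme: str) -> List[str]:
    """Names a browser would attach to a request with this URL scheme.

    Mirrors the Secure rule: a Secure cookie travels only over https;
    everything else is sent over http as well, where a sniffer reads it.
    """
    return [c.name for c in cookies if scheme == "https" or not c.has("secure")]


# Assumption of this example: a cookie whose name carries one of these hints
# is treated as a session cookie worth flagging.
SESSION_HINTS = ("sess", "sid", "auth", "token", "login")


def looks_like_session_cookie(name: str) -> bool:
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_HINTS)


def audit(raw_response: str, served_over_https: bool) -> List[str]:
    """Return findings for session cookies; an empty list means nothing to report."""
    findings: List[str] = []
    for c in cookies_from_response(raw_response):
        if not looks_like_session_cookie(c.name):
            continue
        if not served_over_https:
            findings.append(f"{c.name}: issued over plain HTTP, already exposed on the wire")
        if not c.has("secure"):
            findings.append(f"{c.name}: missing Secure, will be sent over plain HTTP too")
        if not c.has("httponly"):
            findings.append(f"{c.name}: missing HttpOnly, readable by page scripts")
    return findings


if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, "->", audit(raw, served_over_https=True) or ["ok"])
        print("  sent over http:", cookies_sent_over(cookies_from_response(raw), "http"))
```

Run as-is and the weak response reports the session cookie twice (no Secure, no HttpOnly) and shows `sessionid` among the cookies a browser would send over plain http; the hardened response reports nothing and only `lang` leaves over http. Pointing `cookies_from_response` at a real captured response is all it takes to check a site you care about.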

Since Firesheep was let loose for the average computer user, there have been plenty of happy stories of users speaking to the manager of shops that provide free Wi-Fi and asking them to turn on WPA account encryption. For anyone familiar with setting up Wi-Fi routers, turning on WPA is trivial. The shop managers have been happily changing their router setup and killing off the Firesheep threat. I strongly suggest that you do the same EVERYWHERE you go with your Wi-Fi device.

WEP encryption, unfortunately, was created in haste and provides NO SECURITY. It is trivial for hackers to obtain tools that can break into WEP encryption within less than a minute. It is expected, in fact, that future versions of Firesheep or similar hacker tools will include a WEP cracking tool.


The Next Best Thing To A Cure


I knew further shoes were going to drop regarding this subject. I just found out this evening that a helper tool has been provided by Zscaler that can warn you when there is a Firesheep user prowling around in an open Wi-Fi connection. Once again it is a Firefox add-on. Its name is Blacksheep. (Why black? Read back in the article about Black Hat hackers.)

Below is a quote from our pals at the SANS Institute from SANS NewsBites Vol. 12 Num. 89:
--Firefox Extension Warns users When Others are Using FireSheep (November 8, 2010)
Researchers have released an extension for Firefox that detects when computers on a local area network are using FireSheep, a tool that steals unencrypted cookies from websites. Called BlackSheep, the extension alerts users by displaying a message telling them that someone is using FireSheep and providing the LAN IP address of the FireSheep user. FireSheep was created and released to draw attention to the lack of encryption for session cookies on many popular websites.
http://www.theregister.co.uk/2010/11/08/firesheep_detection_tool/
[Editor's Note (Northcutt): Interesting, dueling plug-ins. For the moment this is quite limited as you can install FireSheep and BlackSheep on the same computer only if you use different Firefox profiles. The duel would be over unencrypted LANs:
http://www.zscaler.com/blacksheep.html ]
The Blacksheep add-on page provides instructions and a video showing it in action.

Also of interest: Microsoft, Intego and other anti-malware providers have added Firesheep to their list of detected 'malware'. This is IMHO a weak move as Firesheep is NOT malware. It is a hacker tool that requires deliberate installation by the hacker and has no user-based malware behavior whatsoever. However, parents or employers would be interested to know about the hacker behavior of their children or employees.

Do NOT consider Blacksheep to be any kind of cure! It is merely a defensive tool when you're STUCK at an unencrypted Wi-Fi spot, such as the Airport or wherever they are too clueless to turn on WPA encryption, or they don't know how, or they're stuck with worthless WEP encryption on their router. Do NOT consider Blacksheep to be thorough defense! It is not. I personally would only use it out of desperation.

The best defenses against having your cookies stolen and your ID doppelgangered when you're STUCK in an open Wi-Fi spot are to:

1) Never log into anywhere that does not provide end-to-end HTTPS/SSL encryption. An example would be Google's GMail. You can't turn off HTTPS at the GMail site if you try! That's the way it should be everywhere.

2) Remember that eMail provides NO SECURITY apart from possibly an SSL connection to and from your eMail server. Otherwise, everything you email is in the clear for anyone to read. These days I think of some dorky, bored CIA/NEA/FBI human intercepting everything I email and reading it. I even write them little notes from time to time to set off their keyword alarms just to wake them up. Unconstitutional as it is to invade any US citizen's privacy, the Bush League set the precedent for breaking the law anyway, and sadly the Obama administration is goose stepping right along to the same deranged tune. I have further rants on such subjects at my zunipus blog.

The safest thing to do when you're STUCK at an open Wi-Fi spot is to merely browse happy, smiley, shiny websites for fun, not for work, not for financial interactions, not anywhere a hacker could steal your identity. With Firesheep they are you anywhere you go on the web.

Stay safe kids! And watch out for sheep.

;-Derek
--

Smartphone Bank App Security Problems

--
The benefit of Apple having a closed App Store is their scrutiny of all applications submitted. This has helped maintain a superior security record for the iPhone versus any Android phone. However, a big hole in Apple's vetting system has become evident whereby all smartphone users have been put in danger by poorly designed and coded banking applications. Thank you to the SANS Institute for bringing this issue to my attention in SANS NewsBites Vol. 12 Num. 89:
--Security Flaws in Smartphone Banking Apps (November 5, 2010)
Researchers have found that several banking applications for Android and iPhone contain security flaws that store account information in plaintext. Attackers could potentially steal sensitive data by luring users to maliciously crafted websites designed to find the information. Of the seven applications inspected in the study, just one, from the Vanguard Group, did not store information in plaintext. The institutions were notified of the problems and reportedly have taken steps to fix the flaws.

http://www.wired.com/threatlevel/2010/11/bank-apps-for-phones/
http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?articleID=228200291
[Editor's Note (Pescatore): The Android phone world seems to be trying to compete with the iPhone by saying "Droid does anything - no restrictive App Store." The reality is that the Apple iPhone could actually compete by making the bar a bit higher for iPhone apps, to make sure that the apps don't do silly things like storing account info or passwords in the clear on the phone. I think users are very comfortable with "only" having 20 Tetris games to choose from if they know that none of the 20 are going to send their information to identity thieves.]
Dear Apple,

Please vet submitted Apps more thoroughly for security flaws. Much appreciated!

Dear Google,

'Anything goes' does not trump application security.
--

Friday, November 5, 2010

Evercookie,
Koobface boonana worm Trojan,
Firesheep and MORE!
Oh My

--
There are four ongoing scary security monsters threatening ALL the popular computer platforms this month. By that I mean they affect Mac, Linux and Windows. At the moment, there is nothing dire or critical about them. But each of them is nasty in its own way.

I've been holding off tackling each of them in order to gather day-by-day new information and to wait for 'the other shoe' to drop from each of them. I expect they're all going to be annoying aspects of our computer lives for quite some time to come. I'll be devoting an article to each of them individually. But first I want to introduce you to our gang of circus animals:

I) A round of applause for the Black Hat creation known as the EVERCOOKIE. Essentially, it is a collective set of methods for spying on your web browser behavior, able to renew itself despite actions you take to prevent it. Stopping this monster can be annoying and complicated. I'll discuss the currently known tricks.

II) Next up in circus ring number 2 is the latest in Java insecurity. As per usual, the utterly chaotic computer security community can't agree upon a name for the thing. Having reviewed the data, I am going with the name Intego are using: Koobface. Because of its various activities, it can be called a worm, a Trojan horse, a root kit, a back door AND a bot. Because its primary interface to the user (or 'LUSER' in this case) is as a Trojan horse, I am unofficially going to refer to it as Trojan.OSX.Koobface.A. Apparently a second version has just been discovered, which I will call Trojan.OSX.Koobface.B. Meanwhile, you are bound to see the exact same thing also called the 'Boonana' Trojan. (o_0)

III) In the third ring of our circus of naughtiness is Firesheep, the Black Hat extension for Firefox that simplifies the long standing ability to spy on and doppelganger anyone connected within the same unencrypted WiFi connection. It's not just for hackers any more! This one piece of software has sparked an Internet encryption revolution, or so I'd like to believe.

IV) But wait! That's not all! Get a load of the latest idiotic idea from The Corporate Oligarchy! They want government access to ALL things encrypted. Say goodbye to Internet privacy! George Orwell's '1984' Big Brother has arrived and you're going to want to kick him in the balls! Anti-privacy efforts have become that invasive and deviant. The control freaks are out to run our lives.
(>_<) ACK!

So hang onto your propeller beanies while, during the next few days, I cover each of these gnarly subjects relevant to the future of Macintosh computer security.

Oh fracking my!
--

Thursday, November 4, 2010

Adobe Flash Player 10.1.102.64 CRITICAL Update

--
THIS MONTH'S critical Adobe Flash Player update for Mac OS X is available a few days ahead of schedule. Thank you Adobe! It patches 18 security holes.

Security update available for Adobe Flash Player
Critical vulnerabilities have been identified in Adobe Flash Player 10.1.85.3 and earlier versions for Windows, Macintosh, Linux, and Solaris, and Adobe Flash Player 10.1.95.1 for Android. These vulnerabilities, including CVE-2010-3654 referenced in Security Advisory APSA10-05, could cause the application to crash and could potentially allow an attacker to take control of the affected system.

Adobe recommends users of Adobe Flash Player 10.1.85.3 and earlier versions for Windows, Macintosh, Linux, and Solaris update to Adobe Flash Player 10.1.102.64. We expect to make available an update for Flash Player 10.x for Android by November 9, 2010. . .
The download link is HERE.

NOTE: We're still waiting for CRITICAL security updates for Adobe Reader 9.4 and Adobe Acrobat 9.4. You can read details about the ongoing security problems HERE.
--

Friday, October 29, 2010

Adobe Flash, Reader and Acrobat
CRITICAL Security Hole
Of The Month Club

--
Another month, another Adobe software security hole exploit. If you still use Flash, pay attention! This security hole is currently being exploited In-The-Wild.

Affected:

-> Adobe Flash Player 10.1.85.3 and earlier

-> Adobe Reader 9.4 and earlier 9.x versions

-> Adobe Acrobat 9.4 and earlier 9.x versions

Hackers exploit newest Flash zero-day bug
Those reports came from Mila Parkour, an independent security researcher who notified Adobe early today after spotting and then analyzing a malicious PDF file. According to Parkour, the rigged PDF document exploits the Flash bug in Reader, then drops a Trojan horse and other malware on the victimized machine.
Security Advisory for Adobe Flash Player, Adobe Reader and Acrobat

This issue is described in CVE-2010-3654.

Adobe provide a workaround in their 'Security Advisory' article linked above. They have promised to fix the security hole by November 9th.

Darn, Adobe blew their quarterly update schedule yet again. Can you comprehend why Adobe still believe in 'scheduled' security updates?
(o_0)

Thursday, October 28, 2010

Firefox v3.6.12 Released <- Important security patch

--
Just gotta love the Mozilla developers! Within A DAY Firefox has been updated to repair a nasty JavaScript security hole being exploited out In-The-Wild. So go grab the thing and update NOW:

Firefox v3.6.12 (English, US)

Thank you Mozilla!
--

Wednesday, October 27, 2010

Firefox v3.5 & v3.6 Zero-Day Exploit:
JavaScript Hell

--
An active zero-day exploit of Firefox versions 3.5 and 3.6 has been found In-The-Wild. (The current version of Firefox is v3.6.11). Specifically, the Nobel Peace Prize website injects malware into victim computers via a newly discovered Firefox security hole. So far, the malware being injected is the Windows-only Trojan horse Belmoo-A. However, the injected malware could just as easily be any of the current Mac OS X Trojans.

Note of course that Trojan horses are inert until a 'LUSER' runs and installs them, providing it with their computer's Administrator password.

Firefox are aware of the situation and are working on a patch. In the meantime, they recommend the workaround of disabling JavaScript (aka ECMAScript), or installing and using the Firefox add-on NoScript. I use NoScript. I love it! I never leave my homepage without it.

As per usual, JavaScript is the bane of the Internet. However, Java isn't faring too well either, much to everyone's dismay. I'll be writing about Java's security ills early next month.
--

Wednesday, October 13, 2010

U2 can B Incognito On The InterWebs!

--
I was just thinking of this today: InterWeb surveillance. Being not exactly friendly toward the "We Must Know ALL!" attitude of the US government and marketing morons, along with "The Customer Is CRIMINAL" attitude of the Corporate Oligarchy, I simply want to be left the frack alone to my personal privacy. No one ever has the right to 'watch' me. I don't deal with peeping pervs at my house, or over the InterTubes.

Therefore, I don't deal with Google collecting data on me wherever I go on the net. I've written about Tracking Cookies here on the blog and how to subvert them. But I get really tired of various websites still attempting to load Google Analytics.

Then I clicked over to Intego's Mac Security Blog this evening. (You'd think they'd pay me for all the PR I give them! ;-) To my synchronistic joy I found a great little article about a niffy kewl Safari extension that does ALL the Google blocking for me. It blocks FaceBook surveillance as well! And here it is:

INCOGNITO
Incognito is a Safari extension that prevents Google and Facebook from following you on the web.

It's a jungle out there
When browsing the web, you are continuously being tracked. Not only by the websites you are visiting, but also by major companies that embed their 'content' into other websites through ads and analytics.
As a result, companies like Google and Facebook have an almost complete picture of your online activity.

Your online counterspy
Incognito protects your privacy by blocking Google Adsense and Google Analytics on non-Google pages. In addition, it allows you to optionally block Facebook content on third-party websites as well as embedded YouTube movies outside of the YouTube website.

No ad-blocker
Although effectively blocking Google Adwords, Incognito is no dedicated ad-blocker. It simply prevents companies from gathering information outside of their own website.
It's FREE.

A similar tool for Firefox is Google Sharing.
The Firefox Addon for the GoogleSharing system. GoogleSharing ultimately aims to provide a level of anonymity that will prevent google from tracking your searches, movements, and what websites you visit.
It's also FREE.

BTW:
I also use Safari AdBlocker. And Safari Cookies. I also frequently use software from The Tor Project (formerly The Onion Project), including Vidalia and Tor Button for Firefox, which provides excellent proxy anonymity on the TubeWebs.

IOW: I am the boss of my Internet browsing, not the government, not Google, not the Red Hacker Alliance, not hacker/crackers, not Apple, not Microsoft, not the Neo-Con-Jobs, not nobody, not no how but ME. It is in keeping with my Positive Anarchy point of view. I make all the honest, responsible choices I wish to with total disregard for the extraneous interests of others. Control freaks: Go have an aneurysm over it. :-P

Speaking of which: Over at my MacSmarticles blog this coming month, I'm going to be providing lesson articles on how to set up and use Tor, via Vidalia and Tor Button for Firefox. Sorting out how to use tools is a huge PITA if you're not a computer geek. Therefore, I shall be translating the methods into human-speak for mere mortals. Because this is geek level technology, it's still a bit time consuming. But once you get the hang of the protocol and set it all up for the first time, it ain't no big deal.

You too can be 100% INCOGNITO on the Webnets!


~~~~~~~~~~~~~

MenInBlack
The Stranglers
© 1979

We're not here to destroy
We are here to employ

We have come to make you function
So we can eat at our functions

We are the meninblack ...

Information can destroy
So we'll treat you just like toys

Healthy livestock so we can eat
Human flesh is porky meat...

We are the meninblack...

We don't approve of artificial food
We grow you for our own good

First we gave you the wheel
Then we made you live to kill

So the best stock will survive
We eat you all alive

We are the meninblack ...
~~

Wednesday, October 6, 2010

October Adobe Security Updates:
Acrobat, Reader and AIR

--
Rather quietly, in keeping with Adobe's bad PR attitude, their latest 'CRITICAL' security updates have hit the net. Below are some direct links to help you past the clickity-click-click garbage you have to endure when going through Adobe's home page.

I) Adobe Acrobat Pro v9.4.0 update

IIa) Adobe Reader v9.4.0 update - multiple languages INTEL version

IIb) Adobe Reader v9.4.0 update - multiple languages PPC version

III) Adobe AIR v2.0.4.13090 update

And of course you've already installed Adobe Flash Player v10.1.0 update from two weeks ago, right?

What's been fixed?

Adobe Acrobat and Reader:
This vulnerability (CVE-2010-2883) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild.
--Quoting from CVE-2010-2883:
Stack-based buffer overflow in CoolType.dll in Adobe Reader and Acrobat 9.3.4 and earlier allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a PDF document with a long field in a Smart INdependent Glyphlets (SING) table in a TTF font, as exploited in the wild in September 2010. NOTE: some of these details are obtained from third party information.
Adobe AIR: Beats me! As of today, Adobe have provided NO release notes for AIR v2.0.4. Imagine my cynicism. When Adobe bother to provide release notes, they will appear HERE.

Can anyone spare Adobe an anvil? Mine's in for repair. ;-)

And now it's time for a laugh! Every month this summer Adobe have had 'CRITICAL' security flaws discovered and patched in Acrobat, Reader and Flash Player. There have also been two updates to Adobe Air. Despite this situation, Adobe still hold to the bizarro naive notion of 'quarterly updates'. Here is their message to the world regarding this situation, as of today:
Note that today’s updates represent an accelerated release of the quarterly security update originally scheduled for October 12, 2010. With this accelerated schedule, Adobe will not release additional updates for Adobe Reader and Acrobat on October 12, 2010. The next quarterly security updates for Adobe Reader and Acrobat are scheduled for February 8, 2011.
Right. So we'll all meet back here on February 8th. Sure. Everything will be safe and sound until then! Uh huh.

We know better. See you back here next month!
;-P
--

Tuesday, September 21, 2010

Adobe Flash Player Updated to v10.1.85.3

--
Adobe has successfully hidden from the public, apart from at their two security pages, the fact that a 'Critical' security update was posted to their website on Monday. The Adobe website simply says you're downloading version 10.1, same as last week, which is a worthless statement!

So, grumble, let me do their job for them and let you know that:

A) The current version of Adobe Flash Player for Mac that is up on the Adobe website IS indeed the promised updated version.

B) The previous version of 'Flash Player.plugin' was 10.1.82.76.

C) The new updated version you're installing is 10.1.85.3.

The inevitable rant:

Why this has to be a secret is beyond comprehension. I sniff the scent of some Marketing Moron at Adobe in the air who is attempting spin control by hiding the fact that Adobe has had to provide 'out of band' security updates to Adobe Flash Player EVERY MONTH THIS SUMMER. Sorry marketing kiddies, but facts are facts. You are directly damaging customers by hiding updates from them. This is why I call you Marketing Morons! Get it? Drop an anvil on your head, or whatever it takes, and turn yourselves into beneficial Marketing Mavens and HELP YOUR CUSTOMERS! Otherwise get out of the business and benefit the world by your absence.
--

Saturday, September 18, 2010

Adobe Flash Player Security Update:
Moved Up To Monday, September 20th

--
Adobe have announced that they've moved up the critical security update for Flash Player to Monday, September 20, 2010.

Be sure to grab the update ASAP as the security hole it patches (CVE-2010-2884) is being exploited in-the-wild on at least Windows boxes. So far no known exploit is being used on Mac OS X.

You can read Adobe's announcement here:

Schedule Update to Security Advisory for Adobe Flash Player (APSA 10-03)

Meanwhile, the critical security updates for Adobe Reader and Acrobat remain scheduled for the week of October 4, 2010.

--

Tuesday, September 14, 2010

NEWEST-New CRITICAL Adobe Security Holes
déjà vu déjà vu déjà vu...


--
Question: What is the point of 'in band' quarterly Adobe security updates when this stuff keeps repeating month after month after month?

SHORT VERSION:

Don't use Adobe Reader, Adobe Acrobat, or Adobe Flash until yet-another-nother set of 'out-of-band' security updates are available. Each of these applications has NEW security holes that are being exploited IN THE WILD.

[...Hysterical laughter is heard from some distant room...]

Temporary fix options:

A) PDF Viewing

Use Preview, provided with Mac OS X, for all PDF file reading.

Delete the Adobe PDF Viewer Internet plug-in. You will find it here:
/Library/Internet Plug-ins/AdobePDFViewer.plugin
Delete Adobe Reader 9. You will find it here:
/Library/Applications/Adobe Reader 9
B) Flash Playing

Control Flash in your web browser and/or delete Flash Player:

There are several options for taking control of Flash in your web browser. I personally use ClickToFlash for Safari and other WebKit browsers, as well as Flashblock for Firefox.

OR

Just delete Adobe Flash Player from your computer.

How to remove Adobe Flash Player:

Check to see if you have the 'uninstall_flash_player_osx.dmg' file and run it. It should be located here:
/Applications/Adobe Flash Player/uninstall_flash_player_osx.dmg
OR

You can find and remove the Flash web plug-in files here:
/Library/Internet Plug-Ins/Flash Player.plugin

/Library/Internet Plug-ins/flashplayer.xpt
After deleting Adobe Flash Player files, be sure to Quit then restart your web browsers in order to clean Flash Player out of memory.
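As an added example (my own script, not code from this blog or from Adobe), here is a POSIX shell script that ties together the version check from the September 21 post and the temporary-fix file list above: it reads CFBundleShortVersionString out of the Flash Player.plugin's Info.plist, compares it against the patched 10.1.85.3 the post names, and lists which of the plug-in files named above are present so you can review them before deleting anything. The file paths are the ones given in these posts; the PLUGIN_ROOT variable, the function names, and the assumption that the plug-in is a standard bundle with Contents/Info.plist are mine. The script only reports, it never deletes.

```shell
#!/bin/sh
# Added example, not from the original post or from Adobe.
# Checks the installed Flash plug-in version against the patched version the
# post names, and lists the Adobe plug-in files the post says to remove.

PLUGIN_ROOT="${PLUGIN_ROOT:-}"      # hypothetical override: prefix to inspect a copied tree; empty = live system
FIXED_FLASH_VERSION="10.1.85.3"    # patched version from the September 21 post

# Paths exactly as given in the post (no deletion is performed here).
FLASH_PLUGIN="/Library/Internet Plug-Ins/Flash Player.plugin"
FLASH_XPT="/Library/Internet Plug-ins/flashplayer.xpt"
PDF_PLUGIN="/Library/Internet Plug-ins/AdobePDFViewer.plugin"

# Extract CFBundleShortVersionString from an XML Info.plist using only tr and
# sed, so it also runs where `defaults` and PlistBuddy are unavailable.
# Prints nothing when the key is absent.
plist_version() {
    tr -d '\n\r' < "$1" |
      sed -n 's|.*<key>CFBundleShortVersionString</key>[[:space:]]*<string>\([^<]*\)</string>.*|\1|p'
}

# Dotted numeric version compare: returns 0 (true) when $1 >= $2.
# Missing trailing components are treated as 0, so 10.1 == 10.1.0.
version_ge() {
    v1="$1"; v2="$2"
    while [ -n "$v1" ] || [ -n "$v2" ]; do
        a="${v1%%.*}"; b="${v2%%.*}"
        [ "${a:-0}" -gt "${b:-0}" ] && return 0
        [ "${a:-0}" -lt "${b:-0}" ] && return 1
        case "$v1" in *.*) v1="${v1#*.}";; *) v1="";; esac
        case "$v2" in *.*) v2="${v2#*.}";; *) v2="";; esac
    done
    return 0
}

# Prints one of: "absent", "unknown", "patched <ver>", "vulnerable <ver>".
# $1 is the root prefix (empty for the live system); assumes the standard
# bundle layout <plugin>/Contents/Info.plist.
flash_status() {
    root="$1"
    plist="$root$FLASH_PLUGIN/Contents/Info.plist"
    if [ ! -f "$plist" ]; then
        echo "absent"; return 0
    fi
    ver="$(plist_version "$plist")"
    if [ -z "$ver" ]; then
        echo "unknown"; return 0
    fi
    if version_ge "$ver" "$FIXED_FLASH_VERSION"; then
        echo "patched $ver"
    else
        echo "vulnerable $ver"
    fi
}

# Lists which of the post's Adobe plug-in files exist under root $1.
list_adobe_plugins() {
    root="$1"
    for p in "$FLASH_PLUGIN" "$FLASH_XPT" "$PDF_PLUGIN"; do
        [ -e "$root$p" ] && echo "$root$p"
    done
    return 0
}

report() {
    echo "Flash plug-in: $(flash_status "$1")"
    echo "Adobe plug-in files present (review before deleting, then quit and relaunch browsers):"
    list_adobe_plugins "$1"
}

report "$PLUGIN_ROOT"
```

Run it as-is on the Mac in question, or set PLUGIN_ROOT to the mount point of a copied or backed-up volume to inspect that tree instead. A "vulnerable" result means the installed plug-in predates the fix named in the post; "unknown" means the Info.plist exists but carries no CFBundleShortVersionString, which is worth a manual look rather than a guess.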

~~~~~~~~~~~~~~

LONG VERSION:

Just when you thought your Adobe apps were safe, this dark sense of wariness creeps into your subconsciousness followed by a sense of déjà vu as you read the latest news. I'll let Adobe give you the bad news. Here are the two pages at Adobe where you can find their security announcements:

Adobe Product Security Incident Response Team (PSIRT)

Adobe Security Bulletins and Advisories

The latest Adobe bad news déjà vu déjà vu déjà vu (with added emphasis mine):


I) Security Advisory for Adobe Reader and Acrobat (APSA10-02)
Release date: September 8, 2010

Last updated: September 13, 2010

Vulnerability identifier: APSA10-02

CVE number: CVE-2010-2883

Platform: All

SUMMARY

A critical vulnerability exists in Adobe Reader 9.3.4 and earlier versions for Windows, Macintosh and UNIX, and Adobe Acrobat 9.3.4 and earlier versions for Windows and Macintosh. This vulnerability (CVE-2010-2883) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild.

We are in the process of finalizing a fix for the issue and expect to provide updates for Adobe Reader 9.3.4 for Windows, Macintosh and UNIX, and Adobe Acrobat 9.3.4 for Windows and Macintosh during the week of October 4, 2010.

Please note that these Adobe Reader and Acrobat updates represent an accelerated release of the next quarterly security update originally scheduled for October 12, 2010. With this accelerated schedule, we do not plan to release any new updates for Adobe Reader and Acrobat on October 12, 2010.

AFFECTED SOFTWARE VERSIONS

Adobe Reader 9.3.4 and earlier versions for Windows, Macintosh and UNIX
Adobe Acrobat 9.3.4 and earlier versions for Windows and Macintosh

MITIGATIONS

Current exploits in the wild target the Windows platform. Customers using Adobe Reader or Acrobat 9.3.4 or earlier on Windows can utilize Microsoft's Enhanced Mitigation Evaluation Toolkit (EMET) to help prevent this vulnerability from being exploited. For more information on EMET and implementing this mitigation, please refer to the Microsoft Security Research and Defense blog. Note that due to the time-sensitive nature of this issue, testing of the functional compatibility of this mitigation has been limited. Therefore, we recommend that you also test the mitigation in your environment to minimize any impact on your workflows.

SEVERITY RATING

Adobe categorizes this as a critical issue.

DETAILS

A critical vulnerability exists in Adobe Reader 9.3.4 and earlier versions for Windows, Macintosh and UNIX, and Adobe Acrobat 9.3.4 and earlier versions for Windows and Macintosh. This vulnerability (CVE-2010-2883) could cause a crash and potentially allow an attacker to take control of the affected system. Adobe is aware of public exploit code for this vulnerability.

Adobe actively shares information about this and other vulnerabilities with partners in the security community to enable them to quickly develop detection and quarantine methods to protect users until a patch is available. As always, Adobe recommends that users follow security best practices by keeping their anti-malware software and definitions up to date.

We are in the process of finalizing a fix for the issue and expect to provide updates for Adobe Reader 9.3.4 for Windows, Macintosh and UNIX, and Adobe Acrobat 9.3.4 for Windows and Macintosh during the week of October 4, 2010. These updates will also address the issue referenced in Security Advisory APSA10-03 (CVE-2010-2884).

Please note that these Adobe Reader and Acrobat updates represent an accelerated release of the next quarterly security updates originally scheduled for October 12, 2010. With this accelerated schedule, we do not plan to release any new updates for Adobe Reader and Acrobat on October 12, 2010.

Users may monitor the latest information on the Adobe Product Security Incident Response Team blog at the following URL: http://blogs.adobe.com/psirt or by subscribing to the RSS feed here: http://blogs.adobe.com/psirt/atom.xml.

ACKNOWLEDGMENTS

Adobe would like to thank Mila Parkour of http://contagiodump.blogspot.com for working on this issue with Adobe to help protect our customers.

REVISIONS

September 13, 2010 - Updated information on the release schedule, and that the releases represent the next quarterly security update (originally scheduled for October 12, 2010).
September 10, 2010 - Added the Mitigations section with instructions for a mitigation option for Windows users.
September 8, 2010 - Advisory released.

II) Security Advisory for Adobe Flash Player (APSA 10-03)
Release date: September 13, 2010

Vulnerability identifier: APSA10-03

CVE number: CVE-2010-2884

Platform: All

SUMMARY

A critical vulnerability exists in Adobe Flash Player 10.1.82.76 and earlier versions for Windows, Macintosh, Linux, Solaris, and Adobe Flash Player 10.1.92.10 for Android. This vulnerability also affects Adobe Reader 9.3.4 for Windows, Macintosh and UNIX, and Adobe Acrobat 9.3.4 and earlier versions for Windows and Macintosh. This vulnerability (CVE-2010-2884) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild against Adobe Flash Player on Windows. Adobe is not aware of any attacks exploiting this vulnerability against Adobe Reader or Acrobat to date.

We are in the process of finalizing a fix for the issue and expect to provide an update for Adobe Flash Player for Windows, Macintosh, Linux, Solaris, and Android operating systems during the week of September 27, 2010. We expect to provide updates for Adobe Reader 9.3.4 for Windows, Macintosh and UNIX, and Adobe Acrobat 9.3.4 for Windows and Macintosh during the week of October 4, 2010.

AFFECTED SOFTWARE VERSIONS

Adobe Flash Player 10.1.82.76 and earlier versions for Windows, Macintosh, Linux, Solaris, and Adobe Flash Player 10.1.92.10 for Android
Adobe Reader 9.3.4 and earlier versions for Windows, Macintosh and UNIX
Adobe Acrobat 9.3.4 and earlier versions for Windows and Macintosh

SEVERITY RATING

Adobe categorizes this as a critical issue.

DETAILS

A critical vulnerability exists in Adobe Flash Player 10.1.82.76 and earlier versions for Windows, Macintosh, Linux, Solaris, and Adobe Flash Player 10.1.92.10 for Android. This vulnerability also affects Adobe Reader 9.3.4 for Windows, Macintosh and UNIX, and Adobe Acrobat 9.3.4 and earlier versions for Windows and Macintosh. This vulnerability (CVE-2010-2884) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild against Adobe Flash Player on Windows. Adobe is not aware of any attacks exploiting this vulnerability against Adobe Reader or Acrobat to date.

We are in the process of finalizing a fix for the issue and expect to provide an update for Adobe Flash Player for Windows, Macintosh, Linux, Solaris, and Android operating systems during the week of September 27, 2010. We expect to provide updates for Adobe Reader 9.3.4 for Windows, Macintosh and UNIX, and Adobe Acrobat 9.3.4 for Windows and Macintosh during the week of October 4, 2010.

Adobe actively shares information about this and other vulnerabilities with partners in the security community to enable them to quickly develop detection and quarantine methods to protect users until a patch is available. As always, Adobe recommends that users follow security best practices by keeping their anti-malware software and definitions up to date.

Users may monitor the latest information on the Adobe Product Security Incident Response Team blog at the following URL:

http://blogs.adobe.com/psirt

or by subscribing to the RSS feed here:

http://blogs.adobe.com/psirt/atom.xml

ACKNOWLEDGMENTS

Adobe would like to thank Steven Adair of the Shadowserver Foundation for working with us on this issue with Adobe to help protect our customers.

~~~~~~~~~~~

And now for another rant:

This past week we learned that the first version of Adobe Flash Player had been released for the Google Android OS for smartphones. We also learned that it is a dreadfully buggy, slow, battery consuming POS. Now we learn, if you read through the Adobe bulletins above, that Flash for Android has a 'critical' security hole.

These two Adobe Flash problems were known over a year ago. Dr. Charlie Miller warned us that Flash is the single biggest source of pwnage security holes on the Mac OS X platform. Steve Jobs made it clear that Flash for Mac is a resource hog, verifiable by anyone with a brain (which apparently is not the case with Adobe's current CEO). It is no surprise that Flash turns out to be a resource hog, running as slow as a one-legged dog on Android.

Conclusion: It's time for Flash to die.

Then what?

Contrary to popular mythology, there is no perfect replacement for Flash. The HTML5 video spec promises to replace one niche for Flash with a totally free-forever video playing alternative. (Yes kids. The patent holders for H.264 are giving it away for everyone forever). However, actual Flash applications will be more difficult to replace. These include games, slideshows, web page embedded applications, etc.

Once upon a time we dreamed that Java would take up these roles, and perhaps it may someday. But for now, Java is considered much more difficult to program than Flash, slow to run, and Java has its own security problems. Ideally a Java app building program, as easy as Flash, will appear and will use stringent security protocols, secure memory management and decent speed along with restrained CPU access. It could happen! For all I know, such a Java app builder already exists. Please post a comment if you have related information.

In the meantime, I'm supporting the death sentence for Adobe Flash.

Share and Enjoy,

:-Derek
--

Wednesday, August 25, 2010

Adobe 'Out Of Band' CRITICAL Update Parade:
Shockwave Player v11.5.8.612

--
Adobe continues their parade of CRITICAL security updates with Shockwave Player v11.5.8.612. Thankfully, you only have to make one click on one page to download it. (Someone over there is getting the clue). And get this! (Don't go into shock!) It's 64-bit! Here is the download page link:

Shockwave Player v11.5.8.612

You can read about the security patches HERE.

To quote Adobe:
The vulnerabilities could allow an attacker, who successfully exploits these vulnerabilities, to run malicious code on the affected system.
My quick summary:

There are 20 security patches.

-> 16 patches are for memory corruption vulnerabilities (aka buffer overflow bugs).

-> 2 patches are for DOS (denial of service) attack issues.

-> 1 patch is for a pointer offset vulnerability.

-> 1 patch is for an integer overflow vulnerability (aka buffer...).

The update is for both Mac and Windows versions. Adobe don't note any in-the-wild exploits at this point. But as per usual, keep up to date with App and OS security patches!
--

Tuesday, August 24, 2010

Apple Security Update 2010-005

--
Apple have released FOUR versions of Security Update 2010-005. The versions are linked below:

Mac OS X Snow Leopard Client - 80.63 MB

Mac OS X Snow Leopard Server - 136.86 MB

Mac OS X Leopard Client - 211.88 MB

Mac OS X Leopard Server - 418.92 MB

The general downloads page can be found HERE.

You can read about the security patches HERE.

My quick summary:

There are 8 security patches.

-> 2 PHP patches: One patches a buffer overflow vulnerability regarding maliciously crafted PNG image files. The other updates PHP to version v5.3.2, which itself provides a variety of security patches to such things as further buffer overflow vulnerabilities.

-> 1 Samba patch: A buffer overflow...

-> 1 Apple Type Services (ATS) patch: A vulnerability to maliciously crafted embedded fonts due to a buffer overflow...

-> 1 CFNetwork patch: Prevents a man-in-the-middle attack that could redirect network connections and intercept a user's sensitive information such as their user credentials.

-> 1 ClamAV patch: Updates the versions of ClamAV in Mac OS X Server 10.5 and 10.6 to version 0.96.1, solving multiple vulnerabilities.

-> 1 CoreGraphics patch: A heap buffer overflow due to maliciously crafted PDF files. (Presumably this is related to a similar problem in iOS v4.0).

-> 1 libsecurity patch: Improves the handling of certificate host names, preventing a website impersonation attack.
--

Thursday, August 19, 2010

Adobe 'Out Of Band' CRITICAL Updates Parade:
Acrobat and Reader v9.3.4

--
And the parade marches on. At last we have the latest in CRITICAL Adobe security hole updates. This time the updates are for Adobe Acrobat and Adobe Reader. GET THEM NOW!

Because the process of getting to actual download links at the Adobe site is a huge PITA, here are direct URLs for English Intel Mac users. Send me virtual luv:

Acrobat Reader v9.3.4 update

Adobe Acrobat 9.3.4 Pro update

The general update page for all other users and versions is HERE.

What's so CRITICAL? The update's security bulletin is HERE.

To quote Adobe:

These updates address CVE-2010-2862, which was discussed at the Black Hat USA 2010 security conference on Wednesday, July 28, 2010. They also incorporate the Adobe Flash Player update as noted in Security Bulletin APSB10-16.
My summary:

1) The updates patch memory corruption vulnerabilities that could lead to hacked code execution on your Mac and/or program crashes. IOW it's more of the same old buffer overflow problem that plagues current computer coding in general. (As found in CVE-2010-2862).

Quoting from the CVE:

Integer overflow in CoolType.dll in Adobe Reader 8.2.3 and 9.3.3, and Acrobat 9.3.3, allows remote attackers to execute arbitrary code via a TrueType font with a large maxCompositePoints value in a Maximum Profile (maxp) table.

2) They solve a social engineering attack security hole via PDF files that could lead to hacked code execution on your Mac. (As found in CVE-2010-1240).

Quoting from the CVE:

Adobe Reader and Acrobat 9.x before 9.3.3, and 8.x before 8.2.3 on Windows and Mac OS X, do not restrict the contents of one text field in the Launch File warning dialog, which makes it easier for remote attackers to trick users into executing an arbitrary local program that was specified in a PDF document, as demonstrated by a text field that claims that the Open button will enable the user to read an encrypted message.
~~~~~~~~~~

BTW: Looking up CVE reports is easy, if snooze inducing. Just go to the National Vulnerability Database site (at the National Institute of Standards and Technology) and search on the CVE number. Here is the URL to get you started:

National Vulnerability Database (NVD) Search Vulnerabilities

And now for a rant:

If you're wondering why these simple and specific CVE searches take a long time (zzzzz) to resolve, it's the decrepit US government. It's Microsoft Windows. It's ancient old PCs the government is too cheap to replace, cranking away on stuff that takes any modern Mac a microsecond. (But of course, the government did manage to fund the infamous 'Bridge To Nowhere' in Alaska, hardy har har, porky pork, oinky oink, so long Ted Stevens you parasite).

I was once offered a job at the Department of Wildlife. I took one look at their computers and wondered what would be the appropriate response: Running away screaming OR sauntering out laughing?

In any case, if you've ever wondered why it's so incredibly easy for The Red Hacker Alliance in Red China and other such scum to hack into US government computers, look no further for your answer. Much as I hated the Bush League, much as I'd like to support the Obama Era, this stupid state of affairs continues. Note the fact that the Obama Administration hired ex-Microsoft executives and coders to help them solve their computer security crisis. That's right! They hired the CAUSE of the problem to SOLVE the problem.
(o_0)

Hmm. What would be the appropriate response? I'll leave it to you to decide.

CUL8R!
Stay safe.
Stay secure.
Don't touch my cookies.

;-Derek
--

Friday, August 13, 2010

Adobe Flash, AIR, PDF, Acrobat and Reader:
Security Statistics Sources

--
Earlier today, I was helping out a reader at MacDailyNews.com who had the following question:
'BSOD' asks: "Does anyone have statistics on exactly how many security holes have been opened up by Flash, Air, and PDF? I think that we need to see that stat."
My answer is of general interest. Therefore, I am posting it here for your reading pleasure:
You can dig around at the CVE site for each of them. CVE stands for Common Vulnerabilities and Exposures. It keeps track of each reported software security problem:

http://cve.mitre.org/

Wikipedia.org also covers each of them and gives a general description of their security:

Adobe Flash: "As of May 17, 2010, The Flash Player has 77 CVE entries, 34 of which have been ranked with a high severity (leading to arbitrary code execution), and 40 ranked medium."

Adobe PDF: "On March 30, 2010 security researcher Didier Stevens reported an "exploit" that causes an arbitrary executable to be run when a PDF file is opened, after the user accepts a warning prompt. The exploit works in several different PDF viewers including Adobe Reader and Foxit Reader."

And, earlier this year Adobe were embarrassed into creating the Adobe Product Security Incident Response Team (PSIRT). You can keep up with their blog here:

http://blogs.adobe.com/psirt/

Adobe maintain their Security Bulletins and Advisories page, going back to 2005, here:

http://www.adobe.com/support/security/

• There are approximately 88 Adobe Flash security bulletins.
• There are 6 Adobe PDF security bulletins.
• There are over 100 Adobe Acrobat security bulletins.
• There are over 100 Adobe Reader security bulletins.
• The only Adobe AIR related bulletin is the Adobe Flash bulletin from June 10, 2010.

Thursday, August 12, 2010

Update:
Secunia Half Year Report 2010
& QuickTime Hell

--
In a previous article, entitled "Desperate Propaganda..." I had a rant-fest regarding a PC World FUD-fest regarding Apple security. The author, Preston Gralla, managed to spew out this line of deceit:

:-Q****** "The security company Secunia reports that Apple products have more vulnerabilities than those of any other company."

This was clearly taken as a hit at all Apple products. What was missing was any reference to the context of the source Secunia report, which you can read HERE. I knew better, having been an avid Secunia reader since 2005. In fact, the only Apple products noted in the report were QuickTime and iTunes on Microsoft Windows. Secunia didn't cover any other Apple products.

When I read through the entire Secunia Report I found nothing of relevance to Mac OS X except the fact that the Apple apps discussed are prone to the same problems on Mac OS X as well as Windows.

QuickTime Hell

In previous articles I've covered the major problems with QuickTime, the biggest culprit of Apple security holes. It is used in iTunes, thus making iTunes just as vulnerable. In summary, QuickTime stumbles over malicious ECMAScript (aka 'JavaScript') and coding errors that allow malicious buffer overflows.

Supposedly Apple has been overhauling QuickTime. The first peek at it has been QuickTime Player X. But as far as any user can tell, the QuickTime X project is stalled at version 1.0.0. What we have on Snow Leopard is entirely inadequate, incomplete and buggy. Serious QuickTime users are required to also install QuickTime version 7, the current version of which is 7.6.6.

Hopefully Apple will get back to work on revising QuickTime now that iOS 4 has been completed and released.
--

Wednesday, August 11, 2010

To: 'hip'
Re: iMac_Sux.dmg

--
Recently a reader nicked as 'hip' sent me the URL to an evil crapware file entitled 'iMac_Sux.dmg'. Here is his full message with the exclusion of the URL for downloading the file:
Wanna crash an iMac?
Just mount this .dmg file, then have a look at what MassStorageCamera is doing.
It will be consuming all RAM and processors!!
I am not providing the URL in order to avoid being accused of distributing the thing.

Thank you 'hip'! I checked out the website where the file is located and enjoyed it. I particularly enjoyed the page quotations from The Hipcrime Vocab by Chad C. Mulligan. The insights are refreshing after living amidst the Neo-Con-Job / Tea Party / FuxNews / News Corp / Rupert Murdoch Regime gibberish age within the USA where intelligent thoughts and verifiable facts are out of fashion.

I ran the .dmg and it did exactly as expected, without crashing my MacBook 2 GHz from 2006-11. It also auto-opened the 'CameraWindow' application that I installed for my Canon camera. I checked through the code within the .dmg and am going to 'guestimate' that the resource scripting near the end is instructing Mac OS X to treat the entire boot volume as a camera image volume. I was too bizy and lazy to dig further.

Clearly this is a very simple call being made within the .dmg that fools Mac OS X into thinking the opening .dmg volume is a camera. Fascinating. The fault of course is in MassStorageCamera for being allowed to eat your Mac alive. As I've pointed out previously, even Intego's VirusBarrier application has race condition bugs.

My POV: I've studied coding as well as code project management. Coding these days is typically for applications, etc., that are so vast that no single human being can comprehend them. The result is coding-by-committee which in and of itself is a guaranteed mess. There is also the eternal pressure of 'Do Less With Less' from clueless biznizz management and nagging clients, none of whom comprehend the escalating difficulties of coding. Then there is the basic crappiness of the archaic coding languages we still use these days. Anything based on 'C' coding is going to have plenty of problems if only from buffer overflows, the single largest coding plague of our day. We're also stuck with ECMAScript for Internet scripting (which incorporates LiveScript/JavaScript, the JScript abomination from Microsoft and the ActiveScript mess from Adobe). Java continues to FAIL to live up to the hype, causing its own security and memory problems. Then there are the eternal security holes in PHP and SMB on and on.

I'm not at all surprised that Apple missed the bug inherent in the 'iMac_Sux.dmg' file. I can easily see them being aware of it and tossing it on the back burner if only because it does not represent a security or major crashing problem. Similar CPU and RAM devouring buggy code has been around for many years. What sucks most is when system calls can crash the entire computer. Not having an iMac around to play with, I can't verify that this file crashes the machine. But I am going to guess that with current Intel iMacs it does not.

Dr. Charlie Miller and Dino Dai Zovi have the current best Mac hacking & cracking & pwning etc. book available for Mac OS X entitled 'The Mac Hacker's Handbook'. Both of them have Twitter accounts to follow. Both are very amusing to read. Dr. Miller is brilliant at coming up with methods for testing and breaking into Mac OS X. This past spring he won yet another Pwn2Own contest. He gave a presentation at Black Hat this last week where, among other things, he revealed yet-another security hole in Adobe Acrobat and Reader.

Here is a fun interview with Dr. Miller from March:

http://www.oneitsecurity.it/01/03/2010/interview-with-charlie-miller-pwn2own/

CONCLUSION: Expect security holes. Expect coding errors. There is no such thing as a perfect coder. There is no such thing as a perfect application or operating system.

I'll also add my usual coda: The only people I've ever heard or read saying that 'Macs never have security problems' are either NEWBIES or TROLLS. One of course never takes seriously the word of either of these species of human. It is well worth keeping track of Mac security. It is also well worth sorting out Mac security FUD from FACT.

BTW: Considering all of the above, what are the chances that humans will ever create Turing Test verifiable Artificial Intelligence? Not in my lifetime! No SkyNet worries.
;-D
--