Tuesday, June 29, 2010

They're Here!
Adobe CRITICAL Updates:
Acrobat & Reader & Flash Player

--
As promised, Adobe skipped their dopey 'quarterly' security update schedule and pushed out updates to Adobe Acrobat, Reader and Flash Player before the end of June. Gee thanks. Let's hope this incident puts the 'quarterly' security update stooopidity in the grave where it belongs.

Before I send you to the sources, I get to be a grumbling curmudgeon. Be warned that Adobe made the process of updating Adobe Acrobat, Reader and Flash Player yet-another PITA with a number of pages to click through to just download the things. So apparently, whoever made Adobe updating the most heinous process in the entire computer community, has not yet been fired from the company.
What A Shame.

For your pleasure, I have dug through the pages of Adobe bureaucratic garbage for you in order to provide direct download URLs:

Acrobat 9.3.3 Pro update

Adobe Reader 9.3.3 update for Intel Macs

Adobe Reader 9.3.3 update for PPC Macs

Adobe Flash Player 10.1.53.64

The simple URL for Flash Player is courtesy of my pals at VersionTracker.com

REMINDER: If you have installed the Mac OS X 10.6.4 update and/or Apple Security Update 2010-004, you have NOT NOT NOT updated to this CRITICAL latest version of Flash Player. Apple only included the old dangerous version. Thankfully, Apple's updater does not remove the newer version if you already installed it.

THEREFORE: If you haven't already, you must DIY install the Adobe Flash Player version 10.1.53.64. Apple won't do it for you. I don't know why! They just won't.
--

Thursday, June 17, 2010

Apple's Flash Player Plug-in Update Blunder
in the 10.6.4 Update

--
According to MacFixIt.com, Apple made one big preventable blunder in the Mac OS X 10.6.4 update. They included the previous, exploited in-the-wild, version of the Adobe Flash plug-in, version 10.0.45.2. My guess is that this is the version they've been using in the beta of 10.6.4 and they neglected to swap in last week's security patched version 10.1.53.64. That's a very naughty oversight by Apple!

Therefore, if you have not done so already, go grab the very latest installer for the Adobe Flash Player, v10.1.53.64, and install it. Apple didn't give it to you! You can grab it HERE.

Thankfully, Apple's 10.6.4 update installer is smart enough not to remove the updated version of the Flash Player plug-in. Mine stayed intact.

Dear Apple. Considering the well deserved abuse Adobe have had to endure for their blundering crap programming, it would be advisable to avoid blunders of your own and keep up with Adobe's updates! Until this Flash plug-in version oversight happened, Adobe had no legitimate reason to criticize Apple. Now it looks like you're ignoring Adobe's meagre efforts to put things right again. That's not good. You've also needlessly endangered the security of your customers!

Meanwhile, keep an eye out for the Acrobat and Adobe Reader security patch updates that should be showing up any week now...
(o_0)
--

Tuesday, June 15, 2010

Apple Security Update 2010-004
/ Mac OS X v10.6.4

--
UPDATED 2010-06-17. Please read item #3 in the summary list below!
--
June 15th Apple kindly emailed me their list of security fixes in Security Update 2010-004, which in incorporated into the Mac OS X 10.6.4 update. Later in the day Apple posted the full report HERE.

Below is my summary of patches:

1) Three CUPS patches. (Cross-site request forgery; a cupsd bug; a web interface bug).

2) A Desktop Services patch. (Corrects a bug when applying permissions to enclosed items).

3) OOPS! Apple neglected to keep up with Adobe's Flash Player and instead installs the older hacked in-the-wild version! This is a very bad oversight by Apple! If you haven't already, you must DIY install the latest Flash Player update HERE. Be certain to do it NOW.

Thankfully Apple's update installer does not remove an updated version of the Flash Player plug-in. No damage done.

***(The dangerous version of the Adobe Flash Player plug-in is 10.0.45.2. The security patched version is 10.1.53.64. You can check the version at: /Library/Internet Plug-Ins/Flash Player.plugin).

4) A Folder Manager patch. (Repairs a symlink bug).

5) A Help Viewer patch. (Yet-another JavaScript security hole. I hate JavaScript).

6) An iChat patch. (AIM related. Repairs a file path handling bug).

7) An ImageIO patch. (A buffer overflow problem with TIFF files).

8) Three Kerberos patchs. (Buffer overflow; ticket handling bug; KDC request bug).

9) A libcurl patch. (Buffer overflow).

10) Two Network Authorization patches. (A NetAuthSysAgent patch for operation authorization privileges; format string bugs in afp, cifs and smb).

11) An Open Directory patch. (Man-in-the-middle attack via an unprotected server connection).

12) A Printer Setup patch. (Bug in handling a shared printing service).

13) A Printing patch. (Buffer overflow in the cgtexttops CUPS filter).

14) A Ruby patch. (WEBrick bug with a JavaScript security hole. Did I mention I hate JavaScript?)

15) An SMB File Server patch. (An Apple Samba symbolic links bug).

16) A SquirrelMail update. (Cross-site scripting insecurity, among several other problem).

17) A Wiki Server patch. (Cross-site scripting attack security hole).

∑ = 23 security patches.

As of this post, I have not yet installed 10.6.4. Keep an eye on MacFixIt for problem reports.

Before you update, remember to follow the routine: (1) Back up (2) Repair your boot volume, including disk permissions. (3) Download and install the 'Combo' version of the update for best results (4) After reboot, repair your disk permissions again. (Lately Apple have missed cleaning up a number of permissions errors after their updates. Adobe always leaves a permissions mess behind, which will be most certainly be the case with the Flash plug-in update).
--

Sunday, June 6, 2010

Kewl Article @ MacWorld.com:
'Quick tips to foil Mac break-in attempts'

--
Dan Moren at MacWorld has posted a useful article about attempts to break into Mac accounts along with useful tips to stop their success:

Quick tips to foil Mac break-in attempts

No computer on the Internet is immune from attempts to break into accounts. In Dan's case, the attempts failed but managed to lock up his computer. I've had similar experiences with my own Internet server.
--

Saturday, June 5, 2010

VLC Update!
Version 1.0.6 Is Available

--
[-->Please note that the link for VLC v1.0.6 was inexplicably taken down from the VLC Intel nightly builds site, leaving only the link for v1.1rc, the 64-Bit branch, which is buggy. The only linked version at the standard Mac download page is v1.0.5, which you do NOT want to use due to security flaws. I'm attempting to get the VLC gang to reinstate the v1.0.6 link. In the meantime, v1.1rc generally works fine except for a crash-at-Quit bug, which thankfully is entirely ignorable. :-Derek]
--
UPDATE!

Hey kids. I found that in April some terrific folks on the Mac side of the VLC project have gotten things going again and have provided an update past VLC v1.0.5. You can download the lastest version of VLC at the source page for VLC media player Mac OS X Intel nightly builds. (Sorry PPC users, you are SOL).

Be sure to read the notes at the top of the page very carefully! What you probably want is the latest version of the 1.0-branch-intel stable series. Ignore the gibberish numbers in the file names. When you see '107' in the name it does NOT mean 'version 1.0.7'. ATM the latest version is v1.0.6.

There is a new branch available at the site called '1.1'. It is currently in beta and has some bugs. Thankfully it brings back 64-Bit VLC to the Mac.

Thank you very much to the Mac crew at the VLC project for great, dedicated work! Keep in mind everyone that VLC is an Open Source project, which means all the work is being donated by the developers.
--

New Adobe Security Holes:
Get Pwned Via Flash Player, Acrobat
or Adobe Reader

--
RISK: CRITICAL
--

Adobe have posted a warning that current versions of Flash Player, Acrobat and Adobe Reader have a DANGEROUS security hole that is currently being exploited out in the wild. Here are some reading sources:

Security Advisory for Flash Player, Adobe Reader and Acrobat

Adobe Warns of Critical Flaw in Flash, Acrobat & Reader

The first article above is direct from Adobe. The second article is analysis by Brian Krebs, a professional computer security journalist.

NOT affected: Version 8.x of Acrobat and Adobe Reader. If you've got them, you can dig them out and use them safely.

You can keep track of the progress in patching this latest set of Adobe holes at either of these sites:

Adobe Security Bulletins and Advisories

Adobe Product Security Incident Response Team (PSIRT)

Because this set of security holes has been found to be exploited in the wild, I can only advise that you do NOT use any of the affected Adobe products with ANY files you encounter via the Internet.

1) Get a plugin for your web browser that TURNS OFF FLASH. (They are available for both WebKit and Mozilla based browsers). Use it and don't watch any Flash until a finished update is provided by Adobe.

2) Only open your own, or verified safe PDF files via Acrobat or Adobe Reader.

If you want to be super-duper safe, trash the Adobe Flash Plugin. You will find it here on your Mac:

/Library/Internet Plug-ins/Flash Player.plugin

Wait until the finished v10.1 Flash Player plugin has been released and install it at that time. The current unsafe Mac version of Adobe Flash Player is v10.0.45.2. When the finished version of Flash Player v10.1 is available, you will find it HERE.
--

Wednesday, June 2, 2010

OSX/OpinionSpy:
Mac's First Illegal Spyware
Part I

--
RISK: HIGH
--


Introduction:

Up to this point in time, Mac OS X has only had 'legal', publicly available 'spyware'. The most common kind has been keyloggers installed by Mac network administrators into client accounts to keep track of what the client user is doing on the computer and on the Internet. You can grab a list of known 'legal' spyware over at the MacScan website. You can also search for them (using the terms 'spyware' and 'keylogger') at any of the shareware sites, such as VersionTracker.com and MacUpdate.com.

Ten years into the life of Mac OS X we now have our very first actual malware version of spyware. And it's a nasty one.

OSX/OpinionSpy:

I seriously doubt OSX/OpinionSpy is going to be the official name of this spyware. Using the current malware naming standard, my best guess is that it will end up being called Trojan.OSX.OpinionSpy.A. But don't quote me. I am calling it a Trojan horse form of spyware because of its method of infection. It requires you, the user, to install it by providing it with your administrator password. Once it has the admin password it can do what it likes, as is typical with the current crop of Mac Trojans. For now, I will stick with the name Intego have given it.

Thanks to Intego's vigilance in detecting and studying malware for the Mac, we now have some reasonable details about this spyware. We know what it does and we know a lot about where it comes from. At the time of this posting, Intego have two articles in their series on OSX/OpinionSpy:

Intego Security Alert: OSX/OpinionSpy Spyware Installed by Freely Distributed Mac Applications

Further Information about the OSX/OpinionSpy Spyware

NetworkWorld has joined in the research efforts and has come up with a preliminary list of applications that include OSX/OpinionSpy with their installation:

Intego updates Mac users on OSX/OpinionSpy Spyware threat

It might be useful to repeatedly check the article above for further additions to the list. I will also be publishing a continually updating list here in Part II of my own blog series on this malware.


What OSX/OpinionSpy Does:

Read the Intego articles for full details. Below is a very brief summary of what they have discovered:

1) At this time, the infected installers are downloadable from any of the shareware sites as well as from the source developer sites.

2) The download website or the installer may or may not tell you know that the spyware, calling itself a 'market research' program, is included in the installer. If you are warned, obviously don't install the software. I personally cannot abide any form or marketing research data collection on my computers. Sadly, the field of marketing is too full of parasites, aka what I call Marketing Morons (versus beneficial Marketing Mavens) to ever trust your data with anyone.

3) Once the Trojan horse is installed, it takes over your computer with full Root access. At that point it can do anything-at-all to your computer.

4) The basic behavior of OSX/OpinionSpy is that of most spyware applications. It collects masses of data about your computer and sends it off to a collection hub for evaluation and potential distribution to others. This can include all your account IDs and passwords, all your web surfing history, bookmarks, address book data, email addresses, literally everything about you that exists on your computer and on your local network. This is a very thorough method of Phishing you, aka stealing your identity. Plenty of criminals would gladly put your identity to work for nefarious purposes.

HOWEVER, that is not where this spyware stops.

5) It is capable of restarting itself if its process is stopped on your Mac. It is also capable of reinfecting your Mac despite you having deleted any one of the applications it has infected.

6) It opens an HTTP backdoor into your Mac using port 8254.

7) It upgrades itself with new variants of itself, or any other malware it chooses to install. So far one new variant called 'PremierOpinion' has already been discovered.

8) It eats your CPU cycles while it scans your computer files and sends out files and data to the 'bot wrangler' hub. (Typically these hubs are anonymous IRC rooms setup by the bot wrangler).

9) It intercepts and analyzes all data packets coming into and going out of your Mac.

10) It injects code, aka infects itself into the RAM space used by running applications. It also gathers data from application memory space, such as IDs, passwords, credit card numbers, PINs, etc.

11) It occasionally provides an interface for asking users for information it would like to learn, essentially Phishing for your identity via bogus surveys.

12) It is capable of crashing or stopping Macs it has infected, requiring the user to Force-Reboot their computer. Potentially it has corrupted your boot drive.

No doubt, further details about its behavior will be discovered. Considering that this spyware runs with Root authority, you might as well describe it has having botted, zombied or pwned your Mac. This is the worst possible infection situation.


Detection And Prevention:

Intego today provided a 'threat filter' (aka malware signature) update for active versions of VirusBarrier versions 10.5 and 10.6.

As with any Trojan horse, only install software on your Mac that you have verified to be legitimate and malware free. Intego recommend having 'real time scanning' running in their anti-malware application. Another option is to individually scan all application installers you download before you install them. If you fail to use either of these precautions, you should perform a full scan of your Mac.

Using a reverse firewall is also extremely helpful. I use Little Snitch. Intego also include a reverse firewall in VirusBarrier v10.6. In particular, keep an eye out for any application accessing ports 80, 443 and 8254. Personally, I set up a denial rule for 'All Applications' attempting to send data out of port 8254. This is unlikely to entirely block the actions of the spyware, but it can't hurt. This port is very rarely used.

Reverse firewalls also make it easy to scan down a list of applications with rules you have set for accessing your network or the Internet. This can help you identify whether you have some odd or foreign application making connections. If you find one, it is likely useful for you to scan your Mac for all instances of the spyware.

It is also useful to delete mysterious applications from your reverse firewall rules list in order to keep an eye on their further requests for network and Internet access.


Other Anti-Malware applications:

At the moment, only Intego VirusBarrier is able to detect and fully remove this malware. As usual, VirusBarrier is the only commercial anti-malware application I can recommend.

I'm going to keep an eye out for detection and removal by other anti-malware apps. Of the free options it is doubtful that ClamAV (via ClamXav) will detect this malware in the near future. iAntiVirus so far not does detect OSX/OpinionSpy, but I expect they shortly will.

A blog at Sophos describes the experience of running one of the screensaver spyware installers from 7art:

Mac OS X OpinionSpy – same old, same old

In keeping with the chaotic nature of the anti-malware community, Sophos are ignoring the published malware naming standard, calling this malware simply "OpinionSpy". They are also describing it as "monitorware" as opposed to spyware. Yeah, whatever guys.
(o_0)
[Patience requires that I start counting to 10, again...]


Infected Installers:

With time I will be posting a periodically updating list of dangerous installers that will infect your Mac. This will constitute Part II of my blog series on OSX/OpinionSpy. For the moment, the general shortlist is:

A) ANY screensaver installer from 7art-screensavers.com, version 2.6 or above. So far, 29 of their screensavers have been found to be vectors for installing this spyware.

B) The installer for 'MishInc FLV to MP3' available from the MishInc.info website.

I don't know if Intego have contacted VersionTracker or MacUpdate about these dangerous application installers. I will be writing to both of them tomorrow to make certain they know what is going on. If you are a fan of other shareware download sites, please contact them as well.

Stay safe. Stay secure.

:-Derek