Monday, August 27, 2012

Don't Use Current Java!
New Zero-Day Java Exploits
Are In-The-Wild


[UPDATE #3 ! - 2012-09-01]

Yes, the newly patched version of Java '7', v1.7 Update 7, has yet-another zero-day security hole!!!

This is unbelievable. 

Some people out there are:

1) Out to kill Java via malware.
2) Out to kill Java via crap coding.

Take your pick.

Read it and weep for poor, insecure, creaky old Java, the programming language that couldn't catch a break.

Security Explorations, the Polish security startup that discovered the Java SE 7 vulnerabilities that have been the targets of recent web-based exploits, has spotted a new flaw that affects the patched version of Java released this Thursday....
Security Explorations founder and CEO Adam Gowdiak was able to confirm that the defect does affect Java SE 7 Update 7, which Oracle released this week as a rare out-of-band patch.... 
As in the case of the earlier vulnerabilities, Gowdiak says, this flaw allows an attacker to bypass the Java security sandbox completely, making it possible to install malware or execute malicious code on affected systems. 
Unlike the earlier vulnerabilities, no known exploit of the new flaw has yet been found in the wild, but Gowdiak says he included proof-of-concept code with the report to demonstrate that an exploit is indeed possible....
For the time being, given the apparent similarity of this flaw to the ones previously reported, users are advised to either disable Java in their browsers or uninstall it completely to avoid falling prey to any future exploits. 
Bolding and italics are mine, added for emphasis.

You know the drill: turn Java off in your browser, or never install it in the first place.

If you MUST use Java, at this point the only safe version is the last one provided via Apple for OS X 10.7 and 10.8, version 1.6.0_33-b03-424. Otherwise, forget about using Java on the Internet until further notice.

After reviewing the current data, including CVE-2012-4681, I know of NO safe version of Java "6" or Java "7" available. That INCLUDES Apple's last Java update, v1.6 Update 33! Maybe Java 6 Update 35, recently provided by Oracle, is safe. But that is not-at-all clear. We're going to have to wait for more details about this latest zero-day discovery. Most certainly, there is no safe version of Java "7" at this time.

When more of this saga is revealed, I promise to break it out into a separate article.

Hey Oracle: Can we have a rest now? Please?


[UPDATE #2 ! - 2012-08-31]

Oracle has released a newer version of Java for OS X than the nasty, security hole riddled version noted below. This update is meant to patch the current zero-day exploits. Note that this is NOT an Apple update to Java. Apple does not ship or update Java 7 at all; Oracle is now the sole source for it.

Bad Java = Java "7", version 1.7 Update 6.
New Java = Java "7", version 1.7 Update 7.

NOTE: Nothing indicates that New Java Update 7 is going to be any more secure than Bad Java Update 6, which was even less secure than Bad Java Update 5.

Just Say No To Java.

IMHO Oracle has turned the Java project into a dangerous mess. We can no longer expect any future version of Java to be secure. That dream era is over. You have been warned.

If you just gotta install the latest Oracle version of Java for OS X, you will find it here:

Download Java for Mac OS X


[UPDATE #1 ! - 2012-08-29]

A second zero-day security hole has been discovered in the current version of Java! Read all about it:

Second Java zero-day exploit uncovered

“The beauty of this bug class is that it provides 100 percent reliability and is multiplatform,” Esteban Guillardoy, a developer at Immunity, said Tuesday in announcing the discovery of the second bug. “Hence this will shortly become the penetration test Swiss knife for the next couple of years.” 
Users of Java, which is installed in billions of devices worldwide, are notorious for not staying up to date with patches. Rapid7 estimates that 65 percent of the installations today are unpatched. However, this time around, people with the latest version of Java were the ones most open to attack.

Turn Java OFF on your Macs. Just leave it that way until or unless it's absolutely required. That is the future of Java on ALL computer platforms, not just Macs. Java used to be heralded as 'secure!' So long to that vacuous dream.

I suspect there are more Java fun and games yet to come. I'll post as I learn about them.


Extra! Extra!

Hopefully you've figured out that Java is now just another source of 3rd party security holes. Java is NOT secure. Java is now the single most dangerous 3rd party software you can run on your Mac. So Don't Use Java!

The latest, current version of Java, on any platform, has a new zero-day exploit that is already being exploited in the wild. Turn Java OFF!

Here is Intego's coverage of the story, as of today:

The exploit works in all major browsers and appears to work on some versions of Linux, OS X 10.7 and higher, as well as Windows, if you’re using the latest version of Java.... At this time there is no patch available for this exploit, so it’s highly recommended that you disable Java until this vulnerability has been fixed.

If/when this exploit is discovered to be used against Macs, I will post here. For now, don't take any chances: Leave Java disabled!

As a reminder: If you ever chose to install Java, you can TURN OFF Java on the Internet using the Java Preferences app you'll find in your Utilities folder. An illustration is below. If you are running OS X 10.8+, you may find Java has already been turned off for you. This is now a function of OS X whereby it automatically disables the Java web plug-in if you have not used it recently.

Of course, some websites demand the use of Java. In those cases only, go into the Java Preferences and turn it on, then reload the page requiring Java. I highly recommend leaving the Java Preferences app open and running until you decide to leave that website in order to remind you to turn Java OFF again!
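As an added example (mine as editor, not code from the original post or from Apple/Oracle), here is a small Terminal check that turns the version advice above into something you can run: it parses a `java -version` banner and classifies it against the advisories discussed on this page, and it looks for the browser plug-in bundle. It assumes Apple's standard plug-in path (/Library/Internet Plug-Ins/JavaAppletPlugin.plugin); the banners used for testing are constructed samples.

```shell
#!/bin/sh
# Added check, not from the original post: classify a `java -version` banner
# against the Java 7 advisories discussed on this page. Note that
# `java -version` writes to stderr, so a real run needs `java -version 2>&1`.

java_risk() {
    banner="$1"
    # Pull the quoted version string, e.g. 1.7.0_06, out of the banner.
    ver=$(printf '%s\n' "$banner" | sed -n 's/.*java version "\([0-9._]*\)".*/\1/p' | head -n 1)
    [ -n "$ver" ] || { echo "unknown"; return 0; }
    family=$(printf '%s' "$ver" | cut -d. -f2)                  # 6 or 7
    update=$(printf '%s' "$ver" | sed -n 's/.*_0*\([0-9]*\)$/\1/p')
    update=${update:-0}                                         # no _NN suffix means update 0
    case "$family" in
        7)
            if [ "$update" -le 6 ]; then
                echo "vulnerable"          # 7u6 and earlier: CVE-2012-4681, exploited in the wild
            else
                echo "patched-but-flawed"  # 7u7 closes CVE-2012-4681, but a further sandbox bypass was reported
            fi
            ;;
        6)  echo "java6-unclear" ;;        # the post reports no confirmed-safe Java 6 build either
        *)  echo "unknown" ;;
    esac
}

# Assumed Apple plug-in path: if the bundle is absent, browsers have no applet attack surface.
java_plugin_installed() {
    [ -e "/Library/Internet Plug-Ins/JavaAppletPlugin.plugin" ]
}

# Stand-alone run: check whatever JVM is on the PATH, if any.
if command -v java >/dev/null 2>&1; then
    echo "installed JVM: $(java_risk "$(java -version 2>&1)")"
fi
if java_plugin_installed; then
    echo "Java browser plug-in is installed; disable it in Java Preferences"
fi
```

Run it as `sh java_check.sh`. The plug-in test only says whether the bundle exists; whether the plug-in is enabled is still controlled from Java Preferences, so treat "installed" as "go and check".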

Stay safe! And be sure your backups, both on and off site, are up-to-date.


Saturday, August 25, 2012

Mac Malware Roundup: 2012-08-24
Part I


Mac users have had the busiest and most detrimental year of malware in the platform's history, and there are still four more months to go. The usual FUD explanation for the influx is 'Security Through Obscurity', that bogus doomsaying slogan first perpetrated against Macs back in 2005 by Symantec. No. Sorry! Even if you count up all the currently active Mac malware, which I estimate to be at worst about 87 (depending upon which version of OS X you're using), that number is a few orders of magnitude lower than the number of active malware for Windows on a per-user basis. IOW: The 'Security Through Obscurity' FUD remains unviable. (If you want the raw numbers and math, by all means ask me. You'll also find my methodology explained in previous posts on the subject).

So why has there been an increase in Mac malware this year? Much of it is coming out of Russia, presumably the Russian Mafia. Apple is now the most successful computer and electronics company both on the planet and in history. That gives Apple prestige and visibility. Much of the Windows-victim world has noticed and bought themselves Apple hardware and software. Therefore, malware rats have taken an interest in figuring out how to infect Macs alongside Windows boxes. For the most part, their efforts have been blundering and inconsequential. 

But then this happened:

One piece of malware, a version from the Flashback bot malware series from March, was surreptitiously planted on several websites across the world and was able to install itself (via a 'Drive-By' infection enabled by Java) onto an estimated 600,000 Macs. That Is Scandalous!  It was certainly the fault of the Java open source/Oracle project for creating the security hole. But the biggest blame goes to Apple and their idealistic assumption that Oracle was going to assist them in keeping the Mac Java runtime (JRE) up-to-date. It didn't happen. The well known, already exploited in-the-wild Java security hole sat wide open for roughly seven weeks after Oracle's patch before Apple got around to patching it. Even then, Apple blundered around with the patch process, leaving OS X 10.4 and older users out-in-the-cold. The 10.5 removal tool Apple provided was flaky at best and didn't provide any future protection. That's Apple security at its absolute WORST. Incredi-FAIL!

Has Microsoft done worse? Damned right! And frequently! So don't hold them in any esteem. But this is the very first time Apple has dropped the security ball on a monumental scale. The last count I could find estimated that at least 40,000 Macs remained infected with that version of Flashback, despite Apple's efforts. Within the history of the Mac community, that's unprecedented. 

Despite this catastrophe, Apple has continued its consistent improvement of OS X security in its release of OS X 10.8 Mountain Lion. Its Gatekeeper code-signing technology is able, in theory, to stop downloaded Trojan horse apps that lack a Developer ID signature from launching. Apple has improved and tightened up its ASLR technology (address space layout randomization). Apple, at long bloody last, provides WPA2 encrypted Internet sharing. BSD UNIX, which is the source core of OS X, remains among the most secure OS foundations available. Meanwhile, Apple has made efforts to keep security hole ridden third party software off OS X. This includes Apple's never including Adobe's infamously insecure software with its installations. Instead, Apple offers their PDF enabled Preview software, to replace Adobe Reader. Apple provides their HTML5 enabled Safari web browser to help replace Adobe Flash. Thanks to the Java/Flashback malware infection fiasco, Apple now also disables the Java web plug-in when it goes unused, if you choose to install Java at all. Add to that Apple's insistence upon all software provided at the Apple Mac App Store using sandboxing, whereby apps have limited API access and capabilities.

What nasties still remain at large, enabling malware rats to infect and PWN Macs?

1) ECMAScript, aka 'JavaScript' (and Microsoft's 'JScript' implementation).
2) Bad PHP web programming.
3) SQL injection holes in web applications that build queries from user input.
4) Inherently poor memory management (buffer overflows...) in the memory-unsafe languages (C, C++, Objective-C) most of our current software is still written in.
5) The LUSER Factor, aka LUSER Syndrome.
6) Human coding errors.
7) Deliberate software backdoors.
8) Government and company mandated user surveillance, frequently aka privacy infringement and spying.
9) The unexpected...

IOW: Don't expect any human written or accessible operating system to be totally, reliably secure. Not gonna happen. Security is going to remain a constant concern to all computer users.


You can read through my previous list of Mac malware, posted 2011-07, HERE:

A quick summary list:

1) Trojan.OSX.MACDefender.A - O [15 strains]
2) Trojan.OSX.BlackHoleRAT.A - C [3 strains]
3) Trojan.OSX.Boonana.A
4) Trojan.OSX.OpinionSpy.A - B [2 strains]
5) Trojan.OSX.iServices.A - C [3 strains]
6) Trojan.OSX.PokerStealer.A
7) Trojan.OSX.RSPlug.A - Q [17 strains]

The total number of Mac malware species was 7.
The total number of Mac malware strains was 42.

Note that some of the malware in this list have aliases, which I have not provided. The names here are considered the 'standard' names despite claims to the contrary from childishly warring anti-malware companies. I also avoid including hacking tools in my list as they require direct access to user accounts in order to be installed and are not offered as Trojan horses.

Arguably, the RSPlug and BlackHoleRAT malware are now inert and need not be listed. The worst of the above malware was the iServices series. Infections occurred via 'spiked' warez versions of Adobe software and Apple iWork software, possibly others. iServices infections lead to a Mac botnet estimated to be over 10,000 Macs in number. iServices used to be the #1 Mac infection in history, previous to the 60x larger Java/Flashback infection this year.

2011-08 -> 2012-08

As I did last year, I'm going to proceed in reverse chronological order. Please note that my list is not definitive. Because of the competition and secrecy of anti-malware companies, I find it very difficult to keep track of all the versions and aliases of Mac malware. 

My list is, however, extensively researched and compared with that of my net friend and colleague Thomas Reed. You can access Thomas' security blog HERE. Thomas' Mac Malware Guide, including his Mac Malware Catalog, is HERE. You'll find that Thomas takes a different approach to Mac malware from me, which is entirely intentional and useful. You'll also find that Thomas provides more complete and up-to-date coverage of ongoing Mac malware infections than I. He's a terrific resource.

Thomas Reed and I are part of a terrific eList group of Mac specialists, writers and coders from around the world who keep track of ongoing Mac malware. We also work to keep the ClamAV project up-to-date with the latest mac malware signatures. I'll be sharing more about our group at another time.

1) Trojan/Backdoor.OSX.NetWeirdRC.A 

Currently: Low Concern.

NetWeirdRC was first described and named by Intego on August 22, 2012. Their original article is available here:

An Analysis of the Cross-Platform Backdoor NetWeirdRC

Another alias being used is simply 'NetWeird'. I always stick with the name provided by the first people to discover new malware.

NetWeirdRC is essentially a malware kit being provided to malware rats for $60 over the Internet. It is designed to infect and bot either Windows or Mac computers. This is not the first time such kits have been created and offered for sale, as we will see ahead. This is, however, the first time such a kit has been offered at such a cheap price. Earlier in the year we learned about an iOS security vulnerability purported to be sold to our surveillance maniacal US federal government for $250,000. (Please note: For all we know, this was just another bogus or propagandist rumor).

At this time, it is not evident that NetWeirdRC is being actively used in-the-wild. However, it is likely to be used in the near future and is therefore of concern. The method of infection could be either a Trojan horse offered to Mac users via social engineering, or simple use as a hacking tool to backdoor a Mac that the attacker already has access to.

Thankfully, this first version of NetWeirdRC is buggy and incomplete. That may be why it is being sold on the cheap. It does not persist: rebooting an infected computer makes it inert. When it is running, it acts as a bot, phoning home for Bot Wrangler instructions. Any 'reverse firewall' software, such as Little Snitch or VirusBarrier X, should catch the phoning home and let you stop it. As a bot, it of course PWNs (owns, or entirely takes over) the infected machine and can theoretically do anything with and to it. At this time, its activities have been restricted to downloading and installing new files (which could include new malware infections), performing remote Bot Wrangler commands, grabbing and sending screenshots, gathering and sending system and installed software information, as well as stealing stored passwords from email programs and web browsers. See the Intego article for further details.

This malware is easy to detect and remove. Most current anti-malware software should be able to stop infection as well as remove it.

2) Trojan.OSX.Crisis.A (aka Morcut, JVDrop, Remote Control System DaVinci)

-->Please continue on to Part II

Tuesday, August 21, 2012

FAST New Adobe Flash & AIR Updates!

Excellent. Adobe has heeded the call and tossed us another set of Adobe Flash Player and AIR updates exactly one week after the previous updates. THANK YOU ADOBE! This is the way to do business.

Why am I all happy inside? Because it is the priority of professional software developers to patch security holes ASAP and immediately get them out to their users. This is how we frustrate malware rats and inspire in them a sense of utter futility and worthlessness. I like that!

The other half of the happiness equation of course is having computer users download and install these ASAP updates ASAP! Thankfully, Adobe has trashed their obnoxious old software update system and streamlined it into something much more user-friendly. So hopefully, lots of Adobe Flash and AIR users are receiving notices or automatic installations of this new update. This is how we fight and stamp out the LUSER Syndrome that enables social engineering malware infections.

And remember: ONLY download software from trusted sites (like VersionTracker/CNET and MacUpDate) or directly from the developer. No mystery site downloading of anything, ever!

The Updates:

I) Adobe Flash Player v11.4.402.265

The security bulletin is available HERE. The update patches CVE-2012-4163, 4164, 4165, 4166, 4167 and 4168. These security holes involve memory corruption flaws, an integer overflow and a cross-domain information leak. IOW: Critical for Macs.

II) Adobe AIR v3.4.0.2540

The security bulletin is the same one listed for Adobe Flash Player, because AIR embeds the Flash runtime and shares its bugs. It is available HERE. If you are an Adobe AIR developer, there is also an SDK security update available HERE. This new version of AIR patches all the same CVE security holes as the new version of Flash Player listed above. If you use Adobe AIR, this update = Critical for Macs.

As usual, don't count on me to keep track of or post about every critical security update from developers, including Adobe. Instead my point is commentary as well as the occasional nag to keep your software up-to-date in order to optimize your computer security. Oh and, always keep your backups, both local and off-site, up-to-date!

Share and Enjoy,

Tuesday, August 14, 2012

Adobe Update Day!
The first on-time
scheduled update day.

For the very first time, Adobe has been able to hold onto its security updates until its scheduled quarterly update day. Imagine that! No zero-day Adobe exploits have shown up in the last few months, allowing Adobe to actually release its intended slew of security updates as intended. They've been attempting this feat for years. Applause please for the incomparable Adobe! ;-)

Here are the updates:

I) Adobe Flash Player v11.3.300.271

The security bulletin is available HERE. The update patches CVE-2012-1535. The in-the-wild attacks use maliciously crafted Word documents that target the ActiveX version of Flash Player for Internet Explorer on Windows. (ActiveX is a wide open door to computer security exploits. Never use it). ActiveX does not exist on the Mac, so Mac users are not exposed to those particular attacks, but the underlying flaw is in Flash Player on all platforms, so install the update anyway. IOW: Non-critical for Macs, but don't skip it.

BTW: August 15, 2012 is The Death Of Flash Day for Android devices. *smirk*

II) Adobe Shockwave Player v11.6.6.636

The security bulletin is available HERE. The update patches CVE-2012-2043, 2044, 2045, 2046 and 2047. All of these security holes involved memory corruption, aka the usual memory management chaos inherent in today's primitive programming languages. IOW: Critical for Macs.

III) Adobe Reader and Adobe Acrobat v10.1.4

The security bulletin is available HERE. The update patches an enormous slew of CVE issues. Here's the list: CVE-2012-1525, 2049, 2050, 2051, 4147, 4148, 4149, 4150, 4151, 4152, 4153, 4154, 4155, 4156, 4157, 4158, 4159, 4160, 4161, 4162. These security holes involve a stack overflow, buffer overflow, a heap overflow and quite a few memory corruption coding problems: aka more of the same memory management chaos inherent in today's primitive programming languages blahblahblah. IOW: CRITICAL for Macs.

Get your updates today! If Adobe manages to keep a cap on new security holes, watch for another set of scheduled updates in November 2012.


Q: Do I believe scheduled security update days are a good idea?

A: HELL NO! They're convenient for the snoozing developer as well as lazy IT employees. The only good schedule is ASAP patching of security holes AS THEY'RE DISCOVERED. The idea is to keep malware rats off-balance and frustrated. Scheduled security updates only enable malware rats to enjoy the rewards of their dirty deeds while their computer victims are forced to sit around and wait for a cure. That's ridiculous. Don't let anyone tell you different! Lazy is lousy. Convenience is chaos. Professionals know better.

-- In Top Form!


A couple months back I wrote:
If I discover SpamCop's automation to again be working perfectly or I hear further details from the folks at SpamCop, I will report here.
Here I am reporting that over the past month I have had nothing but SUCCESS with the GUI at I am so happy the troubled times have ended and that returns as strong and able as ever in the brave effort to wipe out SpamRats.

And as ever, I want to shout out a THANK YOU! to the Marketing Mavens of our business world who know that customers are an essential part of the system, not its victims. In an actual/factual economic system that calls itself 'capitalist', everyone is required to be respected and to offer respect. It is the Marketing Mavens who drive that spirit of respect.

And to the self-destructive, parasitic Marketing Morons with no conscience or respect for anyone: It's an illness folks! GET SOME HELP! And get out of business! Your self-destructive behavior is never welcome in a healthy capitalist system. Those of us who demand healthy capitalism really ARE out to get you. Your paranoia is entirely justified. We want to remove you from our lives. is one of our methods for ridding us of your antisocial personality disorder. Look it up please.

Enough drama for this post! Onward to a happy post about a successful Adobe Update Day.