Wednesday, February 27, 2013

New Adobe Flash Exploits In-The-Wild,
New Critical Adobe Flash Update:
v11.6.602.171

--

Wow. Yet another Adobe Flash update, the third so far this year. Two of the three patched CVE security holes are being actively exploited in-the-wild, making this update CRITICAL.

Where to download the latest version of Flash, in this case v11.6.602.171:

http://get.adobe.com/flashplayer/

Adobe's related security reports:

Today, a Security Bulletin (APSB13-08) has been posted to address security issues in Adobe Flash Player 11.6.602.168 and earlier versions for Windows, Adobe Flash Player 11.6.602.167 and earlier versions for Macintosh, and Adobe Flash Player 11.2.202.270 and earlier versions for Linux.

Adobe is aware of reports that CVE-2013-0643 and CVE-2013-0648 are being exploited in the wild in targeted attacks designed to trick the user into clicking a link which directs to a website serving malicious Flash (SWF) content. The exploit for CVE-2013-0643 and CVE-2013-0648 is designed to target Flash Player in Firefox.

Adobe recommends users apply the updates for their product installations.

Security Bulletin (APSB13-08)
  • Users of Adobe Flash Player 11.6.602.168 and earlier versions for Windows and Adobe Flash Player 11.6.602.167 and earlier versions for Macintosh should update to Adobe Flash Player 11.6.602.171.
  • Users of Adobe Flash Player 11.2.202.270 and earlier versions for Linux should update to Adobe Flash Player 11.2.202.273.
  • Adobe Flash Player installed with Google Chrome will automatically be updated to the latest Google Chrome version, which will include Adobe Flash Player 11.6.602.171 for Windows, Macintosh and Linux.
  • Adobe Flash Player installed with Internet Explorer 10 for Windows 8 will automatically be updated to the latest version of Internet Explorer 10, which will include Adobe Flash Player 11.6.602.171 for Windows.
. . .
This update resolves a permissions issue with the Flash Player Firefox sandbox (CVE-2013-0643).

This update resolves a vulnerability in the ExternalInterface ActionScript feature, which can be exploited to execute malicious code (CVE-2013-0648).

This update resolves a buffer overflow vulnerability in a Flash Player broker service, which can be used to execute malicious code (CVE-2013-0504).

Stop Adobe Flash In Your Web Browser!

Because of drive-by infections via malicious Flash files, I HIGHLY recommend stopping Flash files dead in your web browsers until YOU approve them running. I have updated my list of web browser Flash blocking add-ons/extensions:

Safari: ClickToFlash, Plugin Customs

Firefox: Flashblock, NoScript

Chromium: Flashblock, FlashControl, SafeScript (ScriptNo)

Opera: Use the Preferences:Advanced:Content:"Enable plug-ins only on demand" checkbox. Also sort of useful is NotScripts (Note: NotScripts is kind of a PITA to set up, but works once you have your JavaScript cache set, as prescribed, to 5000K).

:-Derek




--

Wednesday, February 20, 2013

Java Updates!
- From Apple: JRE v6u41 for OS X 10.6.8 - 10.8,
with a Java malware removal tool!
- From Apple: Java Plug-in v6u41 for OS X 10.6 (only).
- From Oracle: Java v7u15

--
Before I begin, let me clear up a major cause of confusion. This will help us understand exactly what's going on with these three different updates, two from Apple and one from Oracle:

Java 101, Short Bus Version:


There are two aspects of Java in OS X:


1) The JRE, Java Runtime Environment. Apple provides this in all versions of OS X and will continue to do so as long as Java survives as a viable programming language. The JRE is used primarily for Java applications. It is NOT the same thing as:


2) The Java web browser plug-in. The plug-in uses its own Java engine, not necessarily any of the JRE Apple provides. There are exceptions and you can ignore them for the sake of simplicity.


~~~


There are two concurrent versions of Java under development:


1) Java 6. The actual version number is Java 1.6. Every time it is updated it is given a 'u' or 'update' number. Today's update is Java 1.6 update 41, aka Java 6u41. Yes, this numbering system is stupid. Blame the now-defunct Sun Microsystems. Oracle merely kept their convention.


2) Java 7. This is a progressed version of Java with added capabilities beyond version 6. Some consider it a 'beta' branch of Java. That is baloney. It is a full-fledged version of Java. But most definitely this branch of Java is experimental. That's different from 'beta'. Yes, that's confusing. And yes, Java 7 really means Java 1.7, it has 'u' or 'update' numbers, yes this numbering system is stupid, blame Sun Microsystems, not Oracle.


~~~~~~~~~~~~~~~~~~


The Three Java Updates:


I) Java for Mac OS X 10.6 Update 13

Apple has released a Java update specifically for OS X 10.6.8. It is available via Software Update. You can read about it and download it here:

http://support.apple.com/kb/DL1573


Its security details are available here:


http://support.apple.com/kb/HT5647


What is provided:


A) Java JRE 6u41, along with other updated files that are part of Apple's system-level JRE for OS X.


B) Java Plug-in 6u41. It is OFF by default in all web browsers that access it. These days, as far as I am aware, no web browsers provide their own version of the Java plug-in. All of them use the version of the plug-in installed into OS X.


C) Apple's Java malware removal tool. This tool is run during the installation process. It provides NO FEEDBACK to the user if it finds and removes any Java malware. Yes, this is stupid. Blame Apple. But at least the removal tool is there, and apparently it works just fine.


What you need to know after the installation:


Quoting from Apple's documentation:

On systems that have not already installed Java for Mac OS X 10.6 update 9 or later, this update will configure web browsers to not automatically run Java applets. Java applets may be re-enabled by clicking the region labeled "Inactive plug-in" on a web page. If no applets have been run for an extended period of time, the Java web plug-in will deactivate. 
IOW: The Java plug-in is OFF by default. It turns itself OFF again automatically after some unspecified period of time. If you want to use it on a web page, look for the 'Inactive plug-in' notice and click it to reactivate the plug-in for that unspecified period of time.

My added advice: It's a great idea to turn the Java plug-in OFF again before leaving every web page due to possible drive-by Java infections from malicious web pages. Leave it OFF until you visit another page where you require it.


~~~


II) Java for OS X 2013-001

Apple has released a Java update specifically for OS X 10.7 and 10.8. It is available via Software Update. You can read about it and download it here:

http://support.apple.com/kb/DL1572



Its security details are available here, maybe:

http://support.apple.com/kb/HT5666


Why 'maybe'? Apple has yanked the security page link off their 'Apple Security Updates' page, which is:


rant
I have no idea why this security page link was yanked by Apple. I am so UNimpressed with Apple's documentation team that I suspect someone accidentally sat on their keyboard, accidentally deleted it and no one noticed. *snark* In any case, the security page is still at Apple's website! I thankfully just happen to have the link, despite Apple's goofiness, and there you go. You're welcome.

If Apple's documentation team has a coherent editor at the helm, I haven't noticed. Yes, I've ranted at Apple about their lousy documentation team extensively. Apple don't reply. Apple apparently don't care. It's been this way for over a year. I could easily do a better job and I have meagre skills at editing. IASSOTS, etc.
 /rant

What is provided:

A) Java JRE 6u41, along with other updated files that are part of Apple's system-level JRE for OS X.

B) REMOVAL of any Java plug-in you have installed. You are left with NONE. You will see an alias in your /Library/Internet Plug-ins/ folder titled "JavaAppletPlugin.plugin" that leads into Apple's JRE installed into OS X. But it is NOT a plug-in. It merely triggers the "Missing plug-in" dialog discussed below. Again: No plug-in. It's gone, gone, gone.

C) Apple's Java malware removal tool. This tool is run during the installation process. It provides NO FEEDBACK to the user if it finds and removes any Java malware. Yes, this is stupid. Blame Apple. But at least the removal tool is there, and apparently it works just fine.

What you need to know after the installation:

Quoting from Apple's documentation:
This update uninstalls the Apple-provided Java applet plug-in from all web browsers. To use applets on a webpage, click on the region labeled "Missing plug-in" to go download the latest version of the Java applet plug-in from Oracle.
The plug-in you would be installing would be Oracle's most recent version of the Java 7 plug-in. Not Java 6! Java 7.

But if you want to install the current version of Oracle's Java plug-in, please read on...


~~~


III) Oracle's Java Plug-In 7u15

Oracle has provided their latest security patched version of the Java plug-in. It should ONLY be installed into OS X 10.7 and 10.8, NOT OS X 10.6. Again: NOT 10.6. OK?

It's the usual cruddy Oracle plug-in and Java System Preferences pane. I'm not going to review the thing here today. Maybe next week.

Remember to jam the security level to VERY HIGH. Then disable it anyway by removing it from your /Library/Internet Plug-ins folder to some other safe place, such as a folder named 'Internet Plug-ins (disabled)'. Do NOT trust the security settings. They were proven to be total garbage last month and probably still are. Do NOT attempt to turn off the plug-in within its preference pane. You're wasting your time. Just remove the thing. THEN restart your web browser.

ALSO, just to be extra careful, turn Java OFF in ALL your various web browsers.

AND, if you have to use Java on a specific website, remember to turn it OFF again BEFORE you leave that website. This is critical and can save your butt. Java is that dangerous.
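The audit-and-park step above, as an added example (not code from the blog, Apple or Oracle): it classifies what sits at /Library/Internet Plug-ins/JavaAppletPlugin.plugin, moves a live plug-in bundle into a sibling 'Internet Plug-ins (disabled)' folder, and leaves Apple's post-2013-001 alias alone. It assumes that alias is a symlink, and `java_plugin_state`, `disable_java_plugin` and the temp-directory `demo` scenario are this example's own.

```python
"""Audit and disable the Java browser plug-in on OS X.

Added example, not code from the blog or from Apple/Oracle. Assumes the
layout the post describes: browsers load /Library/Internet Plug-ins/
JavaAppletPlugin.plugin, and after Java for OS X 2013-001 that path is only
an alias (assumed here to be a symlink) into Apple's system JRE that just
triggers the "Missing plug-in" dialog. A real bundle (Apple 6u41 or Oracle
7u15) is parked in a sibling folder, after which the browser is restarted.
"""
import shutil
import tempfile
from pathlib import Path
from typing import Optional

PLUGIN_NAME = "JavaAppletPlugin.plugin"
DISABLED_DIR_NAME = "Internet Plug-ins (disabled)"
SYSTEM_PLUGINS_DIR = Path("/Library/Internet Plug-ins")


def java_plugin_state(plugins_dir) -> str:
    """Classify what sits at <plugins_dir>/JavaAppletPlugin.plugin.

    'absent' : nothing there, browsers have no Java plug-in to load
    'stub'   : a symlink, the Apple alias that only yields "Missing plug-in"
    'bundle' : a real plug-in bundle directory, i.e. Java is live in browsers
    """
    p = Path(plugins_dir) / PLUGIN_NAME
    if p.is_symlink():          # test the link first; is_dir() would follow it
        return "stub"
    if p.is_dir():
        return "bundle"
    return "absent"


def disable_java_plugin(plugins_dir) -> Optional[Path]:
    """Move a live bundle out of the folder browsers scan into the sibling
    'Internet Plug-ins (disabled)' folder. Returns the new location, or None
    when there is no live bundle to move. Refuses to overwrite a copy that is
    already parked there, so an earlier disabled version is not lost.
    """
    plugins_dir = Path(plugins_dir)
    if java_plugin_state(plugins_dir) != "bundle":
        return None
    src = plugins_dir / PLUGIN_NAME
    dest_dir = plugins_dir.parent / DISABLED_DIR_NAME
    dest_dir.mkdir(exist_ok=True)
    dest = dest_dir / PLUGIN_NAME
    if dest.exists() or dest.is_symlink():
        raise FileExistsError(f"{dest} already holds a parked plug-in; move it first")
    shutil.move(str(src), str(dest))
    return dest


def demo() -> dict:
    """Constructed scenario in a temp directory, never the real /Library:
    a live bundle gets parked, a stub alias is recognised and left alone."""
    root = Path(tempfile.mkdtemp())
    live = root / "Library" / "Internet Plug-ins"
    (live / PLUGIN_NAME / "Contents").mkdir(parents=True)
    (live / PLUGIN_NAME / "Contents" / "Info.plist").write_text("<plist/>")  # constructed
    before = java_plugin_state(live)
    moved = disable_java_plugin(live)
    after = java_plugin_state(live)
    # Apple's post-2013-001 layout: only an alias into the system JRE remains.
    stubbed = root / "Library-after-2013-001" / "Internet Plug-ins"
    stubbed.mkdir(parents=True)
    (stubbed / PLUGIN_NAME).symlink_to(root / "System-JRE-placeholder")  # constructed
    stub_state = java_plugin_state(stubbed)
    stub_moved = disable_java_plugin(stubbed)
    shutil.rmtree(root)
    return {
        "before": before,
        "after": after,
        "parked": moved is not None and moved.parent.name == DISABLED_DIR_NAME,
        "stub_state": stub_state,
        "stub_moved": stub_moved,
    }


if __name__ == "__main__":
    # Report only; run disable_java_plugin(SYSTEM_PLUGINS_DIR) yourself to park it.
    print("real system:", java_plugin_state(SYSTEM_PLUGINS_DIR))
    print("demo:", demo())
```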

~~~

And yes, Apple had some computers at their offices get infected with the recent Java drive-by infection malware. So did some computers at Facebook and Twitter. So did probably LOTS of computers! That's why Apple is providing the Java malware removal tool in their Java installers.

And no, neither Apple, nor Facebook, nor Twitter got 'hacked' or had any data stolen. The infections were limited to just the specific computers that hit the drive-by infections via the web. That is all. No horror story here.

~~~

Recommendation! Watch this week's 'Security Now!' podcast. It has a GREAT interview with one of my security heroes, Brian Krebs. You can find the video and audio versions of the podcast at TWiT.tv or iTunes. The small bandwidth audio and transcript versions of the podcast are at GRC.com. I was listening live today over at TWiT.tv and was extremely impressed. Brian talks at great length about his adventures in the 'underweb' as he calls it, hobnobbing with the malware rats and script kiddies. Lots of scary fun.

~~~

Sorry about no fun graphics today. I'm taking the rest of the week off, no matter what security FAIL hits town. Have fun. Be safe. Grow and become better. Enjoy.

:-Derek
--

Adobe Patches Reader and Acrobat to v11.0.02,
as promised

--
I've already covered the recent Acrobat and Reader exploits after Adobe announced the problems.

Today Adobe posted updates with patches for the exploited security holes. They are available at the usual sources.

Don't use Adobe Reader, Acrobat, Flash, AIR or Shockwave unless you really really have to! All of these Adobe free software systems have been long-term security hole infestations and they show no sign of stopping the steady stream of problems. UNINSTALL THEM and use an alternative OR use something that blocks them until such time as you personally approve them to run on a site-by-site basis. That's an annoying compromise, but it works well.

Now back to my analyzing Apple's Java update, coming later today.

:-Derek (still has a headache).
--

Monday, February 18, 2013

China's Red Hacker Alliance:
Integrated Into China's Military
(and personal philosophical observations)

--
One of the first subjects I started following in my Mac-Security blog, back in 2007, was the incessant cracking and botting of USA government computers by our 'Most Favored Nation' pals in China. It had started back in 1998 with the consolidation of Chinese hackers into the 'Red Hacker Alliance' and has continued ever onward. It wasn't until 2007 that the US government admitted they were being cracked by China, despite nine years of clear evidence of the problem.

Back in 2007 it was clear that the Red Hacker Alliance was financially supported, if not outright directed, by the central Chinese government. After Chinese cracking and botting of government computers had hit the news headlines, the Red Hacker Alliance performed a Duck-And-Cover manoeuvre and disappeared off the Internet. It was assumed that they were simply absorbed into the Chinese government.

Another five years later and at last it is public knowledge that the Red Hacker Alliance was absorbed into the Chinese military. Here's an article published today by the New York Times on the subject, discussing a report that will be formally published Tuesday, 2013-02-18:

Chinese Army Unit Is Seen as Tied to Hacking Against U.S.

About bloody time the USA noticed. If I have managed to give you the impression that the US government is DEADLY SLOW and incoherent regarding Internet security, I have succeeded with my point. I cannot fathom that this slothful response to China is due to 'protecting the public' from such scary information. No, I consider this to be plain old TechTard computer security illiteracy and incompetence.

However, there have been intelligent efforts to deal with the Chinese situation within some parts of the US government. I was able to verify a few years ago that at least part of the US military was well aware of the fact that China is the USA's most dangerous enemy country. Not the excremental fake Muslim lunatic murderers in the Middle East; Not the totalitarian slave hell hole nation of North Korea; Not Russia: Criminal Nation. No, it's China: Criminal Nation.

I've had some of the Red Hacker Alliance kids point out to me that the USA is the biggest espionage country on the planet, that the USA has been spying on China much longer than China has been spying on the USA, and so forth. China is justified to spy back. Certainly, since 2007, we've seen USA (and Israeli) spyware and malware targeted at countries around the world for various purposes. The Stuxnet worm is an example from 2011. We've heard of much more malware espionage since then.

It's SPY vs SPY game playing and it appears to be inevitable.

What's different about China: Criminal Nation, is their vehement hatred and bad attitude toward nearly everything. The Chinese government treats its citizens as meat units, alive only to do the government's bidding. (As opposed to the USA where it is 'supposed' to be the other way around. Except darn, now the USA is nothing more than a Corporate Oligarchy despite a few remaining frills of democracy). The Chinese culture in general despises the USA. For years it was known that exploits of the Red Hacker Alliance were published in Chinese magazines and met with cheers from the admiring Chinese populace. We also know that, as is usual with any 'communist' system, personal incentive is crushed by the Chinese government, driving the citizenry to find their own personal incentives by way of crime. The result has been an accelerating Chinese culture of lies, deceit, robbery, ripoff, fakery, con-jobs, destruction of nearly extinct Earth animals for the sake of temporary profit..., any form of crime imaginable. Sadly, the Chinese bad attitude and criminal behavior also extends into its system of espionage, where the entire point is to own and ruin the rest of the world. I find no evidence to the contrary. China has become the world's troll.

Please don't ever believe I have any less respect for the Chinese people than I do for every other worthwhile, kind and caring human being on our miracle planet. But as a systems analysis specialist, I can point at the current Chinese culture and state 'This Is Diseased' just as easily as I can point at my own USA Corporate Oligarchy 'government' and state 'This Is Diseased'.

Danger: Philosophy Ahead

IMHO we're in the midst of yet-another, nothing new from the pages of human history, espionage war between two factions of stupid psychopaths. And We The People get to watch... and suffer from the irresponsible consequences. :-P

There are ways for decent human beings to work well together and kick the psychopathic behavioral problems OUT of our cultures. How about we expend time, money, effort and lives toward this far superior goal, instead of the self-destructive screwing-over of everything that moves? What is it with our human self-destructive imperative? Do we want to survive as a species? Do we want there to be life on miracle planet Earth? Or not? :-(

I get philosophical like that.
--


Thursday, February 14, 2013

Adobe Reader and Acrobat Exploits:
Security Advisory

--

Over the past few days there have been abstract rumblings about in-the-wild exploits of the current versions of Adobe Reader and Acrobat. At the moment, the full details have not been made public. But Adobe has released a Security Advisory to all Reader and Acrobat users:

Security Advisory for Adobe Reader and Acrobat (APSA13-02)
A Security Advisory (APSA13-02) has been posted in regards to critical vulnerabilities (CVE-2013-0640, CVE-2013-0641) in Adobe Reader and Acrobat XI (11.0.01 and earlier), X (10.1.5 and earlier) and 9.5.3 and earlier for Windows and Macintosh. These vulnerabilities could cause the application to crash and potentially allow an attacker to take control of the affected system.

Adobe is aware of reports that these vulnerabilities are being exploited in the wild in targeted attacks designed to trick Windows users into clicking on a malicious PDF file delivered in an email message.

Adobe is in the process of working on a fix for these issues and will update this advisory when a date for the fix has been determined.

Adobe will continue to provide updates on this issue via the Security Advisory section of the Adobe website as well as the Adobe PSIRT blog.

This posting is provided “AS IS” with no warranties and confers no rights.
Meanwhile! Dan Goodin of Ars Technica posted a related article that includes a workaround for the problem:

Thanks, Adobe. Protection for critical zero-day exploit not on by default
Reader protected view: Like car airbags that work only if owners flip a switch.
According to an advisory Adobe published Wednesday night, the "protected view" feature prevents the current attacks from working—but only if it's manually enabled. To turn it on, access Preferences > Security (Enhanced) and then check the "Files from potentially unsafe locations," or even the "All files" option. Then click OK. There's also a way for administrators to enable protected view on Windows machines across their organization.

The revelation is significant because it means users aren't protected when using the default version of the widely used document reader.
Therefore, if you must use Reader or Acrobat, turn on Security (Enhanced) to turn off the exploited security hole. ("√ Enable Enhanced Security").

Otherwise, please use OTHER apps for creating and reading PDF files in order to stay safe from the continuing Adobe security hell.

Me? I've uninstalled Reader and gave up on Acrobat years ago. I still love PDFs! Just not PDFs made by or read by Adobe stuff.



---




Tuesday, February 12, 2013

Adobe Flash Update 11.6.602.167,
Adobe AIR Update 3.6.0.599,
Adobe Shockwave Update 12.0.0.112,
-->All Critical

--

For the second time in two weeks, Adobe has released a critical update of the Flash Player software, version 11.6.602.167. It patches 17 CVE security flaws. Update NOW.

Adobe also released critical updates of AIR version 3.6.0.599, which addresses the same 17 CVE security flaws as the Flash update, and Shockwave version 12.0.0.112, which patches two CVE security flaws. Update NOW.

Download Links:

http://www.adobe.com/go/getflash

http://get.adobe.com/shockwave/

Adobe's related Security Bulletins:

Flash and AIR:

Shockwave:

Adobe Flash and Adobe AIR CVE Security Patches:

CVE-2013-1372 
CVE-2013-0645 
CVE-2013-1373 
CVE-2013-1369 
CVE-2013-1370 
CVE-2013-1366 
CVE-2013-0649 
CVE-2013-1365 
CVE-2013-1374 
CVE-2013-1368 
CVE-2013-0642 
CVE-2013-0644 
CVE-2013-0647 
CVE-2013-1367 
CVE-2013-0639 
CVE-2013-0638 
CVE-2013-0637
Adobe has released security updates for Adobe Flash Player 11.5.502.149 and earlier versions for Windows and Macintosh, Adobe Flash Player 11.2.202.262 and earlier versions for Linux, Adobe Flash Player 11.1.115.37 and earlier versions for Android 4.x, and Adobe Flash Player 11.1.111.32 and earlier versions for Android 3.x and 2.x. These updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.

This update resolves buffer overflow vulnerabilities that could lead to code execution (CVE-2013-1372, CVE-2013-0645, CVE-2013-1373, CVE-2013-1369, CVE-2013-1370, CVE-2013-1366, CVE-2013-1365, CVE-2013-1368, CVE-2013-0642, CVE-2013-1367).

This update resolves use-after-free vulnerabilities that could lead to code execution (CVE-2013-0649, CVE-2013-1374, CVE-2013-0644).

This update resolves an integer overflow vulnerability that could lead to code execution (CVE-2013-0639).

This update resolves memory corruption vulnerabilities that could lead to code execution (CVE-2013-0638, CVE-2013-0647).

This update resolves a vulnerability that could result in information disclosure (CVE-2013-0637). 

Adobe Shockwave CVE Security Patches:

CVE-2013-0635
CVE-2013-0636
Adobe has released a security update for Adobe Shockwave Player 11.6.8.638 and earlier versions on the Windows and Macintosh operating systems.  This update addresses vulnerabilities that could allow an attacker, who successfully exploits these vulnerabilities, to run malicious code on the affected system.  Adobe recommends users of Adobe Shockwave Player 11.6.8.638 and earlier versions update to Adobe Shockwave Player 12.0.0.112 using the instructions provided in the "Solution" section above.

This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2013-0635).

This update resolves a stack overflow vulnerability that could lead to code execution (CVE-2013-0636).

Friday, February 8, 2013

Meanwhile, In Windows World...

--

Every now and then it's worth a minute's time to reflect upon the relative calm, safety and security of using OS X and other Apple software versus that Microsoft stuff. Yes, Linux is kewl too! You'll never catch me dissing Linux! But you will find me laughing up my sleeve every time I read WINDOWS HORROR STORIES like this:

Every single Internet Explorer at risk of drive-by hacks until Patch Tuesday   
FIFTY-SEVEN gaping holes closed this month
By John Leyden, The Register
In all, the soon-to-be-patched vulnerabilities exist in the Windows operating system, Internet Explorer web browser, Microsoft Server Software, Microsoft Office and the .NET framework.

The Redmond giant normally bundles together fixes for Internet Explorer bugs into a single monthly update, but February's Patch Tuesday release will feature two bulletins both addressing critical IE vulnerabilities. All versions of IE from 6 to 10, including the ARM port running on Windows RT on the Surface tablet, will need patching. . .
If you use Windows, this is well worth a read. Patch Tuesday even includes a patch for a vulnerability all the way back to Windows XP. If the Internet gets particularly bogged down on Tuesday, February 12th, you'll know why. It's Patch Tuesday!

No trolls! Apple is never perfect. They've had their own bad months as well. It's just that Apple does it better than everyone else. Deny that at your peril. (^_^) And may it stay that way forever.

:-Derek



Thursday, February 7, 2013

Adobe Flash Update 11.5.502.149
CRITICAL Security Patches

--

Another month, another Adobe Flash update. This one squashes two CVE security holes, both of which are being exploited in-the-wild. If you're already on the Adobe Flash v11.x track, this update is CRITICAL. As my net pal Al pointed out to me: This is the first-ever zero-day drive-by Flash exploit hitting the OS X platform!

IOW: GET THIS UPDATE NOW!

http://www.adobe.com/support/security/bulletins/apsb13-04.html

http://get.adobe.com/flashplayer/

CVE-2013-0633
Adobe is aware of reports that CVE-2013-0633 is being exploited in the wild in targeted attacks designed to trick the user into opening a Microsoft Word document delivered as an email attachment which contains malicious Flash (SWF) content. The exploit for CVE-2013-0633 targets the ActiveX version of Flash Player on Windows.
CVE-2013-0634
Adobe is also aware of reports that CVE-2013-0634 is being exploited in the wild in attacks delivered via malicious Flash (SWF) content hosted on websites that target Flash Player in Firefox or Safari on the Macintosh platform, as well as attacks designed to trick Windows users into opening a Microsoft Word document delivered as an email attachment which contains malicious Flash (SWF) content.

As usual, if you use Microsoft's ActiveX in your browser on Windows, you're insane. If you work for a business that relies upon ActiveX, they're insane. Get rid of it. It's a wide open gateway for malware. A Microsoft technology! :-P



Meanwhile on Mac: Great! Now we have to worry about malicious .SWF infected websites! Remind you of Java hell much? Sheesh.

MY ADVICE:

Get one of the plentiful add-ons for your web browser that KILL Flash until such time as you approve of it playing.

Safari: Get the ClickToFlash add-on. It's easy to use and offers lots of nifty-kewl other features, such as downloading and white listing. (Its cousin add-on is ClickToPlugin. Sadly, the developer has pointed out that ClickToPlugin is NOT effective at blocking all Java applets. Darn!)

Firefox: Get the Flashblock add-on. It's also easy. It will also block Silverlight if you choose, and it has a white list. Alternatively, go hard core and get the incredible NoScript add-on, which also blocks all Flash until you click to approve. NoScript takes some getting used to, but is terrific software for staying safe on the Internet. (Thank you Giorgio Maone!)

Chromium: (I refuse to use Chrome because I don't trust Google's tracking). Chromium browsers apparently are not affected by the Flash drive-by infection, but just in case: Again get the Flashblock extension. It has the same features as the Firefox version. (There is no NoScript version for Chromium at this time, but there are rumors...).

If there are similar anti-Flash plug-ins for other browsers, please comment!




Monday, February 4, 2013

CVE System Expands,
Adjusting To Increasing Security Flaw Discovery

--
My hero/nemesis

This article caught my eye as it features Dr. Charlie Miller, noted expert on Mac computer security:


Flaw Flood Busts Bug Bank

By Brian Krebs, 2013-02-03
http://krebsonsecurity.com/2013/02/flaw-flood-busts-bug-bank/
...Charlie Miller, a well-known bug finder and big proponent of researchers getting paid for finding flaws, said these numbers also reflect the reality that it is getting harder to find major bugs in big-name products from companies like Apple and Microsoft. Miller said if vulnerability numbers are increasing year over year, it is because more people are looking at more products.

“Vulnerabilities in ‘things we care about,’ by which I mean things that we personally use or will personally have to patch, have either gone down or haven’t gone up much,” Miller said. “The products that have been hammered on for a long time tend to be getting pretty secure. It’s all these new things nobody has ever audited that are accounting for all the new bugs. It’s pretty easy to find vulnerabilities in products that have never undergone security review and I think this is what we are seeing.”

CVE stands for Common Vulnerabilities and Exposures, as used in the term: CVE Index. The home page for the CVE Index is located at the Mitre Corporation website here:


http://cve.mitre.org/cve/


You can also look up CVE reports at the US National Vulnerability Database website (if you can get their clunky page to load!) located here:


http://web.nvd.nist.gov/view/vuln/search


Or, try digging around on their (clunky!) website here:


http://nvd.nist.gov


I often end up finding more thorough information about specific CVE reports at Security Focus and Security Tracker. Thank you to both!


The big change in the CVE Index system is the expansion of their numbering to allow for 999,999 CVE reports per year, improving upon the current system allowing for only 9,999 reports per year.
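The old and expanded identifier syntax, as an added example (not code from the blog or from MITRE; `CveId`, `parse_cve`, `is_valid_cve`, `sort_cves`, `extract_cves` and the sample bulletin text are this example's own): it parses both forms and shows why tooling that sorted CVE IDs as plain strings breaks once a sequence number passes four digits.

```python
"""Parse and order CVE identifiers under the old and expanded CVE syntax.

Added example, not code from the blog or from MITRE. The old syntax
CVE-YYYY-NNNN had exactly four sequence digits; the expansion the post
describes allows more digits so a year is no longer capped at 9,999 entries.
Five-or-more-digit numbers are never zero-padded, so CVE-2013-00645 is
malformed while CVE-2013-10000 is fine.
"""
import re
from typing import Iterable, List, NamedTuple

_OLD = re.compile(r"^CVE-(\d{4})-(\d{4})$")    # pre-expansion: exactly 4 digits
_NEW = re.compile(r"^CVE-(\d{4})-(\d{4,})$")   # expanded: 4 or more digits


class CveId(NamedTuple):
    year: int
    seq: int

    def __str__(self) -> str:
        # :04d keeps the four-digit minimum and leaves longer numbers as-is
        return f"CVE-{self.year}-{self.seq:04d}"


def parse_cve(text: str, allow_expanded: bool = True) -> CveId:
    """Parse one CVE ID into (year, sequence), raising ValueError when it is
    malformed. allow_expanded=False mimics pre-expansion tooling that only
    understood the four-digit form."""
    m = (_NEW if allow_expanded else _OLD).match(text.strip().upper())
    if not m:
        raise ValueError(f"not a valid CVE identifier: {text!r}")
    year, seq = m.group(1), m.group(2)
    if len(seq) > 4 and seq[0] == "0":
        raise ValueError(f"zero-padded sequence number is not allowed: {text!r}")
    return CveId(int(year), int(seq))


def is_valid_cve(text: str, allow_expanded: bool = True) -> bool:
    try:
        parse_cve(text, allow_expanded)
        return True
    except ValueError:
        return False


def sort_cves(ids: Iterable[str]) -> List[str]:
    """Order numerically by (year, sequence). A plain sorted() on the strings
    would place CVE-2013-10000 before CVE-2013-9999."""
    return [str(c) for c in sorted(parse_cve(i) for i in ids)]


def extract_cves(text: str) -> List[str]:
    """Pull every CVE ID out of free text such as a vendor bulletin,
    de-duplicated and in numeric order."""
    found = {m.group(0) for m in re.finditer(r"\bCVE-\d{4}-\d{4,}\b", text)}
    return sort_cves(found)


# Constructed sample: the Flash bulletin wording quoted in the post, plus two
# made-up expanded-format IDs to exercise the variable-width path.
SAMPLE_BULLETIN = (
    "This update resolves use-after-free vulnerabilities that could lead to code "
    "execution (CVE-2013-0649, CVE-2013-1374, CVE-2013-0644). "
    "Constructed future entries: CVE-2013-10000 and CVE-2013-99999."
)

if __name__ == "__main__":
    print(extract_cves(SAMPLE_BULLETIN))
    print("string sort :", sorted(["CVE-2013-10000", "CVE-2013-9999"]))
    print("numeric sort:", sort_cves(["CVE-2013-10000", "CVE-2013-9999"]))
```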


Clearly, searching for software vulnerabilities has become a profitable business for both white and black hat hackers as well as malware rats. The CVE Index is the default system for documenting security holes, essential for serving up hearty helpings of fried malware and malware rats.




--

Saturday, February 2, 2013

Ars Technica's Useful Article:
The Basics On Malware

--

February 1, 2013, Jon Brodkin of Ars Technica posted a useful article about malware, well worth reading. It is entitled:

Viruses, Trojans, and worms, oh my: The basics on malware
Mobile malware may be trendy, but PC malware is still the big problem.

Here are my notes relating to the article:


A) Backups: Note how the #1 Rule of Computing: Make-A-Backup, saves your hide in nearly all cases of malware infection. That's why I also call it The #1 Rule Of Computer Security. I especially enjoy the ability to access a backup in the case of ransomware. Some malware rat is holding your computer hostage! And you don't care! You've got backups.


B) Multi-Malware: Note how viruses (as a form of malware) are essentially defunct in our modern era. They're old sentimental tech. Instead, everything else is being used in a variety of mix-and-match combinations. It is increasingly harder to define malware as just one form or another.


C) Social Engineering: Note how Social Engineering is being tied into just about all malware infection strategies. This is because the single least secure part of ANY system involving humans is: Humans. It's The LUSER Factor upon which the malware rats are depending. You get fooled, the rats PWN you. Therefore, software solutions are no longer enough. These days, training computer users is MORE important. That's one reason I write this blog.


D) ECMAScript: I take exception with the chart that lists "HTML/JavaScript". The conclusions of the chart are correct, except this specific malware vector is mislabeled.
  1. There is no such thing as HTML malware. HTML is entirely benign and hopefully will stay that way. It's the other code embedded inside the HTML that's dangerous, NOT the HTML.
  2. 'JavaScript' is a quaint misnomer these days. It is now adequately referred to only as ECMAScript. Actual JavaScript, that inanely named web scripting language created by Netscape, is only one part of ECMAScript. The two other major components are ActionScript, perpetrated by Macromedia (now Adobe), and JScript, perpetrated by Microsoft. ECMAScript is continuing to expand and include other forms of Internet scripting as well. The term 'JavaScript' isn't disappearing. But keep in mind that it is an outdated and inadequate term that actually refers to ECMAScript.
Therefore, the chart term "HTML/JavaScript" actually refers to ECMAScript.


E) Malware Rats: Replace the phrase "cat-and-mouse game" with "cat-and-rat game". Mice are too cute to refer to malware perpetrators.
;-)


F) FUD Alert! Replace the ignorant phrase "Apple's Mac computers, long seen as safe havens because of their low market share..." with "Apple's Mac computers, long seen as safe havens because of their superior UNIX OS security...". That's the fact of the matter.

Jon Brodkin is sadly only reciting disproven mythological FUD. I have personally disproved 'Security Through Obscurity' FUD, as applied to Macs, on several occasions. You'll find I did so years back on this blog. You won't ever find anyone proving the Mac 'Security Through Obscurity' FUD to have any basis in fact because there aren't any supporting facts. Instead, you will find that all BSD based UNIX OSes are consistently found to be the most secure operating systems available, as determined by both reputation and testing. That includes OS X, which is certified UNIX.

If anyone would like me to rip the ignorant 'Security Through Obscurity' bullshit to shreds again with contemporary data, just let me know. I'll even let you provide the data, as long as it's factual and current. That's a dare. (^_^)


G) Bad Code: My personal phrase about modern software development is: Modern code development is well beyond the comprehension of any one human being. This unfortunate fact is proven every day.

One fun ramification of this problem is that if we ever do create an actual 'Artificial Intelligence' (AI) system, we can be certain that it will be severely deranged. IOW: SkyNet would be buggy-as-hell and extremely self-destructive. Whether SkyNet would be capable of cleaning up its own coding bugs is another matter. ;-)


H) Rootkits: OS X hasn't had any rootkits worth noting. However, there IS anti-rootkit software available for OS X, if you're interested! Rootkits may well be worth our attention in time. Here is where you can read about and download the latest version of RootKit Hunter:

http://rkhunter.sourceforge.net

If rootkits become of concern to Mac users, expect me to provide articles about how to install, use and interpret RootKit Hunter. For now, my writing about rootkits would only add unnecessary concern and confusion.

~~~~~~~~~~~~~

Also of interest:

Andrew Cunningham at Ars Technica has written an earlier companion article, also worth reading. It is entitled:

Keep it secret, keep it safe: A beginner's guide to Web safety
Understanding encryption is key to protecting yourself on the Web.

If readers are interested in me writing about encryption software for Macs, please let me know.

:-Derek



Apple Releases Java 6u39
for OS X 10.6 Snow Leopard

--
Today Apple released their Java update for users of OS X 10.6 Snow Leopard. It is listed as 'Java for Mac OS X 10.6 Update 12'. The version of Java provided is 6u39, AKA Java 1.6 Update 39.

Apple's Java update is available via Software Update from within OS X 10.6.

For the moment, you can also download 10.6 Update 12 at the link below. HOWEVER, please note that ALL the information on the page is WRONG and out-of-date. (0_o) Hopefully this will be corrected by the time you visit the page. For now, only use the page for the download link! Ignore everything else and just click the 'download' button:

http://support.apple.com/kb/DL1573

At this time, there is no security information available about this update at Apple's website. Apple has so far failed to update their 'Apple security updates' page with this update. (0_o) Hopefully they will have caught up with themselves by the time you visit their security page:

http://support.apple.com/kb/HT1222

Thankfully, Apple has emailed the security details about this update, which I have provided below:
APPLE-SA-2013-02-01-1 Java for Mac OS X v10.6 Update 12
Java for Mac OS X v10.6 Update 12 is now available and addresses the following:
Java 
Available for:  Mac OS X v10.6.8, Mac OS X Server v10.6.8
Impact:  Multiple vulnerabilities in Java 1.6.0_37
Description:  Multiple vulnerabilities exist in Java 1.6.0_37, the most serious of which may allow an untrusted Java applet to execute arbitrary code outside the Java sandbox. Visiting a web page containing a maliciously crafted untrusted Java applet may lead to arbitrary code execution with the privileges of the current user. These issues are addressed by updating to Java version 1.6.0_39. Further information is available via the Java website at:
http://www.oracle.com/technetwork/java/javase/releasenotes-136954.html 
CVE-ID 
CVE-2012-3213
CVE-2012-3342
CVE-2013-0351
CVE-2013-0409
CVE-2013-0419
CVE-2013-0423
CVE-2013-0424
CVE-2013-0425
CVE-2013-0426
CVE-2013-0427
CVE-2013-0428
CVE-2013-0429
CVE-2013-0432
CVE-2013-0433
CVE-2013-0434
CVE-2013-0435
CVE-2013-0438
CVE-2013-0440
CVE-2013-0441
CVE-2013-0442
CVE-2013-0443
CVE-2013-0445
CVE-2013-0446
CVE-2013-0450
CVE-2013-1473
CVE-2013-1475
CVE-2013-1476
CVE-2013-1478
CVE-2013-1480
CVE-2013-1481

Java for Mac OS X 10.6 Update 12 may be obtained from the Software Update pane in System Preferences or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/ 
The download file is named: JavaForMacOSX10.6.dmg 
Its SHA-1 digest is: 0c790491ca22ee009086ee1ec1f1b358024dd83e
Information will also be posted to the Apple Security Updates web site:
http://support.apple.com/kb/HT1222 
This message is signed with Apple's Product Security PGP key, and details are available at:
https://www.apple.com/support/security/pgp/

________________________________ 
Security-announce mailing list
(Security-announce@lists.apple.com)
--


Oracle Java 7u13 Released


Oracle has patched a huge slew of security holes in their JRE, releasing Java 7u13 (aka v1.7 Update 13). A total of 50 CVE security holes have been patched.

You can download the latest Oracle release of Java for Mac here:

http://www.java.com/en/download/mac_download.jsp

You can read about the security patches in 7u13 and related information here:

http://www.oracle.com/technetwork/topics/security/javacpufeb2013-1841061.html

Be sure to use Oracle's web page, linked above, for downloading Java. Today I ran into a Mac software download site that was linking to Java 7u11, NOT 7u13, a deadly error. (Ahem CNET!).

The 'user' and 'system' checkboxes inside Oracle's Java 'Control Panel' still don't work! You still can't turn off Java except in your web browsers. This is IDIOTIC. I continue to hate you Oracle, you lazy lousy developers.

If you dare to use Java, at least jam the "Security Level" up to 'Very High' until you're already at a trusted website that requires Java. Lower the security level to whatever works on that page after it is reloaded. Remember to jam the security level back up to 'Very High' again before you leave the page. OR alternatively, turn Java entirely off inside each web browser.

I fully expect Java to demonstrate more dangerous security holes leading to more zero day exploits. The Java sandboxing system is a FAILure, is broken and has NOT been replaced. Java remains the single most DANGEROUS software you can install and run on your Mac if you use the Internet. Please be careful. Please don't be a 'LUSER'.

Java requires two things:

1) A total rewrite of its sandboxing system so that it actually works.

2) The donation of the entire Java project to OPEN SOURCE.

I don't trust Oracle. I suggest you don't trust them either. Open source isn't perfect. But there remain a lot of Java enthusiasts out in the world who would LOVE to rewrite and repair the Java JRE and language into something that once again deserves respect. I don't believe that's ever going to happen in Oracle's hands.

Watch for my upcoming tips on ideal Java 'Control Panel' Advanced settings.