Wednesday, April 24, 2013

Java Suckage Alert:
Update now or get PWNed,
New exploit in-the-wild

-
Dan Goodin at Ars Technica pointed out a new Java exploit in-the-wild. It only hits those users who are not up-to-date with the latest versions of Java from Apple and Oracle. So if you use Java on the Internet and you have installed the latest update, you're fine. (^_^)

If you use Java on the Internet and you have NOT installed the latest versions of Java: UPDATE NOW BUDDY! Or get PWNed. (0_o)

Java users beware: Exploit circulating for just-patched critical flaw
If you haven't installed last week's Java update, now would be a good time.
In the past few days, attack code targeting one of the many remote-code-execution vulnerabilities fixed in Java 7 Update 21 was folded into either the RedKit or CrimeBoss exploit kit. By Sunday, that attack code was being actively unleashed on unsuspecting end users, according to a short blog post published by a researcher from antivirus provider F-Secure.
Apple's current Java 6 updates are here:

http://support.apple.com/downloads/DL1573/en_US/JavaForMacOSX10.6.Update15.dmg

http://support.apple.com/downloads/DL1572/en_US/JavaForOSX2013-003.dmg

Oracle's current Java 7 update is here:

http://www.java.com/en/download/mac_download.jsp


Monday, April 22, 2013

STOP CISPA
TAKE ACTION

-

SANS INSTITUTE
2013-04-20

US House Passes CISPA, But White House Has Said It Will Veto the Bill (April 16 & 18, 2013)
In a 288-127 vote on Thursday, April 18, the US House of Representatives passed the Cyber Intelligence Sharing and Protection Act (CISPA). The bill would allow email and Internet providers to share information with the government. CISPA now goes to the Senate, where its fate is questionable given the White House's position that it will veto CISPA as-is. One of the administration's concerns is that CISPA does not require private entities to strip irrelevant personal data from information shared with government agencies or other private sector entities. Legislators tried, unsuccessfully, to add an amendment to CISPA which would have ensured that companies' terms of use and privacy policies would continue to be valid and enforceable. Critics of CISPA say it "poses a major threat to Fourth Amendment rights."

Administration's Statement on CISPA:

[Editor's Note (Murray): The House followed the money and ignored the popular opposition to this bill.  CISPA offers sweeping immunity to business, far beyond what is necessary to accomplish its objectives.  It invites abuse.]

Electronic Frontier Foundation
2013-04-18

U.S. House of Representatives Shamefully Passes CISPA; Internet Freedom Advocates Prepare for a Battle in the Senate


https://www.eff.org/deeplinks/2013/04/us-house-representatives-shamefully-passes-cispa-internet-freedom-advocates

Today, Internet freedom advocates everywhere turned their eyes to the U.S. House of Representatives as that legislative body considered the Cyber Intelligence Sharing and Protection Act.  
For the second year in a row,  the House voted to approve CISPA, a bill that would allow companies to bypass all existing privacy law to spy on communications and pass sensitive user data to the government.  EFF condemns the vote in the House and vows to continue the fight in the Senate.
"CISPA is a poorly drafted bill that would provide a gaping exception to bedrock privacy law,” EFF Senior Staff Attorney Kurt Opsahl said. “While we all agree that our nation needs to address pressing Internet security issues, this bill sacrifices online privacy while failing to take common-sense steps to improve security."
The legislation passed 288-127, despite a veto threat from Pres. Barack Obama, who expressed serious concerns about the danger CISPA poses to civil liberties.
"This bill undermines the privacy of millions of Internet users,” said Rainey Reitman, EFF Activism Director.  “Hundreds of thousands of Internet users opposed this bill, joining the White House and Internet security experts in voicing concerns about the civil liberties ramifications of CISPA.  We’re committed to taking this fight to the Senate and fighting to ensure no law which would be so detrimental to online privacy is passed on our watch.”
EFF extends its deep gratitude to the many organizations that have worked with us on this campaign and the tens of thousands of EFF members who helped us by contacting Congress to oppose CISPA. We look forward to continuing to fight by your side in defense of civil liberties as CISPA moves to the Senate.

Friday, April 19, 2013

Useful Mac Security Articles, 2013-04-19

--
On the right margin of the Mac-Security blog, I have provided a list of 'Friends of Mac-Security'. They are useful sources of information for all Mac users interested in computer security.

I believe it will also be useful for me to point out specific articles relevant to Mac security. Here are a few articles I consider to be useful for today:

1) Dan Goodin @ Ars Technica:

Yes, “design flaw” in 1Password is a problem, just not for end users
It may very well be time for a new and improved hashing function.

I've recommended using 1Password many times. I've also pointed out the critical importance of using diabolical passwords. The single weakest link in any encryption scheme is the password you use to access it. This is the classic user vs LUSER problem.

Dan's article goes into some depth about how good quality encryption works, and sometimes doesn't work.

2) Articles about Apple's new versions of Safari for OS X 10.6, 10.7 and 10.8:

Apple adds site-by-site Java support to Safari for OS X 10.6
The latest version of Safari gives Snow Leopard users more control over what Java content is displayed.

Topher Kessler discusses the surprising and excellent action by Apple to provide new Java security to OS X 10.6 Snow Leopard users in Safari v5.1.9. Please also note that this same support is provided in Safari v6.0.4 for OS X 10.7 and 10.8.

Apple Safari Now Offers Per-Site Java Enabling

Joshua Long at Intego goes into further detail regarding the Java security added to Safari v5.1.9 and v6.0.4.

3) Thomas Reed discusses the current influx of adware on the Mac platform:

Yontoo: adware or malware?





Thomas' last article provides instructions for removing the ChatZum adware.


~~~~~~~~~~~~~

Note: I have made the choice to not follow or write about adware at this blog. Technically, adware is not dangerous and is only a meagre form of malware. Focusing on serious Mac security concerns takes enough of my time and effort. However, I will be providing useful links to articles about adware, such as those by Thomas Reed.

The circle of Mac security watchers to which I belong, many members of which are on my list of 'Friends of Mac-Security', keeps a close eye on adware. Therefore, my blog will be useful for at least a list of source information about ongoing problems with adware.

The best approach regarding adware is to treat it as Trojan horses, software that is inflicted upon victims by what I call 'marketing morons'. They are disrespectful people who are willing to use any method possible to shove their advertisements in front of our eyes, very much like spam rats. The fact that we users typically respond to this garbage with desires and actions of retribution is apparently beyond their comprehension. I put such people on the level of malware rats, therefore I will be referring to them as 'adware rats'. As with all 'rats', I actively recommend their avoidance and extermination. 

At its worst, adware will drastically slow down a computer. This is typically because the adware is poorly written, hogging both the CPU and the network. I've hunted down and removed adware on Windows computers, finding its removal to be greatly beneficial. Such adware is innocently installed onto computers by less security savvy users who found some software or other to be of interest, worth installing, and the adware tagged along as an entirely unintended infection.

On the Mac, semi-adware has had a spotty history. In my experience, installing the free DivX software has been a glaring example whereby it used to inflict the installment of Google's Chrome web browser without warning. Chrome, of course, is a method Google uses to surveil users across the Internet via Tracking Cookies. Therefore, I have zero interest in Chrome on my Macs. Instead, I use the Chromium browser which does not automatically inflict Google's surveillance upon users as long as they do not log into Google and they ALSO dump all Tracking Cookies, manually or automatically. One cookie control program I recommend is SweetP Productions 'Cookie' application, which works with a variety of web browsers. Alternatively, try using SweetP Production's free 'Safari Cookies' Safari extension. There are other Tracking Cookie control alternatives for most web browsers.

Summary

As usual, be careful to install only software you have verified to be safe. Three safe Mac software sources I enjoy using are VersionTracker, MacUpdate and of course Apple's Mac App Store. 

CNET, who own and run VersionTracker, has been known to inflict adware upon Windows users. However, CNET's adware has not, so far, been inflicted upon Mac users. Let's hope it stays that way, otherwise expect my personal retribution.

:-Derek
--

Wednesday, April 17, 2013

Java Critical Updates:
Apple: Java 10.6 Update 15 (Java 6u45)
Apple: Java 2013-002 (Java 6u45)
Oracle: Java 7u21

--
[Updated 10:30 pm 2013-04-17 to reflect the correct version of Java provided by Apple, 6u45]

There was a scheduled Java update on Tuesday 2013-04-16. Both Apple and Oracle provided updates. Here is the list:

From Apple

1) Java for Mac OS X 10.6 Update 15

Available via Software Update. This updates Mac OS X 10.6 Snow Leopard users to Java version 6 update 45, aka 6u45.

Apple's security content document:

http://support.apple.com/kb/HT5734

2) Java for OS X 2013-002

Available via Software Update. This updates OS X 10.7 Lion and 10.8 Mountain Lion users to Java version 6 update 45, aka 6u45.

Apple's security content document:

http://support.apple.com/kb/HT5734


From Oracle

Java 7 update 21, aka 7u21

Available directly from Oracle via the link above. 


Oracle Java SE Critical Patch Update Advisory - April 2013:

http://www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html


PROBLEM WITH APPLE'S 2013-002 UPDATE

Apparently, it is NOT up-to-date!

Apple states that it is providing Java 6 update 45. However, their documentation is not listing the patching of all the known CVE security holes Oracle lists for Java 6 update 43 and below. I have documented the difference ahead.

[Note that earlier in the day it was not clear that Apple had updated beyond Java 6 update 43. Now apparently their documentation is making it clear that Java 6 update 45 is indeed what is provided. Apologies if I added to the confusion!]

Therefore, if you have OS X 10.7.3 or higher on your Mac, and you use Java while browsing the Internet, I STRONGLY suggest installing Oracle's Java 7 update 21 (7u21) on top of Apple's update.


Current Java CVE Issues

Oracle's Java 7u21 patches 42 CVE security holes. Apple's Java 6u45 patches 21 CVE security holes.

You can access Oracle's Java SE Risk Matrix here:

http://www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html#AppendixJAVA

I'm going to restate Oracle's list of CVEs below in order to point out what has been patched and what remains unpatched in each of the updates from Oracle and Apple. Those that are in bold have been patched by both Oracle's 7u21 update and Apple's 6u45 update. Those in plain text have only been patched in Oracle's 7u21 update. At the end of the list is one CVE in italics that was patched by Apple's 6u45 update but is not listed in Oracle's 7u21 update and remains listed but 'unspecified' in the CVE databases. Those listed in red affect Java 7 only, not Java 6.

CVE-2013-2383
CVE-2013-2384
CVE-2013-1569
CVE-2013-2434
CVE-2013-2432
CVE-2013-2420
CVE-2013-1491
CVE-2013-1558
CVE-2013-2440
CVE-2013-2435
CVE-2013-2431
CVE-2013-2425
CVE-2013-1518
CVE-2013-2414
CVE-2013-2428
CVE-2013-2427
CVE-2013-2422
CVE-2013-1537
CVE-2013-1557
CVE-2013-2421
CVE-2013-0402
CVE-2013-2426
CVE-2013-2436
CVE-2013-1488
CVE-2013-2394
CVE-2013-2430
CVE-2013-2429
CVE-2013-1563
CVE-2013-2439
CVE-2013-0401
CVE-2013-2419
CVE-2013-2424
CVE-2013-1561
CVE-2013-1564
CVE-2013-2438
CVE-2013-2417
CVE-2013-2418
CVE-2013-2416
CVE-2013-2433
CVE-2013-1540
CVE-2013-2423
CVE-2013-2415

Apple Only:
CVE-2013-2437


Summary: If I can believe both Apple and Oracle's lists of patched CVEs, this means that the following CVE security holes REMAIN in Apple's Java 6u45 update:

CVE-2013-1518 - Unspecified details.

CVE-2013-2439 - Unspecified details.

CVE-2013-0401 - Oracle Java 7 Update 17, and possibly other versions, allows remote attackers to execute arbitrary code via unspecified vectors, as demonstrated by Ben Murphy during a Pwn2Own competition at CanSecWest 2013.

CVE-2013-2418 - Unspecified details.

Again note: Documentation confusion indicates these four CVEs were not patched by Apple's Java 6u45 update. Ideally, I'd like to verify that this is the fact in the near future. I'm hoping this discrepancy in documentation is straightened out.
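The cross-check above (take Oracle's CVE list, subtract the entries that affect Java 7 only, and see which of the rest Apple's security document does not list) is easy to get wrong by hand across 42 identifiers, so here is the same comparison as a small script. This is an added example written for this post, not Apple's or Oracle's tooling. The advisory excerpts it parses are constructed: the CVE identifiers come from the list above, but which of them land in the "patched by both" and "Java 7 only" buckets in the sample data is an illustrative assignment, not a claim about HT5734; only CVE-2013-2437 as Apple-only and the four CVEs the post names as remaining are taken from the post itself.

```python
import re

# CVE identifiers as they appear in advisory text (case-insensitive so that
# "cve-2013-0401" in a pasted document still matches).
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}", re.IGNORECASE)


def extract_cves(text):
    """Return the set of CVE ids mentioned anywhere in free-form advisory text."""
    return {m.group(0).upper() for m in CVE_RE.finditer(text)}


def cross_check(oracle_text, apple_text, java7_only):
    """Compare two vendors' patched-CVE lists.

    oracle_text : text of Oracle's risk matrix / CPU advisory
    apple_text  : text of Apple's security-content document
    java7_only  : CVE ids in Oracle's list that do not affect Java 6 at all

    Returns sorted lists so the result is stable and easy to diff over time.
    """
    oracle = extract_cves(oracle_text)
    apple = extract_cves(apple_text)
    java7_only = {c.upper() for c in java7_only}

    # Only the Oracle entries that apply to Java 6 can be "missing" from a Java 6 update.
    applicable_to_java6 = oracle - java7_only
    return {
        "patched_by_both": sorted(oracle & apple),
        "remaining_in_java6": sorted(applicable_to_java6 - apple),
        "java7_only": sorted(oracle & java7_only),
        "apple_only": sorted(apple - oracle),
    }


def report(result):
    """Render the comparison as text lines (used by the stand-alone run below)."""
    lines = []
    for bucket, cves in result.items():
        lines.append(f"{bucket} ({len(cves)}):")
        lines.extend(f"  {c}" for c in cves) if cves else lines.append("  (none)")
    return lines


# --- Constructed sample input (assumption: bucket assignment is illustrative) ---
ORACLE_EXCERPT = """
Oracle Java SE Critical Patch Update, April 2013 (constructed excerpt)
CVE-2013-2383 CVE-2013-2384 CVE-2013-1569 CVE-2013-2434
CVE-2013-1518 CVE-2013-2439 CVE-2013-0401 CVE-2013-2418
"""

APPLE_EXCERPT = """
Apple security content (constructed excerpt; note the lower-case ids)
Fixed: cve-2013-2383, cve-2013-2384, cve-2013-2437
"""

# Constructed: pretend these two entries were the "red" Java-7-only ones.
JAVA7_ONLY = {"CVE-2013-1569", "CVE-2013-2434"}


if __name__ == "__main__":
    for line in report(cross_check(ORACLE_EXCERPT, APPLE_EXCERPT, JAVA7_ONLY)):
        print(line)
```

Run it against the real advisory text by pasting Oracle's Appendix JAVA table and Apple's HT5734 page into the two strings; the "remaining_in_java6" bucket is the list to worry about, and "apple_only" flags identifiers that one vendor documents and the other does not, which is exactly the documentation discrepancy the post complains about.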


CONCLUSION:

If you want to surf the net with Java running, and you're using OS X 10.7.3 or higher, please install Apple's Java 6u45 update FIRST, then install Oracle's Java 7u21 update.

We know full well that there are still unpatched security holes in Java 7u21. Therefore, it is CRITICAL to 'Just Turn Java Off' until you have loaded a trusted web page. Then turn Java ON and reload that page. Before you leave that page, 'Just Turn Java Off' again. I've covered how to turn Java on and off in previous posts.


STUPID NEWS:

Oracle has REMOVED the checkboxes for turning Java On and Off as of Java 7u21. Therefore, I can't rant about their dysfunctionality any longer: Oracle gave up trying to get their checkboxes to work, and apparently Oracle no longer even pretends there is a way to turn Java off inside its own control panel. Stupid deluxe. I have to wonder if Oracle itself understands Java well enough to get dead simple checkboxes to work.

I find this to be incredibly shameful.

Oracle: I HATE YOU.

And Apple: Either your documentation of patched CVEs is incomplete, or Oracle has provided an erroneous list of current CVEs! Either way, I'd feel more secure knowing the four 'unpatched' CVEs I list above actually had been patched by 6u45, or that they were actually inapplicable to 6u45. I'm left confused as to the full state of affairs. No wonder newbies and regular users find these updates confusing.


--

Wednesday, April 10, 2013

Adobe Patch Tuesday!
Shockwave Player,
Flash / AIR
and ColdFusion

--
Adobe pumped out a bunch of security patches on Tuesday, 2013-04-09. Here's the list:

1) Shockwave Player 12.0.2.122

Where to download:

http://get.adobe.com/shockwave/

Adobe Security Bulletin:

http://www.adobe.com/support/security/bulletins/apsb13-12.html

CVE Security Holes Patched:

CVE-2013-1383 - "a buffer overflow vulnerability that could lead to code execution"

CVE-2013-1384, CVE-2013-1386 - "memory corruption vulnerabilities that could lead to code execution"

CVE-2013-1385 - "a memory leakage vulnerability that could be exploited to reduce the effectiveness of address space randomization"

2) Flash Player 11.7.700.169

Where to download:
http://get.adobe.com/flashplayer/

Adobe Security Bulletin:

http://www.adobe.com/support/security/bulletins/apsb13-11.html

CVE Security Holes Patched:

CVE-2013-2555 - "an integer overflow vulnerability that could lead to code execution"

CVE-2013-1378, CVE-2013-1380 - "memory corruption vulnerabilities that could lead to code execution"

CVE-2013-1379 - "a memory corruption vulnerability caused by Flash Player improperly initializing certain pointer arrays, which could lead to code execution"

3) AIR 3.7.0.1530

Where to download:


Adobe Security Bulletin:

http://www.adobe.com/support/security/bulletins/apsb13-11.html


CVE Security Holes Patched (same as Flash Player above):

CVE-2013-2555 - "an integer overflow vulnerability that could lead to code execution"

CVE-2013-1378, CVE-2013-1380 - "memory corruption vulnerabilities that could lead to code execution"

CVE-2013-1379 - "a memory corruption vulnerability caused by Flash Player improperly initializing certain pointer arrays, which could lead to code execution"

4) ColdFusion Security Hotfix APSB13-10

Download and Installation Instructions:

http://helpx.adobe.com/coldfusion/kb/coldfusion-security-hotfix-apsb13-10.html

Adobe Security Bulletin:
http://www.adobe.com/support/security/bulletins/apsb13-10.html

CVE Security Holes Patched:

CVE-2013-1387 - "a vulnerability that could be exploited to impersonate an authenticated user"

CVE-2013-1388 - "a vulnerability that could be exploited by an unauthorized user to gain access to the ColdFusion administrator console"

Summary: 

Shockwave, Flash and AIR security holes are all related to bad memory management, the usual plague of modern coding.

ColdFusion has two authentication security holes.

Coming Up:

Oracle is scheduled to post a new version of the Java 7 browser plugin on Tuesday, 2013-04-16. Rumor has it that Oracle is holding onto over 50 known security holes in Java 7. Let's see how many they bother to patch this time. I'm not optimistic. :-P