Tuesday, February 25, 2014

Apple's SSL Certificate Verification Bypass Flaw,
Part II

--
…And… The Fix Is Out!

Apple has provided four security updates today, one of which is the OS X 10.9.2 update. I'll skip Security Update 2014-001, the Safari 6.1.2 update and the Safari 7.0.3 update for the moment, as they are not directly applicable to the SSL security flaw.

What have we here, among the several security updates in 10.9.2?
Data Security

Available for:  OS X Mavericks 10.9 and 10.9.1

Impact:  An attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS

Description:  Secure Transport failed to validate the authenticity of the connection. This issue was addressed by restoring missing validation steps.

CVE-ID
CVE-2014-1266
√ That's the fix for the SSL flaw, aka CVE-2014-1266.

I'm glad that's over!

Update ASAP please! I'm off to do it myself right now.

I'll chatter about the other security updates, as well as the other security fixes in 10.9.2, a bit later.


--

Monday, February 24, 2014

Apple's SSL Certificate Verification Bypass Flaw,
Part I

--

[Addendum and additional information added 2014-02-25 ~11:00 AM]

At the moment, there is a lot of swirling information about a security vulnerability in Apple software that allows hackers to surveil users on the Internet, among other things. It is a form of 'Man In The Middle' hack: it bypasses SSL certificate verification, allowing a hacker to insert themselves into what looks like a valid SSL connection between the user and the user's intended Internet destination. There is a lot of misinformation and outright nonsense out on the Internet, making this a very muddy topic. I'm waiting for a shoe or two to drop regarding this situation before commenting about it further.

Therefore, I'll be writing up a Part II regarding the problem as the mud settles.


In the meantime, Apple has provided three fixes so far for this problem. Each of the updates in the list is linked to its Apple security note:


1) iOS 7.0.6 Update.

2) iOS 6.1.6 Update.

3) Apple TV 6.0.2 Update.


Common to all three updates is the following:

Impact: An attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS

Description: Secure Transport failed to validate the authenticity of the connection. This issue was addressed by restoring missing validation steps.


CVE-ID
CVE-2014-1266

To reiterate, that's three updates. For reasons I cannot comprehend, only one or two of these updates are being reported in the news, which is part of the reason I don't trust many reports regarding this situation. I have an extremely low opinion of technology journalism these days. Quite a lot of it is outright abysmal.

There are a couple of purported tests available for OS X Safari to verify whether it also has this SSL security flaw. The ImperialViolet website, linked below, provides one of them. From reports, as well as my personal experience, Safari 6.x does NOT have the SSL flaw. However, Safari 7 DOES have the SSL flaw. Note that Safari 7 is exclusive to OS X 10.9 Mavericks. Apple has acknowledged that the problem exists. There is a report that an Apple internally distributed beta of the fix is being tested. I'm expecting a public beta this week, if not the entire fix. We shall see.


* [New information: The flaw is in OS X 10.9 itself, not any particular application. Any applications that access Apple's system level Security.Framework are potentially all affected. For more information, see the Addendum below.]

There has already been some chatter about this SSL flaw being a method of NSA surveillance of Apple users. I currently believe that is not the case, specifically because the flaw is so recent. It is not found in versions of Safari on iOS, OS X, or the equivalent software on Apple TV that are more than a year old, to use a simple round number. Therefore, I've set my paranoia switch to 'simmer' regarding this hypothesis.


Two further things:

- Please do NOT confuse this situation with the simple use of unsecured Wi-Fi hotspots whereby anyone's granny can sniff your Internet connection via Wireshark, or other hacker tools. It is NOT the same thing. This SSL flaw requires a lot more sophistication and can take place even on secured Wi-Fi hotspot connections or other SSL connections, including at home.

- Using a 'reverse firewall', such as Little Snitch or Intego's NetBarrier, will catch any bogus port call-outs from Safari that are common with this SSL flaw. Just remember not to approve them when they pop up. This can help prevent an SSL hacker from exploiting your machine.

When Apple's SSL fix for OS X is released, I'll be writing more about the subject.


Meanwhile:

Here are some reading links to assist in understanding the background of the problem:

https://en.wikipedia.org/wiki/Secure_Sockets_Layer
https://en.wikipedia.org/wiki/Ssl_certificate
https://www.imperialviolet.org/2014/02/22/applebug.html
http://www.macworld.com/article/2099987/what-you-need-to-know-about-apples-ssl-bug.html



L8R!


:-Derek

--
ADDENDUM

Introduction

I have several net friends who are involved with Mac security, all of whom circle around the ClamXav project by Mark Allan. I want to thank Mark for starting our group. Today I have to particularly thank member Al Varnell for helping me out with details regarding the Apple SSL flaw. Al is an incredible behind-the-scenes asset to the Mac community.

What's New

Those who have read through the most recent rendition of MacWorld's article about the Apple SSL flaw have learned about some interesting new details. I'm simply going to list them here in the addendum to this article:

1) The Apple SSL Flaw is part of the operating systems themselves. Specific applications are affected because they access Apple's security framework. The flawed file is present in unpatched recent versions of iOS 6, iOS 7, Apple TV OS and OS X 10.9. The first three OS versions have been patched. We're still waiting for the OS X 10.9 patch.

In OS X 10.9, here is the path for the specific problem file:

/System/Library/Frameworks/Security.framework/Versions/A/Security

The bad code is located in the Secure Transport section of the Security file.

2) Because the flaw affects this Apple framework, any application using the framework is potentially vulnerable. Security expert Ashkan Soltani determined that all of the following OS X 10.9 applications are potentially affected:

Safari
Calendar
FaceTime
Keynote
Mail
Twitter
iBooks
Software Update
ApplePushService

Apparently, Safari is affected because of its use of WebKit, which also uses this framework. Therefore, any OS X application using WebKit is also potentially affected by the flaw. Note that the flaw is NOT in WebKit itself, at least according to current information. Again, this is an Apple OS flaw only.

Here is a list of applications that use WebKit, all of which are potentially affected by the flaw:


Please do not go into panic mode regarding all of the affected applications. There have been only a few reports of the flaw being exploited in the wild. If you're worried, while we wait for the OS X 10.9 fix, simply use non-WebKit applications, such as Firefox and recent versions of Chromium or Opera. (iCab currently uses WebKit).
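To make the "missing validation steps" in Secure Transport concrete, here is an added C illustration of my own (constructed code, not Apple's Security.framework source) of the publicly disclosed shape of CVE-2014-1266: a duplicated, unconditional `goto fail;` that jumps to the error label before the signature check runs, so the function reports success whatever signature the server sent. The hash and signature routines, the error codes and the function names are stand-ins invented for the example.

```c
#include <stdio.h>
#include <string.h>

/* Return convention modelled on OSStatus: 0 = success, nonzero = error.
 * Names and values are constructed for this illustration. */
#define ERR_OK             0
#define ERR_BAD_TRANSCRIPT -1
#define ERR_BAD_SIGNATURE  -2

/* Stand-in for hashing the handshake transcript. */
static int hash_update(const char *transcript) {
    return transcript != NULL ? ERR_OK : ERR_BAD_TRANSCRIPT;
}

/* Stand-in for checking the server's signature over that hash.
 * In this toy the only "valid" signature is the literal string "VALID". */
static int verify_signature(const char *sig) {
    return (sig != NULL && strcmp(sig, "VALID") == 0) ? ERR_OK : ERR_BAD_SIGNATURE;
}

/* Vulnerable shape: the second "goto fail" is not under the if, so it is
 * always executed. It jumps to the cleanup label while err is still 0,
 * and verify_signature() is never reached: any signature is "accepted". */
int verify_server_key_exchange_vulnerable(const char *transcript, const char *sig) {
    int err = ERR_OK;
    if ((err = hash_update(transcript)) != ERR_OK)
        goto fail;
        goto fail;   /* duplicated line: unconditional, skips the check below */
    if ((err = verify_signature(sig)) != ERR_OK)
        goto fail;
fail:
    return err;      /* ERR_OK even for a bogus signature */
}

/* Fixed shape: the stray jump is gone, so the signature check runs. */
int verify_server_key_exchange_fixed(const char *transcript, const char *sig) {
    int err = ERR_OK;
    if ((err = hash_update(transcript)) != ERR_OK)
        goto fail;
    if ((err = verify_signature(sig)) != ERR_OK)
        goto fail;
fail:
    return err;
}

int main(void) {
    printf("vulnerable, bogus signature: %d\n",
           verify_server_key_exchange_vulnerable("transcript", "BOGUS"));
    printf("fixed, bogus signature:      %d\n",
           verify_server_key_exchange_fixed("transcript", "BOGUS"));
    printf("fixed, valid signature:      %d\n",
           verify_server_key_exchange_fixed("transcript", "VALID"));
    return 0;
}
```

Modern compilers flag the misleading indentation, and a coverage run shows the signature check as dead code; both are cheap ways to catch this class of defect before it ships.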
--

Saturday, February 22, 2014

Broken Blogspot Comment System

--

A friend has pointed out to me that comments here at Blogger/Blogspot are not working reliably.

Therefore, apologies to anyone who has been attempting to respond to my posts.

I'm not seeing the comment post requests at my end. I'm not willing to open up comments without approval because I absolutely despise spam, which is the inevitable result of open comment posting. Additionally, I don't like cleaning up other people's messes, especially spam.

Getting Google to pay attention to problems is difficult. My experience is that they'd rather insult you than fix their blunders. It's called 'bad attitude'. But I'll have a go at reporting the problem to them, wearing my garlic garland, silver cross and all.

Again: Apologies.

:-Derek


--

Thursday, February 20, 2014

A Second February Adobe Flash Critical Update:
Another Exploit Is In The Wild.
Update to v12.0.0.70 ASAP

--

For the second time this month, Adobe has provided an out-of-band (unscheduled) critical update of Adobe Flash Player software. The new version is 12.0.0.70. Please update NOW:

http://get.adobe.com/flashplayer/

Adobe AIR is not affected, except for the AIR SDK and Compiler, for which there is also a critical update:

http://www.adobe.com/devnet/air/air-sdk-download.html

Adobe's Flash & AIR security bulletin can be found here:

http://helpx.adobe.com/security/products/flash-player/apsb14-07.html
Adobe is aware of reports that an exploit for CVE-2014-0502 exists in the wild, and recommends users update their product installations to the latest versions.
. . .
These updates resolve a stack overflow vulnerability that could result in arbitrary code execution (CVE-2014-0498).

These updates resolve a memory leak vulnerability that could be used to defeat memory address layout randomization (CVE-2014-0499).

These updates resolve a double free vulnerability that could result in arbitrary code execution (CVE-2014-0502).
As usual: 
Be certain to use a Flash blocking extension in ALL your web browsers. Thankfully, Apple's latest versions of Safari automatically block Flash until user approval. Safari 7, exclusive to OS X 10.9 Mavericks, provides Flash sandboxing. iCab also automatically blocks Flash until approval. Adobe Flash is second only to Oracle Java as the most dangerous software to run on the Internet in OS X. Please take these dangers seriously.

Be safe, share and enjoy!

:-Derek
--

Monday, February 10, 2014

New Trojan.OSX.CoinThief.A;
New Anti-Malware Effectiveness Test Results

--


Thomas Reed has tested and described a new Mac Trojan horse named Trojan.OSX.CoinThief.A. You can read his analysis here:

New CoinThief malware

CoinThief.A was first reported by SecureMac here:

New Apple Mac Trojan Called OSX/CoinThief Discovered
+ + +

The Safe Mac's Anti-Malware Tests

Also of interest at Thomas's 'The Safe Mac' site is his recent article:

Mac anti-virus testing 2014

Thomas tested 20 anti-malware programs, from free to paid, against 188 Mac malware samples and compared the results. If you're looking for the best options in Mac anti-malware, his article is an excellent place to start.

I was pleased to see that Intego's Virus Barrier topped this list. It remains my favorite of the paid anti-malware applications for both usability and the dedication of their staff to Mac security. But I must point out that Sophos' free single-user anti-malware application did very well. Sophos also remains dedicated to Mac security.

I continue to be disappointed that the ClamAV project doesn't take Mac security entirely seriously. Everyone involved with ClamXav has done and still does their utmost to get every possible Mac malware signature into ClamAV, several times over. That includes Mark Allan and friends, such as Thomas Reed and myself. *sigh*


--

Security Spread's Anti-Malware Tests:

For further details, here is a whopping huge chart of various anti-malware applications versus specific malware samples, both inert and active:

http://securityspread.com/detection-rate-results/


If you're going to pore over their most recent testing chart, I suggest downloading its PDF first, as it can be very annoying to read via web browsers.

I find some of the samples in Security Spread's testing to be unusual if not silly. For example, the 'Opener' script was never anything but a concept. It never qualified as actual malware. The list also offers no malware strain delineation. Then there's the inexplicable inclusion of anti-malware application MacKeeper, which I would never recommend as an option due to their predatory, deceitful marketing strategies as well as consistent reports of it being more deleterious than helpful to Mac usability. As usual, it pays to shop around and compare malware lists, test results and the reputations of the folks doing the testing.

Anyway, it's good to see Intego's Virus Barrier again was at the top of the list in Security Spread's testing.


--

Malware Lists:

Of slight interest, here is Security Spread's rendition of the history of Mac malware:

http://securityspread.com/history-of-mac-malware/

This list is by no means complete! The list of Mac OS (pre-Mac OS X) malware is worthless. Nearly 50 malware are missing. (o_0) Many of the listed OS X era malware were mere proof-of-concept malware, never found in the wild. Again, no listing of malware strains is provided. Their naming protocol for malware is incomplete and provides no transmission vector indication. And so forth. But it's a list of sorts and is therefore sort of useful.

Thomas Reed provides his own list of OS X malware at his 'The Safe Mac' website:

http://www.thesafemac.com/mmg-catalog/

I keep my own personal list of OS X malware, but it too is not perfect. I keep it in order to have a historical count of Mac malware as well as to provide a file system where I can store related malware articles as I find them. However, I've discovered that posting such a list is beyond the intentional scope of this blog, so I no longer bother to collate it for public viewing. Instead, Thomas Reed and I share notes and I leave the public list maintenance to him. (Thank you Thomas!)

Another drawback about such lists is that, with time, malware becomes inert on various versions of OS X. For example, anyone with OS X 10.6.8 and above has Apple's XProtect system installed as part of the system. XProtect has made a vast variety of OS X malware inert. This means that for those versions of OS X, there's very little active malware in the wild. The only reason I posted this article about CoinThief.A is that XProtect has not yet (as of this moment anyway) been updated to identify it on Mac systems. CoinThief.A and the newly discovered Crisis.C would literally be the only two OS X malware on any up-to-date active Mac malware list at this moment. Therefore, I prefer simple blog posting alerts about new malware.

Bored yet? I find this stuff interesting. Be glad I don't dump the gory details on you. Some of that stuff puts me to sleep. Happy dreams ~ ~ ~

:-Derek
--


[Credits: The creepy hand used in the Bitcoin graphic I concocted is by ze ice. The original can be found here:

Tuesday, February 4, 2014

Adobe Flash Critical Out-Of-Band Update;
A Zero-Day Exploit Is In The Wild.
Apple responds…

--

[Apple's response added in the Addendum below! 2014-02-05 1:10 AM]

Today, Adobe has pushed out a critical out-of-band (earlier than scheduled) update to Flash Player. (Apparently, Adobe AIR is not affected). The update is Adobe Flash Player v12.0.0.44. If you are using Flash Player, please grab the update now:

http://get.adobe.com/flashplayer/

Adobe's security bulletin is here:

http://helpx.adobe.com/security/products/flash-player/apsb14-04.html
Adobe has released security updates for Adobe Flash Player 12.0.0.43 and earlier versions for Windows and Macintosh and Adobe Flash Player 11.2.202.335 and earlier versions for Linux. These updates address a critical vulnerability that could potentially allow an attacker to remotely take control of the affected system.

Adobe is aware of reports that an exploit for this vulnerability exists in the wild, and recommends users update their product installations to the latest versions.
. . .
These updates resolve an integer underflow vulnerability that could be exploited to execute arbitrary code on the affected system (CVE-2014-0497).
Assuming the word 'underflow' is not a typo, this is new to me. Here is one explanation of a data 'underflow' vulnerability versus an overflow:

https://www.owasp.org/index.php/OWASP_Periodic_Table_of_Vulnerabilities_-_Integer_Overflow/Underflow

I dug around for further explanation of CVE-2014-0497, but nothing more is available at this time, which is common with zero-day exploits.
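As a general illustration of the underflow class (not the specifics of CVE-2014-0497, which were unpublished at the time), here is an added C example of my own: a bounds check that wraps when an untrusted offset exceeds the buffer size, beside the corrected check. The record format and the sample records are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed record format for this illustration:
 *   byte 0: offset of a field, measured from the start of the record
 *   byte 1: length of that field
 *   bytes 2..: record body
 * Each parser returns the field's start offset if it accepts the record,
 * or -1 if it rejects it. */

/* Vulnerable bounds check. size_t is unsigned, so when offset > buf_len
 * the subtraction wraps around to a huge value (the "underflow"), the
 * comparison against need passes, and a copy from buf + offset would
 * read far past the end of the buffer. */
long parse_vulnerable(const uint8_t *buf, size_t buf_len) {
    if (buf_len < 2)
        return -1;
    size_t offset = buf[0];
    size_t need = buf[1];
    size_t avail = buf_len - offset;            /* wraps if offset > buf_len */
    if (avail < need)
        return -1;
    return (long)offset;                        /* caller would copy need bytes from here */
}

/* Fixed: check the ordering before subtracting so the wrap cannot happen. */
long parse_fixed(const uint8_t *buf, size_t buf_len) {
    if (buf_len < 2)
        return -1;
    size_t offset = buf[0];
    size_t need = buf[1];
    if (offset > buf_len || buf_len - offset < need)
        return -1;
    return (long)offset;
}

/* Constructed 8-byte records: one well-formed, one with an offset far
 * beyond the record's own length. */
static const uint8_t good_record[8] = { 2, 4, 'a', 'b', 'c', 'd', 'e', 'f' };
static const uint8_t bad_record[8]  = { 200, 4, 'a', 'b', 'c', 'd', 'e', 'f' };

int main(void) {
    printf("good: vulnerable=%ld fixed=%ld\n",
           parse_vulnerable(good_record, sizeof good_record),
           parse_fixed(good_record, sizeof good_record));
    printf("bad:  vulnerable=%ld fixed=%ld\n",
           parse_vulnerable(bad_record, sizeof bad_record),
           parse_fixed(bad_record, sizeof bad_record));
    return 0;
}
```

The vulnerable parser accepts the bad record at offset 200 of an 8-byte buffer, which is exactly the kind of out-of-bounds access an attacker-controlled length field can turn into memory corruption.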

Here are a couple articles covering this Flash Player update:

Adobe Pushes Fix for Flash Zero-Day Attack

Adobe releases unscheduled Flash update to patch critical zero-day threat
Attack code for integer underflow bug is already circulating in the wild.

Again: If you're using Adobe Flash Player, please update now.


--

Addendum:

Apple has responded to this latest Adobe Flash Player security FAIL by blocking all previous versions of Flash Player via its XProtect system, integrated into recent versions of OS X:
APPLE-SA-2014-02-04-1 OS X: Flash Player plug-in blocked

Due to security issues in older versions, Apple has updated the web plug-in blocking mechanism to disable all versions prior to Flash Player 12.0.0.44.

Information on blocked web plug-ins will be posted to:

This message is signed with Apple's Product Security PGP key, and details are available at:
Thank you Apple!


--