Monday, December 12, 2016

Apple Adds 'Junk' Option To iCloud Calendar:
Spam Rats Exterminated

--

Apple has kindly responded, in part, to the Calendar spam nightmare. They've now provided a couple of ways to 'Junk' the spam directly inside the iCloud Calendar rather than forcing victims to 'Accept', 'Decline' or 'Maybe' the spam, none of which were acceptable options.


Apple activates iCloud.com Calendar spam reporting feature
By AppleInsider Staff 
Sunday, December 11, 2016, 09:31 pm PT (12:31 am ET)
Apple on Sunday instituted a new junk content reporting feature on its iCloud.com web portal, the first step in what appears to be an activation of countermeasures against iCloud Calendar spam invites users began to receive in volume last month.
There are two ways to attack invitation spam in the iCloud Calendar.


[screenshot]

In the screenshot above, we notice the invitation spam via both a Calendar entry, marked as A, and the Notifications counter at the bottom of the window, marked as B. AppleInsider, in the article linked above, has described how to use the Notifications counter to 'Junk' the invitation spam. I'm going to describe how to perform the same function using the invitation spam Calendar entry.



[screenshot]

In the screenshot above, I've double-clicked the invitation spam entry in my Calendar. The result is a detailed information sub-window. I prefer this approach for removing invitation spam specifically because of the details provided. The text in the sub-window is a bit scrambled, but we can make out some typical signs of spam. The sender is Chinese. The invitation spam was sent to victims on an alphabetical spam-it list. The invitation spam directs the victim to an unfamiliar website.


Note that Apple has added 'Report Junk' link beneath the text "This sender is not in your contacts." Click "Report Junk" and this new sub-window appears:



[screenshot]

Click 'OK' and the deed is done! The invitation spam will be safely removed from both the Calendar and the Notifications counter. Extermination achieved. Perform this procedure on further invitation spam. When you're done, your Calendar will be clean and back to normal.



[screenshot]

It is assumed at this time that Apple is using Calendar 'Junk' reports to create a 'Black List' that will keep future invitation spam out of the Calendar. Since an invitation carries the same ingredients as an email spam (a sender, a recipient list, a text body with a URL), I expect Apple will eventually combine their email spam and Calendar invitation spam filtering systems. We'll see.


WHAT'S LEFT TO FIX


1) Apple still has to provide a 'Junk' reporting method in both the macOS and iOS Calendar applications.


2) Apple still has to provide a fix for Photo Sharing invitation spam.


Little steps to solve big problems.



--

Tuesday, November 29, 2016

Permanent Solution To Calendar Spam Attacks!

--

Over the US Thanksgiving holiday weekend, I was bombarded with two further Calendar spam rat attacks foisting fraudulent flotsam from China. I happily dispatched them with the previously prescribed method, no dangerous 'Decline' required.

But better yet! Yesterday (11-28) Sean Gallagher of Ars Technica posted a permanent solution to Calendar spam rat attacks that works like a charm. It shoves spam 'invitations' (infestations) off into the Mail application instead, where the crapulent assaults will be forced through your spam filtration system, killing them dead. 


√ Spam rat exterminated.



How to stop the wave of Apple Calendar invite spam
Deleting them just encourages them—and confirms your address is live.
Sean Gallagher, Ars Technica, 2016-11-28

Here is my slightly simplified set of instructions. Note that this must be performed on a desktop/laptop computer. It will not work using iOS!


1) Sign in (log in) to your iCloud account at:


https://www.icloud.com




2) Click on the Calendar icon.



3) When your Calendar page is loaded, look down at the bottom left for the gear symbol. Click on it and choose 'Preferences'.




4) In the Preferences sub-window, click on the 'Advanced' tab.




5) In the bottom section of the 'Advanced' window, labeled 'Invitations', you'll see the default radio button setting is 'In-app notifications'. Click instead 'Email to ...' your iCloud email address. (Ignore the 'Use this option if...' note.)



6) Click 'Save' in the bottom right.


No more 'invitation' infestations into your Calendar. But note! Any legitimate Calendar invitations will also be sent to your email account. Therefore, be careful when perusing your email to watch for invitations you'd like to accept. In Mail you can choose to have them added to your Calendar.


When you receive spam rat 'invitations' in Mail you can simply mark them as 'Junk'. More garbage from the same spam rats should in future be flung into your 'Junk' without your having to ask.


Reporting Calendar 'Invitation' Spam:


I had a chat with tech support over at SpamCop.net about Calendar 'invitation' spam. They kindly declined to recode their spam reporting website software to accept this new spam variety and instead referred me to another organization that might take up the challenge. But the fix Sean Gallagher provided solves the problem. In future I can report 'invitation' spam to SpamCop directly from Mail, like any other junk email.


Remaining problem, iCloud Photo Sharing spam:


Sadly, there is no similar preference fix to stop iCloud Photo Sharing spam. That one is Apple's burden to solve.



--

Friday, November 18, 2016

The New Spam Rat Vectors:
Calendar and Photo Sharing

--

Today, I ran into one of the new spam rat vectors. Without any approval on my part, a two day event was shoved into my Calendar for today and tomorrow. It came from a persistent source of spam that attempts to foist ads for fake Chinese Ray-Ban sunglasses before my eyes. I've received (and reported to SpamCop.net) quite a few of their spam emails. Now they're using this new vector to get attention. How they pulled off the spam is new to me! The thing was sent via my iCloud.com account.

It should be easy to Delete anything inserted into the macOS Calendar. Right? That's the intuitive thing to do. Apple of course provides a menu item by that name if you use the contextual menu on the spam calendar event. Except it's NOT a delete at all. We're forced to either 'Cancel' and keep the spam or 'Decline' the event. When we 'Decline' the event, a reply goes back to the organizer's address, which is the same as shouting to the spam rat 'HEY! I'M A LIVE BODY! SPAM ME SOME MORE!' That's the very last thing we want to do. The spam rats will spam us further as a direct result of hitting 'Decline'.

The only recourse available is to ignore the Calendar spam. It will sit there in your Calendar forever. I hate that.

Result: Apple has inadvertently allowed a spam vector we cannot avoid! That has to end. I'll be sending Apple a kindly request to end this madness immediately. I'll also be corresponding with SpamCop.net to see if they can incorporate the reporting of such spam into their system. At the moment, their interface has no idea what to do with this kind of spam, despite the URL for the spam rat being incorporated in the 'Invite' code.

Meanwhile, similar spam is reported to be infesting iCloud Photo Sharing. Another great one Apple. :-P

Thankfully, there is a solution to this stupid spam problem in Calendar. I've provided some links to articles with the solution below. Sadly, there is not yet any solution to the stupid spam problem in iCloud Photo Sharing. The best you can do is turn off iCloud Photo Sharing. When a solution arrives or Apple get their act together, I'll post again.

If you can read Dutch, this is the first website to figure out how to kill off the stupid spam problem in Calendars:

appletips, 2016-11-08

Both 9TO5MAC and TechTimes have provided translations of the solution as well as discussion:

9TO5MAC, 2016-11-09
Performing the steps below will move the spam invitation to a separate calendar, and from there, that calendar can be deleted. Thus, removing the spam invitation without having to hit “Decline” on the actual notification. . . .
Anu Passary, Tech Times, 2016-11-09
Any Solution For iCloud Photo Sharing Spam? The only option is to turn off the feature completely. To do so follow these steps: . . .
~ ~ ~ ~ ~


For those interested in the code buried behind these spam abominations, here is what I received (with personal and potentially dangerous data removed, as indicated in square brackets). It is a standard iCalendar object: long lines are 'folded' onto a following line that starts with a single space, which is why several properties below appear split in two.
BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//Apple Inc.//Mac OS X 10.12.1//EN
CALSCALE:GREGORIAN
BEGIN:VEVENT
TRANSP:TRANSPARENT
DTEND;VALUE=DATE:20161120
LAST-MODIFIED:20161118T134030Z
ORGANIZER;CN="黄周朝":/aMjUwNTI0MjYwNzgyNTA1Mqtter-QwRgjzoGWqFbNhgT2wV1SrD6
 t8E_Di4m4H-sa/principal/
UID:7F700ED9-2C8B-DE19-5648-34298F6E1BD9
DTSTAMP:20161118T134034Z
DESCRIPTION:[URL of spam rat removed] $19.99 Ray-ban&Oakley Sunglasses Onli
 ne.Up To 80% Off Sunglasses.Compare And Save.
SEQUENCE:0
X-APPLE-TRAVEL-ADVISORY-BEHAVIOR:AUTOMATIC
SUMMARY:$19.99 Ray-ban&Oakley Sunglasses Online.Up To 80% Off Sunglasses
 .Compare And Save. [URL of spam rat removed]
DTSTART;VALUE=DATE:20161118
CREATED:20161118T141038Z
ATTENDEE;CUTYPE=INDIVIDUAL;PARTSTAT=NEEDS-ACTION;ROLE=REQ-PARTICIPANT;RS
 VP=TRUE:mailto:[Victim at icloud.com]
ATTENDEE;CUTYPE=INDIVIDUAL;PARTSTAT=NEEDS-ACTION;ROLE=REQ-PARTICIPANT;RS
 VP=TRUE:mailto:[Victim at gmail.com]
ATTENDEE;CUTYPE=INDIVIDUAL;PARTSTAT=NEEDS-ACTION;ROLE=REQ-PARTICIPANT;RS
 VP=TRUE:mailto:[Victim at hotmail.com]
ATTENDEE;CUTYPE=INDIVIDUAL;PARTSTAT=NEEDS-ACTION;ROLE=REQ-PARTICIPANT;RS
 VP=TRUE:mailto:[Victim at icloud.com]
ATTENDEE;CUTYPE=INDIVIDUAL;PARTSTAT=NEEDS-ACTION;ROLE=REQ-PARTICIPANT;RS
 VP=TRUE:mailto:[Victim at icloud.com]
ATTENDEE;CUTYPE=INDIVIDUAL;PARTSTAT=NEEDS-ACTION;ROLE=REQ-PARTICIPANT;RS
 VP=TRUE:mailto:[Victim at yahoo.com]
ATTENDEE;CUTYPE=INDIVIDUAL;PARTSTAT=NEEDS-ACTION;ROLE=REQ-PARTICIPANT;RS
 VP=TRUE:mailto:[Victim at gmail.com]
ATTENDEE;CUTYPE=INDIVIDUAL;PARTSTAT=NEEDS-ACTION;ROLE=REQ-PARTICIPANT;RS
 VP=TRUE:mailto:[Victim at gmail.com]
ATTENDEE;CUTYPE=INDIVIDUAL;PARTSTAT=NEEDS-ACTION;ROLE=REQ-PARTICIPANT;RS
 VP=TRUE:mailto:[Victim at icloud.com]
ATTENDEE;CN="[Victim]";CUTYPE=INDIVIDUAL;EMAIL="[Victim at icloud.com]";PARTSTAT=NEEDS-ACTION;ROLE=REQ-PARTICIPANT;RSVP=TRUE:/aMTEyMDgzMTQxM
 TIwODMxNG5OQKIRBVWuL0Ah_fCetZ3Z3V61ZwF1SPf_pZtFhpme/principal/
ATTENDEE;CN="黄周朝";CUTYPE=INDIVIDUAL;EMAIL="[Nonsensical email address]";PARTSTA
 T=ACCEPTED;ROLE=CHAIR:/aMjUwNTI0MjYwNzgyNTA1Mqtter-QwRgjzoGWqFbNhgT2wV1S
 rD6t8E_Di4m4H-sa/principal/
BEGIN:VALARM
X-WR-ALARMUID:BCE20FBE-0652-41A3-9224-A9C3E37720AA
UID:BCE20FBE-0652-41A3-9224-A9C3E37720AA
TRIGGER:-PT15H
X-APPLE-DEFAULT-ALARM:TRUE
ATTACH;VALUE=URI:Basso
ACTION:AUDIO
END:VALARM
END:VEVENT
END:VCALENDAR
The victim email addresses were apparently copied and pasted alphabetically from a distributed spam-it list. The victim IDs in this case all started with 'derek'-something. The victim email addresses were not exclusive to iCloud, as I've indicated above.
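The invite above is plain iCalendar text, so the signs I picked out by eye (organizer not in my contacts, a URL in the title and body, a long list of look-alike recipient addresses) can be checked mechanically. Here is an added example of doing that in Python; it is my illustration, not code from Apple or from any of the articles linked here. It unfolds RFC 5545 continuation lines, splits each property into name, parameters and value (taking the address from iCloud's EMAIL parameter when the value is a principal URL, as in the invite above), and scores the result. The sample invite embedded in it is constructed: the addresses, the organizer name and the URL are made up, not the spammer's real ones.

```python
"""Triage an iCalendar (.ics) invitation for calendar-spam indicators."""
import re
from collections import Counter

# Constructed sample modelled on the invite above. Addresses and the URL are
# made up (.example / .invalid), not the spammer's real ones.
SAMPLE_ICS = """\
BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//Apple Inc.//Mac OS X 10.12.1//EN
BEGIN:VEVENT
DTSTART;VALUE=DATE:20161118
DTEND;VALUE=DATE:20161120
ORGANIZER;CN="Spammer":mailto:promo@example.invalid
SUMMARY:$19.99 Ray-ban&Oakley Sunglasses Online.Up To 80% Off Sunglasses
 .Compare And Save. http://sunglasses.example.invalid/sale
DESCRIPTION:http://sunglasses.example.invalid/sale $19.99 Sunglasses Onli
 ne.Up To 80% Off Sunglasses.Compare And Save.
ATTENDEE;CUTYPE=INDIVIDUAL;PARTSTAT=NEEDS-ACTION;ROLE=REQ-PARTICIPANT;RS
 VP=TRUE:mailto:derek.a@icloud.example
ATTENDEE;CUTYPE=INDIVIDUAL;PARTSTAT=NEEDS-ACTION;ROLE=REQ-PARTICIPANT;RS
 VP=TRUE:mailto:derek.b@gmail.example
ATTENDEE;CUTYPE=INDIVIDUAL;PARTSTAT=NEEDS-ACTION;ROLE=REQ-PARTICIPANT;RS
 VP=TRUE:mailto:derek.c@hotmail.example
ATTENDEE;CUTYPE=INDIVIDUAL;PARTSTAT=NEEDS-ACTION;ROLE=REQ-PARTICIPANT;RS
 VP=TRUE:mailto:derekk@yahoo.example
ATTENDEE;CN="Spammer";EMAIL="promo@example.invalid";PARTSTAT=ACCEPTED;ROLE=CHAIR:/principals/constructed/
END:VEVENT
END:VCALENDAR
"""


def unfold(ics_text):
    """Undo RFC 5545 line folding: a line that starts with a space or tab is
    the continuation of the previous line, minus the break and that one blank."""
    lines = []
    for raw in ics_text.splitlines():
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def _split_unquoted(line, sep):
    """Split at the first sep that sits outside double quotes (CN="a:b" is legal)."""
    in_quotes = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == sep and not in_quotes:
            return line[:i], line[i + 1:]
    return line, ""


def vevent_properties(ics_text):
    """List of (NAME, {PARAM: value}, value) for the properties of the first VEVENT."""
    props, in_event = [], False
    for line in unfold(ics_text):
        if line == "BEGIN:VEVENT":
            in_event = True
        elif line == "END:VEVENT":
            break
        elif in_event and ":" in line:
            head, value = _split_unquoted(line, ":")
            name, *param_parts = head.split(";")
            params = {}
            for part in param_parts:
                key, _, val = part.partition("=")
                params[key.upper()] = val.strip('"')
            props.append((name.upper(), params, value))
    return props


def _address(params, value):
    """iCloud puts the address in an EMAIL parameter when the value is a
    principal URL (as in the invite above); otherwise it is a mailto: value."""
    addr = (params.get("EMAIL") or value).lower()
    return addr[7:] if addr.startswith("mailto:") else addr


URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def triage_invite(ics_text, contacts):
    """Score an invite: each indicator described above adds one to spam_score."""
    props = vevent_properties(ics_text)
    organizer = next((_address(p, v) for n, p, v in props if n == "ORGANIZER"), "")
    attendees = [_address(p, v) for n, p, v in props if n == "ATTENDEE"]
    text = " ".join(v for n, _, v in props if n in ("SUMMARY", "DESCRIPTION"))
    urls = sorted(set(URL_RE.findall(text)))
    reasons = []
    if organizer and organizer not in {c.lower() for c in contacts}:
        reasons.append("organizer %s is not in your contacts" % organizer)
    if urls:
        reasons.append("URL in title or body: " + ", ".join(urls))
    if len(attendees) >= 5:
        reasons.append("%d attendees on one invite" % len(attendees))
    # An alphabetised address list shows up as recipients whose local parts
    # share the same first letters (the 'derek-something' pattern above).
    prefixes = Counter(a.split("@")[0][:4] for a in attendees if "@" in a)
    if prefixes:
        prefix, count = prefixes.most_common(1)[0]
        if count >= 3:
            reasons.append("%d recipients share the local-part prefix '%s'" % (count, prefix))
    return {"organizer": organizer, "attendees": attendees, "urls": urls,
            "spam_score": len(reasons), "reasons": reasons}


if __name__ == "__main__":
    verdict = triage_invite(SAMPLE_ICS, ["friend@example.org"])
    for reason in verdict["reasons"]:
        print("-", reason)
    print("spam score:", verdict["spam_score"])
```

Run it against a real .ics exported from Calendar (or the raw text of an invitation email) with your own contact list; the thresholds (five attendees, three shared prefixes) are guesses that suit this kind of bulk invite and should be tuned if you receive large legitimate meeting invites.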

So Apple! What's with the sloppy attention to security lately? Wake up! You're making Google look good. And that's bad.


--

Monday, November 7, 2016

Apple's iOS App Store Faceplant:
Infiltration of Hundreds of Fake Apps

--

Faceplant:

An unintentional result of a risky or stupid activity whereby a person becomes fully inverted from the normal upright position while one or more parts of the face impact the ground simultaneously with the full weight of the body.

A faceplant (also face plant) is like doing a handstand except with no hands so all that's left is your face.

~ ~ ~

Apple is in the midst of an unprecedented faceplant whereby reportedly hundreds of FAKE apps have been steadily infiltrating the iOS App Store. This of course is NEVER supposed to happen. Preventing this from happening is the single biggest point of using the iOS App Store. Consider the safety reputation of the Apple iOS App Store severely damaged. This is shameful of Apple. Consider me disgusted.

Below, I've posted links to relevant articles. I'll post further links if this situation worsens.

Fake shopping apps are invading the iPhone
New York Post
James Covert, October 30, 2016
... A slew of knockoff shopping apps have quietly infiltrated Apple’s App Store in recent months, looking to lure unsuspecting iPhone owners with bogus deals on everything from jewelry to designer duds.

The fake apps mimic the look of legit apps — and have proliferated since this summer, experts said.

It didn’t help that earlier this month, Apple introduced search ads in its App Store. The fake apps are buying search terms, it would appear, to increase their exposure to consumers.

The crooks are looking to tap into the fast-growing market for mobile sales, which last year leaped 56 percent to $49.2 billion, according to comScore. . . .

Beware, iPhone Users: Fake Retail Apps Are Surging Before Holidays
New York Times
By Vindu Goel, November. 6, 2016
Hundreds of fake retail and product apps have popped up in Apple’s App Store in recent weeks — just in time to deceive holiday shoppers.

The counterfeiters have masqueraded as retail chains like Dollar Tree and Foot Locker, big department stores like Dillard’s and Nordstrom, online product bazaars like Zappos.com and Polyvore, and luxury-goods makers like Jimmy Choo, Christian Dior and Salvatore Ferragamo.

“We’re seeing a barrage of fake apps,” said Chris Mason, chief executive of Branding Brand, a Pittsburgh company that helps retailers build and maintain apps. He said his company constantly tracks new shopping apps, and this was the first time it had seen so many counterfeit iPhone apps emerge in a short period of time.

But there are serious risks to using a fake app. Entering credit card information opens a customer to potential financial fraud. Some fake apps contain malware that can steal personal information or even lock the phone until the user pays a ransom. And some fakes encourage users to log in using their Facebook credentials, potentially exposing sensitive personal information.

The rogue apps, most of which came from developers in China, slipped through Apple’s process for reviewing every app before it is published. . . .
~ ~ ~

Be safe out there kids! At the moment, Apple doesn't have your back. (-_-) zzz

--

Wednesday, July 27, 2016

PAC Attacks When Using HTTPS!
VPN To The Rescue

--

Introduction: What I discuss below fits within the realm of computer networking. As such, it is complicated, has a learning curve and may require homework, time and patience to understand. However, as usual, I've tried to translate the technology into something reasonably easy to comprehend and I've provided some useful reference links.

Open Wi-Fi Hotspots Are Not Our Friend


Using open, no password required, hot spot Wi-Fi routers is dangerous. It's trivial for anyone else on the same router to spy on all your unencrypted Internet activity. There are several tools for the hack job on all computer platforms. So what do you do?


Using HTTPS on the Web is one generally reliable way to encrypt your connections, resulting in hacker spies seeing only gibberish pass between your computer and your destination. That's great, except a lot of servers still use old SSL (Secure Sockets Layer) protocols that are no longer secure, and there are older browser applications that still allow the use of SSL. The replacement technology is TLS (Transport Layer Security) and is considerably safer, albeit not perfect as of yet. For general Web access at a Wi-Fi hotspot, HTTPS via TLS should be adequate.


Except this happened:


New attack bypasses HTTPS protection on Macs, Windows, and Linux
Hack can be carried out by operators of Wi-Fi hotspots, where HTTPs is needed most.
- DAN GOODIN, Ars Technica - 7/26/2016, 1:14 PM
The most likely way the attack might be carried out is for a network operator to send a malicious response when a computer uses the dynamic host configuration protocol to connect to a network. Besides issuing addresses, DHCP can be used to help set up a proxy server that browsers will use when trying to access certain URLs. This attack technique works by forcing the browser to obtain a proxy autoconfig (PAC) file, which specifies the types of URLs that should trigger use of the proxy. Because the malicious PAC code receives the request before the HTTPS connection is established, the attackers obtain the entire URL in plaintext....
(Emphasis mine).

This is a fairly sophisticated attack for the moment. But, again, it could be made trivial once hacking tools that automate it proliferate.
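The attack quoted above starts with a hostile DHCP reply that steers the browser to a PAC file. The standard way a DHCP server hands out a PAC URL is DHCP option 252 (the WPAD option), so a quick check for a hotspot that is trying this is to look at the options in the lease you were just given. The following is an added example of that check in Python, written for this page rather than taken from the Ars Technica article or from any tool; the two DHCP messages it decodes are constructed in the script, and the 192.168.1.1 server and wpad.dat URL in them are made up.

```python
"""Spot a DHCP reply that pushes a proxy auto-config (PAC) URL at the client."""
import struct

DHCP_MAGIC_COOKIE = b"\x63\x82\x53\x63"   # RFC 2132: marks the start of the options
OPT_PAD = 0
OPT_MESSAGE_TYPE = 53
OPT_SERVER_ID = 54
OPT_WPAD = 252        # 'Web Proxy Auto-Discovery': value is the PAC URL
OPT_END = 255


def build_dhcp_ack(options):
    """Build a minimal BOOTP/DHCP message: the fixed 236-byte header, the
    magic cookie, then TLV options. Only used here to construct samples."""
    header = bytearray(236)
    header[0] = 2                                   # op = BOOTREPLY
    header[1] = 1                                   # htype = Ethernet
    header[2] = 6                                   # hlen
    struct.pack_into("!I", header, 4, 0x3903F326)   # xid (constructed value)
    body = b"".join(bytes([code, len(value)]) + value for code, value in options)
    return bytes(header) + DHCP_MAGIC_COOKIE + body + bytes([OPT_END])


def parse_dhcp_options(packet):
    """Return {code: value} for the options of a DHCP message. Handles PAD
    and END as RFC 2132 describes, and rejects truncated or non-DHCP input."""
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC_COOKIE:
        raise ValueError("not a DHCP message (no magic cookie)")
    opts = {}
    i = 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        opts[code] = value
        i += 2 + length
    return opts


def wpad_url(packet):
    """The PAC URL a DHCP reply is pushing, or None if it pushes none."""
    opts = parse_dhcp_options(packet)
    if OPT_WPAD not in opts:
        return None
    # The value is a plain ASCII URL; some servers NUL-terminate it.
    return opts[OPT_WPAD].rstrip(b"\x00").decode("ascii", "replace")


# Constructed sample replies: an ordinary hotspot ACK, and one carrying option 252.
BENIGN_ACK = build_dhcp_ack([
    (OPT_MESSAGE_TYPE, b"\x05"),                    # DHCPACK
    (OPT_SERVER_ID, bytes([192, 168, 1, 1])),
])
HOSTILE_ACK = build_dhcp_ack([
    (OPT_MESSAGE_TYPE, b"\x05"),
    (OPT_SERVER_ID, bytes([192, 168, 1, 1])),
    (OPT_WPAD, b"http://192.168.1.1/wpad.dat\x00"),  # constructed PAC URL
])

if __name__ == "__main__":
    for name, pkt in (("benign", BENIGN_ACK), ("hostile", HOSTILE_ACK)):
        print(name, "->", wpad_url(pkt))
```

To use it on a live network, feed it the raw UDP payload of the DHCP ACK from a packet capture (port 67 to port 68). The direct defence is simpler than any detector: with automatic proxy discovery turned off in the operating system's network settings the browser never asks for a PAC file, so a pushed option 252 is ignored. macOS leaves 'Auto Proxy Discovery' off by default; Windows enables it by default.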


So now what do we do?


If you're a casual web browsing user who doesn't mind having your URL connections surveilled in public, you wait for web browser and OS updates to solve this problem. The one quick check worth doing now: make sure automatic proxy discovery is turned off in your network settings, so the browser never goes looking for a PAC file in the first place.


VPN


If you're a professional who must NOT be surveilled in your work online, you enroll in a VPN (Virtual Private Network) service. I won't go into the techy details. But a good VPN service encrypts everything your computer sends, on whatever router you're using, between you and a server run by the VPN service somewhere else on the planet. You can typically choose your exit server from a list provided by the VPN service. Once your traffic exits the VPN server onto the actual Internet, the sites you visit see the VPN server's address rather than yours. None of your data is visible at your Wi-Fi router location. Two caveats: the VPN provider itself now sees everything the hotspot can't, so you are trusting them instead; and a PAC file is pushed at your computer by the hotspot's DHCP server before any tunnel is up, so turn off automatic proxy discovery as well rather than relying on the VPN alone. With those covered, problem solved.


There are many VPN services available. Some of them offer 'Life Time Membership' for a reasonable price. There is typically one VPN service or another running a special offer via a one of the 'Deal' websites / email lists at any point in time.


As examples, I'm on the MacAppware and 9To5Toys 'Deal' lists, which are part of a network of 'Deal' services run through StackCommerce. They offer a variety of hardware, software and service 'Deals' at special discount prices, typically for a limited period of time. If you see something you like on the lists, you check it out. If you like it, you buy it. (Please note how I am deliberately not providing URLs as I am not selling or recommending any of these services. Do a search on their names and you'll find them).


Continuing these examples: 9To5Toys is currently offering both a 3-year subscription and full lifetime subscription to Tiger VPN for decent prices. MacAppware is currently featuring five different VPN service discounts. They include HideMyAss!, Hotspot Shield Elite, PureVPN, and VPN Unlimited.


The closest I'll come to a recommendation is to say that I have a friend who swears by HideMyAss! He regularly uses it to stream sports game video from Europe with great results. I have a lifetime membership with proXPN that works fine for my purposes.


One limiting factor with VPNs is speed, aka bandwidth. Obviously, you run into this factor when you're streaming a lot of data at once, for example when watching video. If that's what you want to do via VPN, it pays to shop around for the fastest service. Be sure to verify that what you read about a VPN service is real. For example, PureVPN calls itself "The World's Fastest VPN." Maybe it is or maybe it isn't. Check out a number of reviews to find out what users have experienced according to their usage of the VPN.


Another limiting factor is which VPN connection protocols the services offer. They may use OpenVPN and/or PPTP (Point-to-Point Tunneling Protocol). It's important to know what your hardware and OS can handle. Some devices, for example, have no built-in OpenVPN support and need a separate client app for it, whereas PPTP and L2TP/IPsec clients are built into most operating systems. Many services provide several protocols, so check the list before you buy.


From a security point of view, the picture is roughly the reverse of what the headlines suggest. OpenVPN has had a run of patches, but most of the serious ones were in the OpenSSL library underneath it (Heartbleed being the famous case), and the OpenVPN project has been good about shipping fixes. PPTP, meanwhile, is not merely 'considered by some' to be broken: its MS-CHAPv2 authentication can be cracked outright, and Microsoft itself has recommended for years that PPTP not be used, pointing instead to a more recent and superior alternative, L2TP/IPSec, with which I am somewhat unfamiliar. Apple has also announced that PPTP support is removed in iOS 10 and macOS Sierra. If a VPN offers L2TP/IPSec or OpenVPN, use one of those instead of PPTP.


I could link here to a comparison chart of these three protocols, but what I found online was not up-to-date and would therefore be misleading. From a fanatical security perspective, any of them may fall to a well-resourced attacker who wants to target specifically YOU; such attacks are sophisticated and take time to enact. For general professional use, OpenVPN or L2TP/IPSec is adequate; PPTP is not. Open source advocates of course prefer OpenVPN because its code is entirely available for scrutiny, and in theory that means the security holes are found and patched more readily. Meanwhile, Microsoft has been involved with both PPTP and L2TP/IPSec, which may give users a reason to cringe. You decide.


Nice things about good VPN services: 


First, my VPN rates the quality/speed of their own servers day-to-day. I'm in New York. So you'd think connecting to their New York City server would be great! It used to be. Now it's rated on the bottom of their connection listing. IOW it's the last server I want to use. Instead, I typically use the Chicago server, which is in the top third of their connection list. I often visit sites within the UK, in which case I use their London server. Thankfully, that is also in the top third of their connection list at this time. 


Meanwhile, if I want to use an exit server in or near Japan, forget it! There aren't any. That could have killed my interest in their VPN service, if it mattered to me. The closest server is in Singapore, and it's near the bottom of the connection list. IOW: It may be important to know what servers a VPN offers, according to your purposes.


Second, my VPN regularly changes its servers in cases where they are being blocked by ISPs. My VPN application grabs the latest list of available servers every day, which prevents me from connecting to what amounts to a dead server. 


Why are VPN servers blocked? This gets into a controversy regarding copyright, marketing and costs. To give you at least a rough idea of how and why this can happen: Imagine you're the BBC in the UK. Someone uses a VPN to connect to a London server. The IP address of that server is what every website you connect to sees. It's obviously a British IP address, so you look to be British. Therefore, you can access all British web content as a British citizen. You have full access to all BBC web media, including any of their posted TV program streams. What can be 'bad' about that is that: (A) You may not actually be in Britain. You're using a VPN. (B) If you aren't British, you have no access to British copyrighted media. (C) BBC marketing people may go maniacal that you're breaking through an artificial marketing zone barrier to access media directly in the UK. (D) You haven't paid the taxes that support the BBC. Therefore, the BBC is motivated to find and have blocked all VPN servers within the UK.




Then there's that annoying totalitarianism issue where FAILed governments abuse their citizens, rather than serve them. Check this out:


Countries Where VPN Use is Prohibited
WHAT COUNTRIES HAVE BANNED THE USE OF VPN?
VPN is typically banned in countries that have authoritative laws, such as China, North Korea and Iran. With limited access to a majority of online content, in order to unblock blocked websites, citizens, tourists and expats in those countries typically resort to the use of proxy servers and VPN software. 
WHY HAVE THESE COUNTRIES MADE VPN USAGE ILLEGAL?
Some countries have banned the use of Virtual Private Networks so that they can maintain a bird's eye view on all online movement made by their citizens, whom the governments of these countries consider nonconformists, as well as to control the information their citizens have access to by censoring websites with liberal or opposing views. VPNs allow users to bypass censorship and keep all online activities confidential.
Such is our species. I thoroughly recommend deposing all such governments. That's what revolutions are for. We all deserve personal freedom and privacy, no exceptions (apart from the crooks and crazies).

So what about DNSCrypt?


I use DNSCrypt on all my Macs. I've had no trouble with it and it kindly encrypts all my DNS lookups for free. It works hella better than my ISP's DNS servers! (Time Warner Cable :-P). Thank you OpenDNS and Cisco! It prevents any open Wi-Fi hotspot hackers from seeing what websites I want to visit. It even prevents your ISP, or anyone else sitting between you and the resolver, from surveilling your DNS lookups. (The resolver operator, OpenDNS in this case, still sees them; that is who you're trusting instead.)

Except DNSCrypt won't help with the PAC attacks on HTTPS. Sorry! The malicious PAC script is handed the full URL inside your browser, before the HTTPS connection is established and regardless of how the name gets resolved, so encrypting your own DNS lookups does not close that hole. Nonetheless, DNSCrypt is a great precaution and works extremely well. Finishing DNSCrypt took years of annoying betas. Now it's something approaching perfection. Highly recommended.

Questions? Further reference requests? Please drop me a comment below.

:-Derek


--

Wednesday, July 20, 2016

Critical Little Snitch Update to v3.6.4!

--

Today, Objective Development released a critical update of Little Snitch to version 3.6.4. Update ASAP!

Here are the release notes from the installer:
Little Snitch 3.6.4 
This update fixes critical issues. Please update as soon as possible!
  • Added IKEv2 VPN support to Automatic Profile Switching detection.
  • Fixed: A critical bug enabling potential attackers to circumvent the Little Snitch network filter (thanks to @osxreverser for the report).
  • Fixed: Under rare circumstances Fast User Switching causes all connections without rules to be denied without showing an alert.
  • Fixed: Alerts triggered via “ask rule” sometimes produce rules with “Until Quit” instead of “Once” lifetime.
  • Fixed: Rare crash when searching for rules or suggestions in Little Snitch Configuration.
  • Other bugfixes and improvements.
I've made certain that MacUpdate and MajorGeeks Mac (the two download sites I still use) have been notified. If you haven't used Little Snitch, you can find out more about this excellent 'reverse firewall' program HERE. It has a learning curve well worth climbing if you want to stop applications from phoning home or stop potential bot infections dead in their tracks. Intego's NetBarrier has similar functionality.
--

Wednesday, July 13, 2016

'Backdoor.MAC.Eleanor' Is Now XProtected!

--

Yes! Apple has updated XProtect to guard against OSX.Trojan.Eleanor.A.

XProtect is Apple's built-in anti-malware system. It was first integrated into Mac OS X 10.6 Snow Leopard and is regularly and automatically updated over the Internet.

Apple has been a bit slow updating XProtect to ward off evil adware. But, with nagging from the field, Apple eventually catches up. Alongside Eleanor, Apple has also provided protection against the adware OSX.Hmining.A.2

Grateful thanks to my right-hand Mac security pal Al Varnell for helping out, as ever!

--

Tuesday, July 12, 2016

Happy Adobe Security Update Day For July

--

Second Tuesday of the month, the day when Adobe lets loose all the security patches they've been saving up for the past month. (0_o) On this Tue2, Adobe is serving updates for:

Adobe Flash - 52 critical CVEs patched


Adobe Acrobat and Reader  - 30 critical CVEs patched


Adobe XMP Tool for Java - 1 CVE patched


The links above lead to accompanying Adobe security bulletins.


So where's the required Adobe AIR update? After all, Adobe Flash is integrated into Adobe AIR! Nothing new. That's worrying. If you're running AIR, be sure to have it self-check for updates!


Where to get the security updates:


Adobe Flash

Adobe Acrobat
Adobe Reader
Adobe XMP Tool for Java


The Gory Details

Adobe Flash Vulnerability Details

These updates resolve a race condition vulnerability that could lead to information disclosure (CVE-2016-4247).

These updates resolve type confusion vulnerabilities that could lead to code execution (CVE-2016-4223, CVE-2016-4224, CVE-2016-4225).

These updates resolve use-after-free vulnerabilities that could lead to code execution (CVE-2016-4173, CVE-2016-4174, CVE-2016-4222, CVE-2016-4226, CVE-2016-4227, CVE-2016-4228, CVE-2016-4229, CVE-2016-4230, CVE-2016-4231, CVE-2016-4248).

These updates resolve a heap buffer overflow vulnerability that could lead to code execution (CVE-2016-4249).

These updates resolve memory corruption vulnerabilities that could lead to code execution (CVE-2016-4172, CVE-2016-4175, CVE-2016-4179, CVE-2016-4180, CVE-2016-4181, CVE-2016-4182, CVE-2016-4183, CVE-2016-4184, CVE-2016-4185, CVE-2016-4186, CVE-2016-4187, CVE-2016-4188, CVE-2016-4189, CVE-2016-4190, CVE-2016-4217, CVE-2016-4218, CVE-2016-4219, CVE-2016-4220, CVE-2016-4221, CVE-2016-4233, CVE-2016-4234, CVE-2016-4235, CVE-2016-4236, CVE-2016-4237, CVE-2016-4238, CVE-2016-4239, CVE-2016-4240, CVE-2016-4241, CVE-2016-4242, CVE-2016-4243, CVE-2016-4244, CVE-2016-4245, CVE-2016-4246).

These updates resolve a memory leak vulnerability (CVE-2016-4232).

These updates resolve stack corruption vulnerabilities that could lead to code execution (CVE-2016-4176, CVE-2016-4177).

These updates resolve a security bypass vulnerability that could lead to information disclosure (CVE-2016-4178).

Adobe Acrobat and Reader Vulnerability Details

These updates resolve an integer overflow vulnerability that could lead to code execution (CVE-2016-4210).

These updates resolve a use-after-free vulnerability that could lead to code execution (CVE-2016-4190).

These updates resolve a heap buffer overflow vulnerability that could lead to code execution (CVE-2016-4209).

These updates resolve various methods to bypass restrictions on Javascript API execution (CVE-2016-4215).

These updates resolve memory corruption vulnerabilities that could lead to code execution (CVE-2016-4189, CVE-2016-4191, CVE-2016-4192, CVE-2016-4193, CVE-2016-4194, CVE-2016-4195, CVE-2016-4196, CVE-2016-4197, CVE-2016-4198, CVE-2016-4199, CVE-2016-4200, CVE-2016-4201, CVE-2016-4202, CVE-2016-4203, CVE-2016-4204, CVE-2016-4205, CVE-2016-4206, CVE-2016-4207, CVE-2016-4208, CVE-2016-4211, CVE-2016-4212, CVE-2016-4213, CVE-2016-4214, CVE-2016-4250, CVE-2016-4251, CVE-2016-4252).

Adobe XMP Tool for Java Vulnerability Details

This update resolves an issue associated with the parsing of crafted XML external entities in XMPCore that could lead to information disclosure (CVE-2016-4216).
Stay safe out there kids!

--

Wednesday, July 6, 2016

Beware New Mac Malware: 'Backdoor.MAC.Eleanor'

--

[Updated: 2016-07-07 @1:50 am ET with additional references]

This malware should more properly be named OSX.Trojan.Eleanor.A. In the field, it is being called Backdoor.MAC.Eleanor by BitDefender LABS. It is being served up to victims at a number of websites, including apparently MacUpdate.com. BEWARE!

I'll create my own write up about the malware as further details are available. For now, here are some excellent sources of information about Eleanor:


Bitdefender LABS


Backdoor.MAC.Eleanor Grants Attackers Full Access to Mac Systems
A. Description: 
- - The application name is EasyDoc Converter.app, and its main functionality should be to convert documents, but it does anything but that. . . .
9To5Mac

New Mac malware in the wild, Backdoor.MAC.Eleanor – can steal data, execute code, control webcam

More about Eleanor from my colleague Thomas Reed over at Malwarebytes:

When the app is opened, it runs a shell script whose first task is to check for the presence of Little Snitch. . . . If LittleSnitch is not present, and if the malware has not already been installed, it then installs three LaunchAgents in the user folder plus a hidden folder full of executable files. All these items have names that attempt to make them seem like Dropbox components....
Interestingly, this app’s page on MacUpdate has ratings submitted by users between 2014 and March 26, 2016, all but one of which are 4.5 or 5 stars. Since this malware appears to have first “turned on” in April, I suspect that the real EasyDoc Converter may have been abandoned by its developer and somehow obtained by malware authors....
If you have Malwarebytes Anti-Malware for Mac, it will detect this malware as OSX.Backdoor.Eleanor.
I.e., the free Malwarebytes Anti-Malware for Mac already detects Eleanor. Use the link in the quote above.

And, Dan Goodin of Ars Technica posted an article about Eleanor as well as a couple other pests: Pellit and Keydnap. I'm waiting for more details about these last two before I bother writing about them.
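Thomas Reed's description above gives a concrete thing to look for on a Mac you suspect: LaunchAgents in the user's folder that start executables out of a hidden directory under Dropbox-sounding names. Here is an added example of that check in Python; it is my illustration, not code from Malwarebytes, Bitdefender or Apple, and it does not attempt to identify Eleanor specifically. It reads every plist in a LaunchAgents directory, works out which program each job runs, and flags jobs whose program lives in a dot-directory under the home folder or in an unusual location. The two agents it scans are constructed in a temporary directory; the com.dropbox.update label and the .dropbox-helper folder are made-up stand-ins for the look-alike names the write-up describes.

```python
"""Flag user LaunchAgents that start programs from hidden folders."""
import os
import plistlib
import tempfile

# Where legitimate launchd jobs normally keep their executables.
TRUSTED_PREFIXES = ("/Applications/", "/System/", "/usr/", "/Library/", "/bin/", "/sbin/")


def program_path(plist):
    """The executable a launchd job runs: Program, else ProgramArguments[0]."""
    if "Program" in plist:
        return plist["Program"]
    args = plist.get("ProgramArguments") or []
    return args[0] if args else None


def suspicious_reason(path, home):
    """Heuristic: return why a program path looks wrong, or None if it looks fine.
    A program inside a dot-directory under $HOME is the pattern described above."""
    if not path:
        return "no program to run"
    if path.startswith(home + os.sep):
        folders = os.path.relpath(path, home).split(os.sep)[:-1]
        if any(folder.startswith(".") for folder in folders):
            return "runs %s from a hidden folder in the home directory" % path
        return None
    if not path.startswith(TRUSTED_PREFIXES):
        return "runs %s from an unusual location" % path
    return None


def scan_launch_agents(agents_dir, home):
    """Return {label: reason} for every plist in agents_dir that looks suspicious."""
    findings = {}
    for name in sorted(os.listdir(agents_dir)):
        if not name.endswith(".plist"):
            continue
        full = os.path.join(agents_dir, name)
        try:
            with open(full, "rb") as fh:
                plist = plistlib.load(fh)
        except Exception as exc:            # an unreadable agent is itself notable
            findings[name] = "unparseable plist: %s" % exc
            continue
        label = plist.get("Label", name)
        reason = suspicious_reason(program_path(plist), home)
        if reason:
            findings[label] = reason
    return findings


def build_sample(home):
    """Write two constructed LaunchAgents under home/Library/LaunchAgents:
    one like a real app's helper, one styled on the behaviour described above."""
    agents = os.path.join(home, "Library", "LaunchAgents")
    os.makedirs(agents)
    os.makedirs(os.path.join(home, ".dropbox-helper"))   # constructed hidden folder
    samples = {
        "com.example.realapp.helper.plist": {
            "Label": "com.example.realapp.helper",
            "ProgramArguments": ["/Applications/RealApp.app/Contents/MacOS/helper"],
            "RunAtLoad": True,
        },
        "com.dropbox.update.plist": {                     # constructed look-alike name
            "Label": "com.dropbox.update",
            "ProgramArguments": [os.path.join(home, ".dropbox-helper", "update.sh")],
            "RunAtLoad": True,
            "KeepAlive": True,
        },
    }
    for fname, content in samples.items():
        with open(os.path.join(agents, fname), "wb") as fh:
            plistlib.dump(content, fh)
    return agents


def demo():
    """Scan the constructed sample set in a throwaway home directory."""
    home = tempfile.mkdtemp()
    return scan_launch_agents(build_sample(home), home)


if __name__ == "__main__":
    for label, reason in demo().items():
        print(label, "->", reason)
```

On a real Mac, call scan_launch_agents(os.path.expanduser("~/Library/LaunchAgents"), os.path.expanduser("~")) and read the results as leads, not verdicts: plenty of legitimate software runs helpers from odd places, so look at what the flagged program actually is. To check how Gatekeeper regards a downloaded app before opening it, spctl --assess --verbose /path/to/App.app in Terminal reports whether it would be allowed.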


~ ~

Keep in mind that such malware can have ANY name. Therefore, don't simply avoid 'EasyDoc Converter'. Watch out for ALL software that is not signed with an Apple-issued Developer ID, from ANY source.


Safety Step: Verify that you at least have Apple's Gatekeeper set up this way in System Preferences...: Security & Privacy: General:




IOW: Don't have 'Anywhere' selected. 
(If you're using macOS 10.12 Sierra, you won't even see 'Anywhere' available).

Until this malware is blocked by Apple, do NOT override Gatekeeper and open unsigned software. 


IOW: If you have Gatekeeper set up properly and you attempt to open something you downloaded and OS X protests that the software is from an unidentified developer, do NOT open it. Take the advice of OS X. Since Eleanor is not signed, this will keep you safe from it. Set the questionable software aside until protection against Eleanor is provided by Apple via its XProtect system. I'll report when XProtect has been updated against Eleanor.


Further helpful information from Apple:


About the "Are you sure you want to open it?" alert (File Quarantine / Known Malware Detection) in OS X

:-Derek



--