Thursday, June 7, 2018

Another In-The-Wild Adobe Flash Exploit,
Another Out-Of-Band Update

--

Same old story. Flash is being exploited in-the-wild again. Adobe has pushed out another unscheduled Flash update. The new version is Adobe Flash 30.0.0.113. Update ASAP if you don't already have Flash automatic update running. Or simply tip the Flash Internet plugin into your Trash and empty it.

Security updates available for Flash Player | APSB18-19
Adobe has released security updates for Adobe Flash Player for Windows, macOS, Linux and Chrome OS. These updates address critical vulnerabilities in Adobe Flash Player 29.0.0.171 and earlier versions.  Successful exploitation could lead to arbitrary code execution in the context of the current user. 
Adobe is aware of a report that an exploit for CVE-2018-5002 exists in the wild, and is being used in limited, targeted attacks against Windows users. These attacks leverage Office documents with embedded malicious Flash Player content distributed via email.
And Adobe has also pushed out at the same time Adobe AIR 30.0.0.107. So far, the update has no security update document.

Remember to ONLY download Adobe stuff DIRECTLY from Adobe. Never, ever, ever trust any Adobe installers that are shoved at you by any website. They're 100% fake and a prominent source of malware infection.

Those Adobe download pages are:

Adobe Flash: https://get.adobe.com/flashplayer/
Adobe AIR: https://get.adobe.com/air/
Adobe Reader DC: https://get.adobe.com/reader/
Adobe Shockwave: https://get.adobe.com/shockwave/

--

Monday, May 14, 2018

Critical Out-Of-Band Adobe Security Updates!
And ongoing minor Mac concerns...

--
Adobe has just announced to critical updates for Adobe Acrobat and Reader and Adobe Photoshop CC. The announcements are linked and summarized below:
APSB18-09: Security update available for the Adobe Acrobat and Reader

Originally posted: May 14, 2018

Summary: Adobe has released security updates for Adobe Acrobat and Reader for Windows and MacOS. These updates address critical vulnerabilities, and successful exploitation could lead to arbitrary code execution in the context of the current user. Adobe recommends that customers apply the appropriate update using the instructions provided in the "Solution" section of the security bulletin.

Priority Rating: Adobe categorizes this update as priority 1.


APSB18-17: Security updates available for Adobe Photoshop CC

Originally posted: May 14, 2018

Summary: Adobe has released updates for Photoshop CC for Windows and macOS. These updates resolve a critical vulnerability in Photoshop CC 19.1.3 and earlier 19.x versions, as well as 18.1.3 and earlier 18.x versions. Successful exploitation could lead to arbitrary code execution in the context of the current user. Adobe recommends that customers apply the appropriate update using the instructions provided in the "Solution" section of the security bulletin.


Priority Rating: Adobe categorizes these updates as priority 3.
The new patched versions are:

• Acrobat DC and Acrobat Reader DC v2018.011.20040
• Acrobat 2017 and Acrobat Reader DC 2017 v2017.011.30080
• Acrobat DC (Classic 2015) and Acrobat Reader DC (Classic 2015) v2015.006.30418

• Photoshop CC 2018 v19.1.4
• Photoshop CC 2017 v18.1.4

Update IMMEDIATELY. Exploits have not been reported by Adobe to be in-the-wild. But the Acrobat patches are of highest priority and plentiful.

There was also the usual monthly security patch of awful Adobe Flash on 'Patch Tuesday', the second Tuesday of the month. Several other security patches were released as well. The list of Adobe's latest security patch updates can always been found here:

https://helpx.adobe.com/security.html

- - - -



What Else Is Up?

There aren't many Mac security concerns at the moment. In the mean time, I highly recommend everyone obtain and use the free Malwarebytes Anti-Malware application, run it and keep it up-to-date. My colleague Thomas Reed has been doing a great job enabling it to find all current adware and PUPs (potentially unwanted programs) as well as the few active Mac malware.

Up and coming is Thomas Reed's Malwarebytes for iOS, seeing as Thomas is now in charge of mobile security as well as Mac security at Malwarebytes. The free version of the app will assist iOS device users with ad blocking and text message filtering. The Premier version will help protect users from malicious cell phone calls and malicious web sites. The app is currently in beta.

There isn't any active malware of iOS these days. Subsequently, Apple has removed and forbidden any apps that scan for iOS malware. Meanwhile, Apple has identified and removed several apps that surveil users from its App Store. They are in violation of Apple's iOS programming rules. It's disconcerting that these apps were originally approved and allowed to run on user devices. Thankfully, Apple has caught up with their oversight and removed the problem.

The biggest security hole in the entire Mac and iOS security system remains the same as last year: Rogue developers who've paid for Apple security certificates then applied those certificates to malicious software. The consequences of this security hole in Apple's certification system pop up all over the world from time to time. I wish these rogue certificates were an impossibility. However, Apple's only solution for now is to pull these certificates, making the malicious applications essentially inert. Stolen certificates from enterprise developers remains a problem. But Apple appears to have taken better control of them as I have not heard of any enterprise certificates being applied to malicious software in 2018. Let's hope it stays that way.

Spectre & Meltdown 



Of GREAT concern to every Intel and AMD CPU user is the ever evolving and elaborating Spectre (speculative execution) hardware security vulnerability catastrophe. Apple, as well as other computer manufacturers, have been responding as best they can in coordination with Intel and AMD. But the Spectre problems are profound and have no full solution in sight. Fortunately, exploiting Spectre is relatively difficult and no major exploitation has been reported in-the-wild. As this catastrophe unfolds, be certain to keep up-to-date with Apple security patches.

Of related concern has been the Meltdown vulnerability in Intel, AMD, ARM (Apple A-Series) and IBM Power CPUs. Meltdown has been easier to mitigate and has not become a concern on Mac computers. Just be certain you're up-to-date with Apple security updates.

Apple has provided a document about Spectre and Meltdown and its mitigations here:

About speculative execution vulnerabilities in ARM-based and Intel CPUs

iMore has kindly provided further information here:

'Meltdown' and 'Spectre' FAQ: What Mac and iOS users need to know about the Intel, AMD, and ARM flaw

Rowhammer
Continuing and evolving is exploitation of the DRAM Rowhammer phenomenon. It affects all DDR3 and DDR4 SDRAM. It affects all modern Mac computers. There is no for solution for this problem. The phenomenon is a product of the ever shrinking and subsequently spatially intimate physical components of RAM chips. Some attempts at using software mitigations have been tried and more are forthcoming. But the problem has not been solved. Fortunately, there have not been any active exploits on Mac or iOS hardware. If an exploit is reported, I'll be posting.

Newly discovered is a method of exploiting Rowhammer using GPU memory chips on Android devices. The exploit is called GLitch and can be triggered by malicious JavaScript embedded into web pages.  So far, there has been no similar exploit discovered for iOS devices.

APFS: Not Ready For Prime Time 


In March, there was concern over a severe programming bug found in Apple's as yet unfinished APFS file system, exploitable on devices running macOS 10.13 and 10.13.1 High Sierra. The bug allowed a simple command in the OS terminal to reveal the administrative password for an APFS encrypted Mac device. The exploitation command could be enacted either by direct physical access to the Mac or via malicious code on a web page. Macs running macOS 10.13.2 and higher have been patched against this security bug. More about this situation can be found here:

Apple macOS Bug Reveals Passwords for APFS Encrypted Volumes in Plaintext
It should be noted that you would not find the password in the plaintext when converting a non-APFS drive to APFS and then encrypting the drive.
My advice regarding APFS, the new Apple File System, remains the same: Don't use it. 

• The finished APFS specification has not been released to developers or the public.

• APFS is still incompatible with Fusion drives.

• There continue to be problems accessing APFS partitions from HFS+ Macs, despite Apple's attempts to provide a solution.

• There is no complete method for repairing APFS systems apart from Apple's meagre Disk Utility application. Micromat was the first and currently only disk utility developer to provide partial repair support for APFS in TechTool Pro 9.6+. But Micromat make it clear that it is not a complete APFS repair solution. All disk utility developers point out that the reason for this delay continues to be Apple and their unwillingness / inability to provide finished APFS specification documentation.

IOW: APFS is not a finished standard. It is not ready for prime time. IMHO, it is to be avoided.

Meanwhile, Apple says:
When you install macOS High Sierra on the Mac volume of a solid-state drive (SSD) or other all-flash storage device, that volume is automatically converted to APFS. Fusion Drives, traditional hard disk drives (HDDs), and non-Mac volumes aren’t converted. You can’t opt out of the transition to APFS.
Wrong. There is a solution to Apple's forced conversion of HFS+ to APFS when installing High Sierra. I suggest enacting this solution unless you have some compelling reason to experiment with APFS. You can read about the solution here:

How to Skip Converting to APFS When Installing macOS High Sierra
Despite the Apple support article saying that you can’t opt out of the transition to APFS, it turns out that you can skip APFS if you choose to start the installer from the command line of Mac OS and give a directive to skip file system conversion.



Potentially helpful for those who have converted to APFS is the free downloadable APFS Retrofit Kit available from Paragon:
If you work on a Mac computer with macOS 10.10 to 10.12 and want to read APFS-formatted HDD, SSD or flash drives, you need APFS Retrofit Kit for macOS by Paragon Software. 
Paragon is working to provide the kit for Windows and Linux users as well. Due to my concern that APFS is an unfinished standard, use Paragon's kit with caution. 

And as ever, Make A Backup before engaging in any computer device adventure. It will save your butt. It's the #1 Rule of Computing!

HEY APPLE! FINISH APFS ALREADY! Sheesh. 

Stay safe out there kids.

:-Derek

~ ~ ~ ~ ~ 


Addendum Reading Assignment:

How many ways can a PDF mess up your PC? 47 in this Adobe update alone
Tons of critical fixes for Reader, Acrobat and Photoshop
--

Sunday, February 4, 2018

Active Adobe Flash Zero-Day Exploit Active
In-The-Wild

--

Same old story. Don't Use Flash v28.0.0.137 (or earlier) until Adobe provides an update! The update should be out this coming week. Keep an eye out.

The current known attack vector, CVE-2018-4878, is a malicious Microsoft Excel document containing a malware Flash object which, when opened, triggers the installation of ROKRAT, (Remote Administration Tool), capable of taking over the infected computer. At this time, the infection vector is assumed to have originated in North Korea and is primarily targeting South Korea.

Adobe's Security Advisory:
A critical vulnerability (CVE-2018-4878) exists in Adobe Flash Player 28.0.0.137 and earlier versions. Successful exploitation could potentially allow an attacker to take control of the affected system.

Adobe is aware of a report that an exploit for CVE-2018-4878 exists in the wild, and is being used in limited, targeted attacks against Windows users. These attacks leverage Office documents with embedded malicious Flash content distributed via email.

Adobe will address this vulnerability in a release planned for the week of February 5.
More about the exploit from Dan Goodin at Ars Technica:

An Adobe Flash 0day is being actively exploited in the wild
Adobe plans to have a fix for the critical flaw next week.
... While the number of in-the-wild attacks exploiting Flash zerodays has dropped significantly over the past year or two, the risk posed by the Adobe media player remains unacceptably high relative to the benefit it provides most users. And now that word of the vulnerability is circulating, it wouldn't be surprising for other groups to use it against a much wider audience.
[Note that Ars Technica quotes the CVE as "2018-4877" as opposed to 2018-4878. I consider '2018-4877' to be a typo. Sadly, as usual, Dan's article is being quoted verbatim around the Internet along with the wrong CVE number. Stick with CVE-2018-4878, the CVE identified by Adobe. Because of the precautions taken at CVE.Mitre.org, it's impossible to identify the differences between these two CVE numbers until after the current zero-day as been patched. Meanwhile, the NIST (National Standards of and Technology) CVE database doesn't yet list either number. Bureaucracy at work. Zzzz.]

CONCLUSIONS:

Don't use Microsoft Excel
Don't use Adobe Flash

:-Derek

--