Macintosh Security

Apple Security Update 2011-005: DigiNotar Certificates Revocation

2011-09-09T16:11:00.000-04:00

--
This Apple Security Update is for Mac OS X 10.6 Snow Leopard and 10.7 Lion. I believe at this point we can forget about further 10.5 Leopard updates. But emergencies do happen.

Here is where you can read all about it:

About Security Update 2011-005

What's it all about? It's about the CRISIS of fraudulent SSL security certificates issued by the DigiNotar in the Netherlands, as well as other certificate authorities.

This will NOT be the last of the security certificate revocations. Expect another from Apple in sort order. The full extent of this CRISIS is still unknown and has most certainly not been stopped or contained. This may end up being the biggest Internet security crisis of the year.

Read more about it in my detailed article to follow.

ZeoBIT MacKeeper Crapware Marketing Moron Attack

2011-08-30T19:48:00.006-04:00

--
Yesterday I got hit with my first ZeoBIT MacKeeper bomber page while searching on Google. I call it a 'bomber' page because it uses JavaScript (the sworn enemy of web security) to force a popup page into your web browser, despite your popup settings. When the nasty page appeared and blared its rhetoric at me, I thought I must have found a new version of MAC Defender. But no, this is a legal Mac software suite being foisted at you via offensive marketing moron methods.

The nasty ZeoBIT MacKeeper popup page attempted to tell me that the Google result page I had open was considered potentially dangerous. Right. Therefore, I used Google again to find out what this crapware really was. I was pleased to discover that my net colleague Thomas Reed had created an excellent write-up about this crapware last week. Thomas and I work together in a Mac malware discussion group on the net. Enjoy:

Beware MacKeeper

I also found an article about MacKeeper provided by Daniel Feeney:

MacKeeper, a rather slimy tale

To quote one comment from Daniel's initial review of MacKeeper:

Mostly what they do is take existing features of your operating system and put it in one place, and make you pay for the privilege. Add in their aggressive marketing, the fact it uses Wine (classic half-assed windows developers trying to cash in on gullible Mac users), and the reports of horrible system performance after installing this crap, and well, do you really want to deal with it?

Needless to say:
I suggest that NO ONE install MacKeeper or believe a word ZeoBIT spew at you via their marketing moron attack methods.

[Marketing Moron: Any human who uses abusive or disrespectful methods of selling or promoting a product or service. Antonym: Marketing Maven. Use in a sentence: 'The decay of the modern business practices is morbidly illustrated by the unprecedented increase of marketing morons, self-destructive brigands who treat customers with contempt. ]

China Shows Their Cyber Warfare Cards, Oops

2011-08-22T19:04:00.002-04:00

--
The hilarity.

Red China has been hacking into USA computers, as part of what has been a declared cyber war, since 1998, the year they were provided 'Most Favored Nation' status. In 2007 the US feds finally couldn't hide this fact any longer after they found their Windows computers exposed to the Internet had been invaded with bots that were feeding every available bit of data back to Red China.

So I am laughing away at this bizarro news report via Neowin.net:

China accidently leaks Cyber Warfare software, US IP addresses being exploited

Well DUH! (0_o)

The source article at ThePochTimes.com is here:

Slip-Up in Chinese Military TV Show Reveals More Than Intended

Piece shows cyber warfare against US entities

There is no big revelation here except for people with their heads buried in the sand. Also, I'm not so sure China made a booboo here. I think they just don't care. China knows perfectly well that thoughful people of the USA know that China has been hacking us since 1998. China knows that we uncovered their internal memo, circa 2007, formally declaring cyber war against the USA. We know the Chinese government financially backed the Red Hacker Alliance. Officially China says 'no', but who cares? They lie. We know they lie. They know we know they lie... (>_<)

'Here world, check out our cyber war hackware. Enjoy yourselves. HaHaHa.'

The ACTUAL issue here is what the H E L L are the US feds are going to do about it?!

AND:
What are YOU going to do about it?
Buy more cheap crap from China?
Feed the Chinese military machine?
Help herald in the next Chinese empire?

I'm not, if I can help it.

And good luck to me with that endeavor! The USA is firmly latched onto the teet of cheap labor from China. The US Vice President was just over there making all nice to the commy dictators in order to persuade them to keep propping up the US debt despite recent Tea Party boobery.

What is an informed public to do when our US Corporate Oligarchy prevent the rule of the sane?
--

Adobe CRITICAL Security Updates for August!

2011-08-09T22:18:00.000-04:00

Adobe released another slew of 'Critical' security updates today. Here's the lineup:

- Adobe Shockwave Player - Update to v11.6.1.629. (Be careful which version you install, either 32-bit or 64-bit, to match the bit mode being used by your web browsers. If one version fails, uninstall it and try the other). Numerous memory corruption (buffer overflow) vulnerabilities.

- Adobe Flash Media Server - Update to v4.0.3 or v3.5.7. Memory corruption (buffer overflow) vulnerability.

- Adobe AIR - Update to version v2.7.1. (Apparently required as part of the Adobe Flash Player update).

- Adobe Flash Player - Update to v10.3.186.5. Numerous memory corruption (buffer overflow) vulnerabilities and a cross-site information disclosure vulnerability.

- Adobe Photoshop CS5 - Update via CS5/CS5.1 Standard Multiplugin Update. Malicious GIF file vulnerability.

- Adobe RoboHelp / RoboHelp Server - RoboHelp v9.0.1.262 users are NOT vulnerable. Earlier RoboHelp 9 users update via APSB11-23_1.zip. RoboHelp 8 users update via APSB11-23_2.zip. Cross-site scripting attack vulnerability.

You can access links to all the security announcements and update files here:

Adobe Product Security Incident Response Team (PSIRT) Blog

--

New: Trojan.OSX.BASH/QHost.WB.A, Posing as FlashPlayer.pkg Installer (heehee!)

2011-08-05T22:37:00.000-04:00

--
F-Secure has posted news about a new Trojan horse for Mac OS X. It is currently being called "BASH/QHost.WB". Using the standard malware naming system, the official name should be Trojan.OSX.BASH/QHost.WB.A. So far I am unaware of why it is being given a 3-part name. Most likely there will be the usual proliferation of other names across the anti-malware community before a final name is established.

F-Secure's report is well documented and worth reading here:

Trojan: BASH/QHost.WB

Why I'm laughing, heehee: Of all the software to fake for Mac OS X, it is HILARIOUS that these malware rats chose the Adobe FlashPlayer installer. Is there any more hated software for Mac OS X than Adobe Flash?! Oops. I don't see this Trojan becoming very proliferated. But there are always victims, so it is worth documenting what this thing does.

So far there is no documentation as to where the Trojan is found. As usual, double-check the source of ALL your software. NEVER install anything you've been sent or randomly picked up off the net without verifying it as legitimate. Obviously, the safest place to pick up the Adobe FlashPlayer software is directly from Adobe. Also keep in mind that Adobe FlashPlayer has historically been found to be profoundly insecure. Be absolutely certain you are installing the most recent version of FlashPlayer and check Adobe at least once a month for security updates.

When installing the fake FlashPlayer.pkg file, it looks like Apple's standard installer, fooling you that it is legitimate.

After installation, Trojan.OSX.BASH/QHost.WB.A takes over your 'hosts' file and damages it to dump your web browsers to a phishing site located in the Netherlands. The malware can easily damage the hosts file for further fake forwarding in the future. (Say that 10 times!). The Mac OS X hosts file is located here:

/private/etc/hosts

You can read about the purpose of the hosts file here:

Hosts (file) @ Wikipedia

The current version hijacks a series of Google web addresses. If you read F-Secure's notes you'll see that there are detectable differences between the real Google pages and the fake phishing pages.

Using the phishing site results in bogus search results. Clicking on the result URLs only returns you back to the phishing site. Meanwhile, however, the bogus site nails your browser with a series of pop-up pages which it grabs from a nefarious remote server.

At this time, the pop-up remote server is not providing any information to the phishing site. Possibly, this is a prototype malware being used either for demonstration purposes or to prove a hacking method to the hacking community. No doubt we will know more about the situation in the near future.

Most likely, Apple will be integrating a signature for Trojan.OSX.BASH/QHost.WB.A into their XProtect anti-malware system in Mac OS X 10.6 and 10.7. At the moment of my posting this article, Apple has not yet updated their XProtect.plist file.

Share and Enjoy!

:-Derek

Infamous SPAMRAT 'Spamford' Indicted, Facing A Possible 16 Years In Jail :-D

2011-08-05T13:47:00.001-04:00

I'm a veteran SPAMRAT hunter / destroyer. I've killed off so many SPAMRATS, I'm convinced I'm on their 'Do Not Spam' list for fear that I'll hunt them down and eliminate them. I very rarely receive SPAM in my email these days. Instead, I get verification and thank you notes from ISPs when they shut down SPAMRATS I've reported.

Therefore, it is with great glee that I read over the past couple days that the single most infamous SPAMMER of all time is facing a possible 16 years in jail for his nefarious damage to the Internet. Who's the SPAMRAT? It's Sanford 'Spamford' Wallace. He represents the ultimate Marketing Moron, an idiot who literally hates his customers and bombs them with marketing manure at every opportunity with no conscience, no respect for the consequences. I'd go so far as to label him and his ilk psychopathic, but don't consider me any expert on psychology.

Spamford's trial is scheduled to start August 22nd. Below are a few articles about the story so far.

Spam King Sanford Wallace Indicted for Facebook Spam

Infamous spam king could get prison time for Facebook spamming, phishing

Sanford Wallace @ Wikipedia

If you'd like to become a SPAMRAT hunter as well, here's a great place to start. I've been a paying contributor since 1998:

SpamCop.net

Every chunk of SPAM you turn in to SpamCop.net is verified, reported to affected ISPs, the offender listed on a SPAM blacklist provided free to the public. I've heard SPAMRATS rant in public about how much they hate SpamCop.net. Relish that thought. Contribute to the cause.

;-Derek

McAfee Figures Out That Red China Has Been Hacking The USA For Five Years

2011-08-03T11:01:00.006-04:00

Red China has been hacking the USA government since 1998, the year China was given 'Most Favored Nation' status. 1998 was the year the roots of China's government hacking gathered together and formed 'The Red Hacker Alliance'. It used to be that the Red Chinese government denied paying The Red Hacker Alliance for its services. These days TRHA has simply been integrated directly into the Chinese government. They no longer operate as in independent entity.

The USA government was forced to admit China's activity in 2007 after the public was informed that government Windows OS computers connected to the Internet had been infected with bot malware that was feeding ALL available USA government documents directly to China. An internal Chinese memo was also uncovered around that time which declared a cyber war against the USA.

And now we get to read that McAfee figured out, here in 2011, that Red China has been hacking the USA for the last five years. Incredible DUH Factor:

China Implicated in Massive Five-Year Long Cyberattack

Travel back to some of my earliest posts in this blog for more about the history of Red China's declared Cyber War against the USA. Here's a relevant article from 2006, five years ago:

'Red Hackers Alliance' seen behind attacks on U.S. sites

Here's a link to a post I made over at Soft32.com's Mac forum on May 31, 2007:

China Escalates Cyber War Against The World

As I quoted from the SANS Institute's NewsBites newsletter, Volume 9, Number 43:

--DoD Report: China Bolstering Cyber Warfare Capabilities (May 28 & 29, 2007)
China "has established information warfare units to develop viruses to attack enemy computer systems and networks, and tactics and measures to protect friendly computer systems and networks," according to a recent report from the US Defense Department (DoD). In previous years, the Pentagon's annual report to Congress on China's military power has indicated that China was focusing on defensive measures, so the shift to offensive tactics merits attention.

So where have you been for five years McAfee? And why does the tech press think McAfee's late revelation is news?

Here are a further few China cyber war articles from way back when:

May 30, 2007

Cyber Warfare: Beyond Estonia-Russia, Rise of China's 5th Dimension Cyber Army for the 21st Century

September 14, 2007

China emerges as leader in cyberwarfare

October 9, 2009

Capability of the People’s Republic of China to Conduct Cyber Warfare and Computer Network Exploitation

CONCLUSION: Think about Red China screwing over the USA as well as the rest of the world the next time you buy cheap stuff 'Made In China'. Wonder why the USA still provides Red China with 'Most Favored Nation' status considering the fact that China has declared war against us. Think about the motives of the traitorous Corporate Oligarchy that really rules the USA government.

Current Mac Malware, 2011-07: Introduction

2011-07-08T16:20:00.000-04:00

In order to help Mac users understand the current state of malware on the platform, I am providing a review of each current form. This will not be an exhaustive review, but should help relieve much misunderstanding and concern about the ongoing, many years old, anti-Apple security FUD Fest.

I will be going through the malware in reverse chronological order, featuring the most current concerns first and the oldies but gnarlies last.

The first thing to know is that technically, ALL currently active Mac malware are Trojan horses. That means that they are entirely inert until such time as a user (or 'LUSER', in cynical terminology) inadvertently installs them.

I am NOT including any hacker tools or 'legal' spyware in my details articles. These require a third party to be able to physically access your computer and directly install them for their nefarious purposes. You won't personally be in any danger of installing them unless a hacker or IT administrator directs you to do so. They require hackers or administrators to access your computer in order for them to do any harm. I may address these forms of software at another time. I am more concerned about what YOU might mistakenly install.

THE LIST:

1) Trojan.OSX.MACDefender.A - O [15 strains]

2) Trojan.OSX.BlackHoleRAT.A - C [3 strains]

3) Trojan.OSX.Boonana.A

4) Trojan.OSX.OpinionSpy.A - B [2 strains]

5) Trojan.OSX.iServices.A - C [3 strains]

6) Trojan.OSX.PokerStealer.A

7) Trojan.OSX.RSPlug.A - Q [17 strains]

The total number of Mac malware species are 7.
The total number of Mac malware strains are 42.

The 'Malware' Hacker Tools I Am Leaving Out:

'Trojan'.OSX.Lamzev.A

'Trojan'.OSX.Hellraiser.A - D [4 strains]

There are a number of inert malware as well as 'Proof of Concept' malware of no concern which I have also left out of my list. You may find them on other lists but you won't find them infecting anyone with up-to-date computers, apart for test computers in a lab. (A famous example of 'Proof of Concept' malware is Trojan.OSX.Oomp.A, aka Trojan.OSX.Leap.A. It is of no consequence or importance).

If you'd like a list of current 'legal' spyware, I suggest the list kindly provided at the MacScan/SecureMac site.

Note that, due to the lack of adherence to standards within the anti-malware community, there are a lot of name variations for the exact same malware. In the case of the MAC Defender Trojan I discovered 15 different names. I am not including them here in my list as these alternative names are irrelevant and needlessly confusing. What I have listed here are the 'official' names from my point of view as well as those whom I consider to be professional experts and original malware discoverers in the field. However, I will be listing a number of the alternative names in my subsequent articles that provide details about each of the current malware species.

As ever, I request corrections to my information. If I have missed a malware species or strain, please let me know asap. Much appreciated!

World Laughs At China's Blundered Trickery

2011-07-01T17:38:00.004-04:00

There are few things as carthartic as a good laugh in the face of deceitful intent.

Just in time to counter 'China Chip-gate', officials of the totalitarian 'communist' nation are caught using blundered Photoshop trickery for a publicity photo. The press is all abuzz about the magical picture where three Huili country officials are miraculously floating inches above the road they are inspecting.

Such is the level of attention to facts and honesty in the current Chinese culture. (0_o)

Joyfully, the ongoing response around the world has been to copy and paste the Huili officials into various other scenarios. Do a search on the terms 'Huili officials' and you'll get a boatload. Check back often for new configurations. ;-)

Google: Huili officials

Here is an article about the hilarity that includes an incredible number of creative examples:

Floating Chinese Government Officials Inspect New Road

For your own photo trickery pleasure, I have provided rough .PNG images of the three Huili officials, with invisible backgrounds. Just drag them out of the article into your favorite scenario! It's fun. Post your images to the internet and be sure to put 'Huili officials' in the title.

Share and Enjoy,

;-Derek

China Laughs At US Federal Security

2011-06-29T01:25:00.011-04:00

Way back in 2007, when I started this blog, I had a run in with the members of China's 'Red Hacker Alliance'. I reposted their history and reiterated hacker crimes they'd been pulling against the USA since 1998, the year China was given 'Most Favored Nation' status. 2007 was the year the US feds finally admitted the reality of the situation, after the Chinese government memo declaring 'Technology War' on the USA became public knowledge, after the US feds discovered that every one of their computers connected to the Internet had been botted by Chinese malware, sending to China ever piece of accessible data.

•••

Now here we are 4 (FOUR) years later and THIS happens:

The Navy Bought Fake Chinese Microchips That Could Have Disarmed U.S. Missiles

If left undiscovered the result could have rendered useless U.S. missiles and killed the signal from aircraft that tells everyone whether it's friend or foe.

Who can blame China for laughing?

•••

How about the Obama administration offers me the CIO cabinet position? I couldn't possibly do any worse.
--

More Critical Adobe Security Updates blahblahblah

2011-06-10T03:41:00.000-04:00

--
If you haven't gotten the hang of it yet, despite Adobe's scheduled quarterly updates to their software, they've been pushing out security updates at the rate of about once a month. March was no exception. April was no exception. May was no exception. I didn't bother to announce them all here because it has become all so predictable that I figure everyone knows to watch for them coming.

And now it's June. Here comes the quarterly update, like we care that it's quarterly. Why Adobe bother with his BS is beyond my comprehension. I personally think they're nuts over there.

So here we go, the quarterly update announcement is HERE. The quarterly update comes out Tuesday, June 14th. As per usual, it is a CRITICAL security update. It will be for both Adobe Reader and Adobe Acrobat.

If you'd like to keep track of when future 'out of band' (non-quarterly, once a month) security updates from Adobe are released, the two best web locations are:

Adobe Security Bulletins and Advisories

Adobe Product Security Incident Response Team (PSIRT) Blog

Predictable as these 'out-of-band' critical security updates have become over the last full year, keep in mind that if you use Adobe's stuff, it is important to keep up-to-date with their security patches if you want to keep your Mac as safe as possible.

Over and out.
--

The CARO Malware Naming Scheme

2011-06-04T03:01:00.005-04:00

In 2009, amidst my trying to sort out why malware naming is chaotic within the anti-malware community, I came across an elegant malware naming system from CARO (The Computer AntiVirus Researcher's Organization) that is considered the standard. It has no competing proposed system apart from the 'whatever' mess practiced by the various anti-malware researchers/companies.

Recently I have been volunteering time with a group of other Mac security geeks as we try to keep track of what is going on with the Trojan.OSX.MAC Defender scamware series and provide malware signatures to the ClamAV Open Source project. One of our members was musing about applying the biological taxonomy system to malware naming. I wrote back that malware naming doesn't successfully fit within that system. Instead I described the CARO Scheme while tossing in a few of my usual rants about chaos in the anti-malware community. For those interested, here is my description of the CARO Scheme:

~~~~~~~~~~

There is an standard malware naming system called the 'CARO Malware Naming Scheme'. Despite its existence and age, it is generally ignored in favor of chaos. As the description article itself states:

No matter how good a naming standard, it is mostly worthless if nobody is using it. And, as experience has demonstrated, some anti–virus producers would fol- low their own malware naming scheme in royal disregard of any proposed standards.

You can read about the CAROS scheme here:

http://www.people.frisk-software.com/~bontchev/papers/naming.html

To quote:

The general format of a Full CARO Malware Name is

[(type)://][(platform)/](family)[.(group)][.(length)].(variant)[(modifiers)][!(comment)]

where the items in square brackets are optional. According to this format, only the family name and the variant name of a piece of malware are mandatory and, as we shall see later, even the variant name can be omitted when reporting it. The Full Name is white space–delimited. That is, it cannot contain white space (i.e., space, tab, car- riage return, line feed), and there is a white space before and after it.

Here is the general CARO approach:

1) The name starts with the type of malware. For Macs, all the malware are Trojan horses. Therefore, they all begin with 'Trojan' followed by a period.

Due to the mixed types of malware being created these days, this can get messy. Some malware these days are Trojans that infect the target with a bot, which itself is a worm by way of spewing SPAM or DDOS attackes. This is the case with the iServices Trojan. But I believe the best approach here is to name the malware type as that which is initially presented to the target computer. Therefore, Trojan works in all the current Mac cases.

However, I still argue that hacker tools are NOT Trojans. They're just hacker tools. They are only infected onto computers by way of 'LUSER' behavior whereby a hacker inadvertently has physical access to the target computer.

2) The malware type is followed by the target OS name. In our case it is 'OSX'. Previous to Mac OS X, the term 'MacOS' was used. But since Mac OS X is certified UNIX, the term 'Mac' is being dropped and only 'OSX remains. The OS name is followed by another period.

3) The third part of the name is supposed to be left to whomever first discovers the malware in the wild and chooses a name for it.

For example, Andrew Welch (of Ambrosia Software) was the first person to fully describe and name the proof-of-concept Trojan which he named "Oompa-Loompa" or simply "Oomp". Using his variation on the Caro scheme, the resulting name was:

Trojan/OSX/Oomp-A

But Symantec has more clout than Andrew and after his work pushed out the name 'leap' instead, resulting in their name of it:

Trojan.OSX.Leap.A

4) The fourth part of the name specifies the variant, starting with A through Z, proceeding to AA through ZZ, etc. Therefore, at this point we have (I think):

Trojan.OSX.MAC Defender.A

Trojan.OSX.MAC Defender.B

Trojan.OSX.MAC Defender.C

Trojan.OSX.MAC Defender.D

Unfortunately, it is left up to interpretation as to what constitutes a new variant. As I noted over the weekend, I've seen MAC Defender.E listed, for reasons I cannot explain. With the two new proven varients, apparently that naming source would be up to MAC Defender.G at least, at this point.

I like Shawn's idea about digging into the actual Trojan app's Contents directory to check out the guts of each potentially new 'variant'. The web page GUI variations are clearly of little importance compared to the actual Trojan app variations.

5) If there are further details about a specific malware, they are typically put in parentheses after the variant identifying letter. For the MAC Defender variants this would include all the names for the installer files and the various names the Trojan application gives itself. Therefore, we could have:

Trojan.OSX.MAC Defender.B (aka Apple Security Center, aka Apple Web Security...)

~~~~~~

I have never seen the Caro scheme used exactly in the original proposed format. But the general approach of focusing from abstract to specific has remained in most of the offshoots of the scheme. Typically, the separators between the naming items are simply periods, as in:

Trojan.OSX.MAC Defender.A

Intego stick to this specific pattern.

Microsoft use a colon instead of the first period, resulting in:

Trojan:OSX.MAC Defender.A

See:

http://www.scribd.com/doc/55285854/37/Appendix-A-Threat-Naming-Conventions

Some companies choose to use forward slashes and dashes in their malware naming, resulting for example in:

Trojan/OSX/MAC Defender-A

Overall, because this is what I call 'The Wild West Era' of the anti-malware community, malware naming chaos reigns. There are commonly three publicly published names from various anti-malware researchers/companies for exactly the same malware. In the case of MAC Defender I've counted over 15 names at VirusTotal for what may only be MAC Defender.A.

I hope my lecture was helpful. ;-)

:-Derek
--

XProtect from Apple, New MAC Defender variant: Excellent Summary from Sophos!

2011-06-02T15:40:00.002-04:00

--
Early this AM Sophos published an EXCELLENT article about Apple's XProtect software. XProtect is part of Mac OS X 10.6 Snow Leopard (not 10.5 Leopard, sorry). It was updated as part of Apple Security Update 2011-003 this past week. It now automatically checks every 24 hours for new malware signatures from Apple. It's terrific! Except the malware rats immediately responded with a new work around version of the MAC Defender (the correct spelling) Trojan horse series. And that sucks.

Read all about it!

Apple to malware authors: Tag, you're It!

. . . Apple's XProtect is not a full anti-virus product with on-access scanning. XProtect only scans files that are marked by browsers and other tools as having been downloaded from the internet.

If the bad guys can continually mutate the download, XProtect will not detect it and will not scan the files downloaded by this retrieval program. Additionally, XProtect is a very rudimentary signature-based scanner that cannot handle sophisticated generic update definitions. . .

Keep in mind folks that this is a series of Trojan horses. Our computer's worst security flaw isn't Mac OS X! It's you and me. WE install Trojan horses, not our computer. Trojan horses are the bane of EVERY computer. Every Windows box, every Mac, every Linux box, etc., is vulnerable to Trojan horses.

Therefore, the 'Security Through Obscurity' ignorant FUD trolls can take a nap. Trojan horses do not apply. (And why is that? Read the paragraph above over and over until it sinks into your empty troll heads).

What IS new is that social engineering malware rats have hit the Mac in a persistent wave. If Mac LUSERS weren't falling for their fake anti-malware, they wouldn't bother. It's time for we the Mac users to grow up and pay attention to EVERYTHING we click and EVERYTHING we install.

There are psychopaths (aka malware rats, Neo-Con-Jobs, TardPartiers, The Red Hacker Alliance, etc.) out there in the world. They want EVERYTHING they can lay their self-destructive claws and fangs on. Nothing is sacred. We are the target, as well as themselves. That munching sound is them eating your computer, while their own insecurities eat them.

The Rules Of Computing: Keeping Your Mac Secure

2011-05-19T18:07:00.009-04:00

--
When I was a computer newbie, what I heard repeatedly was "The Number One Rule Of Computing is Make A Backup!" I've been working on an extended list beyond one item in order to help newer newbies consider further aspects of their computer experience that can help save them in a crisis. I don't consider my list definitive or even finished. But I like the list enough to publish it as a starting guide. So here I go:

The Rules Of Computing

1) Make a backup. Have two backup strategies. One strategy regularly backs up your crucial data to local external media away from your computer. The other strategy backup up this same data to an off-site location, such as in 'the cloud' or onto external media you take to a separate location each day. The idea is to have an off-site backup in case your computer site burns to the ground. Backups are also your first and best defense against malware damage and hardware failures. If you don't back up your data, you get what you deserve.

2) Verify all software before installing it. Verify your software source is reliable and that the software itself is reliable. Look up the software title on the Internet using a search engine to discover if it has been reported as problematic. Download software from reliable sources such as VersionTracker, MacUpdate, Major Geeks, etc. Don’t ever blindly install emailed software. It could be malware.

3) Verify that websites you visit are legitimate. This third rule is difficult to implement on your own. Use tools provided inside web browsers, as well as add-on browser extensions, that help you check websites you visit against a blacklist of known bad websites. One of the most popular ways of spreading malware at this time is via 'drive-by' infections via JavaScript and Java. Don't ever blindly click on web links in email. The could be sending you to a malware infection or identity phishing website.

4) Keep your computer up-to-date with the most recent security updates. Apple provide security updates on a regular basis. Security Preferences, built into Mac OS X, should let you know when an update is available. You can also open Security Preferences yourself and have it check for you.

5) Use a 'Standard' account when surfing the Internet or using your Mac on any network. Do NOT use an 'Administrator' account in these situations. This is not a cure all to prevent your Mac from becoming hacked or malware infected. But it adds a terrific layer of security to help prevent malicious root access to your computer.

6) Password protect your user account. Make sure your account password is not a dictionary word or you'll be hacked in no time flat. Use something long and obscure that you can remember but that you expect no one could guess. To this day I run into people who tell me 'But I'm the only one who uses my computer!'. Cure your ignorance please. There is NO excuse for not protecting your computer with a password. If you don't protect your user account, you get what you deserve.

Yes, I'm that mean and cruel when it comes to computer security. There are wonderful security strategies and tools that Apple provide, such as Time Machine, Disk Utility, Standard user accounts and password protection. If you don't put them to use, I have no sympathy! If you have questions about how to make them work for you, write to me, talk to Mac users you know, contact users on the Internet or at your local Mac user group. These tools are not difficult. They are important and they are FREE.

A Few Further Strategies:

I'm only going to list these strategies as they are more complicated and involved to install and get running. What's important is that they are available, they are also FREE, and they may well save you from giving away data to the bad guys.

A) FileVault. You will find it inside the Security System Preferences. It lets you transparently encrypt your entire user account folder so no one can ever get to your data without knowing the decryption password. This is rock solid encryption you can rely upon. Apple will be providing an option for encrypting your ENTIRE computer hard drive in Mac OS X 10.7 Lion. I personally consider whold drive encryption to be overkill. But it is considered to be critical in Enterprise business situations. Note that there are some minor dysfunctions that result from encrypting your user account. But if you have critical data, it is an excellent security tool.

B) Firmware Password. Apple provide a utility to set their Firmware Password Utility on all Mac OS X installation DVDs. It adds another layer of security to keep the bad guys out of your computer. Sadly, it is not fool proof. A tech savvy bad guy can work around it. Encryption is a much more effective tool. Also note that you lose some minor computer functionality when you use a firmware password.

C) GnuPG, aka GNU Privacy Guard. I have been using GPG for many years at this point. I'm a fairly infamous critic of the bugs that have should up in the related tools from time to time. Also note that GnuPG has a steep learning curve and can be a bit frustrating. However, it is a FREE and brilliant tool with many users. You can encrypt and password protect anything you like. The Apple Mail tool lets you digitally sign all your email in order to verify exactly who you are to those who receive your email. You can encrypt your email such that no one can read it in transit over the Internet. It lets you create any number of encryption keys as well as collect public keys from your friends and acquaintances. And more! If you want to be serious about encryption, GPG is excellent. These days it also has a terrific group of developers dedicated to keeping it bug free and up-to-date.

D) Disk Utility. Among the many features of the Mac OS X Disk Utility application is the ability to create encrypted, password protected .sparseimage files. I absolutely love this feature and use a sparseimage I created all day, every day. I have my sparseimage open every time I log into my user account. I provide the decryption password and it sits on my desktop like a disk volume. Anything I put into it is encrypted and unavailable to anyone but me as soon as I close the disk image. Because its a sparseimage, it can grow to as large a size as you choose as you add more into it. Recently the DropBox application and server have become notorious because nothing-at-all is encrypted when you use it. That can be very bad. However, I work around this problem by putting only my sparseimage file into my drop box. No one has any access to anything I have in my DropBox ever, thanks to this great tool.

E) Anti-Malware applications. I own, use and love Intego's VirusBarrier X6 ($50). There aren't any better anti-malware applications, period. But I have to pay for malware signatures every year. If you are a professional user, VirusBarrier is well worth the cost.

If you're a casual computer user, paying for anti-malware is a bit less critical. I've worked fairly closely with Mark Allan and friends who develop and support the FREE program ClamXav. There was a time when I had quite the run-in with the ClamAV Open Source project because most volunteers there cared not-a-whit about Mac OS X. But gradually Mark and I managed to turn a few heads and encourage them to get up-to-date with current Mac malware. At this point in time I can tell you that just about all current Mac malware is being detected by ClamAV. Therefore, I highly recommend downloading, installing and running ClamXav from time to time if you are concerned about malware. The GUI Mark provides is excellent.

Also, if you own Snow Leopard Cache Cleaner ($15) you will find that it includes its own implementation of ClamAV, also highly recommended. I no longer recommend free iAntiVirus as it is now out-of-date and less effective than the ClamAV alternatives.

There are plenty more security tools and strategies, both free and for a fee. But the above is a good start with reasonable coverage.

For the extra security conscious, as ever I highly recommend the TWiT.tv podcast 'Security Now' with the most excellent Steve Gibson. It gets highly technical but is wonderfully presented and very contemporary. You can look up the podcast in iTunes or visit its dedicated webpage at:

http://GRC.com/SecurityNow

:-Derek
--

US NSA (National Security Agency): 'Hardening Tips for Mac OS X 10.6 Snow Leopard'

2011-05-19T16:57:00.000-04:00

I believe I mentioned this publication last year. I was reminded of it by a tweet from Dr. Charlie Miller today:

NSA's hardening tips for OS X 10.6 < looks like a good way to make things randomly stop working.

Oh dear. But the brochure has helped me today to finish up my current 6 Rules Of Computing list, which I will post as my next article.

Overall, the NSA's 'tips' are fine and useful. But they go a bit mental over trivial points. Some examples:

A) Their section entitled: "Au Revoir, Bonjour!" is TechTardy from my POV. They suggest using a Terminal command to turn Bonjour off. Ignore it. Bonjour is an innovation I personally love. It has nothing (so far) to do with compromising a Mac's security.

B) Their section entitled "Disable Bluetooth and AirPort Devices" is whacked. I'm all for killing off Bluetooth technology, which I despise as decrepit, low bandwidth, buggy and insecure. But to have the NSA say you need a "certified technician" to remove your Bluetooth hardware is absurd. Equally, their suggestions about disabling AirPort are strange and likely to lead to unnecessary confusion.

C) Their redundant "Disable IPv6 and AirPort when Not Needed" section continues the strange and confusing. There is no reason to disable IPv6 at all. In fact, a year from now we are all going to find IPv6 to be essential when surfing the web.

Etcetera.

The weak points in the brochure continue to dismay my trust in US government comprehension of contemporary technology. I've railed against NSA technology ignorance before and at this rate I expect I'll be railing on them for years to come.
--

FUD! FUD! FUD! FUD! Anti-Apple Security FUD for the last SEVEN and a half years! Hee hee hee!

2011-05-19T16:18:00.000-04:00

So what does computer security FUD actually signify? Insecurity on the part of those who perpetrate it.

If you haven't read it already, here is a wonderfully insulting article about the ongoing anti-Apple security FUD Fest. It is from John Gruber of DaringFireball.net:

Wolf!

Hey, I learned something new! It was NOT Symantec who kicked off the FUD Fest in March 2005! It was Eric Hellweg, October 2004, in an article entitled "Hackers Target Apple? Congratulations!"

Let's stroll down nostalgia lane and read some of what Mr. Hellweg perpetrated:

The Apple community has, since its inception, been largely immune to nefarious hackers bent on spreading harm. If you are a Windows user, as I am, you know the routine. You complain about the latest spyware or virus attack, and Apple devotees respond with good-natured teasing — they don’t have worry about such nonsense. Well, now they do.

Predictably, posts on various Apple-related message boards have been offering varying levels of concern, ranging from mild disappointment to utter gloom. I think this reaction is fundamentally misguided. MAC users should not be upset about this malware news; they should rejoice.

What is really going on here? It's called Defective Rationalization, Deceptive 'Truth', or more popularly, the act of being an Apologist. From WordNet:

apologist

n : a person who argues to defend or justify some policy or institution; "an apologist for capital punishment" [syn: vindicator, justifier]

What is being 'justified' or 'vindicated' by all the anti-Apple security FUD, hate, cynicism and doom mongering?

Windows

Here is what I consider to be the definitive publication on the subject:

The World's safest Operating System

London, UK - 19 February 2004, 17:30 GMT - A study by the mi2g Intelligence Unit reveals that the world's safest and most secure online server Operating System (OS) is proving to be the Open Source family of BSD (Berkley Software Distribution) and the Mac OS X based on Darwin. The study also reveals that Linux has become the most breached online server OS in the government and non-government spheres for the first time, while the number of successful hacker attacks against Microsoft Windows based servers have fallen consistently for the last ten months.

That was in 2004. Since that time, to be fair, Microsoft got more serious about security with Windows Vista. They refined their security features in Windows 7ista. These two operating systems have been significantly more secure thanks to features like ASLR (Address Space Layout Randomization) and DEP (Data Execution Prevention). These are security features that Apple has yet to perfect in Mac OS X. And yet, even Windows 7 has enough security holes to keep the the Windows operating system on the bottom of the OS security list.

(One example: The Canonical Display Driver security bug in 64-bit Windows 7, May 2010).

Let's perform a brief Compare and Contrast exercise:

New Mac OS X malware this past week, as reported by Sophos:

• OSX/FakeAV-DPU: 4 variations of a scamware anti-malware Trojan horse (MAC Defender, MacSecurity, MacProtector...).

New Windows malware on May 10th, as reported by Sophos:

• Troj/Hiloti-BZ
• Troj/FakeAV-DPV
• Troj/Avent-RNY
• Troj/DwnLdr-JAZ
• Troj/SpyEye-AJ
• Troj/Agent-RNZ
• Troj/FakeAV-DPT
• Troj/JavaDI-CF
• TrojDwnLDR-JAY

New Windows malware May 11th, as reported by Sophos:

• Troj/Mdrop-DKE
• Troj/Sasfis-O
• Troj/Zbot-AOY
• Troj/Zbot-AOW
• W32/Womble-E
• Troj/VB-FGD
• Troj/FakeAV-DFF
• Troj/SWFLdr-W
• W32/RorpiaMem-A
• Troj/Agent-RNT
• Troj/DwnLdr-JAE
• Troj/FakeAV-DPS

Get the idea? That's about 70 new malware per week for Windows compared to 1 new malware per week for Mac OS X, and that's a heavy week for Mac malware. That's a rough ratio of 70 : 1. Keep in mind that the current ratio of Windows market share to Mac market share is about 87% : 10% or about 8.7 : 1. Note how the malware ratio is not tracking the market share ratio.

What if we compare the total number of currently active Windows malware to the current number of active Mac OS X malware?

Finding any published number appears to be impossible. I have what I consider a definitive number of currently active Mac OS X malware because I collect data on all of them as they appear in the wild. That number is 30, as of today anyway. That generously includes four variations of the scamware anti-malware app originally called MAC Defender.

To come up with a number for Windows malware, I had to do a bit of work. First I went to Symantec's Threat Explorer and collected the numbers they provided from A-Z. I then subtracted the number of Mac OS X malware in their list. That total of Windows malware detected by Symantec, as of today, is 39,335. Why this number is so small compared to other estimates is up to Symantec. I don't mind!

39,335 : 30 = 1311.17 : 1

That's about 1311 x more malware for Windows than for Mac OS X.

Using our market share ratio of 8.7 : 1, let's create a proportion equasion of malware on a per user basis. This means, if the number of users of both operating systems was equal, how many more malware are there for Windows than for Mac OS X?

1311 / 1 = (8.7 / 1) * X

X = 150.69 per user

That means, on a per user basis, there are about 150 times more malware for Windows.

150x ! ! !

And this does not equate to poorer Windows security because why?

Oh and so much for the 'Security Through Obscurity' baloney. What's obscure is the number of Mac malware as well as the intelligence of STO proponents.

FACT: There is no such thing as a perfect operating system. Mac OS X has security holes discovered and patched on a regular basis.

FACT: Since I noticed the start of the anti-Apple security FUD Fest in 2005, Apple have exponentially increased their attention to security. I like that. Thank you FUDsters and hackers!!!

FACT: I've never encountered a Mac OS X malware infection. I run an up-to-date copy of Intego Virus Barrier X6 to verify this fact. I have also run VirusBarrier X6 against a collection of malware provided to me by friends. It works.

FACT: Nearly all Mac OS X malware requires social engineering / LUSER behavior in order to be installed on a Mac. There are no viruses or worms for Mac OS X. There are no malware that exploits any Mac OS X security hole.

FACT: The vast majority of hacks and cracks into Mac OS X have been either through 3rd party software, such as Flash, PDFs and JavaScript, or through Apple's Achilles Heel of insecurity: QuickTime.

If you're a Windows apologist and would like to dispute my numbers or information, please post a comment. (Troll posts will be tossed).

Meanwhile, here is a reiteration of my often stated complaint against Apple's worst security flaw:

HEY APPLE!

Why didn't you finish the 64-bit rewrite of QuickTime X LAST YEAR?!?!?!

Where the H E L L is it?!

Seriously! What is your problem Apple?! You're going to stick us with 32-bit QuickTime 7 again in Mac OS X 10.7 Lion? In a fully 64-bit operating system? Disgraceful.

Removing Scamware: Generic Instructions

2011-05-10T16:42:00.006-04:00

With the ongoing FAKE anti-virus scamware (rogueware/scareware) rat attack, I thought it would be useful to provide a generic set of instructions for removing these annoying and illegal programs. Clearly the rats perpetrating this garbage are persistent. As of May 8th there are three versions of this scam. Therefore, keeping these instructions generic is all the more useful. If you have any questions, please comment below and I'll do my best to update these instructions to provide better clarity.

BTW: Thanks to the folks at MacScan for getting the ball rolling with their instructions for removing the MAC Defender scamware.

How To Remove Scamware (v1.0.0):

Introduction: There are three concerns when removing scamware. The first is stopping the currently running scamware process. The second is removing the application. The third is removing any reference to application in your startup process files. You will see these three concerns addressed below. (Note that this removal procedure does NOT apply to rootkit infections, which require a more complicated removal procedure).

Stomping Steps:

1) Note the name of the scamware (rogueware) you have inadvertently installed.

2) Run the Activity Monitor program, located in your Applications/Utilities folder. Be certain that the pop-up menu at the top of the app's window is set to "All Processes".

3) Filter or scan down the list of active processes for the name of the scamware. In the case of "MAC Defender", the process is named 'MacDefender'. Similar process names most likely will apply to other scamware. (Note: It is easier to scan the list of processes if you click the "Process Name" column header in order to sort the process names alphabetically).

4) Click on the name of the scamware process to highlight it.

5) At the top left of the app window, click on the "Quit Process" button. It looks like a red stop sign.

6) In the resulting drop-down box, click on "Force Quit". That stops the scamware process from running in your computer, for the moment. You can Quit Activity Monitor at this point.

7) Navigate using the Finder to the Applications folder. It is likely that somewhere in this folder will be the application file for the scamware. Either Search for it or scan down the list of applications (including inside the Utilities folder) to find it.

8) Click on the name of the scamware. Drag it to your Trash. Empty your trash. (Note that if you attempt to empty the trash while the scamware is still running, the system will stop you. Quit the scamware process first via Activity Monitor).

9) Remove any reference to the scamware from your startup process list: You can do this by opening your System Preferences the opening the 'Accounts' preferences pane. Along the top of the pane you will see two tab buttons. Click on 'Login Items'.

10) Scan down the list of Login Items until you see the name of the scamware. Click on the name to highlight it.

11) Click on the minus sign (-) below the list in order to remove the scamware from your Login Items. You're done.

That may be all you need to do to get rid of the thing. There are other ways for malware in general to infect themselves into your system. If further search and navigation methods are required to remove further traces of the scamware, I will add them to the instructions above and progress the version number of these instructions another iteration.

Hope that helps!

:-Derek

"Mac Security" Scamware: Variations on a Fake

2011-05-05T17:43:00.001-04:00

How I love the hunt!

Today's prey is an Internet rat known as species 'Scamware stupidicus'.

The rats who brought you the scamware (rogueware) "MAC Defender" (see my previous blog post) have now tweaked their code slightly and renamed the thing "Mac Security" with an installer entitled "BestMacAntivirus2011.mpkg.zip" which expands to the installer file "MacSecurity.mpkg". Expect there to be other name variations.

Good old Intego discovered this new variation, posting an article and a "How It Works" video here:

Intego Discovers New Variants of Mac Defender Fake Antivirus

You can directly watch the video on YouTube HERE.

Intego have updated their Virus Barrier malware signatures to detect this new rodent excrement.

What is hilarious about this scamware is the LAZINESS of the hacker rats who wrote it. The interface for the scamware is that of Microsoft WINDOWS!!! Hardy har. If you've used Windows in the last decade, you'll spot it immediately as BOGUS.

At this time the dangers are:

A) You fork out $money$ to buy useless garbage.

B) You give away your CREDIT CARD to criminals. It's a good as posting your card publicly on the Internet.

C) You give away your computer's PASSWORD. (This is now clearly evident from Intego's provided video). Consider yourself as good as PWNed (i.e. botted, i.e. zombied, i.e. no longer in control of your computer). So far the Trojan horse software is 'empty', containing nothing dangerous. But it could! Most likely, future variations will.

As with all current Mac malware, this POS relies upon social engineering, aka LUSER behavior, to entice the user to install it. Don't do that!

To keep ourselves safe, let's chant the mantra of...

The Top Two Rules Of Computing:

I) Make A Backup.

II) Verify All Software Before Installing It Or Running It.

(I'm considering using the following as Rule III:
III) Verify all links before clicking them).

Happy shooting!
--

FAKE "MAC Defender" Scamware Attack via infected Webpages

2011-05-04T13:53:00.004-04:00

What is 'scamware'? (Also known as 'rogueware'). It is a form of malware that pretends to be something it is NOT in order to use social engineering / LUSER behavior to get you to install actual malware. The most numerous kind of scamware occurs on the Internet where you visit a web page and start getting bombarded with messages on your screen that you have been "INFECTED" with whatever, when in fact you have NOT. If you are, let's be blunt, foolish enough to allow your web browser to automatically download software, or even worse, if you allow your web browser to actually OPEN what you automatically download, you're a prime sucker for scamware. Don't do that!

This is the very first instance of actual working scamware for Mac OS X that I am aware of. The most excellent SANS NewsBites Volume 13 Number 35 newsletter issue provides an announcement of the situation as well as resource links. You can sign up for the free SANS newsletters HERE. (I occasionally have disagreements with SANS over their FUD publishing and spelling, but overall they're a terrific resource).

DETAILS

The Scamware: "MAC Defender" (Note the spelling difference from 'MacDefender', which is an actual program developed in Germany, sadly hurt by bad publicity created due to the 'MAC Defender' scamware).

The Infection Vector: Web pages.

The Setup:

1) Through nefarious means, the scamware tosses messages on your screen that you Mac has been infected with something. It insists that you pay $money$ to install the scamware Trojan horse in order to remove the fake 'infection'. Here is an illustration kindly provided by PCWorld.com.

2) If you foolishly allow your web browser to download software, the infected web page will IMMEDIATELY auto-download the Trojan horse to your Mac. THIS IS BAD!

3) If you foolishly allow your web browser to open software it has automatically downloaded, the Trojan horse will automatically open. THIS IS VERY BAD!

4) If you happily never allow auto-anything, then you could still be coerced into clicking the download link for the scamware Trojan horse. Worse yet, you might even open the Trojan horse on your computer. DON'T DO THAT!

At the moment, this scamware attack is occurring at a variety of web pages related to the killing of terrorism scourge Osama Bin Laden. Be extra special watchful at such websites for this scamware.

The STING: You fork over $money$ and your CREDIT CARD information for what is worthless garbage software that does nothing at all. Your credit card has just been stolen.

Note how I still call this scamware a 'Trojan horse'. There are two reasons why. First, it's not what it pretends to be, despite it being an 'empty' Trojan horse. Second, the scamware could easily contain one of the current actual Mac OS X Trojan horses, three of which are capable of botting your Mac. And that's very very bad.

How to Protect Yourself:

A) The Second Rule of Computing! Verify the authenticity and legitimacy of absolutely every piece of software you are tempted to install. In this case, you'll save yourself spending $money$ on worthless garbage as well as your credit card information. Also, seeing as there are currently 28 different Trojan horses for Mac OS X, (26 actually, if you exclude the hacker tools), you'll be preventing yourself from getting infected for real.

Adding to SANS Editor Northcutt's comments in NewsBites, dangerous malware can be hidden in nearly any piece of software. This includes anything you are sent (via email or chat, etc.) or anything at any Internet location.

B) Don't auto anything! That means no auto-download or auto-open. Turn all such features OFF in your web browsers and other Internet related applications. (All such features should be removed from all programs as they are inherently dangerous).

C) Use a decent anti-malware application to protect you from infected web pages. As usual, I recommend Intego VirusBarrier X6, which I own and use and enjoy (usually) and want to marry. When you connect to an potentially dangerous web page, VirusBarrier stops it from loading and warns you of a detected threat. You are able to choose to ignore, block, or add the page to your 'Trusted Sites'.

Here are links with further details for your reading pleasure:

Fake AV Targets Mac OS X Through Poisoned Search Links

Fake "MAC Defender" antivirus app scams users for money, CC numbers

Fake security software takes aim at Mac users

Intego Security Memo – MAC Defender Fake Antivirus Program Targets Mac Users

Fake "MAC Defender" Brings Malware to Macs

Bogus MAC Defender malware campaign targets Mac users using Google Images

Apple Support Communities: Search for 'MACDefender'

(Please note that I corrected the name of this scamware in a few of the the titles above. I see no point in perpetuating misspelling. Thank you as ever to Intego and ars technica for correct spelling ;-).

Adobe Critical Updates Again: Acrobat Reader 10.0.3 & Adobe Acrobat X 10.0.3 (Out-Of-Band but ahead of schedule!)

2011-04-21T22:21:00.000-04:00

--
You can read about it HERE and HERE.

You can directly download the Adobe Reader 10.0.3 update HERE.

You can directly download the Adobe Acrobat X 10.0.3 update HERE.

The security flaws involved are those Adobe posted on April 11th in the second article linked above. These are the promised updates of Reader and Acrobat, ahead of schedule by four days. Thank you Adobe!

Computer PWNing through the use of PDFs and Flash media is thick and fast these days, particularly on Windows, including Windows 7 (7ista). I have read speculation that hackers have a pile of 'zero-day' Adobe security hole hacks that are being used one after the other as Adobe provide patch after patch, trying to keep up. Note that it is possible to at least compromise a Mac using similar cracking methods and Trojan horses.

THEREFORE, user beware. I wrote in detail about precautions and protections available if you must use PDFs and/or Flash. Simply scroll back through my previous blog posts.

:-Derek
--

CRITICAL Patches for: Adobe Flash Player & Acrobat Pro & Adobe Reader & Adobe AIR (Out-Of-Band!)

2011-04-17T19:54:00.000-04:00

--
Sorting through this flock of updates is confusing. Therefore, for the sake of simplicity, I've thrashed through the Adobe mess for you. Below you will find links to relevant Adobe announcements as well as direct links to the update installers, lead with a *:

I) Adobe Reader & Adobe Acrobat 10.0.2 Updates:

Security updates available for Adobe Reader and Acrobat

*Adobe Reader 10.0.2 update for Macintosh

*Adobe Acrobat 10.0.2 Pro update for Macintosh

II) Adobe Flash Player 10.2.159.1 & Adobe AIR 2.6.19140 Updates:

Security update available for Adobe Flash Player [& Adobe AIR]

*Adobe Flash Player 10.2.159.1 for Macintosh

*Adobe AIR 2.6.19140 update for Macintosh

NOTE: I tacked "[& Adobe AIR]" onto the link to the Flash announcement because it is the only place you'll find it stated that an update of Adobe AIR is available and required. (0_o)

I swear there's lead in the water at Adobe. I wish they'd get their act back together.
--

No Finished 64-Bit QuickTime X For You! Mac OS X Lion Still Requires QuickTime 7

2011-04-16T15:23:00.010-04:00

--
In the true spirit of Apple users, I get seriously pissed off when Apple screw up badly. And OMG has Apple screwed up this time:

In a rather wacked-out article by FairerPlatform, we learned that Apple is only barely upgrading QuickTime 10 in Mac OS X 10.7 Lion. This forces We-The-Technos to continue to (I can't believe this) STILL INSTALL QUICKTIME 7.x.

I can't vent my frustration and rage any better than what I posted over at MacDailyNews:

A very well deserved RANT at Apple:

OMFG APPLE! WTF is wrong with you guys that you STILL CAN’T FINISH QUICKTIME 10!?!?!?!?!

This is when Apple users justifiably get PISSED-THE-HELL-OFF at Apple.

Let’s get real here:

1) There never has been any ‘QuickTime 10.0.x’. There has only been QuickTime 10.0.0.0.0.0. Apple dumped QT 10.0 on us in 2009 and left the buggy thing laying there with no improvements to follow! THAT SUCKS!

2) Now we apparently are going to get a mere token of an upgrade with 10.1.0 that still cannot come close to the functionality of QuickTime 7.x Pro, therefore, we STILL HAVE TO INSTALL QUICKTIME 7.x!!!!!! THAT SUCKS TOO!

Besides the CRAP functionality of QuickTime 10, and the fact that QuickTime 7.x is only 32-bit, there is one other CRITICAL reason to RANT for Apple to actually FINISH QuickTime 10:

SECURITY!!!

Q: What Apple software has the single WORST SECURITY? It’s not Mac OS X folks.

A: It’s QUICKTIME as in QuickTime 7.x!

MOVE YOUR LAZY ASSES APPLE and FINISH 64-bit QUICKTIME 10 RIGHT NOW!!!! It should have been finished A YEAR AGO!!!!!

I hope other Apple users are equally pissed off at this stoooopidity from Apple. (And folks, I NEVER troll).

Did I adequately get my annoyance across? Will Apple be adequately shamed? Do you think Apple will get the clue that I noticed their laziness?

Clearly, this is NOT going to be the year of full, 64-bit secure Quicktime. The waiting drags on and on...

:-P
---

Warning: New Adobe Flash Flaw

2011-04-12T20:48:00.004-04:00

--
Another month, another Adobe Flash security flaw. The following is a full quote from the most excellent SANS NewsBites Vol. 13 Number 29:

--Adobe Warns of Zero-Day Flaw in Flash
(April 11, 2011)
Adobe has issued a warning of a zero-day vulnerability in Flash Player that is being actively exploited in targeted attacks. The vulnerability can be used to take control of computers or to cause them to crash. The attack is spreading as a Flash (.swf) file embedded in a Microsoft Word (.doc) file that arrives as an attachment. Adobe did not say when a patch will be available.
Internet Storm Center:
http://isc.sans.edu/diary/Yet+another+Adobe+Flash+Reader+Acrobat+0+day/10696
http://news.cnet.com/8301-27080_3-20052894-245.html?tag=mncol;title
http://www.zdnet.com/blog/security/adobe-warns-of-new-flash-player-zero-day-attack/8524
http://www.computerworld.com/s/article/921572/Adobe_confirms_critical_Flash_zero_day_bug
[Editor's Note (Ullrich): In the past, I have observed users using Flash games embedded in Excel and Word documents to bypass corporate controls to prevent users from running these games. It may be a good awareness item to note the particular danger of these embedded flash files.]

You can sign up for the SANS Institute newsletters HERE.

I've also been reading about computers being PWNed via infected PDFs and Flash embedded in Excel spreadsheets.

My advice continues to be adherence to the Rules of Computing #1 and #2:

1) Make A Backup. Every day. Two of them. One on site. One off site.

2) Verify every file and application you receive or gather off the Internet as LEGITIMATE before you open it. That means doing homework. It's worth it.

Then add to that:

A) Avoidance of automatically running anything embedded in PDFs or Excel or Word or PowerPoint presentations you receive. Make sure YOU are in control of what runs when and where. No automatic anything. Make yourself the boss of your computer. The LUSER Factor remains a large problem for all of us. But we humans have a lot better scrutiny than a brainless computer program.

B) Don't Use Flash! Or at the very least use one of the many great utilities to stop Flash from running until YOU decide you want to run it. Also use utilities that KILL Flash cookies. These utilities include: The Safari Cookies extension. ClickToFlash.The Flashblock add-on for Firefox. The NoScript add-on for Firefox. The FlashFrozen application.

OF INTEREST: I read this week about a new Adobe initiative that will allow combining Flash with PHP in order to create non-Adobe Air apps for smart phones and all iOS devices. My initial response, knowing the poor security of both technologies, is OMFG. But rather than get all FUDed out, let's simply see what happens.

Stay safe. Stay secure. Laugh at the FUD. Enjoy the facts.

:-Derek
--

BBC: "US cyber war defences 'very thin', Pentagon Warns"

2011-03-17T03:31:00.004-04:00

A quick post to note an article that finally points out the big DUH: That the US government has terrible cyber-security. It is well known, certainly if you've been following my posts, that the US government has been repeatedly PWNed by Red China since 1998. The US feds only admit, however, to being PWNed since 2007 when they discovered all their computers attached to the Internet had been infected with bots that were feeding every piece of their data over to Red China. It was also uncovered around that time that Red China had been circulating an internal memo declaring 'cyber war' on the USA. This is our #1 trading partner benefiting from 'Most Favored Nation' status. The mind boggles.

It's a good and short read, important if only because the Pentagon has finally come clean about their incredible LACK of readiness in the ongoing cyber-security warz.

US cyber war defences 'very thin', Pentagon Warns

And yes, despite FUD to the contrary, the US feds would be remarkably better off if only they would dump Windows and, chant along with me:

GET A MAC

Red China says: "Thank you USA for using Windows!" (0_o)

Mac OS X is far from perfect. But Windows is far from adequate. Mac OS X remains the single safest GUI operating system on the planet. Only OpenBSD and FreeBSD have better security reputations. Sorry Linux.
--

Mac Security Status Report, Part II

2011-03-15T22:07:00.005-04:00

--
Internet Privacy Tools

One of the quietly astounding developments on the Mac platform is the arrival of terrific tools for establishing real privacy on the Internet. 2010 was rife with stories about how our privacy and even our identity was being stripped away by everyone from the Corporate Oligarchy to the legitimate US federal government. You'd think we were still living under the thrall of The Bush League Era, the assault on privacy has been so persistent and thorough. But serious tools for reestablishing US Constitution guaranteed privacy rights are here and they work. I would go so far as to say that 2010 established an Internet revolution of user privacy. I could not be more pleased.

Here are a few of the wonderful privacy tools and events from 2010. Keep in mind that much of this has been in the works for years and that there are more privacy tools on the way:

1) The Onion/Tor/Vidalia Project: The "Onion Router" project began back in 2002 as a method for concealing Internet user's identity and network activity, preventing surveillance and traffic analysis. Amazingly, the project was originally supported by the US Naval Research Laboratory. In 2004 the Electronic Frontier Foundation (EFF) began supporting the project, providing important guidance and solidification of the project's manifesto. In 2006 the Tor Project was established as a non-profit organization gathering and providing all financial support.

There are a number of FREE pieces of software that make use of the Tor Network. The prime program is Vidalia, aka 'Tor'. This is the software that runs the show. If you use Firefox, you will also need to install the Tor Button add-on. The next useful tool is a web page called "Check". It will verify for you whether you have Tor properly running on your system and web browser. Of side interest are a few other tools such as the Tor Browser Bundle (currently in beta for Mac OS X), and the Firefox add-on FoxyProxy.

Learning how to use Tor is difficult. Try to find someone who understands it to help you out. It is very much 'geek' level technology with meagre documentation and lots of obscure tricks required to use it to the fullest. With patience you'll find that Tor is astounding, effective and important for maintaining real Net Neutrality and user privacy.

In the near future I will be providing a long promised Mac specific article about how to use Tor for overcoming media marketing blackouts on the Internet. Keep an eye on my MacSmarticles blog. If you wish very hard, you may find me providing a series of articles about how to use Tor, translating geek-speak into intermediate Mac user lingo.

2) Ghostery: This is a FREE tracking cookie and web-bug tracking system. The tracker list is frequently updated and is very thorough from my experience. It runs on-the-fly killing off inter-website tracking systems. As you move from page to page it provides you with a small window listing all the detected and blocked tracking sources. As you use Ghostery you will seriously astounded at the amount of tracking/surveillance being perpetrated at you. Maybe you don't care. Maybe you're in marketing and you believe anti-tracking tools are evil. Personally, I love Ghostery and won't leave my home page without it.

Here is what the Ghostery developers have to say about it:

Be a web detective.

Ghostery is your window into the invisible web – tags, web bugs, pixels and beacons that are included on web pages in order to get an idea of your online behavior.

Ghostery tracks the trackers and gives you a roll-call of the ad networks, behavioral data providers, web publishers, and other companies interested in your activity...

There are THREE versions of Ghostery that work on Mac. One is the Firefox add-on. Another is the Safari extension. The last version is for Google Chrome. You can access all versions of Ghostery HERE.

3) Safari Cookies: This is an indispensable FREE add-on for Safari. It works great with Ghostery and provides further functionality. It has three main functions:

It allows you to create a website Cookie white list while killing off everything else.
It allows you to create a Flash Cookie white list while killing off everything else.
It allows you to create a website Database white list while killing off everything else. (I bet you didn't even know that websites could dump database information into your web browser! Very nasty).

Important: Do NOT use versions 1.6.4 - 1.6.7 of Safari Cookies. I've been in contact with the developer about their bugs and he most kindly has overcome them all with version 1.6.8 onwards. Now that it is working again, I cannot recommend Safari Cookies enough. Many thanks to SweetP Productions!

4) ECMAScript/JavaScript Prevention Tools: JavaScript is both a boon and a plague on the Internet. JavaScript allows such nifty things as Ajax coding on web pages. And yet, frequent readers of this blog know that I would very much enjoy JavaScript being erased from history and replaced with a scripting language that is actually and reliably SECURE. IOW: JavaScript is a gateway for malware and OS pwning. The blame for this catastrophic mess lies with three sources:

Netscape, who invented Mocha, renamed LiveScript, the original name of 'JavaScript' before marketing-morons were allowed to license and inflict the utterly confusing and wrong 'Java' name into its title. (I despise marketing-morons. Have you noticed that? I worked with them every day for five long, stressful, infuriating years at Eastman Kodak, gawd help me. But I rant...).
Microsoft, who inflicted their own typical insecure crapcode into JavaScript in the form of a monstrosity they call 'JScript'. Until recently, if you had attempted to resolve a web page that was designed using Microsoft's worst-in-class web design program 'FrontPage' you found the result to be a disaster. JScript was the main culprit. These days most web browsers comprehend JScript. But it remains a prime cause of hit-and-run website malware infections. Microsoft trolls will find this statement infuriating I exaggerate not. Just be glad that Mac users don't also have to contend with ActiveX, yet-another insecure Microsoft scripting language. (The Mozilla Project used to support Active-X but a couple years back banned it from any of their browsers for the benefit of their users and future generations of Internet users, amen).
Adobe, who own what was once Macromedia, who perpetrated an insecure scripting language called ActionScript. It is mainly used in Flash and SWF embedded web pages, is one reason why Flash hacking is well known as a prime method for pwning Mac OS X. It is also one of the many reasons why Apple wisely banned Flash from their iDevices. It is also a prime source of malware for the Google Android OS.

Preventing this toxic brew of dangerous scripting languages from ruining your Internet browsing experience has become increasingly crutial. That is why I champion browser add-ons that let you choose when or whether to load JavaScript. Here are a few of the JavaScript prevention tools for Mac web browsers:

• NoScript: This celebrated FREE Firefox add-on from InformAction is brilliant. It is frequently updated to keep up with the lastest in scripting crapcode. And it not only protects you from evil JavaScript! It also protects you from evil Java, Flash and other insecure web plug-in code that may be out to infect or pwn you. This add-on is one of the prime reasons to dump all your other web browsers and go 100% Firefox. I kid you not. Much as I like Safari, when I want first class web security, I use Firefox with both NoScript and Ghostery running. Get it. Use it. Enjoy!

• JavaScript Blacklist: This is a rather meagre FREE Open Source add-on JavaScript killer for Safari. It allows you to block JavaScript from any web domain. Sadly, it is little more than proof-of-concept with a teeny-weeny 2.5 inch text box for inputting your blocked website list. The best way to use it is to create your list in a text editor then copy and paste it into the teeny-weeny box. Whenever you want to add to your list, edit your text file then copy and paste again. There is no point in bothering to do any editing within JavaScript Blacklist itself. If you can deal with its shortcomings, this is a nice add-on for Safari fans like myself.

If you're ambitious, there are places to find lists of websites know to be infected with dangerous JavaScript. Ideally you could hack together a list from NoScript. But you'll find the task arduous. Don't bother.

5) Open Wi-Fi Router Defense Tools:

HTTPS Everywhere

This is a Firefox extension/add-on that specifically counters the hackware Firesheep extension/add-on. You can read about Firesheep here:

Firesheep

The general concept of this hacker war is that every website must stop using mere http connections and move over to https, SSL encrypted connections. HTTPS forces on SSL at websites exploited by Firesheep that are known to offer it.

6) Evercookie Defense Tools:

The 'Evercookie' is a concept developed this past year that threatens even the most obsessive of personal privacy web surfers. You can read about it here:

Evercookie

The basic concept is that there are multiple files tossed onto our computer as we surf the Internet. What we call browser 'cookies' are only one form. Using the Everycookie concept, a personal privacy parasite needs only one of these several files to track us across the Internet. And any one of these files can be used to respawn all the others. Therefore, with the Evercookie system, real personal privacy requires deleting every single one of these tracking files from your web browser

The best tool to combat the Evercookie so far, that I am aware of, is the BetterPrivacy extension/add-on for Firefox. You can read about hit and download it here:

BetterPrivacy

~~~~~~~~~~~~~

There are further Internet privacy tools a plenty! But this shortlist covers the best of them and will get you going. I know! These tools don't fully solve the 'Evercookie' dilemma. But I don't know anything that does, not yet anyway. Hopefully an Evercookie killing tool is in store for us in 2011.

Coming up in Part III will be my version of a comprehensive list of currently active malware for Mac OS X, including all their various names. All of them are either Trojan horses or hacker tools. I am also looking forward to putting together an article on Mac OS X 10.7 Lion security, which so far sounds like a decent improvement. Stay tuned!
--

CRITICAL Zero-Day Security Exploit In-The-Wild: Adobe Flash & Adobe Acrobat & Adobe Reader

2011-03-15T15:41:00.005-04:00

--
Q: So Adobe! How's that quarterly 'in-band' update schedule working for you?
A: Um...

After a nice break from The Summer Of Security Holes, we are back on track with CRITICAL Adobe zero-day exploits. This one hits ALL versions of Adobe Flash (v10.2.152.33 on down) on ALL OS platforms, except of course Apple's iOS which does not allow Flash content. Now perhaps skeptics can understand why. It also hits versions 10.0.1 on down through v9.x of Adobe Reader and Adobe Acrobat on Mac and Windows.

Here is the security advisory from Adobe.

This vulnerability (CVE-2011-0609) could cause a crash and potentially allow an attacker to take control of the affected system.

Here is an article by Electronista.

Given the popularity of the Flash platform, it would seem that this could be a somewhat difficult situation to manage.

Here is the advisory from Adobe's PSIRT (Adobe Product Security Incident Response Team) blog.

We are in the process of finalizing a fix for the issue and expect to make available an update . . . during the week of March 21, 2011.

And here are even more details from yet-another Adobe security blog, this time called ASSET (Adobe Secure Software Engineering Team).

We currently plan to address CVE-2011-0609 in Adobe Reader X with the next quarterly security update for Adobe Reader, currently scheduled for June 14, 2011.... We determined that the above patch schedule would allow us to provide the best balance of risk mitigation and admin/update costs for our customers.

Translation: Watch for patches of Adobe Flash Player, Adobe Acrobat and Adobe Reader v9.x (not 10.x) the week of March 21, 2011. There will be NO patch for Acrobat Reader v10.x until the scheduled quarterly "in-band" date of June 14, 2011. There is an explanation of this inexplicable schedule in the ASSET article.

The currently known exploit is a Microsoft Excel (XLS) file sent via email to victims. Embedded within this file is a Trojan horse Flash file (SWF). Adobe does not explicitly state that this specific file is directed only at Windows users. However, the details they provide refer only to using 'Protected Mode' in Adobe Reader, which is a Windows-only feature. Therefore, I can infer that this is a Windows-only exploit file.

Other exploits are possible. Therefore, until Adobe patch this hole, beware of Flash in general, either as straight Flash files OR embedded in another file type.

My solutions:

A) Use one of the many Flash blocking extensions in your web browsers AT ALL TIMES.

B) As a corollary of The Second Rule Of Computing:

Only open files emailed to you AFTER you have verified that their source is legitimate.
Only click on embedded Flash on web sites that have been verified to be legitimate.

C) Don't use Adobe Reader. Use Apple's Preview application.

D) If you just 'have to' use Adobe Reader: Be sure you are using 'Enhanced Security' inside the Preferences. You'll find it listed under 'Security (Enhanced)'. Note that this is enabled by default when you first install Adobe Reader.

E) Or to be totally safe: Remove Adobe Flash, Adobe Acrobat and Adobe Reader from your computer.

Q: Does this make the Internet more dangerous than ever?
A: You bet!

Q: Why does the Internet have to be such an annoying pain?
A: Bad coding practices by developers as well as poor code documentation, critical to cleaning up bad code.

Theoretically, newer coding students are being taught how to avoid computer memory security holes. However, even if they are diligent at writing 'perfect' code, other problems persist in the code languages themselves. For example, the Java code language was created specifically to never be able to exploit the user's computer. And yet it does. As I ever rant: We are still in The Stone Age Of Computing.

Q: Are Mac users really vulnerable to this security exploit?
A: Absolutely!

Keep in mind that this is not an Apple or Mac OS X problem. This is an Adobe problem. It is their software that is being exploited and ends up damaging the computer. There is nothing Apple can do to prevent Flash exploits apart from ban Flash, which is thankfully the case with all Apple iOS devices.

Meanwhile, whether this exploit will be targeted specifically at Macs is entirely up to the evil scumbag hackers writing the exploit code. If I hear of a Mac specific exploit file, I will post here.
--

New Baby Trojan: Trojan.OSX.MusMinim.a aka Blackhole RAT (aka darkComet, aka MusMinim)

2011-02-28T14:00:00.005-05:00

A new baby Trojan has arrived on the Mac OS X platform, as discovered by Sophos. It is the 28th currently known active malware for Mac OS X (according to my counting). Transforming the Sophos name for the Trojan into the proper naming convention, its official name is 'supposed' to be:

Trojan.OSX.MusMinim.a

But of course it has a bunch of other names, in keeping with the chaotic nature of the computer security community, which has agreed upon a malware naming convention but rarely bothers with it because of the vast array of competitive egos in the business as well as a general lack of professionalism. As for me, I'm going to use its proper name, I expect Intego also will, and I hope you will too.

[Update: Intego are only calling the Trojan 'Black Hole RAT'. Sigh.... But at least Intego have indicated this is only a hacking tool, (as is the 'Hellraiser' malware), not much of a threat. You can read their analysis HERE. Intego point out a further description of the Trojan HERE.]

Sophos provide their take onTrojan.OSX.MusMinim.a in this article:

Mac OS X backdoor Trojan, now in beta?

RAT stands for Remote Administration Tool, (NOT 'Remote Access Trojan' as Sophos calls it; Thank you to Intego for the correction). In other words it creates a back door into the infected computer. Because it is strictly a Trojan horse (as is technically all Mac malware at this point in time), it requires user failure in order to be installed.

Therefore, the Number 2 Rule of Computing:

Always verify the validity of software you install.

And what is the Number 1 Rule of Computing?

Always make a backup.

That way you always have a fall back in case your machine becomes infected or dies.

I'll be writing more about Trojan.OSX.MusMinim.a in an upcoming summary of the 28 current Mac OS X malware.
--

Little Snitch $14.99, (Regular Price $$29.95) This Weekend

2011-01-29T13:52:00.002-05:00

--
MacUpdate is offering Little Snitch from Objective Development, a beloved 'reverse firewall' for Mac OS X, at almost HALF-PRICE this weekend. That's $14.99. (Regular price is $29.95) Go get it here:

http://www.mupromo.com/deal/1421/7024/little-snitch

I use it non-stop and love the thing. It has gotten consistently easier to use over time. I also have an older version running on my FTP server 24/7. If you're worried about being pwned, this will stop all communication from malware back to the Bot Wrangler. No botnet for you! It's also perfect for stopping all 'phoning home' by pesky applications.

MUPromo's offer drops dead at midnight on Sunday, January 30, 2011. But you may be able to get it for a lower discount during the following week. Check the MUPromo website for details.

Note: If you use the 'reverse firewall' in Intego's VirusBarrier v10.6, you don't need Little Snitch.
--

Sophos Top tips for Mac OS X security - Part 1 And my commentary

2011-01-27T13:51:00.000-05:00

--
While I polish up Parts II and III of my 2010 Mac security summary, here is an article Sophos posted on Christmas day. It is the first in a series of articles to help Mac users secure their Macs. For advanced users, this is old news.

Top tips for Mac OS X security - Part 1

For users new to the concepts in this article, it is important to note that each added layer of security typically adds a layer of difficulty for the user. Using the points from this article, here are some useful examples:

1) Disable Automatic Login: This is absolutely critical. But it means there is not automatic logging in and booting of your user account ever again. That is a GREAT thing for security. But there are always newbies who complain. I say tough. But I'm a grizzly old meanie when it comes to personal responsibility. If you are of a more personable personality, talk over with your users exactly what happens when a hacker accesses their computer: Everything of yours is now their's. Everything. Once people think about that, they tend to want to protect their computer.

2) Set a Firmware Password: This is incredibly brilliant for stopping that big, Huge GAPING SECURITY HOLE in Mac OS X: Booting onto anyone's Mac via any compatible Mac OS X installation disc. Once booted from these discs, it is dirt easy to remove and change the Administrator account password. Once changed, that Mac is PWNED! Setting a firmware password stops that DEAD. However! There are other results as well. These include losing the ability to easily change your Startup Disc. You can't boot with the Option key down to change startup discs. You can't simply click on a new volume in the Startup Disc preference pane. The result can be quite annoying if you frequently change them, for example to use another volume on your Mac for repairing your main boot volume, which I do regularly.

3) Encryption is a good idea:

--3A) Boot Drives:

On Mac OS X you are allowed to use FileVault (found in the Security preference pane) to encrypt your User accounts. If you have critical data that should NEVER fall into other people's hands, this encryption is CRITICAL! Do it. However! You've got to consider some consequences:

First, you can no longer access that volume from another boot volume. No more repairing it from elsewhere.

Second, you MUST keep all your critical data specifically in your User account and NOT anywhere else on your boot volume. Again, only the contents of your user account Home folder is encrypted.

Third, updating Mac OS X to a new version is a bit more of a PITA if items in your Home folder have to be updated.

Fourth, there is a minor slowdown of your machine due to the constant decryption of your data then reencryption of new data.

And you'll find other minor annoyances.

If you have a critical machine, all of three of these steps are important. Think of the added user annoyances as added 'Cost Of Doing Business' that you cannot do without. Live with them and appreciate that they provide you with solid and important security.

Question: Is it important to encrypt your entire hard drive?

Answer: NO, not if you keep ALL your critical data inside your Home folder. Everything else on your hard drive should not be of any consequence. All of it should be files and folders and apps that anyone could obtain any day of the week. Therefore, getting them off your computer is trivial. What you must protect is UNIQUE data that only you and trusted colleagues should ever see.

Question: But, but, but, some security expert firm says blahblahblah!!!

Answer: They are either being extremists or they want to sell you something. For example, Sophos use their article to try to sell you their 'SafeGuard Disk Encryption for Mac' that encrypts absolutely everything on your Mac. If you see a point in further slowing down your Mac and keeping publicly accessible System files away from bad guys, fine. Go buy it. I personally see no reason for it.

The only possible exceptions I can imagine are if you are a developer or software tester who has something unique installed into their system, such as a custom .KEXT extension file, that there is no way on Earth you want anyone to obtain. Then I'd encrypt everything.

--3B) External Drives:

YES! Encrypt them! They have your data on them. This includes everything from CDs you burn to DVDs to Flash drives to attached hard drives. ENCRYPT THEM ALL!

There are lots of great programs to accomplish this for you, many of which are simple Drag And Drop apps that encrypt then put the encrypted file onto your external drive for you. Some of them will alert you if you attempt to put anything unencrypted onto a drive, 'user-minder' apps if you will. These are great to have.

--3C) Wi-Fi Encryption:

YES OF COURSE! It is so easy to forget that free Wi-Fi spots continue to provide ZERO PRIVACY. If you don't have to sign in to a Wi-Fi spot, your data and/or your cookies to websites are IN THE CLEAR, meaning you can expect them to be stolen by anyone else also connected to that router. This is why the Firesheep hacking tool was made public: To force people, Wi-Fi spot owners and website owners to WAKE UP and force encryption or account privacy at all times. Very very slowly the world is catching on. But I fully expect encryption/privacy cluelessness to last well on into the very distant future. Some people are never going to understand. That includes members of my own family! Be nice to them and if need be, set up encryption and privacy on their routers for them.

As Sophos publish further Mac OS X security tips I will provide further links and further commentary.

Share and Enjoy!
--

GnuPG Project In Chaos: Avoid For Now

2011-01-08T00:54:00.000-05:00

. . .
Apologies to readers for taking a long break. I've started writing again today. This first post of the year is extremely sad for me personally:

I was once quite a champion of GnuPG for Mac, put up with the massive geek factor and had it working perfectly. But these days GnuPG is broken on Mac OS X 10.6.x. Don't bother playing with it unless you're one of the developers, it's that nasty at the moment.

I've attempted many times over the last full year to help the project, saw great hope last spring, only to have hope dashed this winter with a cacophony of developer infighting, endlessly frustrated would-be users, censored list posts, and chaos all round. I have never seen this before and hope I never do again. RUN AWAY from this software for now, until... (all join hands and pray) ...someone sane takes over the project and straightens out the bloody mess. Until then, I wish the project well.

(;_;)

QuickTime v7.6.9 Update For 10.5.8 & Windows

2010-12-08T13:39:00.005-05:00

~~
On December 7, 2010 Apple released QuickTime version 7.6.9 for Mac OS X 10.5.8 and Windows XP, Vista and 7ista. No update is required for Mac OS X 10.6.8 users. It contains 15 security patches, some for both Windows and Mac OS X, a couple are Windows only. As usual, most of these vulnerabilities are due to memory overflow programming errors. You can read about the security patchs at:

About the security content of QuickTime 7.6.9

I'm a bit concerned at the moment that Apple have this update listed as being for only Windows. This is INCORRECT. Hopefully Apple will correct their error today. Most likely they will add a separate listing for the Mac OS X 10.5.8 version.

According to Apple:

QuickTime is incorporated into Mac OS X v10.6 and later.
QuickTime 7.6.9 is not presented to systems running
Mac OS X v10.6 or later.

I double-checked and verified that all of these CVE issues have already been patched in 10.6.8. Therefore, be certain that your installation of Snow Leopard is up-to-date.

If you've read my previous posts you know that Apple's QuickTime is the very least secure of Apple's software. A great deal of the problem has to do with JavaScript/ECMAScript Hell, as I call it. As usual, I consider JavaScript to be the bane of the Internet and wish it would be entirely scrapped and replaced with a secure scripting language. Read back in my posts if you're interested in my rants about why JavaScript is a catastrophe.

Below is a quick summary of the security holes patched in QuickTime v7. Click on the CVE numbers for further details.

Common Vulnerabilities and Exposures IDs Patched:

CVE-2010-3787 - Heap-based buffer overflow in QuickTime in Apple Mac OS X 10.6.x before 10.6.5 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted JP2 image.

CVE-2010-3788 - QuickTime in Apple Mac OS X 10.6.x before 10.6.5 accesses uninitialized memory locations during processing of JP2 image data, which allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted JP2 file.

CVE-2010-3789 - QuickTime in Apple Mac OS X 10.6.x before 10.6.5 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted AVI file.

CVE-2010-3790 - QuickTime in Apple Mac OS X 10.6.x before 10.6.5 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted movie file.

CVE-2010-3791 - Buffer overflow in QuickTime in Apple Mac OS X 10.6.x before 10.6.5 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted MPEG movie file.

CVE-2010-3792 - Integer signedness error in QuickTime in Apple Mac OS X 10.6.x before 10.6.5 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted MPEG movie file.

CVE-2010-3793 - QuickTime in Apple Mac OS X 10.6.x before 10.6.5 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted Sorenson movie file.

CVE-2010-3794 - QuickTime in Apple Mac OS X 10.6.x before 10.6.5 accesses uninitialized memory locations during processing of FlashPix image data, which allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted FlashPix file.

CVE-2010-3795 - QuickTime in Apple Mac OS X 10.6.x before 10.6.5 accesses uninitialized memory locations during processing of GIF image data, which allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted GIF file.

CVE-2010-3800 - Viewing a maliciously crafted PICT file may lead to an unexpected application termination or arbitrary code execution.

CVE-2010-3801 - Viewing a maliciously crafted FlashPix image may lead to an unexpected application termination or arbitrary code execution.

CVE-2010-3802 - Viewing a maliciously crafted QTVR movie file may lead to an unexpected application termination or arbitrary code execution.

CVE-2010-1508 - Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. Windows only.

CVE-2010-0530 - A local user may have access to sensitive information. Windows only.

CVE-2010-4009 - Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution.

Note: Not all of the CVE numbers have been listed at the National Vulnerability Database. Therefore, I instead provided links to their references at the Common Vulnerabilities and Exposures site. Check back at the CVE site as these CVEs progress beyond 'candidate' status.

Share and Enjoy!

:-D
~~

Mac Security Status Report, Part I

2010-11-28T16:36:00.018-05:00

--
Introduction:

As a non-expert at computer security, it's a bit silly to believe I can provide any comprehensive report of current Mac security. However, I don't see anyone else bothering. Instead I see a variety of niche groups and niche skill sets involved with Mac Security but not pulling the pieces together. I also hear incessant vacuous FUD attacks from frustrated sources who wish Mac OS X was even remotely as unsafe as Windows blatantly is. It's plain old propaganda, not unlike the worthless political rhetoric in the media attempting to divide people through the promotion of fiction and fear. :-P

Therefore, I'm not going to worry about the areas in which I have lack of insight. Instead I'm going to take a stab at it and do what I do best: Examine the overall system of Mac security, provide some relevant details, then offer my summary and conclusions. Never rely on only one source of information about anything. Lord help anyone who uses Fox News as their soul political information source. Equally, lord help anyone who uses my work as their soul Mac security information source.

I) A Critical Mac Problem, Inadvertently Provided Via My Pet Troll:

The IT Ignorance Factor

Every source of difficult information has its trolls. It's difficult for Windows users to face Mac OS X security facts. Mac OS X is the #3 safest operating system available. The two better operating systems are OpenBSD and FreeBSD. It is no coincidence that Mac OS X is built upon an Open Source foundation that is based in part on pieces of both OpenBSD and FreeBSD.

This upsets my pet troll very much and makes him angry. This month he calls himself 'Tom' the troll. He is an anonymous coward reader of the blog, unwilling to let anyone know who he is or his stake in propagandizing Windows over Mac. It's all entirely dull and predictable to me. Occasionally my pet troll attempts to post FUD commentaries into my blog. I take a look at them, laugh a while, then step back and consider what pieces of his dishonest propagandist point of view could be useful to me. This time he wanted me to listen to the 'woe is we' rantings of one Roger Grimes, a Windows apologist and security analyst paid by Microsoft. You can listen to this fellow yourself at:

SecureABit.com

Scroll down to episode #67 of their podcast. Most of the dull program includes commentary from Mr. Grimes.

This fellow pulls the usual pro-Microsoft, anti-Apple myth mongering and propagandist garbage. What is unique in my experience is his defeatist attitude regarding computer security. He says essentially that we're all screwed no matter what, but OpenBSD is the best we've got for operating systems, but darn it's too difficult to use for mere mortals, so use Windows. (o_0) Oh that makes (no) sense! He then tosses out 'The Grimes Corollary' that restates the 'Security Through Obscurity' myth. Been there, killed that, yawned.

However, I was able to pull out of Mr. Grimes' rants one useful comment. It is this: Enterprise IT technologists don't adequately, or in a timely manner, patch the computers under their care. They also allow their users to use simplistic passwords that are easily cracked. This is most particularly evident on Enterprise Mac computers. The reason why is simple: Enterprise IT technologists rarely bother to learn Mac security or enforce it. Therefore, Mr. Grimes tells his tale of enjoying visiting businesses that integrate Macs because so commonly the machines are not up-to-date with security patches and are using easily guessed passwords. I would assume he uses a dictionary attack program against them, which these days are extremely fast and effective. He also keeps track of all the reported Mac vulnerabilities and uses them against unpatched machines.

So here we have Macs, the safest GUI OS based computers available, being easily cracked via very basic techniques that anyone's granny could use. This is shameful. Mr. Grimes would like to blame the users for this state of affairs. But of course it is the IT technologists and the IT managers who are entirely to blame. Never, ever, expect a business user to be any kind of technology security expert. To do so is to literally invite into your business The LUSER Factor. I've covered this issue many times in the past. It is the main reason why Mac OS X has any malware at all and is the reason that nearly all Mac OS X malware are Trojan horses.

There is more going on in the Enterprise than just problems of 'the user', or what's 'between the chair and the keyboard'. In business the computer is a tool, and the tool master is the IT expert in charge of that tool. This leads me to create another descriptive phrase that I call The IT Ignorance Factor. This problem occurs due to a multitude of factors. I'll toss out a few of them:

A) The business does not provide adequate time and resources for adequate computer maintenance. IT people often pull out their hair trying to get biznizz types to comprehend technology. But the fact remains that not keeping computers maintained means directly damaging the company. There are multitudes of tales of woe. Here is one from today concerning the shockingly computer ignorant US federal government:

US embassy cables leak sparks global diplomatic crisis

If the government's IT 'experts' had been on the ball, this could not have happened. I strongly suspect that they were kept off the ball with the help of bad management. This is when IT technologists must become educators and stop the 'boss' from being an 'ass'.

B) Laziness. Clearly most IT technologists live in the Windows world. Why bother to learn that other platform if they don't have to. You've heard this illogic before.

C) Fear. It sounds odd, but many IT technologists have trouble enough dealing with Windows hell. They're scared to get involved with another platform, making things even more complicated, or so they illogically believe.

D) Arrogance. Most Mac users have met the know-it-all geek who is a gawd of Windows and sneers at Macs. Then of course when someone defends the Mac these stick-up-their-ass bozoids accuse Mac users of going all 'religious' or counter 'arrogant', ad nauseam.... Therefore, of course such creatures are not going to bother to learn or apply proper Mac security methods.

There are of course more excuses and failings involved. Post your faves in the comments if you like.

    

Thus ends Part I. Further parts of my Mac Security Status of 2010 will include a summary of all the current active Mac malware, a summary of the consistent types of security vulnerabilities in Mac OS X, and a summary of the non-Apple security threats against Mac OS X. I'll be covering the Koobface/Boonana worm, the 'Evercookie' technique and how to combat it, as well as further coverage of the ongoing foolish attempt by the US federal government to backdoor every computer data encryption method.
--

Adobe CRITICAL Security Update Of The Month Club

2010-11-17T02:04:00.006-05:00

--
And now for something useful:

Adobe have posted their promised CRITICAL "out-of-band" security updates for Adobe Acrobat and Adobe Reader. The new versions are 9.4.1. If you use either of these applications, get the security updates now. Proof-of-concept exploits for the previous versions have been available for weeks.

You can read about the CRITICAL security updates here:

Security updates available for Adobe Reader and Acrobat

The direct download URLs, to save you from suffering Adobe's lunatic website:

Adobe Acrobat 9.4.1 Pro update

Adobe Reader 9.4.1 update - PPC

Adobe Reader 9.4.1 update - Intel

See you back here next month for the latest in "out-of-band" CRITICAL Adobe security updates!

Stay safe, stay secure, laugh at the FUD.
--

Hilarious Anti-Apple Security FUD Attack! By eWeek!

2010-11-17T01:36:00.005-05:00

--
Lots going on this week, with me gathering up news from all corners. But when I see something as hilarious as this, I have to post it ASAP. It's one of the infamous slide show articles over at eWeek. What is hilarious is that it says nothing that wasn't shouted to the rafters in 2005 by Symantec when they were trying to prop up their worst-in-class anti-malware application for Mac OS X. What I am posting here is verbatim. I did NOT add any capitals. The SHOUTING is all their's:

Security: Mac Malware Attacks Prompt Security Vendors to Rush Out Antivirus Tools

By Fahmida Y. Rashid on 2010-11-12
SECURITY VENDORS ARE SAYING THAT ATTACKS ON THE MAC ARE NOW SIGNIFICANT ENOUGH THAT APPLE USERS SHOULD INVEST IN ANTIVIRUS SOFTWARE FOR WHAT WAS ONCE THE "INVULNERABLE" PLATFORM. WITH KOOBFACE VARIANT BOONANA FRESH IN PEOPLE'S MINDS, THE CONCEPT OF A VIRUS ATTACKING MACS SEEMS LESS LAUGHABLE THAN IT DID EVEN TWO YEARS AGO. "MAC USERS MUST REMEMBER THAT LESS TARGETED IS NOT THE SAME AS INVULNERABLE," SAID RICHARD WANG, MANAGER OF SOPHOSLABS. THE THREAT IS STILL NOT THAT PREVALENT, WITH ONLY "ONE TO TWO" ATTACKS ON MACS EACH WEEK, COMPARED WITH THE "TENS OF THOUSANDS" PER DAY AGAINST WINDOWS PCS. MAC OS X HAS ONLY 10.6 PERCENT MARKET SHARE IN THE UNITED STATES, ACCORDING TO IDC AND GARTNER, BUT THE DAY HACKERS WILL FIND THE PLATFORM WORTH TARGETING IS NOT FAR OFF, VENDORS SAID. MAC ANTIVIRUS SOFTWARE IS NOT NEW, BUT IT USED TO HAVE A BAD REPUTATION FOR BEING RESOURCE-HUNGRY AND INCONVENIENT. THAT'S SOON TO CHANGE AS VENDORS RELEASE NEW MAC ANTIVIRUS TOOLS THAT ARE QUITE UNOBTRUSIVE. HERE ARE SOME OF THEM...

OMFG! MAC USERS ARE ALL GONNA DIE!

My usual point: NEVER has anyone but trolls said Mac OS X was "invulnerable" or anything similar. It's a propaganda trick: Make up a nasty, indicting quote with no attribution provided. Yes, Fahmida Y. Rashid of eWeek and Richard Wang of Sophos are acting like assholes. But this trick has been pulled countless times. Therefore, they're acting like unoriginal assholes. Just laugh.

I could do my usual lecture about the insane nature of the 'Security Through Obscurity' myth. If you care, go back a few years in my posts. Just know that Windows has over 1000x more malware than Mac OS X on a per user basis, which blows the stupid myth off the planet. Such silliness. But that's what happens when Marketing Morons get desperate to sell Sell SELL!
--

Firesheep Wi-Fi Warz

2010-11-10T23:24:00.019-05:00

--
The Sheeple Are Burning

October 25 a hackertool was released for Firefox in the form of an add-on called Firesheep. It is extremely easy to install and use on Mac, Linux and Windows versions of Firefox. (I will not provide the link. Sorry.) It provides casual Firefox web browser users to spy on and doppelganger anyone who is connected to the Internet via a shared, open Wi-Fi connection. Simply connect your computer to the same open Wi-Fi connection and commence surveillance and identity theft.

It performs its dirty deeds by way of coopting the cookies being sent in the clear from any victim's computer. It is not a thorough form of identity theft, but it adequate while the hacker's computer remains within that open WiFi connection. IDs and passwords are typically not sent in the clear. However, the Firesheep add-on is able copy out of the air the cookies any user is sending to any website. The contents of the cookies may remain completely incomprehensible to the hacker. All that is required is the contents of that cookie to literally "BE" the intercepted victim. This means the hacker can access any active website connections and fake being that person through the use of their intercepted cookies. The hacker can do ANYTHING on those websites AS the victim. If at any point the website asks for password verification, such as when buying items from Amazon.com, the hacker is thwarted. Their identity theft stops dead at that point. However, anything else goes. This can create incredible havoc on the Internet.

At the point in time of this article being posted, well over HALF A MILLION PEOPLE have downloaded Firesheep. That essentially says it is becoming universal, endangering ALL unencrypted Wi-Fi connections to the Internet. And that was the purpose of creating and providing this add-on to the entire computer community.

The creator of this hacker tool is a Black Hat, which is to say that he bulldozes improvements in computer security by providing the means of exploiting a security hole to the world at large without any prior warning to anyone. To use a very mild metaphor, it is the equivalent of 'Tough Love' for computer users and software developers. In this case the desired effect is to lock up ALL Wi-Fi connections via encryption, ending forever open Wi-Fi connections.

There are two cures for this dilemma:

1) All websites must provide SSL encrypted connections at all times, not simply when a user logs in. This means that all websites would stop using merely HTTP connections and instead use only HTTPS connections between themselves and their users. This adds some minor overhead burdens but is entirely feasible. How long it will take the entire World Wide Web to catch up is the big question. The hope is that it will be immediate. But we're dealing with humanity here, therefore...

2) All Wi-Fi connections must require WPA account encryption. This means that all users of an 'open' Wi-Fi connection site must have and use a password in order to access the Wi-Fi hub. Surprisingly, this is an incredibly simple thing to do with nearly all modern routers. (Older routers that only use WEP encryption are SOL). Everyone making a connection to the router can use the exact same password! Routers know the MAC address of every device that connects to them. This allows them to keep each and every connection entirely separate. The fact that each connection uses the same password provides almost perfect separation of users while providing unbreakable (at this time anyway) encryption.

Here's how #2 cure would work at Starbucks: A simple sign is provided at the counter that says something to the effect of "To access Starbucks' Wi-Fi connection, please use the password 'starbucks'." That's it! Simple.

Since Firesheep was let loose for the average computer user, there have been plenty of happy stories of users speaking to the manager of shops that provide free Wi-Fi and asking them to turn on WPA account encryption. For anyone familiar with setting up Wi-Fi routers, turning on WPA is trivial. The shop managers have been happily changing their router setup and killing off the Firesheep threat. I strongly suggest that you do the same EVERYWHERE you go with your Wi-Fi device.

WEP encryption, unfortunately, was created in haste and provides NO SECURITY. It is trivial for hackers to obtain tools that can break into WEP encryption within less than a minute. It is expected, in fact, that future versions of Firesheep or similar hacker tools will include a WEP cracking tool.

The Next Best Thing To A Cure

I knew further shoes were going to drop regarding this subject. I just found out this evening that a helper tool has been provided by Zscaler that can warn you when there are Firesheep prowling around in an open Wi-Fi connection. Once again it is a Firefox add-on. Its name is Blacksheep. (Why black? Read back in the article about Black Hat hackers.)

Below is a quote from our pals at the SANS Institute from SANS NewsBites Vol. 12 Num. 89:

--Firefox Extension Warns users When Others are Using FireSheep (November 8, 2010)
Researchers have released an extension for Firefox that detects when computers on a local area network are using FireSheep, a tool that steals unencrypted cookies from websites. Called BlackSheep, the extension alerts users by displaying a message telling them that someone is using FireSheep and providing the LAN IP address of the FireSheep user. FireSheep was created and released to draw attention to the lack of encryption for session cookies on many popular websites.
http://www.theregister.co.uk/2010/11/08/firesheep_detection_tool/
[Editor's Note (Northcutt): Interesting, dueling plug-ins. For the moment this is quite limited as you can install FireSheep and BlackSheep on the same computer only if you use different Firefox profiles. The duel would be over unencrypted LANs:
http://www.zscaler.com/blacksheep.html ]

The Blacksheep add-on page provides instructions and a video showing it in action.

Also of interest: Microsoft, Intego and other anti-malware providers have added Firesheep to their list of detected 'malware'. This is IMHO a weak move as Firesheep is NOT malware. It is a hacker tool that requires deliberate installation by the hacker and has no user-based malware behavior whatsoever. However, parents or employers would be interested to know about the hacker behavior of their children or employees.

Do NOT consider Blacksheep to be any kind of cure! It is merely a defensive tool when you're STUCK at an unencrypted Wi-Fi spot, such as the Airport or wherever they are too clueless to turn on WPA encryption, or they don't know how, or they're stuck with worthless WEP encryption on their router. Do NOT consider Blacksheep to be thorough defense! It is not. I personally would only use it out of desperation.

The single best defenses against having your cookies stolen and your ID doppelgangered when you're STUCK in an open Wi-Fi spot are to:

1) Never log into anywhere that does not provide end-to-end HTTPS/SSL encryption. An example would be Google's GMail. You can't turn off HTTPS at the GMail site if you try! That's the way it should be everywhere.

2) Remember that eMail provides NO SECURITY apart from possibly an SSL connection to and from your eMail server. Otherwise, everything you email is in the clear for anyone to read. These days I think of some dorky, bored CIA/NEA/FBI human intercepting everything I email and reading it. I even write them little notes from time to time to set off their keyword alarms just to wake them up. Unconstitutional as it is to invade any US citizen's privacy, the Bush League set the precedence for breaking the law anyway, and sadly the Obama administration is goose stepping right along to the same deranged tune. I have further rants on such subjects at my zunipus blog.

The safest thing to do when you're STUCK at an open Wi-Fi spot is to merely browse happy, smiley, shiny websites for fun, not for work, not for financial interactions, not anywhere a hacker could steal your identity. With Firesheep they are you anywhere you go on the web.

Stay safe kids! And watch out for sheep.

;-Derek
--

Smartphone Bank App Security Problems

2010-11-10T23:02:00.007-05:00

--
The benefit of Apple having a closed App Store is their scrutiny of all applications submitted. This has helped maintain a superior security record for the iPhone versus any Android phone. However, a big hole in Apple's vetting system has become evident whereby all smartphone users have been put in danger by poorly designed and coded banking applications. Thank you to the SANS Institute for bringing this issue to my attention on in SANS NewsBites Vol. 12 Num. 89:

--Security Flaws in Smartphone Banking Apps (November 5, 2010)
Researchers have found that several banking applications for Android and iPhone contain security flaws that store account information in plaintext. Attackers could potentially steal sensitive data by luring users to maliciously crafted websites designed to find the information. Of the seven applications inspected in the study, just one, from the Vanguard Group, did not store information in plaintext. The institutions were notified of the problems and reportedly have taken steps to fix the flaws.
http://www.wired.com/threatlevel/2010/11/bank-apps-for-phones/
http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?articleID=228200291
[Editor's Note (Pescatore): The Android phone world seems to be trying to compete with the iPhone by saying "Droid does anything - no restrictive App Store." The reality is that the Apple iPhone could actually compete by making the bar a bit higher for iPhone apps, to make sure that the apps don't do silly things like storing account info or passwords in the clear on the phone. I think users are very comfortable with "only" having 20 Tetris games to choose from if they know that none of the 20 are going to send their information to identity thieves.]

Dear Apple,

Please vet submitted Apps more thoroughly for security flaws. Much appreciated!

Dear Google,

'Anything goes' does not trump application security.
--

Evercookie, Koobface boonana worm Trojan, Firesheep and MORE! Oh My

2010-11-05T02:02:00.016-04:00

--
There are four ongoing scary security monsters threatening ALL the popular computer platforms this month. But that I mean they affect Mac, Linux and Windows. At the moment, there is nothing dire or critical about them. But each of them is nasty in their own way.

I've been holding off tackling each of them in order to gather day-by-day new information and to wait for 'the other shoe' to drop from each of them. I expect they're all going to be annoying aspects of our computer lives for quite some time to come. I'll be devoting an article to each of them individually. But first I want to introduce you to our gang of circus animals:

I) A round of applause for the Black Hat creation known as the EVERCOOKIE. Essentially, it is a collective set of methods for spying on your web browser behavior, able to renew itself despite actions you take to prevent it. Stopping this monster can be annoying and complicated. I'll discuss the currently known tricks.

II) Next up in circus ring number 2 is the latest in Java insecurity. As per usual, the utterly chaotic computer security community can't agree upon a name for the thing. Having reviewed the data, I am going with the name Intego are using: Koobface. Because of its various activities, it can be called a worm, a Trojan horse, a root kit, a back door AND a bot. Because its primary interface to the user (or 'LUSER' in this case) is as a Trojan horse, I am unofficially going to refer to it as Trojan.OSX.Koobface.A. Apparently a second version has just been discovered, which I will call Trojan.OSX.Koobface.B. Meanwhile, you are bound to see the exact same thing also called the 'Boonana' Trojan. (o_0)

III) In the third ring of our circus of naughtiness is Firesheep, the Black Hat extension for Firefox that simplifies the long standing ability to spy on and doppelganger anyone connected within the same unencrypted WiFi connection. It's not just for hackers any more! This one piece of software has sparked an Internet encryption revolution, or so I'd like to believe.

IV) But wait! That's not all! Get a load of the latest idiotic idea from The Corporate Oligarchy! They want government access to ALL things encrypted. Say goodbye to Internet privacy! George Orwell's '1984' Big Brother has arrived and you're going to want to kick him in the balls! Anti-privacy efforts have become that invasive and deviant. The control freaks are out to run our lives.
(>_<) ACK!

So hang onto your propeller beanies while, during the next few days, I cover each of these gnarly subjects relevant to the future of Macintosh computer security.

Oh fracking my!
--

Adobe Flash Player 10.1.102.64 CRITICAL Update

2010-11-04T20:09:00.003-04:00

--
THIS MONTH'S critical Adobe Flash Player update for Mac OS X is available a few days ahead of schedule. Thank you Adobe! It patches 18 security holes.

Security update available for Adobe Flash Player

Critical vulnerabilities have been identified in Adobe Flash Player 10.1.85.3 and earlier versions for Windows, Macintosh, Linux, and Solaris, and Adobe Flash Player 10.1.95.1 for Android. These vulnerabilities, including CVE-2010-3654 referenced in Security Advisory APSA10-05, could cause the application to crash and could potentially allow an attacker to take control of the affected system.

Adobe recommends users of Adobe Flash Player 10.1.85.3 and earlier versions for Windows, Macintosh, Linux, and Solaris update to Adobe Flash Player 10.1.102.64. We expect to make available an update for Flash Player 10.x for Android by November 9, 2010. . .

The download link is HERE.

NOTE: We're still waiting for CRITICAL security updates for Adobe Reader 9.4 and Adobe Acrobat 9.4. You can read details about the ongoing security problems HERE.
--

Adobe Flash, Reader and Acrobat CRITICAL Security Hole Of The Month Club

2010-10-29T00:26:00.005-04:00

--
Another month, and other Adobe software security hole exploit. If you still use Flash, pay attention! This security hole is currently being exploited In-The-Wild.

Affected:

-> Adobe Flash Player 10.1.85.3 and earlier

-> Adobe Reader 9.4 and earlier 9.x versions

-> Adobe Acrobat 9.4 and earlier 9.x versions

Hackers exploit newest Flash zero-day bug

Those reports came from Mila Parkour, an independent security researcher who notified Adobe early today after spotting and then analyzing a malicious PDF file. According to Parkour, the rigged PDF document exploits the Flash bug in Reader, then drops a Trojan horse and other malware on the victimized machine.

Security Advisory for Adobe Flash Player, Adobe Reader and Acrobat

This issue is described in CVE-2010-3654.

Adobe provide a workaround in their 'Security Advisory' article linked above. They have promised to fix the security hole by November 9th.

Darn, Adobe blew their quarterly update schedule yet again. Can you comprehend why Adobe still believe in 'scheduled' security updates?
(o_0)

Firefox v3.6.12 Released <- Important security patch

2010-10-28T00:19:00.006-04:00

--
Just gotta love the Mozilla developers! Within A DAY Firefox has been updated to repair a nasty JavaScript security hole being exploited out In-The-Wild. So go grab the thing and update NOW:

Firefox v3.6.12 (English, US)

Thank you Mozilla!
--

Firefox v3.5 & v3.6 Zero-Day Exploit: JavaScript Hell

2010-10-27T17:03:00.005-04:00

--
An active zero-day exploit of Firefox versions 3.5 and 3.6 been found In-The-Wild. (The current version of Firefox is v3.6.11). Specifically, the Nobel Peace Prize website injects malware into victim computers via a newly discovered Firefox security hole. So far, the malware being injected is the Windows-only Trojan horse Belmoo-A. However, the injected malware could just as easily be any of the current Mac OS X Trojans.

Note of course that Trojan horses are inert until a 'LUSER' runs and installs them, providing it with their computer's Administrator password.

Firefox are aware of the situation and are working on a patch. In the meantime, they recommend the workaround of disabling JavaScript (aka ECMAScript), or installing and using the Firefox add-on NoScript. I use NoScript. I love it! I never leave my homepage without it.

As per usual, JavaScript is the bane of the Internet. However, Java isn't fairing too well either, much to everyone's dismay. I'll be writing about Java's security ills early next month.
--

U2 can B Incognito On The InterWebs!

2010-10-13T21:33:00.011-04:00

--
I was just thinking of this today: InterWeb surveillance. Being not exactly friendly toward the "We Must Know ALL!" attitude of the US government and marketing morons, along with "The Customer Is CRIMINAL" attitude of the Corporate Oligarchy, I simply want to be left the frack alone to my personal privacy. No one ever has the right to 'watch' me. I don't deal with peeping pervs at my house, or over the InterTubes.

Therefore, I don't deal with Google collecting data on me wherever I go on the net. I've written about Tracking Cookies here on the blog and how to subvert them. But I get really tired of various websites still attempting to load Google Analytics.

Then I clicked over to Intego's Mac Security Blog this evening. (You'd think they'd pay me for all the PR I give them! ;-) To my synchronistic joy I found a great little article about a niffy kewl Safari extension that does ALL the Google blocking for me. It blocks FaceBook surveillance as well! And here it is:

INCOGNITO

Incognito is a Safari extension that prevents Google and Facebook from following you on the web.

It's a jungle out there
When browsing the web, you are continuously being tracked. Not only by the websites you are visiting, but also by major companies that embed their 'content' into other websites through ads and analytics.
As a result, companies like Google and Facebook have an almost complete picture of your online activity.

Your online counterspy
Incognito protects your privacy by blocking Google Adsense and Google Analytics on non-Google pages. In addition, it allows you to optionally block Facebook content on third-party websites as well as embedded YouTube movies outside of the YouTube website.

No ad-blocker
Although effectively blocking Google Adwords, Incognito is no dedicated ad-blocker. It simply prevents companies from gathering information outside of their own website.

It's FREE.

A similar tool for Firefox is Google Sharing.

The Firefox Addon for the GoogleSharing system. GoogleSharing ultimately aims to provide a level of anonymity that will prevent google from tracking your searches, movements, and what websites you visit.

It's also FREE.

BTW: I also use Safari AdBlocker. And Safari Cookies. I also frequently use software from The Tor Project (formerly The Onion Project), including Vidalia and Tor Button for Firefox, which provides excellent proxy anonymity on the TubeWebs.

IOW: I am the boss of my Internet browsing, not the government, not Google, not the Red Hacker Alliance, not hacker/crackers, not Apple, not Microsoft, not the Neo-Con-Jobs, not nobody, not no how but ME. It is in keeping with my Positive Anarchy point of view. I make all the honest, responsible choices I wish to with total disregard for the extraneous interests of others. Control freaks: Go have an aneurism over it. :-P

Speaking of which: Over at my MacSmarticles blog this coming month, I'm going to be providing lesson articles on how to setup and use Tor, via Vidalia and Tor Button for Firefox. Sorting out how to use tools is a huge PITA if you're not a computer geek. Therefore, I shall be translating the methods into human-speak for mere mortals. Because this is geek level technology, it's still a bit time consuming. But once you get the hang of the protocol and set it all up for the first time, it ain't no big deal.

You too can be 100% INCOGNITO on the Webnets!

~~~~~~~~~~~~~

MenInBlack
The Stranglers
© 1979

We're not here to destroy
We are here to employ

We have come to make you function
So we can eat at our functions

We are the meninblack ...

Information can destroy
So we'll treat you just like toys

Healthy livestock so we can eat
Human flesh is porky meat...

We are the meninblack...

We don't approve of artificial food
We grow you for our own good

First we gave you the wheel
Then we made you live to kill

So the best stock will survive
We eat you all alive

We are the meninblack ...
~~

October Adobe Security Updates: Acrobat, Reader and AIR

2010-10-06T12:41:00.009-04:00

--
Rather quietly, in keeping with Adobe's bad PR attitude, their latest 'CRITICAL' security updates have hit the net. Below are some direct links to help you past the clickity-click-click garbage you have to endure when going through Adobe's home page.

I) Adobe Acrobat Pro v9.4.0 update

IIa) Adobe Reader v9.4.0 update - multiple languages INTEL version

IIb) Adobe Reader v9.4.0 update - multiple languages PPC version

III) Adobe AIR v2.0.4.13090 update

And of course you've already installed Adobe Flash Player v10.1.0 update from two weeks ago, right?

What's been fixed?

Adobe Acrobat and Reader:

This vulnerability (CVE-2010-2883) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild.

--Quoting from CVE-2010-2883:

Stack-based buffer overflow in CoolType.dll in Adobe Reader and Acrobat 9.3.4 and earlier allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a PDF document with a long field in a Smart INdependent Glyphlets (SING) table in a TTF font, as exploited in the wild in September 2010. NOTE: some of these details are obtained from third party information.

Adobe AIR: Beats me! As of today, Adobe have provided NO release notes for AIR v2.0.4. Imagine my cynicism. When Adobe bother to provide release notes, they will appear HERE .

Can anyone spare Adobe an anvil? Mine's in for repair. ;-)

And now it's time for a laugh! Every month this summer Adobe have had 'CRITICAL' security flaws discovered and patched in Acrobat, Reader and Flash Player. There have also been two updates to Adobe Air. Despite this situation, Adobe still hold to the bizarro naive notion of 'quarterly updates'. Here is their message to the world regarding this situation, as of today:

Note that today’s updates represent an accelerated release of the quarterly security update originally scheduled for October 12, 2010. With this accelerated schedule, Adobe will not release additional updates for Adobe Reader and Acrobat on October 12, 2010. The next quarterly security updates for Adobe Reader and Acrobat are scheduled for February 8, 2011.

Right. So we'll all meet back here on February 8th. Sure. Everything will be safe and sound until then! Uh huh.

We know better. See you back here next month!
;-P
--

Adobe Flash Player Updated is to v10.1.85.3

2010-09-21T23:27:00.004-04:00

--
Adobe has successfully hidden from the public, apart from at their two security pages, the fact that a 'Critical' security update was posted to to their website on Monday. The Adobe website simply says you're downloading version 10.1, same as last weeek, which is a worthless statement!

So, grumble, let me do their job for them and let you know that:

A) The current version of Adobe Flash Player for Mac that is up on the Adobe website IS indeed the promised updated version.

B) The previous version of 'Flash Player.plugin' was 10.1.82.76.

C) The new updated version you're installing is 10.1.85.3.

The inevitable rant:

Why this has to be a secret is beyond comprehension. I sniff the scent of some Marketing Moron at Adobe in the air who is attempting spin control by hiding the fact that Adobe has had to provide 'out of band' security updates to Adobe Flash Player EVERY MONTH THIS SUMMER. Sorry marketing kiddies, but facts are facts. You are directly damaging customers by hiding updates from them. This is why I call you Marketing Morons! Get it? Drop an anvil on your head, or whatever it takes, and turn yourselves into beneficial Marketing Mavens and HELP YOUR CUSTOMERS! Otherwise get out of the business and benefit the world by your absence.
--

Adobe Flash Player Security Update: Moved Up To Monday, September 20th

2010-09-18T03:58:00.005-04:00

--
Adobe have announced that they've moved up the critical security update for Flash Player to Monday, September 20, 2010.

Be sure to grab the update ASAP as the security hole it patches (CVE-2010-2884) is being exploited in-the-wild on at least Windows boxes. So far no known exploit is being used on Mac OS X.

You can read Adobe's announcement here:

Schedule Update to Security Advisory for Adobe Flash Player (APSA 10-03)

Meanwhile, the critical security updates for Adobe Reader and Acrobat remain scheduled for the week of October 4, 2010.

--

NEWEST-New CRITICAL Adobe Security Holes déjà vu déjà vu déjà vu...

2010-09-14T12:21:00.012-04:00

--
Question: What is the point of 'in band' quarterly Adobe security updates when this stuff keeps repeating month after month after month?

SHORT VERSION:

Don't use Adobe Reader, Adobe Acrobat, or Adobe Flash until yet-another-nother set of 'out-of-band' security updates are available. Each of these applications have NEW security holes that are being exploited IN THE WILD.

[...Hysterical laughter is heard from some distant room...]

Temporary fix options:

A) PDF Viewing

Use Preview, provided with Mac OS X, for all PDF file reading.

Delete the Adobe PDF Viewer Internet plug-in. You will find it here:

/Library/Internet Plug-ins/AdobePDFViewer.plugin

Delete Adobe Reader 9. You will find it here:

/Library/Applications/Adobe Reader 9

B) Flash Playing

Control Flash in your web browser and/or delete Flash Player:

There are several options for taking control of Flash in your web browser. I personally use ClickToFlash for Safari and other WebKit browsers, as well as Flashblock for FireFox.

OR

Just delete Adobe Flash Player from your computer.

How to remove Adobe Flash Player:

Check to see if you have the 'uninstall_flash_player_osx.dmg' file and run it. It should be located here:

/Applications/Adobe Flash Player/uninstall_flash_player_osx.dmg

OR

You can find and remove the Flash web plug-in files here:

/Library/Internet Plug-Ins/Flash Player.plugin

/Library/Internet Plug-ins/flashplayer.xpt

After deleting Adobe Flash Player files, be sure to Quit then restart your web browsers in order to clean Flash Player out of memory.

~~~~~~~~~~~~~~

LONG VERSION:

Just when you thought your Adobe apps were safe, this dark sense of wariness creeps into your subconsciousness followed by a sense of déjà vu as you read the latest news. I'll let Adobe give you the bad news. Here are the two pages at Adobe where you can find their security announcements:

Adobe Product Security Incident Response Team (PSIRT)

Adobe Security Bulletins and Advisories

The latest Adobe bad news déjà vu déjà vu déja vu (with added emphasis mine):

I) Security Advisory for Adobe Reader and Acrobat (APSA10-02)

Release date: September 8, 2010

Last updated: September 13, 2010

Vulnerability identifier: APSA10-02

CVE number: CVE-2010-2883

Platform: All

SUMMARY

A critical vulnerability exists in Adobe Reader 9.3.4 and earlier versions for Windows, Macintosh and UNIX, and Adobe Acrobat 9.3.4 and earlier versions for Windows and Macintosh. This vulnerability (CVE-2010-2883) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild.

We are in the process of finalizing a fix for the issue and expect to provide updates for Adobe Reader 9.3.4 for Windows, Macintosh and UNIX, and Adobe Acrobat 9.3.4 for Windows and Macintosh during the week of October 4, 2010.

Please note that these Adobe Reader and Acrobat updates represent an accelerated release of the next quarterly security update originally scheduled for October 12, 2010. With this accelerated schedule, we do not plan to release any new updates for Adobe Reader and Acrobat on October 12, 2010.

AFFECTED SOFTWARE VERSIONS

Adobe Reader 9.3.4 and earlier versions for Windows, Macintosh and UNIX
Adobe Acrobat 9.3.4 and earlier versions for Windows and Macintosh

MITIGATIONS

Current exploits in the wild target the Windows platform. Customers using Adobe Reader or Acrobat 9.3.4 or earlier on Windows can utilize Microsoft's Enhanced Mitigation Evaluation Toolkit (EMET) to help prevent this vulnerability from being exploited. For more information on EMET and implementing this mitigation, please refer to the Microsoft Security Research and Defense blog. Note that due to the time-sensitive nature of this issue, testing of the functional compatibility of this mitigation has been limited. Therefore, we recommend that you also test the mitigation in your environment to minimize any impact on your workflows.

SEVERITY RATING

Adobe categorizes this as a critical issue.

DETAILS

A critical vulnerability exists in Adobe Reader 9.3.4 and earlier versions for Windows, Macintosh and UNIX, and Adobe Acrobat 9.3.4 and earlier versions for Windows and Macintosh. This vulnerability (CVE-2010-2883) could cause a crash and potentially allow an attacker to take control of the affected system. Adobe is aware of public exploit code for this vulnerability.

Adobe actively shares information about this and other vulnerabilities with partners in the security community to enable them to quickly develop detection and quarantine methods to protect users until a patch is available. As always, Adobe recommends that users follow security best practices by keeping their anti-malware software and definitions up to date.

We are in the process of finalizing a fix for the issue and expect to provide updates for Adobe Reader 9.3.4 for Windows, Macintosh and UNIX, and Adobe Acrobat 9.3.4 for Windows and Macintosh during the week of October 4, 2010. These updates will also address the issue referenced in Security Advisory APSA10-03 (CVE-2010-2884).

Please note that these Adobe Reader and Acrobat updates represent an accelerated release of the next quarterly security updates originally scheduled for October 12, 2010. With this accelerated schedule, we do not plan to release any new updates for Adobe Reader and Acrobat on October 12, 2010.

Users may monitor the latest information on the Adobe Product Security Incident Response Team blog at the following URL: http://blogs.adobe.com/psirt or by subscribing to the RSS feed here: http://blogs.adobe.com/psirt/atom.xml.

ACKNOWLEDGMENTS

Adobe would like to thank Mila Parkour of http://contagiodump.blogspot.com for working on this issue with Adobe to help protect our customers.

REVISIONS

September 13, 2010 - Updated information on the release schedule, and that the releases represent the next quarterly security update (originally scheduled for October 12, 2010).
September 10, 2010 - Added the Mitigations section with instructions for a mitigation option for Windows users.
September 8, 2010 - Advisory released.

II) Security Advisory for Adobe Flash Player (APSA 10-03)

Release date: September 13, 2010

Vulnerability identifier: APSA10-03

CVE number: CVE-2010-2884

Platform: All

SUMMARY

A critical vulnerability exists in Adobe Flash Player 10.1.82.76 and earlier versions for Windows, Macintosh, Linux, Solaris, and Adobe Flash Player 10.1.92.10 for Android. This vulnerability also affects Adobe Reader 9.3.4 for Windows, Macintosh and UNIX, and Adobe Acrobat 9.3.4 and earlier versions for Windows and Macintosh. This vulnerability (CVE-2010-2884) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild against Adobe Flash Player on Windows. Adobe is not aware of any attacks exploiting this vulnerability against Adobe Reader or Acrobat to date.

We are in the process of finalizing a fix for the issue and expect to provide an update for Adobe Flash Player for Windows, Macintosh, Linux, Solaris, and Android operating systems during the week of September 27, 2010. We expect to provide updates for Adobe Reader 9.3.4 for Windows, Macintosh and UNIX, and Adobe Acrobat 9.3.4 for Windows and Macintosh during the week of October 4, 2010.

AFFECTED SOFTWARE VERSIONS

Adobe Flash Player 10.1.82.76 and earlier versions for Windows, Macintosh, Linux, Solaris, and Adobe Flash Player 10.1.92.10 for Android
Adobe Reader 9.3.4 and earlier versions for Windows, Macintosh and UNIX
Adobe Acrobat 9.3.4 and earlier versions for Windows and Macintosh

SEVERITY RATING

Adobe categorizes this as a critical issue.

DETAILS

A critical vulnerability exists in Adobe Flash Player 10.1.82.76 and earlier versions for Windows, Macintosh, Linux, Solaris, and Adobe Flash Player 10.1.92.10 for Android. This vulnerability also affects Adobe Reader 9.3.4 for Windows, Macintosh and UNIX, and Adobe Acrobat 9.3.4 and earlier versions for Windows and Macintosh. This vulnerability (CVE-2010-2884) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild against Adobe Flash Player on Windows. Adobe is not aware of any attacks exploiting this vulnerability against Adobe Reader or Acrobat to date.

We are in the process of finalizing a fix for the issue and expect to provide an update for Adobe Flash Player for Windows, Macintosh, Linux, Solaris, and Android operating systems during the week of September 27, 2010. We expect to provide updates for Adobe Reader 9.3.4 for Windows, Macintosh and UNIX, and Adobe Acrobat 9.3.4 for Windows and Macintosh during the week of October 4, 2010.

Adobe actively shares information about this and other vulnerabilities with partners in the security community to enable them to quickly develop detection and quarantine methods to protect users until a patch is available. As always, Adobe recommends that users follow security best practices by keeping their anti-malware software and definitions up to date.

Users may monitor the latest information on the Adobe Product Security Incident Response Team blog at the following URL:

http://blogs.adobe.com/psirt

or by subscribing to the RSS feed here:

http://blogs.adobe.com/psirt/atom.xml

ACKNOWLEDGMENTS

Adobe would like to thank Steven Adair of the Shadowserver Foundation for working with us on this issue with Adobe to help protect our customers.

~~~~~~~~~~~

And now for another rant:

This past week we learned that the first version of Adobe Flash Player had been released for the Google Android OS for smartphones. We also learned that it is a dreadfully buggy, slow, battery consuming POS. Now we learn, if you read through the Adobe bulletins above, that Flash for Android has a 'critical' security hole.

These two Adobe Flash problems were known over a year ago. Dr. Charlie Miller warned us that Flash is the single biggest source of pwnage security holes on the Mac OS X platform. Steve Jobs made it clear that Flash for Mac is a resource hog, verifiable by anyone with a brain (which apparently is not the case with Adobe's current CEO). It is no surprise that Flash turns out to be a resource hog, running as slow as a one-legged dog on Android.

Conclusion: It's time for Flash to die.

Then what?

Contrary to popular mythology, there is no perfect replacement for Flash. The HTML5 video spec promises to replace one niche for Flash with a totally free-forever video playing alternative. (Yes kids. The patent holders for H.264 are giving it away for everyone forever). However, actual Flash applications will be more difficult to replace. These include games, slideshows, web page embedded applications, etc.

Once upon a time we dreamed that Java would take up these roles, and perhaps it may someday. But for now, Java is considered much more difficult to program than Flash, slow to run, and Java has its own security problems. Ideally a Java app building program, as easy as Flash, will appear and will use stringent security protocols, secure memory management and decent speed along with restrained CPU access. It could happen! For all I know, such a Java app builder already exists. Please post a comment if you have related information.

In the meantime, I'm supported the death sentence for Adobe Flash.

Share and Enjoy,

:-Derek
--

Adobe 'Out Of Band' CRITICAL Update Parade: Shockwave Player v11.5.8.612

2010-08-25T15:16:00.005-04:00

--
Adobe continues their parade of CRITICAL security updates with Shockwave Player v11.5.8.612. Thankfully, you only have to make one click on one page to download it. (Someone over there is getting the clue). And get this! (Don't go into shock!) It's 64-bit! Here is the download page link:

Shockwave Player v11.5.8.612

You can read about the security patches HERE.

To quote Adobe:

The vulnerabilities could allow an attacker, who successfully exploits these vulnerabilities, to run malicious code on the affected system.

My quick summary:

There are 20 security patches.

-> 16 patches are for memory corruption vulnerabilities (aka buffer overflow bugs).

-> 2 patches are for DOS (denial of service) attack issues.

-> 1 patch is for a pointer offset vulnerability.

-> 1 patch is for an integer overflow vulnerability (aka buffer...).

The update is for both Mac and Windows versions. Adobe don't note any in-the-wild exploits at this point. But as per usual, keep up to date with App and OS security patches!
--

Apple Security Update 2010-005

2010-08-24T18:09:00.006-04:00

--
Apple have released FOUR versions of Security Update 2010-005. The versions are linked below:

Mac OS X Snow Leopard Client - 80.63 MB

Mac OS X Snow Leopard Server - 136.86 MB

Mac OS X Leopard Client - 211.88 MB

Mac OS X Leopard Server - 418.92 MB

The general downloads page can be found HERE.

You can read about the security patches HERE.

My quick summary:

There are 8 security patches.

-> 2 PHP patches: One patches a buffer overflow vulnerability regarding maliciously crafted PNG image files. The other updates PHP to version v5.3.2, which itself provides a variety of security patches to such things as further buffer overflow vulnerabilities.

-> 1 Samba patch: A buffer overflow...

-> 1 Apple Type Services (ATS) patch: A vulnerability to maliciously crafted embedded fonts due to a buffer overflow...

-> 1 CFNetwork patch: Prevents a man-in-the-middle attack that could redirect network connections and intercept a user's sensitive information such as their user credentials.

-> 1 ClamAV patch: Updates the versions of ClamAV in Mac OS X Server 10.5 and 10.6 to version 0.96.1, solving multiple vulnerabilities.

-> 1 CoreGraphics patch: A heap buffer overflow due to maliciously crafted PDF files. (Presumably this is related to a similar problem in iOS v4.0).

-> 1 libsecurity patch: Improves the handling of certificate host names, preventing a website impersonation attack.
--

Adobe 'Out Of Band' CRITICAL Updates Parade: Acrobat and Reader v9.3.4

2010-08-19T13:56:00.013-04:00

--
And the parade marches on. At last we have the latest in CRITICAL Adobe security hole updates. This time the updates are for Adobe Acrobat and Adobe Reader. GET THEM NOW!

Because the process of getting to actual download links at the Adobe site is a huge PITA, here are direct URLs for English Intel Mac users. Send me virtual luv:

Acrobat Reader v9.3.4 update

Adobe Acrobat 9.3.4 Pro update

The general update page for all other users and versions is HERE.

What's so CRITICAL? The update's security bulletin is HERE.

To quote Adobe:

These updates address CVE-2010-2862, which was discussed at the Black Hat USA 2010 security conference on Wednesday, July 28, 2010. They also incorporate the Adobe Flash Player update as noted in Security Bulletin APSB10-16.

My summary:

1) The updates patch memory corruption vulnerabilities that could lead to hacked code execution on your Mac and/or program crashes. IOW its more of the same old buffer overflow problem that plagues current computer coding in general. (As found in CVE-2010-2862).

Quoting from the CVE:

Integer overflow in CoolType.dll in Adobe Reader 8.2.3 and 9.3.3, and Acrobat 9.3.3, allows remote attackers to execute arbitrary code via a TrueType font with a large maxCompositePoints value in a Maximum Profile (maxp) table.

2) They solve a social engineering attack security hole via PDF files that could lead to hacked code execution on your Mac. (As found in CVE-2010-1240).

Quoting from the CVE:

Adobe Reader and Acrobat 9.x before 9.3.3, and 8.x before 8.2.3 on Windows and Mac OS X, do not restrict the contents of one text field in the Launch File warning dialog, which makes it easier for remote attackers to trick users into executing an arbitrary local program that was specified in a PDF document, as demonstrated by a text field that claims that the Open button will enable the user to read an encrypted message.

~~~~~~~~~~

BTW: Looking up CVE reports is easy, if snooze inducing. Just go to the National Vulnerability Database site (at the National Institute of Standards and Technology) and search on the CVE number. Here is the URL to get you started:

National Vulnerability Database (NVD) Search Vulnerabilities

And now for a rant:

If you're wondering why these simple and specific CVE searches take a long time (zzzzz) to resolve, it's the decrepit US government. It's Microsoft Windows. It's ancient old PCs the government is too cheap to replace, cranking away on stuff that takes any modern Mac a microsecond. (But of course, the government did manage to fund the infamous 'Bridge To Nowhere' in Alaska, hardy har har, porky pork, oinky oink, so long Ted Stevens you parasite).

I was once offered a job at the Department of Wildlife. I took one look at their computers and wondered what would be the appropriate response: Running away screaming OR sauntering out laughing?

In any case, if you've ever wondered why it's so incredibly easy for The Red Hacker Alliance in Red China and other such scum to hack into US government computers, look no further for your answer. Much as I hated the Bush League, much as I'd like to support the Obama Era, this stupid state of affairs continues. Note the fact that the Obama Administration hired ex-Microsoft executives and coders to help them solve their computer security crisis. That's right! They hired the CAUSE of the problem to SOLVE the problem.
(o_0)

Hmm. What would be the appropriate response? I'll leave it to you to decide.

CUL8R!
Stay safe.
Stay secure.
Don't touch my cookies.

;-Derek
--

Adobe Flash, AIR, PDF, Acrobat and Reader: Security Statistics Sources

2010-08-13T06:04:00.004-04:00

--
Earlier today, I was helping out a reader at MacDailyNews.com who had the following question:

'BSOD' asks: "Does anyone have statistics on exactly how many security holes have been opened up by Flash, Air, and PDF? I think that we need to see that stat."

My answer is of general interest. Therefore, I am posting it here for your reading pleasure:

You can dig around at the CVE site for each of them. CVE stands for Common Vulnerabilities and Exposures. It keeps track of each reported software security problem:

http://cve.mitre.org/

Wikipedia.org also covers each of them and gives a general description of their security:

Adobe Flash: "As of May 17, 2010, The Flash Player has 77 CVE entries, 34 of which have been ranked with a high severity (leading to arbitrary code execution), and 40 ranked medium."

Adobe PDF: "On March 30, 2010 security researcher Didier Stevens reported an "exploit" that causes an arbitrary executable to be run when a PDF file is opened, after the user accepts a warning prompt. The exploit works in several different PDF viewers including Adobe Reader and Foxit Reader."

And, earlier this year Adobe were embarrassed into creating the Adobe Product Security Incident Response Tearm (PSIRT). You can keep up with their blog here:

http://blogs.adobe.com/psirt/

Adobe maintain their Security Bulletins and Advisories page, going back to 2005, here:

http://www.adobe.com/support/security/

• There are approximately 88 Adobe Flash security bulletins.
• There are 6 Adobe PDF security bulletins.
• There are over 100 Adobe Acrobat security bulletins.
• There are over 100 Adobe Reader security bulletins.
• The only Adobe AIR related bulletin is the Adobe Flash bulletin from June 10, 2010.

Update: Secunia Half Year Report 2010 & QuickTime Hell

2010-08-12T13:26:00.005-04:00

--
In a previous article, entitled "Desperate Propaganda..." I had a rant-fest regarding a PC World FUD-fest regarding Apple security. The author, Preston Gralla, managed to spew out this line of deceit:

:-Q****** "The security company Secunia reports that Apple products have more vulnerabilities than those of any other company."

This was clearly taken as a hit at all Apple products. What was missing was any reference to the context of the source Secunia report, which you can read HERE. I knew better, having been an avid Secunia reader since 2005. In fact, the only Apple products noted in the report were QuickTime and iTunes on Microsoft Windows. Secunia didn't cover any other Apple products.

When I read through the entire Secunia Report I found nothing of relevance to Mac OS X except the fact that the Apple apps discussed are prone to the same problems on Mac OS X as well as Windows.

QuickTime Hell

In previous articles I've covered the major problems with QuickTime, the biggest culprit of Apple security holes. It is used in iTunes, thus making iTunes just as vulnerable. In summary, QuickTime stumbles over malicious ECMAScript (aka 'JavaScript') and coding errors that allow malicious buffer overflows.

Supposedly Apple has been overhauling QuickTime. The first peak at it has been QuickTime Player X. But as far as any user can tell, the QuickTime X project is stalled at version 1.0.0. What we have on Snow Leopard is entirely inadequate, incomplete and buggy. Serious QuickTime users are required to also install QuickTime version 7, the current version of which is 7.6.6.

Hopefully Apple will get back to work on revising QuickTime now that iOS 4 has been completed and released.
--

To: 'hip' Re: iMac_Sux.dmg

2010-08-11T18:28:00.010-04:00

--
Recently a reader nicked as 'hip' sent me the URL to an evil crapware file entitled 'iMac_Sux.dmg'. Here is his full message with the exclusion of the URL for downloading the file:

Wanna crash an iMac?
Just mount this .dmg file, then have a look at what MassStorageCamera is doing.
It will be consuming all RAM and processors!!

I am not providing the URL in order to avoid being accused of distributing the thing.

Thank you 'hip'! I checked out the website where the file is located and enjoyed it. I particularly enjoyed the page quotations from The Hipcrime Vocab by Chad C. Mulligan. The insights are refreshing after living amidst the Neo-Con-Job / Tea Party / FuxNews / News Corp / Rupert Murdock Regime gibberish age within the USA where intelligent thoughts and verifiable facts are out of fashion.

I ran the .dmg and it did exactly as expected, without crashing my MacBook 2 GHz from 2006-11. It also auto-opened the 'CameraWindow' application that I installed for my Canon camera. I checked through the code within the .dmg and am going to 'guestimate' that the resource scripting near the end is instructing Mac OS X to treat the entire boot volume as a camera image volume. I was too bizy and lazy to dig further.

Clearly this is a very simple call being made within the .dmg that fools Mac OS X into thinking the opening .dmg volume is a camera. Fascinating. The fault of course is in MassStorageCamera for being allowed to eat your Mac alive. As I've pointed out previously, even Intego's VirusBarrier application has race condition bugs.

My POV: I've studied coding as well as code project management. Coding these days is typically for applications, etc., that are so vast that no single human being can comprehend them. The result is coding-by-committee which in and of itself is a guaranteed mess. There is also the eternal pressure of 'Do Less With Less' from clueless biznizz management and nagging clients, none of whom comprehend the escalating difficulties of coding. Then there is the basic crappiness of the archaic coding languages we still use these days. Anything based on 'C' coding is going to have plenty of problems if only from buffer overflows, the single largest coding plague of our day. We're also stuck with ECMAScript for Internet scripting (which incorporates LiveScript/JavaScript, the JScript abomination from Microsoft and the ActiveScript mess from Adobe). Java continues to FAIL to live up to the hype, causing its own security and memory problems. Then there are the eternal security holes in PHP and SMB on and on.

I'm not at all surprised that Apple missed the bug inherent in the 'iMac_Sux.dmg' file. I can easily see them being aware of it and tossing it on the back burner if only because it does not represent a security or major crashing problem. Similar CPU and RAM devouring buggy code has been around for many years. What sucks most is when system calls can crash the entire computer. Not having an iMac around to play with, I can't verify that this file crashes the machine. But I am going to guess that with current Intel iMacs it does not.

Dr. Charlie Miller and Dino Dai Zovi have the current best Mac hacking & cracking & pwning etc. book available for Mac OS X entitled 'The Mac Hacker's Handbook'. Both of them have Twitter accounts to follow. Both are very amusing to read. Dr. Miller is brilliant at coming up with methods for testing and breaking into Mac OS X. This past spring he won yet another Pwn2Own contest. He gave a presentation at Black Hat this last week where, among other things, he revealed yet-another security hole in Adobe Acrobat and Reader.

Here is a fun interview with Dr. Miller from March:

http://www.oneitsecurity.it/01/03/2010/interview-with-charlie-miller-pwn2own/

CONCLUSION: Expect security holes. Expect coding errors. There is no such thing as a perfect coder. There is no such thing as a perfect application or operating system.

I'll also add my usual coda: The only people I've ever heard or read saying that 'Macs never have security problems' are either NEWBIES or TROLLS. One of course never takes seriously the word of either of these species of human. It is well worth keeping track of Mac security. It is also well worth sorting out Mac security FUD from FACT.

BTW: Considering all of the above, what are the chances that humans will ever create Turing Test verifiable Artificial Intelligence? Not in my lifetime! No SkyNet worries.
;-D
--

New CRITICAL Adobe Flash Player v10.1.82.76 & Adobe Air v2.0.3 Updates

2010-08-11T18:02:00.005-04:00

--
Today Adobe updated Flash Player to version 10.1.82.76 and Adobe Air to version 2.0.3. The updates patch 6 CRITICAL security holes. Here are the security patch details:

Critical vulnerabilities have been identified in Adobe Flash Player version 10.1.53.64 and earlier. These vulnerabilities could cause the application to crash and could potentially allow an attacker to take control of the affected system.

This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-0209).

This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-2188).

This update resolves multiple memory corruption vulnerabilities that could lead to code execution (CVE-2010-2213).

This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-2214).

This update resolves a vulnerability that could lead to a click-jacking attack. (CVE-2010-2215).

This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-2216).

Adobe recommends users of Adobe Flash Player 10.1.53.64 and earlier versions update to Adobe Flash Player 10.1.82.76. Adobe recommends users of Adobe AIR 2.0.2.12610 and earlier versions update to Adobe AIR 2.0.3.

The download links are provided on Adobe's Security Bulletin page HERE.

Lately, Adobe's Flash Player has been considered the most dangerous application for Mac OS X from a security point of view. It is important to keep track of ALL Adobe updates at this point in time. We are still waiting for NEW updates to Adobe Acrobat and Adobe Reader that patch security holes announced last week HERE.
--

Desperate Propaganda, aka FUD, in the Anti-Malware Community

2010-07-24T17:02:00.013-04:00

--
We are living not only the 'The Age of Triva' as I call it, but 'The Age of the Marketing Moron'. Marketing Morons treat the customers and clients as worthless scum only valuable for their money.

Lately I have been wondering if biznizz skoolz deliberately teach their MBA candidates how to be effective psychopaths. Who is better at abusing other humans than a psychopath? I read this past week that an estimated 10% of biznizz executivez are psychopaths because it is such an in-demand mental illness for the creation and execution of biznizz ambitions. Imagine that. Variations of Bernie Madoff may be running your company. No wonder we're in a lingering economic depression.

[Note: I use the terms 'biznizz', 'executivez', 'skoolz' etc. whenever discussing deceitful aberrations from respectable forms of the subject. Deliberately distorted spelling is an enjoyable method of both sarcasm and laughter.]

Last week Intego pulled a FUD (Fear, Uncertainty and Doubt) move with their monstrosity 'Learn About Mac Malware'. This week it is being reported, by PC World, that Secunia have joined the anti-Apple security FUD circus. I'll decide that for myself in a future article. For now, it's of interest to take a look at the utter bullshite perpetrated by PC World. It doesn't get much more stooopid:

Security Firm: Apple Has More Security Holes Than Microsoft

The first sentence in this article gives away the show. This is FUD:

Here's another blow to those insist that Apple products are rock solid and unhackable

As I wrote to PC World:

No one says "Apple products are rock solid and unhackable" except YOU PC World. It is an invented club with which to slam and abuse Mac users. It's called desperate propaganda, aka FUD

I also wrote to PC World, and posted at FaceBook:

Facts (vs FUD) regarding Macintosh security:

Number of Mac OS X viruses: 0
Number of Mac OS X worms: 0
Number of illegal Mac OS X spyware: 1
Number of Mac OS X Trojan horses: 23

Compare that to the number for Windows and decide for yourself.

No one ever said Mac OS X was perfect (except trolls). But it remains the single most secure GUI operating system available. The only operating systems that are more secure:
- OpenBSD
- FreeBSD

And Mac OS X contains elements of both these operating systems. No coincidence.

Suggestion: Do your homework before posting about Mac OS X.

Here is a ticked-off post I made over at MacDailyNews regarding this FUD:

ANTI-FUD:

I receive EVERY Secunia report they publish via eMail.

Want to know what they publish every week? A GIGANTIC PILE of Windows vulnerabilities and extremely few Mac OS X vulnerabilities, as in about 1 (ONE) per month, at a guess.

This FUD attack 'by Secunia' [by PC World!] is made utterly hilarious by their own publications. Don't believe me. Go look for yourself:

http://secunia.com

Examine the home page. What do you see Highlighted there? Today:
- Microsoft Windows Shell Shortcut Parsing Vulnerability
- Apple iTunes "itpc:" Handling Buffer Overflow [That is SPECIFIC to WINDOWS ONLY]
- Microsoft Windows MFC Document Title Updating Buffer Overflow

Is there ANYTHING there related to Mac OS X? NO!

So what's with the FUD?

--> The fact that nearly the entire Anti-Malware Community lives off the security FAILures of Windows. Therefore, obviously, everyone MUST USE WINDOWS in order to keep them all employed!

∑ = Pure Adulterated PROPAGANDA

And no folks. There is nothing perfect about Mac OS X security. It just happens to be the most reliable of any GUI OS on the market. The only OSes with better security reputations are:
- OpenBSD
- FreeBSD

And oh look. Mac OS X contains elements of BOTH these OSes.

Hey FUD mongers: GET BENT.

Meanwhile, you can take a look at the Secunia report that inspired the FUD. It is a PDF file:

Secunia Half Year Report 2010

Seeing as PC World has no interest in factual Macintosh security information, and may well be spinning FUD regarding Secunia, I'm going to give the report a read myself. If I find anything of interest to Mac users, I'll post.

Share and Enjoy!
--

Firefox Add-On Security Alert! Mozilla Sniffer, CoolPreviews, Master Filer

2010-07-15T17:57:00.009-04:00

--
Graham Cluley at Sophos.com has provided a great article at his blog about BAD Add-Ons for Firefox. The most recent is nasty spyware, another is infected with a spyware Trojan horse, and the last has a potentially dangerous security hole that could lead to PWNing your machine:

Mozilla pulls password-sniffing Firefox add-on

All of these Firefox Add-Ons have been blocked from distribution by Mozilla. But if you happen to have them laying around or have installed them: Kill them.

Mozilla Sniffer: It has been available since June 6, 2010. It spies on Internet passwords you enter in Firefox and sends them to nefarious fiends.

Master Filer: The infected version has been available since earlier in 2010. It is infected with the LdPinch Trojan horse, which also steals your Internet passwords and sends them to nefarious fiends.

CoolPreviews: Versions 1.0 through 3.0.1 have a demonstrated security vulnerability that could allow run malicious code on your computer. (Sounds like a typical buffer overflow problem). Proof-of-concept code has been created that demonstrates how to perform the hack. Therefore, it is critical to update to the latest version of CoolPreviews.

There have been other BAD Add-Ons as well, all of which Mozilla have blocked from distribution.

As a side note:

This same sort of problem has been plaguing the Android community whereby anyone can post anything as an application, including crapware and malware. As with Mozilla, Google have no formal system for approving or filtering bad software apart from reports from users. Therefore, it is likely that a number of people are going to be victims of BAD software before it is removed from distribution.

To be honest, this lack of formal software scrutiny system is what we are all used to in the general computer community. The best workarounds have been the use of websites like MacUpdate, VersionTracker, TuCows, MajorGeeks, etc., where either the site managers or other users have tried and rated the software.

For better or worse, Apple now use a formal scrutiny system at their App Store for the iPhone, iPod Touch and iPad. If you download a CrapApp onto your iOS device, you can point fingers at Apple for messing up. Microsoft have had a copycat scrutiny system for their Zune thing app store and plan the same thing for their Windows Phone 7ista OS thingies. Meanwhile, for all other devices, it is that mean old adage: Caveat emptor, IOW Downloader Beware.
--

Intego Errors! Marketing Vs Fact, Money Vs Reality

2010-07-13T23:08:00.016-04:00

--
Kids. Didn't I tell you the computer anti-malware community was 'unprofessional'? Here we go again.

For shame Intego! Publishing FUD to sell your anti-malware software. For shame!

I like the folks at Intego a lot. But this is the SECOND time they have outright FUDed the public for the sake of making sales of their indeed superior anti-malware software. Note that this is entirely in line with our current era of PROPAGANDA at the expense of both facts and reality. I DESPISE FUD! I DESPISE PROPAGANDA! If you check out my zunipus blog you'll see I'm well versed on the subject.

This very WRONG page of information was posted at the Intego website this week. It makes me want to gag. It's crap like this that inspires me to keep writing my own, independent, 'hey look at me I have a brain in my head', Mac-Security blog:

Intego: Learn About Mac Malware

The Post-Mortum:

I) This page claims to provide a "clear explanation of what types of viruses and malware are a danger for Mac OS X."

Bullshit.

There is nothing 'clear' about FUDing customers and confusing them with ignorant information. If you haven't already spotted the garbage on this page, read on.

II) The Mac picture provided on the page, with its arrows to various malware, includes the word "Botnet". This is WRONG. There is no such thing as a 'botnet' form of malware. A 'botnet' is the result of having many computers infected with BOT malware. The software that infects your computer is called a 'bot.' Not a 'botnet'. A BOT!

III) The paragraph entitled "MAC VIRUS" is WRONG. There are NO viruses for Mac OS X. There never have been any viruses for Mac OS X. So this paragraph must be proceeded with the word:

NO

The description of viruses by Intego in this wrongful paragraph is entirely inadequate. Read these instead:

Computer Virus
or
What is virus?

In fact there are dozens of pages on the Internet that have superior descriptions of computer viruses. Google "What is a computer virus?"

IV) Examining the wrongful "MAC VIRUS" paragraph we see two wrongful examples. They are NOT viruses. Here is what they REALLY are: PROOF OF CONCEPT malware. Did you see 'Proof Of Concept' listed as a type of malware in Intego's illustration? No. Why? Because they are only demonstration malware that are NOT released into the wild, cannot replicate in the wild, and are only created to prove a software security problem. They are HARMLESS to one and all except on test machines used for EXPERIMENTATION. Anyone telling you that Proof of Concept malware will ever appear on your machine at any time, except within an experimentation situation, are FUDing you. FUD = a classic form of propaganda known as FEAR, UNCERTAINTY and DOUBT.

You can read about FUD here:

Fear, uncertainty and doubt (FUD) is a tactic of rhetoric and fallacy used in sales, marketing, public relations, politics and propaganda.

If you'd like to read about Proof Of Concept malware, check these out:

Proof of concept

Prototype

What is proof-of-concept virus?

And for fun, here is what these two Proof of Concept malware actually do:

A) OSX.MacArena.A - Here is a quotation from 2006 from Kaspersky's Securelist.com:

"Macarena was the first attempt to create a virus for Mac OS X that infects mach-o format executable files. The virus only infects files in the current directory and only runs on Intel platforms, i.e. it does not pose a threat to machines with ppc architecture. These malicious programs are purely proof of concept code, i.e. they demonstrate that such programs can be created."

Darn. This thing can only self-propagate within its own current directory. Wow. So scary. It is NOT in the wild. It does NOTHING to harm your computer. Not-a-thing.

B) "OSX/Oomp-A or Leap.A" - First off, note use of two different names for the exact same thing, AND the total lack of conformity to the published malware naming standard. I'd be ticked off, except this is again harmless proof of concept malware, so who cares. Here is an article from Macworld, published in 2006, about what is ACTUALLY called the "Oompa-Loompa Trojan" by the first person to publicly describe it, Andrew Welch of Ambrosia Software:

Reports emerge of Mac OS X Trojan horse or worm

"Reports indicate that someone has let loose a “Trojan horse” or worm for Mac OS X users. The program is hidden within a package that purportedly contains screenshots of Apple’s as-yet unannounced next major revision to Mac OS X. Whether it’s a Trojan horse or worm seems to vary depending on the source of the information."

Do you see the word 'virus' in this description? NO.

"So-called Trojan horses are differentiated from viruses because they masquerade as a regular application or file and do not replicate themselves arbitrarily."

Ah! So NOT a virus!

"Anti-virus software maker Sophos takes issue with this description claiming this is the “first ever virus for Mac OS X.”

Traveling over to the Sophos page, what do we see in the TITLE of their article?

"First ever virus for Mac OS X discovered
OSX/Leap-A worm spreads via iChat instant messaging software"

So it's a 'worm', and NOT actually a virus. That's what Sophos are actually saying.

But I thought proof of concept OSX.MacArena.A was "the first attempt to create a virus"!!!

Are you getting the idea of how chaotic the anti-malware community can be?

And guess what folks. Ooompa-Loompa was made entirely INERT with the next Apple revision of iChat. So be scared. Be VERY scared!

And no, it's NOT a virus. No, it CANNOT replicate itself in-the-wild. This thing can only replicate via iChat within a LAN. That means it hasn't even got a clue what the Internet is. Got that? NOT-IN-THE-WILD at all. It can't get there. There was only ever ONE place it was ever found on the Internet, at that was in a forum at a Mac rumor website.

V) Then we move along to the wrongful paragraph about BOTs. I'm perfectly happy to ALSO call them by other malware names. But the ONLY bots for Macs exist in the form of Trojan horses. There are three of them: Trojan.OSX.iServices.A - C, which is to say that there are versions A, B and C. They have only ever been found, as Intego indicate, within the installers of pirated software. These include pirated copies of Apple iWork and Adobe Photoshop CS4.

Once Macs were infected, via these pirated installers, with the bots, the computers were then 'zombied' or 'botted'. Via communication over the Internet, these machines then joined into what is called a 'botnet'. In early 2009 there was a guestimate that the resulting botnet contained over 10,000 Macs, which indicates the popularity of pirated software. The only published attack carried out by this botnet that I am aware of was a DDOS, or Distributed Denial of Service attack. I've never heard or read about it again. But note that this malware is indeed still in-the-wild and can infect you.

VI) Then we get to the WORM section: Note how Intego don't list any for Mac. That's because THERE AREN'T ANY for Mac, except as Proof of Concept malware. Yawn. Therefore, this section also requires the removal of the 'YES' to be replaced with:

NO

The description of worms here is poor. Reading this stuff you'd think they were the same thing as viruses. They aren't. Read this from Wikipedia.org:

Computer worm

"Unlike a virus, it does not need to attach itself to an existing program. Worms almost always cause at least some harm to the network, if only by consuming bandwidth, whereas viruses almost always corrupt or modify files on a targeted computer."

The main, if not only, point of a worm is self-replication. Whereas, the point of a virus is not merely to replicate but to DAMAGE.

~~~~~~
I know Intego are not going to be pleased that I've ripped apart this blatant propaganda / FUD piece. To be honest, I'm really miffed that I, a non-professional in the Mac malware field, end up having to point out these ERRORS and FUD. If dimwit security amateur me knows full well the bullshit in this Intego article, why the hell are the 'professionals' at Intego publishing it?!

My proposal:

Dear Intego,

FIRE your Marketing Manager. Dishonest marketing damages your company's reputation. Witness Adobe.

And please don't bother writing to me to attempt to explain the bullshit in your article! Just take the article down, remove it, kill it. Then get a serious professional at Intego, (I know they exist! I've talked to them!), to write a seriously HELPFUL, HONEST and INFORMATIVE article that misleads no one and educates everyone. THAT will bolster your reputation and sales. Not this FUD crap.

Where's my aspirin?
--

Windows Users ONLY:Adobe Screw Up Yet-Again!Acrobat & Reader UpdatesDON'T Fix PDF Security Hole

2010-07-13T22:36:00.006-04:00

--
For Frack's sake! Adobe = Idiotic Security.

I'm patience counting again: 1 - 2 - 3 . . .

NOTE: This is ONLY a Windows user problem. We Mac OS X users can sit back and gasp. But we are NOT affected (as far as we can tell at this time).

We know Adobe security is bad. We know their attitude toward their security problems is bad. But now we can verify that Adobe are indeed idiots at security. This incident throws their security incompetence into a whole other ballpark.

Enough ranting from me. Windows Users, read and weap this message from Intego:

Last Adobe Reader and Acrobat Update Doesn’t Fix PDF Bug

"... It turns out that Adobe’s fix was not enough. Adobe is aware of the issue and will be issuing an update to the update soon."

Keep in mind, Mac users, that if you use Windows you ARE affected. This means if you load Windows via virtualization or natively via Boot Camp. This PDF exploit is active in-the-wild. Beware.

Again, only Acrobat 8 and Reader 8 are safe. You can roll back to those versions and you're fine. It's Windows versions 9.x that are being exploited. Do NOT use them at this time on the Internet. Do NOT use them with any PDF file that you have not verified as 100% authentic and safe.

And of course, if you're affected, write Adobe a great big 'Thank You' note for being so kind, caring and conscientious toward their customers. /s

[Newbies: "/s" designates sarcasm]
--

They're Here!Adobe CRITICAL Updates:Acrobat & Reader & Flash Player

2010-06-29T18:24:00.007-04:00

--
As promised, Adobe skipped their dopey 'quarterly' security update schedule and pushed out updates to Adobe Acrobat, Reader and Flash Player before the end of June. Gee thanks. Let's hope this incident puts the 'quarterly' security update stooopidity in the grave where it belongs.

Before I send you to the sources, I get to be a grumbling curmudgeon. Be warned that Adobe made the process of updating Adobe Acrobat, Reader and Flash Player yet-another PITA with a number of pages to click through to just download the things. So apparently, whoever made Adobe updating the most heinous process in the entire computer community, has not yet been fired from the company.
What A Shame.

For your pleasure, I have dug through the pages of Adobe bureaucratic garbage for you in order to provide direct download URLs:

Acrobat 9.3.3 Pro update

Adobe Reader 9.3.3 update for Intel Macs

Adobe Reader 9.3.3 update for PPC Macs

Adobe Flash Player 10.1.53.64

The simple URL for Flash Player is courtesy of my pals at VersionTracker.com

REMINDER: If you have installed the Mac OS X 10.6.4 update and/or Apple Security Update 2010-004, you have NOT NOT NOT updated to this CRITICAL latest version of Flash Player. Apple only included the old dangerous version. Thankfully, Apple's updater does not remove the newer version if you already installed it.

THEREFORE: If you haven't already, you must DIY install the Adobe Flash Player version 10.1.53.64. Apple won't do it for you. I don't know why! They just won't.
--

Apple's Flash Player Plug-in Update Blunderin the 10.6.4 Update

2010-06-17T22:24:00.008-04:00

--
According to MacFixIt.com, Apple made one big preventable blunder in the Mac OS X 10.6.4 update. They included the previous, exploited in-the-wild, version of the Adobe Flash plug-in, version 10.0.45.2. My guess is that this is the version they've been using in the beta of 10.6.4 and they neglected to swap in last week's security patched version 10.1.53.64. That's a very naughty oversight by Apple!

Therefore, if you have not done so already, go grab the very latest installer for the Adobe Flash Player, v10.1.53.64, and install it. Apple didn't give it to you! You can grab it HERE.

Thankfully, Apple's 10.6.4 update installer is smart enough not to remove the updated version of the Flash Player plug-in. Mine stayed intact.

Dear Apple. Considering the well deserved abuse Adobe have had to endure for their blundering crap programming, it would be advisable to avoid blunders of your own and keep up with Adobe's updates! Until this Flash plug-in version oversight happened, Adobe had no legitimate reason to criticize Apple. Now it looks like you're ignoring Adobe's meagre efforts to put things right again. That's not good. You've also needlessly endangered the security of your customers!

Meanwhile, keep an eye out for the Acrobat and Adobe Reader security patch updates that should be showing up any week now...
(o_0)
--

Apple Security Update 2010-004/ Mac OS X v10.6.4

2010-06-15T18:45:00.007-04:00

--
UPDATED 2010-06-17. Please read item #3 in the summary list below!
--
June 15th Apple kindly emailed me their list of security fixes in Security Update 2010-004, which in incorporated into the Mac OS X 10.6.4 update. Later in the day Apple posted the full report HERE.

Below is my summary of patches:

1) Three CUPS patches. (Cross-site request forgery; a cupsd bug; a web interface bug).

2) A Desktop Services patch. (Corrects a bug when applying permissions to enclosed items).

3) OOPS! Apple neglected to keep up with Adobe's Flash Player and instead installs the older hacked in-the-wild version! This is a very bad oversight by Apple! If you haven't already, you must DIY install the latest Flash Player update HERE. Be certain to do it NOW.

Thankfully Apple's update installer does not remove an updated version of the Flash Player plug-in. No damage done.

***(The dangerous version of the Adobe Flash Player plug-in is 10.0.45.2. The security patched version is 10.1.53.64. You can check the version at: /Library/Internet Plug-Ins/Flash Player.plugin).

4) A Folder Manager patch. (Repairs a symlink bug).

5) A Help Viewer patch. (Yet-another JavaScript security hole. I hate JavaScript).

6) An iChat patch. (AIM related. Repairs a file path handling bug).

7) An ImageIO patch. (A buffer overflow problem with TIFF files).

8) Three Kerberos patchs. (Buffer overflow; ticket handling bug; KDC request bug).

9) A libcurl patch. (Buffer overflow).

10) Two Network Authorization patches. (A NetAuthSysAgent patch for operation authorization privileges; format string bugs in afp, cifs and smb).

11) An Open Directory patch. (Man-in-the-middle attack via an unprotected server connection).

12) A Printer Setup patch. (Bug in handling a shared printing service).

13) A Printing patch. (Buffer overflow in the cgtexttops CUPS filter).

14) A Ruby patch. (WEBrick bug with a JavaScript security hole. Did I mention I hate JavaScript?)

15) An SMB File Server patch. (An Apple Samba symbolic links bug).

16) A SquirrelMail update. (Cross-site scripting insecurity, among several other problem).

17) A Wiki Server patch. (Cross-site scripting attack security hole).

∑ = 23 security patches.

As of this post, I have not yet installed 10.6.4. Keep an eye on MacFixIt for problem reports.

Before you update, remember to follow the routine: (1) Back up (2) Repair your boot volume, including disk permissions. (3) Download and install the 'Combo' version of the update for best results (4) After reboot, repair your disk permissions again. (Lately Apple have missed cleaning up a number of permissions errors after their updates. Adobe always leaves a permissions mess behind, which will be most certainly be the case with the Flash plug-in update).
--

Kewl Article @ MacWorld.com:'Quick tips to foil Mac break-in attempts'

2010-06-06T01:52:00.003-04:00

--
Dan Moren at MacWorld has posted a useful article about attempts to break into Mac accounts along with useful tips to stop their success:

Quick tips to foil Mac break-in attempts

No computer on the Internet is immune from attempts to break into accounts. In Dan's case, the attempts failed but managed to lock up his computer. I've had similar experiences with my own Internet server.
--

VLC Update!Version 1.0.6 Is Available

2010-06-05T11:23:00.004-04:00

--
[-->Please note that the link for VLC v1.0.6 was inexplicably taken down from the VLC Intel nightly builds site, leaving only the link for v1.1rc, the 64-Bit branch, which is buggy. The only linked version at the standard Mac download page is v1.0.5, which you do NOT want to use due to security flaws. I'm attempting to get the VLC gang to reinstate the v1.0.6 link. In the meantime, v1.1rc generally works fine except for a crash-at-Quit bug, which thankfully is entirely ignorable. :-Derek]
--
UPDATE!

Hey kids. I found that in April some terrific folks on the Mac side of the VLC project have gotten things going again and have provided an update past VLC v1.0.5. You can download the lastest version of VLC at the source page for VLC media player Mac OS X Intel nightly builds. (Sorry PPC users, you are SOL).

Be sure to read the notes at the top of the page very carefully! What you probably want is the latest version of the 1.0-branch-intel stable series. Ignore the gibberish numbers in the file names. When you see '107' in the name it does NOT mean 'version 1.0.7'. ATM the latest version is v1.0.6.

There is a new branch available at the site called '1.1'. It is currently in beta and has some bugs. Thankfully it brings back 64-Bit VLC to the Mac.

Thank you very much to the Mac crew at the VLC project for great, dedicated work! Keep in mind everyone that VLC is an Open Source project, which means all the work is being donated by the developers.
--