Tuesday, December 11, 2012

Java 1.7 Update 10 (AKA Java 7u10)
Is Available From Oracle

On November 29, 2012, Oracle released Java 7u10 (v1.7 Update 10) for Mac. I discovered it by accident. Apparently, inevitably, suitably, few Mac users now bother with Java.

Here is where you can get the latest version of Java 7:


Venture back through my previous posts for rants about how much Java sucks, how it's the most dangerous software you can install on your Mac, how a drive-by Java malware infection zombied ~600,000 Macs this past summer and how you should never run it except on specific trusted websites. If you don't need Java, either turn it OFF in your web browsers or uninstall it.


I) Release Notes

Oracle buried its 7u10 release notes under three layers of links. But I have spared you frustration and provided it here:


Mac Relevant Highlights:
This update release contains the following enhancements:
- Additional Certified System Configurations
- Security Feature Enhancements
. . .
For JDK 7u10 release, the following additional system configurations have been certified: 
Mac OS X 10.8
. . . 
The JDK 7u10 release includes the following enhancements: 
The ability to disable any Java application from running in the browser. This mode can be set in the Java Control Panel.... 
The ability to select the desired level of security for unsigned applets, Java Web Start applications, and embedded JavaFX applications that run in a browser. Four levels of security are supported. This feature can be set in the Java Control Panel or (on Microsoft Windows platform only) using a command-line install argument. 
New dialogs to warn you when the JRE is insecure (either expired or below the security baseline) and needs to be updated.
. . .
Known Issues. . . 
Area: deploy
Synopsis: System level disable switch does not work on Mac OS_X (10.8) platform. 
On some systems running Mac OS X Mountain Lion (version 10.8), applying system level switch from the Java Control Panel to enable or disable Java does not work even though the correct credentials have been provided. 
The workaround is to delete the file /Library/Application Support/Oracle/Java/Info.plist and then reinstall the JRE. . . 

II) Visible changes in this version:

The Java System Preferences pane is still Mac illiterate, opening its own separate 'Java Control Panel' application. What is Oracle's problem?! (0_o)

1) The 'General' tab now has an 'About...' button.

2) The 'Security' tab has a new GUI. Sadly, it is reminiscent of Windows. But at least it's simple. Here is a screenshot:

As you can see, I recommend setting the 'Security Level' on 'Very High'. 

Do NOT use the 'Medium (recommended)' setting unless your web browser is specifically at a trusted website. When you're done with that website, REMEMBER to set Security back to 'Very High' and just leave it there. I also recommend turning Java OFF in all your web browsers. This is the only way to stay verifiably safe from Java drive-by malware.

Stay safe!

Monday, December 10, 2012

Versus The Limits of Human Comprehension
Versus The Anti-Security Rats

This past week I listened to a US NPR (National Public Radio) program on the Diane Rehm Show entitled 'The Illusion of Online Security'. Despite the fact that the program featured terrific security expert Kevin Mitnick, among others, it was worthless garbage chatter. I personally sent off two simple and direct email questions to the program in order to get the discussion above the level of coffee talk, but both were ignored. I asked about multi-factor authentication, specifically the concept of using something we KNOW, such as a password, and something we HAVE, such as a Yubikey. But apparently, from what little was said about multi-factor authentication, the subject flew far over the heads of everyone in the discussion but Kevin. I felt sorry for Kevin, as he reiterated several times the key problems with today's Internet security, and not once did I have any sense he had penetrated the skulls of the others speaking. I wished I had been there to help Kevin speak to the issues on something closer to the level of their comprehension. But I realized they were simply not going to understand.

The concept of technology being beyond the comprehension of average people is very old. I remember the 1970 book 'Future Shock' by Alvin Toffler. It was a fanciful adventure in FUD, mixed with some bits of actual futurism, designed to sell books. It was also made into a TV special to add illustration to its sensation. One thing it did manage to portray well has been the inability of the human mind to comprehend the full complexity of our world. As we watch the ramifications of the damage our species wreaks upon our miracle planet, how can any of us comprehend a solution beyond our individual lives? It is too much for any one mind to grasp. Similarly, today's technology is well beyond the comprehension of most human beings. Understanding it all is simply NOT going to happen among the average populace. There is no solution any of us can comprehend beyond making certain we are safe and secure within our individual lives.

For those of us who can and wish to understand the issue of passwords on the Internet, I want to pass along a nicely concise article entitled "How Attackers Steal Passwords" by Joe Golton. It is well worth a good read to both yourself and anyone willing to listen. I'll be reading it to the local PC user group where I often teach.

I must add to Joe's list of 9 methods of stealing passwords Number 10: Illegal government surveillance in violation of your personal privacy rights. In the USA this pertains specifically to violation of the Fourth Amendment of the US Constitution. We might as well be realistic. Illegal US government surveillance of US citizens on US soil is a constant, ongoing event at this time. This isn't the place to discuss the politics of why. It is simply a fact we must consider. It is also one reason I will be discussing tools for encryption of personal data in future articles.

Related articles by Joe Golton are:

'A Guide to Using Passwords Without Distraction.'

'Which Password Manager?'


Wednesday, December 5, 2012

Mac Security Information Resource List

[Updated 2012-12-05 7:43 pm]
The purpose of this list is to point out Mac security information resources we can all use. I am adding the most directly useful of the Mac security web locations to my "Friends Of Mac-Security" list on the right of the blog page for your convenience. Please do NOT count on my blog as a summary of any of these resources. I have neither time nor ambition to meet that expectation. Instead, please visit all of these sites directly.

NOTE: Please add to my list via your comments. I will be updating this article with your suggestions, giving you credit for your contributions. They are always appreciated.

This list is in no order of priority. I'll leave that to you. But I will start with my net friend Thomas Reed, with whom I collaborate. Together, with a group of writers, developers and others who work with malware, we attempt to keep a complete list of active Mac malware which we present on our respective websites.

I) Thomas' Tech Corner

Thomas's terrifically useful website, like this blog, is entirely an act of altruism to the Mac community. He attempts to keep track of all the currently active Mac malware, as do I. We will be collaborating in the future to share our collected list of malware with you via both our websites. Thomas is also involved with anti-malware software analysis. I highly recommend his interesting article Mac anti-virus detection rates.
II) Brian Krebs: Krebs on Security

Brian wrote about computers for the Washington Post through 2009. We benefit from his, again altruistic, contributions to the computer security community via his terrific web blog. His work has been exemplary. He does not focus on Mac security. However, he's one of the very best independent resources on computer security issues, many of which are directly applicable to Mac users.

Brian also, like myself, has had a run-in with the Red Hacker Alliance as they used to be called. This Chinese hacker group is now simply called the Chinese government. Brian also points out that one of the former RHA members is now involved with, ironically and ominously, a Chinese 'anti'-malware company called 'Anvisoft'. Here's his article on the subject: Infamous Hacker Heading Chinese Antivirus Firm?

Rich is the Mac security expert at venerable TidBITS. His correspondence has personally helped me learn a great deal about Mac computer security. He's a terrific fellow and great resource. Rich is not the only contributor to his Securosis Blog. Nor is his blog specific only to Mac computers. Like Brian Krebs, Rich is extremely knowledgeable about the entire field of computer security and highly recommended for general knowledge.

Rich's Mac security specific articles typically turn up at the TidBITS website and in the weekly TidBITS newsletter, available for sign up HERE.

Rich is also a contributor to the Macworld Mac Security Superguide, available through TidBITS Publishing.

IV) MacWorld Security

I've been a paying subscriber to MacWorld magazine for nearly two decades (electronic version preferred). I very much enjoy other Mac magazines and websites. But I consistently come back to MacWorld as my best general Mac resource. Their writing is excellent. The magazine itself still lags a full month behind reality. But the website is terrifically up-to-date. Recently their website has gone through a hellish beta period of revision. However, it appears to have settled into usefulness again, including its Security website area. I would never count on MacWorld as any sort of definitive source of Mac security news. Much of it is second hand. None of it is provocative or particularly insightful. However, they keep track of the big issues and write about them effectively.

V) Topher Kessler at MacFixIt

Topher is another member of the Mac security interest group to which I belong. I used to be a paying member at MacFixIt and have been reading Topher's terrific articles for years. He frequently writes about Mac malware and Mac security strategies. I've found his insights to be extremely valuable.

VI) Intego's Mac Security Blog

I've had a very positive relationship with the folks at Intego. I still prefer their VirusBarrier X6 to the alternatives I've tested and continue to be a paying user. Their Mac Security Blog has been the best commercial source of Mac Security news I've found. Lately the blog has been expanding in some odd directions that have concerned me. You may find my comments there stating so. Nonetheless, their Mac security reports have consistently been on target, timely and insightful.

I continue to wish Intego would publish a list of known active Mac malware! They won't, sigh. No one will. It's the usual 'secret malware', 'go get your own' competition within the commercial anti-malware industry that irks me to no end. And yet, Intego have gone out of their way to help me whenever I've had specific malware questions. I am extremely grateful for their work within the Mac community and look forward to supporting them in the future.

VII) The NakedSecurity blog at Sophos

The Sophos blog covers a lot of computer security news and issues. As such, you're likely to find their articles to be slightly more obscure for the average Mac user. Nonetheless, I find their articles to be timely and interesting. They dive deep into what's going on in computer security today. For example, they're a great place to keep up with the latest DIY malware kits, aka Exploit Kits and Hacker Tools. All of this is increasingly relevant to Mac users as the cyber criminals in China, Russia, Iran and elsewhere become more Mac literate and more desperate to abuse both users and LUSERS alike.


That's it for my quick Mac Security Information Resource List. Here are links to additional resources I recommend for those who wish to know more about computer security:

Steve Gibson's 'Security Now' podcast @TwIT.TV
The Ed Bott Report
Jeremiah Grossman's Whitehat Security Blog
The Fishbowl: Dr. Charlie Miller's Weblog
Trail of Bits: Dino Dai Zovi's Blog
Adobe's PSIRT Blog

If you have other great computer security information resources, please post them in the comments!

Share and Enjoy,


Friday, November 30, 2012

Mac-Security Blog Status Report 2012-11

Apologies to regular readers of this blog. I've been extremely distracted by a multitude of personal stuff that has a higher priority. Therefore, I'm extremely behind keeping up with current Mac computer security.

I also have to admit to burnout from having to deal with the current state of computer security in general. The current state of overall computer security is: ABYSMAL.

Then add to that a consistent, dare I say totalitarian inspired, interest by our Corporate Oligarchy and the governments they puppet, as well as other lunatic organizations (such as the Communist party in China) to SURVEIL our every move on the Internet to our detriment and their deceitful gain. Not good. I'm no fan of FUD or paranoia. So when this rubbish thinking becomes justified, it's annoying.

When I started this blog back in 2007, the entire point was to create the first, one simple place to keep up with Mac computer security. I was hoping it would only be the first and there would be other, far more professional locations where all of us could keep up with Mac security. I've run into one other person with the same goal as myself. Just one! That is Thomas Reed of "Thomas' Tech Corner".

Thomas and I are part of a great group of writers, developers and tech fanatics who study, work with and chat about Mac computer security. Our group was started by ClamXav mastermind and altruistic developer Mark Allan. As a gestalt, we attempt to keep track of exactly what is going on with Mac security over time. We also work HARD to keep the ClamAV malware definitions up-to-date with all the Mac malware definitions, with only partial success.

I'm going to be collaborating with Thomas to create ongoing lists of active malware for Mac to share here and at Thomas's site.

But both of us are finding the task of creating a complete list to be EXTREMELY daunting. The reason why is complex. But the worst reason is specifically because ALL of the commercial anti-malware development companies treat malware as if it was their personal property, go get your own, we're not sharing. Therefore, it is IMPOSSIBLE to know all the current Mac malware. I find that to be idiotic, unprofessional and shocking. No surprise around here.

Here's a fun example:
I have in my possession one piece of malware that NO ONE has made public. It is not universally identified among the Mac anti-malware vendors. It is a root kit. Root kits are potentially the most dangerous form of malware for computers because they actively hide from any form of malware detection. Our group is still trying to make heads or tails of what's going on with this specific malware. I can tell you that it is detected by at least Intego's Virus Barrier X6 as 'Rubilyn.A' but is also known as 'Xorsysct!.A'. Why isn't this root kit public knowledge? Beats me! Intego has published nothing about it. I tested the malware in VBX6 and was happy to find it detected. But they have nothing to share in public about it? Why? I am hoping that has changed by the time you read this blog entry.

This is only one example of many of what I am calling the 'SECRET MALWARE' bull shit going on within the anti-malware industry.

Let's go mental: Is this part of our well-known governmental attempt to circumvent US Constitutional rights to privacy via undetectable root kit malware? How the hell would I know? But that's what this industrial secrecy stinks of in my humble uninformed opinion. At the very least, it's more of the same old UNprofessional behavior I've found consistent within the anti-malware business.

Therefore, I'm getting burned out.

As a result, my future posts may not be as thorough, as frequent, or effective as in the past. I can't pretend to be fulfilling the manifesto for my blog.

You've probably heard all this sort of burn out blether-fest in the past from other information sources. Just know that I constantly have Mac security going on around my head because I enjoy the subject. I am selectively deciding what small contributions I can make via this blog to Mac user's understanding of Mac security. I'm sticking around, but not as effectively as I would prefer.

Therefore, I'm going to be putting together a list of my favorite Mac security information sources, such as Thomas's website, for your benefit. They're where I first go to learn what's going on. Hopefully, they will help fill in your need for knowledge of Mac security while I decrease my involvement. Coming up next!

Thank you for your interest.

:-Derek Currie


Friday, October 19, 2012

Oracle Java For Mac FAIL x10,
Installing Oracle's Version Of Java

[Updated 2012-10-23 @6:30 pm]

I have installed Oracle's Java for Mac. I now hate Oracle, seriously hate Oracle.

What's ahead is a long, nasty soap opera of FAIL. Let me save you time and cut to the quick:

Disabling Oracle's Java:

If you've installed the current version of Oracle's Java for OS X, v1.2 update 9, there is only one way to turn it off in your system: REMOVE IT from your root level Internet Plugins directory. Here's how:

1) Shut down your web browsers.

2) Navigate to:
/Library/Internet Plug-ins/

3) Remove/move these two files:


I have set up a folder where I store them called 'Internet Plug-ins (disabled)'. You have to do the Admin authorization stuff to move these files around.

4) Start your web browser again and surf around, carefree, not worried that another Java sandbox security hole will get your Mac PWNed.

OR: You could turn Java off in all your web browsers.

Now leave Java off all the time unless you desperately need to use it, in which case, reverse the above process.

Here's a good ArsTechnica article about the current state of Java:

And now for:

The Long, Sad, Hatred-Of-Oracle Inspiring Story Of The Java For Mac FAIL:

A Frightening Cautionary Tale, Just In Time For Halloween:

[Please note that all the images in this article can be clicked to expand them to normal readable size.]

I had to visit my ISP's website last night in order to contact them regarding the catastrophic mess they had made of both my cable TV signal and my Internet bandwidth. Horror of horrors, their live online support interface requires Java. Here is what I saw when I tried to use their interface:

See that little button that says 'Get JRE Plugin'? This is the one Apple tells us to expect after we have uninstalled Java from our OS X 10.7 and 10.8 systems. If we wish to proceed and install Java, we click the button and are sent to the Oracle Java website to download the OS X Java installer.

Except THE BUTTON DOESN'T DO ANYTHING. I clicked away in Safari and nothing happened at all, ever. It doesn't work. It's inert. That's FAIL #1.

So I went over to Oracle's Java website all on my own, dug around for the version of Java they offer for OS X, and went into shock when I discovered that it was Java 1.7 update 6, an old crusty entirely UNSAFE, yer gonna get your Mac PWNed version. That's FAIL #2.

[NOTE, October 23rd Addendum: Immediately after I first posted this article, Oracle saw fit to remove the olde Java 1.7 update 6 installer and instead directly provide Java 1.7 update 9. Thank you to reader Franklin for bringing this to my attention. This negates 'FAIL #2'. However, if you scroll down to the Comments, you'll see that Oracle STILL has a bad web page, apparently from 1998 (!), that states Apple is going to provide a Java plug-in. I ran into this page using an ordinary, logical Google search of "oracle java for mac download". This bogus Oracle page was the #1 link result. Read it and weep:
Java Plug-In Mac Download Page 
What the?! I cannot comprehend how a company can be so incredibly careless. This ridiculously olde, decrepit page at Oracle constitutes the new FAIL #2. Therefore, I have not changed the title of this article. Hopefully Oracle will respond by pointing victims of this idiocy to the Java.com website where Oracle does indeed provide the latest version of Java's plug-in for Mac.]

But I downloaded and installed it anyway, hoping it would upgrade itself. I ran the installer. The first pane of the installer proclaims the following propaganda:

'Java provides safe and secure access to the world of amazing Java content.' blahblahblah.
Right. That's why Apple dumped Java and we had NO 'safe and secure' version of Java for the entirety of the summer of 2012 on into mid-October. Nice try Oracle. That's FAIL #3.

After the Java installation, thankfully it alerted me to download the latest updated version. Kewlness:

After the update installed, I tried to figure out how to set the Java preferences. There is NO 'Java Preferences' app in Utilities any more. Instead, Oracle installs a System Preferences pane in the root Library folder. I'd read about that being the case, so fine. This is what I saw when I opened the Java preferences pane:

'The Java Control Panel opens in a separate window.'
WHAT? Oracle were too lazy to write an actual preference pane? They think Macs still have 'control panels'? That's FAIL #4.

So, I waited around for the 'control panel' to decide to open, tickticktick, yawn, what's on TV, and then it shows up:

Fine, a common tabbed window for Mac. I started searching around for how to turn Java on and off, similar to what Apple's now defunct 'Java Preferences' app used to do. I discovered what I wanted is under the ridiculously named 'Java' tab. What? Everything here is Java! Huh? That's FAIL #5.

The 'Java' (duh!) tab comes up and it looks like this:

Oh look, an award worthy user interface that does nothing-at-all but make you dig even deeper to actually get anywhere. That's FAIL #6.

I am forced to hit the 'View...' button in order to get past the bureaucracy. This is what appears:

Hey! A checkbox to uncheck! Yeah!

Except the checkbox is inert. Remember the earlier inert 'Get JRE Plugin' button! Winner programming here! And guess what! The corresponding checkboxes for BOTH 'User' and 'System' don't work! That's FAIL #7 and FAIL #8.

That's 8 Oracle Java FAILs. Eight. Not ready for prime time crapware: That's what this garbage is. That's why I now hate, seriously hate, Oracle. What incredibly lazy, careless, obtuse, inept, dumbass programmers from hell.

-> So what do you do when you want to turn Java OFF?!
See the start of this article for instructions.

To hell with Oracle. To hell with Java.

But we're not finished! Where are the more detailed security settings? Under the 'Security' tab? No! What you'll find there are settings for certificates. You want to go under the 'Advanced' tab, then scroll down to 'Security'. That's FAIL #9.

But first, look just above 'Security' and do this:

* Under 'Application Installation' you must choose 'Never install'.

Why? Because this specific setting stops DEAD the ability of drive-by malware to install itself onto your Mac via sandbox-broken Java. Could this cause a problem? Maybe. You might well find yourself scrambling to change this setting to 'Install if hinted' instead, but only on a website you TRUST. Otherwise, leave this set to 'Never install'. Please.

Now we at last get to the 'Security' settings. I suggest the following, with my added notes in brackets:

√ Allow user to grant permissions to signed content
- Allow user to grant permissions to content from an untrusted authority
√ Use certificates and keys in browser keystore
√ Don't prompt for client certificate selection when no certificates or only one exists
√ Warn if site certificate does not match hostname
- Show site certificate from server even if it is valid [Turning this on is fine]
√ Show sandbox warning banner
√ Allow user to accept JNLP Security requests
√ Check certificates for revocation using Certificate Revocation Lists (CRLs) [Shame on Oracle for not having this turned on by default! Dunderheads!]
√ Enable online certificate validation
√ Enable list of trusted publishers
√ Enable blacklist revocation check [of course!]
- Enable caching password for authentication [risky, not advisable]
√ Use SSL 3.0
√ Use TLS 1.2 [Yes, 1.2, not earlier. Again, shame on Oracle for not making this the default! Dummies!]
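Added example, not code from this post or from Oracle: a small Python audit that reads a Java 7 deployment.properties file (the file behind the Java Control Panel) and reports every setting that departs from the choices above, plus the 'Very High' security level and the 7u10 browser-disable switch from the later post. The property names are assumed from Oracle's deployment configuration documentation, the checklist covers a subset of the list, and both sample files are constructed.

```python
"""Audit a Java 7 deployment.properties file against the hardening choices
made in this post: Security Level 'Very High', Java content in the browser
off, no grants to untrusted authorities, CRL/OCSP/blacklist revocation
checks on, no password caching, TLS 1.2 on."""

# Control Panel checkbox -> deployment.properties key and recommended value.
# Key names are ASSUMED from Oracle's deployment configuration documentation;
# the post itself only names the Control Panel labels.
CHECKLIST = {
    "deployment.security.level": "VERY_HIGH",              # 'Security Level' (7u10)
    "deployment.webjava.enabled": "false",                 # Java in the browser (7u10)
    "deployment.security.askgrantdialog.notinca": "false", # grants to untrusted authority
    "deployment.security.validation.crl": "true",          # check CRLs
    "deployment.security.validation.ocsp": "true",         # online certificate validation
    "deployment.security.blacklist.check": "true",         # blacklist revocation check
    "deployment.security.password.cache": "false",         # caching password for auth
    "deployment.security.TLSv1.2": "true",                 # use TLS 1.2
}


def _unescape(s):
    """Resolve the backslash escapes java.util.Properties allows in keys/values."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            nxt = s[i + 1]
            out.append({"t": "\t", "n": "\n", "r": "\r", "f": "\f"}.get(nxt, nxt))
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def _split_key_value(line):
    """Split a logical properties line at the first unescaped '=', ':' or blank."""
    i, n = 0, len(line)
    while i < n:
        if line[i] == "\\":
            i += 2          # skip an escaped character inside the key
            continue
        if line[i] in "=: \t":
            break
        i += 1
    key, rest = line[:i], line[i:].lstrip(" \t")
    if rest[:1] in ("=", ":"):
        rest = rest[1:].lstrip(" \t")
    return _unescape(key), _unescape(rest)


def parse_properties(text):
    """Minimal java.util.Properties reader: '#'/'!' comment lines, the three
    key/value separators, and backslash line continuation."""
    props, pending = {}, None
    for raw in text.splitlines():
        line = raw.lstrip(" \t")
        if pending is not None:
            line = pending + line     # continuation: leading blanks are dropped
            pending = None
        elif not line or line[0] in "#!":
            continue
        trailing = len(line) - len(line.rstrip("\\"))
        if trailing % 2 == 1:         # odd run of backslashes: line continues
            pending = line[:-1]
            continue
        key, value = _split_key_value(line)
        props[key] = value
    return props


def is_locked(props, key):
    """A '<key>.locked' entry in the system-level file pins the setting so the
    per-user Control Panel cannot change it."""
    return key + ".locked" in props


def audit_java_deployment(text):
    """Return (key, actual, expected, locked) for every checklist item that is
    unset or differs from the recommendation. Unset keys fall back to Oracle's
    defaults, which the post notes are weak for CRL checking and TLS 1.2."""
    props = parse_properties(text)
    findings = []
    for key, expected in CHECKLIST.items():
        actual = props.get(key)
        if actual is None or actual.strip().upper() != expected.upper():
            findings.append((key, actual, expected, is_locked(props, key)))
    return findings


# Constructed sample (not a real capture): a Mac left on 'Medium (recommended)'
# with the security level locked by an admin and Oracle's defaults elsewhere.
SAMPLE_WEAK = """\
#deployment.properties
#Tue Dec 11 2012
deployment.version=7.10
deployment.security.level=MEDIUM
deployment.security.level.locked
deployment.webjava.enabled=true
deployment.security.validation.crl=false
deployment.security.password.cache=true
deployment.security.TLSv1.2:true
deployment.user.cachedir=/Users/example/Library/Application Support/\\
    Oracle/Java/Deployment/cache
"""

# Constructed sample with every checklist item set as the post recommends.
SAMPLE_HARDENED = "\n".join(f"{k}={v}" for k, v in CHECKLIST.items()) + "\n"

if __name__ == "__main__":
    for key, actual, expected, locked in audit_java_deployment(SAMPLE_WEAK):
        state = "unset (default applies)" if actual is None else repr(actual)
        print(f"{key}: {state}, want {expected}{' [locked]' if locked else ''}")
```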

And now for our final FAIL. This one's worth a good laugh. Under 'Miscellaneous' it offers the checkbox "Place Java icon in system tray". It doesn't matter if you check it on or check it off. It doesn't do anything. It doesn't put a Java icon in your menu bar or anywhere else. It's total crap. Only Windows has a 'system tray'. So what's a Windows setting doing here on a Mac? It's just an excuse for Oracle to hand us an even 10 FAILs. 10 fingers, 10 toes, 10 FAILs. Whatever. Thanks for being so attentive to the OS X platform Oracle. I hate you.

[NOTE, October 23 Addendum: Reader Franklin kindly pointed out that the 'system tray' checkbox DOES do something. It puts a Java icon at the far right of the menu bar whenever Java is actually running on your Mac. Thus my hatred of, and low opinion of, Oracle is slightly abated. However, lazily mis-naming the Mac menu bar, which was established by Apple over 10 years before the Windows 'system tray', still constitutes a remarkable FAIL by Oracle's programmers. Therefore, I continue to call this FAIL #10 and have not changed the title of the article.

Please get with it and catch up Oracle. It's the "menu bar" and it is as old as the very first Macintosh computer, IOW 1984. Then add to that the fact that the "menu bar" also existed on the Apple LISA (1983).


The menu bar is an Apple innovation and improvement upon the Xerox Star OS, which instead put the menu bar at the top of individual windows, as found in today's Microsoft Windows OS.]

Warning: Phishing Rats Want Your Apple ID

Today an article came to my attention that is of extreme relevance. It's about an ongoing Phishing Rat campaign using social engineering to steal Apple IDs. After all the intermittent reports I've heard about Apple IDs being stolen, including within my family (ahem), this appears to be the prime source of the problem:

The Websense® ThreatSeeker® Network has detected a phishing campaign whose potential victims are holders of an Apple ID account. . . . The phishing campaign begins with an email message like this one, informing the recipient of a "suspended" Apple ID...

Please read the article. Clearly this phishing campaign is a prime source of LUSER behavior leading to robbery of Apple accounts and everything that goes with them.

IF you receive one of these Apple ID 'suspended' phishing emails, please report it to:


When you report phishing email, please be sure to include the entire email, including full headers, in your report to Apple. Reporting phishing email to the scammed company source is the best way to stop dead any phishing campaign. The entire Apple user community will appreciate your rat extermination assistance.

It is also useful to report phishing email as spam to your ISP or one of the spam blacklist websites, such as SpamCop.

Wednesday, October 17, 2012

Java Security Update!
Apple's JRE 1.6 update 37 Is Available Today

[Updated 2012-10-17 @3:26 pm ET]

Be sure to update today to Apple's JRE (Java Runtime Engine) version 1.6 update 37. It restores Java for Mac back to secure usability, for the moment anyway. The update is available for OS X 10.6, 10.7 and 10.8.

This installer is DIFFERENT in that it REMOVES the Java plugin from Mac OS X. After the installation you will NOT be able to run Java in any OS X web browsers. Instead, when Java is required at a website, you will be offered the opportunity to download Oracle's version of the plugin. Here are Apple's provided notes about the installer:

Java for OS X 2012-006 delivers improved security, reliability, and compatibility by updating Java SE 6 to 1.6.0_37.
This update uninstalls the Apple-provided Java applet plug-in from all web browsers. To use applets on a web page, click on the region labeled "Missing plug-in" to go download the latest version of the Java applet plug-in from Oracle.

Apple's 'About' pages regarding the Java updates for OS X 10.7 and 10.8 (but not 10.6) further point out that:

This update also removes the Java Preferences application, which is no longer required to configure applet settings.

You can check out a detailed analysis of the update by my colleague Topher Kessler at MacFixIt here:

Java Preferences missing after latest OS X Java update
While the Preferences utility is missing, this may be a simple oversight on Apple's part.

Cross your fingers and toes that the sandboxing in Java will stay fixed for the long term future and we won't have to worry about our Macs being PWNed simply because Java is running in our web browser.

If/when new Java security holes are discovered, I'll be posting here.

Friday, October 12, 2012

Danger! Security Hole In Firefox 16.0.0,
Get 16.0.1 Update Now!
(And assorted other stuff)

Hi Kids!

A quick note: Mozilla rapidly discovered a security hole in Firefox (and Thunderbird) version 16.0.0 on all platforms, including Android. Therefore, either download the latest update (currently 16.0.1) or allow Firefox (and Thunderbird) to update themselves immediately the next time you use them. You can read about the situation here:



1) Java Update WHEN?! 

It appears that Oracle are (irresponsibly, IMHO) going to wait until their scheduled Tuesday, October 16th date for updating Java to something safe. So watch for it that day specifically from Oracle. If you don't want or need to deal with the hassle of Oracle's clunky version, hang on until Apple provide their more OS X friendly version via Software Update / The App Store. Or better yet, write off Java as dangerous crapware and never use it again! We wish. Hopefully the current danger will end and we can all go back to simply swearing at Java for being so slow.

2) This is the weekend I am going to finish off my 2012 malware review. I'll start the list again from scratch for the sake of simplicity. We also have another couple new minor malware to add to the list. Also, I'm going to consign some further oldie stuff to the 'inert' bin, as you'll see. Thank you for waiting!

3) If you are not doing so already, go visit MacHeist.com and have some fun. MacHeist 4 is the BIGGEST and most fun Heist EVER. The free mission prizes are très kewl. As of today we are starting on 'nanoMission 4'. So catch up and get some discount coins for The Big Heist coming up! MacHeist is seriously one of the most unique, fun and charitable events of the Mac platform. The missions have been astoundingly well designed with everything having a jaunty, puzzling and mysterious steampunk theme. There is nothing equivalent or as kewl on those other computer platforms! And it's all free! ...That is, until we get to the Big Final Heist. You shall crave to ogle the digital devices concealed within the confines of the culminating, capacious cyclopean vault...!

Share and Enjoy,


Wednesday, September 26, 2012

Java: Unsafe At Any Version:
Sandboxing is essentially gone

According to the latest testing, there is no safe version of Java available. This affects Java versions 5, 6 and 7 in entirety. The latest version of Java from Apple, v1.6 update 35, is included.

The problem: Sandboxing in Java is no longer reliable. Methods of bypassing the sandbox are being consistently discovered. As a result, website malware applets are able to break through into victims' computers and zombie/bot/PWN them with the user's privileges. If the user is running as Administrator, the machine is entirely controlled.

Conclusion: Turn Java OFF when surfing the web.

I've covered how to turn Java off on OS X in previous posts. You can either:

1) Use the Java Preferences app in your Utilities folder, which is what I recommend.


2) Turn Java off within each individual web browser, which is better than nothing, but prone to user failure.

Only turn Java on when you have already gone to a trusted website that REQUIRES Java. Turn it off again BEFORE you leave that website.

Another approach is to use one specific browser, with Java turned on, for browsing ONLY trusted websites that require Java. Quit the browser before you leave those websites.


All of the recent Java sandbox vulnerabilities are being reported by a Polish software security firm named Security Explorations. Yesterday's Java vulnerability was announced at SecLists.org. They provide a timeline of their vulnerability announcements HERE.


Below is a set of links to various articles describing the situation. This issue is best discussed via an interview with Security Explorations CEO Adam Gowdiak in an article by Darlene Storm of Computerworld, which I placed at the top of the list:


Oracle will begin this year's JavaOne 2012 conference on September 30th. That would be the soonest we would see another Java update. The next 'scheduled' update for Java is October 16th. Presumably Apple is poised to release the OS X rendition of that update soon thereafter. (Apple and Oracle have made the OS X JRE, Java Runtime Environment, an open source project.)


If all of Security Explorations' reports are correct, I consider sandboxing in Java to be fundamentally broken and unreliable. That this has been the case way back to Java 1.5.x (aka 'Java 5') is a stunner. I haven't kept up with changes in Java over the past several years, as I had given up on it as a superior programming language. Clearly, Java has fallen down on its fundamental security goals. I'm not sure it is ever going to get back up. Oracle has proven that they don't have the interest or stamina to provide Java with the serious attention it requires. As I've pointed out frequently, when a company creates a standard periodic security update schedule, you know they're not being realistic. This has been the case with Microsoft and Adobe for years and is repeating itself with Oracle.

I'm not ringing a death knell, but the situation does indicate that there must be a fundamental rewrite of the JRE foundation code for sandboxing. It's not working. It's time for Java 2.0.

Wednesday, September 5, 2012

Apple Releases Patched Java 6, v1.6 Update 35

For the moment, Java is 'safe' again. Apple has provided Mac users with the latest patched version of Java 6, which apparently does not include any of the drive-by infection security holes found in abundance in recent versions of Java 7 as well as older versions of Java 6.

There are two different Java updates:

I) For OS X 10.6 Snow Leopard you'll want to install 'Java for Mac OS X 10.6 Update 10'. You can read about it and download it HERE.
This update configures web browsers to not automatically run Java applets. Java applets may be re-enabled by clicking the region labeled "Inactive plug-in" on a web page. If no applets have been run for an extended period of time, the Java web plug-in will deactivate. 
Please quit any web browsers and Java applications before installing this update.
II) For OS X 10.7 Lion and 10.8 Mountain Lion you'll want to install 'Java for OS X 2012-05'. You can read about it and download it HERE.
This update configures the Java plug-in to deactivate when no applets are run for an extended period of time. If the prior update named "Java for OS X 2012-004" was not installed, this update will disable the Java web plug-in immediately. Java applets may be re-enabled by clicking the region labeled "Inactive plug-in" on a web page.
Please quit any web browsers and Java applications before installing this update.
Again Note: There is NO safe version of Java 7 (v1.7) available for OS X at this time. If you have installed it, you might as well uninstall it and instead install the appropriate Java 6 update from above.

I've noted a lot of confusion on the net about the Java drive-by infection problems. They do NOT affect your use of software on your Mac as long as that software is not accessing the Internet. The only way you can become infected is by browsing the Internet with the Java plug-in activated. To entirely avoid this situation, simply turn Java OFF using the Java Preferences app found inside your Utilities folder. I have covered this subject previously.

If you have Java installed and you must use Java somewhere on the Internet, here is the best strategy:

1) Be sure Java is ON in the Java Preferences app, found inside your Utilities folder.

2) Be sure Java is OFF inside your web browser's preferences for normal web surfing.

3) Visit the website where you must use Java.

4) Turn Java ON using your browser's preferences.

5) Reload the web page and go to work.

6) When you have finished working with that website, turn Java OFF again using the browser's preferences.

I note that Apple discuss how installation of today's Java updates automatically turns Java off. Apple recommend "clicking the region labeled 'Inactive plug-in' on a web page" when you need to run Java on that website.

I do NOT like Apple's idea at all as it leaves Java running when we leave that website and surf elsewhere. We do NOT want to go wandering around the web with Java enabled, specifically due to the possibility of yet-another Java drive-by infection security hole being discovered and exploited. My method above is a bit more annoying, but it is SAFE, unlike Apple's potentially dangerous method.

If at some point Apple automatically disable Java every time we leave a website, then we will be safe. Until that time, we're going to have to re-disable Java ourselves.

Just to be clear: No, Apple is not saying they are disabling Java on every new web page. All Apple is doing is deactivating Java "if no applets have been run for an extended period of time." That is all. That is NOT good enough. Please take this warning seriously.

At least we can now go back to using Java. But Java's reputation has become so incredibly poor, thanks to crapcoding at the Java project, that it is well worth remaining wary of using it on the Internet. Using Java while not on the Internet should be fine at this time. There are currently no Trojan horses for OS X that exploit Java security holes.

I hope this helps. If there are questions, please comment below or check out the links I provided in my previous article about this ongoing problem.

Saturday, September 1, 2012

'Legal' Spyware Abuse In World Dictatorships.
And Elsewhere? ->The FinFisher Spyware


While I catch my breath from the Java scandals and we wait for me to finish my yearly Mac malware review...

This was too good to pass up:

Google engineer finds British spyware on PCs and smartphones
FinSpy turning up in dictatorships across the world
By Iain Thomson in San Francisco • 31st August 2012 23:30 GMT • The Register
Two security researchers have found new evidence that legitimate spyware sold by British firm Gamma International appears to be being used by some of the most repressive regimes in the world. 
Google security engineer Morgan Marquis-Boire and Berkeley student Bill Marczak were investigating spyware found in email attachments to several Bahraini activists. In their analysis they identified the spyware infecting not only PCs but a broad range of smartphones, including iOS, Android, RIM, Symbian, and Windows Phone 7 handsets...
Parallel research by computer investigators at Rapid7 found command and control software servers for the FinSpy code running in Indonesia, Australia, Qatar, Ethiopia, the Czech Republic, Estonia, Mongolia, Latvia, and the United Arab Emirates, with another server in the US running on Amazon's EC2 cloud systems. Less than 24 hours after the research was published, the team noted that several of these servers were shut down.
The gritty code details can be found here:

August 29, 2012 • The Citizen Lab
It was developed for Arm7, built against iOS SDK 5.1 on OSX 10.7.3 and it appears that it will run on iPhone 4, 4S, iPad 1, 2, 3, and iPod touch 3, 4 on iOS 4.0 and up... 
This application appears to provide functionality for call logging...
And here:

Analysis of the FinFisher Lawful Interception Malware
Posted by Claudio Guarnieri, Aug 8, 2012 6:31:35 AM • Security Street, RAPID7
It's all over the news once again: lawful interception malware discovered in the wild being used by government organizations for intelligence and surveillance activities. We saw it last year when the Chaos Computer Club unveiled a trojan being used by the federal government in Germany, WikiLeaks released a collection of related documents in the Spy Files, we read about an alleged offer from Gamma Group to provide the toolkit FinFisher to the Egyptian government, and we are reading once again now with the same one being delivered to human rights activists in Bahrain along with some spearphishing attacks. 
We all are very aware of a rising market of Western companies developing and selling malware for the use of government organizations all around the world, but whenever one of these products is found in other geographical areas, the potential political and ethical implications tend to generate interest...
Uh oh.

The method of infecting devices/computers with this 'legal' spyware is not clear. Theoretically, it has to be physically installed onto the devices, either by hand or over a network by someone with administrative access. But it has been used via a Trojan horse.

We've seen FinFisher before on the OS X platform. In the past, FinFisher infected OS X machines via a security hole in the iTunes updater that allowed FinFisher to disguise itself as a Trojan horse iTunes Update. That security hole existed for YEARS in iTunes before Apple patched it at the end of 2011. Not Apple's finest security hour.

I've written about 'legal' spyware previously. The one application dedicated to detecting and removing spyware on the Mac platform is MacScan. Unfortunately, MacScan does NOT, at this point in time, detect FinFisher. I suspect this will be corrected ASAP, because I will be pestering them. ;-) The MacScan/SecureMac folks have a spyware list and discussion available HERE. I'm no big fan of MacScan, as it requires repeated scans in order to catch everything on your system. But for detecting spyware, this is THE application. They provide a free demo version. The program is easy to use.

Some other anti-malware apps are also capable of finding and removing spyware. Check the developer's website for details. I know that Intego's OS X and iOS anti-malware apps scan for and remove related spyware. Because of this iOS spyware revelation, I'm going to begin testing Intego's VirusBarrier iOS for review. Apparently, Intego's VirusBarrier for iOS has not yet been optimized to detect actual spyware FOR iOS. I'll be chatting with Intego about this situation, now that we know about the abuse of the FinFisher spyware.

No doubt there will be further revelations about the abuse of FinFisher and other 'legal' spyware applications. I'll post when something directly relevant to all OS X and iOS users appears.

C U soon with the other half of my 2012 malware summary. Fur shur. No doubt. Not kidding. Count on it. Be seeing you.


Monday, August 27, 2012

Don't Use Current Java!
New Zero-Day Java Exploits
Are In-The-Wild


[UPDATE #3 ! - 2012-09-01]

Yes, the newly patched version of Java '7', v1.7 Update 7, has yet-another zero-day security hole!!!

This is unbelievable. 

Some people out there are:

1) Out to kill Java via malware.
2) Out to kill Java via crap coding.

Take your pick.

Read it and weep for poor, insecure, creaky old Java, the programming language that couldn't catch a break.

Security Explorations, the Polish security startup that discovered the Java SE 7 vulnerabilities that have been the targets of recent web-based exploits, has spotted a new flaw that affects the patched version of Java released this Thursday....
Security Explorations founder and CEO Adam Gowdiak was able to confirm that the defect does affect Java SE 7 Update 7, which Oracle released this week as a rare out-of-band patch.... 
As in the case of the earlier vulnerabilities, Gowdiak says, this flaw allows an attacker to bypass the Java security sandbox completely, making it possible to install malware or execute malicious code on affected systems. 
Unlike the earlier vulnerabilities, no known exploit of the new flaw has yet been found in the wild, but Gowdiak says he included proof-of-concept code with the report to demonstrate that an exploit is indeed possible....
For the time being, given the apparent similarity of this flaw to the ones previously reported, users are advised to either disable Java in their browsers or uninstall it completely to avoid falling prey to any future exploits. 
Bolding and italics are mine, added for emphasis.

You know the drill: turn Java OFF, or never install it in the first place.

If you MUST use Java, at this point the only safe version is the last one provided via Apple for OS X 10.7 and 10.8, version 1.6.0 33-b03-424. Otherwise, forget about using Java on the Internet until further notice.

After reviewing the current data, including CVE-2012-4681, I know of NO safe version of Java "6" or Java "7" available. That INCLUDES Apple's last Java update, v1.6 Update 33! Maybe Java 6 Update 35, recently provided by Oracle, is safe. But that is not-at-all clear. We're going to have to wait for more details about this latest zero-day discovery. Most certainly, there is no safe version of Java "7" at this time.

When more of this saga is revealed, I promise to break it out into a separate article.

Hey Oracle: Can we have a rest now? Please?


[UPDATE #2 ! - 2012-08-31]

Oracle has released a newer version of Java for OS X than the nasty, security-hole-riddled version noted below. This update theoretically patches the current zero-day exploits. Note that this is NOT an Apple update to Java. Apple is no longer supporting or installing Java. Oracle is now the sole source.

Bad Java = Java "7", version 1.7 Update 6.
New Java = Java "7", version 1.7 Update 7.

NOTE: Nothing indicates that New Java Update 7 is going to be any more secure than Bad Java Update 6, which was even less secure than Bad Java Update 5.

Just Say No To Java.

IMHO Oracle has turned the Java project into a dangerous mess. We can no longer expect any future version of Java to be secure. That dream era is over. You have been warned.

If you just gotta install the latest Oracle version of Java for OS X, you will find it here:

Download Java for Mac OS X


[UPDATE #1 ! - 2012-08-29]

A second zero-day security hole has been discovered in the current version of Java! Read all about it:

Second Java zero-day exploit uncovered

“The beauty of this bug class is that it provides 100 percent reliability and is multiplatform,” Esteban Guillardoy, a developer at Immunity, said Tuesday in announcing the discovery of the second bug. “Hence this will shortly become the penetration test Swiss knife for the next couple of years.” 
Users of Java, which is installed in billions of devices worldwide, are notorious for not staying up to date with patches. Rapid7 estimates that 65 percent of the installations today are unpatched. However, this time around, people with the latest version of Java were the ones most open to attack.

Turn Java OFF on your Macs. Just leave it that way until or unless it's absolutely required. That is the future of Java on ALL computer platforms, not just Macs. Java used to be heralded as 'secure!' So long to that vacuous dream.

I suspect there are more Java fun and games yet to come. I'll post as I learn about them.


Extra! Extra!

Hopefully you've figured out that Java is now just another source of 3rd party security holes. Java is NOT secure. Java is now the single most dangerous 3rd party software you can run on your Mac. So Don't Use Java!

The latest, current version of Java, on any platform, has a new zero-day exploit that is already being exploited in the wild. Turn Java OFF!

Here is Intego's coverage of the story, as of today:

The exploit in all major browsers and appears to work on some versions of Linux, OS X 10.7 and higher, as well as Windows, if you're using the latest version of Java.... At this time there is no patch available for this exploit, so it's highly recommended that you disable Java until this vulnerability has been fixed.

If/when this exploit is discovered to be used against Macs, I will post here. For now, don't take any chances: Leave Java disabled!

As a reminder: If you ever chose to install Java at all, you can TURN OFF Java on the Internet using the Java Preferences app you'll find in your Utilities folder. An illustration is below. If you are running OS X 10.8+, you may find Java has already been turned off for you. This is now a function of OS X whereby it automatically turns off the Java plug-in if you have not used it recently.

Of course, some websites demand the use of Java. In those cases only, go into the Java Preferences and turn it on, then reload the page requiring Java. I highly recommend leaving the Java Preferences app open and running until you decide to leave that website in order to remind you to turn Java OFF again!

Stay safe! And be sure your backups, both on and off site, are up-to-date.


Saturday, August 25, 2012

Mac Malware Roundup: 2012-08-24
Part I


Mac users have had the busiest and most detrimental year of malware in the platform's history, and there are still four more months to go. The usual FUD explanation for the influx is 'Security Through Obscurity', that bogus doomsaying slogan first perpetrated against Macs back in 2005 by Symantec. No. Sorry! Even if you count up all the currently active Mac malware, which I estimate to be at worst about 87 (depending upon which version of OS X you're using), that number is a few orders of magnitude lower than the number of active malware for Windows on a per-user basis. IOW: The 'Security Through Obscurity' FUD remains unviable. (If you want the raw numbers and math, by all means ask me. You'll also find my methodology explained in previous posts on the subject.)

So why has there been an increase in Mac malware this year? Much of it is coming out of Russia, presumably the Russian Mafia. Apple is now the most successful computer and electronics company both on the planet and in history. That gives Apple prestige and visibility. Much of the Windows-victim world has noticed and bought themselves Apple hardware and software. Therefore, malware rats have taken an interest in figuring out how to infect Macs alongside Windows boxes. For the most part, their efforts have been blundering and inconsequential.

But then this happened:

One piece of malware, a version from the Flashback bot malware series from March, was surreptitiously planted on several websites across the world and was able to install itself (via a 'Drive-By' infection enabled by Java) onto an estimated 600,000 Macs. That Is Scandalous! It was certainly the fault of the Java open source/Oracle project for creating the security hole. But the biggest blame goes to Apple and their idealistic assumption that Oracle was going to assist them in keeping the Mac Java RTM (runtime machine) up-to-date. It didn't happen. The well known, already exploited in-the-wild Java security hole sat wide open for more than two months before Apple got around to patching it. Even then, Apple blundered around with the patch process, leaving OS X 10.4 and older users out-in-the-cold. The 10.5 removal tool Apple provided was flaky at best and didn't provide any future protection. That's Apple security at its absolute WORST. Incredi-FAIL!

Has Microsoft done worse? Damned right! And frequently! So don't hold them in any esteem. But this is the very first time Apple has dropped the security ball on a monumental scale. The last count I could find estimated that at least 40,000 Macs remained infected with that version of Flashback, despite Apple's efforts. Within the history of the Mac community, that's unprecedented. 

Despite this catastrophe, Apple has continued its consistent improvement of OS X security in its release of OS X 10.8 Mountain Lion. Its Gatekeeper security certificate technology is able to, theoretically, stop all future Trojan horse malware infection. Apple has improved and tightened up its ASLR technology (address space layout randomization). Apple, at long bloody last, provides WPA2 encrypted Internet sharing. BSD UNIX, which is the source core of OS X, remains the single most secure OS on the planet. Meanwhile, Apple has made efforts to keep security-hole-ridden third party software off OS X. This includes Apple never including Adobe's infamously insecure software with its installations. Instead, Apple offers their PDF enabled Preview software to replace Adobe Reader. Apple provide their HTML5 enabled Safari web browser to help replace Adobe Flash. Thanks to the Java/Flashback malware infection fiasco, Apple now also turns off Java on a periodic basis, if you choose to install Java at all. Add to that Apple's insistence upon all software provided at the Apple Mac App Store using sandboxing, whereby apps have limited API access and capabilities.

What nasties still remain at large, enabling malware rats to infect and PWN Macs?

1) ECMAScript, aka 'JavaScript' and 'JScript' and 'ActiveScript'.
2) Bad PHP web programming.
3) Inherent SQL database security holes.
4) Inherently poor memory management (buffer overflows...) in nearly all our current, antiquated programming languages.
5) The LUSER Factor, aka LUSER Syndrome.
6) Human coding errors.
7) Deliberate software backdoors.
8) Government and company mandated user surveillance, frequently aka privacy infringement and spying.
9) The unexpected...

IOW: Don't expect any human written or accessible operating system to be totally, reliably secure. Not gonna happen. Security is going to remain a constant concern to all computer users.


You can read through my previous list of Mac malware, posted 2011-07, HERE:

A quick summary list:

1) Trojan.OSX.MACDefender.A - O [15 strains]
2) Trojan.OSX.BlackHoleRAT.A - C [3 strains]
3) Trojan.OSX.Boonana.A
4) Trojan.OSX.OpinionSpy.A - B [2 strains]
5) Trojan.OSX.iServices.A - C [3 strains]
6) Trojan.OSX.PokerStealer.A
7) Trojan.OSX.RSPlug.A - Q [17 strains]

The total number of Mac malware species was 7.
The total number of Mac malware strains was 42.

Note that some of the malware in this list have aliases, which I have not provided. The names here are considered the 'standard' names despite claims to the contrary from childishly warring anti-malware companies. I also avoid including hacking tools in my list as they require direct access to user accounts in order to be installed and are not offered as Trojan horses.

Arguably, the RSPlug and BlackHoleRAT malware are now inert and need not be listed. The worst of the above malware was the iServices series. Infections occurred via 'spiked' warez versions of Adobe software and Apple iWork software, possibly others. iServices infections led to a Mac botnet estimated to be over 10,000 Macs in number. iServices used to be the #1 Mac infection in history, previous to the 60x larger Java/Flashback infection this year.

2011-08 -> 2012-08

As I did last year, I'm going to proceed in reverse chronological order. Please note that my list is not definitive. Because of the competition and secrecy of anti-malware companies, I find it very difficult to keep track of all the versions and aliases of Mac malware. 

My list is, however, extensively researched and compared with that of my net friend and colleague Thomas Reed. You can access Thomas' security blog HERE. Thomas' Mac Malware Guide, including his Mac Malware Catalog, is HERE. You'll find that Thomas takes a different approach to Mac malware from me, which is entirely intentional and useful. You'll also find that Thomas provides more complete and up-to-date coverage of ongoing Mac malware infections than I. He's a terrific resource.

Thomas Reed and I are part of a terrific eList group of Mac specialists, writers and coders from around the world who keep track of ongoing Mac malware. We also work to keep the ClamAV project up-to-date with the latest mac malware signatures. I'll be sharing more about our group at another time.

1) Trojan/Backdoor.OSX.NetweirdRC.A

Currently: Low Concern.

NetWeirdRC was first described and named by Intego on August 22, 2012. Their original article is available here:

An Analysis of the Cross-Platform Backdoor NetWeirdRC

Another alias being used is simply 'NetWeird'. I always stick with the name provided by the first people to discover new malware.

NetWeirdRC is essentially a malware kit being provided to malware rats for $60 over the Internet. It is designed to infect and bot either Windows or Mac computers. This is not the first time such kits have been created and offered for sale, as we will see ahead. This is, however, the first time such a kit has been offered at such a cheap price. Earlier in the year we learned about an iOS security vulnerability purported to be sold to our surveillance-maniacal US federal government for $250,000. (Please note: For all we know, this was just another bogus or propagandist rumor.)

At this time, it is not evident that NetWeirdRC is being actively used in-the-wild. However, it is likely to be used in the near future and is therefore of concern. The method of infection could be either a Trojan horse offered to Mac users via social engineering, or direct use as a hacking tool to backdoor a Mac.

Thankfully, this first version of NetWeirdRC is buggy and incomplete. That may be why it is being sold on the cheap. Rebooting an infected computer makes it inert. When it is running, it acts as a bot, phoning home for Bot Wrangler instructions. Any 'reverse firewall' software, such as Little Snitch or VirusBarrier X, will catch the phoning home and stop it. As a bot, it of course PWNs (owns, or entirely takes over) the infected machine and can theoretically do anything with and to it. At this time, its activities have been restricted to downloading and installing new files (which could include new malware infections), performing remote Bot Wrangler commands, grabbing and sending screenshots, gathering and sending system and installed software information, as well as stealing encrypted passwords from email programs and web browsers. See the Intego article for further details.

This malware is easy to detect and remove. Most current anti-malware software should be able to stop infection as well as remove it.

2) Trojan.OSX.Crisis.A (aka Morcut, JVDrop, Remote Control System DaVinci)

-->Please continue on to Part II