Monday, January 28, 2013

Just Turn Java Off:
'Very High' Security Setting NOT EFFECTIVE!

[Updated 2013-01-29. Thank you to my net pal Al for editing corrections and for inspiring me to document the difference between old Mozilla browsers and new.]

Is there a smiley for rolling one's eyes? Maybe this will do: (@_@)

Stupid, lazy, incompetent Oracle:

The open source community couldn't do any worse than Oracle's worthless support for Java.

Go and read this NOW:

Java’s new “very high” security mode can't protect you from malware

by Dan Goodin - Jan 28 2013, 1:55pm EST
Security researchers have uncovered a newly discovered bug in Oracle's Java framework that allows attackers to bypass important security protections designed to prevent malware attacks. . .
The security bypass was only tested on Windows. But expect it to be fully functional on Mac Java as well.
Oracle representatives didn't immediately respond to an e-mail seeking comment for this post. In addition to shoring up the quality of the Java code base, many security professionals have called on Oracle to communicate more quickly and effectively when it learns of new vulnerabilities in recent versions of its software.
What a concept: Oracle caring and reacting effectively in a timely manner. We can dream.

Just Turn Java Off

That means turn Java OFF, and leave it off, in ALL your web browsers until you have ALREADY loaded a website where you require Java. At that point you can reload the web page for full Java plugin functionality. Then remember to turn Java OFF again BEFORE you leave that website.

Other ways to Just Turn Java Off:

The quick and dirty reversible method is to:

A) Quit all your web browsers. A browser that is already running has already loaded the plug-in; moving the files only affects browsers launched afterwards.
B) Go here: /Library/Internet Plug-Ins/
C) Find 'JavaAppletPlugin.plugin' AND 'JavaEmbeddingPlugin.bundle' (if present).
D) Move them somewhere else so they can't load into your web browsers. This will require an Administrator password. (Be certain you've actually MOVED the plugin files, not simply copied them! The Finder copies rather than moves when you drag to a different volume, so keep the holding folder on the same drive and check that the originals are gone.) I keep the Java files in a folder inside /Library I have named 'Internet Plug-Ins (Disabled)'. I can move them back into /Library/Internet Plug-Ins/ whenever I like in order to restore functionality.
E) At that point you can launch your web browsers and damnable Java can't load, so you're safe.
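Steps A through E as a script, so the "moved, not copied" check is done for you. This is an added example, not code from the original post; run it with sudo because the plug-in folder is owned by root. PLUGIN_DIR and DISABLED_DIR default to the real OS X locations but can be overridden, so you can try the functions against a scratch folder before pointing them at /Library. The three browser process names in browsers_running are an assumption; add your own.

```shell
#!/bin/bash
# Added example: park Oracle's Java browser plug-in outside the folder browsers
# scan, and bring it back only while a site that needs Java is open.
set -u

PLUGIN_DIR="${PLUGIN_DIR:-/Library/Internet Plug-Ins}"
DISABLED_DIR="${DISABLED_DIR:-/Library/Internet Plug-Ins (Disabled)}"
# Oracle's applet plug-in and, on older installs, the Java Embedding Plugin.
JAVA_PLUGINS="JavaAppletPlugin.plugin JavaEmbeddingPlugin.bundle"

# A running browser keeps the plug-in it loaded at launch, so moving the bundle
# only helps browsers started afterwards. Assumption: these process names.
browsers_running() {
    pgrep -x 'Safari|firefox|Google Chrome' >/dev/null 2>&1
}

# Move bundle $1 from folder $2 to folder $3 and confirm it is gone from $2,
# i.e. that it was moved rather than copied.
move_bundle() {
    [ -e "$2/$1" ] || return 0                      # nothing to move
    if [ -e "$3/$1" ]; then
        echo "$3/$1 already exists; refusing to nest one copy inside another" >&2
        return 1
    fi
    mv "$2/$1" "$3/$1" || return 1
    [ ! -e "$2/$1" ]                                # moved, not copied
}

# Put the Java bundles in the disabled folder.
java_disable() {
    local name
    mkdir -p "$DISABLED_DIR" || return 1
    for name in $JAVA_PLUGINS; do
        move_bundle "$name" "$PLUGIN_DIR" "$DISABLED_DIR" || return 1
    done
}

# Put them back for the one site that genuinely needs Java.
java_enable() {
    local name
    for name in $JAVA_PLUGINS; do
        move_bundle "$name" "$DISABLED_DIR" "$PLUGIN_DIR" || return 1
    done
}

# Report what a browser launched right now would find: enabled, disabled
# (parked in the holding folder) or absent (Java not installed at all).
java_status() {
    local name
    for name in $JAVA_PLUGINS; do
        [ -e "$PLUGIN_DIR/$name" ] && { echo enabled; return 0; }
    done
    for name in $JAVA_PLUGINS; do
        [ -e "$DISABLED_DIR/$name" ] && { echo disabled; return 0; }
    done
    echo absent
}

case "${1:-}" in
    disable|enable)
        if browsers_running; then
            echo "quit all web browsers first" >&2
            exit 1
        fi
        "java_$1" && java_status ;;
    status) java_status ;;
    '')     ;;                                      # run bare: do nothing
    *)      echo "usage: $0 disable|enable|status" >&2; exit 2 ;;
esac
```

Usage: `sudo ./javaplugin.sh status`, then `sudo ./javaplugin.sh disable` with every browser closed. The script refuses to move a bundle on top of an existing copy, which is the mistake that turns "move" into "copy" and leaves a working plug-in behind.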

The PERMANENT method for removing Java (see the Firefox note below if you still run an old Mozilla build) is to:

Go here and follow Oracle's instructions:

Or, if you would like more complete instructions, there is one added file you can remove at your discretion:

A - D) As above. Except toss the Java files into your Trash and empty it, as found in Oracle's instructions.
E) Go here: /Library/PreferencePanes/
F) Find the alias file labeled 'JavaControlPanel.prefpane' and trash it. It points into the plug-in you just removed, so it's left-over refuse of no worth to anyone.

Stop there. You're done.

Yes, there are other Java files on your Mac, but they are from Apple. Don't touch them. This includes the 'Java' folder inside /Library and the other files aliased from that folder. Apple and other apps use Java within your Mac's operating system. (Java isn't just for the Internet.) None of these apps and services are affected by Oracle and their continuing circus of blundering and carelessness. You're safe.

BTW: I still cannot turn Java off via the 'checkbox' provided in Oracle's 'Control Panel' for 7u11. It is permanently ON. I've tested it on 10.7.5, 10.8.2 and the 10.8.3 beta. It's broken under both the 'User' tab and the 'System' tab. Oracle know it. Their workaround for 10.8.2 FAILed for me. Therefore, the only solution is to turn Java off in all your web browsers or simply remove the plugin from your /Library/Internet Plug-Ins/ folder and restart your web browsers.


Stupid, lazy, incompetent Oracle. (0_o)



Firefox and other Mozilla-related apps:

Summary: All of the above instructions still apply, as long as you are using the most current version of Firefox.

However, some people still use older versions of Mozilla apps AND Firefox still links to old, wrong, out-of-date instructions for updating Java. Therefore, I've added this addendum to help prevent confusion:

Old (less secure) versions of Mozilla applications embedded their own Java plugin (the Java Embedding Plugin) within the applications themselves, and it had to be updated separately from that project's website.

Current and recent versions of Mozilla applications now access the same Java plugin installed into OS X via the Oracle Java installer. IOW: There is no longer any separate version of the Java plugin used by Mozilla apps. 

You can access Mozilla's current Java instructions here:

Remaining Confusion: Unfortunately, if you go into the current version of Firefox (v18.0.1), check the Add-Ons Manager and open the Plugins tab, you'll find WRONG instructions (linked to 'Check to see if your plugins are up to date') for updating the Java Embedding Plugin. Firefox v18.0.1 says it includes Java Embedding Plugin v1.0-JEP- while the most recent version at SourceForge is v0.9.7.5. Ignore this. There is no actual way to update to v0.9.7.5 AND it doesn't matter. Instead, follow Mozilla's instructions linked above. That is all.

Just make certain that Firefox's Java Embedding Plugin is 'disabled' in Add-Ons Manager. You can 'enable' it again when you want to use Java on a specific website. Disable it again before you leave that website, the same as usual.


iOS 6.1: BIG Security Fixes


iOS 6.1 was posted today. It contains BIG security fixes which I consider to be critical. This update is available for iPhone 3GS through iPhone 5; iPod Touch 4 through iPod Touch 5; iPad 2 through iPad 4. (Sorry iPad 1 users!).

If you check out the notes provided in iTunes, you'd never know about any security fixes unless you clicked the link at the end of Apple's brief notes:
For information on the security content of this update, please visit this website:
Which then provides a link to here:
About the security content of iOS 6.1 Software Update 
There are, according to my count, 28 security patches. MANY of them are critically dangerous.

Thankfully, Apple provide nice summaries of the CVE issues involved (as opposed to our pals at Oracle regarding Java :-P).

My quick list of problems fixed by iOS 6.1, 
with my comments in [brackets]:


Identity Services: Bypass of certificate authorization of an Apple ID.

International Components for Unicode: Malicious website cross-site scripting attack.

Kernel: Faulty kernel memory access.

Security: Interception of user credentials and further information due to bad TURKTRUST-issued security certificates. [DC- Oh look, yet-another BAD security certificate authority]

StoreKit: Smart App Banner automatic re-enablement of user-disabled JavaScript.

WebKit Memory Corruption: 20 memory corruption flaws allowing unexpected application termination or arbitrary code execution. [DC- IOW, potential PWNing of your WebKit browser]

WebKit Content Pasting Validation: Pasting content into a malicious website leading to a cross-site scripting attack.

WebKit Frame Elements: Improper handling of frame elements leading to a cross-site scripting attack.

WiFi: Temporary disablement of WiFi by a remote attacker on the same WiFi network, caused by Broadcom's BCM4325 and BCM4329 firmware reading out of bounds when handling 802.11i information elements.


No surprise, the majority of issues involve memory management flaws, the continuing plague of modern programming languages and methods.

I suggest updating ASAP. It's always a good idea to have some free space available on your iOS device, especially when updating iOS.

Today I thankfully have not run into any bogged down access to the update. But my iPod Touch 4 booted five times before the update was complete. There is also a new setup process for iCloud required after the update. All went well.

Oh and BTW: The number of malware affecting iOS remains at zero.
(Unless of course you've cracked your iOS device. Then you're on your own. The number of affecting malware is unknown.)


Friday, January 18, 2013

Java Security Tips @ MacFixIt

[Updated 2013-01-20]

My Mac security friend Topher Kessler has posted a great article at MacFixIt with some tips about keeping your computer safe from the ongoing Java lunacy.

With the latest security holes coming to light, many are recommending removing Java entirely from your system. If you don't want to go that far, here are some things you can do.
Lately Java has been getting a bit of bad press, thanks to several consecutive security holes that have been exploited by malware developers. One notable occurrence was the Flashback malware threat that affected a number of OS X users, which (though due in part to Apple's negligence about Java upkeep) was rooted in the Java runtime. More recently, Java 7 has seen a new zero-day vulnerability that has been circulating in exploit kits. 
In response to these threats, many in the tech community have recommended that people uninstall Java altogether. However, this can be impractical for some, as many people need Java to run applications, including Web apps and a number of technical and creative development tools. . . .
For Safari users, one of Topher's ideas is superior to simply turning off Java in the Safari Preferences. It's the add-on ClickToPlugin. It allows you to turn on or off any Internet plug-in for Safari:

What is useful about this option is that ClickToPlugin doesn't just shut down Java. Instead, it (usually) provides you the ability to click on Java content in order to allow it to run. I'm finding this method of Java control to be a bit messy. But it's another option if you don't want to have to sit-and-wait for the goofy/buggy Java 'Control Panel' to load so you can change security modes.

NEW: As you'll see in my added comment below (read for details), the ClickToPlugin add-on for Safari is NOT adequate for blocking Java applets from running in the browser.

Therefore, I cannot recommend bothering with ClickToPlugin for blocking Java. So it's back to the mantra:

Just Turn Java Off


Tuesday, January 15, 2013

Red October LUVS Java,
A Match Made In Hell


It turns out that the Red October malware racket, started in 2007, has been doing its dirty work thanks to Oracle's crap attention to Java security. I hate you Oracle. I hate you very much.

Unearthed attack site reveals some inner workings of espionage malware.
Attackers behind a massive espionage malware campaign that went undetected for five years relied in part on a vulnerability in the widely deployed Java software framework to ensnare their victims, a security researcher said.
The unknown attackers infected computers operated by the Russian Federation, Iran, the US, and at least 36 other countries. They used highly targeted malware to collect what's believed to be hundreds of terabytes of sensitive data, according to researchers from antivirus provider Kaspersky Lab. The success of the covert operation is largely the result of malware and phishing e-mails that were highly customized for each victim.  
Now, Aviv Raff, CTO of Israel-based Seculert, said he has uncovered a website used to infect some of the victims of Operation Red October (as the campaign has been dubbed). The website exploited a critical Java vulnerability identified as CVE-2011-3544, allowing the attackers to surreptitiously execute malicious code on visitors' computers. Although Oracle developers patched the bug in October of 2011, the malicious Java archive file was compiled the following February. . . .
CVE-2011-3544 affects the Java runtime shipped with Mac OS X 10.6 through 10.7.2.

The best description of CVE-2011-3544 is at SecurityTracker.

SecurityFocus lists the vulnerable operating system versions.


In general, if you are administering Macs with potential LUSER Factor problems:

1) Always force your users to have Standard accounts, never Admin accounts.
2) Lock the Java settings to the minimum required to run the Java apps required.
3) Unless you know your users require Java, it's a great idea to simply uninstall Java.
4) Keep your potential LUSER machines up-to-date; No slacking allowed on your part.

Ideally, if you are working with Macs running Mac OS X 10.6 through 10.7.2, uninstall Java in order to remain safe.
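A quick audit of points 1, 3 and 4 above for one managed Mac, as an added example (not from the original post). dscl, softwareupdate and the plug-in folder are the real OS X commands and locations; EXPECTED_ADMINS is an assumption and must be edited to the accounts you actually allow to be administrators. The parsing is split into functions that read from standard input so they can be checked against captured command output (the samples in the test are constructed) before being trusted on a live machine.

```shell
#!/bin/bash
# Added example: flag extra admin accounts, an installed Oracle plug-in and
# pending recommended updates on a managed Mac. Run with --run to audit the
# machine you are on.
set -u

EXPECTED_ADMINS="${EXPECTED_ADMINS:-root admin}"      # assumption: edit for your site
PLUGIN_DIR="${PLUGIN_DIR:-/Library/Internet Plug-Ins}"

# Point 1. Read the output of `dscl . -read /Groups/admin GroupMembership`
# (one "GroupMembership: a b c" line) from stdin and print every member that is
# not in the space-separated allow-list $1, one per line.
unexpected_admins() {
    local allow="$1" line user
    while IFS= read -r line; do
        case "$line" in GroupMembership:*) ;; *) continue ;; esac
        for user in ${line#GroupMembership:}; do
            case " $allow " in
                *" $user "*) ;;                      # allowed
                *) echo "$user" ;;                   # should be a Standard account
            esac
        done
    done
}

# Point 3. yes/no: would a browser on this machine find Oracle's plug-in in $1?
java_plugin_installed() {
    if [ -e "$1/JavaAppletPlugin.plugin" ]; then echo yes; else echo no; fi
}

# Point 4. Read `softwareupdate -l` from stdin and count the updates Apple tags
# [recommended]; zero means the machine is current. grep -c exits 1 when the
# count is 0, hence the || true.
pending_recommended_updates() {
    grep -c '\[recommended\]' || true
}

# Run the three checks live; exit status is non-zero if anything needs fixing.
audit() {
    local rc=0 extra java pending
    extra=$(dscl . -read /Groups/admin GroupMembership | unexpected_admins "$EXPECTED_ADMINS")
    [ -z "$extra" ] || { echo "unexpected admin accounts:" $extra; rc=1; }
    java=$(java_plugin_installed "$PLUGIN_DIR")
    [ "$java" = no ] || { echo "Oracle Java plug-in is installed in $PLUGIN_DIR"; rc=1; }
    pending=$(softwareupdate -l 2>/dev/null | pending_recommended_updates)
    [ "$pending" = 0 ] || { echo "$pending recommended update(s) pending"; rc=1; }
    return $rc
}

if [ "${1:-}" = "--run" ]; then audit; fi
```

Point 2 (locking the Java settings) is a file edit rather than a query; see the deployment.properties example further down the page. Note that dscl prints group members on one line only when no name contains a space, which is the normal case for short names.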

In any case, if you're not at a trusted website:

Just Turn Java Off.


Monday, January 14, 2013

Operation Red October:
Look what the Red Hacker Alliance
has been up to for the last few years!

The Red Hacker Alliance (aka the Chinese government) wrote exploits for the newly discovered 'Operation Red October' global malware racket that's been running since 2007. Surprise. (O_0)

Massive espionage malware targeting governments undetected for 5 years

 "Red October" command-and-control setup more sophisticated than that of Flame.
While the malware developers spoke Russian, many of the exploits used to hijack victim computers were initially developed by Chinese hackers.
And we still give China 'Most Favored Nation' Status. Why? Does China own the USA or something?
Red October is also notable for the broad array of devices it targets. Beside PCs and computer workstations, it's capable of stealing data from iPhones and Nokia and Windows Mobile smartphones, along with Cisco enterprise network equipment. It can also retrieve data from removable disk drives, including files that have already been deleted, thanks to a custom file recovery procedure.
IOW Folks: 'Red October' has been active on:

I) Macs

II) iOS Devices.
The discovery of Red October opens yet another chapter in the just-begun era of highly advanced espionage malware that already included Duqu, Flame, and Gauss. With its high degree of customization and its ability to evade detection for five years, the operation has rivaled previous espionage campaigns including the Aurora attacks that hit Google and dozens of other large companies three years ago. 
"All of these are very well-coordinated, very professionally run projects," Baumgartner said. "There's not enough evidence to link it to a nation-state, but certainly this level of interest and multi-year, ongoing campaign puts it up there with something like Flame and Duqu in the amount of effort it takes to seek out those targets and infiltrate the networks."

More exciting revelations to come, no doubt.

Why do we humans hate each other so vehemently?
What is our problem?
Why are we DRIVEN to self-hatred and self-destruction?
And no, it's not some ethereal demons out-to-get-us.
This is OUR problem and OURS to solve.
WE CHOOSE this insanity.
There's no one else to blame or to end it.
I get philosophical like that.

Java 7u11 Is Out And Inadequate

[Updated 2013-01-28]

Oracle rushed out Java 1.7 update 11 over the weekend.

1) It still has well-known, published, publicly acknowledged security holes. IOW: It's still entirely dangerous. Don't use Java unless you have to. Meanwhile:

Just Turn Java Off.

2) Apple's quick response (despite the nasty bug when DIY running XProtect Updater) was EXCELLENT. I applaud Apple for speed and efficiency. This is Apple on-their-toes and I like it!

3) That stupid, moronic Java 'Control Panel' bug that my 11-year-old nephew could solve, whereby the 'Enabled' checkbox is ON forever, no matter what, continues. I hate you Oracle, you blithering idiots:

4) --> UPDATE NOTE from 2013-01-28:
It has been found that the "Very High" Security Level setting is INEFFECTIVE! It does NOT block malware. Consider it USELESS! Read ahead to my article:

Just Turn Java Off: 'Very High' Security Setting NOT EFFECTIVE!

 Therefore, here is how you effectively turn OFF Java in its 'Control Panel' until you have already navigated to a website you know is safe for running Java:

Set it and leave it on the 'Very High' Security Level. There is no excuse for setting it on anything else unless you know you're on a safe site. Then before you leave that site, turn it back up to 'Very High'. I can't stress this enough. 'Very High'. No, not me! The Java Security Level!
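The same two Control Panel settings, driven from the shell instead of the stuck 'Enabled' checkbox described in item 3 above and in the January 28 post at the top of the page. This is added example code, not Oracle's and not the post's. It edits Java 7's per-user deployment.properties file, and it rests on these assumptions: the file path below; the key names deployment.webjava.enabled (the "Enable Java content in the browser" box, 7u10 and later) and deployment.security.level (LOW, MEDIUM, HIGH, VERY_HIGH); and Oracle's convention that a key suffixed .locked keeps the Control Panel from changing it, which also covers point 2 of the admin list ("lock the Java settings") in the January 15 post. Setting the level alone is what the January 28 update says does not stop the exploit; the deployment.webjava.enabled=false line is what actually keeps the plug-in out of the browser, which is why java_off writes both. Close every browser first; the plug-in reads the file when it starts.

```shell
#!/bin/bash
# Added example: switch Java 7's browser plug-in off and on by editing
# deployment.properties, replacing existing lines for a key rather than
# appending duplicates.
set -u

DEPLOY_FILE="${DEPLOY_FILE:-${HOME:-.}/Library/Application Support/Oracle/Java/Deployment/deployment.properties}"

# Turn a key such as deployment.security.level into a basic regex that matches
# only that key at the start of a line (dots escaped, '=' required).
key_pattern() { printf '^%s=' "$(printf '%s' "$1" | sed 's/\./\\./g')"; }

# Print the current value of key $1, or nothing if it is not set.
get_property() {
    [ -r "$DEPLOY_FILE" ] || return 0
    sed -n "s/$(key_pattern "$1")//p" "$DEPLOY_FILE" | tail -n 1
}

# Remove every line that sets key $1, leaving the rest of the file untouched.
unset_property() {
    local tmp
    [ -e "$DEPLOY_FILE" ] || return 0
    tmp=$(mktemp "${TMPDIR:-/tmp}/deploy.XXXXXX") || return 1
    grep -v "$(key_pattern "$1")" "$DEPLOY_FILE" > "$tmp" || true   # grep -v exits 1 on empty output
    mv "$tmp" "$DEPLOY_FILE"
}

# Set key $1 to value $2 exactly once, creating the file if needed.
set_property() {
    mkdir -p "$(dirname "$DEPLOY_FILE")" || return 1
    [ -e "$DEPLOY_FILE" ] || : > "$DEPLOY_FILE"
    unset_property "$1" || return 1
    printf '%s=%s\n' "$1" "$2" >> "$DEPLOY_FILE"
}

# Java off: no plug-in in any browser, level pinned at VERY_HIGH, both locked
# (assumption: the ".locked" suffix convention from Oracle's deployment docs).
java_off() {
    set_property deployment.webjava.enabled false &&
    set_property deployment.security.level VERY_HIGH &&
    set_property deployment.webjava.enabled.locked "" &&
    set_property deployment.security.level.locked ""
}

# Java on, for the one trusted site; run java_off again before leaving it.
java_on() {
    unset_property deployment.webjava.enabled.locked &&
    unset_property deployment.security.level.locked &&
    set_property deployment.webjava.enabled true
}

java_status() {
    printf 'webjava.enabled=%s security.level=%s\n' \
        "$(get_property deployment.webjava.enabled)" \
        "$(get_property deployment.security.level)"
}

case "${1:-}" in
    off)    java_off && java_status ;;
    on)     java_on && java_status ;;
    status) java_status ;;
    '')     ;;                                      # run bare: do nothing
    *)      echo "usage: $0 off|on|status" >&2; exit 2 ;;
esac
```

Caveat: this only works as long as Oracle's plug-in honours its own properties file, whereas the quick-and-dirty method of moving the bundle out of /Library/Internet Plug-Ins does not depend on Oracle's code at all. To enforce the same settings for every account on a managed Mac, Oracle's deployment.config mechanism (deployment.system.config pointing at a system-wide copy of this file) is the documented route; check that against Oracle's deployment-configuration documentation for your Java version, since the exact path is an assumption here.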


With the help of my Mac security friend Sean O'Connell, I'll be providing some further safety settings for the 'Advanced' tab later.

Just Turn Java Off. 
It's that bad.


Friday, January 11, 2013

NOTE: New 'Java 7' Security Hole
Apparently Affects ALL Java, v4 through 7

The bleeding edge news


I'm reading assertions on the net that today's zero day Java security hole is NOT limited to Java 7, but all the way back to Java 4.

IOW: There is no safety in older versions of Java.

I'll post more after the chaos has settled down and we have clear information.

Just Turn Java OFF.


Apple Disables Java 7
In Response To New Malware

GO Apple! I like it... EXCEPT! There's a problem.

First the good news:

What a day. Check out this article at MacRumors:

As noted by ZDNet, a major security vulnerability in Java 7 has been discovered, with the vulnerability currently being exploited in the wild by malicious parties. In response to the threat, the U.S. Department of Homeland Security has recommended that users disable the Java 7 browser plug-in entirely until a patch is made available by Oracle.
So Apple, paying attention to the situation, did THIS:

Apple used its built-in XProtect system to disable ALL versions of Java 7. No versions of Java 7 will be allowed to run until Oracle provides an update. MacRumors lists the XProtect XML code that blacklists the Java 7 Internet plug-in.

XProtect enforces a minimum plug-in version, so no Java 7 plug-in will load until Oracle ships a build newer than the current one, Java 1.7 update 10 build 18 (AKA 7u10b18).

How to verify you have the updated XProtect.plist file:

Navigate in the Finder to here:


There you will find the file "XProtect.plist". Do a Get Info on the file to discover its 'Created' date. You'll want to see either today's date (Friday, January 11, 2013...) or later. If you see a date circa "December 13, 2012..." you do NOT have the update. You are looking at the previous version of the .plist file, NOT the updated version.

NOT what you want.
A NOT updated XProtect.plist file.

How to force an update of your XProtect.plist file:

Navigate in the Finder (using the menu command Go/Go to Folder...) to here:


There you will find the file "XProtectUpdater". If you have Administrator privileges on your Mac, you can simply double-click this file to run it. Terminal opens and the updater runs, downloading the new definitions and verifying Apple's signature on them before installing.

Now for the PROBLEM:

At the moment, I can't get XProtectUpdater to update my XProtect.plist file on a Mac running 10.7.5. That's not good.

(We're into the realm of super geeky, nasty CLI, command line interface, hell here. I despise CLIs and the associated geekiness that goes with them. That's MY problem. YOUR results will no doubt vary).

Here is what I am consistently seeing in the Terminal after I invoke XProtectUpdater:
2013-01-11 15:29:30.053 XProtectUpdater[91712:707] Unable to verify signature: Error Code=-20044 "The operation couldn’t be completed. ( error -20044.)" UserInfo=0x7ff2ba606f60 {FailingMethod=SecManifestVerifySignature}
I get these same results if I:

A) Double-click XProtectUpdater
B) Drop XProtectUpdater on the Terminal window and invoke it
C) Use 'sudo', space, then invoke XProtectUpdater

This is apparently a security problem over at, NOT on my machine UNLESS Apple has only provided the XProtect.plist update for OS X 10.8, which is a distinct possibility.

If other folks have further insights into this problem, please post a comment.

Today's Java BS has burned me out. But tomorrow I will be checking for new information as well as testing XProtectUpdater on my 10.8.x systems. If you run into this same problem updating your XProtect.plist file, stick to the mantra:

Just Turn Java OFF.

If you don't know how, travel on down the blog to my previous articles about Java 7.


That New Java 7 Malware
You've Been Waiting For!

[Updated 2013-01-28]

That didn't take long! Sophos has reported the name of the new in-the-wild Java 7 exploit is:

Translated into the official malware naming system (that nearly everyone ignores), the name would be:


Naming such malware as a 'Trojan horse' is debatable as it is a drive-by infection not requiring anything more than a user visiting a website with the Java plug-in left insecure. I suspect this is why Sophos reports the malware as 'Mal'. I personally would advocate for calling it:


In any case, the malware is here and dangerous.

Just Turn Java OFF.

--> UPDATE NOTE from 2013-01-28:
It has been found that the "Very High" Security Level setting is INEFFECTIVE! It does NOT block malware. Consider it USELESS! Read ahead to my article:

Just Turn Java Off: 'Very High' Security Setting NOT EFFECTIVE!

Or if you must use Java, at least get used to keeping its Security setting at 'Very High' as of Java v1.7 update 10, aka 7u10. 

Sophos provides a picture that indicates using the 'High' setting. That's baloney. Just leave it on 'Very High' until you're at a trusted web page. Don't forget to turn it back to 'Very High' BEFORE you leave that web page. And yes kids, this is a big PITA. Blame Oracle.

Also, Sophos made an error when they stated:
A single check-box can be used to disable the web plugin entirely...

That continues to NOT be true on the OS X version of the Java 7u10 'Control Panel'. Oracle know about it. They attempted to provide a workaround that was specific to OS X 10.8.x. But from my experience, Oracle's workaround was a FAIL. Hopefully Oracle will figure out how to allow mere humans to uncheck a checkbox in their next rendition of Java 7. 

Sheesh. :-P


New Java 7 Exploit In The Wild,
Coming Soon To A Mac Near You!

Just Turn Java OFF.

Oracle's Java 7, ALL versions (v1.7 update 10, aka 7u10, on down), has a newly discovered security hole that is being exploited in-the-wild on Linux, Windows and UNIX. That 'UNIX' exploit means malware will immediately be coming to Mac.

Surprised? Not me!

CVE-2013-0422 describes the security hole as:
Unspecified vulnerability in Oracle Java 7 Update 10 and earlier allows remote attackers to execute arbitrary code via unknown vectors, possibly related to "permissions of certain Java classes," as exploited in the wild in January 2013, and as demonstrated by Blackhole and Nuclear Pack.
SecurityTracker provides further details:
A remote user can create specially crafted Java content that, when loaded by the target user, will execute arbitrary code on the target user's system. The code will run with the privileges of the target user. 
This vulnerability is being actively exploited. 
Several exploit kits include an exploit for this vulnerability....  
No solution was available at the time of this entry.
The source report about in-the-wild exploit malware can be found here:

Quoting the article:
Hundreds of thousands of hits daily where I found it. This could be mayhem. I think it's better to make some noise about it.
I'll post when the 'mayhem' hits the Mac community, which will likely be any minute now...

Wednesday, January 9, 2013

Adobe Updates:
Flash Player v11.5.502.146,
Reader and Acrobat v11.0.01,
AIR v3.5.0.1060

Adobe provided updates on January 7th, 2013 for Reader, Acrobat, AIR and Flash Player. ALL of these updates include security patches. LOTS of security patches!


Adobe Flash Player v11.5.502.146:

Adobe AIR v3.5.0.1060:

Adobe Reader v11.0.01:

Adobe Acrobat v11.0.01:


Adobe Flash Player: 
Visit this web page:

Adobe AIR: 

Visit this web page for instructions:

Adobe Reader: 

Within Reader, choose Help > Check for Updates.

Adobe Acrobat:

Within Acrobat, choose Help > Check for Updates.


Adobe Flash Player v11.5.502.146 and Adobe AIR v3.5.0.1060, Security Bulletin APSB13-01

Adobe Reader and Acrobat v11.0.01, Security Bulletin APSB13-02

The security bulletin for Flash Player and AIR is listed as being only for Flash Player. And yet it's not. (0_o) It's about BOTH. So be sure you update both. Get your act together Adobe!
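A check that tells you whether a given Mac still needs APSB13-01 or APSB13-02, as an added example (not from the original post and not Adobe's). The fixed version numbers are the ones listed above; the two Info.plist locations are assumptions for a standard install, and the version is read straight out of the XML so the same functions work on a plist copied from another machine. The sample plist in the test is constructed.

```shell
#!/bin/bash
# Added example: compare installed Flash Player and Reader versions against the
# first fixed releases named in APSB13-01 and APSB13-02.
set -u

# Assumed locations of the bundle metadata; adjust for a non-standard install.
FLASH_PLIST="${FLASH_PLIST:-/Library/Internet Plug-Ins/Flash Player.plugin/Contents/Info.plist}"
READER_PLIST="${READER_PLIST:-/Applications/Adobe Reader.app/Contents/Info.plist}"

# Print CFBundleShortVersionString from an XML Info.plist, nothing if absent.
plist_version() {
    [ -r "$1" ] || return 0
    sed -n '/<key>CFBundleShortVersionString<\/key>/{n;s/.*<string>\(.*\)<\/string>.*/\1/p;}' "$1"
}

# True (0) when dotted version $1 is at least $2. Fields are compared as
# integers one at a time; a missing field counts as 0, so 11.5 equals 11.5.0.0
# and 11.0.01 reads as 11.0.1. Non-digits inside a field are ignored.
version_at_least() {
    local have="$1" want="$2" h w
    while [ -n "$have" ] || [ -n "$want" ]; do
        h=$(printf '%s' "${have%%.*}" | tr -cd '0-9')
        w=$(printf '%s' "${want%%.*}" | tr -cd '0-9')
        [ -n "$h" ] || h=0
        [ -n "$w" ] || w=0
        if [ "$h" -gt "$w" ]; then return 0; fi
        if [ "$h" -lt "$w" ]; then return 1; fi
        case "$have" in *.*) have=${have#*.} ;; *) have="" ;; esac
        case "$want" in *.*) want=${want#*.} ;; *) want="" ;; esac
    done
    return 0
}

# One line per product: OK, VULNERABLE (with the version needed), or not installed.
check_product() {    # $1 name, $2 Info.plist path, $3 first fixed version
    local have
    have=$(plist_version "$2")
    if [ -z "$have" ]; then
        echo "$1: not installed"
    elif version_at_least "$have" "$3"; then
        echo "$1: $have OK"
    else
        echo "$1: $have VULNERABLE, update to $3"
    fi
}

check_all() {
    check_product "Flash Player" "$FLASH_PLIST" 11.5.502.146
    check_product "Adobe Reader" "$READER_PLIST" 11.0.01
}

if [ "${1:-}" = "--run" ]; then check_all; fi
```

Run it as `./adobecheck.sh --run`. Because the comparison is numeric per field, it does not get fooled by 11.5.502.9 looking "bigger" than 11.5.502.146 as a string would.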


Adobe Flash Player and AIR:
These updates address a vulnerability that could cause a crash and potentially allow an attacker to take control of the affected system.
Details about this security hole can be found in CVE-2013-0630, which has not yet been detailed as of today. SecurityFocus lists the CVE as a "Remote Buffer Overflow Vulnerability", IOW the usual.

Adobe Reader and Acrobat:
CVE numbers: CVE-2012-1530, CVE-2013-0601, CVE-2013-0602, CVE-2013-0603, CVE-2013-0604, CVE-2013-0605, CVE-2013-0606, CVE-2013-0607, CVE-2013-0608, CVE-2013-0609, CVE-2013-0610, CVE-2013-0611, CVE-2013-0612, CVE-2013-0613, CVE-2013-0614, CVE-2013-0615, CVE-2013-0616, CVE-2013-0617, CVE-2013-0618, CVE-2013-0619, CVE-2013-0620, CVE-2013-0621, CVE-2013-0622, CVE-2013-0623, CVE-2013-0624, CVE-2013-0626, CVE-2013-0627
The total is 27 security holes. Adobe is listing them all as 'Priority 2', which they describe as:
This update resolves vulnerabilities in a product that has historically been at elevated risk. There are currently no known exploits. Based on previous experience, we do not anticipate exploits are imminent. As a best practice, Adobe recommends administrators install the update soon (for instance, within 30 days).
Again, none of these CVE reports yet offer any details as of today. If you use a search engine and input each CVE number you can find some dirt on them from various sources. Feeling in a magnanimous masochistic mood, I dug up some general descriptions of the CVEs. 

SecurityTracker describes all but the first CVE here:

Adobe Acrobat/Reader Multiple Flaws Lets Remote Users Execute Arbitrary Code and Local Users Gain Elevated Privileges
Description:   Multiple vulnerabilities were reported in Adobe Acrobat/Reader. A remote user can cause arbitrary code to be executed on the target user's system. A local user can obtain elevated privileges on the target system. A user can bypass security restrictions. 
A remote user can create specially crafted content that, when loaded by the target user, will execute arbitrary code on the target system. The code will run with the privileges of the target user.
The security problems involve the usual memory overflow problems, a "use-after-free" [which is new to me], local errors, elevated privileges and security restriction bypasses. A use-after-free is a memory error in which the program keeps using a pointer to memory it has already freed; if an attacker can arrange for their own data to occupy that freed memory first, the program then operates on attacker-controlled content, which is how these bugs turn into code execution. Oh dear. Not pretty.

IOW: There is no indication of Reader or Acrobat settling into safe and secure mode. The security flaws just keep on coming! Avoid both Adobe Reader and Acrobat as much as possible. 

Apple's Preview app is adequate for most reading and annotation purposes, and it hasn't demonstrated any of Adobe's circus of security holes.

There is also a plethora of alternatives to Adobe Acrobat available for Mac. The alternatives include, in no particular order:

Share and Enjoy!