Saturday, August 31, 2013

Java 6 UNSAFE At Any Version:
*Shoot On Sight!*
It's Java 7 Update 25 or nothing.


The Java experience over the last couple years has been like living in a horror movie. Once Oracle got their hands on Java, they ruined it. Shame on you Oracle! I hate you.

This past week, Apple used XProtect's web plug-in blocking mechanism (present in OS X 10.6.8 onwards) to disable every version of the Java web plug-in earlier than 6u51 on the Java 6 side and 7u25 on the Java 7 side. Here is Apple's security announcement from Thursday:
APPLE-SA-2013-08-29-1 OS X: Java Web plug-in blocked
Due to multiple security issues in older versions, Apple has updated the web plug-in blocking mechanism to disable all versions prior to:

Java 6 update 51
Java 7 update 25

More information on Apple-provided updates is available at

Information on blocked web plug-ins will be posted to:
OK. Except that's not good enough! According to Information Week, there is NO safe version of Java 6:

Hackers Target Java 6 With Security Exploits 
Mathew J. Schwartz | August 26, 2013 11:35 AM | Information Week
Warning to anyone still using Java 6: Upgrade now to Java 7 to avoid being compromised by active attacks.

That alert came via F-Secure anti-malware analyst Timo Hirvonen, who reported finding an in-the-wild exploit actively targeting an unpatched vulnerability in Java 6 following the recent publication of related proof-of-concept (POC) attack code. The Java runtime environment (JRE) bug (CVE-2013-2463), was publicly revealed when Oracle released Java 7 update 25 in June 2013, which remains the most recent version of Java. . . .

The safe bet now is to expect no new Java 6 updates. Oracle's Java 6 download page reads: "Updates for Java 6 are no longer available to the public. Oracle offers updates to Java 6 only for customers who have purchased Java support or have Oracle products that require Java 6."

According to statistics released in March 2013, at least 47% of all Java users in the United States were still running Java version 6.

What risk do Java 6 users now face from the new vulnerability that's being exploited? According to vulnerability information provider Secunia, the bug could be "exploited by malicious local users to disclose certain sensitive information, manipulate certain data, and gain escalated privileges and by malicious people to conduct spoofing attacks, disclose certain sensitive information, manipulate certain data, cause a DoS (denial of service), bypass certain security restrictions, and compromise a vulnerable system."

If you are running ANY version of JavaAppletPlugin.plugin older than 7u25, TRASH IT! Then quit and relaunch any web browser you have open: a running browser keeps the old plug-in loaded until it restarts.

Not kidding here, folks! You do not want to get PWNed.

Here is where to find your Java plugin on OS X:

/Library/Internet Plug-ins/JavaAppletPlugin.plugin

Check the version number of the plugin via Get Info (⌘-I). If you see anything except "Java 7 Update 25" (the current release as of this post; anything newer that Oracle later ships is fine too), then doom shall reign upon your computer! You have been warned.
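A command-line version of that check, added here as an example rather than anything from the original post or from Apple or Oracle: it reads the plug-in bundle's Info.plist with `defaults` and compares the version against 7u25. It assumes the CFBundleVersion key holds a string of the form 1.<major>.<update>.<build> (e.g. 1.7.25.15 for Java 7 Update 25); the function also accepts `java -version` style strings such as 1.7.0_25. Treat the key name and format as assumptions to confirm on your own Mac, and note that it accepts anything at or above 7u25, since later Oracle updates supersede it, while any Java 6 string, and any string it cannot parse, is reported as unsafe:

```shell
#!/bin/sh
# Added example, not from the original post: check the Java web plug-in's
# version from the shell instead of via Get Info.
# ASSUMPTIONS (verify on your own Mac): Oracle's plug-in records its version
# in Contents/Info.plist under CFBundleVersion as 1.<major>.<update>.<build>,
# e.g. 1.7.25.15 for Java 7 Update 25. Strings like 1.7.0_25 (java -version
# style) are also understood.
PLUGIN="/Library/Internet Plug-Ins/JavaAppletPlugin.plugin"
MIN_MAJOR=7
MIN_UPDATE=25

# java_version_ok VERSION: exit 0 if VERSION is Java 7 Update 25 or newer,
# 1 for anything older, any Java 6, or a string that cannot be parsed
# (unparsable is treated as unsafe on purpose).
java_version_ok() {
    major=$(printf '%s' "$1" | cut -d. -f2)
    rest=$(printf '%s' "$1" | cut -d. -f3)
    case "$rest" in
        *_*) update=${rest#*_} ;;   # 1.6.0_51 style: update number follows "_"
        *)   update=$rest ;;        # 1.7.25.15 style: update number is the third field
    esac
    update=${update%%-*}            # drop a trailing build tag such as "-b15"
    case "$major" in ''|*[!0-9]*) return 1 ;; esac
    case "$update" in ''|*[!0-9]*) return 1 ;; esac
    if [ "$major" -gt "$MIN_MAJOR" ]; then
        return 0
    fi
    if [ "$major" -eq "$MIN_MAJOR" ] && [ "$update" -ge "$MIN_UPDATE" ]; then
        return 0
    fi
    return 1
}

if [ -d "$PLUGIN" ]; then
    installed=$(defaults read "$PLUGIN/Contents/Info" CFBundleVersion 2>/dev/null)
    if java_version_ok "$installed"; then
        echo "JavaAppletPlugin $installed: Java 7 Update $MIN_UPDATE or newer"
    else
        echo "JavaAppletPlugin ${installed:-(version unreadable)}: OLDER than 7u$MIN_UPDATE, trash it" >&2
    fi
else
    echo "No JavaAppletPlugin.plugin in /Library/Internet Plug-Ins; nothing to check"
fi
```

Run it as-is; if the plug-in is absent it simply says so. A version string it cannot read or parse is deliberately reported as unsafe rather than assumed fine.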


As per Mathew J. Schwartz' article at Information Week:
While Java 6 is now under the gun, the latest version of Java 7 also sports at least one serious unpatched vulnerability. Fortunately, however, no technical details about that vulnerability have been publicly released. The bug, dubbed "issue 69," was discovered by veteran Java bug hunter Adam Gowdiak, CEO of Polish research firm Security Explorations, and reported to Oracle on July 18, 2013.
IOW: There is already a known (though not yet publicly detailed) security hole in even Java 7 Update 25.

Therefore, even if you MUST keep Java installed (for a desktop application, say), the very safest thing to do is to:
Just Turn Java OFF in the browser.

Here is where Oracle now lets you, at long last, turn Java off inside its 'Control Panel' on OS X:

Here's how to get there:

1) Open 'System Preferences...' from the Apple Menu.

2) If you have Java 7 Update 25 installed, you'll see the 'Java' System Preferences button in the bottom 'Other' section of the window. CLICK IT.

3) The 'Java' Preferences pane opens, except it then insists upon running its 'Java Control Panel' in Java as a separate window. (o_0)

4) Click on the 'Security' tab. That will bring up the interface pictured above.

5) If you don't already have the 'Security Level' jammed up to 'Very High', do that FIRST. At 'Very High', unsigned applets are blocked outright and even validly signed ones run only after you approve a prompt. (You do NOT want it set any lower unless you are at a specifically known safe web page. Of course, remember to jam it back UP to 'Very High' again BEFORE you leave that specific web page.)

6) Then UNCHECK the box near the top labeled "Enable Java content in the browser". IOW: There should be NO check mark in that box, as seen in the interface pictured above. I have the cursor in the picture pointing at the box.

7) Click the 'Apply' button on the bottom right of the window.

8) Click the OK button. The Java Preferences will close.
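The same two settings applied from the shell, as an added example that is not from the original post and not Oracle's tooling: steps 5 and 6 of the procedure above correspond to the documented Java deployment properties deployment.security.level and deployment.webjava.enabled, which the Control Panel stores in a per-user deployment.properties file. The path below is the standard Oracle Java 7 layout on OS X as I understand it; confirm it on your own Mac, quit the Java Control Panel before running this (it writes its own copy of the file when you click Apply and may overwrite yours), and re-open the Control Panel afterwards to confirm it shows 'Very High' with the browser box unchecked:

```shell
#!/bin/sh
# Added example (not from the original post, not Oracle's tooling): apply the
# two Java Control Panel settings from steps 5 and 6 directly to Oracle's
# per-user deployment.properties, then verify they stuck.
# ASSUMPTIONS: the file lives at $PROPS on OS X (Oracle Java 7 layout) and the
# Control Panel honours the two documented deployment property keys used below.
PROPS="$HOME/Library/Application Support/Oracle/Java/Deployment/deployment.properties"

# set_prop FILE KEY VALUE: rewrite an existing "KEY=..." line or append one.
set_prop() {
    file="$1" key="$2" value="$3"
    [ -f "$file" ] || : > "$file"
    # Property names contain dots; escape them so grep/sed match literally.
    pattern=$(printf '%s' "$key" | sed 's/\./\\./g')
    if grep -q "^$pattern=" "$file"; then
        sed "s/^$pattern=.*/$key=$value/" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# harden_java_props FILE: Security Level 'Very High' and no Java in browsers.
harden_java_props() {
    set_prop "$1" deployment.security.level VERY_HIGH   # step 5
    set_prop "$1" deployment.webjava.enabled false      # step 6
}

# java_props_hardened FILE: exit 0 only if both lines read exactly as expected.
java_props_hardened() {
    grep -qFx 'deployment.security.level=VERY_HIGH' "$1" &&
    grep -qFx 'deployment.webjava.enabled=false' "$1"
}

# Only touch the real file on OS X; elsewhere the functions can be pointed at
# any file you name yourself.
if [ "$(uname)" = Darwin ]; then
    mkdir -p "$(dirname "$PROPS")"
    harden_java_props "$PROPS"
    if java_props_hardened "$PROPS"; then
        echo "Browser Java disabled and Security Level set to Very High in $PROPS"
    else
        echo "Could not apply settings to $PROPS" >&2
    fi
fi
```

set_prop replaces a weak existing line (deployment.security.level=MEDIUM, deployment.webjava.enabled=true) in place rather than appending a duplicate, so the file ends up with one unambiguous value per key, and leaves every other property untouched.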

What a PITA.

Yes, Apple has very kindly and wisely provided Safari v6.0.5 and higher, which automatically stops Java from running on web pages without specific user approval. What a great feature! But I'm providing the instructions above for those who wish to be extra safe: turning Java off in Oracle's Control Panel disables the plug-in for every browser on the machine, not just Safari, so no Java malware can reach your machine through any browser. Consider it paranoia if you will. But this added safety, short of removing the Java plug-in entirely, is available for you to use. It's what I'm using on my Macs.

Meanwhile, if and when the hole Gowdiak reported in Java 7u25 starts being exploited in the wild, watch for yet another Java security update!

Did I mention that I hate you Oracle? :-P


Thursday, August 29, 2013

The Safe Mac's Malware Dictionary


My net bud/colleague Thomas Reed has published a Malware Dictionary at his website, The Safe Mac. You can access his Malware Dictionary here:

The Safe Mac : Malware Dictionary

Here's a list of terms featured in Thomas's Malware Dictionary:

black hat hacker
click fraud
command-and-control server
cross-site scripting
denial-of-service (and distributed denial-of-service)
drive-by download
false positive
in the wild
on-access scanning
on-demand scanning
proof of concept
watering hole
white hat hacker

I've added a link to The Safe Mac : Malware Dictionary on the right side of the page under Friends of Mac-Security.

Wednesday, August 28, 2013

iOS (and Android) Security Leaks Uncovered


Dan Goodin, one of the reliable writers at Ars Technica, has posted an article discussing an academic paper published by scientists at Microsoft Research and Indiana University. It's well worth a read:

iOS and Android weaknesses allow stealthy pilfering of website credentials
Scientists call on Apple and Google to mitigate "origin crossing" attacks.
Both OSes fail to ensure that browser cookies, document files, and other sensitive content from one Internet domain are off-limits to scripts controlled by a second address without explicit permission....
. . .
"Our research shows that in the absence of such protection, the mobile channels can be easily abused to gain unauthorized access to a user's sensitive resources," the researchers—who besides Wang, included Rui Wang and Shuo Chen of Microsoft and Luyi Xing of Indiana University—wrote. "We found five cross-origin issues in popular [software development kits] and high-profile apps such as Facebook and Dropbox, which can be exploited to steal their users' authentication credentials and other confidential information such as 'text' input. Moreover, without the OS support for origin-based protection, not only is app development shown to be prone to such cross-origin flaws, but the developer may also have trouble fixing the flaws even after they are discovered."
(Bolding above mine).

From my POV, it has been known for years that using iOS meant a restriction on user-added security. Therefore, for example, you are being tracked over the Internet using most iOS web browsers. Whereas I have total control over Tracking Cookies on my Macs. This means your privacy as well as security is being compromised whenever you're on iOS, as opposed to the added security measures possible on OS X.

But what's discussed in the article goes to a deeper point: the flaws sit in SDKs that developers compile into their own apps (the paper names Facebook's and Dropbox's), not only in the OS. That's very bad, and it means this problem is not going to be solved simply by an iOS update. The SDK vendors have to ship fixed versions, then every application that embedded the flawed code has to be rebuilt against them and redistributed as an update. And as the researchers note, without OS-level origin-based protection, developers may have trouble fixing the flaws even then.

As ever, I'm grateful to researchers who uncover these problems. This isn't another memory management mess. It's something new to me and required a couple of readings to understand. I expect we'll be hearing more about this problem as developers sort out whether their apps are vulnerable or not.

~ ~ ~ ~ ~

[Ars trolls postscript: Lately I've been extremely displeased with what I call 'ars trolls' and unprofessional writers at Ars Technica. You can read my recent documentation of their shameful behavior HERE. However, I have consistently found Dan Goodin and the other computer security writers at Ars Technica to be excellent. I continue to recommend their work.]


Saturday, August 17, 2013

Apple's iOS App Store FAILs Recent
Proof-Of-Concept Malware Test,
Apple Adjusts iOS In Response

Just a quickie post to point out a recent proof-of-concept test of the Apple iOS App Store:

Remotely Assembled Malware Blows Past Apple’s Screening Process
Research unmasks a weakness of Apple’s App Store: new apps apparently are run for only a few seconds before approval.
- By David Talbot on August 15, 2013, MIT Technology Review
 “The app did a phone-home when it was installed, asking for commands. This gave us the ability to generate new behavior of the logic of that app which was nonexistent when it was installed,” says Long Lu, a Stony Brook University researcher who was part of the team at Georgia Tech, led by Tielei Wang, that wrote the Apple-fooling app.
. . . 
The paper was slated for a talk Friday at the Usenix conference in Washington, D.C. Tom Neumayr, an Apple spokesman, said the company made some changes to its iOS mobile operating system in response to issues identified in the paper. Neumayr would not comment on the app-review process.
As ever: Apple is never perfect. They're simply better than the alternatives. Nonetheless, I wish Apple was more proactive, performing intense security testing on their own software rather than waiting for a breach like every other software developer. That's why I champion the white hat hackers and their cattle prodding of Apple's security efforts.

Tuesday, August 6, 2013

TorBrowser Security HELL:
Manually Update TorBrowser to
v2.3.25-10 or above NOW!


If you are a TorBrowser user and have not updated it since June 2013, it is URGENT, CRITICAL, IMPORTANT that you manually update (automatic update FAILs!) to the most recent version NOW! Got that? NOW!

There is a nasty bug in TorBrowser whereby the version of Firefox it uses will NOT update you to the latest version. It literally LIES to you that you have the latest version. My screenshot image above proves this! If that version happens to be Firefox v17.0.6, you are living in Security HELL. Tor is betraying you and letting evil SURVEILLANCE RATS compromise your anonymity. IOW: It's a total Tor FAIL.

Therefore, if you are using any TorBrowser earlier than v2.3.25-10 (that includes v2.3.25-8 and -9), you must MANUALLY go to the Tor website, download the latest version and install it NOW!

Because I attempt to keep this blog on the level of an average Mac user, and because this SEVERE compromising of TorBrowser has been vastly covered elsewhere, I'm not going to provide details here. Instead, here is a series of links describing the problem as well as theories as to who the evil SURVEILLANCE RATS might be:

Tor security advisory: Old Tor Browser Bundles vulnerable

Investigating Security Vulnerability Report

- Mozilla Security Blog

Attackers wield Firefox exploit to uncloak anonymous Tor users

Publicly available exploit threatens all Tor users unless they take action now. 
-Dan Goodin @ars technica

Update: Researchers say Tor-targeted malware phoned home to NSA

JavaScript attack had a hard-coded IP address that traced back to NSA address block. 
-Sean Gallagher @ars technica

There we go

by Cryptocloud_Team » 05 Aug 2013 13:34

To the TOR Project:

The TorBrowser project is not working. You have GOT to either keep up with EVERY Firefox update or program in a SERIOUS auto-updating system. REMOVE the LIAR code in your implementation of Firefox that tells the user it is up-to-date with the browser when it is NOT!

IOW: Using TorBrowser is DANGEROUS, potentially a way to HURT users rather than protect them. Therefore, immediate change in the project is REQUIRED NOW. You can't delay and expect TorBrowser to maintain its reputation. It won't. It will be marked as a FAILed project. Consider my warning here as one very deliberate mark AGAINST TorBrowser. I'll continue to rail on about this problem UNTIL you fix it permanently. I'm that vehement about real Internet user security. 

Please communicate with me and my Mac security interest group about this situation. We'd be pleased to assist.

:-Derek Currie

Critical Adobe Security Update:
Digital Editions v2.0.1


We now have another insecure Adobe application to worry about. This time it's Adobe Digital Editions.

Adobe WHAT?

Here is how Adobe describes their application-with-critical-security-holes, Digital Editions:
Adobe® Digital Editions software offers an engaging way to view and manage eBooks and other digital publications. Use it to download and purchase digital content, which can be read both online and offline. Transfer copy-protected eBooks from your personal computer to other computers or devices. Organize your eBooks into a custom library and annotate pages. Digital Editions also supports industry-standard eBook formats, including PDF/A and EPUB.
For those who care, and those who use Digital Editions, here is the Security Bulletin:
Adobe has released a security update for Adobe Digital Editions for Windows and Macintosh.  This update addresses a vulnerability in the software that could cause the application to crash and potentially allow an attacker to take control of the affected system. Adobe recommends users update their product installation using the instructions provided in the solution section above.

This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2013-1377).
Yes, another memory corruption security hole, still the #1 source of remotely exploitable bugs in software written in C and C++.

And yes, another way for a mere application on your Mac to let a malware rat 'take control' of your entire computer. It doesn't get worse. (o_0) (Strictly, a crash-turned-code-execution bug in Digital Editions hands the attacker whatever your own user account can do, and getting root takes a second hole; but your documents, browser sessions and saved passwords all live inside that account, so that is already everything you care about.) That's a terrific reason to NOT install Digital Editions, or, if you can, to uninstall it until Adobe gets its act together and seriously sandboxes the thing.