Thursday, December 11, 2014

Adobe Critical Security Updates For:
Acrobat, Reader and Flash
plus ColdFusion

--
Another second-Tuesday-of-the-month, another bunch of Adobe critical security updates.



I) Adobe Acrobat and Adobe Reader


Security Updates available for Adobe Reader and Acrobat

Details

Adobe has released security updates for Adobe Reader and Acrobat for Windows and Macintosh. These updates address vulnerabilities that could potentially allow an attacker to take over the affected system.  Adobe recommends users update their product installations to the latest versions:

Users of Adobe Reader XI (11.0.09) and earlier versions should update to version 11.0.10.
Users of Adobe Reader X (10.1.12) and earlier versions should update to version 10.1.13.
Users of Adobe Acrobat XI (11.0.09) and earlier versions should update to version 11.0.10.
Users of Adobe Acrobat X (10.1.12) and earlier versions should update to version 10.1.13.

These updates resolve use-after-free vulnerabilities that could lead to code execution (CVE-2014-8454, CVE-2014-8455, CVE-2014-9165).

These updates resolve heap-based buffer overflow vulnerabilities that could lead to code execution (CVE-2014-8457, CVE-2014-8460, CVE-2014-9159).

These updates resolve an integer overflow vulnerability that could lead to code execution (CVE-2014-8449).

These updates resolve memory corruption vulnerabilities that could lead to code execution (CVE-2014-8445, CVE-2014-8446, CVE-2014-8447, CVE-2014-8456, CVE-2014-8458, CVE-2014-8459, CVE-2014-8461, CVE-2014-9158).

These updates resolve a time-of-check time-of-use (TOCTOU) race condition that could be exploited to allow arbitrary write access to the file system (CVE-2014-9150).

These updates resolve an improper implementation of a Javascript API that could lead to information disclosure (CVE-2014-8448, CVE-2014-8451).

These updates resolve a vulnerability in the handling of XML external entities that could lead to information disclosure (CVE-2014-8452).

These updates resolve vulnerabilities that could be exploited to circumvent the same-origin policy (CVE-2014-8453).

Update Adobe Acrobat HERE:
http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Macintosh

Update Reader HERE:

https://get.adobe.com/reader/



II) Adobe Flash Player


Security updates available for Adobe Flash Player

Details

Adobe has released security updates for Adobe Flash Player for Windows, Macintosh and Linux.  These updates address vulnerabilities that could potentially allow an attacker to take control of the affected system. Adobe recommends users update their product installations to the latest versions:

Users of the Adobe Flash Player desktop runtime for Windows and Macintosh should update to Adobe Flash Player 16.0.0.235.
Users of the Adobe Flash Player Extended Support Release should update to Adobe Flash Player 13.0.0.259.
Users of Adobe Flash Player for Linux should update to Adobe Flash Player 11.2.202.425.
Adobe Flash Player installed with Google Chrome, as well as Internet Explorer on Windows 8.x, will automatically update to the current version.

These updates resolve memory corruption vulnerabilities that could lead to code execution (CVE-2014-0587, CVE-2014-9164).

These updates resolve a use-after-free vulnerability that could lead to code execution (CVE-2014-8443).

These updates resolve a stack-based buffer overflow vulnerability that could lead to code execution (CVE-2014-9163).

These updates resolve an information disclosure vulnerability (CVE-2014-9162).

These updates resolve a vulnerability that could be exploited to circumvent the same-origin policy (CVE-2014-0580).

Download Flash Player HERE:
https://get.adobe.com/flashplayer/



III) ColdFusion


Security Update: Hotfixes available for ColdFusion

Details

Adobe has released security hotfixes for ColdFusion versions 11 and 10.  These hotfixes address a resource consumption issue that could potentially result in a denial of service (CVE-2014-9166).
Update instructions and further details are HERE:

ColdFusion 10 Update 15


ColdFusion 11 Update 3



--

Saturday, December 6, 2014

The Safari Security Update That Wasn't:
Whatever Happened to 8.0.1, 7.1.1 and 6.2.1???

~~
[UPDATE 2014-12-11: Apple has now released Safari 8.0.2, 7.1.2 and 6.2.2. I'll be writing them up as soon as their security document is posted online. In the meantime, I'm going to guess that the ~mysterious~ security document for 8.0.1, 7.1.1 and 6.2.1 applies.]
~~

It's a 
~mystery~


Dateline: December 3rd, 2014 at 5:01 pm EST. 


I received a notice by email that Apple had released security updates of Safari, versions 8.0.1, 7.1.1 and 6.2.1. Because I was using OS X 10.10.1 Yosemite at the time, I managed to get Safari 8.0.1 installed and running just before it suddenly...


~vanished~


...off the Internet. Gone too were 7.1.1 and 6.2.1. The trio have never been seen again!


And yet on December 4th, 2014, the security announcement I had received by email ~mysteriously~ appeared on the Internet and has remained there ever since as an ominous spectre reminding the reader of what was, but is not, but may someday be.

Brave readers can glimpse this ~mysterious~ document themselves, before it too...

~vanishes~


Don't bother searching the net for the three updates. They aren't there. They aren't anywhere! ...Except on one of my Yosemite volumes. I played with 8.0.1 for about an hour and sensed nothing wrong. I had no idea that I was playing with something DEAD. Never once did I intuit that I was surfing the net with something that didn't exist, not in life as we know it. Now I'm unsure if I should run 8.0.1 again. I'm scared!


If the authorities rediscover these updates in the corporeal world, I'll be examining them closely in order to determine if their security patches are the same as those that ~vanished~ or if they are instead 
doppelgängers!




~~

[BTW: I have to comment, isn't it soooo Apple to have a security update released, then wait days for its security document to be released on the net.... While here we have a security update release that Apple pulled, and yet its security document remains on the net?! Why can't Apple coordinate its security updates AND its security documents? Is that so hard? Is it Apple???]

~~

Tuesday, November 25, 2014

Yet Another November Critical
Adobe Flash Patch

--

Today, Adobe updated Flash to version 15.0.0.239. It is a critical second patch for CVE-2014-8439, involving bad memory management code. Adobe's Security Bulletin is available here:

http://helpx.adobe.com/security/products/flash-player/apsb14-26.html

These updates provide additional hardening against a vulnerability in the handling of a dereferenced memory pointer that could lead to code execution (CVE-2014-8439).  A mitigation was previously introduced for this issue in the October 14, 2014 release. 
The update is available here:

http://get.adobe.com/flashplayer/


--


Monday, November 17, 2014

Security Patches: OS X 10.10.1, iOS 8.1.1
& Apple TV 7.0.2

--
Intro: I get all conflicted about what to do when ordinary old security updates are released. I don't want to write a diatribe. But I should highlight their release. So I decided to just announce them as they show up, without munificent exposition or graphical profundity (unless I feel like it).

Today Apple released software updates with the following security patches:


OS X 10.10.1 Yosemite: 

APPLE-SA-2014-11-17-2 OS X Yosemite 10.10.1

OS X 10.10.1 is now available and addresses the following:

CFNetwork
Available for:  OS X Yosemite v10.10
Impact:  Website cache may not be fully cleared after leaving private browsing
Description:  A privacy issue existed where browsing data could remain in the cache after leaving private browsing. This issue was addressed through a change in caching behavior. 
CVE-ID
CVE-2014-4460

Spotlight
Available for:  OS X Yosemite v10.10
Impact:  Unnecessary information is included as part of the initial connection between Spotlight or Safari and the Spotlight Suggestions servers
Description:  The initial connection made by Spotlight or Safari to the Spotlight Suggestions servers included a user's approximate location before a user entered a query. This issue was addressed by removing this information from the initial connection and only sending the user's approximate location as part of queries. 
CVE-ID
CVE-2014-4453 : Ashkan Soltani

System Profiler About This Mac
Available for:  OS X Yosemite v10.10
Impact:  Unnecessary information is included as part of a connection to Apple to determine the system model
Description:  The request made by About This Mac to determine the model of the system and direct users to the correct help resources included unnecessary cookies. This issue was addressed by removing cookies from the connection.
CVE-ID
CVE-2014-4458 : Landon Fuller of Plausible Labs

WebKit
Available for:  OS X Yosemite v10.10
Impact:  Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description:  A use after free issue existed in the handling of page objects. This issue was addressed through improved memory management.
CVE-ID
CVE-2014-4459

iOS 8.1.1: 

APPLE-SA-2014-11-17-1 iOS 8.1.1

iOS 8.1.1 is now available and addresses the following:

CFNetwork
Available for:  iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later
Impact:  Website cache may not be fully cleared after leaving private browsing
Description:  A privacy issue existed where browsing data could remain in the cache after leaving private browsing. This issue was addressed through a change in caching behavior.
CVE-ID
CVE-2014-4460

dyld
Available for:  iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later
Impact:  A local user may be able to execute unsigned code
Description:  A state management issue existed in the handling of Mach-O executable files with overlapping segments. This issue was addressed through improved validation of segment sizes.
CVE-ID
CVE-2014-4455 : @PanguTeam

Kernel
Available for:  iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later
Impact:  A malicious application may be able to execute arbitrary code with system privileges
Description:  A validation issue existed in the handling of certain metadata fields of IOSharedDataQueue objects. This issue was addressed through relocation of the metadata.
CVE-ID
CVE-2014-4461 : @PanguTeam

Lock Screen
Available for:  iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later
Impact:  An attacker in possession of a device may exceed the maximum number of failed passcode attempts
Description:  In some circumstances, the failed passcode attempt limit was not enforced. This issue was addressed through additional enforcement of this limit.
CVE-ID
CVE-2014-4451 : Stuart Ryan of University of Technology, Sydney

Lock Screen
Available for:  iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later
Impact:  A person with physical access to the phone may be able to access photos in the Photo Library
Description:  The Leave a Message option in FaceTime may have allowed viewing and sending photos from the device. This issue was addressed through improved state management.
CVE-ID
CVE-2014-4463

Sandbox Profiles
Available for:  iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later
Impact:  A malicious application may be able to launch arbitrary binaries on a trusted device
Description:  A permissions issue existed with the debugging functionality for iOS that allowed the spawning of applications on trusted devices that were not being debugged. This was addressed by changes to debugserver's sandbox.
CVE-ID
CVE-2014-4457 : @PanguTeam

Spotlight
Available for:  iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later
Impact:  Unnecessary information is included as part of the initial connection between Spotlight or Safari and the Spotlight Suggestions servers
Description:  The initial connection made by Spotlight or Safari to the Spotlight Suggestions servers included a user's approximate location before a user entered a query. This issue was addressed by removing this information from the initial connection and only sending the user's approximate location as part of queries.
CVE-ID
CVE-2014-4453 : Ashkan Soltani

WebKit
Available for:  iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later
Impact:  Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description:  Multiple memory corruption issues existed in WebKit. These issues were addressed through improved memory handling.
CVE-ID
CVE-2014-4452
CVE-2014-4462

Apple TV 7.0.2: 
APPLE-SA-2014-11-17-3 Apple TV 7.0.2

Apple TV 7.0.2 is now available and addresses the following:

Apple TV
Available for:  Apple TV 3rd generation and later
Impact:  An attacker with a privileged network position may cause an unexpected application termination or arbitrary code execution
Description:  Multiple memory corruption issues existed in WebKit. These issues were addressed through improved memory handling.
CVE-ID
CVE-2014-4452
CVE-2014-4462

Apple TV
Available for:  Apple TV 3rd generation and later
Impact:  A local user may be able to execute unsigned code
Description:  A state management issue existed in the handling of Mach-O executable files with overlapping segments. This issue was addressed through improved validation of segment sizes.
CVE-ID
CVE-2014-4455 : @PanguTeam

Apple TV
Available for:  Apple TV 3rd generation and later
Impact:  A malicious application may be able to execute arbitrary code with system privileges
Description:  A validation issue existed in the handling of certain metadata fields of IOSharedDataQueue objects. This issue was addressed through relocation of the metadata.
CVE-ID
CVE-2014-4461 : @PanguTeam

Security documents for all Apple security patches can be found (eventually) at:


https://support.apple.com/kb/HT1222


[Happy news! Apple has revamped the Apple Security Updates page. Hopefully, this means they will be taking it more seriously in the future. That would be a good thing.]




--

Tuesday, November 11, 2014

Another MASSIVE CRITICAL
Adobe Flash / AIR Security Patch
Plus Shockwave Patch!

--

Today ('Patch Tuesday') Adobe pushed out a MASSIVE security patch for Adobe Flash (v15.0.0.223) and AIR (v15.0.0.356). They also pushed out an update to Adobe Shockwave (v12.1.4.154). Whether the Shockwave update includes an update to its outdated Flash support remains unknown. We can wish.

Here is Adobe's Security Bulletin:


http://helpx.adobe.com/security/products/flash-player/apsb14-24.html


The 18 CVEs patched:


CVE-2014-0573
CVE-2014-0574
CVE-2014-0576
CVE-2014-0577
CVE-2014-0581
CVE-2014-0582
CVE-2014-0583
CVE-2014-0584
CVE-2014-0585
CVE-2014-0586
CVE-2014-0588
CVE-2014-0589
CVE-2014-0590
CVE-2014-8437
CVE-2014-8438
CVE-2014-8440
CVE-2014-8441
CVE-2014-8442

Adobe's summary:
These updates resolve memory corruption vulnerabilities that could lead to code execution (CVE-2014-0576, CVE-2014-0581, CVE-2014-8440, CVE-2014-8441). 
These updates resolve use-after-free vulnerabilities that could lead to code execution (CVE-2014-0573, CVE-2014-0588, CVE-2014-8438). 
These updates resolve a double free vulnerability that could lead to code execution (CVE-2014-0574). 
These updates resolve type confusion vulnerabilities that could lead to code execution (CVE-2014-0577, CVE-2014-0584, CVE-2014-0585, CVE-2014-0586, CVE-2014-0590). 
These updates resolve heap buffer overflow vulnerabilities that could lead to code execution (CVE-2014-0582, CVE-2014-0589).
These updates resolve an information disclosure vulnerability that could be exploited to disclose session tokens (CVE-2014-8437).
These updates resolve a heap buffer overflow vulnerability that could be exploited to perform privilege escalation from low to medium integrity level (CVE-2014-0583). 
These updates resolve a permission issue that could be exploited to perform privilege escalation from low to medium integrity level (CVE-2014-8442).
Where to grab the updates:

https://get.adobe.com/flashplayer/

https://get.adobe.com/air/
https://get.adobe.com/shockwave/

Needless to say: 
Adobe freeware is some of the most DANGEROUS software you can install on your Mac. Just say NO unless you really need it. If you do need it, be happy that recent versions of OS X require you to update it to the latest version. But to be extra safe, use a browser extension that keeps Flash and Shockwave content OFF until you personally approve it to run.

I am so sick of Adobe's security FAIL.
:-Q*****




--

Thursday, November 6, 2014

Wirelurker Malware's Butt Gets Kicked Good!
(Free Detection Script!)

--

Early this AM the net waves were abuzz about a discovery made by Palo Alto Networks. It's OS X malware named Wirelurker (aka 'MacHook') that is capable of cross-infecting both jailbroken AND non-jailbroken iOS devices. That's a new species of malware for the Apple community. 

Topher Kessler and Thomas Reed have excellent coverage of the Wirelurker malware at their websites:

New WireLurker malware infects Mac OS X and iOS

Apple responds to 'Wirelurker' threat, revokes developer certificates

What's great is how Apple responded and stomped this thing dead in less than 24 hours!

Free Wirelurker Detection

Palo Alto Networks has provided a FREE detection script that runs in the Terminal HERE.

If you're not used to working in the Terminal, please do not attempt this script. If you ARE used to working in the Terminal, this is dirt easy. Be sure to read the README first, follow the instructions and it starts cooking, seeking Wirelurker. It will likely take a few minutes as it searches through all your applications for infection. If you've got the bug, follow the result instructions.

The Moral Of The Story

There are two olde lessons to learn from Wirelurker:

1) Don't Install Warez
If the software you're downloading and installing has been compromised, you'll be compromised too. Welcome to infection. You've been Trojaned.

2) Don't Jailbreak Your iOS Gear!
Thanks to Apple's rapid response, non-jailbroken iOS gear can no longer be infected with Wirelurker. HOWEVER, all jailbroken iOS gear is still susceptible to Wirelurker, as well as to the handful of other malware in-the-wild that targets jailbroken iOS. If you care about the security of your iOS gear, you care not for jailbreaking software.

[UPDATE!] Here is a HIGHER VOLTAGE discussion of Wirelurker from Jonathan Zdziarski, for those interested. (Italics mine):

What You Need to Know About WireLurker
It would greatly behoove Apple to address this situation with more than a certificate revocation; I’m not scared of WireLurker, but I am concerned that this technique could be weaponized in the future, and be a viable means of attack on public and private sector machines. It could easily be attached to any software download in-transit across non-encrypted HTTP, such as an Adobe Flash download or other software download. Social engineering would also help to make juicy targets out of people likely to click on links from IT departments or install software on their Mac. There are a number of potentially more dangerous uses for WireLurker, and unfortunately many of them will go unnoticed by Apple in time to revoke a certificate. It would be a much better solution to address the underlying design issues that make this possible.



--

Monday, September 29, 2014

Coverage Of:
Apple's Bash 'ShellShock' Bugs Patchfest

--
[UPDATES:
-> 2014-09-29 at 9:00 pm EDT. Some language altered. 'SCORE KEEPING!' section added.
-> 9:30 pm EDT. Updated CVE data and links in 'SCORE KEEPING!' section.
-> 2014-09-30 at 6:45 pm EDT. Added the 'FURTHER INFORMATION!' section with links to two SANS presentations on the Bash bugs. Added the 'ALERT' section with advice to server and client Mac users and a link to Rich Mogull's relevant article. Also added: A link to Adam Engst's 'How to Test Bash for Shellshock Vulnerabilities.']

ALERT: Active exploits are in-the-wild for Bash bug CVEs that have NOT yet been patched by Apple! These exploits are specific to UNIX (including OS X) servers exposed to the Internet. All admins should be applying every latest official Bash patch relevant to their servers as they are released. This is imperative. 

Client Mac users, however, generally have no major worries (as of yet). Nonetheless, here is an excellent strategy to help prevent potential exploits (with thanks to Rich Mogull):

1) Have your OS X Firewall running! Its tab is located in the Security & Privacy System Preferences pane.
2) Turn OFF Guest User access in the Users & Groups System Preferences pane.
3) Turn OFF Remote Login in the Sharing System Preferences pane.
~4) Not so critical, but useful: Check ON 'Block all incoming connections'. This setting is located in the Security & Privacy System Preferences pane, under the Firewall tab, under the 'Firewall Options' button. Note Apple's warning when you activate this setting! It will block ALL sharing services, which will itself cause problems on your LAN (local area network). If you aren't using a LAN, check it on.
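For readers who would rather verify the checklist above from the Terminal than click through System Preferences, here is an added example (my own script, not from the original post, Apple or Rich Mogull). It is read-only: it reports the state of the four settings and changes nothing. The tool paths (socketfilterfw, systemsetup, the GuestEnabled key in com.apple.loginwindow) and the rough wording of their output are assumptions about the stock OS X tools; the parser tolerates wording changes and answers "unknown" when unsure. On a non-Mac host every probe simply reports "unknown". Note that systemsetup may need to be run with sudo.

```shell
#!/bin/sh
# Added example, not from the blog post or from Apple: a read-only audit of the
# four settings in the checklist above. It reports; it never changes anything.
# Assumptions: the stock tool paths below and the rough wording of their output
# ("Firewall is enabled. (State = 1)", "Remote Login: Off", GuestEnabled = 0/1).

SFW=/usr/libexec/ApplicationFirewall/socketfilterfw

# Reduce a tool's status output to "on", "off" or "unknown".
# Pure text processing, so it can be exercised without the macOS tools present.
state_from_output() {
    case "$1" in
        0|*"State = 0"*|*": Off"*|*[Dd][Ii][Ss][Aa][Bb][Ll][Ee][Dd]*) echo off ;;
        1|*"State = 1"*|*": On"*|*[Ee][Nn][Aa][Bb][Ll][Ee][Dd]*|*"block all"*) echo on ;;
        *) echo unknown ;;
    esac
}

# Each probe prints "on", "off" or "unknown"; on a non-macOS host every tool is
# missing, so every probe says "unknown" rather than failing.
firewall_state()     { state_from_output "$("$SFW" --getglobalstate 2>/dev/null || true)"; }
block_all_state()    { state_from_output "$("$SFW" --getblockall 2>/dev/null || true)"; }
remote_login_state() { state_from_output "$(systemsetup -getremotelogin 2>/dev/null || true)"; }
guest_login_state()  { state_from_output "$(defaults read /Library/Preferences/com.apple.loginwindow GuestEnabled 2>/dev/null || true)"; }

# Compare observed states with the advice: firewall on, guest off, remote login
# off (items 1-3); block-all is only reported, since item 4 is optional.
# Returns 0 when items 1-3 all match, 1 otherwise. Takes the four states as
# arguments so the verdict logic can be tested on constructed input.
checklist_verdict() {
    fw=$1; guest=$2; remote=$3; blockall=$4
    printf '1) Firewall enabled:          %s\n' "$fw"
    printf '2) Guest user enabled:        %s\n' "$guest"
    printf '3) Remote Login enabled:      %s\n' "$remote"
    printf '4) Block all incoming (opt.): %s\n' "$blockall"
    [ "$fw" = on ] && [ "$guest" = off ] && [ "$remote" = off ]
}

# Run the audit against this machine.
audit_checklist() {
    checklist_verdict "$(firewall_state)" "$(guest_login_state)" \
                      "$(remote_login_state)" "$(block_all_state)"
}

audit_checklist && echo "Checklist items 1-3 match the advice." \
               || echo "Review the items marked off/on/unknown above."
```

Run it as `sh audit.sh` (or with `sudo` if systemsetup refuses to answer). Anything reported as "unknown" means the tool was missing or answered in wording the parser did not recognise, so check that item by hand in System Preferences.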

Welcome to the Patchfest! 

This is where I'll be listing all the Bash 'ShellShock' Bugs CVEs and Apple patches as they are released.

1) 2014-09-29, 6:30 pm:

Apple has released its FIRST patch for the Bash security bugs. It patches two out of six known and published Bash security flaws. As such, expect further Apple Bash patches in the very near future.

Here is Apple's Security Report, which includes links to the first available patches. I've added formatting and bolding to provide focus points.
APPLE-SA-2014-09-29-1 OS X bash Update 1.0
OS X bash Update 1.0 is now available and addresses the following:

Bash

Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5

Impact: In certain configurations, a remote attacker may be able to execute arbitrary shell commands

Description: An issue existed in Bash's parsing of environment variables. This issue was addressed through improved environment variable parsing by better detecting the end of the function statement.

This update also incorporated the suggested CVE-2014-7169 change, which resets the parser state.

In addition, this update added a new namespace for exported functions by creating a function decorator to prevent unintended header passthrough to Bash. The names of all environment variables that introduce function definitions are required to have a prefix "__BASH_FUNC<" and suffix ">()" to prevent unintended function passing via HTTP headers.

CVE-ID
CVE-2014-6271 : Stephane Chazelas
CVE-2014-7169 : Tavis Ormandy

OS X bash Update 1.0 may be obtained from the following webpages:
http://support.apple.com/kb/DL1767 – OS X Lion
http://support.apple.com/kb/DL1768 – OS X Mountain Lion
http://support.apple.com/kb/DL1769 – OS X Mavericks

To check that bash has been updated:
* Open Terminal
* Execute this command:
bash --version
* The version after applying this update will be:
OS X Mavericks:  GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin13)
OS X Mountain Lion:  GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin12)
OS X Lion:  GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin11)

Information will also be posted to the Apple Security Updates web site: http://support.apple.com/kb/HT1222
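Checking `bash --version` tells you the update installed; it does not show you what changed. The following added example (my own script, not from Apple's advisory or the original post) exercises the two behaviours the advisory describes: whether bash still runs a command appended to a function definition sitting in an ordinary environment variable (CVE-2014-6271), and under which name this bash now exports functions. On a Mac with the update applied, the exported name should take Apple's "__BASH_FUNC<name>()" form; a current GNU bash uses "BASH_FUNC_name%%" instead, and an unpatched bash uses the bare function name. The function names and the MARKER_RAN string are mine; the appended command is just an echo, so the check is harmless to run.

```shell
#!/bin/sh
# Added example, not from Apple's advisory or from the blog: a self-check that
# goes one step past `bash --version` by exercising the two behaviours the
# advisory says it changed. Function names and the MARKER_RAN string are mine.

# First line of `bash --version`, e.g. "GNU bash, version 3.2.53(1)-release (...)".
bash_version_line() {
    bash --version 2>/dev/null | head -n 1
}

# Does bash still run a command appended to a function definition held in an
# ordinary environment variable (CVE-2014-6271)? The variable is named "x",
# which no patched bash treats as a function, and the appended command is a
# harmless echo of a constructed marker string.
# Returns 0 = patched (marker did not run), 1 = unpatched (marker ran),
#         2 = bash not installed.
shellshock_env_check() {
    command -v bash >/dev/null 2>&1 || return 2
    out=$(env x='() { :;}; echo MARKER_RAN' bash -c 'echo probe' 2>/dev/null || true)
    case "$out" in
        *MARKER_RAN*) return 1 ;;
        *)            return 0 ;;
    esac
}

# Under which environment-variable name does this bash export a function?
# Unpatched bash used the bare name ("shellshock_probe_fn"); Apple's update
# wraps it as "__BASH_FUNC<shellshock_probe_fn>()", and current GNU bash as
# "BASH_FUNC_shellshock_probe_fn%%". Prints the name, or nothing if bash is absent.
exported_function_env_name() {
    command -v bash >/dev/null 2>&1 || return 2
    bash -c 'shellshock_probe_fn() { :; }; export -f shellshock_probe_fn; env' 2>/dev/null \
        | grep 'shellshock_probe_fn' | cut -d= -f1 | head -n 1
}

# Human-readable report, as one would run it right after installing the update.
report() {
    echo "bash:             $(bash_version_line)"
    rc=0; shellshock_env_check || rc=$?
    case "$rc" in
        0) echo "env import check: trailing command ignored (patched)" ;;
        1) echo "env import check: trailing command RAN (unpatched, CVE-2014-6271)" ;;
        *) echo "env import check: bash not installed" ;;
    esac
    echo "export namespace: $(exported_function_env_name)"
}

report
```

The first check is the same widely published one-liner that Adam Engst's page walks through; the second is the part people usually skip, and it is the one that tells you the new function namespace from the advisory is actually in effect on your machine. A bare "shellshock_probe_fn" on the last line means functions are still imported from any variable name, which is exactly the behaviour CVE-2014-6271 abuses.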
NOTE: Not all currently known Bash CVEs have been patched! The remaining CVEs must wait to be patched another day...

You can look up CVE reports using links under the 'Friends of Mac-Security' on the right of this page. But I will be providing links to CVE reports as they become known to me. Check out the 'SCORE KEEPING!' section below.

~ ~ ~ ~ ~ 

SCORE KEEPING!

[Last updated 2014-09-29 at 9:30 pm EDT]

Here is the current list of Bash bug CVEs. I'll be updating it as I learn more and as Apple patches each CVE. Note that this list is 'to the best of my knowledge'. CVEs not yet listed at NIST remain nebulous, strange and abstract in the aether, unverifiable by mere mortals on planet Earth. So don't hold me to them.

CVE-2014-6271 (√ Patched by Apple 2014-09-29)
http://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271

CVE-2014-7169 (√ Patched by Apple 2014-09-29)
http://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169

CVE-2014-6278 (Unpatched. No description. Not yet listed at NIST)
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2014-6278

~ ~ ~ ~ ~

FURTHER INFORMATION!

-> Today (2014-09-30) the SANS Institute posted and updated a 13 minute video presentation by Johannes B. Ullrich, Ph.D., about the Bash bugs situation (as of this moment). SANS offers:
- An audio presentation.
- A video presentation at YouTube with audio and slides.
- A PDF of notes.
- PowerPoint slides.
All are available HERE.

-> Wednesday (2014-10-01) at 3:00 EDT (19:00:00 UTC) SANS will be offering a 'webinar' with Johannes Ullrich and Chris Wysopal. It is entitled "Shell Shock - What you need to know." Here is the notification they sent out on Tuesday afternoon:


***************  Sponsored By Veracode  ***************

Shell Shock - What you need to know:
Wednesday, October 01 at 3:00 PM EDT (19:00:00 UTC) - There is speculation that Shellshock, the latest vulnerability in a long line of major discoveries, will be more catastrophic than Heartbleed. During this webinar, Johannes Ullrich, SANS and Chris Wysopal, co-founder and CTO of Veracode, will outline what you need to know about Shellshock. They will also explain how you can respond to this specific vulnerability and what you can do to prepare for the inevitable future vulnerability discoveries.


************************************************************

-> Adam Engst of TidBITS has created a great page entitled "How To Test Bash for Shellshock Vulnerabilities". It is an elaboration upon the work on my Bash coverage here. He will be updating it if/when further Bash CVEs are made public. Thank you Adam!

I wrote to Adam Engst tonight about what a terrific gestalt of helpful people we have within the Mac community, including himself and Rich Mogull. Links to a lot of other helpful Mac gestalt members are listed under 'Friends of Mac-Security' on the right of this page.

Share and Enjoy,


:-Derek
--

Ongoing Crazy Security Issues:
Nothing Much And Too Much To Say

--

INTRODUCTION

There are a great many computer security issues going on these days. The increase in ongoing security issues over this past spring and summer could be called an ongoing explosion of mushroom cloud proportions. The number of ongoing issues is quite literally overwhelming. As a computer security watcher, researcher, analyzer, commentator and teacher, I'm intimidated by having so much to comprehend.

Should I be writing about all of this within the context of this, my Macintosh Security blog?

Because of my manifesto for this blog, my answer is no. I wish to write here only about issues that are directly dangerous to Apple computer users. I also wish to write articles that provide useful information, summaries and teaching for Apple computer users. I have no interest in being redundant to other people's blog work on the Internet, except in an effort to bring their work to the attention of others. I also aim what I write here at average Apple computer users. My goal is to take the complicated and translate it into information that can be both comprehended and used by average Apple computer users. Let folks like me comb through the, frankly, chaotic world of geek-level information and summarize it down into something readable by mere humans.


WHAT TO SAY WHEN THERE'S NOTHING MUCH AND TOO MUCH TO SAY

Without directly helpful information to share, despite the exploding mushroom cloud of ongoing computer security issues, I say nothing. I do this because I despise FUD! Needless FEAR, UNCERTAINTY and DOUBT are worthless. They're used as methods of manipulation and propaganda. These nasty tools are used to drive us humans into a state of despair and desperation, what I call 'Desperation Mode', whereby we blunder our way into actions that suit the manifestos of the scum humans who are manipulating us. I have zero interest in playing these self-destructive, disrespectful games.

Therefore, when the only effect of my writing would be to create FUD, I don't write. I'm very happy to rip the mask off FUD! I'm pleased when I can point out and satirize FUD. But I never see a point in messing up others by making my own FUD.

However, I believe it is useful to at least point out what's going on in the background while I wait for something useful to provide here in the blog. There's nothing much to say, but here's what's cooking:


WHAT'S COOKING ON THE APPLE COMPUTER SECURITY STOVE?

It's difficult to create a priority list regarding these subjects. What's more important? What's a more imminent problem? So I'm not going to bother. I'm simply going to list them as I see fit in the moment.


Oracle's Internet Browser Java Plug-in:

Java remains the single most dangerous software you can run via the Internet. If you don't need to, then don't. Uninstall the Java Plug-in. Only install the Java plug-in if you run into a website that requires you to use it. Even then, use Java security features in your web browsers as well as Java security add-ons. Apple has made the most recent versions of Safari extremely safe against abusive Java code. It's not perfect. Using the features can be intimidating and dysfunctional. But they are entirely worth using. I strongly suggest reading up on Safari's new Java control preference features as well as similar features in other browsers. I may provide my own write-up about these settings in the future.

One good change I can point to is Oracle's ongoing effort to babysit Java by informing users when their installed version of the Java Plug-in is out-of-date. This is no substitute for the sandboxing of Java, as was originally intended by Java's creator, Sun Microsystems. But it's better than letting the nasty little brat Java run around without a nanny to swat it when it's being naughty.


Adobe's Reader, Flash, AIR and Shockwave software:

Adobe's Internet freeware remains the second most dangerous software you can run on the Internet. If you don't need to use it, then don't. Instead, uninstall it. Only install Adobe's freeware if you run into a website that requires you to use it. Even then, use Adobe plug-in security features in your web browsers as well as Adobe plug-in security add-ons. At this point, these features are no longer intimidating or dysfunctional. In general, they work quite well and are entirely worth using! Read up on the Adobe plug-in control preference features available within web browsers if you have questions about what they're doing.

I personally cannot stand the invasiveness of Adobe's update notification and installation features. Instead, as an advanced Mac user, I keep up with available updates on my own. Doing the same is a lot to ask of average Mac users. Therefore, it may well be best to allow Adobe's root level Launch Agent to run on your system so it can help keep you up-to-date. It's up to the user to choose what to do. Adobe's update notification is available in their installers if you'd like to use it.


Heartbleed Bug:

I've written up a couple articles about the dangerous and ongoing problems with old implementations of OpenSSL. This problem is going to live on for years, not kidding. It's entirely curable! However, oblivious, careless and lazy server administrators aren't bothering. Therefore, this problem periodically does damage. There are now convenient hacker tools to take advantage of Heartbleed. They are scripted. You get them running, walk away, come back later and analyze the successfully harvested data. There are also analysis tools to help hackers patch together the 64-bit chunks of harvested data into a completed puzzle. If that puzzle contains exploitable user data, it is either exploited by the hacker or posted online for sale to crooks. The exploitable data can include anything from your mother's maiden name to a victim's card numbers and PIN.

Every single Internet server containing the Heartbleed Bug has now been documented. If an Internet server administrator does not know if their server is exploitable, they should be fired or sued in civil court. I strongly expect such lawsuits to begin appearing this coming year. It's all about responsibility.


Bash Shell 'ShellShock' Bugfest:

This is, for the moment, a dangerous problem for those running OS X servers that are directly exposed to the Internet. If you're behind a router, you are probably safe in the short term. I know full well that eventually there will be PWNing ('owning', taking over or zombieing) of routers and OS X client users. I'll address those exploits if or when they become evident. For now, only OS X Internet servers are at risk.

Describing this problem is a challenge because in and of itself it is turning into a mushroom cloud of security flaws. I'll simply say that Bash (Bourne-again shell) is a UNIX shell used by OS X, OS X applications and OS X users to access CLI (character line interface) applications that are installed in the OS X system. It is old, poorly vetted, incredibly insecure software. Oddly, its numerous security flaws were unknown, at least in public, for many years. Over the past few days, the report of one single security bug in Bash has led to the revelation that Bash has an undetermined plethora of security bugs. So far, I know of two security updates for Bash that have been made available over the past few days. But they do NOT solve the ongoing revelations of further security flaws.

The result is that Bash itself is not fit for use on servers exposed to the Internet. What follows, at the moment, is a debate and study of three options:

1) Playing 'whack-a-mole' by daily patching Bash as each new security flaw is discovered.
OR
2) Using an adequate replacement of the Bash shell.
OR
3) Taking affected servers OFF the Internet until a full and final solution is developed.

Meanwhile: Bash Internet exploit tools have already been made available to hackers, and they're being used.

Replacing Apple's installed version of the Bash shell is a huge PITA unless you understand exactly why and what you're doing. I cannot recommend bothering with it unless you're an advanced user who knows how to use the CLI to run their Mac. It is such a huge PITA that I have consistently run into Mac computer geeks who have posted WRONG and INCOMPLETE instructions for replacing Apple's Bash shell. When the geeks can't get it right, no way should average Mac users touch it.

Thankfully, as I indicated above, no average Mac users need bother to worry about the Bash shell security flaws affecting their computer. Only OS X server administrators need worry about it, for now. This may well change! If the Bash problems aren't solved in a hurry, there will no doubt be related attacks on average users' routers and Trojan horses to abuse their Macs, if not outright PWN them. That's a worry for another day, if it happens at all. Meanwhile, we sit and wait for the experts to thrash through the Bash source code and clean up the potentially catastrophic mess buried therein.

There are piles of ongoing, constantly going out-of-date articles about the Bash ShellShock bugs. Keeping up will drive you nuts. If you're that kind of person, be sure to read only the most up-to-date articles AND be sure to read from a variety of sources. That's the only way to know what's actually going on at-the-moment. Bash analysis is constantly revealing new problems. New exploits are constantly showing up on the net.

Here's one very good overview, for today anyway, of the Bash ShellShock bugfest, posted by Intego:

http://www.intego.com/mac-security-blog/shellshock-vulnerability-what-mac-os-x-users-need-to-know/


Retail POS POS Device Malware:

"POS" has two meanings relevant to this problem. The first meaning is 'Point Of Sale', regarding devices that are used to collect customer payment data, be they Chip and PIN card readers or magnetic stripe card readers. (To be clear, if a POS device has this problem, using Chip and PIN solves nothing-at-all. Don't be fooled by claims to the contrary). The second meaning is a deliberate punning obscenity which I'll leave you to translate. I use this obscenity because these devices are an obscenity of bad technology.

This is another curable security problem that lazy, stupid, cheap retailers are NOT patching. The stupidity involved is stunning and beyond comprehension. From my point of view, this catastrophe fits perfectly into my concepts of 'bad biznizz'. These are companies who literally don't give a rat's about their customers, to say the least, to state the obvious. They don't know how to run their businesses. They are distinctly anti-capitalist in their attitudes and their obliviousness. I'd like to be kind and say that these companies may only, innocently, be ignorant of the technology they're using to enable their businesses. But that is NOT the case. They know exactly what technology they're using and they are making the choice to IGNORE the requirements of owning and using that technology.

I've previously written about the source of this problem. My quick summary is this:
1) These devices use Windows XP Embedded as their operating system.
2) Windows XP exposes all collected data in-the-clear (having no encryption) in RAM on these machines.
3) Hackers on the Internet search for and find routes by which they are able to BOT (aka PWN) all the POS devices networked within the victim company. They also BOT at least one node server computer within the same network.
4) The malware installed on these machines lies in wait, watching all the data revealed in RAM, then sends that data off to a server node within the network of the infected company. The collected data is then sent over the Internet to the hacker bot wranglers out on the Internet.
5) The collected data is then analyzed. Personal data is extracted. This data includes everything read into the retail POS devices, including card numbers and PIN numbers. (Yes, this includes Chip and PIN card data).
6) This personal data is then either used or sold on the Internet to crooks.

After the initial catastrophic revelations of this problem, (thank you Target, Neiman Marcus, ad nauseam), security updates were provided by Microsoft to update these archaic Windows XP Embedded devices. The updates did NOT solve the problem of in-the-clear exposure of personal data in RAM. They won't be able to solve that problem! But these patches have at least been swatting at each specific variant of malware being used to PWN these POS devices.

Except, a great many companies are NOT updating their POS devices. This is inexcusable. This is irresponsible. This constitutes customer abuse, as future court cases will no doubt prove. And of course, this is bad biznizz. The biggest recent new revelation of PWNed POS devices and the subsequent sales of customer personal data over the Internet, has come from the willfully stupid company Home Depot. The latest figure I have read is that Home Depot literally gave away 56 MILLION customer card accounts. Unforgivable.

New revelations of retail POS POS device PWNing are happening at an incredible rate. These revelations are not stopping. The number of worthless companies who are ignoring this problem is incomprehensible. Everyone loses, from the companies to the banks to the disrespected customers. The only winners are the hacker crooks. And yet this problem is NOT abating.

Obviously, this problem has no direct impact on Apple computer users. It does impact every credit and debit card user, many of whom are Apple computer users. Therefore, it's relevant here at this blog. Expect more of this curable security nightmare well on into the future.

The ultimate solution to in-the-clear data in RAM is end-to-end encryption. We're going to be hearing references to this concept also well on into the future, until such time as it becomes the DEFAULT in the retail industry. And again: Chip and PIN cards do NOT solve this problem. They have nothing to do with it. Magnetic stripe cards have nothing to do with it. Insecure POS devices and bad biznizziz are the problem.


And so forth...

The above are the big ongoing problems. There are smaller problems as well, the most prominent of which is:

ADWARE. My colleague Thomas Reed is brilliantly covering the adware problem and has created a detection and removal tool AdwareMedic which I highly recommend! I've been a beta-tester for Thomas's adware tool and have been thoroughly impressed. If you've been the victim of adware, head over to Thomas' The Safe Mac website for both documentation and the solution. Bravo Thomas!

Thomas's The Safe Mac website covers many Apple computer security issues that I don't. I'd check out Thomas's site side-by-side with mine. Thomas maintains what we both consider the definitive list of both old and new Mac malware. Because Thomas and I belong to a great group of malware researchers and writers created by Mark Allen, the creator of the terrific ClamXav anti-malware, many of us on the Internet are coordinating our work and publications. You'll find all of these colleagues listed on the right side of this page under 'Friends of Mac-Security'. I recommend the work of all of them.

For malware detection and removal I recommend that all Mac users check out and support ClamXav. It's donationware, free to download and use, and well worth installing on every Mac. It finds and removes the vast majority of not only Mac malware, but also Windows and Linux malware. It's a gem of the Mac community. ClamXav is available from the Apple App Store. I strongly suggest instead downloading it directly from Mark's ClamXav website, as that version includes efficient, non-invasive real-time malware scanning. This feature means you can automatically scan every file you download from the Internet. If you wish, you can aim ClamXav's real-time scanning specifically at your Downloads folder, a terrific way to catch Trojan horses and break the social engineering of malware rats. (Unfortunately, at this time Apple does not allow real-time scanning in apps offered at the App Store).

There are a number of excellent commercial anti-malware programs. My personal favorites are from Intego and Sophos. Many people prefer anti-malware from F-Secure and Avast. (I would have put Kaspersky AV in this list. But Eugene Kaspersky's outrageous Mac security FUD mongering on his blog this week killed my enthusiasm dead. What a shill! What a Symantec-clone!)

[Update 2014-10-28: I added Avast to the preferred list above. My apologies for not putting it there in the first place. A good friend of mine considers Avast to have the best free anti-malware application available. My blunder: Confusing it with another free anti-malware app that was infesting victims with adware.]

There are also some awful anti-malware programs. I personally suggest staying away from Symantec's Norton™ AntiVirus, PCTools iAntiVirus, and MacKeeper. I've found these applications to generally be inadequate, buggy, out-of-date or outright abusive to users.

For detecting both legal and illegal spyware, any of the recommended commercial anti-malware programs can be useful. The MacScan shareware application specifically targets spyware. However, I have never been impressed by the thoroughness of its scans. Therefore, if you believe it might be useful, be sure to test it before buying it.

As usual, the very best overall advice I can offer is to:

1) Make A Backup! It's the #1 Rule of Computing. If you don't backup, you deserve what you get.
2) Keep Up-To-Date! This is particularly important for Apple software.
3) Before You Update OS X, be sure to:

  • Repair your boot volume.
  • Repair your boot volume's permissions.

(Yes, repair your permissions. It's not crucial, but it can be extremely useful).


Thus ends today's mind dump.

I hope you find this useful, versus merely mind-numbing.

:-Derek


Friday, August 22, 2014

What Life's Like On The Other Side:
Fragmandroid Illustrated

--

I've never been one to start computer warz, only to satirize them and righteously defend Apple when they deserve it. But I saw this graphic today and have to share it. Warning: It's nauseating.

This isn't the latest in boring modern art demonstration of how to paint a rectangle. This is a graphic showing the fragmentation of Google's Android operating system, per device. Click to view the graphic in its full incredible gory.

Google let this happen. Damn them.

And there's lots MORE. You'll find further interactive graphics and explanation over at OpenSignal's brilliant article:


As I posted over at MacDailyNews' summary article on the subject, pointedly in Google's direction:

OMF: How did you allow this to happen Google? HOW?

Smugness your way out of this catastrophe of technology. Nausea provoking. A rat’s nest of insecurity.

Thank you OpenSignal for so elegantly and blatantly pointing out what life's like on the other side. There's not much green over that hill! Good gawd.

Meanwhile, here's the iOS situation in comparison to versions of Android in the wild:


What is there to say?
Except, hurray for iOS.
--


Wednesday, August 13, 2014

CRITICAL New Adobe and Apple Updates:
Adobe Flash, Adobe AIR and Apple Safari

--

Both Apple and Adobe have provided critical updates this week:

I. ADOBE UPDATES

Adobe Flash v14.0.0.176
Adobe AIR v14.0.0.178

Adobe released 'second Tuesday of the month' updates for Adobe Reader, Adobe Flash and Adobe AIR. Both Flash and AIR include CRITICAL security updates for OS X users.

Adobe's security bulletin for Flash and AIR can be found HERE.

These updates resolve memory leakage vulnerabilities that could be used to bypass memory address randomization (CVE-2014-0540, CVE-2014-0542, CVE-2014-0543, CVE-2014-0544, CVE-2014-0545). These updates resolve a security bypass vulnerability (CVE-2014-0541). These updates resolve a use-after-free vulnerability that could lead to code execution (CVE-2014-0538).
Keep in mind that every security update of Flash means there is also a security update of AIR.


II. APPLE UPDATES

Apple Safari v6.1.6
Apple Safari v7.0.6

Both updates are available using "Software Update" in the Apple menu of OS X. Quoting from Apple's security content documentation for the updates: 
WebKit

Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.4

Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution

Description: Multiple memory corruption issues existed in WebKit. These issues were addressed through improved memory handling.
IOW: The usual bad memory management security holes, the curse of contemporary coding. I'm hoping that Apple's new Swift programming language will end this trend.

The CVEs patched are: 

CVE-2014-1384
CVE-2014-1385
CVE-2014-1386
CVE-2014-1387
CVE-2014-1388
CVE-2014-1389
CVE-2014-1390

* You can check out CVEs (Common Vulnerabilities and Exposures) using the "CVE Search" link on the right of this page.

--

Wednesday, August 6, 2014

Upcoming Changes In Apple's Gatekeeper Security

--

Apple started providing 'Gatekeeper' with OS X 10.7.x. You can see its settings in the Security & Privacy preference pane, under the General tab.


It's a bad idea to have it set to allow applications from 'Anywhere'. Don't do that! But I find it too restrictive to only download from the Mac App Store. I continue to use many wonderful apps that are never going to be available directly from Apple. Therefore, I personally prefer to leave Gatekeeper set to allow apps from the "Mac App Store and identified developers."

What's changing in the OS X Mavericks 10.9.5 update as well as 10.10 Yosemite is further scrutiny of the "identified developers." The GUI for Gatekeeper will remain the same. But developers are going to have to take an extra step with their applications in order to allow their security certificates to get past the 'Gatekeeper'. Users may well find that many previously 'identified' application security certificates won't pass muster and will cause OS X to reject them.

You can read the gory details in Apple's Technical Note TN2206: OS X Code Signing In Depth. Skip ahead through the document to the section heading Changes in OS X 10.9.5 and Yosemite Developer Preview 5.
If your team is using an older version of OS X to build your code, re-sign your app using OS X version 10.9 or later using the codesign tool to create version 2 signatures. Apps signed with version 2 signatures will work on older versions of OS X….  
Important: To ensure your current and upcoming releases work properly with Gatekeeper, test on OS X version 10.10 (Seed 5 or later) and OS X version 10.9.5.
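Here is an added example, not from this blog or from Apple's TN2206, of checking what that note asks for: a script that reads codesign's details for an app bundle, decides whether it carries a version 2 signature under a Developer ID certificate, and then asks Gatekeeper itself via spctl. The bundle path, the constructed sample codesign output and the team id in it are assumptions.

```bash
#!/bin/bash
# Added example, not from the blog or from Apple's TN2206: decide whether an
# app bundle carries the version 2 signature that 10.9.5/Yosemite Gatekeeper
# expects, then ask Gatekeeper itself. Needs macOS with codesign(1) and
# spctl(8) for check_app; the parsing helpers run anywhere for testing.

# Extract the sealed-resources version from `codesign -d --verbose=4` output.
# Prints the number (2 for a version 2 signature) or "none" if absent.
sealed_resources_version() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^Sealed Resources version=\([0-9][0-9]*\).*/\1/p' | head -n 1)
    if [ -n "$ver" ]; then printf '%s\n' "$ver"; else echo none; fi
}

# Does the certificate chain include a Developer ID Application certificate?
has_developer_id_authority() {
    if printf '%s\n' "$1" | grep -q '^Authority=Developer ID Application:'; then
        echo yes
    else
        echo no
    fi
}

# Verdict: "ok" (Developer ID + v2), "resign" (Developer ID but v1 or no
# sealed resources, so re-sign on 10.9+), "unsigned-or-adhoc" otherwise.
signature_verdict() {
    if [ "$(has_developer_id_authority "$1")" != yes ]; then
        echo unsigned-or-adhoc
    elif [ "$(sealed_resources_version "$1")" = 2 ]; then
        echo ok
    else
        echo resign
    fi
}

# Run the real tools against a bundle. Usage: check_app /Applications/Foo.app
check_app() {
    app=$1
    # codesign prints its details on stderr, so merge it into stdout
    details=$(codesign -d --verbose=4 "$app" 2>&1)
    printf '%s: %s (sealed resources version %s)\n' "$app" \
        "$(signature_verdict "$details")" "$(sealed_resources_version "$details")"
    # Gatekeeper's own answer; TN2206 says to test this on 10.9.5 and 10.10
    spctl --assess --type execute --verbose=4 "$app"
    # Strict verification also rejects bundles whose resources were altered
    codesign --verify --deep --strict --verbose=2 "$app"
}

# Constructed sample of codesign output (not captured from a real app), in the
# tool's real line format, so the helpers can be exercised without macOS.
SAMPLE_V2='Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.app
Authority=Developer ID Application: Example Corp (TEAMID0000)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Sealed Resources version=2 rules=13 files=42'

# With a bundle path as the first argument, check it; otherwise only define helpers.
if [ -n "${1:-}" ]; then check_app "$1"; fi
```

A bundle that reports "resign" was signed on an older OS X and needs re-signing with codesign on 10.9 or later, exactly as the quoted note says.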
There are several articles discussing this change. Here is one, cited over at MacDailyNews, from Richard Mallion at the AmSys blog in the UK:

Gatekeeper changes coming

:-Derek