Monday, September 29, 2014

Coverage Of:
Apple's Bash 'ShellShock' Bugs Patchfest

--
[UPDATES:
-> 2014-09-29 at 9:00 pm EDT. Some language altered. 'SCORE KEEPING!' section added.
-> 9:30 pm EDT. Updated CVE data and links in 'SCORE KEEPING!' section.
-> 2014-09-30 at 6:45 pm EDT. Added the 'FURTHER INFORMATION!' section with links to two SANS presentations on the Bash bugs. Added the 'ALERT' section with advice to server and client Mac users and a link to Rich Mogul's relevant article. Also added: A link to Adam Engst's 'How to Test Bash for Shellshock Vulnerabilities.']

ALERT: Active exploits are in-the-wild for Bash bug CVEs that have NOT yet been patched by Apple! These exploits are specific to UNIX (including OS X) servers exposed to the Internet. All admins should be applying every latest official Bash patch relevant to their servers as they are released. This is imperative. 

Client Mac users, however, generally have no major worries (as of yet). Nonetheless, here is an excellent strategy to help prevent potential exploits (with thanks to Rich Mogul):

1) Have your OS X Firewall running! Its tab is located in the Security & Privacy System Preferences pane.
2) Turn OFF Guest User access in the Users & Groups System Preferences pane.
3) Turn OFF Remote Login in the Sharing System Preferences pane.
~4) Not so critical, but useful: Check ON 'Block all incoming connections'. This setting is located in the Security & Privacy System Preferences pane, under the Firewall tab, under the 'Firewall Option' button. Note Apple's warning when you activate this setting! It will block ALL sharing services, which will itself cause problems on your LAN (local area network). If you aren't using a LAN, check it on.

Welcome to the Patchfest! 

This is where I'll be listing all the Bash 'ShellShock' Bugs CVEs and Apple patches as they are released.

1) 2014-09-29, 6:30 pm:

Apple has released its FIRST patch for the Bash security bugs. It patches two out of six known and published Bash security flaws. As such, expect further Apple Bash patchs in the very near future.

Here is Apple's Security Report, which includes links to the first available patches. I've added formatting and bolding to provide focus points.
APPLE-SA-2014-09-29-1 OS X bash Update 1.0
OS X bash Update 1.0 is now available and addresses the following:

Bash

Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5,  OS X Mavericks v10.9.5

Impact: In certain configurations, a remote attacker may be able to execute arbitrary  shell commands

Description: An issue existed in Bash's parsing of environment variables. This issue was  addressed through improved environment variable parsing by better detecting the end of  the function statement.

This update also incorporated the suggested CVE-2014-7169 change, which resets the  parser state.

In addition, this update added a new namespace for exported functions by creating a  function decorator to prevent unintended header passthrough to Bash. The names of all  environment variables that introduce function definitions are required to have a  prefix "__BASH_FUNC<" and suffix ">()" to prevent unintended function passing via  HTTP headers.

CVE-ID
CVE-2014-6271 : Stephane Chazelas
CVE-2014-7169 : Tavis Ormandy

OS X bash Update 1.0 may be obtained from the following webpages:
http://support.apple.com/kb/DL1767 – OS X Lion
http://support.apple.com/kb/DL1768 – OS X Mountain Lion
http://support.apple.com/kb/DL1769 – OS X Mavericks

To check that bash has been updated:
* Open Terminal
* Execute this command:
bash --version
* The version after applying this update will be:
OS X Mavericks:  GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin13)
OS X Mountain Lion:  GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin12)
OS X Lion:  GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin11)

Information will also be posted to the Apple Security Updates web site: http://support.apple.com/kb/HT1222
NOTE: Not all currently knows Bash CVEs have been patched! The remaining CVEs must wait to be patched another day...

You can look up CVE reports using links under the 'Friends of Mac-Security' on the right of this page. But I will be providing links to CVE reports as the become known to me. Check out the 'SCORE KEEPING!' section below.

~ ~ ~ ~ ~ 

SCORE KEEPING!

[Last updated 2014-09-29 at 9:30 pm EDT]

Here is the current list of Bash bug CVEs. I'll be updating it as I learn more and as Apple patches each CVE. Note that this list is 'to the best of my knowledge'. CVEs not yet listed at NIST remain nebulous, strange and abstract in the aether, unverifiable by mere mortals on planet Earth. So don't hold me to them.

CVE-2014-6271 (√ Patched by Apple 2014-09-29)
http://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271

CVE-2014-7169 (√ Patched by Apple 2014-09-29)
http://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169

CVE-2014-6278 (Unpatched. No description. Not yet listed at NIST)
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2014-6278

~ ~ ~ ~ ~

FURTHER INFORMATION!

-> Today (2014-09-30) the SANS Institute posted and updated a 13 minute video presentation by Johannes B. Ullrich, Ph.D., about the Bash bugs situation (as of this moment). SANS offer:
- An audio presentation.
- A video presentation at YouTube with audio and slides.
- A PDF of notes.
- PowerPoint slides.
All are available HERE.

-> Wednesday (2014-10-01) at 3:00 EDT (19:00:00 UTC) SANS will be offering a 'webinar' with Johannes Ullrich and Chris Wysopal. It is entitled "Shell Shock - What you need to know." Here is the notification they sent out on Tuesday afternoon:


***************  Sponsored By Veracode  ***************

Shell Shock - What you need to know:
Wednesday, October 01 at 3:00 PM EDT (19:00:00 UTC) - There is speculation that Shellshock, the latest vulnerability in a long line of major discoveries, will be more catastrophic than Heartbleed. During this webinar, Johannes Ullrich, SANS and Chris Wysopal, co-founder and CTO of Veracode, will outline what you need to know about Shellshock. They will also explain how you can respond to this specific vulnerability and what you can do to prepare for the inevitable future vulnerability discoveries.


************************************************************

-> Adam Engst of TidBITS has created a great page entitled "How To Test Bash for Shellshock Vulnerabilities". It is an elaboration upon the work on my Bash coverage here. He will be updating it if/when further Bash CVEs are made public. Thank you Adam!

I wrote to Adam Engst tonight about what a terrific gestalt of helpful people we have within the Mac community, including himself and Rich Mogul. Links to a lot of other helpful Mac gestalt members are listed under 'Friends of Mac-Security' on the right of this page.

Share and Enjoy,


:-Derek
--

Ongoing Crazy Security Issues:
Nothing Much And Too Much To Say

--

INTRODUCTION

There are a great many computer security issues going on these days. The increase in ongoing security issues over this past spring and summer could be called an ongoing explosion of mushroom cloud proportions. The number of ongoing issues is quite literally overwhelming. As a computer security watcher, researcher, analyzer, commentator and teacher, I'm intimidated by having so much to comprehend.

Should I be writing about all of this within the context of this my Macintosh Security blog?

Because of my manifesto for this blog, my answer is no. I wish to write here only about directly dangerous issues to Apple computer users. I also wish to write articles that provide useful information, summaries and teaching Apple computer users. I have no interest in being redundant to other people's blog work on the Internet, except in an effort to bring their work to the attention of others. I also focus what I write here at average Apple computer users. My goal is to take the complicated and translate it into information that can be both comprehended and used by average Apple computer users. Let folks like me comb through the, frankly chaotic, world of geek level information and summarize it down into something readable by mere humans.


WHAT TO SAY WHEN THERE'S NOTHING MUCH AND TOO MUCH TO SAY

Without directly helpful information to share, despite the exploding mushroom cloud of ongoing computer security issues, I say nothing. I do this because I despise FUD! Needless FEAR, UNCERTAINTY and DOUBT are worthless. They're used a methods of manipulation and propaganda. These nasty tools are used to drive we humans into a state of despair and desperation, what I call 'Desperation Mode' whereby we will blunder our way into actions that suit the manifestos of the scum humans who are manipulating them. I have zero interest in playing these self-destructive, disrespectful games.

Therefore, when the only affect of my writing would be to create FUD, I don't write. I'm very happy to rip the mask off off FUD! I'm pleased when I can point out and satirize FUD. But I never see a point in messing up others by making my own FUD.

However, I believe it is useful to at least point out what's going on in the background while I wait for something useful to provide here in the blog. There's nothing much to say, but here's what's cooking:


WHAT COOKING ON THE APPLE COMPUTER SECURITY STOVE?

It's difficult to create a priority list regarding these subjects. What's more important? What's a more imminent problem? So I'm not going to bother. I'm simply going to list them as I see fit in the moment.


Oracle's Internet Browser Java Plug-in:

Java remains the single most dangerous software you can run via the Internet. If you don't need to, then don't. Uninstall the Java Plug-in. Only install the Java plug-in if you run into a website that requires you to use it. Even then, use Java security features in your web browsers as well as Java security add-ons. Apple has made the most recent versions of Safari extremely save against abusive Java code. It's not perfect. Using the features can be intimidating and dysfunctional. But they are entirely worth using. I strongly suggest reading up on Safari's new Java control preference features as well as similar features in other browsers. I may provide my own write up about these settings in the future.

One good change I can point to is Oracle's ongoing efforts to babysit Java by informing users when their installed version of the Java Plug-in is out-of-date. This is no substitute of the sandboxing of Java, as was originally intended by Java's creators Sun Microsystems. But's it's better than letting nasty little brat Java run around without a nanny to swat it when it's being naughty.


Adobe's Reader, Flash, AIR and Shockwave software:

Adobe's Internet freeware remains the second most dangerous software you can run on the Internet. If you don't need to use it, then don't. Instead, uninstall it. Only install Adobe's freeware if you run into website that requires you to us it. Even then, use Adobe plug-in security features in your web browsers as well as Adobe plug-in security add-ons. At this point, these features are no longer intimidating or dysfunctional. In general, they work quite well and are entirely worth using! Read up on the Adobe plug-in control preference features available within web browsers if you have questions about what they're doing.

I personally cannot stand the invasiveness of Adobe's update notification and installation features. Instead, as an advanced Mac user, I keep up with available updates on my own. Doing the same is a lot to ask of average Mac users. Therefore, it may well be best to allow Adobe's root level Launch Agent to run on your system so it can help keep you up-to-date. It's up to the user to choose what to do. Adobe's update notification is available in their installers if you'd like to use it.


Heartbleed Bug:

I've written up a couple articles about the dangerous and ongoing problems with old implementations of OpenSSL. This problem is going to live on for years, not kidding. It's entirely curable! However, oblivious, careless and lazy server administrators aren't bothering. Therefore, this problem periodically does damage. There are now convenient hacker tools to take advantage of Heartbleed. They are scripted. You get them running, walk away, come back later and analyze the successfully harvested data. There are also analysis tools to help hackers patch together the 64-bit chunks of harvested data into a completed puzzle. If that puzzle contains exploitable user data, it is either exploited by the hacker or posted online for sale to crooks. The exploitable data can include anything from your mother's maiden name to a victim's card numbers and PIN.

Every single Internet server containing the Heartbleed Bug has now been documented. If an Internet server administrator does not know if their server is exploitable, they should be fired or sued in civil court. I strongly expect such lawsuits to begin appearing this coming year. It's all about responsibility.


Bash Shell 'ShellShock' Bugfest:

This is, for the moment, a dangerous problem for those running OS X server's that are directly exposed to the Internet. If you're behind a router, you are probably safe in the short term. I know full well that eventually there will be PWNing ('owning', taking over or zombieing) of routers and OS X client users. I'll address those exploits if or when they become evident. For now, only OS X Internet servers are at risk.

Describing this problem is a challenge because in and of itself it is turning into a mushroom cloud of security flaws. I'll simply say that Bash (Bourne-again shell) is a UNIX shell used by OS X, OS X applications and OS X users to access CLI (character line interface) applications that are installed in the OS X system. It is old, poorly vetted, incredibly insecure software. Oddly, its numerous security flaws were unknown, at least in public, for many years. Over the past few days, the report of one single security bug in Bash has lead to the revelation that Bash has an undetermined plethora of security bugs. So far, I know of two security updates for Bash that have been made available over the past few days. But they do NOT solve the ongoing revelations of further security flaws.

The result is that Bash itself is not fit for use on servers exposed to the Internet. The result, at the moment, is a debate and study of either:

1) Playing 'whack-a-mole' by daily patching Bash as each new security flaw is discovered.
OR
2) Using an adequate replacement of the Bash shell.
OR
3) Taking affected servers OFF the Internet until a full and final solution is developed.

Meanwhile: Bash Internet exploit tools have already been made available to hackers, and they're being used.

Replacing Apple's installed version of the Bash shell is a huge PITA unless you understand exactly why and what you're doing. I cannot recommend bothering with it unless you're an advanced user who knows how to use the CLI to run their Mac. It is such a huge PITA the I have consistently run into Mac computer geeks who have posted WRONG and INCOMPLETE instructions for replacing Apple's Bash shell. When the geeks can't get it right, no way should average Mac users touch it.

Thankfully, as I indicated above, no average Mac users need bother to worry about the Bash shell security flaws affecting their computer. Only OS X server administrators need worry about it, for now. This may well change! If the Bash problems aren't solved in a hurry, there will no doubt be related attacks on average user's routers and Trojan horses to abuse their Macs, if not outright PWN them. That's a worry for another day, if it happens at all. Meanwhile, we sit and wait for the experts to thrash through the Bash source code and clean up the potentially catastrophic mess buried therein.

There are piles of ongoing, constantly going out-of-date articles about the Bash ShellShock bugs. Keeping up will drive you nuts. If you're that kind of person, be sure to read only the most up-to-date articles AND be sure to read from a variety of sources. That's the only way to know what's actually going on at-the-moment. Bash analysis is constantly revealing new problems. New exploits are constantly showing up on the net.

Here's one very good overview, for today anyway, of the Bash ShellShock bugfest, posted by Intego:

http://www.intego.com/mac-security-blog/shellshock-vulnerability-what-mac-os-x-users-need-to-know/


Retail POS POS Device Malware:

"POS" has two meanings relevant to this problem. The first meaning is 'Point Of Sale' regarding devices that are used to collect customer payment data, be they Chip and PIN card readers or magnetic strip card readers. (To be clear, if a POS device has this problem, using Chip and PIN solves nothing-at-all. Don't be fooled by claims to the contrary). The second meaning is an deliberate punning obscenity which I'll leave you to translate. I use this obscenity because these devices are an obscenity of bad technology.

This is another curable security problem that lazy, stupid, cheap retailers are NOT patching. The stupidity involved is stunning and beyond comprehension. From my point of view, this catastrophe fits perfectly into my concepts of 'bad biznizz'. These are companies who literally don't give a rat's about their customers, to say the least, to state the obvious. They don't know how to run their businesses. They are distinctly anti-capitalist in their attitudes and their obliviousness. I'd like to be kind and say that these companies may only, innocently, be ignorant of the technology they're using to enable their businesses. But that is NOT the case. They know exactly what technology they're using and they are making the choice to IGNORE the requirements of owning and using that technology.

I've previously written about the source of this problem. My quick summary is this:
1) These devices user Windows XP Embedded as their operating system.
2) Windows XP exposes all collected data in-the-clear (having no encryption) in RAM on these machines.
3) Hackers on the Internet search for and find routes by which they are able to BOT (aka PWN) all the POS devices networked within victim company. They also BOT at least one node server computer within the same network.
4) The malicious malware hacking onto these machines sits in wait, watching all the data revealed in RAM, then sends that data off to a server node within the network of the infected companies. The collected data is then sent over the Internet to the hacker bot wranglers out on the Internet.
5) The collected data is then analyzed. Personal data is extracted. This data includes everything read into the retail POS devices, including card numbers and PIN numbers. (Yes, this includes Chip and PIN card data).
6) This personal data is then either used or sold on the Internet to crooks.

After the initial catastrophic revelations of this problem, (thank you Target, Neiman Marcus, ad nauseam), security updates were provided by Microsoft to update these archaic Windows XP Embedded devices. The updates did NOT solve the problem of in-the-clear exposure of personal data in RAM. They won't be able to solve that problem! But these patches have at least been swatting at each specific variant of malware being used to PWN these POS devices.

Except, a great many companies are NOT updating their POS devices. This is inexcusable. This is irresponsible. This constitutes customer abuse, as future court cases will no doubt prove. And of course, this is bad biznizz. The biggest recent new revelation of PWNed POS devices and the subsequent sales of customer personal data over the Internet, has come from the willfully stupid company Home Depot. The latest figure I have read is that Home Depot literally gave away 56 MILLION customer card accounts. Unforgivable.

New revelations of retail POS POS device PWNing are happening at an incredible rate. These revelations are not stopping. The number of worthless companies who are ignoring this problem is incomprehensible. Everyone loses, from the companies to the banks to the disrespected customers. The only winners are the hacker crooks. And yet this problem is NOT abating.

Obviously, this problem has no direct impact on Apple computer users. It does impact every credit and debit card user, many of whom are Apple computer users. Therefore, it's relevant here at this blog. Expect more of this curable security nightmare well on into the future.

The ultimate solution to in-the-clear data in RAM is end-to-end encryption. We're going to be hearing references to this concept also well on into the future until such time as it become the DEFAULT in the retail industry. And again: Chip and PIN cards do NOT solve this problem. They have nothing to do with it. Magnetic stripe cards have nothing to do with it. Insecure POS devices and bad biznizziz are the problem.


And so forth...

The above are the big ongoing problems. There are smaller problems as well, the most prominent of which is:

ADWARE. My colleague Thomas Reed is brilliantly covering the adware problem and has created a detection and removal tool AdwareMedic which I highly recommend! I've been a beta-tester for Thomas's adware tool and have been thoroughly impressed. If you've been the victim of adware, head over to Thomas' The Safe Mac website for both documentation and the solution. Bravo Thomas!

Thomas's The Safe Mac website covers many Apple computer security issues that I don't. I'd check out Thomas's site side-by-side with mine. Thomas maintains what we both consider the definitive list of both old and new Mac malware. Because Thomas and I belong to a great group of malware researchers and writers created by Mark Allen, the creator of the terrific ClamXav anti-malware, many of us on the Internet are coordinating our work and publications. You'll find all of these colleagues listed on the right side of this page under 'Friends of Mac-Security'. I recommend the work of all of them.

For malware detection and removal I recommend that all Mac users check out and support ClamXav. It's donationware, free to download and use, well worth every installing on every Mac. It finds and removes the vast majority of not only Mac malware, but also Windows and Linux malware. It's a gem of the Mac community. ClamXav is available from the Apple App Store. I strongly suggest instead downloading it directly from Mark's ClamXav website as that version includes efficient, non-invasive real-time malware scanning. This feature means you can automatically scan every file you download from the Internet. If you wish, you can aim ClamXav's real-time specifically at your Downloads folder, a terrific way to catch Trojan horses and break social engineering by malware rats. (Unfortunately, at this time Apple does not allow real-time scanning in apps offered at the App Store).

There are a number of excellent commercial anti-malware programs. My personal favorites are from Intego and Sophos. Many people prefer anti-malware from F-Secure and Avast. (I would have put Kaspersky AV in this list. But Eugene Kaspersky's outrageous Mac security FUD mongering on his blog this week killed my enthusiasm dead. What a shill! What a Symantec-clone!)

[Update 2014-10-28: I added Avast to the preferred list above. My apologies for not putting it there in the first place. A good friend of mine considers Avast to have the best free anti-malware application available. My blunder: Confusing it with another free anti-malware app that was infesting victims with adware.]

There are also some awful anti-malware programs. I personally suggest staying away from, Symantec's Norton™ AntiVirus , PCTools iAntiVirus, and MacKeeper. I've found these applications to generally be inadequate, buggy, out-of-date or outright abusive to users.

For detecting both legal and illegal spyware, any of the recommended commercial anti-malware programs can be useful. The MacScan shareware application specifically targets spyware. However, I have never been impressed by the thoroughness of it's scans. Therefore, if you believe it might be useful, be sure to test it before buying it.

As usual, the very best overall advice I can offer is to:

1) Make A Backup! It's the #1 Rule of Computing. If you don't backup, you deserve what you get.
2) Keep Up-To-Date! This is particularly important for Apple software.
3) Before You Update OS X, be sure to:

  • Repair your boot volume.
  • Repair your boot volume's permissions.

(Yes, repair your permissions. It's not crucial, but it can be extremely useful).


Thus ends today's mind dump.

I hope you find this useful, versus merely mind-numbing.

:-Derek