Monday, December 28, 2015

Adobe Flash/AIR Exploit In-The-Wild!
Critical Flash/AIR Updates Released

--

The all-too-familiar story: The single most dangerous software on the Internet has been exploited in-the-wild yet again. The exploit targets CVE-2015-8651 (not yet documented at Mitre.org as of this date).

Adobe has provided the following security updates:

Flash v20.0.0.267

AIR v20.0.0.233

Adobe's security bulletin is HERE.
Summary

Adobe has released security updates for Adobe Flash Player.  These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system.

Adobe is aware of a report that an exploit for CVE-2015-8651 is being used in limited, targeted attacks. . . .
Vulnerability Details

These updates resolve a type confusion vulnerability that could lead to code execution (CVE-2015-8644).

These updates resolve an integer overflow vulnerability that could lead to code execution (CVE-2015-8651).

These updates resolve use-after-free vulnerabilities that could lead to code execution (CVE-2015-8634, CVE-2015-8635, CVE-2015-8638, CVE-2015-8639, CVE-2015-8640, CVE-2015-8641, CVE-2015-8642, CVE-2015-8643, CVE-2015-8646, CVE-2015-8647, CVE-2015-8648, CVE-2015-8649, CVE-2015-8650).

These updates resolve memory corruption vulnerabilities that could lead to code execution (CVE-2015-8459, CVE-2015-8460, CVE-2015-8636, CVE-2015-8645).

And as usual: If you don't need Adobe Flash, uninstall it and never reinstall it again. Adobe's instructions for uninstalling Flash are HERE. Adobe's instructions for uninstalling AIR are about halfway down the page HERE.

--

Saturday, November 21, 2015

MacUpdate Interviewed By MacNN:
What's up with the 'MacUpdate Installer'?

--

MacNN has published an excellent story, well worth reading, about the changes going on at MacUpdate.com. Specifically discussed is the replacement of actual application installers with the 'MacUpdate Installer', which, to put it gently, attempts to install more than the user intended. Our pal Thomas Reed of Malwarebytes is featured, as well as the founder of MacUpdate, J. Mueller:

MacUpdate tests changes in face of challenging specialist market
Optional additional installs, app discovery at forefront of changes
- updated 04:00 pm EST, Fri November 20, 2015
. . . "Fear not," Mueller said in response to a question about whether long-time users should be concerned about MacUpdate's testing of similar techniques. "We are not planning to go in the same direction [as CNET and Softonic]. We are learning about this process ... and testing it on only one percent of our hosted apps. We are focused on problem-solving, and the Mac community is very important to us." He added that more information would be made available to users once the testing phase is further along, but that the goal of the optional install offers is to learn about how the process works, how users who see it respond to it, and how to avoid the mistakes rivals have made."
I hope that is indeed the case.

Apart from the unintended installations foisted on MacUpdate users and the scary requirement of your admin password, both highly NOT recommended practices, what I don't like is that the user does NOT end up with the actual application installer. The 'MacUpdate Installer' does all the installing for the user. There is no opportunity to KEEP the desired installer. I personally do not deal with that.

Why do I want to keep the actual update installer?

1) I have three Macs I run simultaneously with a total of five different partitions I maintain. I don't typically install applications on just one Mac. I usually install on two Macs. Going through the MacUpdate Installer adware foisting process twice is not in my interest.

2) I archive ALL the current update installers for applications. I collect them on my main Mac in a 'Move Out' folder, along with all the contemporary research I've been collecting from the net. I usually weed out the older update installers and only keep the latest. Periodically, I then write all of this data out to optical disk for permanent storage. I then catalogue each new disk collection into a database of my entire collection. Whenever I want some piece of software from back in the past, I search the catalogue and it tells me where to find it. This system has saved me many headaches and has often saved my backside.

Needless to say, hanging onto a bunch of MacUpdate Installers that do NOT incorporate the desired actual installer is NOT going to work for me. I want nothing to do with them.

Thankfully, as you'll read in MacNN's article, paying (and at the moment logged-in) members of MacUpdate are kindly spared from having to deal with the MacUpdate Installer rubbish. For now, I can entirely avoid the problem by simply logging in. MacUpdate also knows I've bought piles of software through them as a member. I have no reason to feel I am not contributing to their financial success.

Would I become a full-fledged, fee-paying member of MacUpdate.com? I don't know of any valid reason to do so. I would never use their MacUpdate Desktop software, for the same reasons I want to keep update installers. Recently, MacUpdate Desktop has greatly improved and can be VERY useful! I'm grateful MacUpdate finally got it into good shape. (It used to be extremely clunky.) But I don't need it or want it.


~ ~ ~ ~ ~

This situation will play out in the months to come. I'm grateful that the folks at MacUpdate are being professional about this situation and at least promise not to inadvertently or purposely install crapware or hardcore malware onto users' Macs. There are good intentions. But I personally find nothing to appreciate about the MacUpdate Installer system.

As for MacUpdate.com, the website, as long as there is a convenient and friendly way for me to avoid the MacUpdate Installer, I'm happy and will continue to help them out with reviews and purchase their deals whenever possible. They've been a terrific asset to the Mac community.

:-Derek


--

Wednesday, November 11, 2015

Adobe Update Day:
Flash v19.0.0.245,
AIR v19.0.0.241

--

Another second-Tuesday-of-the-month, another set of Adobe updates. Happily, at this time there are no zero-day exploits out in the wild. Hurray.

The Adobe Security Bulletin is HERE.
Vulnerability Details
  • These updates resolve a type confusion vulnerability that could lead to code execution (CVE-2015-7659).
  • These updates resolve a security bypass vulnerability that could be exploited to write arbitrary data to the file system under user permissions (CVE-2015-7662).
  • These updates resolve use-after-free vulnerabilities that could lead to code execution (CVE-2015-7651, CVE-2015-7652, CVE-2015-7653, CVE-2015-7654, CVE-2015-7655, CVE-2015-7656, CVE-2015-7657, CVE-2015-7658, CVE-2015-7660, CVE-2015-7661, CVE-2015-7663, CVE-2015-8042, CVE-2015-8043, CVE-2015-8044, CVE-2015-8046).

You can download the latest version of Adobe Flash HERE.

You can download the latest version of Adobe AIR HERE.

As usual, if you don't need Adobe Flash, it is extremely wise to UNinstall it. Flash is the single most dangerous software on the Mac platform. Instructions for uninstalling Adobe Flash are HERE.

Stay safe out there, kids.

-- 

Friday, November 6, 2015

Updating List Of MacUpdate
Adware Infested Installers

[Updates: 
- Chrome and Calibre added. Thanks to Morse and mrflick! 
- Dropbox added. List alphabetized. Direct links to developer download pages added.
Please add more in the comments as you find them.
- 2015-11-18: MacUpdate swapped "Install" vs "Download" on ALL their product pages. Apparently, this is some marketing strategy to shove people into using their MacUpdate Desktop application. This verifies that they have some marketing moron helping them to ruin their website. I personally suggest getting rid of said marketing moron influence ASAP, dear MacUpdate, before they kill you.]

On November 5th, it was determined that MacUpdate had stopped foisting their 'MacUpdate Installer' adware installer on users who have logged in.

On November 6th, I was able to verify the ongoing adware infestations, and to add a couple more infested installers to the list, by NOT logging in to MacUpdate. Therefore...

Advice: Log into MacUpdate to avoid the adware installers (at least for the time being!).

Here is the updating list of adware infested installers at MacUpdate (now alphabetized; see the updates above):

AppCleaner
BetterTouchTool
Calibre
Chrome
Cyberduck
Dropbox
FileZilla
Firefox
GitHub Desktop
iBackup Viewer
MPlayerX
Onyx
Skype
VLC

Link to this article if you'd like to keep track of the list. I'll be adding to it as I find or verify reports of adware infested installers at MacUpdate. The current list is thanks to reports from Thomas Reed, Neartheredrocks and myself. Please comment if you find further infested installers. Thanks.

Please remember to NEVER install anything via an obvious adware installer. What is really installed CANNOT be trusted. The fact that these adware installers require your Admin password makes them potentially dangerous to the welfare of your Mac.

Instead, go to the website of the software developer directly and download from there. Direct links to developer download pages are provided in the list above.

-- 

[Footnote: I have ALL of the adware installers I note in this list. I've verified them. I can provide these adware installers to anyone interested in further verification or conducting research. :-Derek]


-- 

Thursday, November 5, 2015

Further Observations Regarding
The Adware Infestation At MacUpdate

--
My colleague Thomas Reed was the one who first tipped me off about the beginning of the adware infestation at MacUpdate. He and I are part of a group started by Mark Thomas of ClamXav who share and consult with one another regarding Mac security. Thomas, as I hope many of you know, has been at the forefront of studying, detecting and removing adware within the Mac community. He's been a constant asset to me and others for many years. His AdwareMedic application was a breakthrough. His addition to the team at Malwarebytes has been a well deserved accolade. His software is now part of Malwarebytes Anti-Malware for Mac.

Thomas Reed has been keeping track of MacUpdate adware in his own blog at Malwarebytes. It's well worth reading his article here. You can read about the initial discovery of what's going on at MacUpdate alongside Thomas' useful insights:

Has MacUpdate fallen to the adware plague?
Following Mr. Urdaneta’s hints, I sought out the Skype page on the MacUpdate site and downloaded the app. The result was a file named Skype Installer.dmg, which seems legit on first glance. However, opening this disk image file results in a MacUpdate installer, very similar to the adware-riddled custom installers used by sites like Download.com and Softonic. . . .

Note that between Thomas and myself, we've found that the MacUpdate adware installer flips between a number of different adware installations. I've witnessed the attempt to install Yahoo! adware as well as MacBooster.

The nightmare of the matter is that this installer asks for your ADMINISTRATOR PASSWORD, which means you're giving this malware access to the deepest depths of your Mac home. DON'T DO IT! Anything-at-all could be installed after you've provided that password to the malware.

I have a name I use for people who foist nastiness on potential customers:

Marketing Morons.

The marketing folks who seriously care about the welfare of their collaborators, their customers, are called:

Marketing Mavens. 

~ ~ ~ ~ ~

I'll be adding further observations of the infestation as I find them and consider them helpful and relevant.

--

Tuesday, November 3, 2015

A Reply From MacUpdate
+ A Short Term Workaround
++ The Best Adware Removal Tool

--

Following my suggestion, I wrote to the staff at MacUpdate.com about their new adware installer infestation strategy. You know my opinion of the situation, so I'm not going to critique what they said except to point out that it is an extremely polished reply, indicating that someone such as an ad agency is holding their hand through this despicable transition. That's very interesting.
Hi Derek,

This is a new way we're approaching a select few of our apps by adding special offers to the downloads. The feedback helps us out a lot.

If you're a paid member at MacUpdate, you can go to the Preferences tab of your profile and deselect the "Show Banner Ads," then click "Apply All Changes." This will turn off the banner ads that are on our website, as well as the special offers that appear in a few of our downloads. The download links only show you offers and nothing is installed without your permission. You're able to decline the offers if you do not wish to have them.

If you're a user of MacUpdate Desktop, you can perform one-click installs, which eliminates the special offers. If you're not a member of MacUpdate Desktop you can learn more about it and become one here: http://www.macupdate.com/desktop

Please let us know if you have any further questions.

Cheers,

Joel Lockard
Content/Support
MacUpdate

PLEASE: Write your own message to MacUpdate regarding their adware installer. Their contact URL is:

http://support.macupdate.com/contact/

~ ~ ~ ~ ~

So, brainstorming what to do amidst this LOSS of the last bastion of dedicated Mac software updates outside of the Apple App Store, here are some concepts:

I) Watch what you receive as downloads from MacUpdate. Typically, the page for an application at MacUpdate lists the size of the installer download.  If what you get is NOT that size, or more specifically if what you get is between 1.6 and 1.8 MB in size, you most likely got screwed with the MacUpdate Installer of adware.

It doesn't hurt to open the .DMG file and verify that you've been screwed with MacUpdate Installer.

If you got screwed, I highly recommend ejecting the .DMG and trashing the adware installer. I NEVER suggest navigating your way through the minefield of adware installers. You want the real, source installer for your applications. That is NOT what you got. Therefore...

II) Go back to the application's page on MacUpdate and click on the developer's link. You may get shuffled off to some page at MacUpdate about the developer. That's not what you want. Typically, the REAL link to the developer is on such pages. Go THERE instead, find and download the actual update installer.

III) Before you download the actual update installer, grab the URL for the download page from your web browser (typically by dragging the small site icon at the far left of the URL field) and drop the resulting .webloc link file into a folder that accompanies the application.

I've done this sort of thing for years. Every application on my Macs either has its own devoted folder with the application and all related files, OR I leave the application in the root of the Applications folder and create a 'stuff' folder specific to the application. For example:

Firefox is kept in the root of my Applications folder. But sitting next to it in List View is a folder I created called "Firefox stuff". Inside that folder I keep notes about Firefox add-ons, documentation I've found on the net... and a .webloc file for the downloads page for Firefox over at Mozilla.org. If I want to download the latest Firefox version, I just double-click the .webloc file and it opens the page in my default web browser. Simple.

IV) Theoretically, we as a group of Mac security fanatics could create a simple blog page somewhere that is a simple list of all Mac applications and the corresponding developer download page for each of those applications. To begin with, we could list the Mac applications that are being screwed with at MacUpdate. If we're confronted with an adware installer, we could go to that simple page, search for the application we want, then click the link to its downloads page.

The result is that MacUpdate can continue to be used for its non-screwed over functionality, such as listing new updates, new release notes, reviews and comments. But the nasty adware installer process can be entirely avoided.

Note: I personally don't have the time or interest in doing the work required to maintain such a page. I'm happy to play admin, but I'd leave the updating and expansion of such a page to fellow admins.
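Here is the size check from step I) and the developer-download-page list from step IV) written out as a small POSIX shell script. This is an added example, not a script from the blog or from MacUpdate: the 1.6 to 1.8 MB window and the 'MacUpdate Installer' name come from the post above, while the 5% tolerance, the function names, and the app/URL list (placeholder URLs, not the developers' real pages) are my own assumptions. The hdiutil content check only runs on a Mac and is skipped elsewhere.

```shell
#!/bin/sh
# Added example (not the blog's own script). Checks a downloaded .dmg the way
# step I) describes: compare its size with what the MacUpdate page advertised,
# and flag the 1.6-1.8 MB window the post associates with the 'MacUpdate
# Installer' stub. On a Mac it can also mount the image read-only and look for
# the stub by name. developer_url is step IV)'s idea as a tiny local list.

STUB_MIN=1600000   # bytes; lower edge of the window the post describes
STUB_MAX=1800000   # bytes; upper edge of that window

# Constructed sample of the step IV) list. Format: App|URL. The URLs are
# placeholders, not the developers' real download pages.
APP_LIST="Firefox|https://example.invalid/firefox-download
Skype|https://example.invalid/skype-download
VLC|https://example.invalid/vlc-download"

# Size of a file in bytes, portable across BSD (macOS) and GNU userlands.
file_size() {
    wc -c < "$1" | tr -d ' '
}

# classify_download FILE EXPECTED_BYTES [TOLERANCE_PERCENT]
# Prints one of: stub-size, size-mismatch, ok. Returns 0 only for ok.
classify_download() {
    file=$1
    expected=$2
    tolerance=${3:-5}            # slack, because listing pages round sizes
    size=$(file_size "$file")

    # A download in the stub window is suspect unless the real installer is
    # itself that small (then only the size comparison below applies).
    if [ "$size" -ge "$STUB_MIN" ] && [ "$size" -le "$STUB_MAX" ] &&
       { [ "$expected" -lt "$STUB_MIN" ] || [ "$expected" -gt "$STUB_MAX" ]; }; then
        echo "stub-size"
        return 1
    fi

    diff=$((size - expected))
    if [ "$diff" -lt 0 ]; then
        diff=$((0 - diff))
    fi
    allowed=$((expected * tolerance / 100))
    if [ "$diff" -gt "$allowed" ]; then
        echo "size-mismatch"
        return 1
    fi
    echo "ok"
    return 0
}

# developer_url APP -> prints the URL for APP (case-insensitive); fails if unknown.
developer_url() {
    printf '%s\n' "$APP_LIST" |
        awk -F'|' -v app="$1" 'tolower($1) == tolower(app) { print $2; found = 1 }
                                END { exit found ? 0 : 1 }'
}

# inspect_dmg FILE -> macOS only: mount read-only, look for the stub by name.
# Prints stub-content (returns 1) or content-ok (returns 0); returns 2 if the
# image could not be examined (no hdiutil, or attach failed).
inspect_dmg() {
    dmg=$1
    command -v hdiutil >/dev/null 2>&1 || { echo "hdiutil not available; skipping content check" >&2; return 2; }
    mnt=$(mktemp -d)
    hdiutil attach -readonly -nobrowse -quiet -mountpoint "$mnt" "$dmg" || { rmdir "$mnt"; return 2; }
    if ls "$mnt" | grep -qi 'MacUpdate Installer'; then
        echo "stub-content"; rc=1
    else
        echo "content-ok"; rc=0
    fi
    hdiutil detach -quiet "$mnt"
    rmdir "$mnt" 2>/dev/null
    return "$rc"
}

# Usage: sh check_download.sh FILE.dmg EXPECTED_BYTES [AppName]
if [ "$#" -ge 2 ]; then
    verdict=$(classify_download "$1" "$2") || true
    echo "$1: $verdict"
    if [ "$verdict" = "ok" ]; then
        inspect_dmg "$1" || true
    elif [ -n "${3:-}" ]; then
        echo "get the real installer from: $(developer_url "$3" || echo '(not in list)')"
    fi
fi
```

The second argument is the size the MacUpdate page listed, converted to bytes. Anything other than an "ok" verdict means: eject the image, trash it, and fetch the installer from the developer's page (which the script prints when the app is in the list).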

~ ~ ~ ~ ~

Adware = Malware. That's the fact of the matter. I'm not going to debate the issue.

In the case of the 'MacUpdate Installer' adware vehicle, its particular malware name is:

Adware.OSX.InstallMiez.A

As per usual, some anti-malware providers may give it a different name. But that is the most commonly used 'official' name.


I've seen references to it going back to August of this year. I note that it has been embedded in fake installers for many different applications, but also in WAREZ and KEYGEN software. So if you're pirating stuff, surprise.

Reading through its installer dialog, it is quite clear that it was NOT written by someone whose first language is English. The spelling and grammatical errors suggest to me someone in Eastern Europe or Israel. But that's not for certain. Rather than guess any further, I'm going to wait for further analysis of this thing from the security experts. It may be associated with an adware distribution company or an advertising agency.


So You've Installed Adware. Now What?!

You download and run the free version of Malwarebytes Anti-Malware. The majority of it was developed by my colleague Thomas Reed. He now works for Malwarebytes and his excellent AdwareMedic application has become Malwarebytes Anti-Malware. You can download it from here:

Malwarebytes Anti-Malware 

Install it. Run it. Let it update its malware definitions off the Internet. Then hit the 'Scan' button. It will go searching through your system to find all reported Mac adware and help you remove the awful stuff.

If you've used AdwareMedic before, you'll notice that Malwarebytes Anti-Malware takes a bit longer to run. That's because the proliferation of adware on Mac has been accelerating.

If your adware infestation hasn't been removed, be sure to click 'Next Steps' inside Malwarebytes Anti-Malware for documentation about what to try next, including sending a system summary to Malwarebytes in order to track down new adware and where it infects itself.

The 'Get Help' button in Malwarebytes Anti-malware offers its 12 page User Guide.

Note that most of the other commercial anti-malware applications will also identify this adware, including my fave, Intego VirusBarrier. 

I'll continue to watch this situation and provide further information and suggestions when I believe they'd be relevant and helpful.

Stay safe and free of marketing morons! (As opposed to beloved marketing mavens).

:-Derek 


--

Monday, November 2, 2015

DANGER! MacUpdate.com Is Now Foisting Adware

--

[UPDATE: I have added 5 further adware installer replacements to the list.]

This is profoundly sad.

• On October 30, 2015, MacUpdate.com pulled the link to the real Skype update installer and substituted their adware installer entitled 'MacUpdate Installer'. I have a copy of this adware installer if folks would like a look at it. MacUpdate has since removed the adware installer and returned the link for Skype.

• Today, November 2, 2015, MacUpdate.com has now removed the link to Firefox and replaced it with their adware installer, again entitled 'MacUpdate Installer'. Adding hurt to harm, the Firefox page is three versions out-of-date! It lists Firefox v41.0, doesn't acknowledge the two updates since then and is clueless about the fact that Firefox 42.0 was released today!

• Further research at the MacUpdate.com website has revealed that direct links to downloads have been replaced with the 'MacUpdate Installer' adware installer:
  • AppCleaner
  • BetterTouchTool
  • FileZilla_3
  • MPlayerX
  • Picasa

MacUpdate.com has lost its professionalism.

MacUpdate.com no longer provides up-to-date software update links.

MacUpdate now hurts its users with an adware installer. IOW its users are now its product. It is selling its users to ad agencies via adware installation.

I've written this post as a brief alert:

MacUpdate.com Users BEWARE!

In further posts, I'll be covering this horrific corruption of MacUpdate.com in detail.

SUGGESTION:
Write to the staff of MacUpdate.com and tell them what you think of their adware installer:

http://support.macupdate.com/contact/


--

Tuesday, October 27, 2015

Critical Adobe Shockwave Update v12.2.1.171

--

I personally don't see the point in bothering to have the Adobe Shockwave Internet plug-in installed at this point in time. I recommend UNinstalling it and leaving it that way. Adobe is constantly behind in keeping its instance of Adobe Flash up-to-date, making Shockwave dangerous.

But if you have to have the Shockwave plug-in, here you go. A new critical update, released 'out-of-band', meaning that it is important to install it NOW, if you're going to bother.


Here is Adobe's Security Bulletin for Shockwave v12.2.1.171:


https://helpx.adobe.com/security/products/shockwave/apsb15-26.html

Vulnerability Details 
This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2015-7649). 
The CVE is not listed at Mitre.org at this time.

Here is Adobe's Shockwave download page: 

https://get.adobe.com/shockwave/



--

Friday, October 16, 2015

IMPERATIVE Adobe Flash Security Update v19.0.0.226
No updates yet for AIR or Shockwave

--

HAPPY NEWS (???)

Adobe provided an emergency release of Flash v19.0.0.226 today, which patches the current zero-day exploit going on in-the-wild. You can read the Adobe Security Bulletin about it here:

https://helpx.adobe.com/security/products/flash-player/apsb15-27.html

Vulnerability Details
These updates resolve type confusion vulnerabilities that could lead to code execution (CVE-2015-7645, CVE-2015-7647, CVE-2015-7648).

Whether you want to actually reinstall Flash is another matter.

CVE-2015-7645 was the security vulnerability being actively exploited on the Internet.

NOTE: Adobe AIR and Shockwave have NOT yet been updated with this patched version of Flash! Therefore, do NOT use AIR or SHOCKWAVE at this time.

As usual: Keep in mind that Adobe AIR and Shockwave both integrate Flash and remain vulnerable to its security exploits until they too are updated. In the case of Shockwave, Adobe has been outrageously lax in keeping it up-to-date. I highly recommend trashing Shockwave permanently and doubt you're going to miss it.




~ ~ ~ ~ ~


Here's something ScARy for Halloween!
Check this out.
It's from 2009.
But may be just as true today.



Happy PWNing!

--

Wednesday, October 14, 2015

Urgent: UNINSTALL FLASH & AIR NOW
Zero-day Exploit In-The-Wild

--

[UPDATE: Adobe has provided a Security Bulletin regarding this zero-day exploit. As of yet there is NO replacement for Flash. So follow the instructions from Adobe linked below in order to remain safe. A patched version of Flash/AIR is promised for the week of October 19th.

The new Adobe Security Bulletin is available HERE.
Summary

A critical vulnerability (CVE-2015-7645) has been identified in Adobe Flash Player 19.0.0.207 and earlier versions for Windows, Macintosh and Linux. Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system.

Adobe is aware of a report that an exploit for this vulnerability is being used in limited, targeted attacks. Adobe expects to make an update available during the week of October 19.

Keep in mind that the affected versions of Flash are ALSO integrated into Adobe AIR. Therefore, be certain to delete/update them BOTH.

As for Adobe Shockwave: It ALSO integrates Flash! My personal advice is to trash Shockwave and never re-install it again. It's essentially dead on the Internet at this point. Unless you run into something, somehow requiring Shockwave, just keep it OUT of your /Library/Internet Plug-ins/ folder forever more.

I'll post further as this situation evolves.

:-Derek ]
~ ~ ~ ~ ~

What happened:

New Adobe Flash Zero-Day Used in Pawn Storm Campaign Targeting Foreign Affairs Ministries
- October 13, 2015 at 11:57 am, Trend Micro
Trend Micro researchers have discovered that the attackers behind Pawn Storm are using a new Adobe Flash zero-day exploit in their latest campaign. Pawn Storm is a long-running cyber-espionage campaign known for its high-profile targets and usage of the first Java zero-day we’ve seen in the last couple of years. The affected vulnerability has since been assigned the CVE number CVE-2015-7645. . . .
New Flash flaw lets you beat White House and NATO security
Flaw flings phish Pawn Storm gang tried to get past the great and the good
- 14 Oct 2015 at 05:18 GMT, Richard Chirgwin, The Register 
Trend's analysts reckon the zero-day works on Adobe Flash Player versions 19.0.0.185 and 19.0.0.207, the latter meaning the vulnerability is present in the most current version of the hopefully-soon-to-be-lamented piece of bugware.

The company emphasises that just because other versions aren't listed doesn't mean they're not vulnerable.

Phishing messages sent to “several ministries of foreign affairs” have links to exploit sites, the company says, warning people to look out for the following subject lines:

  • Suicide car bomb targets NATO troop convoy Kabul
  • Syrian troops make gains as Putin defends air strikes
  • Israel launches airstrikes on targets in Gaza
  • Russia warns of response to reported US nuke buildup in Turkey, Europe
  • US military reports 75 US-trained rebels return Syria
The URLs involved in the latest exploit are, Trend says, similar to those Pawn Storm tried against NATO and the White House in April. ®

Note that yesterday's NEW version of Flash is affected, that being Flash v19.0.0.207. Therefore, AIR v19.0.0.213 is also affected.

Also note: It is possible to run non-Internet downloaded Flash and AIR content without worry. But be wary of using either on anything from the Internet.


It's going to be interesting how Apple responds to this situation. They're going to, at long last, have to deactivate Flash on all supported versions of OS X, with NO safe version to replace it. Steve Jobs must be laughing in the aether.

No doubt, Adobe is scrambling today to get out another patched version of Flash to replace their dangerous current version. What a mess.


Uninstall instructions from Adobe:

Uninstall Flash Player | Mac OS

Removing Adobe AIR

After uninstalling Flash and AIR, RESTART your running web browsers.

Please do this RIGHT NOW. If you have more than one Mac, be certain to dump Flash and AIR there as well. 

Keep an eye out for Adobe's next update, or dump Flash and AIR entirely.


:-Derek

--

Tuesday, October 13, 2015

It's Adobe Critical Updates Day!
Flash & AIR have 13 CVE patches,
Acrobat & Reader have 51 patches!!!

--

[URGENT UPDATE: These new, current versions of Adobe Flash and AIR have a zero-day vulnerability out-in-the-wild! DO NOT USE FLASH AT ALL at this point in time! Seriously! I'm going to post an article after this one that provides some information. In the meantime: UNINSTALL FLASH NOW please!

Uninstall instructions from Adobe:

Uninstall Flash Player | Mac OS

Removing Adobe AIR

After uninstalling Flash and AIR, RESTART your running web browsers.

Please do this RIGHT NOW. If you have more than one Mac, be certain to dump Flash and AIR there as well. 

More to follow.]
~ ~ ~ ~ ~

It's the second-Tuesday-of-the-month, which means it's time for a bombardment of Adobe security patches! This month's pile of patches is truly astonishing. Keep in mind that this isn't the only day of the month Adobe provides security updates. This past month, Adobe pushed out two separate groups of security updates.

Here are today's Adobe security bulletins:


Adobe Flash and AIR


Adobe Acrobat and Reader


Here are the linked Adobe updates:

Adobe Flash, Desktop v19.0.0.207

Adobe Flash, Extended Support v18.0.0.252 (Scroll down to 'Flash Player Archives')

Adobe AIR v19.0.0.213

Adobe Acrobat DC and DC Reader 'Continuous' v2015.009.20069

Adobe Acrobat DC and DC Reader 'Classic' v2015.006.30094

Adobe Acrobat and Reader XI Desktop v11.0.13

Adobe Acrobat and Reader X Desktop v10.1.16

CVE Patches:

[I'm not linking the listed CVEs (Common Vulnerabilities and Exposures) this month as the list is massive and I'm rather busy at my end at the moment. The link to look up CVEs is at the right of this page.]


Adobe Flash and AIR
Vulnerability Details

These updates resolve a vulnerability that could be exploited to bypass the same-origin-policy and lead to information disclosure (CVE-2015-7628).

These updates include a defense-in-depth feature in the Flash broker API (CVE-2015-5569).

These updates resolve use-after-free vulnerabilities that could lead to code execution (CVE-2015-7629, CVE-2015-7631, CVE-2015-7643, CVE-2015-7644).

These updates resolve a buffer overflow vulnerability that could lead to code execution (CVE-2015-7632).

These updates resolve memory corruption vulnerabilities that could lead to code execution (CVE-2015-7625, CVE-2015-7626, CVE-2015-7627, CVE-2015-7630, CVE-2015-7633, CVE-2015-7634).

Adobe Acrobat and Reader
Vulnerability Details

These updates resolve a buffer overflow vulnerability that could lead to information disclosure (CVE-2015-6692).

These updates resolve use-after-free vulnerabilities that could lead to code execution (CVE-2015-6689, CVE-2015-6688, CVE-2015-6690, CVE-2015-7615, CVE-2015-7617, CVE-2015-6687, CVE-2015-6684, CVE-2015-6691, CVE-2015-7621, CVE-2015-5586, CVE-2015-6683).

These updates resolve heap buffer overflow vulnerabilities that could lead to code execution (CVE-2015-6696, CVE-2015-6698).

These updates resolve memory corruption vulnerabilities that could lead to code execution (CVE-2015-6685, CVE-2015-6693, CVE-2015-6694, CVE-2015-6695, CVE-2015-6686, CVE-2015-7622).

These updates resolve memory leak vulnerabilities (CVE-2015-6699, CVE-2015-6700, CVE-2015-6701, CVE-2015-6702, CVE-2015-6703, CVE-2015-6704, CVE-2015-6697).

These updates resolve security bypass vulnerabilities that could lead to information disclosure (CVE-2015-5583, CVE-2015-6705, CVE-2015-6706, CVE-2015-7624).

These updates resolve various methods to bypass restrictions on Javascript API execution (CVE-2015-6707, CVE-2015-6708, CVE-2015-6709, CVE-2015-6710, CVE-2015-6711, CVE-2015-6712, CVE-2015-7614, CVE-2015-7616, CVE-2015-6716, CVE-2015-6717, CVE-2015-6718, CVE-2015-6719, CVE-2015-6720, CVE-2015-6721, CVE-2015-6722, CVE-2015-6723, CVE-2015-6724, CVE-2015-6725, CVE-2015-7618, CVE-2015-7619, CVE-2015-7620, CVE-2015-7623, CVE-2015-6713, CVE-2015-6714, CVE-2015-6715).

WARNING:

As ever, running software over the Internet can be dangerous. The most dangerous software to use is the Adobe Flash, Adobe Shockwave and Oracle Java browser plug-ins. If you don't need them, either trash them or pull them out of your system and put them into a 'disabled' folder. You can find all of these plug-ins here:


/Library/Internet Plug-ins/


Adobe Acrobat and Reader can be dangerous if you're using them to read PDF files you've downloaded from the Internet. The safest way to run either of these programs is with 'Enhanced Security' (Security 'Enhanced') turned ON in their preferences. Even then, as noted in the CVE list above, that may not protect you from malicious PDF files.


Also dangerous, for the same reason, are the Adobe PDF Viewer plug-ins for web browsers. As with the other dangerous plug-ins noted above, either trash them or put them into a 'disabled' folder. If you have a specific reason to use the Viewer plug-ins, then you're stuck with them. However, for the vast majority of people there is NO reason to use them. All web browsers have their own built-in PDF viewer functions. You can find the Adobe PDF Viewer plug-ins here:


/Library/Internet Plug-ins/AdobePDFViewer.plugin

/Library/Internet Plug-ins/AdobePDFViewerNPAPI.plugin
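The 'disabled' folder approach above, as a small POSIX shell script. This is an added example, not something from the blog or from Adobe: the two AdobePDFViewer bundle names and the plug-in folder path are the ones the post gives, while the Flash, Shockwave and Java bundle names are an assumption about what those plug-ins usually install under (check with ls before relying on them), and the folder name for the disabled copies, the function names and the environment variables are mine.

```shell
#!/bin/sh
# Added example (not from the blog). Moves the browser plug-ins the post calls
# dangerous out of the active plug-in folder into a sibling 'disabled' folder,
# which is the post's non-destructive alternative to trashing them, and can
# move one back if you turn out to need it.
#
# Paths and list can be overridden from the environment. The post's spelling
# "Plug-ins" is used; the macOS filesystem is case-insensitive by default.
PLUGIN_DIR=${PLUGIN_DIR:-"/Library/Internet Plug-ins"}
DISABLED_DIR=${DISABLED_DIR:-"/Library/Internet Plug-ins (disabled)"}

# AdobePDFViewer*.plugin are the names the post lists. The other four are the
# usual bundle names for Flash, Shockwave and Java (assumption; verify with ls).
RISKY_PLUGINS="Flash Player.plugin
flashplayer.xpt
DirectorShockwave.plugin
JavaAppletPlugin.plugin
AdobePDFViewer.plugin
AdobePDFViewerNPAPI.plugin"

# is_risky NAME -> 0 if NAME is on the list (exact, fixed-string match).
is_risky() {
    printf '%s\n' "$RISKY_PLUGINS" | grep -qxF -- "$1"
}

# audit_plugins DIR -> one line per entry: "RISKY <name>" or "ok    <name>".
audit_plugins() {
    dir=$1
    for path in "$dir"/*; do
        [ -e "$path" ] || continue      # empty or missing dir: glob stays literal
        name=${path##*/}
        if is_risky "$name"; then
            echo "RISKY $name"
        else
            echo "ok    $name"
        fi
    done
    return 0
}

# disable_plugins SRC DST NAME... -> moves each named plug-in from SRC to DST,
# creating DST. Names not present are reported on stderr, not treated as errors.
disable_plugins() {
    src=$1; dst=$2; shift 2
    mkdir -p "$dst"
    for name in "$@"; do
        if [ -e "$src/$name" ]; then
            mv "$src/$name" "$dst/$name"
            echo "$name"
        else
            echo "not present: $name" >&2
        fi
    done
    return 0
}

# disable_all_risky SRC DST -> disables every listed plug-in that exists in SRC.
disable_all_risky() {
    printf '%s\n' "$RISKY_PLUGINS" | while IFS= read -r name; do
        if [ -e "$1/$name" ]; then
            disable_plugins "$1" "$2" "$name"
        fi
    done
}

# enable_plugin SRC DST NAME -> moves NAME back from the disabled folder.
enable_plugin() {
    [ -e "$2/$3" ] || return 1
    mv "$2/$3" "$1/$3"
}

# Usage: sh plugins.sh            (audit only)
#        sudo sh plugins.sh disable   (/Library needs admin rights)
# Restart your web browsers after disabling, as the post says.
case "${1:-audit}" in
    audit)   audit_plugins "$PLUGIN_DIR" ;;
    disable) disable_all_risky "$PLUGIN_DIR" "$DISABLED_DIR" ;;
esac
```

Run it without arguments first to see what is in the folder; the RISKY lines are what "disable" would move. Browsers only pick up the change after a restart, and a plug-in you later need goes back with enable_plugin rather than a reinstall.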

~ ~ ~ ~ ~

As usual:

The #1 Rule of Computing and Security is:


MAKE A BACKUP!


Backups allow you to restore your computer back to health if it gets PWNed (zombied/botted) or otherwise compromised on the Internet.


There are many articles on the Internet about computer backup strategies. Here are three articles and two ebooks specific to Mac backups:


Bulletproof backups: When you absolutely can't lose any data


Apple: Backing up your Mac hard drive


Apple Support Communities: Most commonly used backup methods


Backing Up Your Mac: A Joe On Tech Guide


TAKE CONTROL OF Security for Mac Users


Stay safe out there kids!



--

Wednesday, September 23, 2015

Critical Adobe Flash & AIR Out-Of-Band Updates

--

I watched the update installers appear online...

Adobe Flash v19.0.0.195


Adobe AIR v19.0.0.190


But no Adobe Security Bulletins appeared to determine whether they were security updates or not. Then... POP! Adobe bothered to let us know, a bit LATE. 


23 CVEs have been patched. I've provided CVE links below for those currently listed:

Security updates available for Adobe Flash Player

(and AIR)
September 21, 2015
Vulnerability Details

These updates resolve a type confusion vulnerability that could lead to code execution (CVE-2015-5573).

These updates resolve use-after-free vulnerabilities that could lead to code execution (CVE-2015-5570, CVE-2015-5574, CVE-2015-5581, CVE-2015-5584, CVE-2015-6682).

These updates resolve buffer overflow vulnerabilities that could lead to code execution (CVE-2015-6676, CVE-2015-6678).

These updates resolve memory corruption vulnerabilities that could lead to code execution (CVE-2015-5575, CVE-2015-5577, CVE-2015-5578, CVE-2015-5580, CVE-2015-5582, CVE-2015-5588, CVE-2015-6677).

These updates include additional validation checks to ensure that Flash Player rejects malicious content from vulnerable JSONP callback APIs  (CVE-2015-5571).

These updates resolve a memory leak vulnerability (CVE-2015-5576).

These updates include further hardening to a mitigation to defend against vector length corruptions (CVE-2015-5568).

These updates resolve stack corruption vulnerabilities that could lead to code execution (CVE-2015-5567, CVE-2015-5579).

These updates resolve a stack overflow vulnerability that could lead to code execution (CVE-2015-5587).

These updates resolve a security bypass vulnerability that could lead to information disclosure (CVE-2015-5572).

These updates resolve a vulnerability that could be exploited to bypass the same-origin-policy and lead to information disclosure (CVE-2015-6679).

There aren't any zero-day exploits currently listed. However, when Adobe pushes out a security update that isn't on the second Tuesday of the month, you can count on there being an imminent exploit.

So UPDATE NOW!


As usual, if you don't use Adobe Flash (which is increasingly being replaced with HTML5) then remove the Internet Plugin from your OS X system! Apple has built in a couple of methods of protecting users from awful Adobe Flash in Safari. But when surfing the Internet using ANY web browser, be sure to install a Flash blocker add-on/extension into your web browser! There is no WORSE software you can run on the Internet than Flash. It has surpassed awful Oracle Java in danger. You never want Flash automatically running in any web page.


And also as usual: The #1 Rule of both computing and computer security is:

MAKE A BACKUP!

With backups, we can restore our systems back to pre-infection status.





--