Monday, May 14, 2018

Critical Out-Of-Band Adobe Security Updates!
And ongoing minor Mac concerns...

Adobe has just announced two critical updates, one for Adobe Acrobat and Reader and one for Adobe Photoshop CC. The announcements are linked and summarized below:
APSB18-09: Security update available for the Adobe Acrobat and Reader

Originally posted: May 14, 2018

Summary: Adobe has released security updates for Adobe Acrobat and Reader for Windows and MacOS. These updates address critical vulnerabilities, and successful exploitation could lead to arbitrary code execution in the context of the current user. Adobe recommends that customers apply the appropriate update using the instructions provided in the "Solution" section of the security bulletin.

Priority Rating: Adobe categorizes this update as priority 1.

APSB18-17: Security updates available for Adobe Photoshop CC

Originally posted: May 14, 2018

Summary: Adobe has released updates for Photoshop CC for Windows and macOS. These updates resolve a critical vulnerability in Photoshop CC 19.1.3 and earlier 19.x versions, as well as 18.1.3 and earlier 18.x versions. Successful exploitation could lead to arbitrary code execution in the context of the current user. Adobe recommends that customers apply the appropriate update using the instructions provided in the "Solution" section of the security bulletin.

Priority Rating: Adobe categorizes these updates as priority 3.
The new patched versions are:

• Acrobat DC and Acrobat Reader DC v2018.011.20040
• Acrobat 2017 and Acrobat Reader DC 2017 v2017.011.30080
• Acrobat DC (Classic 2015) and Acrobat Reader DC (Classic 2015) v2015.006.30418

• Photoshop CC 2018 v19.1.4
• Photoshop CC 2017 v18.1.4
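
To check an inventory against the patched versions listed above, here is an added example (not Adobe's code and not part of the original post). The function names and the sample version strings are constructed for illustration, and the handling of a two-digit year such as 18.011.20040 is an assumption about how some inventory tools report Acrobat versions.

```python
# Minimum patched versions exactly as listed in the post (APSB18-09, APSB18-17).
ACROBAT_MIN = {
    "DC": (2018, 11, 20040),
    "2017": (2017, 11, 30080),
    "Classic 2015": (2015, 6, 30418),
}
PHOTOSHOP_MIN = {19: (19, 1, 4), 18: (18, 1, 4)}  # keyed by major version line


def parse_version(text):
    """'v2018.011.20040' -> (2018, 11, 20040); compare numerically, not as text."""
    return tuple(int(part) for part in text.strip().lstrip("vV").split("."))


def acrobat_status(track, version):
    """track is one of the keys of ACROBAT_MIN (the track must be known)."""
    minimum = ACROBAT_MIN.get(track)
    if minimum is None:
        return "unknown track"
    v = parse_version(version)
    # Assumption: a two-digit leading component (18.x) means the year 2018.
    if v[0] < 100:
        v = (2000 + v[0],) + v[1:]
    return "patched" if v >= minimum else "needs update"


def photoshop_status(version):
    v = parse_version(version)
    minimum = PHOTOSHOP_MIN.get(v[0])
    if minimum is None:
        return "not covered"  # neither the 19.x nor the 18.x line
    return "patched" if v >= minimum else "needs update"


def audit(inventory):
    """Return the hosts whose install is below the patched version."""
    flagged = []
    for host, product, track, version in inventory:
        status = (acrobat_status(track, version) if product == "acrobat"
                  else photoshop_status(version))
        if status == "needs update":
            flagged.append(host)
    return flagged


# Constructed sample inventory: (host, product, track, installed version).
SAMPLE = [
    ("mac-01", "acrobat", "DC", "2018.011.20038"),
    ("mac-02", "acrobat", "Classic 2015", "2015.006.30418"),
    ("mac-03", "photoshop", None, "19.1.3"),
    ("mac-04", "photoshop", None, "19.1.10"),
]
print(audit(SAMPLE))
```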

Update IMMEDIATELY. Exploits have not been reported by Adobe to be in-the-wild. But the Acrobat patches are of highest priority and plentiful.

There was also the usual monthly security patch of awful Adobe Flash on 'Patch Tuesday', the second Tuesday of the month. Several other security patches were released as well. The list of Adobe's latest security patch updates can always be found here:

- - - -

What Else Is Up?

There aren't many Mac security concerns at the moment. In the meantime, I highly recommend everyone obtain and use the free Malwarebytes Anti-Malware application, run it and keep it up-to-date. My colleague Thomas Reed has been doing a great job enabling it to find all current adware and PUPs (potentially unwanted programs) as well as the few active Mac malware.

Up and coming is Thomas Reed's Malwarebytes for iOS, seeing as Thomas is now in charge of mobile security as well as Mac security at Malwarebytes. The free version of the app will assist iOS device users with ad blocking and text message filtering. The Premier version will help protect users from malicious cell phone calls and malicious web sites. The app is currently in beta.

There isn't any active malware for iOS these days. Subsequently, Apple has removed and forbidden any apps that scan for iOS malware. Meanwhile, Apple has identified and removed several apps that surveil users from its App Store. They are in violation of Apple's iOS programming rules. It's disconcerting that these apps were originally approved and allowed to run on user devices. Thankfully, Apple has caught up with their oversight and removed the problem.

The biggest security hole in the entire Mac and iOS security system remains the same as last year: Rogue developers who've paid for Apple security certificates then applied those certificates to malicious software. The consequences of this security hole in Apple's certification system pop up all over the world from time to time. I wish these rogue certificates were an impossibility. However, Apple's only solution for now is to pull these certificates, making the malicious applications essentially inert. Stolen certificates from enterprise developers remain a problem. But Apple appears to have taken better control of them as I have not heard of any enterprise certificates being applied to malicious software in 2018. Let's hope it stays that way.

Spectre & Meltdown 

Of GREAT concern to every Intel and AMD CPU user is the ever evolving and elaborating Spectre (speculative execution) hardware security vulnerability catastrophe. Apple, as well as other computer manufacturers, have been responding as best they can in coordination with Intel and AMD. But the Spectre problems are profound and have no full solution in sight. Fortunately, exploiting Spectre is relatively difficult and no major exploitation has been reported in-the-wild. As this catastrophe unfolds, be certain to keep up-to-date with Apple security patches.

Of related concern has been the Meltdown vulnerability in Intel, AMD, ARM (Apple A-Series) and IBM Power CPUs. Meltdown has been easier to mitigate and has not become a concern on Mac computers. Just be certain you're up-to-date with Apple security updates.

Apple has provided a document about Spectre and Meltdown and its mitigations here:

About speculative execution vulnerabilities in ARM-based and Intel CPUs

iMore has kindly provided further information here:

'Meltdown' and 'Spectre' FAQ: What Mac and iOS users need to know about the Intel, AMD, and ARM flaw

Continuing and evolving is exploitation of the DRAM Rowhammer phenomenon. It affects all DDR3 and DDR4 SDRAM. It affects all modern Mac computers. There is no solution for this problem. The phenomenon is a product of the ever shrinking and subsequently spatially intimate physical components of RAM chips. Some attempts at using software mitigations have been tried and more are forthcoming. But the problem has not been solved. Fortunately, there have not been any active exploits on Mac or iOS hardware. If an exploit is reported, I'll be posting.

Newly discovered is a method of exploiting Rowhammer using GPU memory chips on Android devices. The exploit is called GLitch and can be triggered by malicious JavaScript embedded into web pages.  So far, there has been no similar exploit discovered for iOS devices.

APFS: Not Ready For Prime Time 

In March, there was concern over a severe programming bug found in Apple's as yet unfinished APFS file system, exploitable on devices running macOS 10.13 and 10.13.1 High Sierra. The bug allowed a simple command in the OS terminal to reveal the administrative password for an APFS encrypted Mac device. The exploitation command could be enacted either by direct physical access to the Mac or via malicious code on a web page. Macs running macOS 10.13.2 and higher have been patched against this security bug. More about this situation can be found here:

Apple macOS Bug Reveals Passwords for APFS Encrypted Volumes in Plaintext
It should be noted that you would not find the password in the plaintext when converting a non-APFS drive to APFS and then encrypting the drive.
My advice regarding APFS, the new Apple File System, remains the same: Don't use it. 

• The finished APFS specification has not been released to developers or the public.

• APFS is still incompatible with Fusion drives.

• There continue to be problems accessing APFS partitions from HFS+ Macs, despite Apple's attempts to provide a solution.

• There is no complete method for repairing APFS systems apart from Apple's meagre Disk Utility application. Micromat was the first and currently only disk utility developer to provide partial repair support for APFS in TechTool Pro 9.6+. But Micromat make it clear that it is not a complete APFS repair solution. All disk utility developers point out that the reason for this delay continues to be Apple and their unwillingness / inability to provide finished APFS specification documentation.

IOW: APFS is not a finished standard. It is not ready for prime time. IMHO, it is to be avoided.

Meanwhile, Apple says:
When you install macOS High Sierra on the Mac volume of a solid-state drive (SSD) or other all-flash storage device, that volume is automatically converted to APFS. Fusion Drives, traditional hard disk drives (HDDs), and non-Mac volumes aren’t converted. You can’t opt out of the transition to APFS.
Wrong. There is a solution to Apple's forced conversion of HFS+ to APFS when installing High Sierra. I suggest enacting this solution unless you have some compelling reason to experiment with APFS. You can read about the solution here:

How to Skip Converting to APFS When Installing macOS High Sierra
Despite the Apple support article saying that you can’t opt out of the transition to APFS, it turns out that you can skip APFS if you choose to start the installer from the command line of Mac OS and give a directive to skip file system conversion.

Potentially helpful for those who have converted to APFS is the free downloadable APFS Retrofit Kit available from Paragon:
If you work on a Mac computer with macOS 10.10 to 10.12 and want to read APFS-formatted HDD, SSD or flash drives, you need APFS Retrofit Kit for macOS by Paragon Software. 
Paragon is working to provide the kit for Windows and Linux users as well. Due to my concern that APFS is an unfinished standard, use Paragon's kit with caution. 

And as ever, Make A Backup before engaging in any computer device adventure. It will save your butt. It's the #1 Rule of Computing!


Stay safe out there kids.


~ ~ ~ ~ ~ 

Addendum Reading Assignment:

How many ways can a PDF mess up your PC? 47 in this Adobe update alone
Tons of critical fixes for Reader, Acrobat and Photoshop