Updates for OS X and iOS

Apple today released updates for OS X Yosemite and iOS 8.
As usual it is recommended to install these updates as they include a slew of security patches but also bug fixes and enhancements.
Some users may also see a separate security update available (Security Update 2015-004) and/or a Safari update (6.2.5 or 7.1.5).

The list of security patches, fixes and enhancements is long so rather than listing them all, here are some links:

OS X 10.10.3 Update (General Info) (Security Content) (Download)
OS X 10.10.3 Combo Update (General Info) (Security Content) (Download)

Security Update 2015-004 for Mountain Lion (Download)
Security Update 2015-004 for Mavericks (Download)

Download size can vary depending on the source. The download site lists file sizes of 1.52GB for the 10.10.3 Update and 2GB for the 10.10.3 Combo Update. OS X Server’s Software Update service lists 2.6GB for the regular update and 2.3GB for the Combo Update. Use the links above to go to Apple’s download page, use Software Update on Mountain Lion and Mavericks or use the App Store’s Updates tab on Yosemite to get these updates and Safari as well.

iOS 8.3 was also released and includes a long list of fixes and enhancements; info on that can be found here.

As always, back up your Mac and iOS device before installing any updates.

Posted in Security

Apple releases security updates, iOS 8.2 and Apple TV 7.1

(Updates may not be available yet for download. They should be available to everyone before the end of the day)

Apple today released a security update for its three most recent OS X releases, along with iOS 8.2 and Apple TV 7.1, both of which also include security fixes.

For OS X 10.8.5 Mountain Lion, 10.9.5 Mavericks and 10.10.2 Yosemite users the update “Security Update 2015-002” is available and (depending on the version of OS X you use) contains security fixes for iCloud Keychain, the Kernel and Secure Transport. The Secure Transport patch addresses the recently discovered FREAK vulnerability.

iOS 8.2 is available for iPhone 4S and later and addresses vulnerabilities in SMS Messaging, iCloud Keychain and Secure Transport.

Apple TV 7.1 update also addresses the FREAK vulnerability.

All users are recommended to install the security update on Mac and iOS update on applicable devices. Mac users can use their usual Software Update methods, iOS users can update through iTunes or by going to Settings > General > Software Update. Back up your Mac or iDevice before installing updates just as a precaution.

More info on Security Update 2015-002
More info on the security content of iOS 8.2
More info on the security content of Apple TV 7.1

Of course iOS 8.2 is not just about security patches. There is improved stability for several apps and processes, bug fixes, Apple Watch support and Health App improvements.

Posted in Security

Java installs adware. If you allow it. Relax people.

Java is now bundled with an Ask.com toolbar. The web is blowing up about it. “Beware”, “Adware”, “shady”, “Sneaking” and other terms are used. Is this just hype, or is there something to these claims? Let’s find out.

I set up a brand new Virtual Machine, installed all the latest updates, the latest browsers, the latest versions of Flash Player and Little Snitch. I downloaded the latest version of Java directly from its source, oracle.com. Selecting the download leads to the Java.com website (https://www.java.com/en/download/). The latest version at the time is Version 8 Update 40.

Adware is free software sponsored by ads. Toolbars are usually a form of adware. I use free software that is sponsored by ads on my Mac and my iPhone; there is nothing wrong with adware. When adware starts to act like spyware and injects ads in places it should not be, then there’s a problem.

I ran the Java installer and found clear mention of the Ask.com toolbar with two options:
– Set Ask as my default search provider
– Set Ask.com as my browser home page and new tabs page

If these boxes are unchecked, you guessed it, just Java is installed. But let’s behave like the typical user and click “Next” as fast as we can, completely ignoring all the information the installer provides.

The toolbar is installed in Safari and both the default search and home pages are changed to ask.com. Firefox users (as we should all be imo) get a warning stating a 3rd party is attempting to modify Firefox. You must allow it to be activated. If you do not allow this, the add-on will be installed but de-activated by Firefox. It does however change your default home page and search engine.

Here is what I’ve found:
– If you READ the installer information this toolbar will never make it on to your system.
– If you did manage to just click “Next” and get the toolbar installed, Firefox warns you about it and you must provide additional approval to activate the toolbar. Safari users are stuck with the toolbar immediately.
– Your new Ask.com homepage clearly shows links to how you can reset your homepage or remove the toolbar. They do not try to hide it.
– The toolbar does not inject ads anywhere they should not be.
– There are no additional processes running because of the toolbar.
– No dubious server connections are made by the toolbar.
– It takes 10 seconds to reset your home page, search engine and uninstall the toolbar in Safari.
– It takes 19 seconds to reset your home page, search engine and remove the toolbar from Firefox.
– It takes a minute to delete the few files left in the Library folder.

So, is it worth the hype? Absolutely not. Clickbait mostly in my opinion.

Oracle did not do anything “shady”. Oracle did not “sneak” this toolbar in there. Does Ask.com suck as a search service? Absolutely. Is it annoying to have to reset and uninstall the Ask.com materials after you failed to properly read an installer? Sure, but that’s on you. Is there data theft, ad injection, horrible unspeakable things happening? No. As with all installers, read the information that’s provided. Don’t brainlessly click things you shouldn’t be clicking and you can avoid most of this stuff.

Posted in Security

Old Mac trojan returns

For the past few days I’ve been keeping an eye on reports stating an old Mac trojan, OpinionSpy, is back. Intego has indeed confirmed the old trojan has found its way back to the Mac platform, this time through downloads from download.cnet.com. The application “Free Video Cutter Joiner” will install additional contents if you allow it to. With most people just clicking through installers as fast as they can to get to the good stuff, additional content like this can easily be overlooked.

I have obtained all the samples associated with the above mentioned file and a few others; they will be included in the antivirus test during the next update. In the meantime, watch out for any content from cnet.com and download.com and the following names:
– Free Video Cutter Joiner
– Free MP3 Cutter Joiner
– Audio Converter Mac
– Video Converter Mac
– PremierOpinion
– DVDVideoMedia
See any of these names in a file or website, stay clear for now.

If you use Little Snitch, and you should, look out for any connection attempts to:
– securestudies.com
– premieropinion.com
or any of their subdomains.
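As an added example (not code from the post or from Intego), here is a small Python script that checks observed outbound connections and file names against exactly the indicators listed above. The connection records and file names in it are constructed, not real captures; the one detail worth getting right is that “or any of their subdomains” means matching on label boundaries, so a look-alike such as notpremieropinion.com or securestudies.com.example.org is not flagged.

```python
"""Match connection records and file names against the OpinionSpy
indicators from the post. Added example; sample data is constructed."""
import re

# Indicator domains from the post; each matches itself and any subdomain.
IOC_DOMAINS = ("securestudies.com", "premieropinion.com")

# Names from the post, compared after normalising case and punctuation.
IOC_NAMES = (
    "Free Video Cutter Joiner",
    "Free MP3 Cutter Joiner",
    "Audio Converter Mac",
    "Video Converter Mac",
    "PremierOpinion",
    "DVDVideoMedia",
)


def host_matches(host: str, domain: str) -> bool:
    """True if host equals domain or is a subdomain of it.

    Compares on label boundaries, so 'notpremieropinion.com' and
    'securestudies.com.example.org' do not match. A trailing dot
    (fully qualified form) is tolerated.
    """
    h = host.rstrip(".").lower()
    d = domain.rstrip(".").lower()
    return h == d or h.endswith("." + d)


def is_ioc_host(host: str) -> bool:
    return any(host_matches(host, d) for d in IOC_DOMAINS)


def _normalise(text: str) -> str:
    # Lower-case and collapse every run of punctuation/whitespace to one space,
    # so 'Free_Video_Cutter_Joiner.dmg' compares as 'free video cutter joiner dmg'.
    return re.sub(r"[^a-z0-9]+", " ", text.lower()).strip()


def name_hits(text: str) -> list:
    """Return the IOC names that appear in a file name, path or URL."""
    t = _normalise(text)
    return [n for n in IOC_NAMES if _normalise(n) in t]


def flag_connections(records) -> list:
    """Keep only (process, host) pairs whose host is an IOC domain or subdomain."""
    return [(proc, host) for proc, host in records if is_ioc_host(host)]


# Constructed sample records in the shape (process name, destination host).
# These are illustrative, not real Little Snitch output.
SAMPLE_CONNECTIONS = [
    ("Safari", "www.apple.com"),
    ("PremierOpinion", "ci.premieropinion.com"),
    ("Free Video Cutter Joiner", "api.securestudies.com."),
    ("Mail", "securestudies.com.example.org"),   # look-alike, must not match
    ("curl", "notpremieropinion.com"),            # substring trap, must not match
]

SAMPLE_FILES = [
    "Free_Video_Cutter_Joiner.dmg",
    "DVDVideoMedia-installer.pkg",
    "VLC.dmg",
]

if __name__ == "__main__":
    for proc, host in flag_connections(SAMPLE_CONNECTIONS):
        print(f"BLOCK  {proc:28s} -> {host}")
    for fname in SAMPLE_FILES:
        hits = name_hits(fname)
        print(f"{'AVOID' if hits else 'ok   '}  {fname}  {hits}")
```

The same `host_matches` check is what you would want behind a Little Snitch rule or a DNS log filter: a plain substring search on the domain name would either miss the trailing-dot form or over-match unrelated hosts.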

More info here.

Posted in Security

New Flash Player version available

An updated Flash Player, version 16.0.0.305, is now available for download on the Adobe website. This version patches the zero-day exploit I mentioned a few days ago. All users that have Flash Player installed should update asap. If you had previously disabled Flash Player, just reverse the instructions I gave in that article.

For now users that have Flash Player installed appear to be safe once again. That is until the next vulnerabilities are found which won’t take too long. If you do not absolutely need Flash Player on your system, consider removing it completely. You’ll be much safer out there.

Posted in Security

Apple releases updated FlashBack Malware removal tools

It appears Apple has quietly released an updated tool in the fight against fake Flash Player installers. Two updates showed up today:
Flashback Removal Security Update 1.0, released 02/02/2015 5:09 PM – “This update removes the most common variants of the Flashback malware.” This update also disables the Java plug-in in Safari.
Flashback malware removal tool 1.0, released 02/02/2015 5:09 PM – “This update removes the most common variants of the Flashback malware. This update contains the same malware removal tool as Java for OS X 2012-003. This update is recommended for all Mac users who do not have Java installed”

While both updates appear to do the same thing judging from their descriptions, a look at the installer shows the differences.

Flashback malware removal tool 1.0 installs the actual Flashback malware hunter, an agent called “MRTAgent.app” in /System/Library/CoreServices. The app does not appear to activate until the next restart. At that point two files, /System/Library/LaunchAgents/com.apple.mrt.uiagent.plist and /System/Library/LaunchDaemons/com.apple.mrt.plist, will activate the app and take care of the Flashback ma
Flashback Removal Security Update 1.0 installs the MRTAgent app and related files but also an app that disables Java called “JavaDisabler.app” in /System/Library/CoreServices. An additional file, “com.apple.javadisabler.plist”, is added to /System/Library/LaunchAgents.

The descriptions and links on both updates point to older support pages, no mention is made anywhere that I could find about updated signatures or other changes. The documentation for the removal tool points to this page which was last updated on November 8, 2014. The documentation for the Security Update points to this page which was updated last around the same time as the other page, November 19, 2014.

Until someone digs around in these installers to see what’s new it’s unknown which variants specifically are targeted. It may be the recently discovered OSX.IronCore.A; Apple had already updated XProtect with that signature in December. The fact that the update references the “Java for OS X 2012-003” update that was released in 2012 is a bit confusing. Though I was able to see and download the updates using Software Update Server, none of the Macs on my network appear to be interested in the updates. If you do see these updates appear in your App Store, it’s a good idea to install them. If I find out more details about these updates I’ll post a follow-up.

Posted in Security

New Flash zero-day also targets Mac users

Adobe released a security advisory today. Flash Player versions 16.0.0.296 (the current version) and earlier are vulnerable to an exploit that can cause a crash and potentially allow an attacker to take control of the affected system. This vulnerability is already being exploited in the wild and no patch is available at this time.

We recommend disabling Flash Player until this issue has been patched. Here’s how to do this:
Safari: Open the Safari Preferences and go to the “Security” tab. At the bottom where it says “Internet Plug-ins” click the button “Website Settings”. Click on the “Adobe Flash Player” plug-in and you’ll see a list of allowed websites. If any websites show in this list, click on them once and then remove them by using the “-” button. Set the setting “When visiting other websites:” to “Block”.
Firefox: From the menu bar, Tools menu, select “Add-ons”. Click on the Plugins tab in the left column and set “Shockwave Flash” to “Never Activate” (This should be set to “Ask to Activate” by default for enhanced security on any other day).

The best way is to completely uninstall Flash from your system. I have not had Flash installed for a long time and rarely run in to any websites that require it. To remove Flash from your system download the uninstaller here.

Adobe expects to patch this issue later this week but no timeframe was provided.

Posted in Security

Apple updates Yosemite and Safari

Today Apple released the second update to the latest OS X, 10.10.2.
While the detailed list of security fixes in this update has not yet been released we know from other sources that Apple fixed the Thunderstrike exploit, briefly mentioned in my last post, and three of the vulnerabilities reported by Google last week. Also resolved is an issue where Spotlight would load remote email contents even if Mail itself had this disabled. Some of the other fixes in this release address poor Wi-Fi performance, slow loading webpages, the ability to browse iCloud Drive in Time Machine and Safari stability and security improvements.

Separate Safari updates were released for 10.8 Mountain Lion and 10.9 Mavericks users. Both updates address stability and security. Mountain Lion users will see their version of Safari updated to 6.2.3 and Mavericks users to 7.1.3. Four WebKit issues were addressed in these updates. Safari 8.0.3 for Yosemite users is included in the OS X 10.10.2 update.

Also released was Security Update 2015-001 which “is recommended for all users and improves the security of OS X.” The update is available for 10.9.5 Mavericks users and is included in the OS X 10.10.2 update for Yosemite users. Issues addressed are AFP file sharing, bluetooth, network cache, CoreGraphics and other vulnerabilities. It’s quite a list which can be found here.

It is recommended to update your backups before installing these (or any) updates. In the case of a second OS X release I personally like to download and apply the combo update, this typically has resolved more of the ‘new OS’ bugs than simply running the single version update. At the time of writing the combo update and the above mentioned updates are not available for direct download. Keep an eye on the Apple downloads page where the combo update should pop up soon.

Posted in Security

Just an update (and a bit of a rant ;)

Happy new year everyone and thank you for your support, tips, samples and more over the past year.

I haven’t forgotten about this blog and I still keep my eye on any potential threats that require awareness. The past few months have just been very uneventful when it comes to Mac security. One issue I jumped on immediately was the recent NTP vulnerability but as I was writing the article I realized Apple pushed out this update to all supported Macs. With all clients being updated automatically I felt a post about the issue had little value. Flash player updates have been coming out at a fairly steady pace, every reader should know by now to update as soon as the system prompts for it so these updates also required no posting from my end.

Malware has not been an issue recently so there have been no AV test updates since October. Updating these tests every time a new piece of adware is found would keep me busy full time so I wasn’t going to do that either. I also have been stretched very thin working on a lot of other projects that have been taking up almost all of my time. I would have made the time to report on anything significant but there have not been significant things to report on. One of the potentially big things I have been keeping my eye on since December is Thunderstrike. Currently still a proof of concept (PoC) but definitely something Apple needs to act on fast. Basically someone found a way to infect a Mac at the firmware level using a modified Thunderbolt accessory. Once infected you can reinstall, replace the hard drive, install antivirus and other tools… it won’t help. The Mac belongs to the attacker, as the attacker controls the firmware and the firmware loads before anything else. More information can be found here and the original presentation can be found here (YouTube link). Other projects involving the exploitation of graphics cards (GPUs) are something I also keep track of, but not much has happened recently in that arena. Hacks of sites and services, exploits of certain software, etc.: I’m monitoring it all so I can report on it and let you know ASAP if relevant.

This post is to break the silence and to let you all know I’m still around, keeping my eyes and ears open every day and as soon as something post-worthy comes along you’ll definitely see an article :)

I have also been playing with OS X 10.10 Yosemite since its release.

Posted in Just an update, Security

Knock Knock, who’s there?

I saw an interesting video today which talks about the kinds of OS X malware and the ways they can persist. Now when it comes to ways that OS X malware can keep itself alive even after a reboot there is nothing new in this video, however the tool that was created by the author, Patrick Wardle, is pretty cool. Basically it checks all the locations and ways malware is known to be persistent. The known LaunchDaemons and LaunchAgents, browser plugins/extensions and Login Items are all checked but it goes a little deeper than that. Code is also checked, like plist files’ use of “RunAtLoad” or “KeepAlive”, which could indicate persistent malware.
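To make the launchd part of that concrete, here is an added example (my own, not KnockKnock’s code) that parses launchd property lists the way such a check has to: it reads the `Label`, resolves the program from `Program` or `ProgramArguments`, and reports the two persistence markers named above, `RunAtLoad` and `KeepAlive` (which launchd accepts either as a boolean or as a dictionary of conditions). Two heuristics are added on top and are my assumptions, not something the post or the tool promises: a program living outside /System, /usr, /bin, /sbin or /Applications, and a hidden (dot-prefixed) path component. The two plists are constructed for the example; the look-alike `com.apple.` label in the second one is invented, not a real Apple job.

```python
"""Audit launchd plists for persistence markers. Added example; the
sample plists are constructed and the path heuristics are assumptions."""
import plistlib

# Locations where a program path is unremarkable (assumption, tune per host).
VENDOR_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Applications/")


def audit_launchd_plist(path_hint: str, data: bytes) -> dict:
    """Parse one launchd plist and return what a persistence check cares about."""
    p = plistlib.loads(data)

    args = p.get("ProgramArguments") or []
    program = p.get("Program") or (args[0] if args else None)

    run_at_load = bool(p.get("RunAtLoad", False))
    # KeepAlive is either a bool or a dict of conditions; a dict means
    # "relaunch me under these conditions", so treat it as set.
    ka = p.get("KeepAlive", False)
    keep_alive = True if isinstance(ka, dict) else bool(ka)

    findings = []
    if run_at_load:
        findings.append("RunAtLoad")
    if keep_alive:
        findings.append("KeepAlive")
    if program and not program.startswith(VENDOR_PREFIXES):
        findings.append("program outside vendor paths")
    if program and any(part.startswith(".") for part in program.split("/") if part):
        findings.append("hidden path component")

    return {
        "label": p.get("Label", path_hint),
        "program": program,
        "persistent": run_at_load or keep_alive,
        "findings": findings,
    }


def rank(plists: dict) -> list:
    """Audit {path: bytes} and return labels, most findings first."""
    results = [audit_launchd_plist(path, data) for path, data in plists.items()]
    results.sort(key=lambda r: len(r["findings"]), reverse=True)
    return [r["label"] for r in results]


# Constructed benign job: periodic, no RunAtLoad/KeepAlive, vendor path.
BENIGN = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.logrotate</string>
  <key>ProgramArguments</key><array><string>/usr/sbin/newsyslog</string></array>
  <key>StartInterval</key><integer>1800</integer>
</dict></plist>
"""

# Constructed suspect job: invented Apple-looking label, hidden path under
# /Users/Shared, started at load and kept alive until it exits cleanly.
SUSPECT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.updates.helper</string>
  <key>ProgramArguments</key><array>
    <string>/Users/Shared/.cache/updater</string><string>-d</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><dict><key>SuccessfulExit</key><false/></dict>
</dict></plist>
"""

if __name__ == "__main__":
    samples = {"/Library/LaunchDaemons/a.plist": BENIGN,
               "/Library/LaunchAgents/b.plist": SUSPECT}
    for path, data in samples.items():
        r = audit_launchd_plist(path, data)
        print(f"{r['label']:28s} {r['program']}  {r['findings']}")
```

Run against real directories you would `glob` /Library/LaunchDaemons, /Library/LaunchAgents and ~/Library/LaunchAgents and feed each file’s bytes in; a job that is persistent and points at an unusual path is what to look at first, and the label alone proves nothing, which is exactly why the check resolves the program path.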

The tool is currently in Beta and command line only but worth checking out if you want to learn more about what goes on under the OS X hood. Or maybe you suspect a malware infection and your antivirus product is coming up dry. If you know me you know my opinion of OS X’s built-in anti-malware tools XProtect and Gatekeeper: they are fairly useless. Antivirus applications perform much better and have a much better chance at offering you protection but again, these products are (just like XProtect) reactive. Based on signatures, hashes, location data and file names they almost always offer protection after the fact. True heuristic detection is very hard to find in OS X products, which is sad because that may offer the best possible protection as it is proactive, not reactive. The Knock Knock tool can be easily extended with new plugins. If a new way of persistence is discovered, a simple Python plugin can be written and added to the Knock Knock functionality.

I ran the tool on my Mac and found nothing that shouldn’t be there. When I ran the tool on an infected Mac however, it was able to point out a huge amount of malware. VSearch, Genieo, iWorm, CoinThief, CodecM, Revir, a ton of browser plugins, a keylogger and much more were found to be persistent in one way or another. Over 50 total. Now of course this tool is not an antivirus application. It doesn’t monitor your Mac constantly and it doesn’t tell you “this file belongs to this malware” but I like the functionality it offers. You’ll need to know a bit about OS X, which file belongs and which doesn’t. What is a possible threat and needs further investigating and what is harmless. However for those that want to learn more about their Mac’s internals, think they are infected with malware or research malware, this is a nice tool to add to the collection. If the developer keeps working on this tool, possibly give it a GUI and make it run on a Mac all the time, this would be a great way to keep an eye on your system.

The video can be found here.
The slides for the video can be found here.
Knock Knock can be downloaded here.

Posted in Security

Malware Detection Rate Results

Last updated:
Sunday October 5th, 6:40PM EST
436 Samples, 44 Applications
#1 Avast
#2 Intego
#3 Norman
Get it here.