iOS and OS X updates with security fixes released.

Today Apple released updates for iOS and OS X. The iOS update, 7.1.1, contains bug fixes for Touch ID and keyboard responsiveness as well as 19 security patches. The OS X update focuses on security only.

The Apple TV got a similar security update today.

All the updates fix a rather important SSL bug that allows a man-in-the-middle attacker to intercept secure SSL traffic. The update is available for Lion, Mountain Lion and Mavericks users and should be installed as soon as possible.

This is not related to the now famous Heartbleed bug. Apple products and software are not, and weren’t at any point, vulnerable to this bug unless a custom version of OpenSSL was installed by the user or came bundled with user-installed software.

On iOS devices go to Settings > Software Update or connect the device to iTunes. Mac users can get the update through the Software Update menu or the App Store.

Update: A base station firmware update was also released for AirPort Extreme and AirPort Time Capsule base stations with 802.11ac. This update also addresses an SSL bug.

Posted in Security

Mac How-to, tips, hints and troubleshooting

I have always had a lot of fun helping other people out with their Mac issues. I still do. Over the years I have had several websites that focus on helping out Mac users one way or another. Some survived, others have not.

Providing tips, tricks, ways to troubleshoot and fix is something I have also attempted on a few of my websites and while it started off strong, it faded fast because I did not keep it up to date or relevant. So finally I gave up and left it to those with the experience and time needed to do it right while I focused on other types of content, like the blog you are looking at now.

Last month another website popped up. This site belongs to Topher Kessler whom you may know from CNET’s MacFixIt blog or even the Apple Support Forums. To quote from this new site, called MacIssues:

This Web site is MacIssues.com, a troubleshooting and how-to resource for Apple Macintosh hardware and software, as well as iOS devices.
This site’s focus is on regular troubleshooting articles for how to fix your Mac, customize and tweak it, and use it to best serve your needs. Content is directed for all users, and may be basic details of the OS X interface, through to more complex uses of the OS X Terminal and OS underpinnings.
This site is intended to be a collective effort of the community, so while regular content will be posted, user suggestions, tips, hints, and fixes are welcomed.

As someone that troubleshoots and repairs Mac and iOS issues every day I see great value in websites like these. Even if you currently do not experience any issues, swing by and have a look at the content that’s already there. The site also has a user forum where ideas, suggestions and questions can flow free. The site is new so give it some time to develop. If Topher’s past with MacFixIt is any indication this site will become a very useful resource in the future.

As I mentioned, I have had similar websites in the past and know how much time and effort it takes to keep it relevant and interesting. Tip of the hat to Mr. Kessler for starting fresh, I have no doubt it’ll work out.

Posted in Just an update

A year of AV testing

A little under a year has passed since I took over the AV testing from AppleSerialNumberInfo.com. It has taken up tremendous amounts of time and took a little while to evolve into what it is today. I think by now I have the hang of it though and figured out a good way to test thoroughly, reliably and frequently. For me to do this I had to drop the individual AV product reviews that focused on behavior, resource usage, interface and more as it simply took up way too much time. By focusing purely on the detection of malware I am able to use my time much more efficiently and get much more testing done.

I appreciate all the feedback and help I have gotten from readers all over the world that continue to make this test better!

So, after a year, are there any trends? Have I collected enough data to definitively state a product is the best or the worst? Actually, I haven’t. But I will share what I have observed so far, taken from 22 tests done over the past year.

Posted in Security

Catastrophic bug in OpenSSL

A bug was discovered in OpenSSL, CVE-2014-0160, that has since been named “The Heartbleed Bug”. If you have not heard about this, have a look at this website that explains the bug in detail much better than I can with my limited understanding of crypto. In short:

The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).

The bug is said to affect 2 out of 3 web servers on the internet, which is a staggering amount. This can include your website hosting server, your bank’s web server, email server, etc. What’s worse is that this bug has been around since 2011 and those that have potentially been exploiting this bug have gone undetected as exploits leave no trace on the affected server. OpenSSL is an open source piece of software that is used all over the world including OS X. However, from what I can tell, all versions of OS X are not affected by this bug.

The vulnerability was introduced in OpenSSL version 1.0.1 in early 2012 and was not fixed until April 7th of this year when version 1.0.1g was released. Luckily, Apple had decided to deprecate OpenSSL from its systems in 2012 due to stability issues. The last version of OpenSSL shipped by Apple was 0.9.8y which is still included in the latest 10.9.2 Mavericks. OpenSSL has also never been provided as a part of iOS. This goes for both Client and Server versions of OS X.

Even though Macs and iOS devices are safe from this particular bug, there are still many servers out there that do not run OS X and/or have chosen to upgrade the OpenSSL on their OS X machines themselves. Connecting to these vulnerable servers can still compromise the data that is supposed to be encrypted. Now that the word is out, administrators all over the world are scrambling to update their versions of OpenSSL but it is a race against the clock. As with all newly discovered vulnerabilities there are many people out there that are eager to exploit them before they get fixed. Exploits have already been demonstrated and discussed for Yahoo Mail for example. Any server that has not updated their OpenSSL to version 1.0.1g will remain vulnerable and unfortunately there will be many that take their time updating, if ever. There is a way to use a current version and still patch it to fix the vulnerability. Apparently recompiling OpenSSL with the -DOPENSSL_NO_HEARTBEATS flag is equally effective.
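To apply the version range and rebuild flag described above to a machine you administer, here is an added example that is not part of the original post. The function name `heartbleed_status` and the sample outputs are constructed for illustration; the script only reads the text printed by `openssl version -a`.

```shell
#!/bin/sh
# Added example: classify the text printed by `openssl version -a` using the
# range from the post (1.0.1 up to, not including, 1.0.1g) and the
# -DOPENSSL_NO_HEARTBEATS rebuild option. heartbleed_status is a made-up name.

heartbleed_status() {
    info=$1
    # First line looks like "OpenSSL 1.0.1e 11 Feb 2013"; LibreSSL and other
    # forks do not start with "OpenSSL" and are reported as unknown.
    ver=$(printf '%s\n' "$info" | awk '$1 == "OpenSSL" { print $2; exit }')
    [ -n "$ver" ] || { echo unknown; return 0; }

    base=${ver%%-*}            # drop build suffixes such as "-fips"
    case $base in
        1.0.1|1.0.1[a-f]) ;;   # inside the range named in the post
        *) echo not-affected; return 0 ;;
    esac

    # The "compiler:" line lists the -D flags the library was built with.
    if printf '%s\n' "$info" | grep -q -e '-DOPENSSL_NO_HEARTBEATS'; then
        echo heartbeats-disabled
    else
        echo affected-range
    fi
}

# Constructed sample outputs (not captured from real systems).
SAMPLE_OSX='OpenSSL 0.9.8y 5 Feb 2013
compiler: -arch x86_64 -O3 -DL_ENDIAN'
SAMPLE_AFFECTED='OpenSSL 1.0.1e 11 Feb 2013
compiler: gcc -fPIC -DOPENSSL_THREADS -O2'
SAMPLE_REBUILT='OpenSSL 1.0.1f 6 Jan 2014
compiler: gcc -fPIC -DOPENSSL_THREADS -DOPENSSL_NO_HEARTBEATS -O2'
SAMPLE_FIXED='OpenSSL 1.0.1g 7 Apr 2014
compiler: gcc -fPIC -DOPENSSL_THREADS -O2'

for s in "$SAMPLE_OSX" "$SAMPLE_AFFECTED" "$SAMPLE_REBUILT" "$SAMPLE_FIXED"; do
    printf '%-20s %s\n' "$(heartbleed_status "$s")" \
        "$(printf '%s\n' "$s" | head -n 1)"
done

# Classify the locally installed command-line OpenSSL, if there is one.
if command -v openssl >/dev/null 2>&1; then
    echo "local: $(heartbleed_status "$(openssl version -a 2>/dev/null)")"
fi
```

Some distributions backport the fix without changing the version string, so an `affected-range` result means "check the vendor advisory", not "confirmed vulnerable". The check also only covers the library the `openssl` command itself reports, which may differ from a copy bundled with other software.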

It is recommended to check with the companies/services you use if this bug was a concern and if so, if it has been patched. If it has indeed been patched, change passwords immediately. Changing passwords before the bug is patched is useless as the new password can be compromised just as easily as the old one. Luckily most responsible companies and services are doing everything they can to update their OpenSSL versions and proudly let their customers know this process is underway or completed. For all others, follow up yourself.

For years we assumed this portion of the internet was safe, only to find out later that it was not. Now that there is a fix we can all go back to believing it’s safe, or can we? Probably not. By now we all know that the illusion of safety is just that, an illusion. Ed Snowden has opened our eyes to that. More vulnerabilities will be discovered in systems we trust, not just OpenSSL. As we are not psychics we won’t know what these vulnerabilities will be so it’s hard to prepare but there are some ways you can better protect yourself.

In this particular case, let’s say your mailserver is running a vulnerable version of OpenSSL, and someone has exploited it. That person now has your name and password. If you use the same password for other sites and services, that person can now potentially access those as well, even though those other servers were not vulnerable to this particular bug. So, always use different passwords for different sites and services. This way if one is compromised, the other should be safe. I have covered passwords before here, here and here. Luckily the servers hosting this website, our email, my bank and other services I use have all patched and/or updated their servers.

Update: Something I had not even thought about was brought to my attention by this article. Indeed most modems, routers, firewalls and other network equipment use OpenSSL as well. Disabling remote management features on most common home routers should be enough to protect yourself from this particular bug but this will not be easy on modems, which use SSL connections that allow your Internet Service Provider secure access remotely when you call tech support about an issue.

If readers have more information on this that may be relevant please do not hesitate to leave comments.

More info:
- Business Insider
- CNN

Posted in Security

Adobe updates Flash Player

Adobe released updates to its Flash Player versions for Mac, Windows and Linux today. Update your versions as soon as possible via System Preferences > Flash Player > Advanced or download a fresh copy from the Adobe website.

The full bulletin can be found here.

Update: Read the comments to this post to find out more about this particular update. Thanks Al for the heads up.

Posted in Security

New version of VirusBarrier included in test

Naturally one day after I update the test I find out Intego has released a new version of VirusBarrier, X8. Serves me right for not paying closer attention. Some of the new features listed are:

  • New:  Revised and polished User Interface to improve the customer experience
  • New:  Low priority scan setting to enhance system performance while scanning
  • New:  Audible alerts on scan completion
  • New:  Scan information available from Mac OS X Notification Center
  • New:  Easy-to-use Setup Assistant for first time users
  • New:  Improved scanning performance and malware detection

I immediately downloaded it, installed it into a virtual machine crawling with nasties and let it rip. Here are my findings:

I like the interface, it’s clean, simple and seems more responsive.
The X8 trial is crippled, meaning it will find malware but any cleaning or quarantine features are disabled. So when malware is found you are forced to “Trust” it as it is the only action available. In my opinion a “Cancel” button alongside the other options would have been better.

After entering a license code and restarting the app the test was underway. Not surprisingly the results are near identical to the previous 2013 (X7) version; however, I did experience a few more issues with stability. If samples were encountered that could not be cleaned, the status window would just show a spinning gear that simply lasts forever. X8 has to be force quit and restarted. However after a force quit the software becomes mostly useless as it’s suddenly unable to detect anything. So the whole Mac needs to be restarted. This happened a few times while working on the samples from 2007 and 2013.

When dropping multiple folders onto the X8 interface it will give separate prompts for each folder scanned. Occasionally after repairing a found infection it will just continue scanning that folder in the sidebar even though it is already finished. This happens to the last folder that is scanned 9 out of 10 times. Again a restart of the application is needed to clear this up or just scanning something else will cause X8 to snap out of it too.

X8 has issues cleaning .pkg and .app files, leaving more than half as many files to be cleaned by the user compared to the previous version.

Overall this new release of VirusBarrier is a little rough around the edges but has great detection results still. Even with the few issues I found and the few samples that were missed X8 is still 5% better (in this test) than the current runner-up, Avast.

Tests with and without the new “Scan with low priority” setting show no differences in CPU usage at all on the quad-core virtual machine. Perhaps older Core 2 Duo machines will see a benefit to using this feature but any Macs with an i5 or newer processor have no need for this as far as I can tell.

For current VirusBarrier 2013 and even VirusBarrier X6 users I’d say hold off on upgrading for a little while until the bugs are ironed out. For those that do want to give it a try you can find it here.

The detection results can be found in the PDF. Current X6 users can enjoy great protection as long as the virus definitions are kept up to date. The only reason these users will have to upgrade to a newer version is incompatibility with future versions of OS X but I hear from X6 users it runs just fine on 10.9 Mavericks. VirusBarrier X6 has proven itself by now so I see no need for future testing of this discontinued product.

Posted in Security

Malware detection rates updated

Sorry for the wait folks, I’ve been quite busy lately. Finally got around to updating the antivirus test, the results can be found here.

The virtual machines were updated with the latest available software (still OS X 10.8.5 though), plugins and some new malware.
New software since last test:
- iTunes 11.1.5
- Security Update 2014-001
- Mac App Store Update 1.0
- Latest Browsers
• Firefox 28, automatically disabled the Codec-M add-on.
• Chrome 33.0.1750.152
• Opera 20.0.1387.82
New plugins since last test:
- Flash Player 12.0.0.77
- Java Version 7 Update 51 (re-installed)
New malware since last test:
- Tored (2009)
- DevilRobber / Miner (2011)
- Musminim / BlackHole (2011)
- Tsunami / Kaiten (2011)
- Dockster / Maljava (2012)
- GetShell (2012)
- SMSSend (2012)
- LaoShu.A (2014)
- Careto / Mask (2014)
- CoinThief (2014)
- NetWeird / WireNet (2014)
- VSearch (2014)
Total samples are now 420

I also introduced some false positives. These are files that are very close to infected samples but are actually harmless. An antivirus application should not detect any of them. This list will grow in future tests. MD5 hashes were added to the trace files where available; these can be found on the far right side of the PDF.

NetWeird, even though most samples are blocked by XProtect now, was still able to install itself on the system as the invisible folder ‘.Install’ with the Host file in it was found in my home directory.

A new AV was added called Max Secure Antivirus.

In January ClamXav had asked to be re-tested as they made some significant changes to their product. I tested ClamXav again and indeed they have noticeably improved their detection rates. With the updates and improvements the ClamXav team have made, their AV now finds itself amongst the top.

There’s more work to be done but this update at least brings the AV with 80% or more up to date. The rest will be done soon.

Posted in Security

Safari Updates

Apple released updates for Safari 6 and 7. The versions, once installed, are 6.1.3 and 7.0.3. Apart from a few enhancements there are also some security fixes. The full list of enhancements can be found in the update description in the App Store and the security content can be found here.

Posted in Security

Could it be? USB Syncing of Contacts and Calendars returns in Mavericks?

An article on MacRumors today tells us that Apple has re-enabled the syncing of Contacts and Calendars in a beta version of iTunes 11.1.6. Whether this feature is back because of the iTunes beta or the latest developer seed of Mavericks 10.9.3 is unknown but it has a lot of people very excited, including myself.

Since the USB sync of Contacts and Calendars was lost when Mavericks was installed I decided to set up my own server instead. This has been a great learning experience but given the choice I would prefer to sync with a USB cable. It looks like soon this will be a possibility again. I found an application currently in beta a short while ago called SyncMate 5 and shared this with others who did not like the idea of being forced to use iCloud as an alternative. Overall the response was good and quite a few were happy with it including myself. However nothing is better than the built-in functionality to sync over USB, so if Apple is really giving us the local sync feature back applications like SyncMate and server solutions will probably be dropped by those that only adopted it as a replacement for local sync.

I will keep running my server to test/experiment and maybe even replace USB sync at some point but it will be whenever I am ready, not when Apple decides I am ready :)

Posted in Just an update

Firefox updated. New features and Security fixes.

Today Mozilla released Firefox version 28 for Mac, Linux, Windows and Android. Mac users can now enjoy Notification Center support and other additions. This release also had several security fixes; 5 critical, 3 high, 7 moderate and 3 low priority. To update your Firefox go to the Firefox menu and select “About Firefox”. The about window will show you the current version and if your version needs updating. You can also get the latest version directly from the Mozilla website.

The full changelog can be found here. If you are only interested in the security fixes you can find those here.

Posted in Security

Malware Detection Rate Results

Last updated:
Friday April 5th, 2:54PM EST
420 Samples, 43 Applications
#1 Intego
#2 Avast
#3 Dr.Web
Get it here.
