Apple releases updates for OS X and iOS

While you’re reading this, have your Time Machine or other backup running.

Today Apple released software updates for OS X and iOS. The update for iOS is 8.4 and its main purpose is the introduction of iTunes Music, but as always some security related issues were addressed as well. A total of 35 security issues were fixed, making this more than just a music service update. Back up your iOS devices to iCloud or iTunes and install the update when you can. Read the installer for all the details on what the update has to offer.

For OS X users we got a new version of Safari. Available for users of OS X 10.8.5, 10.9.5 and 10.10.3. While only 4 WebKit issues were addressed, they are not insignificant:
• A maliciously crafted website can access the WebSQL databases of other websites.
• Visiting a maliciously crafted website may lead to account takeover.
• Clicking a maliciously crafted link in a PDF embedded in a webpage may lead to cookie theft or user information leakage.
• Visiting a maliciously crafted webpage may lead to an unexpected application termination or arbitrary code execution.
By installing this update, Mountain Lion users will get Safari 6.2.7, Mavericks users will get Safari 7.1.7 and Yosemite users will get Safari 8.0.7. It is recommended to install this update soon, especially if Safari is your primary browser.

Also released today was OS X Yosemite 10.10.4. Fixing a whopping 79 security issues, it is recommended you install this update as soon as you can. A few of the security fixes are:
• (Admin Framework) A process may gain admin privileges without proper authentication.
• (Admin Framework) A non-admin user may obtain admin rights.
• (Admin Framework) An attacker may abuse Directory Utility to gain root privileges.
• (ATS) Processing a maliciously crafted font file may lead to an unexpected application termination or arbitrary code execution.
• (Bluetooth) A malicious application may be able to execute arbitrary code with system privileges.
• (Certificate Trust Policy) An attacker with a privileged network position may be able to intercept network traffic.
• (EFI) A malicious application with root privileges may be able to modify EFI flash memory.
• (EFI) A malicious application may induce memory corruption to escalate privileges.
The list goes on and on. While I have not confirmed this yet, some or all of the included security fixes address the recently discussed XARA vulnerabilities, which makes this (amongst many reasons) a great update. The included EFI fixes address a serious vulnerability that was recently found and could compromise a Mac. Another reason a lot of people are excited about the 10.10.4 update is the return of mDNSResponder. Starting with OS X 10.10 Apple replaced the process with Discoveryd, a move that was ill advised since the very beginning but Apple did it anyway. A host of network related issues, high CPU usage, battery life problems, wake from sleep issues and more were attributed to this new process. It’s finally gone, making folks very excited to see all those issues (hopefully) disappear. If you experienced any of these issues, Wi-Fi issues and network issues in general, this update might solve your woes. I am hoping the removal of the dreaded Discoveryd process will return my OS X server to something worth having.

That brings us to the next update specifically for OS X 10.8 Mountain Lion and 10.9 Mavericks users. It’s called “Mac EFI Security Update 2015-001” and addresses the same EFI vulnerability mentioned above. While OS X 10.10 Yosemite users have this EFI fix included in the 10.10.4 update, users of older OS X versions must install this stand-alone update. Backing up your data before any update is a good idea but with EFI Firmware updates, make extra sure your backup is recent and in working order. A software update gone bad can be fixed with a reinstall. A firmware update gone bad can result in your Mac becoming a brick with no way to reinstall. I have updated over 65 machines this afternoon without a single issue but you never know. Better safe than sorry.

Update your backups and start installing updates!

Posted in Security Tagged with: , , , , ,

XARA sets its sights on OS X and iOS

Researchers have discovered “a series of high-impact security weaknesses, which enable a sandboxed malicious app, approved by the Apple Stores, to gain unauthorized access to other apps’ sensitive data.” Sounds ominous huh? It is.

The researchers built a malicious app, submitted it to Apple, beat all the tests and security screenings and got the app into the App Store. This app was able to snatch data from the keychain (where all your passwords live on a Mac) using a very simple trick. Your keychain allows the sharing of resources. Your stored Facebook password for example can be accessed by other applications if you allow it. This app created a false entry for Facebook stored login credentials. Next time the user actually logs in to Facebook the login details are stored in the keychain entry created by the malicious app. Now the app has your Facebook login credentials. You can imagine a truly malicious app by malware creators will go after your entire keychain and harvest whatever it can. They routed their app through Apple to make a point but of course malware can come from any source.

The above described method is just one of the cross-app resource access (XARA) attacks that were performed. WebSocket and Scheme were also tested and did not fare well. Even the implementation of sandboxing (making sure each app stays in its own confined space and can’t access data it shouldn’t) Apple uses was found to be flawed, “exposing an app’s private directory to the sandboxed malware that hijacks its Apple Bundle ID.” The Bundle ID is a unique identifier for each app that comes from the App Store. Applications that use bundled helper apps like 1Password have a Bundle ID but the helper app does not. In the case of 1Password that would be the browser extension. The researchers found that they were able to intercept traffic between 1Password and the browser extension, giving them access to the things you don’t want anyone to access.

1Password has been working on this issue for a while and has yet to find a fix. All they can do is recommend users always keep their 1Password Mini running and pay attention to what you install. The reason for their first suggestion is that the researchers launched the malware before 1Password Mini and were able to accomplish the intercept of sensitive data. If 1Password Mini launches right when you log in to your Mac, the malware should not be able to get between 1Password Mini and the browser extension. AgileBits’ full discussion on this topic can be found here.

To allow applications to communicate with their helpers they often set up a server. In the case of 1Password, the application runs a server and opens a few different ports waiting for requests from the browser extension. That inter-app communication is the weak link. It might even be the communication between the 1Password Mini and the 1Password app, I’m not sure. Either way, there is no fix as of yet. Disabling the browser extension won’t help, disabling 1Password Mini won’t help and clearing all names and passwords from your system and keeping them in a notepad is not only a very bad idea, it’s just impractical.

“Fundamentally, these problems are caused by the lack of app-to-app and app-to-OS authentications,” the researchers pointed out. To see just how widespread these issues were, they developed a scanner that automatically analyzed OS X and iOS app binaries.

“In our study, we ran the analyzer on 1,612 most popular MAC apps and 200 iOS apps, and found that more than 88.6% of the apps using those mechanisms and channels are completely exposed to the XARA attacks, and every app’s container directory has been fully disclosed. The consequences are dire: for example, on the latest Mac OS X 10.10.3, our sandboxed app successfully retrieved from the system’s keychain the passwords and secret tokens of iCloud, email and all kinds of social networks stored there by the system app Internet Accounts, and bank and Gmail passwords from Google Chrome; from various IPC channels, we intercepted user passwords maintained by the popular 1Password app (ranked 3rd by the MAC App Store) and the secret token of Evernote (ranked 3rd in the free “Productivity” apps); also, through exploiting the BID vulnerability, our app collected all the private notes under Evernote and all the photos under WeChat. We reported our findings to Apple and other software vendors, who all acknowledged their importance.”

Affected apps and services include iCloud, Gmail, Google Drive, Facebook, Twitter, Chrome, 1Password, Evernote, Pushbullet, Dropbox, Instagram, WhatsApp, Pinterest, Dashlane, AnyDo, Pocket and several others.
XARA

I can go on and on sharing every step of the research, rag on Apple for not fixing these issues (they have known since October 2014) and get into the technicalities but for now all you need to know is this:
• These vulnerabilities are huge and there is no fix.
• Now that the news is out, bad guys will jump on this and implement it in their malware.
• Right now no known malware uses these techniques.
• Malicious apps can come from any source, including the App Store.

Until more is known and Apple provides a fix, continue using your best practices.
• Don’t install software unless you absolutely need it.
• Whatever you do install should come from a well known reputable developer and only from original sources (developer website or App Store).
• Use Little Snitch. Any malicious application that uses these techniques will have to send your stolen data somewhere. Little Snitch will show you that outgoing connection attempt and if it’s something you don’t recognize or find suspicious, block it. In theory, even if you were to be infected with this type of malware, the stolen data will remain on your system.

Unfortunately iOS does not have a Little Snitch and was found to be vulnerable as well, though not as much as OS X. So be extra careful with what you install on your iDevice.

[UPDATE] Friday June 19th.
Apple has commented stating: “Earlier this week we implemented a server-side app security update that secures app data and blocks apps with sandbox configuration issues from the Mac App Store,” an Apple spokesperson told iMore. “We have additional fixes in progress and are working with the researchers to investigate the claims in their paper.”

The full report can be found here. (PDF, Links to Google Drive)
A youtube video that shows how one of the exploits can work can be seen here.
A youtube video that shows how a WebSocket attack against 1Password is done can be seen here.
And how to steal iCloud tokens in a Keychain attack… here.


Knock Knock, me again!

Last October I wrote an article about Knock Knock, a tool that checks common hiding places of malware. You can read this article here. Overall a good tool but it was command line only. Immediately after writing the article I was asked both in the comments and via email to do a follow up piece with instructions on how to use it. I said I would but I never got around to it. The article ended with me saying the following “If the developer keeps working on this tool, possibly give it a GUI and make it run on a Mac all the time, this would be a great way to keep an eye on your system.”.

Today I received an email from the Knock Knock creator, Patrick Wardle, to say that he had done just that. Knock Knock now has a neat user interface which will make it a lot easier and more fun (for nerds like me anyway) to use. On top of that he integrated VirusTotal so you can see if a particular file is thought of as malware. VirusTotal is not foolproof and may not show a detection for everything but it can certainly give a good indication as to whether a file should be investigated further.

Let’s take it for a spin and see what we got!
If you prefer to explore for yourself, download Knock Knock here.

The application is a very light 1.5MB and the UI is very clean. I tested the app on my main system first (OS X 10.10.3). Simply clicking the “Start Scan” button immediately resulted in a permission request dialog asking me if Knock Knock could access confidential information from the Safari Extensions List. I allowed it once, then did another scan and denied the access. Allow or Deny, the scan still shows you results for browser extensions, the only difference is that Safari results are omitted if you deny the access. I believe you can safely allow this access. Knock Knock only attempted to make one connection to a remote server during and after the scan, to Google for the VirusTotal results. The connection to “ghs-svc-https-c46.ghs-ssl.googlehosted.com” was blocked by my Little Snitch so initially I did not get any VirusTotal results. If you block any and all Google related connections, Knock Knock still functions. You just miss out on the VirusTotal results which could help you if you are new at this.

Knock Knock showed me a little over 30 results which were all clean. This list may seem small but this is because Knock Knock omits OS and known items. If you want the full list, every kernel extension and login item, click the gear and check “show os/known items”. Then run the scan again. If you do not want to confuse yourself, stick with the default settings. In the preferences you can also disable VirusTotal integration and enable the app to save the results for you. If enabled, there will be a “kkFindings.txt” in your downloads folder after a scan. Make sure you rename that text file if you want to save the results as Knock Knock will overwrite that same file with the next scan results. A little colored lock icon also shows if a found file is signed or unsigned which can be helpful.

Everything looks and works well on a clean system. No abnormal CPU or memory usage, no hangs or freezes. Let’s see how it handles an infected OS.

Thanks to the VirusTotal integration it’s very obvious if something is detected. Knock Knock will mark the category that has potentially infected items in bright red and the individual suspect files show their VirusTotal score in red as well. As mentioned before, VirusTotal is not foolproof so as expected a lot of files were not flagged as malware. To be clear, Knock Knock showed them all, VirusTotal just didn’t flag them. The files that you want gone can easily be exposed with the “show” icon which will take you to the Finder location of that file.
I did notice that on the infected system (OS X 10.9.5) Knock Knock did not prompt me for access to Safari Extensions and no Safari extensions were listed in the scan results, even though Safari is heavily infected with all kinds of malware. It did find Chrome and Firefox extensions. Even with this small issue, I still recommend at least trying Knock Knock 1.0.0. Keep it on your system if you like it/find it helpful and, just like AdwareMedic, run it periodically to see if anything shows up that raises red flags.

Knock Knock is not an all-in-one security solution, such solutions do not exist. As mentioned before, the best security comes in layers and Knock Knock is certainly one of many layers worth having.

UPDATE: Patrick sent me an email today where he told me the issue with Safari extensions on older systems was resolved. Knock Knock 1.2.2 can be downloaded at the link below.

Previous writeup on Knock Knock.
Knock Knock download and basic instructions.
Also mentioned: AdwareMedic
Also mentioned: Little Snitch


Comments temporarily disabled – Updated

Due to a serious vulnerability discovered in the WordPress platform, comments have been disabled throughout the entire site. As soon as WordPress offers a patch comments will be re-enabled.

Update:
WordPress has not addressed this issue yet, but thanks to a workaround by Arnaud that limits the comment size I was able to allow comments again.

Update 2:
WordPress has rolled out an update with a patch for the issue.


Updates for OS X and iOS

Apple today released updates for OS X Yosemite and iOS 8.
As usual it is recommended to install these updates as they include a slew of security patches but also bug fixes and enhancements.
Some users may also see a separate security update available (Security Update 2015-004) and/or a Safari update (6.2.5 or 7.1.5).

The list of security patches, fixes and enhancements is long so rather than listing them all, here are some links:

OS X 10.10.3 Update (General Info) (Security Content) (Download)
OS X 10.10.3 Combo Update (General Info) (Security Content) (Download)

Security Update 2015-004 for Mountain Lion (Download)
Security Update 2015-004 for Mavericks (Download)

Download size can vary depending on the source. The download site lists file sizes of 1.52GB for the 10.10.3 Update and 2GB for the 10.10.3 Combo Update. OS X Server’s Software Update service lists 2.6GB for the regular update and 2.3GB for the Combo Update. Use the links above to go to Apple’s download page, use Software Update on Mountain Lion and Mavericks or use the App Store’s Updates tab on Yosemite to get these updates and Safari as well.

iOS 8.3 was also released and includes a long long list of fixes and enhancements, info on that can be found here.

As always, back up your Mac and iOS device before installing any updates.


Apple releases security updates, iOS 8.2 and Apple TV 7.1

(Updates may not be available yet for download. They should be available to everyone before the end of the day)

Apple today released a security update for its three most recent OS X systems, iOS 8.2 and Apple TV 7.1, which also includes security fixes.

For OS X 10.8.5 Mountain Lion, 10.9.5 Mavericks and 10.10.2 Yosemite users the update “Security Update 2015-002” is available and (depending on the version of OS X you use) contains security fixes for iCloud Keychain, the Kernel and Secure Transport. The Secure Transport patch addresses the recently discovered FREAK vulnerability.

iOS 8.2 is available for iPhone 4S and later and addresses vulnerabilities in SMS Messaging, iCloud Keychain and Secure Transport.

Apple TV 7.1 update also addresses the FREAK vulnerability.

All users are recommended to install the security update on Mac and iOS update on applicable devices. Mac users can use their usual Software Update methods, iOS users can update through iTunes or by going to Settings > General > Software Update. Back up your Mac or iDevice before installing updates just as a precaution.

More info on Security Update 2015-002
More Info on the security contents of iOS 8.2
More info on the security content of Apple TV 7.1

Of course iOS 8.2 is not just about security patches. There is improved stability for several apps and processes, bug fixes, Apple Watch support and Health App improvements.


Java installs adware. If you allow it. Relax people.

Java is now bundled with an Ask.com toolbar. The web is blowing up about it. “Beware”, “Adware”, “shady”, “Sneaking” and other terms are used. Is this just a hype or is there something to these claims? Let’s find out.

I set up a brand new Virtual Machine, installed all the latest updates, the latest browsers, the latest versions of Flash Player and Little Snitch. I downloaded the latest version of Java directly from its source, oracle.com. When the download is selected it leads to the Java.com website (https://www.java.com/en/download/). The latest version at the time is Version 8 Update 40.

Adware is free software sponsored by ads. Toolbars are usually a form of adware. I use free software that is sponsored by ads on my Mac and my iPhone; there is nothing wrong with adware. When adware starts to act like spyware and injects ads in places it should not be, then there’s a problem.

I ran the Java installer and found clear mention of the Ask.com toolbar with two options:
– Set Ask as my default search provider
– Set Ask.com as my browser home page and new tabs page

If these boxes are unchecked, you guessed it, just Java is installed. But let’s behave like the typical user and click “Next” as fast as we can, completely ignoring all the information the installer provides.

The toolbar is installed in Safari and both the default search and home pages are changed to ask.com. Firefox users (as we should all be imo) get a warning stating a 3rd party is attempting to modify Firefox. You must allow it to be activated. If you do not allow this, the add-on will be installed but de-activated by Firefox. It does however change your default home page and search engine.

Here is what I’ve found:
– If you READ the installer information this toolbar will never make it on to your system.
– If you did manage to just click “Next” and get the toolbar installed, Firefox warns you about it and you must provide additional approval to activate the toolbar. Safari users are stuck with the toolbar immediately.
– Your new Ask.com homepage clearly shows links to how you can reset your homepage or remove the toolbar. They do not try to hide it.
– The toolbar does not inject ads anywhere they should not be.
– There are no additional processes running because of the toolbar.
– No dubious server connections are made by the toolbar.
– It takes 10 seconds to reset your home page, search engine and uninstall the toolbar in Safari.
– It takes 19 seconds to reset your home page, search engine and remove the toolbar from Firefox.
– It takes a minute to delete the few files left in the Library folder.

So, is it worth the hype? Absolutely not. Clickbait mostly in my opinion.

Oracle did not do anything “shady”. Oracle did not “sneak” this toolbar in there. Does Ask.com suck as a search service? Absolutely. Is it annoying to have to reset and uninstall the Ask.com materials after you failed to properly read an installer? Sure, but that’s on you. Is there data theft, ad injection, horrible unspeakable things happening? No. As with all installers, read the information that’s provided. Don’t brainlessly click things you shouldn’t be clicking and you can avoid most of this stuff.


Old Mac trojan returns

For the past few days I’ve been keeping an eye on reports stating an old Mac trojan, OpinionSpy, is back. Intego has indeed confirmed the old trojan has found its way back to the Mac platform, this time through downloads from download.cnet.com. The application “Free Video Cutter Joiner” will install additional contents if you allow it to. With most people just clicking through installers as fast as they can to get to the good stuff, additional content like this can easily be overlooked.

I have obtained all the samples associated with the above mentioned file and a few others; they will be included in the antivirus test during the next update. In the meantime, watch out for any content from cnet.com and download.com and the following names:
– Free Video Cutter Joiner
– Free MP3 Cutter Joiner
– Audio Converter Mac
– Video Converter Mac
– PremierOpinion
– DVDVideoMedia
If you see any of these names in a file or website, steer clear for now.

If you use Little Snitch, and you should, look out for any connection attempts to:
– securestudies.com
– premieropinion.com
or any of their subdomains.

More info here.


New Flash Player version available

An updated Flash Player, version 16.0.0.305, is now available for download on the Adobe website. This version patches the zero-day exploit I mentioned a few days ago. All users that have Flash Player installed should update asap. If you had previously disabled Flash Player just reverse the instruction I gave in the previously mentioned article.

For now users that have Flash Player installed appear to be safe once again. That is until the next vulnerabilities are found which won’t take too long. If you do not absolutely need Flash Player on your system, consider removing it completely. You’ll be much safer out there.


Apple releases updated FlashBack Malware removal tools

It appears Apple has quietly released an updated tool in the fight against fake Flash Player installers. Two updates showed up today:
Flashback Removal Security Update 1.0, released 02/02/2015 5:09 PM – “This update removes the most common variants of the Flashback malware.” This update also disables the Java plug-in in Safari.
Flashback malware removal tool 1.0, released 02/02/2015 5:09 PM – “This update removes the most common variants of the Flashback malware. This update contains the same malware removal tool as Java for OS X 2012-003. This update is recommended for all Mac users who do not have Java installed”

While both updates appear to do the same thing judging from their descriptions, a look at the installer shows the differences.

Flashback malware removal tool 1.0 installs the actual Flashback malware hunter, an agent called “MRTAgent.app” in /System/Library/CoreServices. The app does not appear to activate until the next restart. At that point two files, in /System/Library/LaunchAgents (com.apple.mrt.uiagent.plist) and /System/Library/LaunchDaemons (com.apple.mrt.plist), will activate the app and take care of the Flashback ma
Flashback Removal Security Update 1.0 installs the MRTAgent app and related files but also an app that disables Java called “JavaDisabler.app” in /System/Library/CoreServices. An additional file is added to the System LaunchAgents folder: “com.apple.javadisabler.plist”.
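The launchd plists described above are exactly the kind of persistence location that Knock Knock (reviewed earlier on this page) enumerates, hides when they belong to the OS, and hashes for VirusTotal. The following is an added example, not code from Knock Knock, Apple or this blog: a small launchd persistence reviewer that parses a plist, pulls out the program it starts, applies Knock Knock's "hide OS items" idea, and flags a few traits worth a second look. The sample plist, the `com.example.updater` label and the "unusual location" heuristics are constructed assumptions, not values from the page.

```python
"""Minimal launchd persistence reviewer (added example, not Knock Knock's own code)."""
import hashlib
import os
import plistlib
from typing import List, Optional

# Folders launchd reads persistent jobs from (standard macOS locations).
LAUNCHD_DIRS = [
    "/Library/LaunchAgents", "/Library/LaunchDaemons",
    "/System/Library/LaunchAgents", "/System/Library/LaunchDaemons",
    os.path.expanduser("~/Library/LaunchAgents"),
]
# Assumed heuristic: binaries started from these prefixes deserve a closer look.
UNUSUAL_PREFIXES = ("/tmp/", "/private/tmp/", "/Users/Shared/", "/var/tmp/")

# Constructed sample plist (made-up label and path), shaped like a real launchd job.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array><string>/Users/Shared/.hidden/updater</string><string>--silent</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>
"""


def parse_launchd_plist(data: bytes) -> dict:
    """Extract the fields that matter when reviewing a launchd job."""
    pl = plistlib.loads(data)
    args = list(pl.get("ProgramArguments") or [])
    # launchd uses Program if present, otherwise argv[0] of ProgramArguments.
    program = pl.get("Program") or (args[0] if args else None)
    return {
        "label": pl.get("Label"),
        "program": program,
        "arguments": args,
        "run_at_load": bool(pl.get("RunAtLoad", False)),
        "keep_alive": bool(pl.get("KeepAlive", False)),
    }


def is_os_item(label: Optional[str], program: Optional[str]) -> bool:
    """Approximation of Knock Knock's default 'hide OS/known items' rule."""
    return (label or "").startswith("com.apple.") and (program or "").startswith("/System/")


def sha256_of(path: str) -> Optional[str]:
    """Hash the started binary; this is the value you would look up on VirusTotal."""
    try:
        with open(path, "rb") as f:
            return hashlib.sha256(f.read()).hexdigest()
    except OSError:
        return None  # orphaned plist: the binary is gone, still worth noting


def review_item(data: bytes) -> dict:
    """Parse one plist and attach the review flags a defender cares about."""
    item = parse_launchd_plist(data)
    prog = item["program"] or ""
    item["os_item"] = is_os_item(item["label"], prog)
    item["sha256"] = sha256_of(prog) if prog else None
    flags: List[str] = []
    if item["run_at_load"]:
        flags.append("runs at login/boot")
    if item["keep_alive"]:
        flags.append("restarted if killed")
    if "/." in prog:
        flags.append("hidden path component")
    if prog.startswith(UNUSUAL_PREFIXES):
        flags.append("unusual location")
    if prog and item["sha256"] is None:
        flags.append("binary missing")
    item["flags"] = flags
    return item


def scan(dirs: List[str] = LAUNCHD_DIRS, show_os_items: bool = False) -> List[dict]:
    """Review every plist in the launchd folders, hiding OS items by default."""
    results = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if not name.endswith(".plist"):
                continue
            path = os.path.join(d, name)
            try:
                with open(path, "rb") as f:
                    item = review_item(f.read())
            except Exception:  # unreadable or malformed plist, skip it
                continue
            item["plist"] = path
            if show_os_items or not item["os_item"]:
                results.append(item)
    return results


if __name__ == "__main__":
    for it in scan():
        print(it["plist"], it["program"], it["sha256"], ", ".join(it["flags"]))
```

Run it on a Mac to get a Knock Knock style list of third-party launchd jobs with hashes ready for a VirusTotal lookup; on other systems it simply finds no launchd folders.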

The descriptions and links on both updates point to older support pages, no mention is made anywhere that I could find about updated signatures or other changes. The documentation for the removal tool points to this page which was last updated on November 8, 2014. The documentation for the Security Update points to this page which was updated last around the same time as the other page, November 19, 2014.

Until someone digs around in these installers to see what’s new it’s unknown which variants specifically are targeted. It may be the recently discovered OSX.IronCore.A, Apple had already updated their XProtect with the signature in December. The fact that the update references the “Java for OS X 2012-003” update that was released in 2012 is a bit confusing. Though I was able to see and download the updates using Software Update Server, none of the Macs on my network appear to be interested in the updates. If you do see these updates appear in your App Store, it’s a good idea to install them. If I find out more details about these updates I’ll post a follow-up.


Malware Detection Rate Results

Last updated:
Sunday October 5th, 6:40PM EST
436 Samples, 44 Applications
#1 Avast
#2 Intego
#3 Norman
Get it here.