Apple patches Bash vulnerability

Since late last week the internet has been buzzing about something named Shellshock. The Bash shell is something most users will never know or hear about; it runs under the hood of OS X and other major operating systems and is critical for a lot of tasks. The flaw that was discovered last week allows an attacker to take over your machine if certain conditions are met, and it was already being exploited online shortly after its discovery.

Apple stated that most Mac users were safe from Shellshock as remote services like web sharing are disabled by default. OS X Server users were not mentioned but I consider them to be at far more risk as it is much easier to set up and enable a web server or other remote services. However, this bug was serious enough to get Apple’s immediate attention and today they released a software patch, “OS X bash Update 1.0”. Strangely, this update cannot be found through the normal software update process but has to be downloaded from Apple’s website.

The patch was released for the last three operating systems and can be found here:
– OS X 10.7 Lion
– OS X 10.8 Mountain Lion
– OS X 10.9 Mavericks
No restart is required to install this security patch.

All Mac users running any of those OS X versions should download and install it immediately.
The fact that this update is not available through the Software Update menu or the App Store is a concern. It means that a lot of OS X users may never install the update. Hopefully this will be corrected.
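Because the update has to be fetched by hand, it is worth verifying afterwards that the bash on a given Mac is actually patched. The following Python script is an added example, not code from the original post or from Apple: it runs the widely published environment-variable probe for the original Shellshock function-import flaw against the local bash and records the version string alongside the verdict. The canary string, the helper names and the "no-bash" verdict are this example's own conventions.

```python
"""Added example (not from the original post): check whether the local bash
is patched against the Shellshock function-import flaw described above.

The probe exports an environment variable whose value looks like a bash
function definition followed by an extra command. An unpatched bash runs
that extra command while importing the environment; a patched bash treats
the value as an ordinary string. Canary and helper names are this
example's own choices, not anything from Apple's update."""
import shutil
import subprocess
from typing import Optional

CANARY = "SHELLSHOCK-PROBE"
# Constructed probe environment: the trailing command only echoes the canary.
PROBE_ENV = {"x": "() { :;}; echo " + CANARY}


def classify_bash_output(stdout: str) -> str:
    """'vulnerable' if the canary appeared on its own line, else 'patched'."""
    return "vulnerable" if CANARY in stdout.splitlines() else "patched"


def check_bash(bash_path: Optional[str] = None) -> str:
    """Run the probe against the given (or first found) bash binary."""
    path = bash_path or shutil.which("bash")
    if path is None:
        return "no-bash"
    try:
        result = subprocess.run(
            [path, "-c", "echo probe-done"],  # the only command we actually ask for
            env=PROBE_ENV,                    # nothing else, so PATH cannot interfere
            capture_output=True, text=True, timeout=10,
        )
    except FileNotFoundError:
        return "no-bash"
    return classify_bash_output(result.stdout)


def bash_version(bash_path: Optional[str] = None) -> str:
    """First line of `bash --version`, to record alongside the verdict."""
    path = bash_path or shutil.which("bash")
    if path is None:
        return "no-bash"
    try:
        out = subprocess.run([path, "--version"], capture_output=True,
                             text=True, timeout=10)
    except FileNotFoundError:
        return "no-bash"
    return out.stdout.splitlines()[0] if out.stdout else ""


if __name__ == "__main__":
    print(bash_version())
    print("bash is", check_bash())
```

Run it with the system's default bash (`/bin/bash` on OS X) before and after installing the update; a patched bash prints only `probe-done`, so the verdict is `patched`. Point `check_bash` at other bash binaries (Homebrew or MacPorts installs, for instance) as well, since Apple's update only replaces the system copy.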

Posted in Security

Apple updates

Last week was a busy one and not just because of the new iPhone 6 and 6 plus.

OS X 10.9.5 was released and is loaded with security fixes. A few of the noteworthy ones are:
– CoreGraphics, a maliciously crafted PDF could lead to an information disclosure or code execution.
– Intel Graphics Driver, IOAcceleratorFamily and Libnotify, a malicious application may be able to execute arbitrary code with system privileges.
– OpenSSL, just think back on recent OpenSSL issues to get an idea of how critical this is.
Overall, 10.9.5 is a very important update because of the security fixes that are included and is recommended for all Mavericks users. The full list of the 44 security fixes included can be found here.

OS X 10.9.5 includes the security fixes of Safari 7.0.6. For the latest Safari version, however, a separate update was released alongside OS X 10.9.5.
Safari 6.2 (Mountain Lion users) and Safari 7.1 (Mavericks users) include some important fixes. The biggest issue that was fixed is one where a man in the middle could intercept user credentials. All the details can be found here.

Apple also released separate security updates for Lion, Lion Server and Mountain Lion, Security Update 2014-004. These updates include some or most of the fixes described above which are included in 10.9.5.

All of these updates can be obtained by running Software Update on your Macs (Apple menu > Software Update or App Store > Updates).
If you prefer to download and install manually, here are all the links:
OS X 10.9.5 (275.5 MB)
OS X 10.9.5 Update (Combo) (982.3 MB)
Security Update 2014-004 (Mountain Lion) (139.3 MB)
Security Update 2014-004 (Lion) (144.5 MB)
Security Update 2014-004 Server (Lion) (194.8 MB)

The Server app also received updates containing security fixes. To read more, have a look at these links:
Mavericks users.
Mountain Lion users.

Last but not least, iOS 8. Besides a ton of new features there were a ton of security fixes and improvements as well. If your hardware can handle it (iPhone 5 and up, iPhone 4S not recommended) definitely update your iOS device. The list is too long for me to mention all the fixes so just have a look here.

Posted in Security

Be sure you are prepared for iOS8

This exact article was published a year ago when iOS 7 was released. I have edited it where needed and republished it so you can be ready for tomorrow’s upgrade to iOS 8.

Tomorrow Apple’s iOS 8 will be available to the public. The next few days you’ll hear a lot of the following:
– I love it! It’s amazing!
– It’s great but….
– Where did all my *name data* go?!
– My *name app* doesn’t work anymore!
– My phone is messed up now!
– I hate it, I wish I could go back.

As always there will be people from all of the above camps out there. You won’t know what camp you’ll be in until you install iOS 8 so it’s important to prepare properly so you won’t lose data and/or can downgrade back to iOS 7. If you upgrade, love it and don’t experience a single issue, great. Then you’ll have done all of the following for nothing but hey, better safe than sorry :) Let’s begin.

Posted in Just an update

Security updates for Safari and Adobe.

Today Apple released updates for Safari on Lion, Mountain Lion and Mavericks. All users are recommended to update.

The update addresses 7 WebKit memory corruption issues that could lead to arbitrary code execution when visiting a maliciously crafted website.

The updates can be obtained by running Software Update from the Apple menu or opening the Updates tab of the Mac App Store.

Yesterday, Patch Tuesday, security updates were released for Adobe Flash Player, Adobe Reader and Adobe AIR.
If you have any of these products installed, check for updates as soon as you can. More information can be found here.

Posted in Security

Antivirus detection rate results update

Alright, it’s been a few months but I finally had some time to update the test.

A few changes have been made to the test environment:
– As the majority of Mac users now use 10.9 Mavericks, the virtual machines were all rebuilt from scratch using the latest version of Mavericks (10.9.4). Upgrading the existing VMs proved problematic and I was not happy with the results so starting fresh was the best option.
– In re-infecting the new VMs I had a good chance to test Gatekeeper in its default setting too (Mac App Store & Identified Developers only). The results were added in a separate column next to XProtect. It shows that OS X does a decent job at blocking malware, 40% of all samples, but since it can easily be bypassed and malware has been seen signed with a valid developer ID, Mac users should not rely on Gatekeeper to stay safe. The same goes for XProtect of course, which does a lousy job in general.
– Flash Player, Java, Firefox, Chrome and Opera were installed and will be kept up to date with every test.
– VM resources remained the same. 4 CPU cores, 4 GB RAM and ample drive space on a dedicated SSD.
– Little Snitch is no longer being used in the virtual environments as it may impact the behavior of certain malware. Instead, VMs now use their own ethernet cable that leads to a Mac with internet sharing enabled. On that Mac Little Snitch is active so connection attempts can still be monitored. As far as the VM knows it is connected to the internet and has no monitoring software present, but on the other Mac I can still see exactly which types of connections are being made and where to. So far in testing this has worked well. For a more detailed analysis, if needed, this setup also allows me to utilize other tools without impacting the virtual environment.
– The older 10.8 virtual machines were updated with the latest samples and software and will be kept around if needed for testing.
– The number of applications that have a detection rate of 90% or higher has doubled since the test started. I felt this was a good time to make this the new standard. Whereas previous tests showed the top as being 80% or higher AV, this has now been raised to 90%. I might even make the top performing category 95% and better soon. Why should we not expect the best of applications that claim they protect us, right?

Some observations in this test:
– Avast kept running the virtual machine into the ground as soon as the installer was finished so I used the old 10.8 VM instead. This was also completely unresponsive and crashed after the Avast install. I used an archived installer from the beginning of the year, this installed without issues. From there I could update to their new version 9 and run the test. I don’t know if this is because of the virtual environment or if their latest installer behaves the same on actual Macs. Use caution.

– I’m very happy to see F-Secure finally released an actual application, it seems they take Mac users seriously now. Their previous products were not very stable and definitely did not run well in virtual environments, this has changed. The application has preferences that reside in the System Preferences window, the scan results are clear and the interface is neat. There are no options when it comes to scan settings. Whatever is found is trashed immediately, no questions asked, or labeled as riskware and left for you to clean. Real-time scanning can not be disabled. Apart from a few minor issues with the interface like the scan being completed but the progress bar being stuck at 98% the application performed well.

– Something I liked a lot about ESET version 6 was its notifications that the operating system was out of date. The VM did not have the latest iTunes update installed and, while not critical for the OS, this is a great feature to have. I have not seen this from any of the previous ESET products.

– MacKeeper was not willing to provide me with a trial license (needed to update virus definitions). A supervisor will let me know within a week if I can get one, they will also let me know if I should exclude them from the test going forward. I’m certainly not postponing the test for a week to wait for that license so their results were not updated.

– I was unable to get BitDefender (App Store version) to scan. It downloaded OK, definitions updated and the app launched fine. However, when I clicked any of the scan buttons the app would just sit there and do nothing. Reboots, reinstalls, a fresh VM and even an actual Mac running OS X 10.9.4 all had the same result. As the app was last updated two years ago it may simply no longer be compatible with Mavericks. I’ll test some more in the near future. If I can not get it to work I will revert back to the 10.8 VM for this particular app and continue its testing.

– After ClamXav’s last sudden improvements I had high hopes for this test. Sadly it did not improve as much as I had hoped.

Other notes:
I’m considering making the trace detection results count towards the final percentage. Trace files are present on systems that are already infected and the original file that caused the infection may be long gone (an installer or downloaded file of some kind).

I will be working on updating the rest of the application results in the upcoming week or two.

The results can be found here.

Posted in Security

Antivirus test results updated tomorrow

When I was getting ready to upload the PDF and observations my internet decided to take the rest of the night off. Testing of the top performing AV (80% or higher detection rate) has been completed, the results will be uploaded tomorrow hopefully. Intego lost the number 1 spot in the list but judging from past performance they should bounce back pretty soon.

Some samples were added, some work on the VM’s was done and I may be excluding one of the products from the test soon. For all the details, check back tomorrow night!

Posted in Security

OS X updated, Safari updated, iCloud enabled 2 factor authentication

It was a busy day for Apple. The following updates were released:

OS X 10.9.4
The OS X Mavericks 10.9.4 Update is recommended for all Mavericks users. It improves the stability, compatibility, and security of your Mac.
This update:

  • Fixes an issue that prevented some Macs from automatically connecting to known Wi-Fi networks
  • Fixes issue causing the background or Apple logo to appear incorrectly on startup
  • Improves the reliability of waking from sleep
  • Includes Safari 7.0.5

The update also contained some security patches which Apple believes, as usual, are not worth mentioning in the release notes. 19 security related issues were resolved and some of them, in my opinion, were quite nasty: opening a maliciously crafted zip file could lead to arbitrary code execution (copyfile), remote attackers could gain access to another user’s session (curl), an attacker with access to a system may be able to recover Apple ID credentials (iBooks Commerce) and a malicious application may be able to execute arbitrary code with system privileges (launchd). There was also a not so minor issue with Secure Transport that allowed two bytes of memory to be disclosed to a remote attacker. Two bytes is not much, but a few bytes disclosed to the wrong person can do a whole lot of damage; just think back to the Heartbleed fiasco. There is more to this list and if you want to read it you can find it here (this URL usually takes a while to be updated by Apple).

Safari 6.1.5 and 7.0.5
12 security issues were patched in Safari, all WebKit related, ranging from memory corruptions that could be exploited to malicious websites being able to access local files on your Mac. The full list can be found here.

Apple also released updates for iOS 7. The update, 7.1.2, is available for iPhone 4 and later and squashed some nasty bugs too. All together 44 security related issues were addressed including fun stuff like someone being able to bypass Activation Lock or exceed the maximum number of failed passcode attempts. Someone could also gain access to the application that was open before the phone was locked. Mail attachments were not encrypted so they could be extracted and Find My iPhone could be disabled without an iCloud password. The full list can be found here.

An Apple TV update, 6.1.2, was also released containing security patches.

Last but certainly not least, Apple finally enabled two factor authentication for iCloud accounts, something that was enabled for Apple IDs in March 2013. This applies to iCloud.com and the web apps in it. Once enabled, attempting to access iCloud.com contents will require you to enter an additional code that is sent to a trusted device. To enable the feature, sign in with your iCloud ID on the Apple ID website. Once signed in, go to “Password and Security” where you enable two-step verification.

I highly recommend you install all available updates mentioned and enable two factor (or two-step as Apple likes to call it) authentication sooner rather than later as well. Of course use common sense and back up all important data before applying updates. I have not had any issues but better safe than sorry :)

To get your hands on these updates use Apple menu > Software Update, open the App Store and click the Updates tab, or search for them on the Apple Downloads page. On your iDevices open Settings > General > Software Update.

Posted in Security

Comcast starts to enable public WiFi Hotspots (using your modem)

I first learned about the Public Hotspot feature a year ago when I wrote about the Comcast modem I had and what a security nightmare it was. Since then I have owned and tested roughly 12 Comcast provided modems before finally purchasing my own. Public Hotspot enables users with XFinity modems to broadcast a second wifi signal, this signal can be picked up by other Comcast customers and joined for wifi anywhere they go. A few days ago this feature was enabled for 50,000 Comcast customers in Houston, Texas and will be enabled for millions of homes across the country by the end of the year according to Comcast.

Comcast has been replacing older modems with their new all-in-one boxes for a few years now. These little black towers usually manufactured by Arris and Technicolor have built-in wifi capabilities, allow connection of phones and faxes, have a battery backup and a firewall. Wifi is on by default and all a user has to do to join is connect to the preset network with a password that is on a sticker on the back or bottom of the modem. No other settings have to be tweaked, it’s connect and enjoy your internet/phone. The public hotspot feature will be enabled remotely by Comcast, you don’t have to do anything and may not even be aware of it happening.

My XFinity modem was an Arris and after writing about it a year ago I started doing a few tests. One of these tests was to see if wifi was really disabled when Comcast support told me it was. Turns out, it wasn’t. I found it dodgy that I could not disable wifi myself, I had to call Comcast support to have it done. Why would I not be allowed to disable wifi myself? Once Comcast disabled the built-in wifi I noticed the little wifi light on the front of the modem turned off, which means the wifi is disabled according to Comcast. I grabbed an RF meter and the readings were off the charts! It was not my AirPort Extreme because it was off, it was not my house phone because I turned that off, same for cellphones, bluetooth devices and wifi on the computers. There was no source of RF radiation in my house. Yet here it was, a strong wifi signal pumping out of my modem that blanketed the entire house. I could faintly pick up the neighbors’ cordless phones and wifi routers and the smart meter outside was quite strong too, but this signal was by far the strongest. I unplugged the modem and the signal kept going; I pulled the battery from the modem and finally the signal stopped.

I called Comcast and they assured me wifi was off. I asked them if it may be the public hotspot feature (I saw no other explanation) but they said that feature had not been activated in my area yet. I scanned the wifi bands and found no networks I could join, yet the signal was there and it was stronger than my AirPort Extreme when it’s enabled. Comcast had no explanation so they sent me a new modem. The new modem had the same issue. I went through 7 modems and they all had the same issue. Then modem 8 arrived and once wifi was disabled there was no rogue signal. This was a Technicolor model TC8305. However, the modem dropped the connection several times a day and would take hours to reconnect after a power drop (the Technicolors do not come with a battery whereas the Arris models do). Comcast support admitted the Technicolors are a nightmare with their wonky firmware and changing a single setting usually requires multiple restarts or resets. So modem 9 was sent, which was an Arris and of course had the same rogue signal issue. Modem 10 was another Technicolor (no rogue signal) but was worse than the first; it bricked completely after Comcast tried to change a setting. Modems 11 and 12 were Technicolors (models TC8305 and TC8305C) which functioned so poorly I gave up and purchased my own modem instead. A modem I have complete control over, doesn’t have built-in anything that can go rogue on me and takes up a lot less space: a Motorola SURFboard eXtreme Cable Modem SB6141. The Comcast provided modems also re-enabled wifi after a reboot or if unrelated settings were changed.

I have several reasons not to trust Comcast but this rogue wifi signal business was it for me. Now they have started enabling the public hotspot feature and though they tell people it is secure and won’t impact your speed, I do not believe it. I guess time will tell. The public wifi is generated by the same hardware box as your own wifi (if you use XFinity’s preset wifi), so access to that public wifi means access to your modem. I can think of a few scenarios where this can go wrong, and as more homes have this public signal enabled it will become easier for those with ill intent to start poking and prodding at it until a vulnerability is found. Also, this signal may interfere with your own wifi, impacting range and/or speed. Not to mention this will be a nightmare for those that are sensitive to RF radiation and/or simply want to stay away from wifi for health reasons.

You can disable the public hotspot feature by following the steps posted here. If it will truly be disabled and stay disabled I don’t know, you’ll have to check with an RF meter to be sure. You certainly can’t take their word for it is what I have found.

Posted in Security

Macworld UK reviews several Mac AV applications

A little while ago I received an email from Andrew Harrison, technical editor for Macworld and several other publications. He mentioned how he was putting together a test of Mac security software and wanted to know if my AV test results could be used. Naturally I gave the OK but in the back of my head I was a little concerned. I rarely agree with security software reviews. They are usually written by people with little to no understanding of the product, the market, the way testing should be done or they just go at it half-assed. Others are biased and/or paid to write a favorable review about a certain product and end up with a page full of nonsense. Come to think of it, I don’t recall reading a Mac AV/Security review I agree with at all.

After a few emails back and forth my mind was put at ease. Mr. Harrison asked the right questions and even found a small flaw in my test results PDF I was not aware of (kudos for going through that entire Numbers document, his eyes must have stung by the time he was done. And that flaw in the results PDF will be fixed asap).

Last week the reviews started to find their way onto the Macworld UK website. On my way to work I spotted the first one “Avast Free AntiVirus for Mac 8.0 review”. I read it and let out a sigh of relief, it was a good and to the point review! Yes, I got excited. To read the reviews have a look at the following links:
Avast Free AntiVirus for Mac 8.0 review: Comprehensive AntiVirus suite for Mac users
Avira for Mac review: Good malware-spotting skills with a tidy user interface
ClamXav 2 review: Free and open-source AntiVirus solution for Mac, Windows and Linux
ESET Cyber Security for Mac review: Sophisticated security application with good malware detection
Intego Mac Internet Security X8 review: Consistently scores highly for spotting malware
Kaspersky Internet Security for Mac review: Relatively capable in Malware protection

Or read the full piece with the reviews included here.

They mention the good and the bad and focus on the things that matter: Company background, Application history, design, features and performance. These are the reviews I’d want a Mac user to find online. The vast majority of Mac users still believe Macs can’t be infected by malware mostly because that’s the most prevalent myth in Mac history. Unfortunately most people don’t question this and when they do they are likely to run into someone that believes in the same myth. The small amount of people that are determined to find out if this myth is true or not will dig deeper and find sites like mine and reviews like those I just mentioned. Freshly unplugged from the Matrix, that’s the kind of content I want them to find first. Of course it’s a battle that is far from over. It’s the internet after all and sad as it is, bullshit and misinformation outnumber the good stuff by many petabytes. Fortunately the Macworld UK reviews may find their way to the printed magazines as well. This should get the information to a good amount of users and at least create some awareness.

Check out the reviews and keep an eye out for others that may follow. A fun fact, the review Mr. Harrison wrote for the Crucial M550 SSD is the one that made me order a Crucial drive. That same drive currently hosts the virtual machines that are used for the antivirus testing :)

Posted in Security

Avast forum hacked, user names, email addresses and passwords compromised.

Earlier tonight I received the following email:

Dear Jay,

The AVAST forum is currently offline and will remain so for a brief period. It was hacked over this past weekend and user nicknames, user names, email addresses and hashed (one-way encrypted) passwords were compromised. Even though the passwords were hashed, it could be possible for a sophisticated thief to derive many of the passwords. If you use the same password and user names to log into any other sites, please change those passwords immediately. Once our forum is back online, all users will be required to set new passwords as the compromised passwords will no longer work.

This issue only affects our community-support forum. No payment, license, or financial systems or other data were compromised.

We are now rebuilding the forum and moving it to a different software platform. When it returns, it will be faster and more secure. This forum for many years has been hosted on a third-party software platform and how the attacker breached the forum is not yet known. However, we do believe that the attack just occurred and we detected it essentially immediately.

We realize that it is serious to have these usernames stolen and regret the concern and inconvenience it causes you. However, this is an isolated third-party system and your sensitive data remains secure.

All the best,

Ondrej Vlcek
COO AVAST Software

I applaud the fast response and notification of their users, something many other companies don’t do unless they are caught or criticized. By now you should know better than to use the same password on different sites, but if you do, and you also had an account on the Avast forums, change the passwords immediately. Using tools like 1Password to have a random and strong password generated for you is recommended. An unsalted one-way hash is easy to break with moderately powerful hardware, so before this week is over the majority of stolen passwords will be cracked by the hackers.
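The point about unsalted hashes can be shown in a few lines. The Python below is an added example, not the Avast forum's code; the wordlist, the passwords and the "leaked" records are constructed for the demonstration. It shows that unsalted hashes fall to a single precomputed lookup that works against every site using the same scheme, while a per-account random salt combined with an iterated key-derivation function (PBKDF2-HMAC-SHA256 here, from Python's standard library) gives every account a different record and forces an attacker to start over for each one, and how a site verifies such a record without ever storing the password.

```python
"""Added example (not the Avast forum's code): why unsalted one-way hashes
are cheap to reverse by lookup, and how a salted, iterated hash fixes that.
All passwords and the wordlist below are constructed for the demonstration."""
import hashlib
import hmac
import os
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed stand-in for the dictionaries crackers precompute once and reuse.
COMMON_PASSWORDS = ["password", "123456", "letmein", "qwerty", "iloveyou"]


def unsalted_sha1(password: str) -> str:
    """The weak scheme: one hash per password, identical on every site."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def build_lookup_table(words: Iterable[str]) -> Dict[str, str]:
    """Precompute hash -> word. Built once, it serves against every unsalted leak."""
    return {unsalted_sha1(w): w for w in words}


def recover_from_unsalted(stolen: Iterable[str], table: Dict[str, str]) -> Dict[str, str]:
    """Each stolen hash costs one dictionary lookup, no hashing at all."""
    return {h: table[h] for h in stolen if h in table}


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = 200_000) -> Tuple[bytes, int, bytes]:
    """The stronger scheme: random 16-byte salt per account plus PBKDF2-HMAC-SHA256.
    Store all three fields; none of them reveals the password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, iterations, digest


def verify_password(candidate: str, salt: bytes, iterations: int, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    probe = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(probe, digest)


def demo() -> Tuple[List[str], bool, bool]:
    # Two constructed "leaked" records: one weak password, one strong passphrase.
    stolen = [unsalted_sha1("letmein"), unsalted_sha1("correct horse battery staple")]
    table = build_lookup_table(COMMON_PASSWORDS)
    recovered = sorted(recover_from_unsalted(stolen, table).values())
    # Same password on two accounts: the salted records differ, so no table serves both.
    s1, it, d1 = hash_password("letmein")
    s2, _, d2 = hash_password("letmein")
    return recovered, d1 != d2, verify_password("letmein", s1, it, d1)


if __name__ == "__main__":
    print(demo())
```

Only the weak password is recovered from the unsalted records, and only because a table for it already existed; the passphrase is untouched because it is not in the wordlist, which is why a unique, generated password per site limits the damage of a leak like this one. The iteration count is deliberately high so that each guess against a salted record costs real CPU time.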

On June 17th I received the following email:

A few days ago we informed you that the AVAST forum was attacked and because of that, we took the forum offline to improve its structure and security. It is now back up and more secure.
We decided to rebuild the forum on the same software platform we used before, but we enhanced the security on our side. We added our own login technology with SSL encryption. With this encryption, passwords will not be saved in our forum database. This means that your password cannot be compromised.
The AVAST forum is an extremely important part of our business. Our members not only solve issues identified by other members, but give us valuable insight that helps us improve our business and our products. We are extremely grateful for your participation, and we hope that you will rejoin the forum and continue providing your unique insight.
To start using the new AVAST forum, please create a new password at link. We recommend that you use a different password from the one you used for the old forum.
Again, we regret any inconvenience this may have caused you and thank you for your contributions.
All the best,
Ondrej Vlcek
COO AVAST Software

Posted in Security

Malware Detection Rate Results

Last updated:
Tuesday July 15th, 10:39PM EST
430 Samples, 43 Applications
#1 Avast
#2 Intego
#3 ESET
Get it here.