Saturday, June 5, 2010

A busy week: Mac spyware, Banking trojans, Adobe Flash+Reader warning, Open Office patched, more.

I've seen multiple reports of spyware in Mac software:

Security firm discovers spyware in Mac software
Intego, makers of security and privacy apps for the Mac, warned on Tuesday that some Mac software includes a new piece of invasive spyware. Macworld has obtained a preliminary list of the applications with the spyware.

In a press release, Intego states that a number of apps and screen savers distributed through sites like MacUpdate, VersionTracker, and Softpedia are installing a little more software than users bargain for; Apple's Mac OS X Downloads site also contained entries for some of the apps, though the download links appear to now be inactive. The spyware in question is called OSX/OpinionSpy and it's a variant of Windows spyware that has existed since 2008.

As to the spyware's invasive actions, it allegedly dupes users into handing over their admin passwords with a dialog claiming that "market research" software will be installed to collect browsing and purchasing history. OSX/OpinionSpy then installs a process called "PremierOpinion" that runs as root. Intego says the spyware then opens an HTTP backdoor on port 8254, scans all accessible local and networked volumes, and injects code into Safari, Firefox, and iChat in memory (meaning it doesn't alter the applications themselves). It also regularly transmits encrypted data to a variety of servers, which contain e-mail addresses, iChat message headers, and URLs--as well as potentially personal data like usernames, passwords, credit card numbers, bookmarks, and browsing history.

OSX/OpinionSpy can also upgrade itself automatically with no user intervention and relaunch itself via Mac OS X's launchd, the system-wide process that manages a number of automated systems, background daemons, and launch processes. Furthermore, upon uninstalling the original program, OSX/OpinionSpy remains installed on your Mac.
Read more at the link above, including some nasty "Terms of Service" or EULA conditions of the spyware. Additional reports are here:
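For Mac admins who want to check machines against the indicators Intego describes (a root process named PremierOpinion, an HTTP backdoor listening on TCP 8254, and persistence through launchd), here is a small triage script. It is an added example, not code from Intego or Macworld, and it runs over constructed sample data so it works offline: the lsof text imitates `lsof -nP -iTCP -sTCP:LISTEN` output, and the launchd plist contents, labels and file paths are assumptions, not the spyware's real names.

```python
"""Triage checks for the OSX/OpinionSpy indicators quoted above.

Added example (not from Intego or Macworld). Indicators used:
  - a root-owned process named PremierOpinion
  - an HTTP backdoor listening on TCP port 8254
  - launchd persistence that relaunches the process
In real use the two inputs would come from running
`lsof -nP -iTCP -sTCP:LISTEN` and from reading the .plist files under
/Library/LaunchDaemons and /Library/LaunchAgents.
"""
import plistlib
import re

SUSPECT_PROCESS = "PremierOpinion"   # process name from the Intego report
SUSPECT_PORT = 8254                  # backdoor port from the Intego report

# Constructed sample in the column layout of `lsof -nP -iTCP -sTCP:LISTEN`.
# Note that lsof truncates the COMMAND column to nine characters, so the
# spyware shows up as "PremierOp"; that is why we match on the port, not
# on the full process name.
SAMPLE_LSOF = """\
COMMAND     PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
launchd       1 root   10u  IPv6 0x1234      0t0  TCP *:22 (LISTEN)
PremierOp   412 root    5u  IPv4 0x5678      0t0  TCP *:8254 (LISTEN)
Safari     2201 alice  12u  IPv4 0x9abc      0t0  TCP 127.0.0.1:52341 (LISTEN)
"""

# Constructed launchd plists, serialized to real plist XML so the parsing
# below is the same as for files on disk. Paths, labels and the binary
# location are hypothetical.
SAMPLE_PLISTS = {
    "/Library/LaunchDaemons/ssh.plist": plistlib.dumps({
        "Label": "com.openssh.sshd",
        "ProgramArguments": ["/usr/sbin/sshd", "-i"],
    }),
    "/Library/LaunchDaemons/com.example.premieropinion.plist": plistlib.dumps({
        "Label": "com.example.PremierOpinion",
        "ProgramArguments": ["/Library/PremierOpinion/PremierOpinion"],
        "RunAtLoad": True,
        "KeepAlive": True,
    }),
}

# COMMAND PID USER ... TCP <addr>:<port> (LISTEN)
LISTEN_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)\s+.*TCP\s+\S*:(\d+)\s+\(LISTEN\)")


def suspicious_listeners(lsof_text, port=SUSPECT_PORT):
    """Return (command, pid, user) for every process listening on `port`."""
    hits = []
    for line in lsof_text.splitlines()[1:]:   # skip the header row
        m = LISTEN_RE.match(line)
        if m and int(m.group(4)) == port:
            hits.append((m.group(1), int(m.group(2)), m.group(3)))
    return hits


def suspicious_launchd_entries(plists, needle=SUSPECT_PROCESS):
    """Return plist paths whose Label or ProgramArguments mention `needle`.

    `plists` maps a file path to the raw plist bytes of that file.
    """
    hits = []
    for path, raw in plists.items():
        plist = plistlib.loads(raw)
        fields = [plist.get("Label", "")] + list(plist.get("ProgramArguments", []))
        if any(needle.lower() in field.lower() for field in fields):
            hits.append(path)
    return hits


def triage(lsof_text=SAMPLE_LSOF, plists=SAMPLE_PLISTS):
    """Combine both checks into one report dict."""
    listeners = suspicious_listeners(lsof_text)
    return {
        "listeners": listeners,
        # a root-owned listener on the backdoor port matches the report exactly
        "root_listener": any(user == "root" for _, _, user in listeners),
        "launchd": suspicious_launchd_entries(plists),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

On a real machine you would feed `suspicious_listeners` the captured lsof output and build the plist map by reading each file under the two launchd directories in binary mode; a hit on either check is a reason to pull the machine off the network and image it rather than just uninstalling the downloaded app, since Intego notes the spyware survives that uninstall.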

Using Windows for a Day Cost Mac User $100,000 — Krebs on Security
David Green normally only accessed his company’s online bank account from his trusty Mac laptop. Then one day this April while he was home sick, Green found himself needing to authorize a transfer of money out of his firm’s account. Trouble was, he’d left his Mac at work. So he decided to log in to the company’s bank account using his wife’s Windows PC.

Unfortunately for Green, that PC was the same computer his kids used to browse the Web, chat, and play games online. It was also the same computer that organized thieves had already compromised with a password-stealing Trojan horse program.

A few days later, the crooks used those same credentials to steal nearly $100,000 from the company’s online accounts, sending the money in sub-$10,000 and sub-$5,000 chunks to 14 individuals across the United States.

Unlike consumers, businesses that lose money as a result of stolen online banking credentials usually are left holding the bag. As such, I’ve frequently advised small business owners to avoid banking on Windows systems, since all of the malicious software currently being used by these criminals to steal e-banking credentials simply fails to run on anything other than Windows. What’s more, the tools these crooks are using — mainly the Zeus Trojan — almost always outpace anti-virus detection at least by a few days, and by then it’s usually too late.

But the advice about banking on a dedicated, non-Windows machine only works if you follow it all the time. As this incident shows, it does no good for small business owners to use a Live CD or a Mac or some other approach only some of the time.
I don't do online banking for my business. Period.

Sunbelt Blog: Infected rogue spam uses Adobe update lure
Alert reader David McSpadden notified Sunbelt of the following spear-phishing attempt that was sent to users, appearing to come from their system administrator. [The PDF contains a link to the executable for the user to download.]

“If you already received this information before and action has been taken, then please ignore.

“This important information about a security vulnerability requires your immediate attention!

“All systems detected using Adobe products have been sent out this e-mail and are all requested to update their systems urgently.

“Kindly follow the instructions in the e-mail as forwarded below.

“Failure to comply will result in all financial and non financial loss to be a liability of the receiver.

“Please treat this e-mail as a matter of urgency. No further follow up warning will be sent.

“**This e-mail is a computer generated e-mail from and does not require a reply**

“--- On Fri, 5/28/10, Rxxxxxx Bxxxxxx <> wrote: ---
From: Rxxxxxx Bxxxxxx <>
To: Administrator <>
Subject: Adobe Security Update
Date: Friday, May 28, 2010, 11:24 AM

Sophisticated phishing ("social engineering") attacks like this are why you want a professional to take care of updating your company computers instead of relying on your users to do it.

Attackers exploiting new Flash bug, Adobe warns
A new, critical bug in Adobe's Flash Player is giving some attackers a back door into victims' computers, Adobe warned late Friday.

The bug affects Adobe Flash Player version and earlier on all operating systems, including Windows, Macintosh and Linux. It is also found in the latest versions of the widely used Reader and Acrobat software, Adobe said. "There are reports that this vulnerability is being actively exploited in the wild against both Adobe Flash Player, and Adobe Reader and Acrobat," Adobe said in its security advisory.

When exploited, the flaw can cause Adobe's software to crash, but it can also give attackers control of the computer, Adobe said.
Official Adobe Bulletin: Adobe - Security Advisories: Security Advisory for Flash Player, Adobe Reader and Acrobat
A critical vulnerability exists in Adobe Flash Player and earlier versions for Windows, Macintosh, Linux and Solaris operating systems, and the authplay.dll component that ships with Adobe Reader and Acrobat 9.x for Windows, Macintosh and UNIX operating systems. This vulnerability (CVE-2010-1297) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild against both Adobe Flash Player, and Adobe Reader and Acrobat. This advisory will be updated once a schedule has been determined for releasing a fix.
Affected software versions

Adobe Flash Player, 9.0.262, and earlier 10.0.x and 9.0.x versions for Windows, Macintosh, Linux and Solaris
Adobe Reader and Acrobat 9.3.2 and earlier 9.x versions for Windows, Macintosh and UNIX

The Flash Player 10.1 Release Candidate available at does not appear to be vulnerable.
Adobe Reader and Acrobat 8.x are confirmed not vulnerable.

Adobe Flash Player
The Flash Player 10.1 Release Candidate available at does not appear to be vulnerable.

Adobe Reader and Acrobat
Deleting, renaming, or removing access to the authplay.dll file that ships with Adobe Reader and Acrobat 9.x mitigates the threat for those products, but users will experience a non-exploitable crash or error message when opening a PDF file that contains SWF content.
Other stories reporting on this:

OpenOffice 3.2.1 Fixes Bugs and Vulnerabilities
OpenOffice's latest version is available for Windows, Mac OS, Linux and Solaris systems. This release fixes 5 potential vulnerabilities, adds more stability and speed but no new features. The security bulletin is posted here.

Microsoft issued an advance notice for a mega-Patch Tuesday on June 8

Microsoft Releases Advance Notification for June Security Bulletin
added June 4, 2010 at 08:16 am

Microsoft has issued a Security Bulletin Advance Notification, indicating that its June release will contain ten bulletins. Three of these bulletins will have the severity rating of critical and will be for Microsoft Windows and Internet Explorer. The remaining bulletins will have the severity rating of important and will be for Microsoft Windows, Microsoft Office, and Microsoft Sharepoint Services. Release of these bulletins is scheduled for Tuesday, June 8, 2010.

US-CERT will provide additional information as it becomes available.

Today's links:
