Tuesday, April 17, 2012

Mac Users need to update Java AGAIN

If you're running an Apple Mac with OS X 10.6 or later, you need to make sure your software is up-to-date, as Apple has updated Java again.  Sorry, OS X 10.5 and earlier users, you're out of luck, and it doesn't look like Apple is ever going to patch these older versions.  Users of older Macs should uninstall or disable Java ASAP, as there is an unpatched vulnerability that exposes you to drive-by infection.

AFAICT Apple has abandoned users of Tiger and Leopard (v10.5).  Apple expects users to pay to upgrade at least to OS X 10.6 (Snow Leopard) or 10.7 (Lion).  If your computer won't run one of those, too bad, so sad, please give Apple more money for a newer Mac (or switch to Linux, which is free).  BUT see the last item below for more info on what you can do if you're using an old Mac.

Third Apple Java update rids infections and turns off Java - SC Magazine
Apple has released a third Java update related to the outbreak Flashback, but this time, the patch comes with a detection and removal capability for the prolific trojan.
ISC Diary | Flashback Trojan Removal Tool Released
Published: 2012-04-14
Earlier in the week Apple released a Java update which included software to remove the Flashback Trojan from OS X Lion machines running Java.

The Flashback Trojan removal tool is now also available for OS X Lion machines not running Java. This Flashback malware removal tool is available through the OS X Software Update tool, or from Apple's downloads site at http://www.apple.com/support/downloads/.
About the security content of Java for OS X 2012-003 and Java for Mac OS X 10.6 Update 8
This document describes the security content of Java for OS X 2012-003 and Java for Mac OS X 10.6 Update 8, which can be downloaded and installed via Software Update preferences, or from Apple Downloads.
About the security content of Flashback malware removal tool
Available for: OS X v10.7 or later without Java installed

I just came across this interesting note -- and if I were a home user, I would certainly be using OpenDNS instead of Comcast's DNS or Qwest's DNS:

OpenDNS's Allison Rhodes reports that OpenDNS ... is blocking the Flashback Trojan. People not yet using OpenDNS need only to set up the service on their wireless router, computer or device to secure their computers and devices from the attack.

... Even for those people who find their machine has already been infected by Flashback, Rhodes maintains, enabling OpenDNS will prevent the malware from connecting to its command and control and causing your machine any damage.

To set up the OpenDNS free service, you simply need to create an account, choose your router or computer and follow the step-by-step instructions. Note that setting up OpenDNS on your router will protect all devices connecting to the Internet through your WiFi network, and Windows users should use OpenDNS, too.

For more information, visit http://blog.opendns.com/

Seen here: Free mini-apps to check your Mac for Flashback malware infection - AppleTell.

Thursday, April 12, 2012

Patch Tuesday April 2012 - Critical updates for Windows, Office and Adobe Reader

I'm not seeing any negative feedback on the Patch Tuesday updates from this month, so go ahead and update.  Updates apply to both Microsoft Windows/Office and Adobe Reader/Acrobat 9.5 and 10.x.  ISC/SANS have rated most of the Microsoft patches as "Critical", which means they are either being exploited on a targeted basis or exploits are imminent.  The Bad Guys *_will_* be taking advantage of unpatched machines in the next few weeks.  The Krebs-on-Security entry below has the most user-friendly and descriptive write-up.  Links to the official Microsoft and Adobe security bulletins are below for the nerds among you.

Microsoft warns of 'limited, targeted attacks' against Windows vulnerability | ZDNet

April 10, 2012, 11:52am PDT

Summary: The vulnerability under attack exists in Windows Common Controls and can be exploited to launch remote code execution attacks if a user simply surfs to a malicious website.

Microsoft today shipped patches for at least 11 documented security vulnerabilities, including one that’s already being hit with “limited, targeted attacks.”

The vulnerability under attack — now fixed today with the MS12-027 bulletin — exists in Windows Common Controls and can be exploited to launch remote code execution attacks if a user simply surfs to a malicious website.

The vulnerability is caused when the MSCOMCTL.OCX ActiveX control, while being used in Internet Explorer, corrupts the system state in such a way as to allow an attacker to execute arbitrary code.

Microsoft is calling on Windows users to apply this bulletin as a priority because of the high-risk of code execution attacks.
Patch Tuesday April 2012 – Critical updates for Windows, Office and Adobe Reader | Naked Security
This month Microsoft has released six patches, four critical, for eleven vulnerabilities in Office, Windows and various server products. ...

Adobe, not wanting to feel left out, also delivered fixes for four vulnerabilities in Adobe Reader and Acrobat versions 9 and X.

All four vulnerabilities can lead to remote code execution, so I advise everyone be sure to update to Reader/Acrobat 10.1.3.

Adobe, Microsoft Issue Critical Updates — Krebs on Security
Adobe and Microsoft today each issued critical updates to plug security holes in their products. The patch batch from Microsoft fixes at least 11 flaws in Windows and Windows software. Adobe’s update tackles four vulnerabilities that are present in current versions of Adobe Acrobat and Reader.

Seven of the 11 bugs Microsoft fixed with today’s release earned its most serious “critical” rating, which Microsoft assigns to flaws that it believes attackers or malware could leverage to break into systems without any help from users. In its security bulletin summary for April 2012, Microsoft says it expects miscreants to quickly develop reliable exploits capable of leveraging at least four of the vulnerabilities.

Among those is an interesting weakness (MS12-024) in the way that Windows handles signed portable executable (PE) files. According to Symantec, this flaw is interesting because it lets attackers modify signed PE files undetected.

“In addition, the attacker doesn’t need to worry about controlling memory; once the user runs the content, the device has been infected,” wrote John Harrison, group product manager for Symantec Security Response. “The most common attack will probably be a scenario in which a site offers a free download of a specific program that appears to be legitimately signed.”

Wolfgang Kandek, chief technology officer for vulnerability management firm Qualys, is particularly worried about MS12-027, because the weakness spans an unusually wide range of Microsoft products. Microsoft agrees, calling this patch the highest priority security update this month.

“What makes this bulletin stand out is that Microsoft is aware of attacks in the wild against it and it affects an unusually wide range of Microsoft products, including Office 2003 through 2010 on Windows, SQL Server 2000 through 2008 R2, BizTalk Server 2002, Commerce Server 2002 through 2009 R2, Visual FoxPro 8 and Visual Basic 6 Runtime,” Kandek said. “Attackers have been embedding the exploit for the underlying vulnerability (CVE-2012-0158) into an RTF document and enticing the target into opening the file, most commonly by attaching it to an e-mail. Another possible vector is through web browsing, but the component can potentially be attacked through any of the mentioned applications.”

ISC Diary | Microsoft April 2012 Black Tuesday Update - Overview
Published: 2012-04-10,
Last Updated: 2012-04-11 01:57:49 UTC
by Swa Frantzen (Version: 1)
Overview of the April 2012 Microsoft patches and their status.
Adobe warns of Reader X security holes | ZDNet

April 11, 2012, 11:26am PDT

Summary: Adobe ships patches for flaws that could cause the application to crash and potentially allow an attacker to take control of the affected system.

Adobe’s flagship PDF Reader/Acrobat software contains multiple security vulnerabilities that expose computer users to dangerous hacker attacks.

Adobe warned about the vulnerabilities in a security bulletin that contained patches for Windows, Mac OS X and Linux users.

Microsoft Security Bulletin Summary for March 2012
Adobe - Security Bulletins: APSB12-08 - Security updates available for Adobe Reader and Acrobat

Friday, April 6, 2012

Apple releases a SECOND OS X patch in a week; more patches on Tuesday

If you are running Apple Mac computers with OS X, you need to patch your system software.  There is a world-wide botnet of OS X computers that have been infected through an unpatched vulnerability in Apple's version of Java.  The earlier patch fixed Java.  We don't yet know what the second patch fixes, although there are reports it's an update to the first patch.  Read the linked pages below for more info.

Second source confirms: 1 in 100 Macs are infected by Flashback | ZDNet

April 6, 2012, 3:10pm PDT

Summary: A second source has now confirmed previously reported research: at least 600,000 Macs worldwide are infected with the Flashback malware downloader. That’s a staggering number, representing about 1% of the installed base of Macs. So what’s next?

Two independent sources have now confirmed that at least 600,000 Macs worldwide have been infected with the malware downloader called Flashback.

That number is not just an estimate. It’s a count of unique hardware IDs reporting in to a command-and-control server.
Apple releases another update to quell Flashback spread - SC Magazine

Apple released a second security update on Friday in its continuing battle against the Flashback trojan, which already has infected nearly 650,000 Macs worldwide.

The computing giant may have found a glitch in its first update for Java, which contained a vulnerability that enabled the spread of Flashback. That forced Apple to follow up with a second patch, which is only for Mac OS X 10.7 (Lion), according to a blog post from security firm Intego.

ISC Diary | Another OS X Java Patch
Published: 2012-04-06,
Last Updated: 2012-04-06 16:33:36 UTC
Only a couple days after releasing the critically late Java patch (2012-001), Apple released another Java update. At this point, Apple's site doesn't mention what this new patch fixes, or why it was released. But eventually, you may see details at http://support.apple.com/kb/HT1222 . Too bad that Apple isn't getting its security house in order. It appears that OS X has reached a level of market penetration that would require a company with a meaningful security response capability behind it.

Just a couple of additional pointers for OS X security:

- Sophos is making a free Antivirus product for OS X. I have been running it for a few months now without bad side effects. http://www.sophos.com/en-us/products/free-tools/sophos-antivirus-for-mac-home-edition.aspx

Just so Windows users don't feel left out, they should get ready for a busy week next week.  Reports are that a critical security hole in IE is being patched.  And next Tuesday is also Adobe's "Patch Tuesday"; they have announced that critical patches for Adobe Reader and Adobe Acrobat 9 and 10 will be released then.

ISC Diary | Microsoft April Patch Tuesday Pre-Announcement (6 Patches)
Microsoft April Patch Tuesday Pre-Announcement (6 Patches): http://technet.microsoft.com/en-us/security/bulletin/ms12-apr
Adobe - Security Advisories: APSB12-08 - Prenotification Security Advisory for Adobe Reader and Acrobat
Adobe is planning to release security updates for Adobe Reader X (10.1.2) and earlier versions for Windows and Macintosh, Adobe Reader 9.4.6 and earlier 9.x versions for Linux, and Adobe Acrobat X (10.1.2) and earlier versions for Windows and Macintosh on Tuesday, April 10, 2012.

Wednesday, April 4, 2012

Urgent Fix for Zero-Day Mac Java Flaw

If you run a Mac or know someone who does, please patch your Mac or tell them to patch theirs!

Urgent Fix for Zero-Day Mac Java Flaw — Krebs on Security
Apple on Monday released a critical update to its version of Java for Mac OS X that plugs at least a dozen security holes in the program. More importantly, the patch mends a flaw that attackers have recently pounced on to broadly deploy malicious software, both on Windows and Mac systems.

The update, Java for OS X Lion 2012-001 and Java for Mac OS X 10.6 Update 7, sews up an extremely serious security vulnerability (CVE-2012-0507) that miscreants recently rolled into automated exploit kits designed to deploy malware to Windows users. But in the past few days, information has surfaced to suggest that the same flaw has been used with great success by the Flashback Trojan to infect large numbers of Mac computers with malware.

The revelations come from Russian security firm Dr.Web, which reports that the Flashback Trojan has successfully infected more than 550,000 Macs, most of which it said were U.S.-based systems (hat tip to Adrian Sanabria).

Flashback is an increasingly sophisticated malware strain that sniffs network traffic in search of user names and passwords. Early versions of it prompted Mac users to enter their password before it would run, but the most recent strains will happily infect vulnerable Mac systems without requiring a password, writes Ars Technica, among others. F-Secure has additional useful information on this Trojan attack here.

I can’t stress this point strongly enough: If you don’t need Java, remove it from your system, whether you are a Mac or Windows user. If you need further convincing of my reasons for this recommendation, I’d encourage you to browse through some of my past Java-related posts.

Apple maintains its own version of Java, and as with this release, it has typically fallen unacceptably far behind Oracle in patching critical flaws in this heavily-targeted and cross-platform application. In 2009, I examined Apple’s patch delays on Java and found that the company patched Java flaws on average about six months after official releases were made available by then-Java maintainer Sun. The current custodian of Java – Oracle Corp. – first issued an update to plug this flaw and others back on Feb. 17.

The article continues with more details at the Krebs-on-Security site and has an informative world map showing the distribution of infections on Macs.