Apple hires Kristin Paget to help strengthen OS X’s security protocols

Posted by:
Date: Friday, December 7th, 2012, 07:59
Category: News, security, Software

applelogo_silver

If you’re going to be a target for hackers, you might want to hire someone with extensive experience for a company that’s long been a target…

Per Wired, tt was discovered on Thursday that famed hacker and former Microsoft employee Kristin Paget is now working for Apple as a core operating system security researcher, suggesting the Cupertino company is beefing up OS X safeguards amid recent Mac-directed malware attacks.

When employed by Microsoft, Paget worked alongside a small team of hackers tasked to find security holes in Windows Vista before the OS was released to the public in 2007. The group apparently found so many flaws that Vista’s launch date was pushed back while fixes were put in place.

According to her LinkedIn profile, as of September, Paget is listed as being a “Core OS Security Researcher at Apple” based out of Cupertino. Previously, she held the position of chief hacker at security firm Recursion Ventures, but said in June that she wanted to find a job building “security-focused hardware.”

Paget, formerly known as Chris Paget, gained notoriety for a number of hacker feats of strength, including a cellphone call-intercepting station at the Defcon hacker conference and a long-range RFID identifier duplication device.

While the hacker’s responsibilites at Apple remain unknown, it can be speculated that she will be working to thwart future attacks like the Flashback trojan that affected an estimated 600,000 Macs in April. Most recently, a piece of Mac-targeted malware similar to Flashback was found embedded in a webpage dedicated to the Dalai Lama.

“Dockster” trojan for the Mac goes into the wild, plays on the same Java vulnerability as “Flashback”

Posted by:
Date: Tuesday, December 4th, 2012, 08:57
Category: News, security, Software

Ok, this shouldn’t be happening again.

Per F-Secure, a new piece of malware that takes advantage of a well-documented Java vulnerability has been found on a website dedicated to the Dalai Lama, with the trojan able to install itself on an unwitting Mac user’s computer to capture keystrokes and other sensitive data.

Dubbed “Dockster,” the malware was first found by antivirus and security firm Intego to have been uploaded to the VirusTotal detection service on Nov. 30. At the time of its discovery, the remote address associated with trojan was not active, possibly indicating that the code’s creators were testing whether it would be detected, but as of this writing the malicious code is now “in the wild.”

Similar to the Flashback exploit from September 2011, Dockster leverages the same Java vulnerability to drop the backdoor onto a Mac, which then executes code to create an agent that feeds keylogs and other sensitive information to an off-site server.

In the case of Flashback, which was also discovered by Intego, a reported 600,000 Macs were affected before both Apple and Oracle released a Java patches to remove the malware and protect against future attacks.

Although the newly-found Dockster takes advantage of an already fixed weakness, users who haven’t yet updated their Macs or are running older software may still be at risk.

In which case, try to ensure that your friends and family with older, pre-OS X 10.6 software are up to date and be careful out there.

Twitter sends out e-mails to significant number users needing passwords on “compromised accounts”

Posted by:
Date: Thursday, November 8th, 2012, 07:40
Category: News, security, Software

If you found that your Twitter password was reset, there’s a valid reason for it.

Per CNET and the TweetSmarter blog, an unknown number of Twitter users have received a genuine e-mail from the company warning they should change their password as soon as possible.

In the e-mail, the microblogging company noted: “Twitter believes that your account may have been compromised by a website or service not associated with Twitter. We’ve reset your password to prevent others from accessing your account.”

The company did not say in the e-mail that there has been a hack, a breach of data, or anything out of the ordinary, however. At this stage, it’s unclear how many have been affected or what’s caused the mass e-mailing of its users.

A post on Wednesday noted that in some cases when “large numbers of Twitter accounts have been hijacked,” the company sends out these e-mails en masse, even sending messages to accounts that may not have been affected by any hack or hijack to err on the side of caution.

So far, a few high profile accounts have noted interference, including David Mitchell, who said:

“Got an e-mail from twitter telling me that my password had to be changed because they thought my account had been hacked,” adding in another tweet: “So I’ve changed it, but the only evidence of hacking I can find is that my tweet about my Observer column last Sun has disappeared. Weird.”

Stay tuned for additional details as they become available.

Google Chrome updated to 23.0.1271.64

Posted by:
Date: Wednesday, November 7th, 2012, 08:53
Category: News, security, Software

google-chrome-logo

It’s the bug fixes that make a difference.

Late Tuesday, Google released a beta of version 23.0.1271.64 of its Chrome web browser. The update, a 56.5 megabyte download, adds the following fixes and changes:

- Medium CVE-2012-5127: Integer overflow leading to out-of-bounds read in WebP handling. Credit to Phil Turnbull.

- High CVE-2012-5116: Use-after-free in SVG filter handling. Credit to miaubiz.

- [Mac OS only] [149717] High CVE-2012-5118: Integer bounds check issue in GPU command buffers. Credit to miaubiz.

- High CVE-2012-5121: Use-after-free in video layout. Credit to Atte Kettunen of OUSPG.

- Low CVE-2012-5117: Inappropriate load of SVG subresource in img context. Credit to Felix Groebert of the Google Security Team.

- Medium CVE-2012-5119: Race condition in Pepper buffer handling. Credit to Fermin Serna of the Google Security Team.

- Medium CVE-2012-5122: Bad cast in input handling. Credit to Google Chrome Security Team (Inferno).

- Medium CVE-2012-5123: Out-of-bounds reads in Skia. Credit to Google Chrome Security Team (Inferno).

- High CVE-2012-5124: Memory corruption in texture handling. Credit to Al Patrick of the Chromium development community.

- Medium CVE-2012-5125: Use-after-free in extension tab handling. Credit to Alexander Potapenko of the Chromium development community.

- Medium CVE-2012-5126: Use-after-free in plug-in placeholder handling. Credit to Google Chrome Security Team (Inferno).

- High CVE-2012-5128: Bad write in v8. Credit to Google Chrome Security Team (Cris Neckar).

Google Chrome 23.0.1271.64 requires an Intel-based Mac with Mac OS X 10.5 or later to install and run. If you’ve tried the new version and have any feedback to offer, please let us know in the comments.

Apple releases Safari 6.0.2 update

Posted by:
Date: Friday, November 2nd, 2012, 07:37
Category: News, security, Software

safarilogo.jpg

You can’t knock a timely security update.

On Thursday, Apple released Safari 6.0.2, an update to its web browser. The new version, a 40.2 megabyte download, includes the following fixes and new features:

- Safari 6.0.2 is a security update for which complete details can be found here.

Safari 6.0.2 requires an Intel-based Mac running Mac OS X 10.7.5 or later to install and run and can also be located and downloaded via Mac OS X’s Software Update feature. If you’ve tried the new version and have any feedback to offer, please let us know.

Adobe releases Flash Player 11.4.402.287 update

Posted by:
Date: Monday, October 8th, 2012, 08:33
Category: News, security, Software

adobelogo

On Monday, Adobe released Flash Player 11.4.402.287 for Mac OS X, a 11.9 megabyte download via MacUpdate. The new version is for Adobe Flash Player 11.4.402.265 and earlier versions and adds the following fixes and changes:

- Fixes for critical vulnerabilities identified in Security Bulletin APSB12-22.

Flash Player 11.4.402.287 requires an Intel-based Mac running Mac OS X 10.6 or later to install and run.

If you’ve tried the new version and have any feedback, please feel free to hurl your two cents in via the comments.

Apple Security Update 2012-004 out the door for Mac OS X 10.6.x operating systems

Posted by:
Date: Thursday, September 20th, 2012, 07:07
Category: News, security, Software

applelogo_silver

You can’t go wrong with a timely security update.

Late Wednesday, Apple released Security Update 2012-004, the company’s most recent security update for its Mac OS X 10.6.x (Snow Leopard) operating systems.

The update, a 2.36 megabyte download, offers a series of fixes and changes detailed here.

Security Update 2012-004 requires an Intel-based Mac running Mac OS X 10.6.8 or later to install and run.

Apple releases Java for Mac OS X 10.6 Update 10, Java for OS X Lion 2012-005

Posted by:
Date: Thursday, September 6th, 2012, 06:18
Category: News, security, Software

applelogo_silver

If there’s a Java update out there, it might be worth snagging.

Per the cool cats at The Mac Observer, Apple updated Java for OS X Lion and Mountain Lion Wednesday with the release of Java for OS X 2012-005 along with the release of Apple Java for Mac OS X 10.6 Update 10. The updates, which vary in terms of download size given the version used, tweak Java controls by automatically turning the Java plugin off when no Java applets have been run for an extended period of time.

Apple’s patch notes also specify that if users hadn’t installed the previous version of Java (Java for for OS X Lion 2012-004), that the Java plugin will be disabled immediately.

The releases add the following fixes and changes:

- Delivers improved security, reliability, and compatibility by updating Java SE 6 to 1.6.0_35.

The updates can be located, snagged and installed with Mac OS X’s Software Update feature.

Java for Mac OS X 10.6 Update 10 requires an Intel-based Mac running Mac OS X 10.6 or later to install and run while the Java for OS X Lion 2012-005 update requires an Intel-based Mac running Mac OS X 10.7 or later to install and run.

If you’ve tried the updates and have any feedback to offer, please let us know in the comments.

Oracle releases patch for Java 1.7, works to close hole on discovered security flaw

Posted by:
Date: Friday, August 31st, 2012, 06:33
Category: News, security, Software

With any luck, the patch fixed the issue.

Per AppleInsider, Oracle on Thursday released a patch for the Java 1.7 runtime, plugging a recently discovered security hole that allowed malware to take over any operating system when a user visits a malicious website.

In an update to its “CVE-2012-4681″ security alert, Oracle addressed three separate vulnerabilities and one “security-in-depth” issue affecting Java 7.

It was reported on Monday that a new zero-day exploit had been discovered and proven to be effective within the Java 1.7 runtime, which includes the latest Java 7 update, in browsers on any operating system.

According to researchers, the flaw allows malware to breach the security of a Mac or PC by having a user visit a compromised website hosting the attack code. Because Java came bundled with older versions of OS X like Leopard or Snow Leopard, Macs running the legacy software are potentially more vulnerable to the attack than those with the latest 10.8 Mountain Lion.

Apple removed Java from OS X last year with the release of 10.7 Lion after a security flaw in Oracle’s software allowed the infamous Flashback trojan to affect a reported 600,000 Macs. As a safety precaution, users must now authenticate browser requests to download and install Java, proactively blocking potential exploits.

From Oracle’s alert:
“If successfully exploited, these vulnerabilities can provide a malicious attacker the ability to plant discretionary binaries onto the compromised system, e.g. the vulnerabilities can be exploited to install malware, including Trojans, onto the targeted system. Note that this malware may in some instances be detected by current antivirus signatures upon its installation.”

The patch for Java 1.7 can be downloaded directly from Oracle’s java.com web site, while more information about the security issues can be found at the company’s security page

Stay tuned for additional details as they become available.

Analyst: Java 1.7 zero-day less likely to affect Mac users due to lack of current installed base on platform

Posted by:
Date: Wednesday, August 29th, 2012, 07:53
Category: News, security

Yesterday, we posted as to a new Java vulnerability that could open the gates for additional malware on the Mac.

Today, there’s some better news regarding this.

Per The Unofficial Apple Weblog, online backup service CrashPlan co-founder Matthew Dornquist had the following to offer about the new Java vulnerability and what it could mean for the Mac.

In a recent study of a random sample of 200K recent users; Dornquist’s numbers showed that the overwhelming majority of CrashPlan’s Mac users are on Java 1.6 (92%) and a small minority on the older 1.5 version. The percentage on the 1.7 version targeted by the malware? Approximately zero.

Research shop FireEye identified a Java zero-day exploit this weekend that is already targeting fully patched versions of the Java JRE version 1.7 running on Windows machines. The exploit attempts to install a dropper executable (Dropper.MsPMs) on the machines it attacks. In theory, a separate dropper could be crafted to attack Mac or Linux systems, although none has yet been observed in the wild.

That’s a reason for Mac users to rest a little more easily, but it’s not the big one. As noted by CNET, the vulnerable edition of the JRE — 1.7 — isn’t installed by default in a stock configuration of OS X. The Java that Apple delivers on Snow Leopard, Lion and Mountain Lion is JRE 1.6 (and on Lion and Mountain Lion, it’s only installed on demand when needed to run Java applications); in order to be on 1.7 and be theoretically susceptible, you’d have to install the Oracle beta build manually.

If you did install the Oracle build and you’re concerned about the new exploit, you can disable the Java plugin in each of your browsers individually, or uninstall 1.7 entirely. While it bears repeating that there is no evidence of a Mac payload for this exploit at this time, if you don’t have a specific reason to run the new version then it’s probably safest to stick with JRE 1.6 instead (or turn off Java completely if you don’t need it). In response to past exploits including Flashback, Apple’s Java web plugin is now set to auto-disable when it isn’t used for some time, further reducing the attack surface for Mac users.

So, yeah, try to avoid manually updating to Java 1.7 on your Mac until this is sorted out and we’ll have additional details as they become available.