Oracle releases patch for Java 1.7, works to close hole on discovered security flaw

Date: Friday, August 31st, 2012, 06:33
Category: News, security, Software

With any luck, the patch fixed the issue.

Per AppleInsider, Oracle on Thursday released a patch for the Java 1.7 runtime, plugging a recently discovered security hole that allowed malware to take over any operating system when a user visits a malicious website.

In an update to its “CVE-2012-4681” security alert, Oracle addressed three separate vulnerabilities and one “security-in-depth” issue affecting Java 7.

It was reported on Monday that a new zero-day exploit had been discovered and proven to be effective within the Java 1.7 runtime, which includes the latest Java 7 update, in browsers on any operating system.

According to researchers, the flaw allows malware to breach the security of a Mac or PC by having a user visit a compromised website hosting the attack code. Because Java came bundled with older versions of OS X like Leopard or Snow Leopard, Macs running the legacy software are potentially more vulnerable to the attack than those with the latest 10.8 Mountain Lion.

Apple removed Java from OS X last year with the release of 10.7 Lion after a security flaw in Oracle’s software allowed the infamous Flashback trojan to affect a reported 600,000 Macs. As a safety precaution, users must now authenticate browser requests to download and install Java, proactively blocking potential exploits.

From Oracle’s alert:
“If successfully exploited, these vulnerabilities can provide a malicious attacker the ability to plant discretionary binaries onto the compromised system, e.g. the vulnerabilities can be exploited to install malware, including Trojans, onto the targeted system. Note that this malware may in some instances be detected by current antivirus signatures upon its installation.”

The patch for Java 1.7 can be downloaded directly from Oracle’s java.com web site, while more information about the security issues can be found at the company’s security page.

Stay tuned for additional details as they become available.

Analyst: Java 1.7 zero-day less likely to affect Mac users due to lack of current installed base on platform

Date: Wednesday, August 29th, 2012, 07:53
Category: News, security

Yesterday, we posted about a new Java vulnerability that could open the gates for additional malware on the Mac.

Today, there’s some better news regarding this.

Per The Unofficial Apple Weblog, online backup service CrashPlan co-founder Matthew Dornquist had the following to offer about the new Java vulnerability and what it could mean for the Mac.

In a recent study of a random sample of 200K recent users, Dornquist’s numbers showed that the overwhelming majority of CrashPlan’s Mac users are on Java 1.6 (92%) and a small minority on the older 1.5 version. The percentage on the 1.7 version targeted by the malware? Approximately zero.

Research shop FireEye identified a Java zero-day exploit this weekend that is already targeting fully patched versions of the Java JRE version 1.7 running on Windows machines. The exploit attempts to install a dropper executable (Dropper.MsPMs) on the machines it attacks. In theory, a separate dropper could be crafted to attack Mac or Linux systems, although none has yet been observed in the wild.

That’s a reason for Mac users to rest a little more easily, but it’s not the big one. As noted by CNET, the vulnerable edition of the JRE — 1.7 — isn’t installed by default in a stock configuration of OS X. The Java that Apple delivers on Snow Leopard, Lion and Mountain Lion is JRE 1.6 (and on Lion and Mountain Lion, it’s only installed on demand when needed to run Java applications); in order to be on 1.7 and be theoretically susceptible, you’d have to install the Oracle beta build manually.

If you did install the Oracle build and you’re concerned about the new exploit, you can disable the Java plugin in each of your browsers individually, or uninstall 1.7 entirely. While it bears repeating that there is no evidence of a Mac payload for this exploit at this time, if you don’t have a specific reason to run the new version then it’s probably safest to stick with JRE 1.6 instead (or turn off Java completely if you don’t need it). In response to past exploits including Flashback, Apple’s Java web plugin is now set to auto-disable when it isn’t used for some time, further reducing the attack surface for Mac users.

So, yeah, try to avoid manually updating to Java 1.7 on your Mac until this is sorted out and we’ll have additional details as they become available.

Java vulnerability discovered, researchers warn of potential new malware for Mac OS X platform

Date: Tuesday, August 28th, 2012, 06:53
Category: News, security, Software

You’ll never lack a job in IT security…

Per Computerworld, researchers announced on Monday that hackers are taking advantage of a zero-day vulnerability in Oracle’s Java 7, with the newly discovered flaw able to exploit any platform, including Apple’s OS X.

According to Tod Beardsley, engineering manager for open-source testing framework Metasploit, hackers can use the bug to compromise any system through a web browser running the latest Java software.

While there have yet to be reports of the new exploit affecting Macs, Errata Security confirmed the Metasploit exploit is effective against the latest Java 1.7 runtime on Apple’s latest OS X 10.8 Mountain Lion.

Mac users running older versions of OS X, like Snow Leopard or Leopard, could be more vulnerable as those operating systems came bundled with Java; however, the new exploit is actually in Oracle’s latest software, dubbed “Update 6.”

“The vulnerability is not in Java 6, it’s in new functionality in Java 7,” said Beardsley.

He went on to call the bug “super dangerous” and said a potential piece of malware can feasibly compromise the security of a Mac by simply having a user visit a website that is host to the attack code. This means both purpose-built malicious sites as well as those which have been hacked can compromise a system.

“What is more worrisome is the potential for this to be used by other malware developers in the near future,” said antivirus vendor Intego. “Java applets have been part of the installation process for almost every malware attack on OS X this year.”

As Oracle has not yet released a patch for the exploit, Beardsley recommends users disable Java until one is pushed out.

Mac users can visit Java’s site here to check if they have the 1.7 runtime installed. Alternately, the “Java Preferences” application can also be used to make sure the software is disabled.

The new flaw is the latest in a number of security holes found in Java code on OS X, including the infamous Flashback trojan that reportedly affected some 600,000 Macs worldwide. Apple released a removal tool specifically tailored for the malware, later disabling the Java runtime in subsequent versions of Safari. Java was removed from OS X when Lion was released last year, forcing users to authorize a browser request to download and install the software if an applet for the runtime appears.

Stay tuned for additional details as they become available.

Apple advocates use of iMessage in wake of SMS bug discovery

Date: Monday, August 20th, 2012, 07:11
Category: iPhone, News, security, Software

Ok, this is going to require a fix.

Following a discovery last week wherein Pod2G uncovered an SMS flaw in iOS that lets someone send a spoofed SMS (in this scenario, the SMS would appear to be from a trusted source, but the response would actually be sent to someone else), the cool cats at Engadget reached out to Apple for comment and received the following reply:

“Apple takes security very seriously. When using iMessage instead of SMS, addresses are verified which protects against these kinds of spoofing attacks. One of the limitations of SMS is that it allows messages to be sent with spoofed addresses to any phone, so we urge customers to be extremely careful if they’re directed to an unknown website or address over SMS.”

Stay tuned for additional details as they become available and with any luck, a fix should be en route soon.

Adobe releases Flash Player 11.3.300.271 update

Date: Tuesday, August 14th, 2012, 15:39
Category: News, security, Software

Late Wednesday, Adobe released Flash Player 11.3.300.271 for Mac OS X, an 11.6 megabyte download via MacUpdate. The new version adds a slew of security fixes outlined here.

Flash Player 11.3.300.271 requires an Intel-based Mac running Mac OS X 10.6 or later to install and run.

If you’ve tried the new version and have any feedback, please feel free to hurl your two cents in via the comments.

Yahoo details password theft hack, explains which accounts are at risk

Date: Monday, July 16th, 2012, 11:59
Category: News, security

So…this was awkward…

Following up on last week’s hack in which more than 450,000 passwords were stolen from one of its many services, Internet service Yahoo announced in a post to its blog early Friday: “We have…now fixed this vulnerability, deployed additional security measures for affected Yahoo! users, enhanced our underlying security controls and are in the process of notifying affected users.”

Yahoo has offered no specific information about the attack, how it was carried out or even when. It confirmed the attack Thursday.

Per Computerworld, the hacker group D33Ds Company took responsibility for the breach, saying it had exploited a basic SQL injection vulnerability in a Yahoo service to steal the usernames and passwords associated with 453,000 accounts. The group published the passwords and email addresses on the Web.

Yahoo also confirmed that the stolen account credentials belonged to registered users of its Yahoo Contributor Network, which was previously known as Associated Content.

Yahoo Contributor Network is a platform that generates high-volume, low-cost content by letting writers, photographers, and others share their work with Yahoo members and earn money based on the traffic their content generates. Users who contribute to the network are required to sign in using a Yahoo, Google or Facebook ID.

Associated Content, which was founded in 2005, was bought by Yahoo for just over US$100 million in May 2010. Yahoo renamed the service in late 2011, when it also launched Yahoo Voices, a portal where users access content posted by the Yahoo Contributor Network.

According to Yahoo, only people who registered as providers with Associated Content before the 2010 acquisition were affected by the password theft. “[The] compromised file was a standalone file that was not used to grant access to Yahoo! systems and services,” Yahoo maintained.

Just under a third of the stolen passwords were linked to accounts registered to a yahoo.com email address, security company Rapid7 said Thursday. Significant chunks of the file, however, were composed of Gmail (23.6 percent of all accounts) and Hotmail (12.2 percent) addresses.

All users with older Associated Content accounts, no matter the email address used, should immediately change the passwords for those email accounts as well as any identical or similar passwords used to secure other online services or websites, security experts have said.

Rapid7 security researcher Marcus Carey said yesterday that the file published by D33Ds included 123 government email accounts—ones ending with “.gov”—and 235 military-related addresses (ending with “.mil”). Among the government email accounts, Carey found several associated with the FBI, the Transportation Security Administration (TSA) and the Department of Homeland Security (DHS).

Security experts have been scathing in their criticism of Yahoo, in large part because the passwords were stored in plain-text, making the hackers’ job of exploiting the stolen accounts a breeze.

Thursday, Mark Bower, a data protection expert and executive at Voltage Security, said, “It’s utter negligence to store passwords in the clear.”

Also on Thursday, Rob Rachwald, director of security strategy at Imperva, took Yahoo to the woodshed. “To add insult to injury, the passwords were stored in clear text and not hashed (encoded),” Rachwald wrote in a blog post. “One would think the recent LinkedIn breach would have encouraged change, but no. Rather, this episode will only inspire hackers worldwide.”

In its Friday blog, Yahoo again apologized to users affected by the password theft.

Stay tuned for additional details as they become available…and it never hurts to change your password every so often.

Mac OS X 10.7 (Lion) currently impervious to new Java malware, older operating systems remain susceptible

Date: Thursday, July 12th, 2012, 09:43
Category: News, security, Software

Following up on yesterday’s new Java malware story, there’s some good news: if you’re running Mac OS X 10.7 (Lion), you’re in the clear.

Per Macworld, the new Java malware was discovered on a compromised Colombian Transport website, with a bit of social engineering thrown in for good measure: You need to approve the installation of a Java applet, which OS X will warn you is from a root certificate that “is not trusted,” to get infected.

Once authorized, the exploit downloads additional malicious code from the Web. Security firm Sophos says that the malware then attempts to open a backdoor on your computer, through which hackers could remotely access the machine.

Because the Mac version of the malware runs as a PowerPC app, only Macs that can run PowerPC software are at risk. Since Lion (and Mountain Lion) no longer include Rosetta, the technology that allows Intel-based Macs to run PowerPC software, computers running those versions of Mac OS X cannot be infected.

Mac users may not too fondly experience some flashbacks to the insidious Flashback Trojan horse that affected even fully up-to-date Macs, since Apple hadn’t kept up with Java security updates as rigorously as its competitors. Starting in late April, Java developer Oracle began issuing security updates directly to Mac users at the same time those updates became available for other platforms, bypassing Apple.

Stay tuned for additional details as they become available.

Java malware goes live, begins affecting Mac OS X, Windows, Linux systems

Date: Wednesday, July 11th, 2012, 10:47
Category: News, security, Software

On the plus side, this keeps a security department employed.

Per F-Secure, a new form of browser-based cross-platform malware can give hackers remote access to computers running Apple’s OS X, Microsoft’s Windows, and even Linux.

The multi-platform backdoor malware was disclosed this week by security firm F-Secure. It was originally discovered on a Colombian Transport website, and relies on social engineering to trick users into running a Java Archive file, meaning it is not likely to be a major threat.

However, its cross-platform design is unique. If users grant permission to the Java Archive, the malware will secretly determine whether the user is running a Mac, a Windows PC, or a Linux machine. When running on a Mac, the malware will remotely connect to an IP address through port 8080 to obtain additional code to execute.

Anti-virus maker Sophos said on Wednesday that the new malware has the potential to affect a higher number of people because of its multi-platform strategy. Typically, malware and viruses target Windows PCs, as they represent the overwhelming majority of computers.

“Once it has found out which operating system you are running, the Java class file will download the appropriate flavor of malware, with the intention of opening a backdoor that will give hackers remote access to your computer,” explained Graham Cluley, senior technology consultant with Sophos.

On a Mac, the new malware is defined as “Backdoor:OSX/GetShell.A.” According to F-Secure, it is a PowerPC binary, which means users running a modern, Intel-based Mac must also have Rosetta installed.

While rare, cross-platform malware attacks are not unheard of. In 2010, a Trojan known as “trojan.osx.boonana.a” was a Java-based exploit that affected both Macs running OS X, as well as Windows PCs.

As Apple’s Mac platform has grown in popularity and outpaced the PC market as a whole, the OS X platform has become a bigger target for hackers. Last month, Apple opted to tone down promotional language on its website that once claimed the Mac “doesn’t get PC viruses.” Apple’s website now says that OS X is “built to be safe.”

That change was made just a few months after more than 600,000 Macs were estimated to have been infected by a trojan horse named “Flashback.” More than half of the Macs believed to be infected by the botnet were found in the U.S. alone before Apple aggressively released a series of software updates to quash the malware.

Stay tuned for additional details as they become available.

Upcoming OS X 10.8 (Mountain Lion) to feature automatic security updates

Date: Tuesday, June 26th, 2012, 06:26
Category: News, security, Software

If you don’t click “Software Update” that often, Apple will do it for you come Mountain Lion.

On Monday, Apple indicated that the company’s upcoming OS X Mountain Lion will feature an automatic security check feature that will ensure users have the most up-to-date software protection amid a growing amount of Mac-targeted malware.

As reported by AppleInsider, an update to the Mountain Lion Developer Preview shows a new automated system that runs a daily check with Apple’s servers to make sure OS X 10.8 users have the most current security patches and protections against known malware and viruses.

Called “OS X Security Update Test 1.0,” the automated feature will run either daily or whenever a Mac restarts and has the ability to download and install updates in the background, making the task of manually performing checks less of a necessity.

The new feature also creates a “more secure connection” to Apple’s servers, possibly hinting at new encryption technology or more stringent default settings. Also included are the usual stability and general updates for the operating system set for launch in July.

Apple is making security a priority in the next iteration of OS X to counter new threats that continue to crop up as Macs gain a larger user base. In April, the highly-publicized Flashback trojan used a Java exploit to spread onto an estimated 600,000 Macs around the world, prompting Apple to release both a Java disabler for Safari and a standalone malware uninstaller.

In a related action, Apple notably toned down the language of its OS X web page, changing the statement that the Mac “doesn’t get PC viruses” to “It’s built to be safe.”

Coming exactly one week after OS X Mountain Lion Developer Preview 4 was released, the new Security Update is available through the Mac App Store and comes in at 1.15 GB.

Stay tuned for additional details as they become available.

GreenPois0n Absinthe 2.0 jailbreak for iOS 5.1.1 goes live, allows for untethered jailbreaking

Date: Friday, May 25th, 2012, 06:10
Category: Hack, iOS, iPad, iPhone, iPod, security

Per Boy Genius Report, the GreenPois0n Absinthe 2.0 jailbreak for iOS 5.1.1 has been released.

Absinthe works on A4-powered devices and A5 ones, like the iPhone 4S and new iPad. It won’t work on the iPad 2, however, and the JailbreakUntethered site has explanations on how to get this going on your device.

If you’ve tried the jailbreak and have any feedback, please let us know in the comments.