Java malware goes live, begins affecting Mac OS X, Windows, Linux systems

Date: Wednesday, July 11th, 2012, 10:47
Category: News, security, Software

On the plus side, this keeps a security department employed.

Per F-Secure, a new form of browser-based cross-platform malware can give hackers remote access to computers running Apple’s OS X, Microsoft’s Windows, and even Linux.

The multi-platform backdoor malware was disclosed this week by security firm F-Secure. It was originally discovered on a Colombian Transport website, and relies on social engineering to trick users into running a Java Archive file, meaning it is not likely to be a major threat.

However, its cross-platform design is unique. If users grant permission to the Java Archive, the malware will secretly determine whether the user is running a Mac, a Windows PC, or a Linux machine. When running on a Mac, the malware will remotely connect to an IP address through port 8080 to obtain additional code to execute.

Anti-virus maker Sophos said on Wednesday that the new malware has the potential to affect a higher number of people because of its multi-platform strategy. Typically, malware and viruses target Windows PCs, as they represent the overwhelming majority of computers.

“Once it has found out which operating system you are running, the Java class file will download the appropriate flavor of malware, with the intention of opening a backdoor that will give hackers remote access to your computer,” explained Graham Cluley, senior technology consultant with Sophos.

On a Mac, the new malware is defined as “Backdoor:OSX/GetShell.A.” According to F-Secure, it is a PowerPC binary, which means users running a modern, Intel-based Mac must also have Rosetta installed.

While rare, cross-platform malware attacks are not unheard of. In 2010, a Trojan known as “trojan.osx.boonana.a” was a Java-based exploit that affected both Macs running OS X and Windows PCs.

As Apple’s Mac platform has grown in popularity and outpaced the PC market as a whole, the OS X platform has become a bigger target for hackers. Last month, Apple opted to tone down promotional language on its website that once claimed the Mac “doesn’t get PC viruses.” Apple’s website now says that OS X is “built to be safe.”

That change was made just a few months after more than 600,000 Macs were estimated to have been infected by a trojan horse named “Flashback.” More than half of the Macs believed to be infected by the botnet were found in the U.S. alone before Apple aggressively released a series of software updates to quash the malware.

Stay tuned for additional details as they become available.

Upcoming OS X 10.8 (Mountain Lion) to feature automatic security updates

Date: Tuesday, June 26th, 2012, 06:26
Category: News, security, Software

If you don’t click “Software Update” that often, Apple will do it for you come Mountain Lion.

On Monday, Apple indicated that the company’s upcoming OS X Mountain Lion will feature an automatic security check feature that will ensure users have the most up-to-date software protection amid a growing number of Mac-targeted malware.

As reported by AppleInsider, an update to the Mountain Lion Developer Preview shows a new automated system that runs a daily check with Apple’s servers to make sure OS X 10.8 users have the most current security patches and protections against known malware and viruses.

Called “OS X Security Update Test 1.0,” the automated feature will run either daily or whenever a Mac restarts and has the ability to download and install updates in the background, making the task of manually performing checks less of a necessity.

The new feature also creates a “more secure connection” to Apple’s servers, possibly hinting at new encryption technology or more stringent default settings. Also included are the usual stability and general updates for the operating system, which is set for launch in July.

Apple is making security a priority in the next iteration of OS X to counter new threats that continue to crop up as Macs gain a larger user base. In April the highly publicized Flashback trojan used a Java exploit to spread onto an estimated 600,000 Macs around the world, prompting Apple to release both a Java disabler for Safari and a standalone malware uninstaller.

In a related action, Apple notably toned down the language of its OS X web page, changing the statement that the Mac “doesn’t get PC viruses” to “It’s built to be safe.”

Coming exactly one week after OS X Mountain Lion Developer Preview 4 was released, the new Security Update is available through the Mac App Store and comes in at 1.15 GB.

Stay tuned for additional details as they become available.

GreenPois0n Absinthe 2.0 jailbreak for iOS 5.1.1 goes live, allows for untethered jailbreaking

Date: Friday, May 25th, 2012, 06:10
Category: Hack, iOS, iPad, iPhone, iPod, security

Per Boy Genius Report, the GreenPois0n Absinthe 2.0 jailbreak for iOS 5.1.1 has been released.

Absinthe works on A4-powered devices and A5 ones, like the iPhone 4S and new iPad. It won’t work on the iPad 2, however, and the JailbreakUntethered site has explanations on how to get this going on your device.

If you’ve tried the jailbreak and have any feedback, please let us know in the comments.

Apple releases Flashback removal tool for Mac OS X 10.5.x operating systems

Date: Tuesday, May 15th, 2012, 05:21
Category: News, security, Software

If you’ve yet to upgrade to Mac OS X 10.6 or Mac OS X 10.7, there’s some good news.

Per Macworld, Apple on Monday released a pair of security updates for the older operating system: Leopard Security Update 2012-003 and Flashback Removal Security Update.

The Leopard Security Update disables older versions of Adobe Flash Player that don’t contain the latest security updates, prompting you to upgrade instead. That mirrors an update Apple offered for Safari on Snow Leopard and Lion last week.

The Flashback Removal Security Update finds and removes the most common variants of that malware; the updater may need to restart your Mac to complete the removal of any malware.

Both updates are available directly from Apple’s website or via Mac OS X’s Software Update feature and require Mac OS X 10.5.8 to install and run.

If you’ve tried the updates/malware removal tools and have any feedback to offer, please let us know in the comments.

Kaspersky Lab to help advise Apple on Mac OS X security

Date: Monday, May 14th, 2012, 10:08
Category: News, security, Software

It never hurts to ask for a helping hand.

Per computing.co.uk, Apple has invited Kaspersky Lab to consult on potential OS X security issues following the aftermath of the largest malware outbreak on the platform.

Kaspersky has begun analyzing the OS X platform at Apple’s request, the company’s chief technology officer, Nikolai Grebennikov, said in an interview with Computing. The Kaspersky executive has publicly called Apple out for not taking security seriously enough.

“Mac OS is really vulnerable, and Apple recently invited us to improve its security,” Grebennikov said. “We’ve begun an analysis of its vulnerabilities, and the malware targeting it.”

As one specific security issue with OS X, he noted that Apple has blocked Oracle from directly updating Java on the Mac. Instead, Apple handles the updates, and they typically arrive months after Oracle issues its own patches.

Mac-centric Java development is set to move to Oracle following the latest runtime updates built in-house at Apple. Apple dropped Java from the default installation of OS X 10.7 Lion after announcing plans to deprecate its own Java release for the Mac platform.

In April, Oracle released its first Java Development Kit and JavaFX Software Development Kit for Mac users. They arrived one and a half years after Apple announced the deprecation of its own edition of Java for Mac.

Kaspersky’s newfound partnership with Apple comes on the heels of the Flashback malware botnet, which was believed to have infected hundreds of thousands of Macs at its peak. The presence of Flashback was greatly diminished after Apple released a series of software updates to squash the malware, including a Java update and a separate removal tool.

Grebennikov cited the Flashback malware as “a huge sign that Apple’s security model isn’t perfect.” He also predicted that the first malware targeting Apple’s iOS mobile operating system, which powers the iPhone and iPad, will arrive in the next “year or so.”

Stay tuned for additional details as they become available.

Safari 5.1.7 nixes outdated Flash versions, focuses on security-based issues

Date: Thursday, May 10th, 2012, 06:32
Category: News, security, Software

When in doubt, go with the update.

Per AppleInsider, Apple on Wednesday released an update to its Safari web browser that automatically disables old versions of Adobe’s Flash Player, as they don’t have the most up-to-date security features.

After pushing out OS X Lion 10.7.4 which included Safari version 5.1.6, Apple rolled out a separate update for the browser that can be downloaded by Mac OS X 10.7.3, Mac OS X 10.7.4 and Windows users.

According to the Safari 5.1.7 support page, the update is meant to disable older versions of Flash that pose a security risk as they lack the latest vulnerability patches.

Safari 5.1.7 will scan a Mac’s Flash assets for out-of-date software, disable it if found, and inform the user via a dialog box. A link to Adobe’s website is integrated into the dialog so that users can easily locate and install the most current Flash Player.

If users need to roll back to a previous version of Flash, they must navigate to the “/Library/Internet Plug-Ins (Disabled)” folder on their Mac, drag “Flash Player.plugin” into the active “/Library/Internet Plug-Ins” folder and restart the browser.
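As an added example that is not Apple’s or Safari’s code, the following POSIX shell script mirrors the check the article describes: read the plugin’s version from its Info.plist, compare it against a minimum acceptable version, and move an outdated “Flash Player.plugin” into the “(Disabled)” folder. The CFBundleShortVersionString lookup, the MIN_FLASH_VERSION placeholder and the DRY_RUN switch are assumptions of this example, not Apple’s actual threshold or mechanism.

```shell
#!/bin/sh
# Added example, not Apple's code: reproduce the outdated-Flash check described above.
# Assumptions: the plugin's version is in Contents/Info.plist under
# CFBundleShortVersionString, and MIN_FLASH_VERSION is a placeholder, not the
# threshold Apple actually shipped. The default is a dry run (report only).
MIN_FLASH_VERSION="${MIN_FLASH_VERSION:-11.2.0.0}"
DRY_RUN="${DRY_RUN-1}"

# Print the CFBundleShortVersionString from an XML Info.plist ($1); print nothing if absent.
plist_short_version() {
    [ -r "$1" ] || return 1
    tr -d '\n' < "$1" |
        sed -n 's|.*<key>CFBundleShortVersionString</key>[[:space:]]*<string>\([^<]*\)</string>.*|\1|p'
}

# Return 0 when dotted version $1 is strictly lower than $2 (up to four numeric parts).
version_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -t . -k1,1n -k2,2n -k3,3n -k4,4n | head -n 1)" = "$1" ]
}

# Return 0 if the plugin bundle $1 is older than version $2, 1 if current, 2 if unreadable.
flash_plugin_outdated() {
    ver=$(plist_short_version "$1/Contents/Info.plist")
    [ -n "$ver" ] || return 2
    version_lt "$ver" "$2"
}

# Move "Flash Player.plugin" from the active folder $1 to the disabled folder $2,
# the same relocation the article tells users to reverse by hand.
disable_flash_plugin() {
    mkdir -p "$2" && mv "$1/Flash Player.plugin" "$2/"
}

# Audit the plugin in $1 against minimum $2; disable into $3 unless DRY_RUN is set.
# Prints one status line and always returns 0.
audit_flash() {
    plugin="$1/Flash Player.plugin"
    if [ ! -d "$plugin" ]; then
        echo "absent: no Flash Player.plugin in $1"
        return 0
    fi
    rc=0
    flash_plugin_outdated "$plugin" "$2" || rc=$?
    case $rc in
        0) echo "outdated: $(plist_short_version "$plugin/Contents/Info.plist") < $2"
           [ -n "$DRY_RUN" ] || disable_flash_plugin "$1" "$3" ;;
        1) echo "current: $(plist_short_version "$plugin/Contents/Info.plist")" ;;
        *) echo "unknown: could not read a version from $plugin" ;;
    esac
}

# Stand-alone run: audit the system folders named in the article, in dry-run mode by default.
audit_flash "${PLUGINS_DIR:-/Library/Internet Plug-Ins}" "$MIN_FLASH_VERSION" \
            "${DISABLED_DIR:-/Library/Internet Plug-Ins (Disabled)}"
```

Set DRY_RUN to an empty string to actually relocate an outdated plugin; the move is undone exactly as the paragraph above describes, by dragging the bundle back into the active folder.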

Apple has become increasingly leery about third-party applications, perhaps due to the recent Flashback malware debacle that affected more than 600,000 Macs worldwide. One of the trojan’s first iterations was discovered in 2011 when it disguised itself as a Flash Installer, though the exploit had nothing to do with Adobe’s software.

Most recently, Apple released a Java update to cope with Flashback and even created a dedicated removal tool for those Mac owners who didn’t already have Java installed on their computers.

The Safari update comes in as a 44.98MB download and can be acquired via Mac OS X’s Software Update feature.

Stay tuned for additional details as they become available.

Apple releases Security Update 2012-002 for Mac OS X 10.6 operating systems

Date: Thursday, May 10th, 2012, 06:23
Category: News, security, Software

Amidst yesterday’s update-o-rama, the Mac OS X 10.6 side of things received some attention as well.

On Wednesday, Apple released Security Update 2012-002, a patch designed to address the security issues Apple details in the update’s accompanying security note.

The update, which is designed for both Mac OS X 10.6 Client and Mac OS X 10.6 Server, weighs in as a 239 megabyte download and can also be located and installed via Mac OS X’s Software Update feature.

Security Update 2012-002 requires Mac OS X 10.6.8 or later to install and run.

Security companies estimate that the Flashback infection rate is holding steady, advise users to run update/malware removal tools

Date: Wednesday, May 9th, 2012, 06:18
Category: News, security, Software

Ok, guys, it’s time to update your Mac and help bring down the Flashback trojan malware infection rate.

Per CNET, data from efforts to estimate how many Macs remain infected with the Flashback malware suggest that, despite early reports of infection levels sinking rapidly thanks to the efforts of Apple, news organizations and anti-malware companies, the level of infections appears to be holding constant.

The spread of the Flashback malware was facilitated by a neglected security hole in Apple’s Java runtime for OS X, and at its peak it had infected around one percent of Mac systems. To tackle the spread of the malware, news organizations initially covered methods for manually removing it, after which security companies issued malware removal tools to simplify the process. Apple then released a series of Java updates to close the vulnerability and to scan for and remove known instances of the malware.

During the time of these infections, security companies set up sinkhole servers and other techniques to monitor the network traffic from the Flashback infections, and determine how many unique computers had been infected with the malware. Following the peak of the malware infection on August 6, initial reports from the anti-malware efforts suggested the infection rates had dropped significantly, with the number of infected Macs decreasing to a reported low of 30,000 in 10 days. However, despite these claims the malware has remained active, and adjustments have had to be made to these numbers.

Following the reports of success at tackling the malware, security company Dr. Web revealed errors in the infection estimates and suggested that the number of infected systems was in fact much higher. Security companies followed this news with more conservative estimates that suggested a shallower fall in infections, to an estimated 140,000 systems in late April.

Despite the higher numbers, the number of infections did fall from its peak, but while some had hoped it would fall far lower, the malware appears to have settled at a fluctuating infection rate of just over 100,000 Mac systems. In a new report by Intego, the company claims that in the past week it has observed the following numbers from its sinkhole operation:

04/30/2012 – 102,769 infected Macs
05/01/2012 – 96,948 infected Macs
05/02/2012 – 103,779 infected Macs
05/03/2012 – 121,826 infected Macs
05/04/2012 – 102,375 infected Macs
05/05/2012 – 118,593 infected Macs
05/06/2012 – 113,909 infected Macs

Intego notes that these numbers count only the active infections it monitors on a day-to-day basis, not the total number of Macs infected. Because the malware is only active while a user is logged in, Intego suggests the day-to-day differences reflect normal variation in when people use their Macs, which shifts as usage rises in some parts of the world and falls in others. The total number of infected systems is therefore likely to be considerably higher, around the 140,000 of recent estimates.

Intego has further noted that despite the initial impact of community efforts on the malware’s activity, the numbers appear to no longer be declining and show indications that they may even be increasing. Intego speculates that a small percentage of users have made no effort to update their systems, but the problem may be more than just updating. Apple has only offered updates and malware removal options for OS X 10.6 and above (its supported versions). However, this malware will also infect systems running older versions of OS X, so even if those older versions have been kept up to date, they remain vulnerable until Apple issues a proper Java fix. Not only can they still harbor the malware, but they are also subject to new infections by any of its variants.

In short, if you have a Mac running Mac OS X 10.6 or later, please install the Java updates via Mac OS X’s built-in Software Update feature. And for Apple, well, a Flashback removal update for Mac OS X versions prior to 10.6 wouldn’t hurt…

Security hole found in FileVault under Mac OS X 10.7.3

Date: Tuesday, May 8th, 2012, 06:04
Category: News, security, Software

Ok, this isn’t the best news in the world…

Per Cryptome, Apple’s legacy FileVault Mac encryption system in OS X 10.7.3 has a security flaw that could allow malicious users to access stored passwords. According to the post, the issue only applies in specific configurations to users who have updated to OS X 10.7.3, in which a system-wide debug file that records login passwords in plain text is created.

“Thus anyone who can read files accessible to group admin can discover the login passwords of any users of legacy (pre LION) Filevault home directories who have logged in since the upgrade to 10.7.3 in early February 2012,” Emery explained.

The login data can also be viewed by booting a Mac into FireWire disk mode and reading it by opening the drive as a disk. The information can also be accessed by booting the Lion recovery partition and using the available superuser shell to mount the main file system partition.

Users can protect themselves from these methods by using the whole disk encryption capabilities of FileVault 2. Emery explained that this requires that a user know at least one login password before they can access the main partition of the disk.

Further protection can be achieved by setting a firmware password that must be supplied before a user can boot the recovery partition or external media, or enter FireWire disk mode.

“Having the password logged in the clear in an admin readable file *COMPLETELY* breaks a security model — not uncommon in families — where different users of a particular machine are isolated from each other and cannot access each others’ files or login as each other with some degree of assurance of security,” Emery wrote.

The bug was introduced with Apple’s OS X 10.7.3 update, which was issued in early February. The latest version of Lion came with Wi-Fi connectivity fixes and Windows file sharing compatibility.

Stay tuned for additional details as they become available.

Symantec estimates Flashback trojan could have netted authors $10,000 a day during its peak

Date: Tuesday, May 1st, 2012, 09:58
Category: News, security, Software

Ok, so maybe crime DOES pay…

Per Symantec’s company blog, the malware known as “Flashback” that was believed to have infected hundreds of thousands of Macs may have paid out as much as US$10,000 a day to its authors.

The estimate comes from Symantec, which said in a post to its official blog that the primary motivation behind the malware was money. The Flashback Trojan includes an ad-clicking component that will load itself into the three major browsers for Mac — Safari, Firefox and Chrome — and generate revenue for the attackers.

“Flashback specifically targets queries made on Google and, depending on the search query, may redirect users to another page of the attacker’s choosing, where they receive revenue from the click,” Symantec explained.

Peering into the Trojan’s code, the security firm found a redirected URL that earns the authors of the code 8 cents per click. If a user conducts a Google search, Flashback will “hijack” the ad click from Google, taking money away from the search giant and granting “untold sums” to the authors of the Trojan.

A previous analysis of a different Trojan found that a botnet with just 25,000 infections could generate up to US$450 per day. At its peak, the Flashback Trojan was estimated to have infected 600,000 Macs worldwide, which means the authors could have earned as much as US$10,000 per day.

The presence of Flashback has greatly diminished since Apple released a series of software updates last month aimed at squashing the malware, including a Java update and a separate removal tool.

The Flashback Trojan was first discovered by another security firm, Intego, last September. The software attempts to trick users into installing it by appearing as Adobe’s Flash Player installer package.

Stay tuned for additional details as they become available, and if you haven’t downloaded and installed Apple’s Flashback removal tool via Mac OS X’s Software Update feature, there’s no time like the present.