New “MAC Defender” malware variant surfaces, works way around recent security update

Posted by:
Date: Thursday, June 2nd, 2011, 04:10
Category: News, security, Software

Only one day after Apple released a security update for Mac OS X to address the “MAC Defender” malware, a new variant of the bogus antivirus software has been spotted in the wild.

Per ZDNet, the new variation of MAC Defender, named “Mdinstall.pkg,” has been crafted to bypass the new malware-blocking code made available by Apple. That update for Mac OS X, Security Update 2011-003, was released on Tuesday.

“The file has a date and time stamp from last night at 9:24PM Pacific time,” Bott wrote. That’s less than 8 hours after Apple’s security update was released. On a test system using Safari with default settings, it behaved exactly as before, beginning the installation process with no password required.

“As PC virus experts know, this cat-and-mouse game can go on indefinitely. Your move, Apple.”

Security Update 2011-003 included changes to the File Quarantine feature found in Mac OS X 10.6 Snow Leopard. It includes anti-malware definitions within the operating system itself, and examines external files downloaded within Mail, iChat, Safari, or other quarantine-aware applications.

The MACDefender malware first gained attention in early May, when it was spotted by an antivirus company. The program automatically downloads in Web browsers through JavaScript and originally required users to enter an administrator password, but a more recent variant does not ask for a password.

Some reports have suggested that the “MAC Defender” malware has spread quickly, with Bott earlier citing an anonymous AppleCare representative that apparently said the “overwhelming majority” of recent calls to Apple were related to the malware. Last week, Apple posted instructions on its site informing users on how to remove the malware.

Stay tuned for additional details as they become available.

Apple releases Security Update 2011-003, removes Mac Defender malware

Posted by:
Date: Wednesday, June 1st, 2011, 03:15
Category: News, security, Software

Beating the expected arrival date (the Mac OS X 10.6.8 update had been anticipated to take care of this), Apple has released Security Update 2011-003, which adds malware detection and removal for the “MAC Defender” scam and delivers a daily update mechanism for updating subsequent malware definitions.

Per AppleInsider, the 2.3 megabyte security update for Mac OS X 10.6.7 is available as a direct download or via Mac OS X’s Software Update feature. Installing the update does not require a system reboot.

The update adds malware discovery and removal for MAC Defender and all of its known variants, using the simple malware file quarantine feature that was first added to Mac OS X 10.6 Snow Leopard.

The Mac OS X file quarantine feature examines external files downloaded within Mail, iChat, Safari or other file quarantine-aware applications, warning users of downloads that match the definition of malware.

In addition to adding a definition for the latest “MAC Defender” trojan horse to warn users that the download should be deleted, the new security update adds a daily malware definitions check to make subsequent malware attempts even easier for Apple to protect it users from.

Users can opt out of the daily malware definitions update check by unchecking the new “Automatically update safe downloads list” checkbox in Security Preferences.

If you’ve tried the update and have any feedback to offer, let us know.

New version of “Mac Defender” malware found, lacks administrator password requirement

Posted by:
Date: Thursday, May 26th, 2011, 03:05
Category: News, security, Software

Somewhere, the guys who created this program really DO have a bridge to try and sell you…

Per security firm Intego, a new, more dangerous variant of “MAC Defender,” dubbed “Mac Guard,” has been discovered, the new malware variant lacking the requirement of an administrator password to install.

The discovery was announced on Wednesday, the company commenting that “the first part is a downloader, a tool that, after installation, downloads a payload from a web server,” the security firm said.

“As with the Mac Defender malware variants, this installation package, called avSetup.pkg, is downloaded automatically when a user visits a specially crafted web site,” the firm continued.

No administrator’s password is required to install the application, and if users have Safari’s “Open ‘safe’ files after downloading option checked, the package will open Apple’s Mac OS X installer, and users will see a standard installation screen. However, at this point users must still agree to install the “MAC Defender” malware.

The second part of the malware is a new version called “MacGuard.” The avRunner application automatically downloads “MacGuard,” which, like its predecessor, aims to trick users into providing credit card numbers in exchange for supposedly ridding a users’ systems of “infected” files for a given license fee.

This week, Apple posted a support document on its web site explaining how to remove the “MAC Defender” malware. The company also revealed it will release an update to its Mac OS X operating system that will automatically find and remove the malware.

Some reports have suggested that the “MAC Defender” malware has spread quickly, with one anonymous AppleCare representative claiming that the “overwhelming majority” of recent calls to Apple were related to the malware. The software was first discovered early this month, also by Intego.

While the original variant was categorized as a “low” threat because it requires users to type in an administrator password, the latest version is considered more dangerous, and was ranked with a “medium” risk.

The malware has spread through search engines like Google via a method known as “SEO poisoning.” Using this technique, phony sites are designed to game search engine algorithms and show up when users search for certain topics.

“MAC Defender” trojan goes live, prompts users for credit card information

Posted by:
Date: Tuesday, May 3rd, 2011, 04:20
Category: News, security, Software

Security firm Intego announced Monday that a fake antivirus program for Mac OS X has been discovered in the wild. While the threat potential remains low, inexperienced users could be fooled into paying to remove fake viruses “detected” by the software, and in the process, could end up giving credit card information to scammers.

Per Ars Technica, the fake antivirus software calls itself “MAC Defender,” perhaps the first hint that it should not be trusted (Apple makes “Macs,” not “MACs”). The developers have incorporated what’s known as “SEO poisoning” to make links to the software show up at the top of search results in Google and other search engines. Clicking the links that show up in search results brings up a fake Windows screen that tells the user a virus has been “detected,” another clue that something is fishy. JavaScript code then automatically downloads a zipped installer for MAC Defender.

If the “Open ‘safe’ files after downloading” option is turned on in Safari, the installer will be unzipped and run. Since the installer requires a user password, it won’t install without user interaction. However, inexperienced users may be fooled into thinking the software is legitimate.

Intego notes that the application is visually well designed and doesn’t have numerous misspellings or other errors common to such malware on Windows, though it does seem to contain some sketchy grammar. The software will periodically display Growl alerts that various fake malware has been detected, and also periodically opens porn websites in the default browser, perhaps leading a user to believe the detected malware “threats” are real. Users are then directed to an insecure website to pay for a license and “clean” the malware infections. However, buying the license merely stops the fake alerts from popping up, but your money and credit card info is now in the hands of hackers.

While MAC Defender wouldn’t likely fool an experienced user, Intego notes that its appearance in the wild is yet another opportunity to detail some useful security precautions. Don’t let your browser automatically open downloads. If your browser asks if you want to run an installer even though you didn’t try to download one, click “cancel.” And never give your password to run installers you aren’t 100% sure about.

On a final note, if you or anyone you know happens to know who created this thing, feel free to kick them in the shins at your earliest convenience.

Apple addresses security concerns with QuickTime 7.6.9 update for Mac OS X 10.5.x operating systems

Posted by:
Date: Wednesday, December 8th, 2010, 05:14
Category: News, security, Software

quicktimelogo.jpg

Per the cool cats over at CNET, Apple has updated its Quicktime software, now at version 7.6.9, to fix vulnerabilities where a maliciously designed file could execute arbitrary code or lead to the application terminating.

As Apple describes in its knowledge base article:
“Description: A heap buffer overflow exists in QuickTime’s handling of JP2 images. Viewing a maliciously crafted JP2 image may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved bounds checking. For Mac OS X v10.6 systems, this issue is addressed in Mac OS X v10.6.5. Credit to Nils of MWR InfoSecurity, and Will Dormann of the CERT/CC, for reporting this issue.”

Also included in this security update are fixes to maliciously crafted avi file types, other movie file types, FlashPix image files, GIF image files, or PICT image files, as well as a possibility that local users may have access to sensitive information on certain Windows machines.
The update is for Mac users running Mac OS X 10.5.8 or Server 10.5.8. For more information, visit the entire security update article.

As usual, the update can be located, snagged and installed via Mac OS X’s Software Update feature.

If you’ve tried the update and noticed any major changes, let us know in the comments.

Apple explains iOS 4.2 security fixes

Posted by:
Date: Wednesday, November 24th, 2010, 08:41
Category: News, security, Software

Following Apple’s Monday release of iOS 4.2 for iPads, iPhones and iPod touch devices, the company outlined its security fixes in a Knowledge Base entry posted online.

Per Macworld, many of the patches protect against malicious attackers running code on your device, which could in theory be used for all sorts of malicious purposes. Vulnerabilities were corrected for WebKit, Configuration Profiles, CoreGraphics, FreeType (in PDF rendering), and more to prevent against this type of attack.

iOS 4.2 also includes a fix for iAd content display, to prevent attackers in what Apple calls “a privileged network position” to force phone calls from your device without your permission. A separate fix for Mail corrects an issue where carefully-crafted HTML emails could track whether you viewed a message, even if you had turned off remote image loading in Settings.

The update also addresses a situation where your MobileMe password could become visible to an outside user in a privileged network position when using the Photos app to send images to the service. iOS 4.2 also corrects a race condition that could force the Reset Safari option to take a full 30 seconds to remove your saved Web passwords–during which time a speedy user with access to your device could still log in to those sites.

So, there you have it. And if you’ve noticed any major changes in iOS that you’d like to comment on, let us know.

Apple release Security Update 2010-007 update for Mac OS X 10.5 operating systems

Posted by:
Date: Friday, November 12th, 2010, 05:27
Category: News, security, Software

On Wednesday, Apple released Security Update 2010-007, bringing the same security patches included in the recent Mac OS X 10.6.5 release to Macs running 10.5 Leopard client or server versions.

Per Macworld, the more prominent fixes included in the update is a fix for a bug in Apple Type Services which could allow the downloading of a maliciously crafted font file to lead to arbitrary code execution. That bug, originally caught by security firm Core Security, was similar to a vulnerability in Apple’s iOS that allowed hackers to jailbreak devices running that software. Apple patched the flaw in an iOS update

In addition to fixing the font bug, 2010-007 brings an updated version of Adobe’s Flash Player plug-in (numbered 10.1.102.64) which patches a number of security vulnerabilities, some of which could lead to arbitrary code execution. Patches are also included for a number of holes in QuickTime, Time Machine, Safari RSS, Quick Look, and several of OS X’s other underlying systems.

The Leopard client version of Security Update 2010-007 is a 240.74 megabyte download while the server version is a 448.10 megabyte download. If you’re running an eligible system, the relevant update should appear via Mac OS X’s Software Update feature.

If you’ve tried the update and noticed any major changes, please let us know.

Security researchers locate additional iPhone security hole, publish findings

Posted by:
Date: Thursday, May 27th, 2010, 04:02
Category: iPhone, News, security

3gs.jpg

Even if you feel absolutely secure in entering your PIN every time you unlock your iPhone, there may still be some security shortfalls. Per a blog post by Bernd Marienfeldt, Marienfeldt and fellow security wonk Jim Herbeck have discovered that plugging even a fully up-to-date, non-jailbroken iPhone 3GS into a computer running Ubuntu Lucid Lynx allows nearly full read access to the phone’s storage even when it’s locked.

The belief is that they’re just a buffer overflow away from full write access as well, which would surely open the door to making calls. Bernd believes the iPhone’s lack of data encryption for content is a real problem, and also cites the inability to digitally sign e-mails as reasons why the iPhone is still not ready for prime time in the enterprise.

Still, better that these guys found it and put the evidence in front of Apple than another party locate the security hole.

Stay tuned for additional details as they become available.

Apple releases Security Update 2010-003 for Mac OS X 10.5, 10.6 operating systems

Posted by:
Date: Thursday, April 15th, 2010, 04:40
Category: security, Software

applelogo_silver

Following up on a slew of recent software updates, Apple released Security Update 2010-003 on Wednesday. The update, which varies in size between 6.2 and 208 megabytes depending on the version used and fixes assorted security holes described here.

The update, as usual, can be located, snagged and installed Mac OS X’s Software Update feature.

Security Update 2010-003 requires Mac OS X 10.5 or later to install and run.

If you’ve installed the update and noticed any changes, let us know.

Apple releases Security Update 2010-002 for Mac OS X 10.5.x

Posted by:
Date: Tuesday, March 30th, 2010, 03:26
Category: security, Software

applelogo_silver

Following yesterday’s release of the Mac OS X 10.6.3 update for Mac OS X 10.6 (Snow Leopard) users, Apple also released Security Update 2010-002, a 208 megabyte download that incorporates previous security updates have been incorporated into this security update and essentially brings Mac OS X 10.5.x to the same security standard as Mac OS X 10.6.3.

For a full list of the changes, click here.

As usual, the update can also be located, snagged and installed via Mac OS X’s Software Update feature.

Security Update 2010-002 requires Mac OS X 10.5 or later to install and run.