Apple blocks certain Java plug-ins, goes through security protocols yet again

Posted by:
Date: Friday, August 30th, 2013, 08:46
Category: News, security, Software

As nifty and useful as Java tends to be, its security nightmares remain.

And you should probably download and install the most recent version possible.

Per The Mac Observer, Apple on Thursday blocked the Java 6 and Java 7 plug-ins for Mac users over more potential security threats, the third such block this year. Mac users running versions of Java earlier than version 6 update 51 and version 7 update 25 can no longer run Java code on their computers until they update to a newer version.

Apple hasn’t uninstalled Java from users’ Macs; instead it has simply disabled the older versions of the plug-in, which means apps and websites that rely on Java either won’t work or will be only partially functional. Users running newer versions of the plug-ins aren’t affected.

This isn’t the first time this year Apple has remotely disabled older versions of Java over security-related issues. Mac owners who don’t actually need Java can uninstall it, or at least find out exactly which version is installed on their Mac, by following along with TMO’s handy guide.

Apple has taken to remotely disabling older versions of Java on users’ Macs, and will also auto-disable the plug-in when it hasn’t been used for at least 30 days. You can also disable Java yourself in Safari’s preferences.

Apple has stopped maintaining Java on its own and has handed that task off to Oracle, which also happens to be the company that develops the Java platform. Assuming you need Java on your Mac, you can find the latest version at Oracle’s Java website.

Stay tuned for additional details as they become available.

Researcher draws attention to long-standing security vulnerability in OS X operating systems

Posted by:
Date: Thursday, August 29th, 2013, 10:19
Category: News, security, Software


After five months, it might be time to fix this sucker…

Per mitre.org and Ars Technica, an unaddressed bug in Apple’s Mac OS X discovered five months ago allows hackers to bypass the usual authentication measures by tweaking specific clock and user timestamp settings, granting near-unlimited access to a computer’s files.

While the security flaw has been around for nearly half a year, a new module created by the developers of the Metasploit testing framework makes it easier to exploit the vulnerability on Macs.

The bug revolves around a Unix program called sudo, which allows or disallows users operational access based on privilege levels. Top-tier privileges grant access to files belonging to other users, though that level of control is password protected.

Instead of inputting a password, the flaw works around authentication by setting a computer’s clock to Jan. 1, 1970, the date referred to as the Unix epoch. Unix time starts at zero hours on this date and is the reference point from which all Unix time calculations are counted. By resetting a Mac’s clock, as well as the sudo user timestamp, to the epoch, time restrictions and privilege limitations can be bypassed.

“The bug is significant because it allows any user-level compromise to become root, which in turn exposes things like clear-text passwords from Keychain and makes it possible for the intruder to install a permanent rootkit,” said H.D. Moore, founder of the open-source Metasploit and chief research officer at security firm Rapid7.

Macs are especially vulnerable to the bug as OS X does not require a password to change these clock settings. As a result, all versions of the operating system from OS X 10.7 to the current 10.8.4 are affected. The same problem exists in Linux builds, but many of those iterations password protect clock changes.

While powerful, the bypass method has limitations. In order to implement changes, an attacker must already be logged in to a Mac with administrator privileges and have run sudo at least once before. As noted by the National Vulnerability Database, the person attempting to gain unauthorized privileges must also have physical or remote access to the target computer.
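To show the defender’s side of the timestamp trick described above, here is a small Python detector, added as an example here and not part of the original article or of Metasploit. It scans system-log lines for a clock that has been wound back (a reset to the epoch shows up as Jan 1 00:00 in year-less syslog output) and flags any sudo invocation that lands inside that window; it also checks whether a sudoers Defaults line sets timestamp_timeout=0, the sudoers(5) option that makes sudo prompt for a password on every run so there is no cached timestamp to replay. The log excerpt and sudoers snippets are constructed, as is the assumed year 2013 used to complete the year-less timestamps.

```python
import re
from datetime import datetime, timezone

# Constructed macOS-style system.log excerpt (not a real capture). syslog lines
# carry no year, so the caller supplies the year they were written in.
SAMPLE_LOG = """\
Aug 29 10:19:02 mac-mini sudo[512]:     alice : TTY=ttys000 ; PWD=/Users/alice ; USER=root ; COMMAND=/usr/bin/id
Aug 29 10:19:40 mac-mini kernel[0]: en0: link up
Jan  1 00:00:03 mac-mini sudo[530]:     alice : TTY=ttys000 ; PWD=/Users/alice ; USER=root ; COMMAND=/bin/sh
Jan  1 00:00:07 mac-mini kernel[0]: disk2: media ejected
Aug 29 10:21:00 mac-mini loginwindow[60]: USER_PROCESS: 60 console
"""

MONTHS = {name: i for i, name in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<proc>[^\[:\s]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")


def parse_line(line, year):
    """Return (timestamp, process, message) for one syslog line, or None if the
    line does not match the expected layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    hour, minute, second = (int(x) for x in m["time"].split(":"))
    ts = datetime(year, MONTHS[m["mon"]], int(m["day"]), hour, minute, second,
                  tzinfo=timezone.utc)
    return ts, m["proc"], m["msg"]


def find_clock_anomalies(lines, year=2013, max_backstep=60):
    """Flag lines whose timestamp sits more than max_backstep seconds behind the
    latest timestamp already seen. Log time only moves forward on a healthy host,
    so a large backward step means the clock was changed; a step that lands on
    Jan 1 00:00 is what a reset to the Unix epoch looks like once the year is
    stripped, and sudo activity inside that window deserves a closer look.
    Returns a list of (1-based line number, reason) tuples."""
    findings = []
    high_water = None  # latest timestamp seen so far (assumed year supplied by caller)
    for number, line in enumerate(lines, start=1):
        parsed = parse_line(line, year)
        if parsed is None:
            continue
        ts, proc, _msg = parsed
        if high_water is None or ts > high_water:
            high_water = ts
            continue
        behind = (high_water - ts).total_seconds()
        if behind <= max_backstep:
            continue
        reasons = [f"timestamp {behind:.0f}s behind latest seen"]
        if (ts.month, ts.day, ts.hour, ts.minute) == (1, 1, 0, 0):
            reasons.append("epoch-like time (Jan 1 00:00)")
        if proc == "sudo":
            reasons.append("sudo ran while the clock was wound back")
        findings.append((number, "; ".join(reasons)))
    return findings


# Matches a sudoers Defaults line that sets timestamp_timeout. A commented-out
# line never matches because it no longer starts with the word Defaults.
DEFAULTS_RE = re.compile(r"^\s*Defaults\b[^#]*\btimestamp_timeout\s*=\s*(-?\d+)")


def credential_caching_disabled(sudoers_text):
    """True when the effective Defaults setting is timestamp_timeout=0, so sudo
    asks for a password on every run and keeps no timestamp that could be
    replayed. Later Defaults lines override earlier ones, so the last value
    wins; an unmodified sudoers sets nothing and therefore returns False."""
    value = None
    for line in sudoers_text.splitlines():
        m = DEFAULTS_RE.match(line)
        if m:
            value = int(m.group(1))
    return value == 0


if __name__ == "__main__":
    for number, reason in find_clock_anomalies(SAMPLE_LOG.splitlines()):
        print(f"line {number}: {reason}")
    print("caching disabled:",
          credential_caching_disabled("Defaults timestamp_timeout=0\n"))
```

Run against the constructed excerpt, the detector reports lines 3 and 4 (the sudo run and the kernel message that follow the clock reset) and stays quiet once the clock moves forward again. The high-water-mark approach needs no state beyond the latest good timestamp, so it works the same on a live tail as on an archived file.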

Apple has yet to respond or issue a patch for the bug.

“I believe Apple should take this more seriously but am not surprised with the slow response given their history of responding to vulnerabilities in the open source tools they package,” Moore said.

Stay tuned for additional details as they become available.

Georgia Institute of Technology security researchers prove App Store security flaw via “Jekyll and Hyde” attack

Posted by:
Date: Tuesday, August 20th, 2013, 07:18
Category: iOS, News, security, Software

The good news is that it’s getting a bit harder to sneak malware into the App Store.

The bad news is that it can still be done and Apple might need to invest in more security/screening features.

Per 9to5Mac and Ars Technica, researchers from the Georgia Institute of Technology managed to get a malicious app approved by Apple and included in the App Store by using a ‘Jekyll & Hyde’ approach, where the behaviour of a benign app was remotely changed after it had been approved and installed.

It appeared to be a harmless app that Apple reviewers accepted into the iOS App Store. They were later able to update the app to carry out a variety of malicious actions without triggering any security alarms. The app, which the researchers titled “Jekyll,” worked by taking the binary code that had already been digitally signed by Apple and rearranging it in a way that gave it new and malicious behaviors.

The researchers presented their findings in a paper at the USENIX Security Forum.

“Our method allows attackers to reliably hide malicious behavior that would otherwise get their app rejected by the Apple review process. Once the app passes the review and is installed on an end user’s device, it can be instructed to carry out the intended attacks. The key idea is to make the apps remotely exploitable and subsequently introduce malicious control flows by rearranging signed code. Since the new control flows do not exist during the app review process, such apps, namely Jekyll apps, can stay undetected when reviewed and easily obtain Apple’s approval.”

An Apple spokesman stated that changes have been made to iOS as a result of the exploit, but it’s not yet clear whether the change is to iOS 7 or the older iOS 5 and 6 versions that had been attacked. The researchers only left their app in the store for a few minutes and said that it was not downloaded by anyone outside the project in that time.

Apple Senior Vice President Phil Schiller tweeted back in March about a study revealing the rising incidences of malware on Android. The study showed that Android accounted for 79 percent of all mobile malware in 2012, while iOS came in at less than 1 percent.

Stay tuned for additional details as they become available.

Adobe releases Flash Player 11.8.800.146 beta

Posted by:
Date: Friday, August 16th, 2013, 09:19
Category: News, security, Software

When in doubt, there’s always the public beta to make things a bit better.

On Thursday, Adobe released Flash Player 11.8.800.115 for Mac OS X, an 18 megabyte download via MacUpdate. The new version adds the following fixes and changes:

- Includes new features as well as enhancements and bug fixes related to security, stability, performance, and device compatibility.

The Adobe Flash Player 11.8.800.146 beta requires an Intel-based Mac running Mac OS X 10.6 or later to install and run.

If you’ve tried the new Flash Player and have any feedback to offer, please let us know in the comments.

President Obama, Tim Cook, others meet to discuss PRISM surveillance

Posted by:
Date: Friday, August 9th, 2013, 07:54
Category: News, security


It’s not the happiest topic, but they’re meeting to discuss it.

On Thursday, President Obama met with Tim Cook and other tech executives from companies like Google and AT&T to discuss government surveillance according to Politico.

Civil liberties leaders were also at the closed-door meeting. The White House declined to comment about the details of the meeting, and all the attendees also declined to comment to Politico about any specifics. However, a White House aide did tell Politico:

“This is one of a number of discussions the administration is having with experts and stakeholders in response to the president’s directive to have a national dialogue about how to best protect privacy in a digital era, including how to respect privacy while defending our national security.”

These meetings are no doubt in response to the PRISM document leaks that occurred in June, which revealed that major tech companies may be cooperating with the US government to gather surveillance data about their users.

Stay tuned for additional details as they become available.

Microsoft releases Office 2011 14.3.6 update

Posted by:
Date: Wednesday, July 17th, 2013, 12:30
Category: News, security, Software

An update’s an update.

Microsoft on Wednesday released version 14.3.6 of its Microsoft Office 2011 suite for the Mac. The update, a 113 megabyte download, features the following changes:

- This update fixes an issue in which Outlook repeatedly tried to send messages that exceeded certain server-side size limits from the Outbox. Now, messages that exceed these size limits are put in the local Drafts folder after three unsuccessful attempts to send the messages.

- This update fixes an issue in which syncing a folder from which many messages were deleted on another client frequently caused Microsoft Outlook for Mac to freeze.

- This update fixes an issue that causes Word to be unable to save files to an SMB share.

- Full release notes can be found here.

The update can also be located and installed via the Microsoft AutoUpdate feature.

Microsoft Office 2011 14.3.6 requires an Intel-based Mac running Mac OS X 10.5.8 or later to install and run.

If you’ve tried the new version and have any feedback to offer, let us know in the comments.

Apple releases Security Update 2013-003 for Mountain Lion users

Posted by:
Date: Wednesday, July 3rd, 2013, 06:38
Category: News, security, Software

You might want to snag this.

Per the Mac Observer, Apple released Security Update 2013-003 for Mountain Lion on Tuesday.

The update’s specific security changes can be found here.

Security Update 2013-003 showed up earlier in the day on Tuesday, but quickly disappeared from Apple’s site. It reappeared late in the afternoon with a “1.0” appended to the update’s name in Software Update on the Mac App Store, where it’s available now. It is also available as a 20.84 megabyte download and requires OS X 10.8.4 or later to install and run.

If you’ve tried the update and have any feedback to offer about it, please let us know in the comments.

iOS 7 developer beta incorporates password disable feature

Posted by:
Date: Wednesday, June 26th, 2013, 07:00
Category: iOS, News, security, Software


As mentioned before, it’s the beta versions that point out the cool stuff on the horizon.

Per AppleInsider, Apple’s latest beta build of iOS 7 makes it more difficult for thieves to get away with stealing an iOS device by requiring a user’s password to be entered when disabling the “Find My iPhone” functionality.

The new feature, found in pre-release builds of iOS 7 made available to developers, also applies to the iPad. Users can open the Settings application, choose iCloud, then “Find My iPhone”; flipping the switch to off brings up a password prompt.

The addition addresses a potential issue that users have noticed for years, since the “Find My iPhone” functionality came to iOS 4 in 2010. With iOS 7, users who may not feel the need to utilize the passcode lock screen can still enjoy added security for the Find My iPhone feature, making it more difficult for a thief to turn it off.

Of course, someone who has stolen an iPhone or iPad could simply turn off the device, or remove a SIM card. But the new feature is just an added level of security for those who may be unfortunate enough to have their device stolen.

Still, not a bad addition.

Please let us know what you think of this in the comments.

Apple releases Java 2013-004 update for Mac OS X 10.7, 10.8 operating systems

Posted by:
Date: Wednesday, June 19th, 2013, 05:00
Category: News, security, Software


A well-timed security update never hurts.

On Wednesday, Apple released its Java 2013-004 update for its Mac OS X 10.7 and 10.8 operating systems. The update, a 64 megabyte download, adds the following fixes and changes:

- Java for OS X 2013-004 supersedes all previous versions of Java for OS X.

- This release updates the Apple-provided system Java SE 6 to version 1.6.0_51 and is for OS X versions 10.7 or later.

- This update uninstalls the Apple-provided Java applet plug-in from all web browsers. To use applets on a web page, click on the region labeled “Missing plug-in” to go download the latest version of the Java applet plug-in from Oracle.

- This update also removes the Java Preferences application, which is no longer required to configure applet settings.

The Java 2013-004 update requires an Intel-based Mac running Mac OS X 10.7 to install and run. If you’ve installed this new update and have any feedback to offer, please let us know in the comments.

Apple releases Java for Mac OS X 10.6 Update 16

Posted by:
Date: Tuesday, June 18th, 2013, 14:07
Category: News, security, Software


This might come in handy.

On Tuesday, Apple released Java for Mac OS X 10.6 Update 16, a security update that stands as a 69.48 megabyte download and offers the following fixes and changes:

- This update enables website-by-website control of the Java plug-in within Safari 5.1.9 or later, and supersedes all previous versions of Java for Mac OS X v10.6.

- This release updates the Apple-provided system Java SE 6 to version 1.6.0_51 for Mac OS X v10.6.

The update requires an Intel-based Mac running Mac OS X 10.6.8 or later to install and run.

The updates can be located, snagged and installed via the Software Update feature built into the Mac OS X operating system.

If you’ve tried the updates and have any feedback to offer, please let us know in the comments.