Researcher draws attention to long-standing security vulnerability in OS X operating systems

Date: Thursday, August 29th, 2013, 10:19
Category: News, security, Software


After five months, it might be time to fix this sucker…

Per mitre.org and Ars Technica, an unaddressed bug in Apple’s Mac OS X discovered five months ago allows hackers to bypass the usual authentication measures by tweaking specific clock and user timestamp settings, granting near unlimited access to a computer’s files.

While the security flaw has been around for nearly half a year, a new module created by developers of testing software Metasploit makes it easier to exploit the vulnerability in Macs.

The bug revolves around a Unix program called sudo, which allows or disallows users operational access based on privilege levels. Top tier privileges grant access to other users’ files, though that level of control is password protected.

Instead of inputting a password, the flaw works around authentication by setting a computer’s clock to Jan. 1, 1970, or what is referred to as the Unix epoch. Unix time starts at zero hours on this date and is the basis for calculations. By resetting a Mac’s clock, as well as the sudo user timestamp, to epoch, time restrictions and privilege limitations can be bypassed.

“The bug is significant because it allows any user-level compromise to become root, which in turn exposes things like clear-text passwords from Keychain and makes it possible for the intruder to install a permanent rootkit,” said H.D. Moore, founder of the open-source Metasploit and chief research officer at security firm Rapid7.

Macs are especially vulnerable to the bug as OS X does not require a password to change these clock settings. As a result, all versions of the operating system from OS X 10.7 to the current 10.8.4 are affected. The same problem exists in Linux builds, but many of those iterations password protect clock changes.

While powerful, the bypass method has limitations. In order to implement changes, an attacker must already be logged in to a Mac with administrator privileges and have run sudo at least once before. As noted by the National Vulnerability Database, the person attempting to gain unauthorized privileges must also have physical or remote access to the target computer.
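A defensive check for the condition described above, as an added example that is not from the original article or from the sudo project: it flags sudo per-user timestamp entries whose modification time sits at the Unix epoch, and a system clock that itself reads as epoch. The directory argument, the one-day tolerance and the sample layout are assumptions.

```python
import os
import tempfile
import time

EPOCH_SLACK = 86400  # seconds; anything within a day of 1 Jan 1970 counts as "at epoch"


def clock_at_epoch(now=None):
    """True when the system clock itself reads within a day of the Unix epoch."""
    now = time.time() if now is None else now
    return abs(now) <= EPOCH_SLACK


def audit_sudo_timestamps(ts_dir, now=None):
    """Return sorted (path, reason) findings for a sudo timestamp directory.

    ts_dir is an assumption: where sudo keeps per-user timestamps depends on the build.
    """
    findings = []
    if clock_at_epoch(now):
        findings.append((ts_dir, "system clock reads as Unix epoch"))
    for root, dirs, files in os.walk(ts_dir):
        for name in dirs + files:
            path = os.path.join(root, name)
            # lstat: judge the entry itself, never a symlink target
            if abs(os.lstat(path).st_mtime) <= EPOCH_SLACK:
                findings.append((path, "user timestamp set to Unix epoch"))
    return sorted(findings)


def build_sample(base):
    """Constructed sample: two per-user timestamp entries, one reset to epoch."""
    for user in ("user_a", "user_b"):
        os.mkdir(os.path.join(base, user))
    os.utime(os.path.join(base, "user_b"), (0, 0))  # atime, mtime = 1 Jan 1970


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        build_sample(base)
        for path, reason in audit_sudo_timestamps(base):
            print(f"ALERT {reason}: {path}")
```

Reading the timestamp directory normally requires root, so a check like this belongs in a privileged scheduled audit.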

Apple has yet to respond or issue a patch for the bug.

“I believe Apple should take this more seriously but am not surprised with the slow response given their history of responding to vulnerabilities in the open source tools they package,” Moore said.

Stay tuned for additional details as they become available.

Georgia Institute of Technology security researchers prove App Store security flaw via “Jekyll and Hyde” attack

Date: Tuesday, August 20th, 2013, 07:18
Category: iOS, News, security, Software

The good news is that it’s getting a bit harder to sneak malware into the App Store.

The bad news is that it can still be done and Apple might need to invest in more security/screening features.

Per 9to5Mac and Ars Technica, researchers from the Georgia Institute of Technology managed to get a malicious app approved by Apple and included in the App Store by using a ‘Jekyll & Hyde’ approach, where the behaviour of a benign app was remotely changed after it had been approved and installed.

It appeared to be a harmless app that Apple reviewers accepted into the iOS App Store. They were later able to update the app to carry out a variety of malicious actions without triggering any security alarms. The app, which the researchers titled “Jekyll,” worked by taking the binary code that had already been digitally signed by Apple and rearranging it in a way that gave it new and malicious behaviors.

The researchers presented their findings in a paper at the USENIX Security Forum.

“Our method allows attackers to reliably hide malicious behavior that would otherwise get their app rejected by the Apple review process. Once the app passes the review and is installed on an end user’s device, it can be instructed to carry out the intended attacks. The key idea is to make the apps remotely exploitable and subsequently introduce malicious control flows by rearranging signed code. Since the new control flows do not exist during the app review process, such apps, namely Jekyll apps, can stay undetected when reviewed and easily obtain Apple’s approval.”

An Apple spokesman stated that changes have been made to iOS as a result of the exploit, but it’s not yet clear whether the change is to iOS 7 or the older iOS 5 and 6 versions that had been attacked. The researchers only left their app in the store for a few minutes and said that it was not downloaded by anyone outside the project in that time.

Apple Senior Vice President Phil Schiller tweeted back in March about a study revealing the rising incidences of malware on Android. The study showed that Android accounted for 79 percent of all mobile malware in 2012, while iOS came in at less than 1 percent.

Stay tuned for additional details as they become available.

Adobe releases Flash Player 11.8.800.146 beta

Date: Friday, August 16th, 2013, 09:19
Category: News, security, Software

When in doubt, there’s always the public beta to make things a bit better.

On Thursday, Adobe released Flash Player 11.8.800.115 for Mac OS X, an 18 megabyte download via MacUpdate. The new version adds the following fixes and changes:

- Includes new features as well as enhancements and bug fixes related to security, stability, performance, and device compatibility.

The Adobe Flash Player 11.8.800.146 beta requires an Intel-based Mac running Mac OS X 10.6 or later to install and run.

If you’ve tried the new Flash Player and have any feedback to offer, please let us know in the comments.

President Obama, Tim Cook, others meet to discuss PRISM surveillance

Date: Friday, August 9th, 2013, 07:54
Category: News, security


It’s not the happiest topic, but they’re meeting to discuss it.

On Thursday, President Obama met with Tim Cook and other tech executives from companies like Google and AT&T to discuss government surveillance, according to Politico.

Civil liberties leaders were also at the closed-door meeting. The White House declined to comment about the details of the meeting, and all the attendees also declined to comment to Politico about any specifics. However, a White House aide did tell Politico:

“This is one of a number of discussions the administration is having with experts and stakeholders in response to the president’s directive to have a national dialogue about how to best protect privacy in a digital era, including how to respect privacy while defending our national security.”

These meetings are no doubt in response to the PRISM document leaks that occurred in June. These documents revealed that major tech companies may be cooperating with the US government to gather surveillance data about their users.

Stay tuned for additional details as they become available.

Microsoft releases Office 2011 14.3.6 update

Date: Wednesday, July 17th, 2013, 12:30
Category: News, security, Software

An update’s an update.

Microsoft on Wednesday released version 14.3.6 of its Microsoft Office 2011 suite for the Mac. The update, a 113 megabyte download, features the following changes:

- This update fixes an issue in which Outlook repeatedly tried to send messages that exceeded certain server-side size limits from the Outbox. Now, messages that exceed these size limits are put in the local Drafts folder after three unsuccessful attempts to send the messages.

- This update fixes an issue in which syncing a folder from which many messages were deleted on another client frequently caused Microsoft Outlook for Mac to freeze.

- This update fixes an issue that causes Word to be unable to save files to an SMB share.

- Full release notes can be found here.

The update can also be located and installed via the Microsoft AutoUpdate feature.

Microsoft Office 2011 14.3.6 requires an Intel-based Mac running Mac OS X 10.5.8 or later to install and run.

If you’ve tried the new version and have any feedback to offer, let us know in the comments.

Apple releases Security Update 2013-003 for Mountain Lion users

Date: Wednesday, July 3rd, 2013, 06:38
Category: News, security, Software

You might want to snag this.

Per the Mac Observer, Apple released Security Update 2013-003 for Mountain Lion on Tuesday.

The update’s specific security changes can be found here.

Security Update 2013-003 showed up earlier in the day on Tuesday, but quickly disappeared from Apple’s site. It reappeared late in the afternoon with a “1.0” appended to the update’s name in Software Update on the Mac App Store, where it’s available now. It is also available as a 20.84 megabyte download and requires OS X 10.8.4 or later to install and run.

If you’ve tried the update and have any feedback to offer about it, please let us know in the comments.

iOS 7 developer beta incorporates password disable feature

Date: Wednesday, June 26th, 2013, 07:00
Category: iOS, News, security, Software


As mentioned before, it’s the beta versions that point out the cool stuff on the horizon.

Per AppleInsider, Apple’s latest beta build of iOS 7 makes it more difficult for thieves to get away with stealing an iOS device by requiring a user’s password to be entered when disabling the “Find My iPhone” functionality.

The new feature, found in pre-release builds of iOS 7 made available to developers, also applies to the iPad. Users can open the Settings application, choose iCloud, then “Find My iPhone”; flipping the switch to off brings up a password prompt.

The addition addresses a potential issue that users have noticed for years, since the “Find My iPhone” functionality came to iOS 4 in 2010. With iOS 7, users who may not feel the need to utilize the passcode lock screen can still enjoy added security for the Find My iPhone feature, making it more difficult for a thief to turn it off.

Of course, someone who has stolen an iPhone or iPad could simply turn off the device, or remove a SIM card. But the new feature is just an added level of security for those who may be unfortunate enough to have their device stolen.

Still, not a bad addition.

Please let us know what you think of this in the comments.

Apple releases Java 2013-004 update for Mac OS X 10.7, 10.8 operating systems

Date: Wednesday, June 19th, 2013, 05:00
Category: News, security, Software


A well-timed security update never hurts.

On Wednesday, Apple released its Java 2013-004 update for its Mac OS X 10.7 and 10.8 operating systems. The update, a 64 megabyte download, adds the following fixes and changes:

- Java for OS X 2013-004 supersedes all previous versions of Java for OS X.

- This release updates the Apple-provided system Java SE 6 to version 1.6.0_51 and is for OS X versions 10.7 or later.

- This update uninstalls the Apple-provided Java applet plug-in from all web browsers. To use applets on a web page, click on the region labeled “Missing plug-in” to go download the latest version of the Java applet plug-in from Oracle.

- This update also removes the Java Preferences application, which is no longer required to configure applet settings.

The Java 2013-004 update requires an Intel-based Mac running Mac OS X 10.7 to install and run. If you’ve installed this new update and have any feedback to offer, please let us know in the comments.

Apple releases Java for Mac OS X 10.6 Update 16

Date: Tuesday, June 18th, 2013, 14:07
Category: News, security, Software


This might come in handy.

On Tuesday, Apple released Java for Mac OS X 10.6 Update 16, a security update that stands as a 69.48 megabyte download and offers the following fixes and changes:

- This update enables website-by-website control of the Java plug-in within Safari 5.1.9 or later, and supersedes all previous versions of Java for Mac OS X v10.6.

- This release updates the Apple-provided system Java SE 6 to version 1.6.0_51 for Mac OS X v10.6.

The update requires an Intel-based Mac running Mac OS X 10.6.8 or later to install and run.

The updates can be located, snagged and installed via the Software Update feature built into the Mac OS X operating system.

If you’ve tried the updates and have any feedback to offer, please let us know in the comments.

Apple to include “kill switch” feature in iOS 7, require Apple ID and password to reenable stolen devices

Date: Wednesday, June 12th, 2013, 07:44
Category: iOS, iPhone, News, security, Software


This shouldn’t be overlooked.

According to CNN, Apple will add an Activation Lock feature as part of iOS 7. The feature, which functions as a “kill switch”, will require an Apple ID and password before an iOS device’s “Find My iPhone” feature can be turned off or any data can be erased.

At a keynote address opening its annual Worldwide Developers Conference, the company said the same ID and password will be needed to reactivate a device after it’s been remotely erased. The same ID and password will still be required even after the SIM card has been removed from the stolen device.

As mobile devices become more popular, stealing them has become a unique sort of crime that has law enforcement and government officials taking notice.

In New York, a special police unit has been created to deal with stolen mobile devices.

Stay tuned for additional details as they become available.