Apple quietly disables Oracle’s Java 7 Update 11 fix via XProtect anti-malware feature in OS X

Posted by:
Date: Thursday, January 31st, 2013, 08:19
Category: News, security, Software

javaicon

When it comes to Java, there’s always an argument to be had between Apple and Oracle.

Per MacGeneration, the recently released Java 7 Update 11 has been blocked by Apple through its XProtect anti-malware feature in OS X.

Oracle issued the latest update to Java earlier this month to fix a serious zero-day security flaw. The threat was so serious that the U.S. Department of Homeland Security had recommended that all Java 7 users disable or uninstall the software until a patch was issued.

Apple took action on its own and quietly disabled the plugin through its OS X anti-malware system. As noted by the article, Apple has again updated its OS X XProtect list, this time to block Java 7 Update 11.

Because Oracle has yet to issue a newer version of Java that addresses any outstanding issues, Mac users are prevented from running Java on their system.

Over the last few years, Apple has moved to gradually remove Java from OS X. The company dropped the Java runtime from the default installation for OS X 10.7 Lion when the operating system update launched in 2010. Java vulnerabilities have been a common exploit used by malicious hackers looking to exploit the OS X platform.

Most notably, the “Flashback” trojan that spread last year was said to have infected as many as 600,000 Macs worldwide at its peak. Apple addressed the issue by releasing a removal tool specifically tailored for the malware, and also disabled the Java runtime in its Safari web browser starting with version 5.1.7.

Oracle releases updated Java 7 Update 11 security fix, now available for download

Posted by:
Date: Monday, January 14th, 2013, 08:28
Category: News, security, Software

javaicon

Following up on the discovery of a Java 7 flaw that prompted Apple to disable the software in OS X, Oracle issued a statement saying it is currently working on a fix and released a patch over the weekend.

Oracle released the statement late Friday following a U.S. Department of Homeland Security recommendation that all Java 7 users disable or uninstall the software until a patch was issued, reports Reuters. Taking action on its own, Apple quietly disabled the plugin through its OS X anti-malware system shortly after hearing of the exploit.

The U.S. Department of Homeland Security said that Java’s most-recent vulnerability is being “attacked in the wild, and is reported to be incorporated into exploit kits.”

For its part, Oracle noted in its statement that the flaw only affects the most up-to-date version of Java 7 and Java software designed to run in Internet browsers.

Java and Apple have had a rocky relationship over the past few years, including a move to drop the Java runtime from OS X 10.7 Lion’s default installation when the OS debuted in 2010. Another flaw in Oracle’s internet plugin was responsible for the most widespread Mac malware ever when the “Flashback” trojan reportedly affected some 600,000 OS X machines in April 2012.

Apple continued efforts to deprecate Java from OS X over the past year, culminating in the company’s final official in-house Java update issued in May 2012. From that point, all responsibility for future updates was handed over to Oracle.

Oracle on Sunday released a fix to a Java 7 flaw discovered on Friday. Users can download the release here.

The update requires an Intel-based Mac running Mac OS X 10.7.3 or later to install and run.

From the release notes:
“The fixes in this Alert include a change to the default Java Security Level setting from “Medium” to “High”. With the “High” setting, the user is always prompted before any unsigned Java applet or Java Web Start application is run.”

If you’ve tried the Java update and have any feedback to offer, please let us know in the comments.

Hacker cites iOS 6 code as becoming more secure, offering “tougher protections”

Posted by:
Date: Wednesday, December 26th, 2012, 07:18
Category: iOS, News, security, Software

Hacking an iOS device may be getting tougher to do.

Per iPodNN, in a recent tweet, hacker i0n1c has revealed that the forthcoming iOS 6.1 update adds “again tougher protections” to the codebase even compared to iOS 6, suggesting that security has been dramatically improved.

While many users have perfectly legitimate reasons (beyond just wanting to) for jailbreaking their iOS devices, because the technique relies on finding an exploitable “hole” in the OS code that could also be used for malicious purposes, Apple is naturally very eager to close up avenues by which unofficial or dangerous code could be injected into the device — even though many “unofficial” apps are simply ones that were rejected by Apple for App Store guideline violations, mostly for altering core OS elements.

Closing down jailbreaking loopholes will also close off one of the principle sources of pirated apps, also giving Apple considerable incentive to cut off the practice. Holes in Android code are frequently used to install scamware, malware, privacy-compromising and even virus-ridden apps — a growing problem for Google, though the ability to heavily customize and “root” Android devices is a major selling point to the most technically-proficient of Android’s audience.

The hacker community believes that iOS 6 will eventually get an “untethered” (meaning “persistent through restarts”) jailbreak, but that iOS 6.1 may represent the end of the free jailbreaking road. The security may simply have reached a point where only those likely to sell any remaining exploit secrets are likely to be able to come up with any.

Apple has made security a top priority on iOS, since it is the only platform where malware is all but completely unknown. Many of the security improvements made in iOS have also been transferred to the Mac as applicable, including complete sandboxing of applications and developer “signatures” on apps.

In his tweet, i0n1c refers to a “changing of the guard” that has brought much-improved security to iOS. It’s unknown if this refers to Craig Federighi’s recent promotion to handle both iOS and OS X, or if this is a reference to Kristin Paget, a top white-hat hacker herself who is now listed on LinkedIn as a “Core OS Security Researcher” at Apple.

Stay tuned for additional details as they become available.

iOS 6 security bug in wild, reenables JavaScript under Safari without input from user

Posted by:
Date: Monday, December 24th, 2012, 08:57
Category: News, security, Software

This is the reason bug fixes were invented.

Per AppleInsider the Safari web browser in Apple’s iOS 6 platform has a potentially serious JavaScript bug that could have major security and privacy implications.

The new “Smart App Banner” feature in iOS 6 is designed to allow developers the ability to promote App Store software within Safari. The Smart App Banner detects whether a user has a specific application installed, and invites them to view the software on the App Store or open it on their iOS device.

But for users who choose to turn off JavaScript in the Safari Web browser, the appearance of a Smart App Banner on a website will automatically and permanently turn JavaScript back on without notifying the user.

iOS device owners can test this issue by opening the Settings application and choosing Safari, then turning off JavaScript. Then simply launch the Safari browser and visit a website with a Smart App Banner.

Users can then go back into the Settings application to verify that the JavaScript setting switch has been flipped back to the “on” position without warning. Accordingly, JavaScript features on websites will begin working again.

The issue has reportedly existed since the release of iOS 6 months ago, though it has not been widely reported. In addition, people familiar with the latest beta of iOS 6.1 said the problem also remains in Apple’s pre-release test software on the iPhone.

Peter Eckersley, technology products director with digital rights advocacy group the Electronic Frontier Foundation, said he would characterize such an issue as a “serious privacy and security vulnerability.”

Neither Eckersley nor the EFF had heard of the bug in iOS 6, nor had they independently tested to confirm that they were able to replicate the issue. But Eckersley said that if the problem is in fact real, it’s something that Apple should work to address as quickly as possible.

“It is a security issue, it is a privacy issue, and it is a trust issue,” Eckersley said. “Can you trust the UI to do what you told it to do? It’s certainly a bug that needs to be fixed urgently.”

But Lysa Myers, a virus hunter at security firm Intego, said she doesn’t see the bug as a major concern for the vast majority of iOS device owners.

“While this issue is certainly not an ideal situation, by itself it actually isn’t that large a problem,” said Myers. “At the moment it doesn’t pose a threat, but we’ll continue to monitor it to make sure it doesn’t become more exploitable. There’s also the fact that few people actually disable JavaScript completely as it can partially, or totally, disable the majority of websites.”

Stay tuned for additional details as they become available.

Trojan.SMSSend.3666 goes into the wild, poses as Mac OS X software

Posted by:
Date: Thursday, December 13th, 2012, 08:14
Category: News, security, Software

You should listen to your more paranoid relatives around the holiday dinner table when they say that there’ll always be someone trying to run a scam on someone else.

Just because they’re paranoid doesn’t make them wrong.

Per CNET, Russian security firm Dr. Web has uncovered another malware attempt on OS X systems that tries to exploit users with SMS fraud.

The new malware is a Trojan horse, dubbed “Trojan.SMSSend.3666,” and is part of a family of Trojan malware for Windows and other platforms that have affected Windows users for years.

As with all Trojans, these pose as legitimate programs that are made available for download from a number of underground Web sites, with this current one for OS X appearing to be an installer for a program called VKMusic 4, a utility whose legitimate version is used for communication between machines on a European social network called VK.

During its installation, the malware triggers an SMS fraud routine where it asks users to enter cell phone numbers, then sends them SMS messages to confirm, which then subscribes the users to a scam that charges high fees for junk messages being sent to their phones.

Unlike recent malware targeted at OS X, this one is not a Java-based attempt to hack the system and install dropper programs that open backdoor access to the system. This one is built as a Mach-O binary that uses the OS X native runtime; however, this change does not alter the threat level significantly. Since the malware is distributed through underground means and requires specific user interaction both to install, and then subsequently and knowingly provide private information, it is a relatively minimal threat.

However, despite its slight impact, it does add yet another instance to the relatively short list of malware for OS X as compared to those for Windows and other platforms.

As with other recent malware for OS X, this one appears to be built specifically to fool those that use the European VK social network, as opposed to being a more widespread attempt, as was seen with the “MacDefender” malware.

Apple’s current XProtect malware definitions have not yet been updated to identify this new scourge, but as it gets analyzed and identified by security firms, the definitions will spread out for various anti-malware utilities. However, overall the main security tips emphasized by this development are to first check where any installer for your system came from, and then be cautious about giving out personal information including phone numbers and addresses. This is especially true for any installer you downloaded from a site that is not directly from the developer itself.

Stay tuned for additional details as they become available.

Adobe releases Flash Player 11.6.602.108 update

Posted by:
Date: Thursday, December 13th, 2012, 07:11
Category: News, security, Software

adobelogo

On Monday, Adobe released Flash Player 11.6.602.108 for Mac OS X, a 11.9 megabyte download via MacUpdate. The new version is for Adobe Flash Player 11.6.602.108 and earlier versions and adds the following fixes and changes:

- Bug fixes related to security, stability, performance, and device compatibility.

Full release notes are available here and the new version requires an Intel-based Mac running Mac OS X 10.6 or later to install and run.

If you’ve tried the new Flash Player and have any feedback to offer, please let us know in the comments.

Apple hires Kristin Paget to help strengthen OS X’s security protocols

Posted by:
Date: Friday, December 7th, 2012, 07:59
Category: News, security, Software

applelogo_silver

If you’re going to be a target for hackers, you might want to hire someone with extensive experience for a company that’s long been a target…

Per Wired, tt was discovered on Thursday that famed hacker and former Microsoft employee Kristin Paget is now working for Apple as a core operating system security researcher, suggesting the Cupertino company is beefing up OS X safeguards amid recent Mac-directed malware attacks.

When employed by Microsoft, Paget worked alongside a small team of hackers tasked to find security holes in Windows Vista before the OS was released to the public in 2007. The group apparently found so many flaws that Vista’s launch date was pushed back while fixes were put in place.

According to her LinkedIn profile, as of September, Paget is listed as being a “Core OS Security Researcher at Apple” based out of Cupertino. Previously, she held the position of chief hacker at security firm Recursion Ventures, but said in June that she wanted to find a job building “security-focused hardware.”

Paget, formerly known as Chris Paget, gained notoriety for a number of hacker feats of strength, including a cellphone call-intercepting station at the Defcon hacker conference and a long-range RFID identifier duplication device.

While the hacker’s responsibilites at Apple remain unknown, it can be speculated that she will be working to thwart future attacks like the Flashback trojan that affected an estimated 600,000 Macs in April. Most recently, a piece of Mac-targeted malware similar to Flashback was found embedded in a webpage dedicated to the Dalai Lama.

“Dockster” trojan for the Mac goes into the wild, plays on the same Java vulnerability as “Flashback”

Posted by:
Date: Tuesday, December 4th, 2012, 08:57
Category: News, security, Software

Ok, this shouldn’t be happening again.

Per F-Secure, a new piece of malware that takes advantage of a well-documented Java vulnerability has been found on a website dedicated to the Dalai Lama, with the trojan able to install itself on an unwitting Mac user’s computer to capture keystrokes and other sensitive data.

Dubbed “Dockster,” the malware was first found by antivirus and security firm Intego to have been uploaded to the VirusTotal detection service on Nov. 30. At the time of its discovery, the remote address associated with trojan was not active, possibly indicating that the code’s creators were testing whether it would be detected, but as of this writing the malicious code is now “in the wild.”

Similar to the Flashback exploit from September 2011, Dockster leverages the same Java vulnerability to drop the backdoor onto a Mac, which then executes code to create an agent that feeds keylogs and other sensitive information to an off-site server.

In the case of Flashback, which was also discovered by Intego, a reported 600,000 Macs were affected before both Apple and Oracle released a Java patches to remove the malware and protect against future attacks.

Although the newly-found Dockster takes advantage of an already fixed weakness, users who haven’t yet updated their Macs or are running older software may still be at risk.

In which case, try to ensure that your friends and family with older, pre-OS X 10.6 software are up to date and be careful out there.

Twitter sends out e-mails to significant number users needing passwords on “compromised accounts”

Posted by:
Date: Thursday, November 8th, 2012, 07:40
Category: News, security, Software

If you found that your Twitter password was reset, there’s a valid reason for it.

Per CNET and the TweetSmarter blog, an unknown number of Twitter users have received a genuine e-mail from the company warning they should change their password as soon as possible.

In the e-mail, the microblogging company noted: “Twitter believes that your account may have been compromised by a website or service not associated with Twitter. We’ve reset your password to prevent others from accessing your account.”

The company did not say in the e-mail that there has been a hack, a breach of data, or anything out of the ordinary, however. At this stage, it’s unclear how many have been affected or what’s caused the mass e-mailing of its users.

A post on Wednesday noted that in some cases when “large numbers of Twitter accounts have been hijacked,” the company sends out these e-mails en masse, even sending messages to accounts that may not have been affected by any hack or hijack to err on the side of caution.

So far, a few high profile accounts have noted interference, including David Mitchell, who said:

“Got an e-mail from twitter telling me that my password had to be changed because they thought my account had been hacked,” adding in another tweet: “So I’ve changed it, but the only evidence of hacking I can find is that my tweet about my Observer column last Sun has disappeared. Weird.”

Stay tuned for additional details as they become available.

Google Chrome updated to 23.0.1271.64

Posted by:
Date: Wednesday, November 7th, 2012, 08:53
Category: News, security, Software

google-chrome-logo

It’s the bug fixes that make a difference.

Late Tuesday, Google released a beta of version 23.0.1271.64 of its Chrome web browser. The update, a 56.5 megabyte download, adds the following fixes and changes:

- Medium CVE-2012-5127: Integer overflow leading to out-of-bounds read in WebP handling. Credit to Phil Turnbull.

- High CVE-2012-5116: Use-after-free in SVG filter handling. Credit to miaubiz.

- [Mac OS only] [149717] High CVE-2012-5118: Integer bounds check issue in GPU command buffers. Credit to miaubiz.

- High CVE-2012-5121: Use-after-free in video layout. Credit to Atte Kettunen of OUSPG.

- Low CVE-2012-5117: Inappropriate load of SVG subresource in img context. Credit to Felix Groebert of the Google Security Team.

- Medium CVE-2012-5119: Race condition in Pepper buffer handling. Credit to Fermin Serna of the Google Security Team.

- Medium CVE-2012-5122: Bad cast in input handling. Credit to Google Chrome Security Team (Inferno).

- Medium CVE-2012-5123: Out-of-bounds reads in Skia. Credit to Google Chrome Security Team (Inferno).

- High CVE-2012-5124: Memory corruption in texture handling. Credit to Al Patrick of the Chromium development community.

- Medium CVE-2012-5125: Use-after-free in extension tab handling. Credit to Alexander Potapenko of the Chromium development community.

- Medium CVE-2012-5126: Use-after-free in plug-in placeholder handling. Credit to Google Chrome Security Team (Inferno).

- High CVE-2012-5128: Bad write in v8. Credit to Google Chrome Security Team (Cris Neckar).

Google Chrome 23.0.1271.64 requires an Intel-based Mac with Mac OS X 10.5 or later to install and run. If you’ve tried the new version and have any feedback to offer, please let us know in the comments.