Researcher draws attention to long-standing security vulnerability in OS X operating systems

Posted by:
Date: Thursday, August 29th, 2013, 10:19
Category: News, security, Software

After five months, it might be time to fix this sucker…

Per mitre.org and Ars Technica, an unaddressed bug in Apple’s Mac OS X discovered five months ago allows hackers to bypass the usual authentication measures by tweaking specific clock and user timestamp settings, granting near-unlimited access to a computer’s files.

While the security flaw has been around for nearly half a year, a new module created by developers of testing software Metasploit makes it easier to exploit the vulnerability in Macs.

The bug revolves around a Unix program called sudo, which allows or disallows users operational access based on privilege levels. Top-tier privileges grant access to other users’ files, though that level of control is password protected.

Instead of inputting a password, the flaw works around authentication by setting a computer’s clock to Jan. 1, 1970, or what is referred to as the Unix epoch. Unix time starts at zero hours on this date and is the basis for calculations. By resetting a Mac’s clock, as well as the sudo user timestamp, to epoch, time restrictions and privilege limitations can be bypassed.
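A simplified model of the timestamp check described above, added here as an illustration; it is not sudo's source code or code from the article. The five-minute grace period, the function names and the sample clock values are assumptions constructed for the example.

```python
# Simplified model of a sudo-style "recently authenticated" check.
# Illustrative only: not sudo's source; names and values are assumptions.

TIMEOUT = 5 * 60  # assumed grace period, in seconds


def naive_ticket_valid(now, ticket_mtime, timeout=TIMEOUT):
    """Flawed check: trusts any ticket whose apparent age is within the
    grace period, so it depends entirely on an honest system clock."""
    return 0 <= now - ticket_mtime <= timeout


def hardened_ticket_valid(now, ticket_mtime, timeout=TIMEOUT):
    """Hardened check: a ticket stamped at the Unix epoch is treated as
    revoked no matter what the clock reads; tickets dated in the future
    are rejected by the lower bound on the age."""
    if ticket_mtime <= 0:
        return False
    return 0 <= now - ticket_mtime <= timeout


# Constructed cases: (label, clock reading, ticket timestamp), Unix seconds.
CASES = [
    ("fresh ticket, normal clock", 1377771540, 1377771400),
    ("expired ticket, normal clock", 1377771540, 1377760000),
    ("ticket at epoch, normal clock", 1377771540, 0),
    ("ticket at epoch, clock at epoch", 30, 0),
]


def compare():
    """Return {label: (naive_result, hardened_result)} for every case."""
    return {
        label: (naive_ticket_valid(now, mtime),
                hardened_ticket_valid(now, mtime))
        for label, now, mtime in CASES
    }


if __name__ == "__main__":
    for label, (naive, hardened) in compare().items():
        print(f"{label:34} naive={naive!s:5} hardened={hardened}")
```

Only the last case differs: with both the clock and the ticket at epoch, the naive check sees a 30-second-old ticket and skips the password prompt, while the hardened check still demands authentication.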

“The bug is significant because it allows any user-level compromise to become root, which in turn exposes things like clear-text passwords from Keychain and makes it possible for the intruder to install a permanent rootkit,” said H.D. Moore, founder of the open-source Metasploit and chief research officer at security firm Rapid7.

Macs are especially vulnerable to the bug as OS X does not require a password to change these clock settings. As a result, all versions of the operating system from OS X 10.7 to the current 10.8.4 are affected. The same problem exists in Linux builds, but many of those iterations password protect clock changes.

While powerful, the bypass method has limitations. In order to implement changes, an attacker must already be logged in to a Mac with administrator privileges and have run sudo at least once before. As noted by the National Vulnerability Database, the person attempting to gain unauthorized privileges must also have physical or remote access to the target computer.

Apple has yet to respond or issue a patch for the bug.

“I believe Apple should take this more seriously but am not surprised with the slow response given their history of responding to vulnerabilities in the open source tools they package,” Moore said.

Stay tuned for additional details as they become available.

Parallels Desktop 9 announced, adds cloud support, Windows 8 Start button, other new features

Posted by:
Date: Thursday, August 29th, 2013, 09:47
Category: News

Parallels announced its Parallels Desktop 9 for Mac client today, the new version of the virtualization software offering the following set of fixes and features:
- Cloud storage optimizations for iCloud, Dropbox, Google Drive and SkyDrive.

- Support for OS X Launchpad in Windows applications

- Enhanced support for Apple’s forthcoming OS X 10.9 Mavericks.

- Incorporates the familiar Start menu and Windows Start button for Windows 8 users.

- Extends the OS X PowerNap feature to Windows and Windows applications.

- Allows Mountain Lion Dictionary gesture compatibility in Windows apps.

- Allows users to connect Thunderbolt and FireWire devices to either their Mac or virtual machine, just like with USB.

- Enhances the virtual machine wizard, making it easier to create new systems by automatically locating operating systems on a Mac. Users can also manually select a range of media types to install.

- 40 percent better disk performance than the previous version.

- Virtual machines shut down up to 25 percent faster than the previous version.

- Virtual machines suspend up to 20 percent faster than the previous version.

- 3D graphics and web browsing are 15 percent faster than the previous version.

- A new Security Center in Parallels Desktop 9 is said to make it easier to ensure that files are secure, both on the Mac and in a Windows virtual machine.

- In addition, Parallels Desktop 9 comes with a six-month subscription to Parallels Access for iPad, announced earlier this week. That new software allows customers to remotely access and experience Windows and Mac applications as if they were designed for Apple’s iPad.

- Mac gestures inside Windows apps: Parallels Desktop now includes the addition of the Dictionary lookup gesture in Windows applications.

- PDF printer for Windows: Lets people print from any Windows application to a PDF on the Mac desktop, even if the application doesn’t have that functionality.

- Sticky multi-monitor setup: When using Windows in Full Screen mode and connecting to an external monitor, Parallels Desktop will remember settings and put the Windows virtual machine back in full screen mode on the remote monitor.

- Custom keyboard: Editable keyboard shortcuts help customize the Windows experience.

- Linux guest integration: Parallels Desktop customers who use Linux now have additional and enhanced integration with the Mac OS.

Parallels Desktop 9 for Mac will become broadly available for purchase next Thursday, Sept. 5. It is now available as a US$50 upgrade for legacy Parallels users, and a free upgrade for those who recently bought Parallels Desktop 8.

Thursday’s launch of Parallels Desktop 9 is available for existing customers for US$49.99, while those who recently purchased may be eligible for a free upgrade. Customers who buy Parallels Desktop 8 today will also be eligible to upgrade to the new version at no additional charge.

Stay tuned for additional details as they become available.

Parallels Access debuts, brings Parallels features to iPad

Posted by:
Date: Wednesday, August 28th, 2013, 06:28
Category: iOS, iPad, News, Software

You can’t knock a company that also goes in a subscription-based direction.

Per AppleInsider, Parallels, the company known for its virtualization software, rolled out a new iPad app and subscription service on Tuesday called Parallels Access that promises to run both Mac and PC programs on Apple’s tablet with near-native performance.

With Parallels Access, the company has built a completely new way to naturally interact with desktop applications on an iPad. A number of developers have fielded similar apps that promise full remote control functionality from Apple’s tablet, but many resort to clunky interfaces that draw users out of the “iPad experience.”

Unlike other apps, Access offers the full gamut of iPad gestures, with taps, swipes and pinches all supported by almost any desktop program. To bridge the gap between computer and tablet, the system translates mouse clicks and movement into iPad-friendly gestures.

Parallels claims its new product can handle a variety of tasks, including business programs, streaming video and even games. Internet speeds are supposedly a non-factor, though degradation may be expected when connecting over cellular networks.

The system is actually split into two parts: the iOS app and a Mac or PC client that runs on the host computer. Access authenticates via a Parallels account and links the two devices with a 256-bit AES secured SSL connection.

At the heart of Access is the App Launcher, which is basically a Springboard-like layout of compatible desktop applications. Programs can be added or deleted from this view in much the same way as iOS.

The App Switcher seamlessly moves users between programs, a necessary tool since Access only works in “full screen” mode. Parallels calls this method “applifying.”

Navigating within running programs is an intuitive experience thanks to the combination of SmartTap and the iOS magnifying glass. SmartTap is a contextual cursor control that, in tandem with magnifying glass, allows users to perform advanced mouse actions like drag and drop.

One difficult maneuver that many VNC and other remote desktop apps have trouble with is scrolling. Access’ gesture translation engine doesn’t appear to suffer from the same problems, making in-window navigation less of a chore.

The app’s keyboard is also tweaked from the standard iOS version, offering users dedicated keys for functions, arrows, and even the “Windows” button.

Those interested can try Parallels Access for free for 14 days on a Mac and 90 days on a Windows machine. Subscription pricing is set at US$79.99 per year for each computer running a registered client. The iPad app and Mac or PC clients can be downloaded for free from the App Store and Parallels’ webpage, respectively.

Apple releases Digital Camera Raw Compatibility Update 4.08

Posted by:
Date: Friday, August 23rd, 2013, 07:12
Category: News, Software

Late Thursday, Apple posted its Digital Camera Raw Compatibility Update 4.08, an update designed to extend RAW image compatibility for the Aperture 3 and iPhoto ’11 applications.

The update, a 6.9 megabyte download, adds support for the following cameras:
- Canon EOS 70D

- Fujifilm X-M1

- Leica M

- Leica M Monochrome

- Nikon COOLPIX P330

- Pentax 645D

- Sony Cyber-shot DSC-RX1R

- Sony Cyber-shot DSC-RX100 II

The update requires an Intel-based Mac running Mac OS X 10.7.5 or later to install and run and is also available via Mac OS X’s built-in Software Update feature.

If you’ve tried the new Digital Camera RAW update and noticed any changes, please let us know how it went.

Drive Genius updated to 3.2.3

Posted by:
Date: Friday, August 23rd, 2013, 07:11
Category: News, Software

Prosoft Engineering has released Drive Genius 3.2.3, an updated version of its drive repair and recovery program for Mac OS X.

The new version, a 15.2 megabyte download, offers the following fixes and changes:

- Bug fixes.

Drive Genius retails for US$99 and requires an Intel-based Mac running Mac OS X 10.6.7 or later to install and run.

If you’ve tried the new version and have any feedback to offer, let us know in the comments.

Google Chrome updated to 29.0.1547.57

Posted by:
Date: Wednesday, August 21st, 2013, 07:05
Category: News, Software

On Tuesday, Google released version 29.0.1547.57 of its Chrome web browser. The update, a 51.5 megabyte download, adds the following fixes and changes:
- Improved Omnibox suggestions based on the recency of sites you have visited.

- Ability to reset your profile back to its original state.

- Many new apps and extensions APIs.

Lots of stability and performance improvements:
- Incomplete path sanitization in file handling.

- Information leak via overly broad permissions on shared memory files.

- Integer overflow in ANGLE.

- Use after free in XSLT.

- Use after free in media element.

- Use after free in document parsing.

- Various fixes from internal audits, fuzzing and other initiatives.

Google Chrome 29.0.1547.57 requires an Intel-based Mac with Mac OS X 10.6 or later to install and run. If you’ve tried the new version and have any feedback to offer, please let us know in the comments.

Firefox updated to 23.0.1

Posted by:
Date: Monday, August 19th, 2013, 07:41
Category: News, Software

You can’t turn down a helpful web browser update.

On Friday, Mozilla.org released version 23.0.1 of its Firefox web browser. The new version, a 44.4 megabyte download via MacUpdate, adds the following fixes and changes:
- [Fixed] Spellchecking broken with non-ASCII characters in profile path.

- [Fixed] Audio static/”burble”/breakup in Firefox to Firefox WebRTC calls.

Firefox 23.0.1 requires an Intel-based Mac running Mac OS X 10.6 or later to install and run.

If you’ve tried the new version and have any feedback to offer, please let us know in the comments.

Apple releases iTunes 11.0.5 update

Posted by:
Date: Monday, August 19th, 2013, 06:22
Category: News, Software

You can’t really argue against a substantial iTunes bug fix.

Late Friday, Apple released version 11.0.5 of its iTunes multimedia/jukebox application. The new version, a 196.6 megabyte download, adds the following fixes and changes:

- Corrected an issue with iTunes in the Cloud, where some purchases may download or play unexpected items.

iTunes 11.0.5 requires an Intel-based Mac running Mac OS X 10.6.8 or later to install and run.

If you’ve tried the new version and have any feedback, please let us know in the comments.

Adobe releases Flash Player 11.8.800.146 beta

Posted by:
Date: Friday, August 16th, 2013, 09:19
Category: News, security, Software

When in doubt, there’s always the public beta to make things a bit better.

On Thursday, Adobe released Flash Player 11.8.800.115 for Mac OS X, an 18 megabyte download via MacUpdate. The new version adds the following fixes and changes:

- Includes new features as well as enhancements and bug fixes related to security, stability, performance, and device compatibility.

The Adobe Flash Player 11.8.800.146 beta requires an Intel-based Mac running Mac OS X 10.6 or later to install and run.

If you’ve tried the new Flash Player and have any feedback to offer, please let us know in the comments.

CrossOver updated to 12.5

Posted by:
Date: Tuesday, August 13th, 2013, 10:44
Category: News, Software

You can’t knock an appreciable update.

CrossOver, the popular virtualization program from CodeWeavers, has been updated to version 12.5. The new version, an 84.9 megabyte download available as a demo, offers the following fixes:

WHAT’S NEW:
- Drag and Drop.

- System Tray Icons in the Mac Menu Bar.

- Shaped windows and transparency.

- Better mouse handling for many games.

- Support for command-tab switching in full-screen mode.

- Better integration with the OS X Dock, and features such as Expose and Spaces.

- Better international keyboard support.

- Improved clipboard (cut and paste) support.

- Support for mice with more than three buttons.

- Fixes for many window ordering problems.

- Force-feedback joysticks are supported.

- Improved input method support for non-Latin characters.

Application Support:
Microsoft Outlook:
- Microsoft Outlook will now maintain its connection when the computer sleeps or the network configuration changes.

- Improved auto-discovery for Exchange account setup.

- Outlook will no longer crash if the Exchange server is unavailable.

- Fixed a crash when editing contacts.

- Right-click to format will now work.

- Improved NTLM authentication – you can now change your password if you have ‘smbpasswd’ installed.

- Improved SharePoint list display in profile.

- Characters can now be inserted from the character palette.

- Fixed printing of calendar items.

- Attachment preview will now work.

- Outlook Today can now be customized.

- Phone numbers now accept a ‘+’ character for international notation.

Microsoft Excel:
- Fixed a crash when copying a worksheet.

- Improved macro support.

- Fixed a problem opening read-only files.

- Fixed garbage when opening xlsx documents.

Quicken:
- Fixed display of help topics in Quicken 2012.

- Fixed a bug in the ‘Change Assumptions’ function of Quicken 2013.

Internet Explorer 7:
- More web sites will now work.

- Fixed a bug which sometimes caused failure during installation.

- Fixed a crash in the print dialog.

World of Tanks:
- Fixed a crash connecting to the server on certain Macs.

- Fixed a crash when zooming in on targets.

Microsoft Office:
- Fixed problems in which drop-down menus could not be dismissed.

- Microsoft Office 2010 Simplified Chinese Edition will now install.

- Fixed a bug which caused Microsoft Office 2007 to fail to install on some machines.

- Fixed an installation conflict between .Net 4.0 and DirectX 9.

- Fixed an installation problem with Microsoft Money 2001.

- Fixed an issue where Microsoft Visio 2010 would not open .vxd files.

- Fixed installation problems with .Net 3.5.

- Fixed graphical glitches in Wizard101.

- Fixed problems with the patcher in Pirate101.

- Fixed a crash on login in Starcraft II.

- Fixed crashes on install of Rift’s Storm Legion expansion.

- Fixed Rift graphics bugs on Nvidia hardware.

- Fixed various errors in ChemSketch 12.

- Fixed a crash in Baseball Mogul 2013 and 2014.

Other Improvements:
- CrossOver 12.5.0 is based on the new stable Wine 1.6 release. This includes innumerable fixes for various Windows applications.

- CrossOver can be configured for compatibility with Windows 7.

CrossOver 12.5 retails for US$59.95 and requires Mac OS X 10.6 or later and an Intel-based Mac to install and run.

If you’ve tried the new version and have any feedback to offer, please let us know in the comments.