Adobe releases Flash Player 11.4.402.287 update

Date: Monday, October 8th, 2012, 08:33
Category: News, security, Software

On Monday, Adobe released Flash Player 11.4.402.287 for Mac OS X, an 11.9 megabyte download via MacUpdate. The new version is an update for users of Adobe Flash Player 11.4.402.265 and earlier versions and adds the following fixes and changes:

– Fixes for critical vulnerabilities identified in Security Bulletin APSB12-22.

Flash Player 11.4.402.287 requires an Intel-based Mac running Mac OS X 10.6 or later to install and run.

If you’ve tried the new version and have any feedback, please feel free to hurl your two cents in via the comments.

Apple releases Java for Mac OS X 10.6 Update 10, Java for OS X Lion 2012-005

Date: Thursday, September 6th, 2012, 06:18
Category: News, security, Software

If there’s a Java update out there, it might be worth snagging.

Per the cool cats at The Mac Observer, Apple updated Java for OS X Lion and Mountain Lion Wednesday with the release of Java for OS X 2012-005 along with the release of Apple Java for Mac OS X 10.6 Update 10. The updates, which vary in terms of download size given the version used, tweak Java controls by automatically turning the Java plugin off when no Java applets have been run for an extended period of time.

Apple’s patch notes also specify that if users hadn’t installed the previous version of Java (Java for OS X Lion 2012-004), the Java plugin will be disabled immediately.

The releases add the following fixes and changes:

– Delivers improved security, reliability, and compatibility by updating Java SE 6 to 1.6.0_35.

The updates can be located, snagged and installed with Mac OS X’s Software Update feature.

Java for Mac OS X 10.6 Update 10 requires an Intel-based Mac running Mac OS X 10.6 or later to install and run while the Java for OS X Lion 2012-005 update requires an Intel-based Mac running Mac OS X 10.7 or later to install and run.

If you’ve tried the updates and have any feedback to offer, please let us know in the comments.

Oracle releases patch for Java 1.7, works to close hole on discovered security flaw

Date: Friday, August 31st, 2012, 06:33
Category: News, security, Software

With any luck, the patch fixed the issue.

Per AppleInsider, Oracle on Thursday released a patch for the Java 1.7 runtime, plugging a recently discovered security hole that allowed malware to take over any operating system when a user visits a malicious website.

In an update to its “CVE-2012-4681” security alert, Oracle addressed three separate vulnerabilities and one “security-in-depth” issue affecting Java 7.

It was reported on Monday that a new zero-day exploit had been discovered and proven to be effective within the Java 1.7 runtime, which includes the latest Java 7 update, in browsers on any operating system.

According to researchers, the flaw allows malware to breach the security of a Mac or PC by having a user visit a compromised website hosting the attack code. Because Java came bundled with older versions of OS X like Leopard or Snow Leopard, Macs running the legacy software are potentially more vulnerable to the attack than those with the latest 10.8 Mountain Lion.

Apple removed Java from OS X last year with the release of 10.7 Lion after a security flaw in Oracle’s software allowed the infamous Flashback trojan to affect a reported 600,000 Macs. As a safety precaution, users must now authenticate browser requests to download and install Java, proactively blocking potential exploits.

From Oracle’s alert:
“If successfully exploited, these vulnerabilities can provide a malicious attacker the ability to plant discretionary binaries onto the compromised system, e.g. the vulnerabilities can be exploited to install malware, including Trojans, onto the targeted system. Note that this malware may in some instances be detected by current antivirus signatures upon its installation.”

The patch for Java 1.7 can be downloaded directly from Oracle’s java.com web site, while more information about the security issues can be found at the company’s security page.

Stay tuned for additional details as they become available.

Opera web browser updated to 12.02, now available

Date: Friday, August 31st, 2012, 06:34
Category: News, Software

Late Thursday, Opera Software released version 12.02 of its web browser. The new version, a 28.2 megabyte download via MacUpdate, boasts the following fixes and changes:

General and User Interface:
– Several general fixes and stability improvements.

– Resolved an issue with Speed Dial thumbnails when automatic scaling is enabled.

Security:
– Fixed an issue where truncated dialogs may be used to trick users; see our advisory.

Opera 12.02 is available for free and requires an Intel-based Mac running Mac OS X 10.5 or later to install and run.

Analyst: Java 1.7 zero-day less likely to affect Mac users due to lack of current installed base on platform

Date: Wednesday, August 29th, 2012, 07:53
Category: News, security

Yesterday, we posted as to a new Java vulnerability that could open the gates for additional malware on the Mac.

Today, there’s some better news regarding this.

Per The Unofficial Apple Weblog, online backup service CrashPlan co-founder Matthew Dornquist had the following to offer about the new Java vulnerability and what it could mean for the Mac.

In a recent study of a random sample of 200K recent users, Dornquist’s numbers showed that the overwhelming majority of CrashPlan’s Mac users are on Java 1.6 (92%) and a small minority on the older 1.5 version. The percentage on the 1.7 version targeted by the malware? Approximately zero.

Research shop FireEye identified a Java zero-day exploit this weekend that is already targeting fully patched versions of the Java JRE version 1.7 running on Windows machines. The exploit attempts to install a dropper executable (Dropper.MsPMs) on the machines it attacks. In theory, a separate dropper could be crafted to attack Mac or Linux systems, although none has yet been observed in the wild.

That’s a reason for Mac users to rest a little more easily, but it’s not the big one. As noted by CNET, the vulnerable edition of the JRE — 1.7 — isn’t installed by default in a stock configuration of OS X. The Java that Apple delivers on Snow Leopard, Lion and Mountain Lion is JRE 1.6 (and on Lion and Mountain Lion, it’s only installed on demand when needed to run Java applications); in order to be on 1.7 and be theoretically susceptible, you’d have to install the Oracle beta build manually.

If you did install the Oracle build and you’re concerned about the new exploit, you can disable the Java plugin in each of your browsers individually, or uninstall 1.7 entirely. While it bears repeating that there is no evidence of a Mac payload for this exploit at this time, if you don’t have a specific reason to run the new version then it’s probably safest to stick with JRE 1.6 instead (or turn off Java completely if you don’t need it). In response to past exploits including Flashback, Apple’s Java web plugin is now set to auto-disable when it isn’t used for some time, further reducing the attack surface for Mac users.

So, yeah, try to avoid manually updating to Java 1.7 on your Mac until this is sorted out and we’ll have additional details as they become available.

Java vulnerability discovered, researchers warn of potential new malware for Mac OS X platform

Date: Tuesday, August 28th, 2012, 06:53
Category: News, security, Software

You’ll never lack a job in IT security…

Per Computerworld, researchers announced on Monday that hackers are taking advantage of a zero-day vulnerability in Oracle’s Java 7, with the newly discovered flaw able to exploit any platform, including Apple’s OS X.

According to Tod Beardsley, engineering manager for open-source testing framework Metasploit, hackers can use the bug to compromise any system through a web browser running the latest Java software.

While there have yet to be reports of the new exploit affecting Macs, Errata Security confirmed the Metasploit exploit is effective against the latest Java 1.7 runtime on Apple’s latest OS X 10.8 Mountain Lion.

Mac users running older versions of OS X, like Snow Leopard or Leopard, could be more vulnerable as those operating systems came bundled with Java; however, the new exploit is actually in Oracle’s latest software, dubbed “Update 6.”

“The vulnerability is not in Java 6, it’s in new functionality in Java 7,” said Beardsley.

He went on to call the bug “super dangerous” and said a potential piece of malware can feasibly compromise the security of a Mac by simply having a user visit a website that is host to the attack code. This means both purpose-built malicious sites as well as those which have been hacked can compromise a system.

“What is more worrisome is the potential for this to be used by other malware developers in the near future,” said antivirus vendor Intego. “Java applets have been part of the installation process for almost every malware attack on OS X this year.”

As Oracle has not yet released a patch for the exploit, Beardsley recommends users disable Java until one is pushed out.

Mac users can visit Java’s site here to check if they have the 1.7 runtime installed. Alternately, the “Java Preferences” application can also be used to make sure the software is disabled.

The new flaw is the latest in a number of security holes found in Java code on OS X, including the infamous Flashback trojan that reportedly affected some 600,000 Macs worldwide. Apple released a removal tool specifically tailored for the malware, later disabling the Java runtime in subsequent versions of Safari. Java was removed from OS X when Lion was released last year, forcing users to authorize a browser request to download and install the software if an applet for the runtime appears.

Stay tuned for additional details as they become available.

Apple advocates use of iMessage in wake of SMS bug discovery

Date: Monday, August 20th, 2012, 07:11
Category: iPhone, News, security, Software

Ok, this is going to require a fix.

Following a discovery last week wherein Pod2G uncovered an SMS flaw in iOS that lets someone send a spoofed SMS (in this scenario, the SMS would appear to be from a trusted source, but the response would actually be sent to someone else), the cool cats at Engadget reached out to Apple for comment and received the following reply:

“Apple takes security very seriously. When using iMessage instead of SMS, addresses are verified which protects against these kinds of spoofing attacks. One of the limitations of SMS is that it allows messages to be sent with spoofed addresses to any phone, so we urge customers to be extremely careful if they’re directed to an unknown website or address over SMS.”

Stay tuned for additional details as they become available and with any luck, a fix should be en route soon.

Adobe releases Flash Player 11.3.300.271 update

Date: Tuesday, August 14th, 2012, 15:39
Category: News, security, Software

Late Wednesday, Adobe released Flash Player 11.3.300.271 for Mac OS X, an 11.6 megabyte download via MacUpdate. The new version adds a slew of security fixes outlined here.

Flash Player 11.3.300.271 requires an Intel-based Mac running Mac OS X 10.6 or later to install and run.

If you’ve tried the new version and have any feedback, please feel free to hurl your two cents in via the comments.

Adobe Reader, Adobe Acrobat Pro updated to 10.1.4

Date: Tuesday, August 14th, 2012, 14:20
Category: News, Software

On Tuesday, Adobe released version 10.1.4 of its Adobe Reader and Adobe Acrobat Pro applications. The updates, which can also be snagged through the Adobe Update Utility, add the following fixes and changes:

– This is a regular quarterly update that provides security mitigations, feature enhancements, and bug fixes.

– Added support for Mac OS X 10.8.

– Safari 5.1 for 10.6.8-10.7, Safari 6.0 for 10.8.

Acrobat Reader 10.1.4 and Acrobat Pro require an Intel-based processor and Mac OS X 10.5.8 or later to install and run.

If you’ve tried the new versions and noticed any differences, please let us know what you think.

Opera web browser updated to 12.01

Date: Thursday, August 2nd, 2012, 06:02
Category: News, Software

On Thursday, Opera Software released version 12.01 of its web browser. The new version, a 26.9 megabyte download, boasts the following fixes and changes:

Several general fixes and stability improvements:
– Website thumbnail memory usage improvements.

– Address bar inline auto-completion no longer prefers shortest domain.

– Corrected an error that could occur after removing the plugin wrapper.

– Resolved an issue where favicons were squeezed too much when many tabs were open.

– Fixed a problem where the Adobe PDF plugin is picked up and used by Opera.

Display and Scripting:
– Resolved an error with XHR transfers where content-type was incorrectly determined.

– Improved handling of object literals with numeric duplicate properties.

– Changed behavior of nested/chained comma expressions: now expressing and compiling them as a list rather than a tree.

– Aligned behavior of the #caller property on function code objects in ECMAScript 5 strict mode with the specification.

– Fixed an issue where input type=month would return an incorrect value in its valueAsDate property.

– Resolved an issue with JSON.stringify() that could occur on cached number conversion.

– Fixed a problem with redefining special properties using Object.defineProperty().

Network and Site-Specific:
– Fixed an issue where loading would stop at “Document 100%” but the page would still be loading.

– tuenti.com: Corrected behavior when long content was displayed.

– https://twitter.com: Fixed an issue with secure transaction errors.

– Fixed an issue with Google Maps Labs that occurred when compiling top-level loops inside strict evals.

– Corrected a problem that could occur with DISQUS.

– Fixed a crash occurring on Lenovo’s “Shop now” page.

– Corrected issues when calling window.console.log via a variable at watch4you.

– Resolved an issue with Yahoo! chat.

Mail, News, Chat:
– Resolved an issue where under certain conditions the mail panel would continuously scroll up.

– Fixed a crash occurring when loading mail databases on startup.

Security:
– Re-fixed an issue where certain URL constructs could allow arbitrary code execution, as reported by Andrey Stroganov; see our advisory.

– Fixed an issue where certain characters in HTML could incorrectly be ignored, which could facilitate XSS attacks; see our advisory.

– Fixed another issue where small windows could be used to trick users into executing downloads as reported by Jordi Chancel; see our advisory.

– Fixed an issue where an element’s HTML content could be incorrectly returned without escaping, bypassing some HTML sanitizers; see our advisory.

– Fixed a low severity issue, details will be disclosed at a later date.

Opera 12.01 is available for free and requires an Intel-based Mac running Mac OS X 10.5 or later to install and run.