
Posts tagged ‘Safari’

3
Apr

Flashback Malware Exploiting Unpatched Java on Macs [Updated]

There’s a piece of Mac malware, known as ‘Flashback’, that’s going around and takes advantage of a Java vulnerability in order to compromise and infect Macs online. Although the vulnerability isn’t Mac-specific, and was patched back in February, Apple has yet to distribute that update to everyone via Software Update, leaving everyone vulnerable.

Apparently the team behind this malware is quite efficient at updating it, and so they have been successful in spreading it around. Lion doesn’t come with Java by default, so unless you’ve manually installed it, you’re safe. If you have installed Java on Lion however, I don’t know yet whether Lion’s built-in anti-malware is being updated quickly enough to keep up with the new malware variants (although I highly doubt it).

If you are running Snow Leopard (or earlier), or Lion with a manually-installed Java, then the best thing to do is disable it. The majority of web users do not need Java on a regular basis. I recommend disabling Java system-wide by going to Applications > Utilities > Java Preferences and then unchecking all the checkboxes in the General tab. If you use Safari to browse, you can disable Java by going to Safari > Preferences > Security and unchecking ‘Enable Java’.

Keep an eye out for an upcoming Java update from Apple.

[Updated] Seems all the talk about this has nudged Apple to act! They’ve released Java for OS X Lion 2012-001 and Java for Mac OS X 10.6 Update 7. F-Secure have released a free Flashback remover tool, and Apple have announced they are also working on software to detect and remove Flashback malware.

Source: F-Secure

8
Nov

Charlie Miller Discovers iOS Code-Signing Bypass Vulnerability

Security researcher Charlie Miller (@0xcharlie) has discovered a significant flaw in iOS which may allow a malicious app on the App Store to download and execute arbitrary unsigned code. What this means for iPhone, iPad and iPod Touch users is that installing a malicious app may allow an attacker to obtain shell access to your device, and download contacts or images.

Apple reviews every app submitted to the App Store, which has meant that iOS users have not had to worry about outright malware. Since this vulnerability allows the apps to fetch code remotely, they can perform actions not reviewed by the App Store staff. Charlie had submitted a proof-of-concept app that was approved (see video below), but has since been removed by Apple.

The reason this vulnerability works is based around some changes Apple made in iOS 4.3 last year, which allowed Mobile Safari to run JavaScript at a more privileged level on the devices. This change required Apple to make an exception for Safari to execute unsigned code in a particular area of memory. Charlie Miller’s bug is allegedly a very unique case that allows any app to take advantage of this, and hence run its own unsigned code.

Charlie will be presenting the vulnerability in detail at the SyScan conference in Taiwan next week. Apple has already released a developer beta of iOS 5.0.1 which patches the recent iPad Smart Cover lock screen bypass, but I would not be at all surprised if they release another beta which includes a fix for this bug. Until then, be careful to only install apps from developers you trust.

[Update] Apple has kicked Charlie out of the Developer program. At first I felt that this was an extremely bad reaction on Apple’s part. That said, Apple is probably most upset that Charlie’s proof-of-concept app could have been installed by legitimate users. Regardless of Charlie’s intentions, this could constitute malware, and he should have removed the app as soon as he saw the flaw existed. The posting of his video above probably didn’t help matters either.

13
Oct

Apple Releases Slew of Security Updates (OSX, Safari, iTunes, iOS 5, aTV)

I wasn’t going to post about last week’s fairly significant iTunes update, but then Apple went and patched a whole bunch of vulnerabilities across the board. Some of these are fairly significant so I thought I would provide a short breakdown of the changes. Either way, you should definitely be patching all of your Apple devices and software tonight.

Hit the jump for a summary of the key vulnerabilities patched in Apple’s security updates.

Read more

10
Sep

Security Update 2011-005 Fixes DigiNotar SSL Vulnerability

Apple has finally issued Security Update 2011-005 to address the recent issues around compromised Dutch certificate authority DigiNotar. It was discovered that at least 531 fraudulent SSL certificates were issued by DigiNotar, leading to their root certificate being revoked in all major operating systems and browsers over the past two weeks. A man-in-the-middle attacker in possession of one of these certs (eg. Google, Skype), would be able to intercept SSL-encrypted traffic to those sites. It is believed that the use of these fraudulent certs may have been limited to the Iranian government.

This patch removes the DigiNotar CA from the trusted root certificates in the Mac OS X keychain (which is also used by Safari) for Lion and Snow Leopard. Unfortunately no patch has been issued for Leopard (10.5) users, leaving them at a heightened risk from these bad certificates. It is recommended that Leopard users delete the DigiNotar CA certificate from the Keychain using the following steps:

  1. Open Keychain Access (/Applications/Utilities/Keychain Access)
  2. Click on the System Roots keychain in the top-left hand panel
  3. Click on Certificates in the bottom-left hand panel
  4. Type DigiNotar into the search field in the top right.
  5. Right-click on the DigiNotar Root CA, and select Delete.
For sysadmins, the following Terminal command achieves the same thing:
# sudo /usr/bin/security delete-certificate -Z C060ED44CBD881BD0EF86C0BA287DDCF8167478C /System/Library/Keychains/SystemRootCertificates.keychain
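
A before-and-after check for the removal above, as an added example that is not part of the original post: it looks for the DigiNotar fingerprint in the output of `security find-certificate -a -Z`. The fingerprint and keychain path are the ones in the post's command; the function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit a root keychain for the
# DigiNotar Root CA before and after running the delete command.

# SHA-1 fingerprint and keychain path are the ones in the post's command.
DIGINOTAR_SHA1="C060ED44CBD881BD0EF86C0BA287DDCF8167478C"
ROOTS="/System/Library/Keychains/SystemRootCertificates.keychain"

# Read `security find-certificate -a -Z` output on stdin and succeed only if
# a "SHA-1 hash:" line carries the fingerprint given as $1 (case-insensitive).
fingerprint_listed() {
    awk -v want="$1" '
        /^SHA-1 hash:/ && toupper($3) == toupper(want) { found = 1 }
        END { exit !found }'
}

# 0 = root still present, 1 = not found, 2 = cannot check on this machine.
check_keychain() {
    command -v security >/dev/null 2>&1 || return 2
    [ -r "$1" ] || return 2
    # A failed listing must not be reported as "not found".
    out=$(security find-certificate -a -Z "$1" 2>/dev/null) || return 2
    printf '%s\n' "$out" | fingerprint_listed "$DIGINOTAR_SHA1"
}

# Constructed, abbreviated sample output; the second entry is a placeholder.
sample_before() {
    cat <<'EOF'
SHA-1 hash: C060ED44CBD881BD0EF86C0BA287DDCF8167478C
keychain: "/System/Library/Keychains/SystemRootCertificates.keychain"
    "labl"<blob>="DigiNotar Root CA"
SHA-1 hash: 0000000000000000000000000000000000000000
keychain: "/System/Library/Keychains/SystemRootCertificates.keychain"
    "labl"<blob>="Example Root CA (constructed)"
EOF
}
sample_after() { sample_before | sed '1,3d'; }

# Run with --check on the Mac being audited.
if [ "${1:-}" = "--check" ]; then
    rc=0; check_keychain "$ROOTS" || rc=$?
    case $rc in
        0) echo "DigiNotar Root CA is still in $ROOTS" ;;
        1) echo "DigiNotar Root CA not found in $ROOTS" ;;
        *) echo "cannot check: security(1) or keychain unavailable" ;;
    esac
fi
```

Matching on the fingerprint rather than the certificate's display name means a similarly named certificate cannot be mistaken for the one the command removes.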

Firefox users should update to the latest version of Firefox. Here is the full Apple description for this update:

Security Update 2011-005

  • Certificate Trust Policy

    Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7.1, Lion Server v10.7.1

    Impact: An attacker with a privileged network position may intercept user credentials or other sensitive information

    Description: Fraudulent certificates were issued by multiple certificate authorities operated by DigiNotar. This issue is addressed by removing DigiNotar from the list of trusted root certificates, from the list of Extended Validation (EV) certificate authorities, and by configuring default system trust settings so that DigiNotar’s certificates, including those issued by other authorities, are not trusted.

3
May

Low Risk MACDefender Trojan is Easily Avoided

There have been widespread reports of people installing a trojan that masquerades as an anti-virus program dubbed MacDefender. When visiting a malicious or compromised website promoted by SEO (search engine) poisoning, some Mac OS X users using Safari are experiencing the automatic download of a disk image which then automatically mounts and launches an installer. Intego’s blog has a detailed report which shows that they’ve discovered instances of scareware, where the websites (ironically displaying a faux-Windows GUI) show a fake virus scan and inform the user that their computer is infected.

Note: The automatic mounting and execution of the installer can easily be prevented by unchecking the “Open ‘safe’ files after downloading” option in the Safari Preferences.

If the user installs it, the MacDefender app looks very professionally done and is unlike any other OSX malware to date. It will periodically open porn sites, pop up warnings that the user’s computer is infected, and prompt them to purchase the MacDefender anti-virus software. The software purchase page is just a place to get the user’s credit card number, and no product is delivered.

For the most part this is a very low-risk trojan, and can easily be avoided by disabling the ‘safe files’ option, and not installing software that randomly appears on your computer. No website can arbitrarily scan your computer for malware, and if they tell you that you’re infected, they’re lying. If common sense and good security practice aren’t enough, you can install an anti-virus (eg. VirusBarrier or Sophos) that will pick up this trojan.

If you did accidentally install the trojan, it can be removed with the following steps:

  1. Open Activity Monitor (in /Applications/Utilities/), and find the MacDefender.app process in the list. If it’s there, select it and click ‘Quit Process’.
  2. Open System Preferences (in the Apple menu) and click on Accounts. Click on the Login Items tab for your user, and find MacDefender in the list. If it’s there, select it and remove it using the minus [-] button below the list.
  3. Delete MacDefender from your Applications folder.

Check out my article on Securing Leopard and Top 100 Security and Privacy Tips!

[Update 5/5/11] There are reports of variants of the MACDefender trojan going around under the name “Mac Security” or “Mac Shield”. For the reversers, check out this reverse engineering of the MACDefender binary.

15
Apr

Updates: Mac OS X 2011-002, Safari 5.0.5, iOS 4.3.2

Apple has released several security updates which patch vulnerabilities in the way Mac OS X and iOS handle certificate trust. This comes off the back of the recent Comodo hack in which several fraudulent – yet valid – SSL certificates were created for a number of prominent websites, rendering users vulnerable to potential man-in-the-middle attacks. These updates (2011-002 and iOS 4.3.2/4.2.7) improve the way certificate verification is performed in OSX and iOS. The Safari 5.0.5 update patches two critical bugs which could result in remote code execution.

In other news: Updates to Safari in Mac OS X 10.7 “Lion” have shown that the browser will bring support for the new Do-Not-Track functionality, intended to give users the ability to opt-out from tracking by Third Party tracking and ad companies. Whether or not this functionality will be fully respected by third parties remains to be seen. Lastly, a tethered jailbreak for iOS 4.3.2 has already been released.

26
Mar

Safari, Mac OS X and Fraudulent SSL Certificates (Comodo)

Following the recent hacking of Comodo, a certificate authority that distributes SSL certificates, users of the following domains are at a higher risk of phishing and sniffing attacks:

  • login.live.com
  • mail.google.com
  • www.google.com
  • login.yahoo.com
  • login.skype.com
  • addons.mozilla.org

Attackers were able to obtain SSL certificates for these domains, essentially allowing them to pose as those websites. The certificates have since been revoked by Comodo; however, this only helps if browsers check Comodo’s Certificate Revocation List (CRL) and have the Online Certificate Status Protocol (OCSP) enabled. Firefox and Chrome were updated last week to block the fraudulent certs, but Safari doesn’t do CRL and OCSP checking by default.

Hit the jump for how to enable these checks in OSX and Safari. Read more

11
Mar

Browser and Smartphone Exploits Fly at Pwn2Own [Recap]

With Google offering $20,000 for a Chrome sandbox exploit, Apple releasing fresh security updates, and the organisers allowing researchers to target mobile phone basebands, it was sure to make for an interesting Pwn2Own contest at CanSecWest this year.

For the fifth year running, Pwn2Own invited security researchers to discover vulnerabilities and develop exploits for the most popular browsers on Mac OS X and Windows (for some reason Linux is left out this year). Traditionally IE, Firefox and Safari have gotten exploited, with Chrome being the last browser standing at last year’s competition. Google upped the ante by making it significantly more attractive to target their browser this year.

In short: Safari, Internet Explorer, iPhone and Blackberry were all successfully compromised. Chrome and Firefox survive. Hit the jump for the full details! Read more

10
Mar

Safari Errorjacking Vulnerability and Exploit [Patched]

One of the vulnerabilities patched in Safari 5.0.4 is a fairly critical issue in WebKit (CVE-2011-0167) that allows JavaScript to jump into the local zone, and access any file on the local computer that is accessible to the current user. This could be used by malicious websites to extract files and information from the victim’s computer. The vulnerability affects Safari on Mac OS X and Windows, and could affect other WebKit-based browsers, although Chrome is safe due to added restrictions.

The bug exists because most browser error pages are loaded from the local “file:” zone, a zone that JavaScript is not normally allowed to access directly. Since a child browser window remains under the control of the parent, it is possible to cause a child browser window to error, thus entering the normally-restricted local zone, and then instructing the child window to access local files using this elevated local-zone privilege.

This issue was a nice catch, discovered by Aaron Sigel who has a detailed explanation, video demo and proof-of-concept on his blog. It probably goes without saying, but Safari users should run Software Update as soon as possible.

10
Mar

Apple Drops iOS 4.3 and Safari 5.0.4 Security Updates Ahead of Pwn2Own Contest

In awesome day-before-just-to-try-and-screw-with-your-exploits style, Apple has released significant security patches for iOS, Safari and Apple TV. Safari, which is one of the targets at CanSecWest’s Pwn2Own contest where hackers come to demonstrate 0day exploits, has received an update to 5.0.4, and fixes over 62 bugs including major vulnerabilities in WebKit (eg. Errorjacking) and the ImageIO and libxml libraries.

iOS 4.3 patches largely the same issues in MobileSafari, as well as a remote code execution vulnerability in CoreGraphics. iOS is expected to get a lot of attention at Pwn2Own, with at least four researchers having developed exploits. Charlie Miller and Dionysus Blazakis (@dionthegod) have one exploit which doesn’t work on the update, although allegedly the vulnerability hasn’t been patched yet.

Whether or not these updates thwart some of the exploits developed for Pwn2Own remains to be seen. It’ll be cool if it prevents at least one. Either way, good job to Apple for trying.

Update: Just found out that target iPhones at Pwn2Own won’t be running the latest iOS 4.3 which does indeed prevent a number of exploits. Here’s a recap of the Pwn2Own action.

Lastly, Apple TV has been updated to 4.2 to patch a couple not-so-critical vulnerabilities in libfreetype and libtiff that could allow code execution if a malicious image were opened.

Hit the jump for the long list of issues fixed in iOS 4.3. Read more
