'security' Articles

Adobe Releases Critical Security Update for Flash Player on Mac

Adobe has released security updates for Flash Player that address critical vulnerabilities that could put Mac users at risk. Flash Player version and earlier, Flash Player Extended Support Release version and earlier, and Flash Player for Google Chrome version and earlier are affected on macOS Sierra and OS X. Mac users should update to the latest Flash Player version through the built-in update mechanism, or by visiting the Adobe Flash Player Download Center. Mac users running Flash Player 11.3.x or later who have selected the option to "allow Adobe to install updates" will receive the update automatically, and Google Chrome will likewise update its bundled copy of Flash Player to the patched version on its own. Safari on macOS Sierra deactivates Flash by default, enabling the plug-in only when the user asks for it, and Chrome, Firefox, and most other modern browsers also have plug-in safeguards in place because of Flash's long record of security problems. Similar critical updates were issued in March, and in April Adobe released an "emergency" Flash Player update after a Flash flaw was used to deliver ransomware through Flash-based advertisements on Mac and other platforms. Ransomware is malware that encrypts a user's files and demands payment for the key to decrypt them; such threats typically display images or play recorded instructions on how to pay. The latest vulnerabilities, discovered by Palo Alto Networks, Trend Micro, Tencent, and other researchers, could lead to nondescript "code

macOS Sierra Addresses Dropbox Security Concerns by Explicitly Asking for Accessibility User Permission

Following Dropbox-related security concerns that surfaced earlier this month, developer Phil Stokes has confirmed that macOS Sierra now explicitly requires apps to ask for user permission to access Accessibility (via Daring Fireball). Users can give access to an app, or click "not now" to deny the request. Accessibility access lets an app inspect and drive the user interface of other applications, including synthesizing keyboard and mouse input, which is why macOS gates it behind an explicit user grant. Concerns were raised after it was demonstrated that Dropbox appears in System Preferences > Security & Privacy under Accessibility despite users never having been prompted to grant access. More details can be found in our previous coverage and in a Dropbox support document.

Let's assume for the sake of argument that Dropbox never does any evil on your computer. It remains the fact that the Dropbox process has that ability. And that means, if Dropbox itself has a bug in it, it's possible an attacker could take control of your computer by hijacking flaws in Dropbox's code. Of course, that's entirely theoretical, but all security risks are until someone exploits them. The essence of good computer security, and indeed the very reason why OS X has these kinds of safeguards in place to begin with, is that apps should not have permissions greater than those that they need to do their job.

At the time, Dropbox said it was working with Apple to reduce its dependence on elevated access in macOS Sierra, and would respect it when people disable the app's Accessibility permissions, but now a much-needed safeguard exists regardless. In a new blog post, Dropbox still recommends that Mac users running macOS Sierra update their Accessibility permissions, if
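The Accessibility list in System Preferences is backed by a SQLite database, so the question "which apps hold this privilege, and did I ever approve them?" can be answered with a query. The following audit script is an added example for this article, not Dropbox's or Apple's code. It assumes the macOS 10.12-era schema of the `access` table in /Library/Application Support/com.apple.TCC/TCC.db (columns service, client, client_type, allowed, prompt_count, csreq) and that prompt_count records how often the user was shown the system prompt; both are assumptions. To run offline it builds an in-memory copy of that table from constructed rows, including one modelled on the Dropbox pattern: allowed, but never prompted.

```python
"""Audit Accessibility grants in macOS's TCC database (added example).

Assumes the 10.12-era `access` table layout and the meaning of prompt_count;
builds an in-memory stand-in with constructed rows so it runs anywhere.
"""
import sqlite3

ACCESSIBILITY = "kTCCServiceAccessibility"
TCC_DB = "/Library/Application Support/com.apple.TCC/TCC.db"  # real path, root-only

# Constructed sample rows: (service, client, client_type, allowed, prompt_count).
# client_type 0 = bundle identifier, 1 = absolute path (assumption).
SAMPLE_ROWS = [
    (ACCESSIBILITY, "com.apple.Terminal", 0, 1, 1),
    (ACCESSIBILITY, "com.getdropbox.dropbox", 0, 1, 0),   # allowed, never prompted
    (ACCESSIBILITY, "/usr/local/bin/oldtool", 1, 1, 1),
    (ACCESSIBILITY, "com.example.denied", 0, 0, 1),       # user clicked "not now"
    ("kTCCServiceUbiquity", "com.apple.Notes", 0, 1, 1),  # unrelated service
]


def build_sample_db() -> sqlite3.Connection:
    """In-memory stand-in for TCC.db using the assumed 10.12 schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        """CREATE TABLE access (
               service TEXT NOT NULL, client TEXT NOT NULL,
               client_type INTEGER NOT NULL, allowed INTEGER NOT NULL,
               prompt_count INTEGER NOT NULL, csreq BLOB,
               PRIMARY KEY (service, client, client_type))"""
    )
    conn.executemany(
        "INSERT INTO access (service, client, client_type, allowed, prompt_count)"
        " VALUES (?, ?, ?, ?, ?)",
        SAMPLE_ROWS,
    )
    return conn


def accessibility_grants(conn: sqlite3.Connection):
    """Every client currently allowed to use the Accessibility API."""
    cur = conn.execute(
        "SELECT client, client_type, prompt_count FROM access"
        " WHERE service = ? AND allowed = 1 ORDER BY client",
        (ACCESSIBILITY,),
    )
    return cur.fetchall()


def unexpected_grants(conn: sqlite3.Connection, allowlist):
    """Grants to review: anything off the allowlist, flagged specially when the
    grant was recorded without the user ever seeing the prompt."""
    findings = []
    for client, _ctype, prompt_count in accessibility_grants(conn):
        if client in allowlist:
            continue
        reason = "granted without a prompt" if prompt_count == 0 else "not on allowlist"
        findings.append((client, reason))
    return findings


if __name__ == "__main__":
    db = build_sample_db()  # on a Mac: sqlite3.connect(TCC_DB), run as root
    for client, reason in unexpected_grants(db, {"com.apple.Terminal"}):
        print(f"{client}: {reason}")
```

On a real Sierra system, point `sqlite3.connect` at `TCC_DB` as root instead of calling `build_sample_db`. Revoke a single entry by unchecking it under Security & Privacy > Accessibility; `tccutil reset Accessibility` clears every grant for the service at once. From macOS 10.14 onward the database is protected by System Integrity Protection and the column names differ, so the query needs adjusting there.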

iOS Device Ransom Attacks Continue to Target Users in U.S. and Europe

A few years ago, a number of users in Australia were victimized by attackers remotely locking iPhones, iPads, and Macs using Find My iPhone on iCloud. Compromised devices typically displayed Russian ransom messages demanding payments of around $50 to $100 for the device to be unlocked.

(Image: a ransom message targeting a Mac in 2014 with the common pseudonym "Oleg Pliss")

At the time, IT security expert Troy Hunt noted that the attackers were likely using email addresses and passwords exposed in various online data breaches to log in to iCloud accounts; AOL and eBay, for example, were among several high-profile companies that suffered breaches in 2014. Apple later confirmed that iCloud itself was not compromised, and that the attackers, who were eventually arrested, had obtained Apple IDs and passwords from external sources. Russian website MKRU said the credentials came from phishing pages and social engineering. Because the attack needs nothing beyond the Apple ID password, a password reused from a breached site is enough to mount it; a unique password for the Apple ID removes that foothold.

Since then, CSO's Salted Hash security blog has found that, since at least February of this year, these ransom attacks have returned and now target users in the U.S. and Europe. The methods are said to be the same ones used in 2014:

It starts with a compromised Apple ID. From there, the attacker uses Find My iPhone and places the victim's device into lost mode. At this point, they can lock the device, post a message to the lock screen and trigger a sound to play, drawing attention to it. In each of the cases reported publicly, the ransom demanded is usually

What You Need to Know About Mac Malware 'Backdoor.MAC.Eleanor'

Internet security software company Bitdefender's research lab has disclosed new malware targeting Macs called Backdoor.MAC.Eleanor [PDF]. Learn more about the malware and how to keep your Mac protected against attackers.

What is Backdoor.MAC.Eleanor?

Backdoor.MAC.Eleanor is new OS X/macOS malware delivered by a malicious third-party app called EasyDoc Converter, which poses as a drag-and-drop file converter.

What is EasyDoc Converter?

"EasyDoc" is a third-party Mac app that poses as a drag-and-drop file converter. The app has the following fake description:

EasyDoc Converter is a fast and simple file converter for OS X. Instantly convert your FreeOffice (.fof) and SimpleStats (.sst) docs to Microsoft Office (.docx) by dropping your file onto the app. EasyDoc Converter is great for employees and students looking for a simple tool for quickly convert files to the popular Microsoft format. EasyDoc Converter lets you get to work quickly by using a simple, clean, drag-and-drop interface. The converted document will be saved in the same directory of the original file.

EasyDoc Converter was previously available on the software download site MacUpdate, but it was removed by July 5. It may remain available for download elsewhere online; it was never available through the Mac App Store. The app was built with Platypus, a developer tool that wraps shell, Perl, Python or Ruby scripts in a native Mac application bundle, so the "app" is essentially a script with an icon.

How is Backdoor.MAC.Eleanor distributed?

Backdoor.MAC.Eleanor infects Macs with EasyDoc Converter installed. The app installs a malicious

Google Simplifies 2-Step Verification Process With iOS Search App Prompt

Google is making two-factor authentication for Google accounts simpler by building the second step into the company's iOS search app. Two-factor authentication adds an extra layer of security by requiring a verification code in addition to the username and password at sign-in, so a password alone, whether phished or leaked, is not enough to get in. Previously, users had to receive a text message or phone call carrying a code, or use the Google Authenticator app, which generates time-limited numeric codes to be typed into the sign-in page. With the change, rolling out from today, when a user tries to sign into a Google account with two-step verification enabled, a notification from the Google search app asks whether they are the one signing in; tapping "Yes, allow sign-in" completes the authentication. To enable it, sign into Google's My Account section and select Google prompt under Sign-in & Security -> Signing in to Google -> 2-Step Verification. Google notes that the option requires a data connection and that it may take up to three days for the feature to appear across all account pages. The prompt is only as strong as the habit of declining sign-ins you did not start: an attacker who already holds the password can trigger a prompt at will, so an unexpected request should be denied, not approved to make it go away. The Google app is a free download for iPhone and iPad available on the App Store.

Adobe Issues 'Emergency' Flash Player Security Update for OS X to Address Ransomware Attacks

Adobe has issued Flash Player security updates for OS X, Windows, Linux, and Chrome OS to address "critical vulnerabilities that could potentially allow an attacker to take control of the affected system," one of which is being exploited in the wild to deliver ransomware. Ransomware is malware that encrypts a user's files and demands payment for the key to decrypt them; such threats typically display images or play recorded instructions on how to pay. In this particular "CERBER" campaign (via Reuters), spread through Flash-based advertisements, attackers have reportedly demanded between around $500 and $1,000 to decrypt the files. Adobe says it is aware of the flaw being "actively exploited" on Windows 10, but it is unclear whether any Macs have actually been victimized. Just last month, the popular BitTorrent client Transmission was temporarily distributed with the first ransomware found on the Mac platform.

Currently, all servers hosting these malvertisements are now inaccessible. Some reports mentioned that CERBER is being peddled in the Russian underground market as ransomware-as-service (RaaS). This not only proves the suggestion presented by the configuration file's code above, but also confirms that we will be seeing more of CERBER in the near future.

Adobe recommends that Flash Player users on Mac update to the patched version through the update mechanism within the software when prompted, or by visiting the Adobe Flash Player Download Center. Adobe Flash Player installations within Chrome, Microsoft Edge, and Internet Explorer for Windows 8.1 or later should

Researchers Uncover Multiple OS X and Safari Exploits at Pwn2Own 2016

The sixteenth annual CanSecWest security conference is underway in downtown Vancouver, British Columbia, and researchers participating in the Pwn2Own hacking contest have already demonstrated multiple vulnerabilities in OS X and the Safari web browser. On day one of the event, independent security researcher JungHoon Lee earned $60,000 after exploiting both Safari and OS X. Lee used four vulnerabilities in total, one in Safari and three in the OS X operating system, according to security firm Trend Micro.

JungHoon Lee (lokihardt): Demonstrated a successful code execution attack against Apple Safari to gain root privileges. The attack consisted of four new vulnerabilities: a use-after-free vulnerability in Safari and three additional vulnerabilities, including a heap overflow to escalate to root. This demonstration earned 10 Master of Pwn points and US$60,000.

Meanwhile, the report says the Tencent Security Team Shield group gained root through Safari by chaining "two use-after-free vulnerabilities," one in Safari and one in a "privileged process." The pattern is the same in both entries: a bug in the browser's sandboxed content process yields code execution, and a second bug in a more privileged component is needed to escape the sandbox and reach root. The Tencent researchers were awarded $40,000 in prize money. The five participating teams earned a total of $282,500 in prizes on day one, led by $132,500 for the 360Vulcan Team, according to the report. Other targets successfully exploited include Adobe Flash, Google Chrome, and Microsoft Edge on Windows. Apple representatives have attended

Adobe Releases Flash Player Update for 'Critical' Security Vulnerability on Mac

Adobe has released security updates for Flash Player that address critical vulnerabilities that "could potentially allow an attacker to take control of the affected system." Adobe is aware of "limited, targeted attacks" on OS X, Windows, and Linux. Adobe lists the affected Flash Player and AIR versions in a security bulletin on its website. Mac or PC users running an affected version should immediately uninstall the web plugin or update to the newest version outlined on Adobe's website. Apple blocks many older or vulnerable versions of web plugins, including Adobe Flash and Java, from running in Safari to limit exposure to "zero day" exploits; the block is driven by a minimum-version list that Apple pushes out through its XProtect updates, and a plugin stays blocked until you install a version at or above that minimum. Chrome, Firefox, and most other modern web browsers also have web plugin safeguards in place due to the high number of past security
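Apple's plugin blocking, mentioned here and behind the Safari behaviour in the other Flash updates on this page, comes down to a version comparison against a list Apple ships. The script below is an added example, not Apple's or Adobe's code. It assumes the layout of /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist from the OS X 10.9 to 10.12 era (a PlugInBlacklist dictionary keyed by OS major version, then by plugin bundle identifier, each with a MinimumPlugInBundleVersion string) and that a plugin's version is the CFBundleShortVersionString in its Info.plist; the plist contents and installed versions embedded below are constructed samples, not real Apple data.

```python
"""Compare installed web plug-in versions with an XProtect-style minimum-version
list (added example; plist layout and sample versions are assumptions)."""
import plistlib
import re

XPROTECT_META = ("/System/Library/CoreServices/CoreTypes.bundle/Contents/"
                 "Resources/XProtect.meta.plist")

# Constructed sample in the assumed XProtect.meta.plist layout.
SAMPLE_XPROTECT_META = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PlugInBlacklist</key>
  <dict>
    <key>10</key>
    <dict>
      <key>com.macromedia.Flash Player.plugin</key>
      <dict>
        <key>MinimumPlugInBundleVersion</key>
        <string>23.0.0.162</string>
      </dict>
      <key>com.oracle.java.JavaAppletPlugin</key>
      <dict>
        <key>MinimumPlugInBundleVersion</key>
        <string>1.8.101.13</string>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""

# Constructed: what each installed plug-in's Info.plist might report.
SAMPLE_INSTALLED = {
    "com.macromedia.Flash Player.plugin": "22.0.0.211",
    "com.oracle.java.JavaAppletPlugin": "1.8.101.13",
}


def version_key(version: str) -> tuple:
    """Turn '23.0.0.162' into a comparable tuple. Trailing zero components are
    dropped so '23.0' == '23.0.0.0'; non-numeric pieces sort below any number."""
    parts = [int(p) if p.isdigit() else -1 for p in re.split(r"[.\-_]", version.strip())]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def minimum_versions(meta_plist: bytes, os_major: str = "10") -> dict:
    """bundle id -> minimum allowed version from the block list."""
    data = plistlib.loads(meta_plist)
    entries = data.get("PlugInBlacklist", {}).get(os_major, {})
    return {bid: e["MinimumPlugInBundleVersion"]
            for bid, e in entries.items() if "MinimumPlugInBundleVersion" in e}


def is_blocked(installed: str, minimum: str) -> bool:
    """Blocked when the installed version is strictly below the minimum."""
    return version_key(installed) < version_key(minimum)


def check_plugins(meta_plist: bytes, installed: dict) -> dict:
    """bundle id -> (installed, minimum, blocked) for each listed plug-in."""
    mins = minimum_versions(meta_plist)
    return {bid: (ver, mins[bid], is_blocked(ver, mins[bid]))
            for bid, ver in installed.items() if bid in mins}


if __name__ == "__main__":
    # On a Mac: open(XPROTECT_META, "rb").read() and read each plug-in's Info.plist
    for bid, (have, need, blocked) in check_plugins(SAMPLE_XPROTECT_META, SAMPLE_INSTALLED).items():
        print(f"{bid}: installed {have}, minimum {need}: {'BLOCKED' if blocked else 'ok'}")
```

The comparison deliberately treats versions as tuples of integers rather than strings: a string comparison would rank "9.0.0" above "23.0.0.162" and report a blocked plugin as fine.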

Apple Acquired Firmware Security Company LegbaCore Last November

Apple acquired firmware security company LegbaCore in November 2015, according to security researcher Trammell Hudson, who revealed the acquisition in his presentation at the 32C3 conference in December. LegbaCore's goal, according to founder Xeno Kovah, is "to help build systems that are as secure as we know how to make." In November, Kovah and fellow LegbaCore founder Corey Kallenberg revealed that they had joined Apple as full-time employees. Just a couple of days before that, LegbaCore's website announced that it would "not be accepting any new customer engagements", noting that the site would remain up "to serve as a reference for LegbaCore's past work."

LegbaCore had collaborated with Hudson on Thunderstrike 2, the first firmware worm to affect Mac computers. Because it lives in the boot flash rather than on disk, the worm survives reinstalling the operating system and resists removal by ordinary firmware and software updates, which depend on the very firmware it has compromised. LegbaCore and Hudson had alerted Apple to the vulnerabilities Thunderstrike 2 exploits, and Apple began work on fixes, issuing one in June 2015. On Twitter, Kovah said that Apple began discussions with LegbaCore after the consultancy's presentation in summer 2015. It soon became clear to Kovah and Kallenberg that Apple had "some *very* interesting and highly impactful work" that the two could participate in. They were eventually convinced to wind down LegbaCore's existing contracts and begin work at Apple.

What did Apple hire us to do? We can't say. :) Well, we can probably say something like "low level security" (I don't know our job titles)— Xeno Kovah (@XenoKovah) November 10, 2015

While LegbaCore is a security consultancy

Apple's Strict Bluetooth LE Security Requirements Slowing Rollout of HomeKit Accessories

While it has been more than a year since Apple launched HomeKit, a software framework for communicating with and controlling light bulbs, thermostats, door locks and other connected accessories in the home, only five HomeKit-approved products have been released to date: the Ecobee3, Elgato Eve, iHome iSP5 SmartPlug, Insteon Hub and Lutron Caseta Wireless Lighting Starter Kit. The slow rollout of HomeKit-enabled hardware is not due to a lack of interest in the platform, but to Apple's strict security requirements for Bluetooth LE (low energy) devices, according to Forbes. In particular, the cryptography HomeKit requires over Bluetooth LE, which authenticates pairing with public-key operations and encrypts every session, is expensive for the small microcontrollers in battery-powered accessories, and the resulting lag times render some accessories essentially useless.

For example, a smartlock that makes its user wait 40 seconds before it opens is clearly inferior to a traditional lock. One of HomeKit's selling points is that it provides a more reliable user experience, so these kinds of lag times will need to be sorted out before Apple can become a major platform for the smart home.

(Image: Elgato Eve smart home sensors for doors, windows and energy consumption)

Chipmakers such as Broadcom and Marvell have reportedly been working to improve their Bluetooth LE chips so they handle Apple's level of encryption more efficiently, an important step if the company wants to become a major player in the smart home. In the meantime, developers have either focused on Wi-Fi-based HomeKit hardware or worked on temporary solutions to the problem.

For the time being, Elgato has found a

iOS and OS X Security Flaws Enable Malicious Apps to Steal Passwords and Other Data

A team of six researchers from Indiana University, Georgia Tech and Peking University have published an in-depth report exposing a series of security vulnerabilities that enable sandboxed malicious apps, approved for the App Store, to gain unauthorized access to sensitive data stored by other apps, including iCloud passwords and authentication tokens, Google Chrome saved web passwords and more. The thirteen-page paper "Unauthorized Cross-App Resource Access on Mac OS X and iOS" details how inter-app interaction services, from the Keychain and WebSocket on OS X to URL schemes on OS X and iOS, can be abused to steal confidential information and passwords, including those stored in popular password vaults such as 1Password by AgileBits. The common thread is that these channels identify the party on the other end weakly or not at all: a malicious app can pre-create a keychain item whose access control list admits the target app and later read the secret the target stores in it, register the same URL scheme a legitimate app uses to receive tokens, or listen on the local WebSocket port that a browser extension uses to talk to its companion app.

"We completely cracked the keychain service - used to store passwords and other credentials for different Apple apps - and sandbox containers on OS X, and also identified new weaknesses within the inter-app communication mechanisms on OS X and iOS which can be used to steal confidential data from Evernote, Facebook and other high-profile apps."

The cross-app and communication vulnerabilities discovered on iOS and OS X, identified as XARA weaknesses, include Keychain password stealing, IPC interception, scheme hijacking and container cracking. The affected apps and services include iCloud, Gmail, Google Drive, Facebook, Twitter, Chrome, 1Password, Evernote, Pushbullet, Dropbox, Instagram, WhatsApp, Pinterest, Dashlane, AnyDo, Pocket and several others. Lead researcher Luyi Xing told The

Apple Issues Security Updates Fixing 'FREAK' Security Flaw

Just under a week after researchers disclosed a TLS flaw referred to as "FREAK" (Factoring Attack on RSA-EXPORT Keys), which left many devices open to a man-in-the-middle downgrade of their encrypted connections, Apple has issued fixes for all of its platforms. The fix is available in Apple TV 7.1 for the Apple TV 3rd generation and later, and in iOS 8.2 for iPhone 4s and later, iPod touch 5th generation and later and iPad 2 and later. It is also available for Macs running OS X Mountain Lion 10.8.5, Mavericks 10.9.5 and Yosemite 10.10.2. The vulnerability stems from a former U.S. government policy that barred companies from exporting strong encryption and instead required deliberately weakened "export-grade" cipher suites, limited to 512-bit RSA keys, for customers outside the United States. Although the policy was lifted more than a decade ago, many servers still accept those suites, and affected clients would accept a short export-grade RSA key from the server even after negotiating a full-strength cipher suite. An attacker in the middle can therefore steer the handshake toward an export suite, factor the 512-bit key (a matter of hours on rented cloud hardware), and read or tamper with the session. Apple's fix addresses the issue by removing support in Secure Transport for the short ephemeral RSA keys that the export-grade suites rely on. The updates for iOS 8.2, Apple TV 7.1 and Mac OS X Mountain Lion, Mavericks and Yosemite are available
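FREAK only works against a server that still accepts export-grade suites, so the practical check on the defending side is whether any of those suites are still offered or configurable. The block below is an added example, not code from Apple or the FREAK researchers. It contains a minimal builder and parser for a TLS ClientHello record (the message the man-in-the-middle rewrites to contain only export suites), a table of the export suite codes from the IANA TLS cipher suite registry, a filter showing what a server's suite list should look like, and a probe of the local OpenSSL build; the ClientHello it parses is constructed in the block, and no network connection is made.

```python
"""Find export-grade TLS cipher suites (added example; no network access)."""
import ssl
import struct

# 40-bit "export" suites from the IANA TLS Cipher Suite registry (RFC 2246/4346).
EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x000B: "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x000E: "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0011: "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0017: "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
    0x0019: "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
}


def build_client_hello(suites) -> bytes:
    """Constructed TLS record (version 3.1 on the wire) carrying a ClientHello
    with client_version 3.3, a fixed random, empty session id, the given
    suites, null compression and no extensions."""
    cs = b"".join(struct.pack(">H", s) for s in suites)
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"
            + struct.pack(">H", len(cs)) + cs + b"\x01\x00")
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


def client_hello_suites(record: bytes):
    """Parse the cipher suite codes out of a ClientHello handshake record."""
    content_type, _major, _minor, rec_len = struct.unpack(">BBBH", record[:5])
    if content_type != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                  # client_version + random
    pos += 1 + body[pos]          # session_id (length-prefixed)
    cs_len = struct.unpack(">H", body[pos:pos + 2])[0]
    raw = body[pos + 2:pos + 2 + cs_len]
    return [struct.unpack(">H", raw[i:i + 2])[0] for i in range(0, cs_len, 2)]


def export_suites(suites):
    """(code, name) for every export-grade suite in the list."""
    return [(s, EXPORT_SUITES[s]) for s in suites if s in EXPORT_SUITES]


def strip_export_suites(suites):
    """The corrected server configuration: the same list with export suites gone."""
    return [s for s in suites if s not in EXPORT_SUITES]


def local_stack_export_suites():
    """Export suites the local OpenSSL can still enable. Expected to be empty:
    OpenSSL 1.1.0 removed them, and set_ciphers('EXPORT') then fails."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers("EXPORT")
    except ssl.SSLError:
        return []
    return [c["name"] for c in ctx.get_ciphers()]


if __name__ == "__main__":
    # A downgraded ClientHello as a FREAK attacker would forward it: two
    # export suites mixed in with modern ones (constructed sample).
    hello = build_client_hello([0xC02F, 0x002F, 0x0003, 0x0014, 0x00FF])
    print(export_suites(client_hello_suites(hello)))
    print("local stack export suites:", local_stack_export_suites())
```

Run against captured traffic, `client_hello_suites` tells you whether a client (or a man-in-the-middle speaking for it) is offering export suites; run on a server, `local_stack_export_suites` tells you whether the TLS library could ever agree to one. Both should come back empty.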

OS X 10.10.2 Includes Fix for 'Thunderstrike' Hardware Exploit Affecting Macs

Apple is readying a fix in OS X 10.10.2 for the so-called "Thunderstrike" hardware exploit targeting Macs equipped with Thunderbolt ports, iMore has learned. According to the report, Apple's code changes in the upcoming update prevent a Mac's boot ROM from being replaced, and also prevent it from being rolled back to an earlier version in which the attack would work again.

To secure against Thunderstrike, Apple had to change the code to not only prevent the Mac's boot ROM from being replaced, but also to prevent it from being rolled back to a state where the attack would be possible again. According to people with access to the latest beta of OS X 10.10.2 who are familiar with Thunderstrike and how it works, that's exactly the deep, layered process that's been completed.

Thunderstrike is a serious vulnerability disclosed by security researcher Trammell Hudson at the 31C3 conference in December 2014, enabling an attacker to replace a Mac's boot ROM with malicious code without the user knowing. Because the malicious code lives in the boot flash rather than on disk, it survives reinstalling the operating system or replacing the drive, and a compromised boot ROM can refuse later firmware updates that would displace it. The proof-of-concept attack is limited in scope, however: it requires physical access to the Mac, or enough social engineering to get the user to plug in a malicious Thunderbolt device and reboot. Apple has already addressed the issue in its latest hardware, including the iMac with Retina 5K Display and new Mac mini. OS X 10.10.2 has been in pre-release testing for over two months and should be made available to the public in the coming