Critical flaw leads Apple to push OS X update for first time

Apple has pushed an automatic update to Macs for the first time, in order to fix a critical vulnerability in the network time protocol (NTP), which is used to synchronize computers’ clocks.

The company typically uses its software update mechanism to issue security updates, with users consciously being involved in the process, but this one was extraordinarily urgent, and led [company]Apple[/company] to use an automatic update mechanism that it developed a couple years back but had not used until Monday.

Apple spokesman Bill Evans told Reuters that the firm wanted to protect customers as quickly as possible – and indeed, when it was first released on Monday ahead of the automated push, the update was unusually entitled: “Install this update as soon as possible.”

The flaw was discovered by [company]Google[/company] researchers and flagged up by the U.S. government on Friday – it doesn’t just affect Macs, but also systems all the way up to industrial control systems, and the government needed to warn those running critical infrastructure. According to that warning:

These vulnerabilities could be exploited remotely. Exploits that target these vulnerabilities are publicly available…
A remote attacker can send a carefully crafted packet that can overflow a stack buffer and potentially allow malicious code to be executed with the privilege level of the [NTP daemon] process.

Evans told Reuters that Apple was not aware of any exploitations of the flaw in Macs. The update, which doesn’t require a restart, was released for OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, and OS X Yosemite v10.10.1.

This article was updated a couple minutes after initial publication to change the word “forces” in the headline to “leads” — it occurred to me that “forces” sounded unnecessarily harsh, given that the company is trying to protect its users from a vulnerability that wasn’t of its own making.

If Apple can’t beat jailbreakers, it’ll recruit them

For Comex, a 19-year-old iPhone hacker whose real name is Nicholas Allegra, jailbreaking the iPhone comes easy. The iPhone Dev Team member may have hacked himself a golden ticket, since Apple has come calling and he now has an internship at the company.

Apple working on a fix for potential iOS security threat

Apple is already working on a fix for a security flaw reported by the German Federal Office for Information Security Wednesday. The Mac maker said in a statement that it is “developing a fix that will be available to customers in an upcoming software update.”

Twitter Website Hacked, User Accounts Filled With Spam

The Twitter website has been hit by a security breach that allows hackers to send bogus messages and malicious links through a user’s account, and all a user has to do to trigger the spam is to move their mouse over a link on the site.

Jailbreakers: First iPhone Worm Discovered, Features Rick Astley

ikee-170The first iPhone worm has been discovered. It comes to us via Australia, and appears to be limited to that country for now, although it has the potential to spread. It also stars Rick Astley, so to speak. The work changes the iPhone’s wallpaper to an image of the 1980s pop singer, who’s enjoyed a recent resurgence thanks to the Rick-rolling Internet phenomenon.

The worm has the ability to break into jailbroken iPhones only. Even if you’ve jailbroken, you still aren’t vulnerable unless you’ve also installed SSH, and not changed the default password after doing so. As a result, only a small fraction of the larger iPhone community is probably susceptible to the “ikee virus,” as it is called in its own source code. Read More about Jailbreakers: First iPhone Worm Discovered, Features Rick Astley

Critical Security Vulnerability in Adobe Acrobat and Reader

Nearly everyone working on the web uses PDF files from time to time. If you use Adobe Acrobat or Adobe Reader to view those PDF files, be warned that Adobe yesterday issued a security bulletin about a critical vulnerability affecting its software.

A buffer overflow exploit has been discovered that could render your computer vulnerable to attack; a malicious party could potentially use the exploit to take control of your machine. All versions of Acrobat and Reader from 7 onwards on all platforms are vulnerable to attack.  Patches to these products will not be available until March 11th. Until Adobe issue an update, it may be advisable to switch to an alternative PDF reader (Foxit works well for Windows), and, as always, it would be a good idea to make sure that your antivirus software is up-to-date and exercise extreme caution when opening files from untrusted sources.

(via DownloadSquad)

Remote Denial of Service For OS X (Leopard)

Given the large amount of “feedback” I receive from many venues on why I’m crazy for suggesting that OS X users employ some type of client-side security software, I wanted to point out a very recent exploit that I saw over at Joel Esler’s blog. The vulnerability is around the IPv6 networking layer of the underlying BSD operating system. Here’s the code:

ORIGINAL
md = m_pulldown(m, off, sizeof(*ipcomp), NULL);
if (!m) {

WHAT IT SHOULD HAVE BEEN
md = m_pulldown(m, off, sizeof(*ipcomp), NULL);
if (!md) {

A one character difference in source code in an open source component trickled it’s way up to our shiny new operating system.

Anti-virus software won’t help you on this one (and I’m sure someone will point that out and continue to defend the lack of need for client security), but it provides a clear example of how coding errors in the operating system can – and will – be exploited, which is a strong enough reason to put up defenses in other areas. Again, it’s completely based on your risk appetite and there is a contingent of OS X users that swear by the notion of not investing in security until there is overt reason to. This example should prod some of those folks to start thinking more about how vulnerable their invulnerable systems really are.

The problem exists only in the IPv6 networking layer, and – since most folks do not need IPv6 enabled – you can disable IPv6 in each of the network interfaces in your Network System Preferences to give yourself a bit of protection. Here’s an example of that via the Airport configuration panel:

Disable IPv6 in Aiport configuration

Apple should be fixing this in the next security update.

More info on the exploit: Secunia, InformationWeek, digit labs

Zero Day Exploit For QuickTime Flaw

InformationWeek is reporting that an Italian security researcher has posted a exploit for a zero-day vulnerability in QuickTime 7.3.1 that impacts both OS X and Windows versions of the software. This exploit will allow an attacker to execute malicious code on the target system.

The “researcher”, Luigi Auriemma, describes the exploit as being based on a flaw in QuickTime’s parsing of HTTP error messages and has not provided Apple with advance notice before publishing the proof-of-concept code. Symantec has confirmed that the flaw can produce a Denial of Service, but has not confirmed the remote code execution claim.
As of this post, Apple has not posted a fix to this issue, but here are some steps you can take to protect yourself (via US-CERT):

  • Uninstall QuickTime (OK, kinda extreme)
  • Block the rtsp:// protocol (given how much we love streaming media, not likely either)
  • Disable the RTSP protocol handler (reasonable, depending on your risk tolerance) Mac OS X users can disable the RTSP protocol handler by editing the ~/Library/Preferences/com.apple.LaunchServices.plist file with Property List Editor. Change the LSHandlerRoleAll value associated with the rtsp LSHanlderURLScheme to something other than com.apple.quicktimeplayer. This process can be simplified by using an application such as RCDefaultApp.
  • Disable QuickTime as the RTSP protocol handler on OS X (reasonable…you can pick RealPlayer as an alternative). To disable the RTSP registered protocol handler in OS X open ~/Library/Preferences/com.apple.LaunchServices.plist and look through ahundred or more entries to find RTSP and change it to something else.
  • Do not access QuickTime files from untrusted sources (duh). Attackers may host malicious QuickTime files on web sites. In order to convince users to visit their sites, those attackers often use a variety of techniques to create misleading links including URL encoding, IP address variations, long URLs, and intentional misspellings. Do not click on unsolicited links received in email, instant messages, web forums, or internet relay chat (IRC) channels. Type URLs directly into the browser to avoid these misleading links. While these are generally good security practices, following these behaviors will not prevent exploitation of this vulnerability in all cases, particularly if a trusted site has been compromised or allows cross-site scripting.
  •