Tuesday, March 10, 2015

CIA Hacked Apple Hardware and Software!
Including: Xcode Development Software, the OS X Updater, iPhone and iPad

--
This post is to draw attention to a report out today from The Gaurdian that the US CIA hacked together a corrupt version of Apple's XCode development software that allowed the insertion of surveillance backdoors into the resulting developed programs.

CIA 'tried to crack security of Apple devices'
Agency tried to create dummy version of development software that would allow it to insert surveillance back doors into apps
The modified version of Xcode would allow the CIA, NSA or other agencies to insert surveillance backdoors into any app created using the compromised development software. The revelation has already provoked a strong backlash among security researchers on Twitter and elsewhere, and is likely to prompt security audits among Apple developers.

The latest revelations of sustained hacking efforts against Apple devices are set to further strain already difficult relations between the technology company and the US government.

Apple had previously been a partner in the Prism programme, in effect a legal backdoor to obtain user information by the NSA and its allies, but in the wake of the Snowden revelations it has stepped up efforts to protect user privacy, including introducing end-to-end encryption on iMessages.

Tim Cook, the CEO of Apple, warned Barack Obama in public remarks this month that history had shown “sacrificing our right to privacy can have dire consequences”.
The original report of this situation was published on The Intercept website earlier today:

THE CIA CAMPAIGN TO STEAL APPLE’S SECRETS
BY JEREMY SCAHILL AND JOSH BEGLEY
RESEARCHERS WORKING with the Central Intelligence Agency have conducted a multi-year, sustained effort to break the security of Apple’s iPhones and iPads, according to top-secret documents obtained by The Intercept.

The security researchers presented their latest tactics and achievements at a secret annual gathering, called the “Jamboree,” where attendees discussed strategies for exploiting security flaws in household and commercial electronics. The conferences have spanned nearly a decade, with the first CIA-sponsored meeting taking place a year before the first iPhone was released.
By targeting essential security keys used to encrypt data stored on Apple’s devices, the researchers have sought to thwart the company’s attempts to provide mobile security to hundreds of millions of Apple customers across the globe. Studying both “physical” and “non-invasive” techniques, U.S. government-sponsored research has been aimed at discovering ways to decrypt and ultimately penetrate Apple’s encrypted firmware. This could enable spies to plant malicious code on Apple devices and seek out potential vulnerabilities in other parts of the iPhone and iPad currently masked by encryption.
. . . .
The security researchers also claimed they had created a modified version of Apple’s proprietary software development tool, Xcode, which could sneak surveillance backdoors into any apps or programs created using the tool. Xcode, which is distributed by Apple to hundreds of thousands of developers, is used to create apps that are sold through Apple’s App Store.

The modified version of Xcode, the researchers claimed, could enable spies to steal passwords and grab messages on infected devices. Researchers also claimed the modified Xcode could “force all iOS applications to send embedded data to a listening post.” It remains unclear how intelligence agencies would get developers to use the poisoned version of Xcode.

Researchers also claimed they had successfully modified the OS X updater, a program used to deliver updates to laptop and desktop computers, to install a “keylogger.”
[All bolding above is mine, added for the emphasis of key information.]

The depth of success of the CIA's Apple gear hacking strategies is unclear. But it is evident that a corrupt version of Xcode was successfully created with the intention of distributing it to unsuspecting software developers. Presumably, back-doored Mac and iOS software resulting from the use of this corrupt version of Xcode exist in the wild. No doubt there will now be efforts to determine exactly what software is affected.

Me Stuff

My point of view regarding the incessant hacking of computer technology by the US CIA, NSA, etc. is mixed. 

We already know that the CIA and NSA have illegally spied on US citizens on US soil without a legal warrant or justified cause specified in the Fourth Amendment to the US Constitution. All such acts must be prosecuted, without question. It makes no difference if the resulting impeachments reach the top of the executive office or US Congress. These are treasonous crimes. Trials for treason are required.

The legality of secretly damaging/hacking copyrighted and patented software for the purpose of surveillance is out of the scope of my knowledge. However, I find it difficult to imagine these acts could be found to be legally justified.

Whether these acts have been and continue to be in pursuit of the protection and defense of US citizens remains significantly unanswered. There has been to this point extremely little publicly released data that indicates these efforts by the US CIA, NSA, etc. have resulted in useful information. We may never know. We're stuck having to hear statements asserting that governmental hacking has been useful and important from the mouths of proven liars such as James R. Clapper, the current US Director of National Intelligence. I've heard retired General Clapper speak publicly. He appears to be an intelligent, serious and earnest defender of US citizens. And yet he is guilty of knowingly lying under oath to the US Congress. He is also a vehement critic of whistle-blower and patriot Edward Snowden. With such people representing US intelligence strategies, clearly the credibility of the ongoing damaging/hacking of computer technology is extremely dubious. That's shameful. 

All US citizens of course would like to believe their government behaves legally in their best interests, instead of against them. We are left instead with a government that has severely damaged its credibility. New information further damaging that credibility continues to be published on a consistent basis. No evidence of reform of US intelligence gathering agencies or their methods has been forthcoming. The phrase 'hell bent' comes to my mind. I'm not interested in 'hell' anything. I personally demand that my government be 100% accountable to, loyal to and in the defense of its citizens at all times within the framework of the US Constitution and laws. 

If the US intelligence agencies can work within their mandatory legal framework, then I support them. If not, then I want those responsible tried and punished for their crimes against US citizens, We The People, even if that includes impeachment of the current and past Presidents of the USA. 

I've stated my views regarding government surveillance crimes in public on many occasions. My statements here are nothing new to those concerned and I am glad to report that there have been thus far no obvious repercussions. I wish and hope that every US citizen speaks up against illegal government surveillance of US citizens on US soil. If we don't, the obvious consequence is a totalitarian police state, as history has consistently proven. That would be a very bad and criminal thing.
--

Coming up: Coverage of Apple's security updates for March! I'm impressed.
--

Wednesday, March 4, 2015

Java Installs Adware With Plugin,
Part Of Growing Mac Adware Attacks

--

Sadly, like a lot of customer adverse companies, Oracle is now packing adware with its Java plugin installer. Beware!

My colleague Thomas Reed caught up with the situation and has done some testing to see what's going on. I recommend reading his 'The Safe Mac' article found here:

Java now installing adware
Despite the fragility of the adware install process, this is still going to be a problem for many people installing Java. Oracle should be ashamed of themselves! Since Java has repeatedly posed security problems in the past, and Oracle has now shown a willingness to infect their own users with adware, I strongly recommend avoiding Java if at all possible. For those who must have Java, Trouton has posted information in his Der Flounder article on how to run the Java installer only, found inside the adware-riddled Java 8 Update 40 application, which should install Java without the toolbar. 
For those affected by this Ask Toolbar, I have added detection of the Ask browser extensions and support files to my AdwareMedic app and my Adware Removal Guide. And thanks to Rich Trouton for bringing attention to this issue!
Rich Trouton's article on the Java adware problem can be found here:

Oracle’s Java 8 Update 40 – The Good, the Bad and the Ugly
You will be prompted to set Ask.com as your browser homepage, with the choice to do so checked off by default. If left checked, Safari’s homepage will be set with a search.ask.com URL and a Safari extension will be used to install an Ask.com toolbar.


Thomas Reed found that the Java installer will install a corresponding plugin depending upon which web browser you have set as your default. With regards to Safari, he found that it also had to be running at the time for the adware installer to work, if it worked at all.

Needless to say, DON'T fall for the adware installation! You don't want that crap on your Mac. If you do get skewered, grab a copy of Thomas' free/donationware Adware Medic and get rid of it.


ATTACK OF THE ADWARE!

The Windows community has been getting hammered with adware for many years. Now the adware rats have caught up with the Mac community and are infesting the stuff into everything possible. I wrote an article last year, over at MacSmarticles, about the ruination of VersionTracker after CNET/CBS made it just as bad as the rest of their Downloads.CNET.com website. It is now nearly impossible to download anything from the CNET site without having adware foisted at you by its installers. The same thing is going on at just about every other downloads website. I gladly point out that MacUpdate.com is an exception as well as MajorGeeks.com. These are the only two download websites I trust at this point in time.

Recently, the computer manufacturer Lenovo has been slammed by the computer community for infesting their computers with crapware that included a diabolical adware program called Superfish. The adware was built on a code foundation provided by the company Komodia. Their awful software features:

- Faked security certificates used to allow the software to spy on your SSL/TLS, HTTPS connections over the Internet.
- A private encryption key that is protected by the password "komodia". That password doesn't just work in Superfish, but in ALL Komodia software that makes use of spying on HTTPS web streams. The number of affected applications is expected to be near 100.

It has also been discovered that other programs pull the same security trickery:

EFF unearths evidence of possible Superfish-style attacks in the wild
Crypto-busting apps may have been exploited against visitors of Google and dozens more.
by Dan Goodin

One such program is PrivDog, provided by Internet security certificate provider Comodo Group, who have already suffered scandal by releasing nine fraudulent certificates faking themselves to be the likes of Google, Yahoo, Skype and Windows Live. This gives Comodo two black eyes.

Then add to this situation the fact that at least two anti-malware applications have been found to perform the same faked security certificate trick as a method for catching malware being downloaded to your computer. They are provided as 'deep inspection' features of their software, which I obviously suggest you TURN OFF. Those two anti-malware programs are Malwarebytes and Avast. I found out about Malwarebytes via word-of-mouth and am waiting for solid verification.

No doubt, other such questionable software, crapware and adware will be uncovered in the coming months and some of it will run on Macs.


The message: 
Be Careful What You Install.

--

Monday, February 2, 2015

CRITICAL Adobe Flash FAIL Yet-Again:
Third Zero-Day Attack ITW In Three Weeks

--

[UPDATE 3: Adobe's patched version of Flash Player, v16.0.0.305, is now universally available. I added the link and summary text of their relevant security document below. Apple also updated XProtect to prevent use of earlier, vulnerable versions of Flash Player. Thank you Apple! 

And there is peace again across our land for at least this day. But the wary eye remains ever vigilant.

Update 2: Adobe Flash Player v16.0.0.305 is now available directly from Adobe's website:

https://get.adobe.com/flashplayer/

Please download and install now in order to avoid the ongoing exploit of previous versions of Flash.

Update 1: Adobe updated their related security statement on Wednesday:

(February 4): Users who have enabled auto-update for the Flash Player desktop runtime will be receiving version 16.0.0.305 beginning on February 4. This version includes a fix for CVE-2015-0313. Adobe expects to have an update available for manual download on February 5, and we are working with our distribution partners to make the update available in Google Chrome and Internet Explorer 10 and 11.
]

~ ~ ~ ~ ~


There is an exploit of older versions of Adobe Flash Player active in-the-wild (ITW). Adobe has now provided Flash Player version v16.0.0.305 at its website, as noted in the updates above. P
lease download and install the update ASAP! 

My pal and collaborator Al V notes that Apple has updated their XProtect system in OS X to disable exploited/vulnerable versions of Flash Player, those being earlier than 16.0.0.305 and 13.0.0.269.


• Here is Adobe's full security bulletin about the zero-day and update:

https://helpx.adobe.com/security/products/flash-player/apsb15-04.html
Summary

Adobe has released security updates for Adobe Flash Player for Windows, Macintosh and Linux.  These updates address vulnerabilities that could potentially allow an attacker to take control of the affected system.  

Adobe is aware of reports that CVE-2015-0313 is actively being exploited in the wild via drive-by-download attacks against systems running Internet Explorer and Firefox on Windows 8.1 and below.  Adobe recommends users update their product installations to the latest versions: 

Users of the Adobe Flash Player desktop runtime for Windows and Macintosh should update to Adobe Flash Player 16.0.0.305

Users of the Adobe Flash Player Extended Support Release should update to Adobe Flash Player 13.0.0.269. 

Users of Adobe Flash Player for Linux should update to Adobe Flash Player 11.2.202.442. 

Adobe Flash Player installed with Google Chrome, as well as Internet Explorer on Windows 8.x, will automatically update to version 16.0.0.305.
• Here is Adobe's earlier alert about the zero-day exploit:

https://helpx.adobe.com/security/products/flash-player/apsa15-02.html
Summary

A critical vulnerability (CVE-2015-0313) exists in Adobe Flash Player 16.0.0.296 and earlier versions for Windows and Macintosh.  Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system.  We are aware of reports that this vulnerability is being actively exploited in the wild via drive-by-download attacks against systems running Internet Explorer and Firefox on Windows 8.1 and below.

Adobe expects to release an update for Flash Player during the week of February 2.
A relevant article on the attack over at Forbes:

Hackers Abuse Another Adobe Zero-Day To Attack Thousands Of Web Users
Visitors to any affected site would have been redirected to an attacker-controlled page where an exploit kit would attempt to compromise the target system by targeting the Adobe Flash zero-day.
My brief advice:

Have a Flash blocking add-on in ALL your web browsers. ALL.

Safari has it's own Flash blocking system which you can reach in its Preferences here:

1) Preferenced: Security: Manage Website Settings... (button):

2) On the left of the pane, choose 'Adobe Flash Player'.

3) On the resulting right side:

- a) REMOVE all 'Configured Websites' using the minus (-) button.

- b) Set 'When visiting other websites' to 'Block' using the popup menu.

This setting forces Safari to put up a 'blocked' notice. You can then click that notice to approve each individual website you visit. Just remember that at this point some very prominent, usually safe websites are being compromised with this zero-day. Be extremely careful what you unblock.

OR: Just UNINSTALL nasty Flash. POS.


--

ADDENDUM:

Snarky The Register posted a fun and poignant article on the subject:

According to Trend Micro, the Angler exploit kit was updated to leverage this particular flaw, and used to inject malware into PCs visiting web video site dailymotion.com via a dodgy ad network. 
Web browsers were told to fetch retilio.com/skillt.swf, which was booby-trapped to exploit the zero-day security hole. 
"So far we’ve seen around 3,294 hits related to the exploit, and with an attack already seen in the wild, it’s likely there are other attacks leveraging this zero-day, posing a great risk of system compromise to unprotected systems," said Peter Pi, threats analyst at Trend. . . .
The worst, very worst, part of it all is that Steve Jobs was right. ® 
(^_^)

Tuesday, January 27, 2015

OS X 10.10.2 Yosemite, Safari Updates and
Security Update 2015-001 From Apple:
58 New Security Patches

--

[Update: The link to Apple's security document for 10.10.2 & 2015-001 has be added below.]

Apple has released the latest OS X update to OS X 10.10.2 Yosemite as well as Security Update 2015-001. Included with these updates are new updates of Safari with its own security patches. There is a total of 58 new security patches. You can obtain the updates via the Updates tab in the App Store application or eventually at:

http://www.apple.com/support/downloads/


Below, I have provided the full Apple security documents for 10.10.2, Security Update 2015-001 and Safari. You can also access them at Apple's website:


The security content document for OS X 10.10.2 Yosemite as well as Security Update 2015-001 can be found at:

http://support.apple.com/en-us/HT204244

The security content document for Safari 8.0.3, 7.1.3 and 6.2.3 is available at:


https://support.apple.com/kb/HT204243


I've highlighted at the CVE numbers in Apple's OS X 10.10.2 security document. (CVE = Common Vulnerabilities and Exposures). If you'd like more information about any of the CVEs, use the link on the right of this page marked 'CVE Search'. It will take you to the search page at Mitre.org. If you can't find a specific CVE there or the CVE has no description, it is because the developer of the affected software has requested that the CVE information not yet be made public.


~ ~ ~ ~ ~

APPLE-SA-2015-01-27-4 
OS X 10.10.2 and Security Update 2015-001

OS X 10.10.2 and Security Update 2015-001 are now available and address the following:

AFP Server
Available for:  OS X Mavericks v10.9.5
Impact:  A remote attacker may be able to determine all the network addresses of the system
Description:  The AFP file server supported a command which returned all the network addresses of the system. This issue was addressed by removing the addresses from the result.
CVE-ID
CVE-2014-4426 : Craig Young of Tripwire VERT

bash
Available for:  OS X Yosemite v10.10 and v10.10.1 
Impact:  Multiple vulnerabilities in bash, including one that may allow local attackers to execute arbitrary code 
Description:  Multiple vulnerabilities existed in bash. These issues were addressed by updating bash to patch level 57. 
CVE-ID
CVE-2014-6277
CVE-2014-7186
CVE-2014-7187

Bluetooth
Available for:  OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5 
Impact:  A malicious application may be able to execute arbitrary code with system privileges
Description:  An integer signedness error existed in IOBluetoothFamily which allowed manipulation of kernel memory. This issue was addressed through improved bounds checking. This issue does not affect OS X Yosemite systems.
CVE-ID
CVE-2014-4497

Bluetooth
Available for:  OS X Yosemite v10.10 and v10.10.1 
Impact:  A malicious application may be able to execute arbitrary code with system privileges
Description:  An error existed in the Bluetooth driver that allowed a malicious application to control the size of a write to kernel memory. The issue was addressed through additional input validation. 
CVE-ID
CVE-2014-8836 : Ian Beer of Google Project Zero

Bluetooth
Available for:  OS X Yosemite v10.10 and v10.10.1 
Impact:  A malicious application may be able to execute arbitrary code with system privileges
Description:  Multiple security issues existed in the Bluetooth driver, allowing a malicious application to execute arbitrary code with system privilege. The issues were addressed through additional input validation.
CVE-ID
CVE-2014-8837 : Roberto Paleari and Aristide Fattori of Emaze Networks

CFNetwork Cache
Available for:  OS X Yosemite v10.10 and v10.10.1 
Impact:  Website cache may not be fully cleared after leaving private browsing
Description:  A privacy issue existed where browsing data could remain in the cache after leaving private browsing. This issue was addressed through a change in caching behavior. CVE-ID
CVE-2014-4460

CoreGraphics
Available for:  OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1
Impact:  Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution 
Description:  An integer overflow existed in the handling of PDF files. This issue was addressed through improved bounds checking. 
CVE-ID
CVE-2014-4481 : Felipe Andres Manzano of the Binamuse VRT, via the iSIGHT Partners GVP Program

CPU Software
Available for:  OS X Yosemite v10.10 and v10.10.1, for: MacBook Pro Retina, MacBook Air (Mid 2013 and later), iMac (Late 2013 and later), Mac Pro (Late 2013) 
Impact:  A malicious Thunderbolt device may be able to affect firmware flashing
Description:  Thunderbolt devices could modify the host firmware if connected during an EFI update. This issue was addressed by not loading option ROMs during updates.
CVE-ID
CVE-2014-4498 : Trammell Hudson of Two Sigma Investments

CommerceKit Framework
Available for:  OS X Yosemite v10.10 and v10.10.1 
Impact:  An attacker with access to a system may be able to recover Apple ID credentials
Description:  An issue existed in the handling of App Store logs. The App Store process could log Apple ID credentials in the log when additional logging was enabled. This issue was addressed by disallowing logging of credentials.
CVE-ID
CVE-2014-4499 : Sten Petersen

CoreGraphics
Available for:  OS X Yosemite v10.10 and v10.10.1 
Impact:  Some third-party applications with non-secure text entry and mouse events may log those events
Description:  Due to the combination of an uninitialized variable and an application's custom allocator, non-secure text entry and mouse events may have been logged. This issue was addressed by ensuring that logging is off by default. This issue did not affect systems prior to OS X Yosemite.
CVE-ID
CVE-2014-1595 : Steven Michaud of Mozilla working with Kent Howard

CoreGraphics
Available for:  OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5 
Impact:  Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution 
Description:  A memory corruption issue existed in the handling of PDF files. The issue was addressed through improved bounds checking. This issue does not affect OS X Yosemite systems. 
CVE-ID
CVE-2014-8816 : Mike Myers, of Digital Operatives LLC

CoreSymbolication
Available for:  OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1
Impact:  A malicious application may be able to execute arbitrary code with system privileges
Description:  Multiple type confusion issues existed in coresymbolicationd's handling of XPC messages. These issues were addressed through improved type checking. 
CVE-ID
CVE-2014-8817 : Ian Beer of Google Project Zero

FontParser
Available for:  OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1
Impact:  Processing a maliciously crafted .dfont file may lead to an unexpected application termination or arbitrary code execution 
Description:  A memory corruption issue existed in the handling of .dfont files. This issue was addressed through improved bounds checking.
CVE-ID
CVE-2014-4484 : Gaurav Baruah working with HP's Zero Day Initiative

FontParser
Available for:  OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1
Impact:  Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution 
Description:  A buffer overflow existed in the handling of font files. This issue was addressed through improved bounds checking. 
CVE-ID
CVE-2014-4483 : Apple

Foundation
Available for:  OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1
Impact:  Viewing a maliciously crafted XML file may lead to an unexpected application termination or arbitrary code execution 
Description:  A buffer overflow existed in the XML parser. This issue was addressed through improved bounds checking. 
CVE-ID
CVE-2014-4485 : Apple

Intel Graphics Driver
Available for:  OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1
Impact:  Multiple vulnerabilities in Intel graphics driver 
Description:  Multiple vulnerabilities existed in the Intel graphics driver, the most serious of which may have led to arbitrary code execution with system privileges. This update addresses the issues through additional bounds checks.
CVE-ID
CVE-2014-8819 : Ian Beer of Google Project Zero CVE-2014-8820 : Ian Beer of Google Project Zero 
CVE-2014-8821 : Ian Beer of Google Project Zero

IOAcceleratorFamily
Available for:  OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1
Impact:  A malicious application may be able to execute arbitrary code with system privileges
Description:  A null pointer dereference existed in IOAcceleratorFamily's handling of certain IOService userclient types. This issue was addressed through improved validation of IOAcceleratorFamily contexts.
CVE-ID
CVE-2014-4486 : Ian Beer of Google Project Zero

IOHIDFamily
Available for:  OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1
Impact:  A malicious application may be able to execute arbitrary code with system privileges
Description:  A buffer overflow existed in IOHIDFamily. This issue was addressed with improved bounds checking. 
CVE-ID
CVE-2014-4487 : TaiG Jailbreak Team

IOHIDFamily
Available for:  OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1
Impact:  A malicious application may be able to execute arbitrary code with system privileges
Description:  A validation issue existed in IOHIDFamily's handling of resource queue metadata. This issue was addressed through improved validation of metadata.
CVE-ID
CVE-2014-4488 : Apple

IOHIDFamily
Available for:  OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1
Impact:  A malicious application may be able to execute arbitrary code with system privileges
Description:  A null pointer dereference existed in IOHIDFamily's handling of event queues. This issue was addressed through improved validation of IOHIDFamily event queue initialization. 
CVE-ID
CVE-2014-4489 : @beist

IOHIDFamily
Available for:  OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1
Impact:  Executing a malicious application may result in arbitrary code execution within the kernel
Description:  A bounds checking issue existed in a user client vended by the IOHIDFamily driver which allowed a malicious application to overwrite arbitrary portions of the kernel address space. The issue is addressed by removing the vulnerable user client method. 
CVE-ID
CVE-2014-8822 : Vitaliy Toropov working with HP's Zero Day Initiative

IOKit
Available for:  OS X Yosemite v10.10 and v10.10.1 
Impact:  A malicious application may be able to execute arbitrary code with system privileges
Description:  An integer overflow existed in the handling of IOKit functions. This issue was addressed through improved validation of IOKit API arguments.
CVE-ID
CVE-2014-4389 : Ian Beer of Google Project Zero

IOUSBFamily
Available for:  OS X Yosemite v10.10 and v10.10.1 
Impact:  A privileged application may be able to read arbitrary data from kernel memory
Description:  A memory access issue existed in the handling of IOUSB controller user client functions. This issue was addressed through improved argument validation.
CVE-ID
CVE-2014-8823 : Ian Beer of Google Project Zero

Kernel
Available for:  OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1
Impact:  A malicious application may be able to execute arbitrary code with system privileges
Description:  Specifying a custom cache mode allowed writing to kernel read-only shared memory segments. This issue was addressed by not granting write permissions as a side-effect of some custom cache modes.
CVE-ID
CVE-2014-4495 : Ian Beer of Google Project Zero

Kernel
Available for:  OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1
Impact:  A malicious application may be able to execute arbitrary code with system privileges
Description:  A validation issue existed in the handling of certain metadata fields of IODataQueue objects. This issue was addressed through improved validation of metadata. CVE-ID
CVE-2014-8824 : @PanguTeam

Kernel
Available for:  OS X Yosemite v10.10 and v10.10.1 
Impact:  A local attacker can spoof directory service responses to the kernel, elevate privileges, or gain kernel execution Description:  Issues existed in identitysvc validation of the directory service resolving process, flag handling, and error handling. This issue was addressed through improved validation. 
CVE-ID
CVE-2014-8825 : Alex Radocea of CrowdStrike

Kernel
Available for:  OS X Yosemite v10.10 and v10.10.1 
Impact:  A local user may be able to determine kernel memory layout 
Description:  Multiple uninitialized memory issues existed in the network statistics interface, which led to the disclosure of kernel memory content. This issue was addressed through additional memory initialization.
CVE-ID
CVE-2014-4371 : Fermin J. Serna of the Google Security Team 
CVE-2014-4419 : Fermin J. Serna of the Google Security Team 
CVE-2014-4420 : Fermin J. Serna of the Google Security Team 
CVE-2014-4421 : Fermin J. Serna of the Google Security Team

Kernel
Available for:  OS X Mavericks v10.9.5
Impact:  A person with a privileged network position may cause a denial of service
Description:  A race condition issue existed in the handling of IPv6 packets. This issue was addressed through improved lock state checking.
CVE-ID
CVE-2011-2391

Kernel
Available for:  OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1
Impact:  Maliciously crafted or compromised applications may be able to determine addresses in the kernel
Description:  An information disclosure issue existed in the handling of APIs related to kernel extensions. Responses containing an OSBundleMachOHeaders key may have included kernel addresses, which may aid in bypassing address space layout randomization protection. This issue was addressed by unsliding the addresses before returning them.
CVE-ID
CVE-2014-4491 : @PanguTeam, Stefan Esser

Kernel
Available for:  OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1
Impact:  A malicious application may be able to execute arbitrary code with system privileges
Description:  A validation issue existed in the handling of certain metadata fields of IOSharedDataQueue objects. This issue was addressed through relocation of the metadata. CVE-ID
CVE-2014-4461 : @PanguTeam

LaunchServices
Available for:  OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1
Impact:  A malicious JAR file may bypass Gatekeeper checks 
Description:  An issue existed in the handling of application launches which allowed certain malicious JAR files to bypass Gatekeeper checks. This issue was addressed through improved handling of file type metadata.
CVE-ID
CVE-2014-8826 : Hernan Ochoa of Amplia Security

libnetcore
Available for:  OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1
Impact:  A malicious, sandboxed app can compromise the networkd daemon
Description:  Multiple type confusion issues existed in networkd's handling of interprocess communication. By sending networkd a maliciously formatted message, it may have been possible to execute arbitrary code as the networkd process. The issue is addressed through additional type checking.
CVE-ID
CVE-2014-4492 : Ian Beer of Google Project Zero

LoginWindow
Available for:  OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1
Impact:  A Mac may not lock immediately upon wake 
Description:  An issue existed in the rendering of the lock screen. This issue was address through improved screen rendering while locked.
CVE-ID
CVE-2014-8827 : Xavier Bertels of Mono, and multiple OS X seed testers

lukemftp
Available for:  OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1
Impact:  Using the command line ftp tool to fetch files from a malicious http server may lead to arbitrary code execution 
Description:  A command injection issue existed in the handling of HTTP redirects. This issue was addressed through improved validation of special characters.
CVE-ID
CVE-2014-8517

OpenSSL
Available for:  OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1
Impact:  Multiple vulnerabilities in OpenSSL 0.9.8za, including one that may allow an attacker to downgrade connections to use weaker cipher-suites in applications using the library 
Description:  Multiple vulnerabilities existed in OpenSSL 0.9.8za. These issues were addressed by updating OpenSSL to version 0.9.8zc. 
CVE-ID
CVE-2014-3566
CVE-2014-3567
CVE-2014-3568

Sandbox
Available for:  OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5 
Impact:  A sandboxed process may be able to circumvent sandbox restrictions
Description:  A design issue existed in the caching of sandbox profiles which allowed sandboxed applications to gain write access to the cache. This issue was addressed by restricting write access to paths containing a "com.apple.sandbox" segment. This issue does not affect OS X Yosemite v10.10 or later. 
CVE-ID
CVE-2014-8828 : Apple

SceneKit
Available for:  OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5 
Impact:  A malicious application could execute arbitrary code leading to compromise of user information
Description:  Multiple out of bounds write issues existed in SceneKit. These issues were addressed through improved bounds checking.
CVE-ID
CVE-2014-8829 : Jose Duart of the Google Security Team

SceneKit
Available for:  OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1
Impact:  Viewing a maliciously crafted Collada file may lead to an unexpected application termination or arbitrary code execution 
Description:  A heap buffer overflow existed in SceneKit's handling of Collada files. Viewing a maliciously crafted Collada file may have led to an unexpected application termination or arbitrary code execution. This issue was addressed through improved validation of accessor elements.
CVE-ID
CVE-2014-8830 : Jose Duart of Google Security Team

Security
Available for:  OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1
Impact:  A downloaded application signed with a revoked Developer ID certificate may pass Gatekeeper checks
Description:  An issue existed with how cached application certificate information was evaluated. This issue was addressed with cache logic improvements.
CVE-ID
CVE-2014-8838 : Apple

security_taskgate
Available for:  OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1
Impact:  An app may access keychain items belonging to other apps 
Description:  An access control issue existed in the Keychain. Applications signed with self-signed or Developer ID certificates could access keychain items whose access control lists were based on keychain groups. This issue was addressed by validating the signing identity when granting access to keychain groups. 
CVE-ID
CVE-2014-8831 : Apple

Spotlight
Available for:  OS X Yosemite v10.10 and v10.10.1 
Impact:  The sender of an email could determine the IP address of the recipient
Description:  Spotlight did not check the status of Mail's "Load remote content in messages" setting. This issue was addressed by improving configuration checking.
CVE-ID
CVE-2014-8839 : John Whitehead of The New York Times, Frode Moe of LastFriday.no

Spotlight
Available for:  OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1
Impact:  Spotlight may save unexpected information to an external hard drive
Description:  An issue existed in Spotlight where memory contents may have been written to external hard drives when indexing. This issue was addressed with better memory management. 
CVE-ID
CVE-2014-8832 : F-Secure

SpotlightIndex
Available for:  OS X Yosemite v10.10 and v10.10.1 
Impact:  Spotlight may display results for files not belonging to the user
Description:  A deserialization issue existed in Spotlight's handling of permission caches. A user performing a Spotlight query may have been shown search results referencing files for which they don't have sufficient privileges to read. This issue was addressed with improved bounds checking.
CVE-ID
CVE-2014-8833 : David J Peacock, Independent Technology Consultant

sysmond
Available for:  OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1
Impact:  A malicious application may be able to execute arbitrary code with root privileges
Description:  A type confusion vulnerability existed in sysmond that allowed a local application to escalate privileges. The issue was addressed with improved type checking.
CVE-ID
CVE-2014-8835 : Ian Beer of Google Project Zero

UserAccountUpdater
Available for:  OS X Yosemite v10.10 and v10.10.1 
Impact:  Printing-related preference files may contain sensitive information about PDF documents
Description:  OS X Yosemite v10.10 addressed an issue in the handling of password-protected PDF files created from the Print dialog where passwords may have been included in printing preference files. This update removes such extraneous information that may have been present in printing preference files.
CVE-ID
CVE-2014-8834 : Apple

Note: OS X Yosemite 10.10.2 includes the security content of Safari 8.0.3. For further details see https://support.apple.com/kb/HT204243

OS X Yosemite 10.10.2 and Security Update 2015-001 may be obtained from the Mac App Store or Apple's Software Downloads web site: http://www.apple.com/support/downloads/

Information will also be posted to the Apple Security Updates web site: http://support.apple.com/kb/HT1222

~ ~ ~ ~ ~

About the security content of Safari 8.0.3, Safari 7.1.3, and Safari 6.2.3

This document describes the security content of Safari 8.0.3, Safari 7.1.3, and Safari 6.2.3. 

Safari 8.0.3, Safari 7.1.3, and Safari 6.2.3

WebKit
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10.1
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in WebKit. These issues were addressed through improved memory handling.
CVE-ID
CVE-2014-3192 : cloudfuzzer
CVE-2014-4476 : Apple
CVE-2014-4477 : lokihardt@ASRT working with HP’s Zero Day Initiative
CVE-2014-4479 : Apple




--




Sunday, January 25, 2015

Adobe Flash Player v16.0.0.296 Critical Update!
Plus: How to update Flash via System Preferences

--

The THIRD version of the Adobe Flash Player plug-in within two weeks is now available. It is critical to UPDATE NOW.


Today's current version of Flash Player plug-in is:


v16.0.0.296


All other versions are being exploited in the wild. Get rid of them now. Or just get rid of Flash altogether.

Adobe's Security Bulletin regarding this update is here:

http://helpx.adobe.com/security/products/flash-player/apsa15-01.html
UPDATE (January 24): Users who have enabled auto-update for the Flash Player desktop runtime will be receiving version 16.0.0.296 beginning on January 24. This version includes a fix for CVE-2015-0311. Adobe expects to have an update available for manual download during the week of January 26, and we are working with our distribution partners to make the update available in Google Chrome and Internet Explorer 10 and 11.
~ ~ ~ ~ ~

Adobe is initially pushing out this Critical update via it's Flash Player preferences pane. (Gawd knows why. I consider it laziness). Therefore, here are:

Instructions For Updating Flash Via System Preferences

1) Open System Preferences... under the Apple menu.

2) In the lowest area of System Preferences, find the 'Flash Player' preferences icon and click it. (If you don't have the Flash Player preference pane installed, you either have an ancient version of Flash Player installed or you don't have it installed at all, good for you).

3) In the resulting Flash Player preferences pane, click the 'Advanced' tab.

4) Look down the pane to the 'Updates' area.

5) Click on 'Check Now'.

This will trigger looking for the latest version of Flash Player for OS X. If you need to update, the download and installation process will start. You'll need to close your web browsers for the installation to complete. You can open them again after.

~ ~ ~ ~ ~

Following the instructions above, at least as of today, you should see this:



Note the listed version of the Flash Player plug-in. 16.0.0.296. Further updates will show newer version numbers.

(You may wish to change the radio button from 'Allow Adobe to install updates (recommended)' to 'Notify me to install updates'. I personally choose the second option because the first option requires Adobe's annoying launch daemon to be running 24/7).

BTW: NPAPI and PPAPI are competing Internet plug-in standards. Google created PPAPI and use it in the Chromium web browsers, including Opera. No other web browsers bother with it. Everyone else uses the NPAPI standard. You can ignore 'PPAPI Plug-in is not installed.'

~ ~ ~ ~ ~

Are you sick of Adobe Flash Player security rubbish going on and on as if forever? Tell Adobe about it:

Contact | Adobe

Click 'Contact Customer Care'.
Click 'Adobe Flash Player'
Click 'How-to's and troubleshooting'
Click 'Still need help? Contact us.'
This forces you to go to the Adobe Flash Player Forum.

OR go directly to the Flash Player forum:

https://forums.adobe.com/community/flashplayer/using_flashplayer

Check if a topic specific to Flash Player security hell has already been started. If not, start your own.

OR choose an Adobe office near you and call them:

http://www.adobe.com/company/contact/offices.html

--
Thank you, as always, to my Mac security friend Al V for his help!
--