Sunday, February 4, 2018

Active Adobe Flash Zero-Day Exploit


Same old story. Don't Use Flash v28.0.0.137 (or earlier) until Adobe provides an update! The update should be out this coming week. Keep an eye out.

The currently known attack vector for CVE-2018-4878 is a malicious Microsoft Excel document with an embedded Flash object. Opening the document triggers the exploit, which installs ROKRAT, a Remote Administration Tool capable of taking over the infected computer. At this time the attack is assumed to originate in North Korea and is primarily targeting South Korea.

Adobe's Security Advisory:
A critical vulnerability (CVE-2018-4878) exists in Adobe Flash Player 28.0.0.137 and earlier versions. Successful exploitation could potentially allow an attacker to take control of the affected system.

Adobe is aware of a report that an exploit for CVE-2018-4878 exists in the wild, and is being used in limited, targeted attacks against Windows users. These attacks leverage Office documents with embedded malicious Flash content distributed via email.

Adobe will address this vulnerability in a release planned for the week of February 5.
More about the exploit from Dan Goodin at Ars Technica:

An Adobe Flash 0day is being actively exploited in the wild
Adobe plans to have a fix for the critical flaw next week.
... While the number of in-the-wild attacks exploiting Flash zerodays has dropped significantly over the past year or two, the risk posed by the Adobe media player remains unacceptably high relative to the benefit it provides most users. And now that word of the vulnerability is circulating, it wouldn't be surprising for other groups to use it against a much wider audience.
[Note that Ars Technica quotes the CVE as "2018-4877" rather than 2018-4878. I consider '2018-4877' to be a typo. Sadly, as usual, Dan's article is being quoted verbatim around the Internet along with the wrong CVE number. Stick with CVE-2018-4878, the CVE identified by Adobe. Because reserved CVE entries are kept private until after the zero-day has been patched, it's impossible to tell right now what, if anything, distinguishes these two CVE numbers. Meanwhile, the NIST (National Institute of Standards and Technology) CVE database doesn't yet list either number. Bureaucracy at work. Zzzz.]


Don't use Microsoft Excel
Don't use Adobe Flash



Tuesday, July 25, 2017

Adobe Flash Marked For Death
At The Stroke of Midnight
December 31, 2020


Adobe will be assassinating the pestilence that is Flash at the end of 2020. They've posted the hit contract here:

Adobe has long played a leadership role in advancing interactivity and creative content – from video, to games and more – on the web. Where we’ve seen a need to push content and interactivity forward, we’ve innovated to meet those needs. Where a format didn’t exist, we invented one – such as with Flash and Shockwave.
No, actually: Adobe bought both Flash and Shockwave along with Macromedia in 2005.
And over time, as the web evolved, these new formats were adopted by the community, in some cases formed the basis for open standards, and became an essential part of the web. . . .
Given this progress, and in collaboration with several of our technology partners – including Apple, Facebook, Google, Microsoft and Mozilla – Adobe is planning to end-of-life Flash. Specifically, we will stop updating and distributing the Flash Player at the end of 2020 and encourage content creators to migrate any existing Flash content to these new open formats. . . .
Looking ahead, Adobe will continue to . . .
...Yeah, yeah.

We now have (as of today) another 3.4 years of Flash & Shockwave insecurity to endure. And afterward, there will of course be those who cling to Flash as an orphaned rat still suckles...

Remember, if you must use Flash, be certain to keep it Up-To-Date! Else peril awaits like a ravenous zombie shackled with rusting chains...

Party at my place, New Year's Eve 2021.

Who wants to set up a web timer?

Monday, June 19, 2017

Stack Clash:
A UNIX Security bug likely to affect macOS


I'm posting this information as a warning to those running macOS as a server. The 'Stack Clash' security bug is likely to affect macOS because macOS is a certified UNIX built on BSD, and the bug class is a property of how UNIX-like systems lay out memory rather than of any one kernel: a process's stack grows until it collides with another memory region, hopping over the guard page meant to keep them apart, and that collision can be turned into privilege escalation.

Apple has been notified and no doubt will examine the situation and provide a patch ASAP if required. (Likely required).

For now, have a read of this article by Dan Goodin over at Ars Technica.

Serious privilege escalation bug in Unix OSes imperils servers everywhere
“Stack Clash” poses threat to Linux, FreeBSD, OpenBSD, and other OSes.
Anyone running a Unix-based OS should check with the developer immediately to find out if a patch or security advisory is available. The best bet is to install a patch if one is available or, as a temporary workaround, set the hard RLIMIT_STACK and RLIMIT_AS of local users and remote services to a low value.
The Stack Clash security bug is listed as CVE-2017-1000364.

This isn't a PaNiC situation. But it's important to be aware that this bug is likely to affect macOS.
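The RLIMIT workaround quoted above can be applied to a single service without touching the whole system. The wrapper below is an added example of mine, not code from Qualys, Ars Technica or Apple; the limit values are illustrative, and the lowered limits apply only to the child process and whatever it spawns.

```python
"""Added example (not from the original post, Qualys or Ars Technica): launch a
service under lowered *hard* RLIMIT_STACK and RLIMIT_AS, the temporary Stack
Clash workaround quoted above. The limit values are illustrative."""
import resource
import subprocess


def _lowered(limit, requested):
    """Return (soft, hard) for `limit` with the hard cap lowered to `requested`.

    An unprivileged process can only lower a hard limit, so if the current hard
    cap is already below what we asked for we keep it instead of trying to raise
    it (which would fail). The soft limit is pulled down to stay <= hard.
    """
    soft, hard = resource.getrlimit(limit)
    if hard != resource.RLIM_INFINITY and hard < requested:
        requested = hard
    if soft == resource.RLIM_INFINITY or soft > requested:
        soft = requested
    return soft, requested


def run_under_limits(argv, stack_bytes, as_bytes, timeout=10):
    """Run `argv` with its hard RLIMIT_STACK and RLIMIT_AS capped; return stdout."""

    def clamp():
        # Runs in the child between fork() and exec(), so only the child and
        # its descendants are affected; the caller keeps its own limits.
        resource.setrlimit(resource.RLIMIT_STACK, _lowered(resource.RLIMIT_STACK, stack_bytes))
        resource.setrlimit(resource.RLIMIT_AS, _lowered(resource.RLIMIT_AS, as_bytes))

    proc = subprocess.run(argv, preexec_fn=clamp, capture_output=True, text=True, timeout=timeout)
    return proc.stdout


def child_hard_stack_kib(stack_bytes=8 * 1024 * 1024, as_bytes=4 << 30):
    """What a wrapped child sees as its hard stack limit, in KiB (ulimit's units)."""
    out = run_under_limits(["sh", "-c", "ulimit -H -s"], stack_bytes, as_bytes)
    return int(out.strip())


if __name__ == "__main__":
    # Illustrative caps: 8 MiB of stack, 4 GiB of address space.
    print("child hard stack limit (KiB):", child_hard_stack_kib())
```

Lowering the hard limit is one-way for that process tree: a non-root child cannot raise it again. On macOS the equivalent for a launchd-managed service is the Stack key in the job's HardResourceLimits dictionary. Either way this is the stopgap the article calls it, not a fix; the patch is what removes the bug.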

There will be more information available shortly, no doubt. I'll post here as it is released.



Tuesday, February 28, 2017

Making My Own Trouble: Calling Out Kaspersky



It's been fairly quiet regarding Mac security. There have recently been three pieces of malware out in the wild, but they've proven to be not much of anything. Therefore, I haven't bothered to FUD anyone about them. I don't like FUD.

Therefore, having a low boredom tolerance, I often make my own trouble for my own amusement. I decided to share this particular experience with those here who are interested. It's my call-out to Kaspersky for distributing BS.

The Article Of Interest:

I visit the snarky The Register every day for computer security news, among several other websites. I get tired of the puerile cockney humour, but they do a good job covering the subject. This was the article that inspired my trouble-making today:

Apple's macOS is the safer choice – but not for the reason you think
Eugene Kaspersky looks forward to a new darker dawn
Apple's Mac operating system may be the safer choice – but only because cybercriminals can't get their hands on people who know how to exploit it.

That's according to security showman Eugene Kaspersky, who gave a keynote at the Mobile World Congress in Barcelona on Monday. In recent months, Kaspersky has made a habit of giving MacOS a kicking, and this keynote was no different.

"People still think MacOS is safe," he told attendees with some measure of incredulity. But it's not. While there is certainly less malware for the operating system than, say, Windows, it's more a case of difficulty in hacker recruitment than evidence of stronger inherent security.

Of course, this zeal may have something to do with a big push from Kaspersky for its security software for the Mac, not that you'd need it from Eugene's logic. And that may have something to do with Kaspersky's huge certificate cock-up at the start of the year that exposed millions of people to interception attacks. . . .

So what's the solution? A complete redesign of all of our systems, starting from scratch by building on top of secure platforms and software. He dreams of systems that are no longer "secure" but "immune."
Emphasis mine. Before I continue, let me point out that creating an 'immune' operating system is exactly what we want. Let's all champion that effort.

But Mr. Kaspersky's keynote comments about the Mac remind me of something from way back in 2005 when lousy (IMHO) Symantec attempted to FUD Mac users into believing their chosen computer platform was going to be inundated with malware, just like Windows. It was only a matter of time.

Symantec: Mac users deluding themselves over security

Symantec's 2005 FUD campaign, obviously an attempt to promote Norton for Mac sales, was the impetus that inspired me to study and write about Mac security. Thank you Symantec! I hate you. 

Therefore, here's my reply to the assertions Mr. Kaspersky made in his keynote, which is what I posted at The Register:

Maybe Aricept Can Help

"So what's the solution? A complete redesign of all of our systems, starting from scratch by building on top of secure platforms and software. He dreams of systems that are no longer "secure" but "immune.""

OS X (macOS) is an operating system started from scratch by building on top of a secure platform and software. It was built on top of BSD UNIX, which remains the single most secure (by testing and reputation) operating system available. OS X is a certified UNIX, built on BSD.
So Mr. Kaspersky, maybe Aricept can help. Either that or do your research before you blether.

An "immune" OS is something else entirely. We have no such thing at this time apart from running a standalone computer with no input and no output, no EM radiation or sound emanations, etc.

Hint To Kaspersky: 
One reason your anti-malware isn't a hit on OS X (macOS) is that, thanks to the work of many people, both volunteer and paid, malware is discovered, described and tested, with the results passed along to Apple. On a good day, Apple then responds ASAP by pushing an automatic update to its XProtect anti-malware definitions that blocks that malware. (Yes, Apple has plenty of bad days when they don't keep up, such as their current forgetfulness about blocking out-of-date versions of Adobe's supremely dangerous Flash Player Internet plug-in, which is exactly what XProtect's plug-in blocklist exists to do.)

As a result, there's very little point in bothering to write malware for OS X seeing as it will typically be squashed by Apple within a brief period of time, thanks again to the work of many of us OUTSIDE of Apple.
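A practitioner can check the gap this paragraph complains about directly, since XProtect's plug-in blocklist is just a property list. The script below is an added example of mine, not Apple's code or the post's. The file paths and the PlugInBlacklist / MinimumPlugInBundleVersion layout are what that era's XProtect.meta.plist used and should be verified against your own copy; the inline plist is a constructed sample whose minimum version mirrors the 28.0.0.161 release Adobe shipped for CVE-2018-4878, the zero-day covered in the February 2018 post above. It also compares the installed version against a vendor "fixed in" version, which is the check that post asks readers to make by hand.

```python
"""Added example (mine, not Apple's or the post's): is the installed Flash
Player older than what XProtect's plug-in blocklist allows, and older than the
version the vendor says fixes a given bug?

Assumptions: the two paths below are where that era's macOS kept XProtect's
metadata and Flash's Info.plist, and the blocklist has the layout
PlugInBlacklist -> <group key> -> <bundle id> -> MinimumPlugInBundleVersion.
Verify both against your own system. SAMPLE_XPROTECT_META is constructed."""
import os
import plistlib

XPROTECT_META = "/System/Library/CoreServices/XProtect.bundle/Contents/Resources/XProtect.meta.plist"
FLASH_INFO = "/Library/Internet Plug-Ins/Flash Player.plugin/Contents/Info.plist"
FLASH_BUNDLE_ID = "com.macromedia.Flash Player.plugin"

# Constructed sample of the blocklist section. The minimum mirrors the
# 28.0.0.161 build Adobe released for CVE-2018-4878.
SAMPLE_XPROTECT_META = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PlugInBlacklist</key><dict>
    <key>10</key><dict>
      <key>com.macromedia.Flash Player.plugin</key><dict>
        <key>MinimumPlugInBundleVersion</key><string>28.0.0.161</string>
      </dict>
    </dict>
  </dict>
</dict></plist>
"""


def parse_version(s):
    """'28.0.0.137' -> (28, 0, 0, 137). Non-numeric fragments count as 0, and a
    shorter tuple sorts before a longer one with the same prefix."""
    parts = []
    for piece in s.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def blocklist_minimum(meta_bytes, bundle_id):
    """Minimum allowed version for `bundle_id`, or None if XProtect doesn't list it
    (which is the 'Apple forgot' case: nothing gets blocked)."""
    meta = plistlib.loads(meta_bytes)
    for group in meta.get("PlugInBlacklist", {}).values():
        if bundle_id in group:
            return group[bundle_id].get("MinimumPlugInBundleVersion")
    return None


def is_blocked(installed, minimum):
    """XProtect blocks a plug-in whose version is strictly below the minimum."""
    return minimum is not None and parse_version(installed) < parse_version(minimum)


def assess(installed, meta_bytes, fixed_in=None):
    """Two verdicts: will XProtect block this build, and is it still vulnerable
    relative to the vendor's fixed-in version?"""
    minimum = blocklist_minimum(meta_bytes, FLASH_BUNDLE_ID)
    return {
        "xprotect_blocks": is_blocked(installed, minimum),
        "vulnerable": fixed_in is not None and parse_version(installed) < parse_version(fixed_in),
    }


def installed_flash_version(info_plist_bytes):
    return plistlib.loads(info_plist_bytes).get("CFBundleShortVersionString")


def _read(path):
    with open(path, "rb") as f:
        return f.read()


if __name__ == "__main__":
    # Use the real files on a Mac that has them; otherwise fall back to the sample
    # blocklist and the 28.0.0.137 build the February 2018 post warns about.
    meta = _read(XPROTECT_META) if os.path.exists(XPROTECT_META) else SAMPLE_XPROTECT_META
    installed = installed_flash_version(_read(FLASH_INFO)) if os.path.exists(FLASH_INFO) else "28.0.0.137"
    print(installed, assess(installed, meta, fixed_in="28.0.0.161"))
```

The two verdicts deliberately diverge: a build can be vulnerable according to the vendor while XProtect still lets it load, which is the lag the paragraph above is about. A blank `xprotect_blocks` with a `True` `vulnerable` is the signal to disable the plug-in yourself.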

Mr. Kaspersky, realism is always welcome. Pulling bonehead Symantec quality FUD manoeuvres is NEVER welcome. Make your choice.

In any case, thank you Kaspersky for your many contributions to the computer security community. Apologies that they don't result in profits from your Mac software.
If I die before I wake, you know why. ;-)

Oh and here's The Register's 4 Jan 2017 article about "Kaspersky's huge certificate cock-up" mentioned above:

Kaspersky fixing serious certificate slip
Security smashed for 400 MEEELLION users
Kaspersky is moving to fix a bug that disabled certificate validation for 400 million users. 
Discovered by Google's dogged bug-sleuth Tavis Ormandy, the flaw stems from how the company's antivirus inspects encrypted traffic. . . .
~ ~ ~ ~ ~


Monday, December 12, 2016

Apple Adds 'Junk' Option To iCloud Calendar:
Spam Rats Exterminated


Apple has kindly responded, in part, to the Calendar spam nightmare. They've now provided a couple of ways to 'Junk' the spam directly inside the iCloud Calendar rather than forcing victims to 'Accept', 'Decline' or 'Maybe' the spam, none of which were acceptable options.

Apple activates Calendar spam reporting feature
By AppleInsider Staff 
Sunday, December 11, 2016, 09:31 pm PT (12:31 am ET)
Apple on Sunday instituted a new junk content reporting feature on its web portal, the first step in what appears to be an activation of countermeasures against iCloud Calendar spam invites users began to receive in volume last month.
There are two ways to attack invitation spam in the iCloud Calendar.

[Screenshot: invitation spam in the iCloud Calendar, marked A, and the Notifications counter, marked B]

In the screenshot above, we notice the invitation spam via both a Calendar entry, marked as A, and the Notifications counter at the bottom of the window, marked as B. AppleInsider, in the article linked above, has described how to use the Notifications counter to 'Junk' the invitation spam. I'm going to describe how to perform the same function using the invitation spam Calendar entry.

[Screenshot: the invitation's detailed information sub-window]

In the screenshot above, I've double-clicked the invitation spam entry in my Calendar. The result is a detailed information sub-window. I prefer this approach for removing invitation spam specifically because of the details provided. The text in the sub-window is a bit scrambled, but we can make out some typical signs of spam. The sender is Chinese. The invitation spam was sent to victims on an alphabetical spam-it list. The invitation spam directs the victim to an unfamiliar website.

Note that Apple has added a 'Report Junk' link beneath the text "This sender is not in your contacts." Click "Report Junk" and this new sub-window appears:

[Screenshot: the 'Report Junk' confirmation sub-window]

Click 'OK' and the deed is done! The invitation spam will be safely removed from both the Calendar and the Notifications counter. Extermination achieved. Perform this procedure on further invitation spam. When you're done, your Calendar will be clean and back to normal.

[Screenshot: the Calendar with the invitation spam removed]

It is assumed at this time that Apple is using Calendar 'Junk' reports to build a blacklist that will keep future invitation spam out of the Calendar. Because invitation spam shares so much with email spam (same senders, same bulk recipient lists, same embedded URLs), I expect Apple will eventually combine their email spam and Calendar invitation spam filtering systems. We'll see.


Remaining problems:

1) Apple still has to provide a 'Junk' reporting method in both the macOS and iOS Calendar applications.

2) Apple still has to provide a fix for Photo Sharing invitation spam.

Little steps to solve big problems.


Tuesday, November 29, 2016

Permanent Solution To Calendar Spam Attacks!


Over the US Thanksgiving holiday weekend, I was bombarded with two further Calendar spam rat attacks foisting fraudulent flotsam from China. I happily dispatched them with the previously prescribed method, no dangerous 'decline' required.

But better yet! Yesterday (11-29) Sean Gallagher of Ars Technica posted a permanent solution to Calendar spam rat attacks that works a charm. It shoves spam 'invitations' (infestations) off into the Mail application instead, where the crapulent assaults will be forced through your spam filtration system, killing them dead.

√ Spam rat exterminated.

How to stop the wave of Apple Calendar invite spam
Deleting them just encourages them—and confirms your address is live.
Sean Gallagher, Ars Technica, 2016-11-28

Here is my slightly simplified set of instructions. Note that this must be performed on a desktop/laptop computer. It will not work using iOS!

1) Sign in (log in) to your iCloud account at:

2) Click on the Calendar icon.

3) When your Calendar page is loaded, look down at the bottom left for the gear symbol. Click on it and choose 'Preferences'.

4) In the Preferences sub-window, click on the 'Advanced' tab.

5) In the bottom section of the 'Advanced' window, labeled 'Invitations', you'll see the default radio button setting is 'In-app notifications'. Click instead 'Email to ...' your iCloud email address. (Ignore 'Use this option if...).

6) Click 'Save' in the bottom right.

No more 'invitation' infestations into your Calendar. But note! Any legitimate Calendar invitations will also be sent to your email account. Therefore, be careful when perusing your email to watch for invitations you'd like to accept. In Mail you can choose to have them added to your Calendar.

When you receive spam rat 'invitations' in Mail you can simply mark them as 'Junk'. More garbage from the same spam rats should in future be flung into your 'Junk' without your having to ask.

Reporting Calendar 'Invitation' Spam:

I had a chat with tech support over at SpamCop about Calendar 'invitation' spam. They kindly declined to recode their spam reporting website software to accept this new spam variety and instead referred me to another organization that might take up the challenge. But the fix Sean Gallagher provided solves the problem. I can in future toss off 'invitation' spam to SpamCop directly from Mail.

Remaining problem, iCloud Photo Sharing spam:

Sadly, there is no similar preference fix to stop iCloud Photo Sharing spam. That one is Apple's burden to solve.


Friday, November 18, 2016

The New Spam Rat Vectors:
Calendar and Photo Sharing


Today, I ran into one of the new spam rat vectors. Without any approval on my part, a two-day event was shoved into my Calendar for today and tomorrow. It came from a persistent source of spam that attempts to foist ads for fake Chinese Ray-Ban sunglasses before my eyes. I've received (and reported to SpamCop) quite a few of their spam emails. Now they're using this new vector to get attention. How they pulled off the spam is new to me! The thing was sent via my account.

It should be easy to delete anything inserted into the macOS Calendar, right? That's the intuitive thing to do, and Apple does offer a 'Delete' option in the contextual menu when you click on the spam calendar event. Except it's NOT a delete at all. We're forced to either 'Cancel' and keep the spam or 'Decline' the event. When we 'Decline' the event, this is the same as shouting to the spam rat 'HEY! I'M A LIVE BODY! SPAM ME SOME MORE!' That's the very last thing we want to do. Declining confirms our address is live, and the spam rats will spam us further as a direct result.

The only recourse available is to ignore the Calendar spam. It will sit there in your Calendar forever. I hate that.

Result: Apple has inadvertently allowed a spam vector we cannot avoid! That has to end. I'll be sending Apple a kindly request to end this madness immediately. I'll also be corresponding with SpamCop to see if they can incorporate the reporting of such spam into their system. At the moment, their interface has no idea what to do with this kind of spam, despite the spam rat's URL being embedded in the 'Invite' code.

Meanwhile, similar spam is reported to be infesting iCloud Photo Sharing. Another great one Apple. :-P

Thankfully, there is a solution to this stupid spam problem in Calendar. I've provided some links to articles with the solution below. Sadly, there is not yet any solution to the stupid spam problem in iCloud Photo Sharing. The best you can do is turn off iCloud Photo Sharing. When a solution arrives or Apple get their act together, I'll post again.

If you can read Dutch, this is the first website to figure out how to kill off the stupid spam problem in Calendars:

appletips, 2016-11-08

Both 9TO5MAC and TechTimes have provided translations of the solution as well as discussion:

9TO5MAC, 2016-11-09
Performing the steps below will move the spam invitation to a separate calendar, and from there, that calendar can be deleted. Thus, removing the spam invitation without having to hit “Decline” on the actual notification. . . .
Anu Passary, Tech Times, 2016-11-09
Any Solution For iCloud Photo Sharing Spam? The only option is to turn off the feature completely. To do so follow these steps: . . .
~ ~ ~ ~ ~

For those interested in the code buried behind these spam abominations, here is the iCalendar data I received (with personal and potentially dangerous data removed, as indicated in italic brackets). Lines beginning with a space are iCalendar line-folding continuations of the line above them, which is why 'VP=TRUE' (the tail of an RSVP=TRUE parameter) appears on its own:
PRODID:-//Apple Inc.//Mac OS X 10.12.1//EN
DESCRIPTION:[URL of spam rat removed] $19.99 Ray-ban&Oakley Sunglasses Onli
 ne.Up To 80% Off Sunglasses.Compare And Save.
SUMMARY:$19.99 Ray-ban&Oakley Sunglasses Online.Up To 80% Off Sunglasses
 .Compare And Save. [URL of spam rat removed]
 VP=TRUE:mailto:[Victim at]
 VP=TRUE:mailto:[Victim at]
 VP=TRUE:mailto:[Victim at]
 VP=TRUE:mailto:[Victim at]
 VP=TRUE:mailto:[Victim at]
 VP=TRUE:mailto:[Victim at]
 VP=TRUE:mailto:[Victim at]
 VP=TRUE:mailto:[Victim at]
 VP=TRUE:mailto:[Victim at]
ATTENDEE;CN="黄周朝";CUTYPE=INDIVIDUAL;EMAIL="[Nonsensical email address]";PARTSTA
The victim email addresses were apparently copied and pasted alphabetically from a distributed spam-it list. The victim IDs in this case all started with 'derek'-something. The victim email addresses were not exclusive to iCloud, as I've indicated above.
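The fragment above is easier to read once the folded lines are joined back together, and the same pass can pull out the signals a spam triage would look at: an organizer not in your contacts, a batch of alphabetically adjacent attendees, and a sales URL sitting in the SUMMARY and DESCRIPTION. The script below is an added example of mine, not from the post or Apple; SAMPLE_ICS is constructed to mirror the shape of the invite quoted above, and every address, name and domain in it is a placeholder.

```python
"""Added example (mine, not from the post or Apple): unfold an iCalendar
invitation and extract the fields a spam triage would look at. SAMPLE_ICS is
constructed to mirror the shape of the invite quoted above; every address,
name and domain in it is a placeholder."""
import os
import re

# Nine attendees with alphabetically adjacent local parts, like the 'derek'
# addresses in the post. Each ATTENDEE is folded across two physical lines
# (the continuation starts with a single space), as Calendar emits it.
_ATTENDEES = "".join(
    "ATTENDEE;CUTYPE=INDIVIDUAL;ROLE=REQ-PARTICIPANT;PARTSTAT=NEEDS-ACTION;RS\r\n"
    f" VP=TRUE:mailto:derek.{c}@example.invalid\r\n"
    for c in "abcdefghi"
)

SAMPLE_ICS = (
    "BEGIN:VCALENDAR\r\n"
    "PRODID:-//Apple Inc.//Mac OS X 10.12.1//EN\r\n"
    "VERSION:2.0\r\n"
    "BEGIN:VEVENT\r\n"
    "UID:constructed-sample-0001\r\n"
    "DESCRIPTION:http://example.invalid/x $19.99 Ray-ban&Oakley Sunglasses Onli\r\n"
    " ne.Up To 80% Off Sunglasses.Compare And Save.\r\n"
    "SUMMARY:$19.99 Ray-ban&Oakley Sunglasses Online.Up To 80% Off Sunglasses\r\n"
    " .Compare And Save. http://example.invalid/x\r\n"
    'ORGANIZER;CN="黄周朝":mailto:sender@example.invalid\r\n'
    + _ATTENDEES +
    "END:VEVENT\r\n"
    "END:VCALENDAR\r\n"
)

URL_RE = re.compile(r"https?://[^\s,;]+")


def unfold(text):
    """Undo RFC 5545 line folding: a line break followed by a space or tab is a
    continuation of the previous logical line."""
    text = text.replace("\r\n", "\n")
    return [line for line in re.sub(r"\n[ \t]", "", text).split("\n") if line]


def _split_outside_quotes(s, sep):
    """Split on `sep` only where it is not inside double quotes."""
    parts, cur, quoted = [], [], False
    for ch in s:
        if ch == '"':
            quoted = not quoted
        if ch == sep and not quoted:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return parts


def parse_property(line):
    """'NAME;P=V;Q="a:b":value' -> ('NAME', {'P': 'V', 'Q': 'a:b'}, 'value').

    The value is everything after the first ':' outside quotes, so a 'mailto:'
    value keeps its own colon."""
    head, *rest = _split_outside_quotes(line, ":")
    value = ":".join(rest)
    name, *raw_params = _split_outside_quotes(head, ";")
    params = {}
    for p in raw_params:
        key, _, val = p.partition("=")
        params[key.upper()] = val.strip('"')
    return name.upper(), params, value


def _address(value):
    return value[len("mailto:"):] if value.lower().startswith("mailto:") else value


def triage(ics_text):
    """Return the organizer, attendee list, URLs and a list of spam signals."""
    organizer, organizer_cn, attendees, urls = None, None, [], set()
    for name, params, value in map(parse_property, unfold(ics_text)):
        if name == "ATTENDEE":
            attendees.append(_address(value))
        elif name == "ORGANIZER":
            organizer, organizer_cn = _address(value), params.get("CN")
        elif name in ("SUMMARY", "DESCRIPTION"):
            urls.update(URL_RE.findall(value))

    signals = []
    if urls:
        signals.append("url_in_text")  # an 'invitation' that is really an ad
    if len(attendees) >= 5:
        signals.append("many_attendees")  # you were one of a batch
    local_parts = [a.split("@")[0].lower() for a in attendees]
    if (len(local_parts) >= 3 and local_parts == sorted(local_parts)
            and len(os.path.commonprefix(local_parts)) >= 3):
        signals.append("bulk_alphabetical_recipients")  # pasted from a sorted list

    return {
        "organizer": organizer,
        "organizer_cn": organizer_cn,
        "attendees": attendees,
        "urls": sorted(urls),
        "signals": signals,
    }


if __name__ == "__main__":
    for key, val in triage(SAMPLE_ICS).items():
        print(f"{key}: {val}")
```

The thresholds (five attendees, a three-character shared prefix) are arbitrary starting points; what matters is that none of the signals require you to 'Decline' or otherwise answer the sender, so the triage itself never tells the spam rat you exist.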

So Apple! What's with the sloppy attention to security lately? Wake up! You're making Google look good. And that's bad.