Java update for OS X patches Flashback malware exploit

Java update for OS X patches Flashback malware exploit – CNET:

Following the recent Flashback malware developments for OS X where unpatched vulnerabilities in the latest Java runtime for OS X were being exploited, Apple has issued an update that brings Java up-to-date and patches these vulnerabilities.

The patch is available via Software Update for systems that have Java installed, but can also be downloaded from the following Apple support Web pages. The update is available only for OS X 10.6 and 10.7, since Apple has stopped supporting prior versions of OS X.

Java for Mac OS X 10.6 Update 7
Java for OS X Lion 2012-001

EDIT:

Mac Botnet Infects More Than 600,000 Apple Computers – eWeek

Apple’s security code of silence: A big problem – CNET
:

Security industry insiders have long known the Mac platform has its holes. The Flashback Trojan is the first in-the-wild issue that’s confirmed this, and big-time. More will follow unless Apple steps up its game.


Secure your Mac from Flashback infection – USAToday
:

Flashback is technically not a trojan-horse application at all, but a “drive-by download” that infects computers by exploiting a vulnerability in Web software.

That makes it much worse than a trojan: You just need to visit a malicious site, without downloading the wrong app or entering an admin password, to have this program silently take command of your Mac and begin altering the content of Web pages.

Find Out if Your Mac Has the Flashback Trojan — the Fast and Easy Way – Mashable – Two quick Applescript scripts if you are squeemish about running commands in a commandline terminal. I have not used them as I checked in commandline. Use at your own risk.

..

It is tragic that for all the online virus/malware scanners that are out there for Windows users, there do not appear to be any for Mac OS X. Now that is tragic.

Java 6 Update 24 Plugs 21 Securty Holes

[tweetmeme source=”franscomputerservices” only_single=false]Java 6 Update 24 Plugs 21 Securty Holes (Krebs On Security)

A new version of Java fixes at least 21 security flaws in the widely-distributed software bundle. Updates are available for Windows, Linux and Solaris users.

Windows users that have Java installed should update as soon as possible. Usually Windows users will see the orange Java update icon in the System Tray (by the clock in the lower right side). When the Java update icon is presented, click on it and follow instructions. Be sure to unclick extra installs for Google Chrome, toolbars, etc. if you don’t want them.

If you haven’t been presented with the Java update icon, go to the Java.com site to download the Java update for Windows.

If you use a Mac, you will have to wait till Apple does the update and hope they do it quickly. Soon Mac users will also be updating through the Oracle Java website like Windows, Linux and Solaris users do now. But not yet.

Race Conditions aka TOCTOU and now KHOBE

[tweetmeme source=”franscomputerservices” only_single=false]There is a ‘supposedly new’ threat on the horizon for Windows XP users, and more so on multi-core systems called KHOBE (Kernel HOok Bypassing Engine).

Although this is a threat, it is not a new threat — in fact, this type of thing has been a threat to computing since 1998 when it was written about in PDF format: RaceConditions.pdf, and in 1996 in this PDF: racecond.pdf and many times since then in articles online about TOCTOU (noted below in this posting).

It definitely sounds pretty bad when it is reported that this ‘new’ KHOBE can bypass EVERY Windows security product in an article by the respected Adrian Kingsley-Hughes at ZDNet Blogs and as reported and tested by MATOUSEC here. And it certainly isn’t a non-issue…

However, let’s look at this objectively. First this is not the first, last or only situation that has or will arise. Race Conditions as noted above have been created by TOCTOU (Time of check to time of use) situations since the dawn of computing and yes, they are not easy to test for in all situations/hardware prior to release of software/Operating Systems, but these types of conditions have been a potential threat for a very long time in all kinds of software.

A time-of-check-to-time-of-use bug (TOCTTOU − pronounced “TOCK too”) is a software bug caused by changes in a system between the checking of a condition (such as a security credential) and the use of the results of that check. It is a kind of race condition.

Before Windows was capable of true multi-tasking/multi-threading, it was possible to create these conditions on UNIX machines as noted in this 2001 article at InformationWorld.

So, why the fuss now? Windows 7 is basically claimed to be immune — by its omission in the ‘affected Windows Operating Systems’ list. Apparently only Windows XP (ONLY about 60% of Windows users –eeek! — per Adrian Kingsley-Hughes article above), or earlier Windows OSes are affected and in this particular case, and then only by security software that use the KHOBE (Kernel HOok Bypassing Engine).

Graham Cluely at his Sophos Blog notes,

Because KHOBE is not really a way that hackers can avoid detection and get their malware installed on your computer. What Matousec describes is a way of “doing something extra” if the bad guys’ malicious code manages to get past your anti-virus software in the first place.

In other words, KHOBE is only an issue if anti-virus products such as Sophos (and many others) miss the malware. And that’s one of the reasons, of course, why we – and to their credit other vendors – offer a layered approach using a variety of protection technologies.

In addition, Paul Ducklin’s Sophos blog notes,

The security panic of the week is the widely-reported story of a “vulnerability” called KHOBE. One news headline goes so far as to announce that this “new attack bypasses virtually all AV protection”.

I disagree.

The sample “attack”, which claims to be an 8.0 earthquake for desktop security software, describes a way in which the tamper protection implemented by some anti-malware products might potentially be bypassed. Assuming you can get your malicious code past the anti-malware product in the first place, of course.

Much more in his blog entry. All of these links are must read if you wish to understand as much as is possible what the real threat is.

So, given all this, is the game over on security software because this is now disclosed to be possible (READ: it was always possible) — at least till they figure out how to prevent Race Conditions in security software?

Hardly. But due to the release of the information, this situation may make life interesting security-wise for Windows XP users (earlier Windows OSes like Win2K, Win98, WinME, WinNT shouldn’t even be on the net at this point for many reasons, the least of which is this situation).

So, if you are a Windows user what can you do in the meantime?

  • Keep your systems up to date
  • Make sure you have a hardware NAT or SPI Firewall/Router on your local network, and a software firewall in place and working properly and updated (if it’s a third party firewall – Windows Firewall is updated with your Windows Updates)
  • Keep your browsers up to date
  • Keep your browser plugins (Adobe products, Apple products, Java, etc.) and extensions (like Firefox’s AdBlock Plus, etc.) up to date
  • Keep all Internet facing programs (Adobe, Microsoft, etc.) up to date
  • Run your CCleaner (or other Temporary Files/Temporary Internet Files cleaner program) frequently (I actually run mine several times a day) – Fully close any browsers before running your ‘cleaner’ and then re-open it as needed after you run the ‘cleaner’
  • Make sure your antivirus software is updating as it should and doing its scheduled scans
  • Update and Run any cleaner software and secondary anti-malware programs (like Malwarebytes Anti-malware) at least once a week or more often and immediately if something seems odd on your computer
  • Don’t open suspicious emails, even from known senders
  • Be careful where you go on the Internet. Even some legitimate sites have been hacked
  • Be careful about links and friends on Facebook (if you haven’t deactivated your account yet), Twitter, LinkedIn, and other Web 2.0/dynamic Social Networking sites.

In short, do what you should always be doing to keep yourself safe. Because this isn’t over. It was always a possibility whether we were aware or not, and it will likely be a possibility for a long time to come.

You might also consider installing a preventative program like BillP’s WinPatrol on your system to make you aware of potential changes to your system. *See EDIT below for a note from BillP about WinPatrol and kernel hooks.

And as I noted earlier, the focus of this issue, at this time, is apparently Windows XP, but any operating system is vulnerable to this type of attack and always has been — and that is not likely going to change any time soon.

EDIT: Added the following comment from BillP who developed WinPatrol:

* Thanks! I’m honored by the mention.
It’s a great topic and mentioning WinPatrol is appropriate since I don’t use any kernel hooking to detect changes. Thumbs Up!

Bill

Oracle Sun ships Java patch as attacks surface

[tweetmeme source=”franscomputerservices” only_single=false]As attacks surface, Sun ships Java sudden Java patch (ZDNet):

In a sudden about-face, Sun has rushed out a Java update to fix a drive-by download vulnerability that exposed Windows users to in-the-wild malware attacks.

The release notes that accompanies the new Java 6 Update 20 makes no mention of the public flaw disclosure or subsequent attacks but I’ve been able to confirm that the patch does cover the vulnerability released by Google security researcher Tavis Ormandy.

Much more in the article by Ryan Naraine at ZDNet blogs linked above.

Glad to hear they have finally released a patch.

Might want to go get the latest Java 6 Update 20 asap at Manual Downloads at Java.com

Unpatch Java Exploit Spotted in-the-wild

[tweetmeme source=”franscomputerservices” only_single=false]Unpatch Java Exploit Spotted in-the-wild (Krebs on Security):

Last week, a Google security researcher detailed a little-known feature built into Java that can be used to launch third-party applications. Today, security experts unearthed evidence that a popular song lyrics Web site was compromised and seeded with code that leverages this Java feature to install malicious software.

As I mentioned last time, it is sad that Java is needed to help keep your systems safer through Secunia’s OSI (Online Software Inspector) by helping you keep your Internet facing programs up to date.

For now, if you are not sure if you have Java on your system, you can look in Add/Remove Programs (Windows XP) or Programs, Uninstall Programs (Vista and Windows 7) to see if it is installed. The best option at this point is to probably uninstall Java entirely on Windows computers until Oracle realizes the dangers this problem poses to Windows users.

Of course if you would prefer, you could use the link to SANS Internet Storm Center (New bug/exploit for javaws) to review your options.

Another option would be to use Firefox with the NoScript Extension and only allow scripting on trusted sites. NOTE: Even though java is not javascript, most plugins use some sort of scripting to wrap their plugins in to work in a browser so using NoScript would go a long way to protecting users and still be able to use Secunia’s OSI noted earlier in this article.

However, note that there is still the possibility that the malware cocktail could still potentially gain access through Internet Explorer even if you are not using Internet Explorer. To prevent this, Windows users might consider installing BillP Studios’ WinPatrol so they are alerted to any changes to their system before it happens and be given an opportunity to prevent it – You can try it out for free, but it is one of the best $19.99 you ever spent ($10 off right now, normal price $29.99). BillP Studios used to have a free version which can still be found on sites like FileHippo.com (note, however that it is not the new version which is apparently only offered in Trial/Buy).

According to the article, popular lyrics site: songlyrics dot com (I did not create a link to it and I would NOT recommend going there if you have Java installed!) the “Crimepack” exploit kit is being used to foist a cocktail of malware on Windows users’ computers.

I mentioned this Java vulnerability in my last posting. If you want more information, please see my earlier post and Brian Kreb’s Krebs on Security article above.

Tavis Ormand tried to get through to Oracle about the danger, but they chose to rate it as not that important. They indicated that it could wait till the normal patch cycle. However, apparently, they didn’t fix it then either because when all the Oracle quarterly cycle patches came out this week it wasn’t in their list of fixed vulnerabilities — which means they apparently intend to wait till the NEXT cycle!

Roger Thompson, chief research officer at AVG says:

the site appears to use the very same code mentioned in Ormandy’s proof-of-concept to silently redirect songlyrics.com visitors to a site that loads the “Crimepack” exploit kit, a relatively new kit designed to throw a heap of software exploits at visiting browsers…

It is hard to say whether visiting sites like the lyrics site would hurt other OSes like Mac OS X (especially Tiger which hasn’t had a Java update in ages!), or Linux because Brian Krebs’ article was geared to Windows users.

Firefox 3.6 released

[tweetmeme source=”franscomputerservices” only_single=false]On January 21, 2010, Firefox 3.6 was released.

Full release notes and what’s new in Firefox 3.6 here.

Firefox now has what is called Personas. Some folks may enjoy them. I am not all that thrilled with that but maybe that’s because I don’t generally use alternate themes which is very similar.

Notable Firefox 3.6 features include:

  • Available in more than 70 languages – get your local version.
  • Support for a new type of theme called Personas, which allow users to change Firefox’s appearance with a single click.
  • Protection from out-of-date plugins to keep users safer as they browse.
  • Open, native video can now be displayed full screen and supports poster frames.
  • Improved JavaScript performance, overall browser responsiveness, and startup time.
  • The ability for web developers to indicate that scripts should run asynchronously to speed up page load times.
  • Continued support for downloadable web fonts using the new WOFF font format.
  • Support for new CSS attributes such as gradients, background sizing, and pointer events.
  • Support for new DOM and HTML5 specifications including the Drag & Drop API and the File API, which allow for more interactive web pages.
  • Changes to how third-party software can integrate with Firefox in order to prevent crashes.

Personally, I think that the biggest news is the HTML5 support.

Although there will be some growing pains, it will be very welcome news when the dust settles as it does with all major changes to HTML.

One of the lofty aims of HTML5 specifications is:

HTML5 aims to reduce the need for proprietary plug-in-based rich Internet application (RIA) technologies such as Adobe Flash, Microsoft Silverlight, and Sun JavaFX.

Although these technologies are free for users to view Flash content, etc., the cost to companies to make use of them can be very expensive indeed. If you have ever noted how expensive the Adobe Suite(s) are then you may already know what I mean.

Technologies like Flash, Silverlight and Java can be considered a combination of a container and delivery mechanism for presenting various types of file such as video and audio, etc. in a browser environment.

The video and audio codecs themselves used to present these files can vary. You can see audio files in mp3, m4a, wma, ogg, etc. audio formats, or video files in H.264, Windows Media, Ogg Theora, etc., video formats.

Patch arrives for IE hole targeted by Chinese – WindowsSecrets.com

[tweetmeme source=”franscomputerservices” only_single=false]Patch arrives for IE hole targeted by Chinese (WindowsSecrets.com newsletter comp link)

As of this writing, Microsoft is scheduled to release on Jan. 21 an update that fixes the Internet Explorer vulnerability behind the recent, highly publicized cyberattacks on Google and other major corporations.

Be sure to get your IE (Internet Explorer) update through Windows Updates.

If you have, or are using an older version (IE6 or IE7) of Internet Explorer — whether you use Internet Explorer as your default browser or not, make sure to get IE8 (Internet Explorer 8 ) from Microsoft’s website here. The Internet Explorer browser engine is used by many programs and by Windows, so it is very important to keep it updated.

Adrian Kingsley at ZDNet also has an article about the need to update your Internet Explorer browser to the latest version and answers the question whether to dump IE and to make sure you get other updates (Flash, etc.) that are equally important here.

I personally keep all my browsers updated to the latest version and all my Internet facing supporting programs like Flash, Java, Quicktime, etc. Even so, I generally use Mozilla Firefox as my default browser. I like the Extensions for Firefox that help make it more useful and secure.