May 24, 2013

OS X Lion FileVault Passwords Written to Debug Log in Plain Text

(LiveHacking.Com) – It has been discovered that the latest OS X Lion 10.7.3 update logs the FileVault password in a system-wide log file readable by anyone with root or admin access. The problem is that the 10.7.3 update left a debugging option switched on which logs, in clear text, the FileVault passwords of every user who has logged in since the update was applied.

According to David I. Emery, who disclosed his find on the Cryptome mailing list, “the log in question can also be read by booting the machine into firewire disk mode and reading it by opening the drive as a disk or by booting the new-with-LION recovery partition and using the available superuser shell to mount the main file system partition and read the file.” The result is that an attacker could break into encrypted partitions without any prior knowledge of the passwords used.

“One wonders why such a debug switch exists in shipped production code… clearly it could be invoked covertly in specific situations, this seems to be an example of someone turning it on for the entire release by accident,” he added. “Nobody breaks encryption by climbing the high walls in front … when the garden gate is open for millions of machines.”

ZDNet has found a post on the Apple Support Communities, where a user noticed the flaw three months ago:

I’ve tried it on another Mac as well, same result: The login of a normal network user writes this log line as his homedir gets mounted. This poses a security risk. We have some users who are local admins, they could ask another user to login on their Mac and look for the password afterwards. Extraction in single user mode would be possible as well. Is this a “speciality” of our environment or is this a known bug? Can I turn this behavior off?

Nobody got back to him.


New Variants of Flashback Trojan for OS X Found

(LiveHacking.Com) – New variants of the Flashback trojan for OS X have been spotted by security researchers from Intego. Flashback.G does not use an installer (unlike the previous incarnations), meaning that if a user visits a malicious web page (and they have not applied Apple’s Java updates) the installation occurs without any user interaction. For those with up-to-date Java installations the trojan will trigger a certificate alert, but they won’t be asked for the user password.

The trojan horse uses three methods to infect Macs. First it tries to install via one of two known Java vulnerabilities, one from way back in 2008, the other from last year. Successful exploitation of these vulnerabilities means the machine becomes infected without any user intervention. Those running Macs with the latest Java updates will not be affected by these first two attempts. However, if the Java exploits fail, the trojan tries again with a social engineering trick: the applet displays a self-signed certificate, claiming to be issued by Apple. Users who click on “Continue” open the machine to infection.

Once installed, the trojan patches applications like Safari and Skype to sniff out usernames and passwords, especially for sites like Google, Yahoo!, CNN and PayPal. A possible clue that a Mac has become infected is that applications like Safari start to crash, as the trojan code makes the programs unstable.

“I don’t want to give [the hackers] more credit than they deserve, but [Flashback.G] is particularly sophisticated,” said Peter James, a spokesman for Intego, who spoke to ComputerWorld. “The Java vulnerability [approach] doesn’t require user interaction, and they’re putting victims into a strainer,” he added, referring to the social-engineering-style fake certificate tactic that is employed only if the Mac is invulnerable to the Java exploits.

Nothing Wrong With Desktop Versions of Windows This Month

Microsoft has made available the advance notification of the security bulletins that it intends to release on May 10, 2011, or Patch Tuesday as it is commonly known. This month Microsoft isn’t fixing any vulnerabilities in the desktop versions of Windows (meaning XP, Vista or Windows 7). Instead it will issue a patch for a critical remote code execution vulnerability in Windows Server 2003 and 2008.

Along with the Windows Server patch, Microsoft is fixing a remote code execution vulnerability in Microsoft Office. Affected versions are Microsoft Office XP, Microsoft Office 2003 and Microsoft Office 2007. The issue seems to be with PowerPoint. But it isn’t only the Windows versions of Office which are affected. The patch will also address the same issue in Microsoft Office 2004 for Mac, Microsoft Office 2008 for Mac and the Open XML File Format Converter for Mac.

This month’s meager two security bulletins are in sharp contrast to last month’s Patch Tuesday, when Microsoft patched a titanic 64 vulnerabilities across the following Microsoft products: Microsoft Windows, Microsoft Office, Internet Explorer, Visual Studio, SMB, .NET Framework and GDI+.

BlackHole RAT – New Mac Trojan

Security researchers from Sophos have spotted a new piece of malware. That in itself isn’t unusual, but this one is, as it targets Mac OS X and not Windows.

According to the client end of the malware, used by the attacker to send commands to the remote machine, the software is still beta quality and not yet finished. The implication is that development is on-going and a more sophisticated version of the software is planned.

Known as BlackHole RAT, the software seems to be a port of the well-known Remote Access Tool/Trojan (RAT) for Windows known as darkComet. SophosLabs have dubbed the trojan OSX/MusMinim-A.

At the moment there are no reports of this tool spreading in the wild, and it doesn’t come with a delivery mechanism, meaning that attackers wishing to use it need to find a way to infect the remote Mac with the server component via a vulnerability in a browser or plugins, etc.

The functionality of the so-called beta is fairly limited and currently only allows the attacker to:

  • Place text files on the desktop
  • Send restart, shutdown or sleep commands
  • Run arbitrary shell commands
  • Place a full screen window with a message that only allows you to click reboot
  • Send URLs to the client to open a website
  • Pop up a fake “Administrator Password” window to try and solicit the administration credentials from the victim

However, this is enough to cause damage to the remote machine and has the potential for online fraud.

http://ithreats.net have posted a YouTube video of BlackHole RAT in action.

Unscheduled Security Update for Adobe Reader and Acrobat

The unscheduled security update for Adobe Reader and Acrobat fixes more than 18 security holes. Here is the release note from the Adobe Security Bulletin:

Critical vulnerabilities have been identified in Adobe Reader 9.4 (and earlier versions) for Windows, Macintosh and UNIX, and Adobe Acrobat 9.4 (and earlier 9.x versions) for Windows and Macintosh. These vulnerabilities could cause the application to crash and potentially allow an attacker to take control of the affected system.

In addition to addressing CVE-2010-3654 noted in Security Advisory APSA10-05 and CVE-2010-4091 referenced in the Adobe PSIRT blog (“Potential issue in Adobe Reader”), these updates also incorporate the Adobe Flash Player update as noted in Security Bulletin APSB10-26.


Adobe recommends users of Adobe Reader 9.4 and earlier versions for Windows and Macintosh update to Adobe Reader 9.4.1, available now. Adobe recommends users of Adobe Reader 9.4 and earlier versions for UNIX update to Adobe Reader 9.4.1, expected to be available on November 30, 2010. Adobe recommends users of Adobe Acrobat 9.4 and earlier 9.x versions for Windows and Macintosh update to Adobe Acrobat 9.4.1.

Note that these updates represent an out-of-cycle release. The next quarterly security updates for Adobe Reader and Acrobat are scheduled for February 8, 2011.

Please visit Adobe Security Bulletins for more information about this update.

Source: [Adobe Security Bulletins]