August 17, 2019

New malware spies on Mac users via Firefox, Safari and Skype

(LiveHacking.Com) – A new piece of Mac malware has been discovered which has been designed to spy on users. Known as either Crisis or Morcut, the malware is passed around as a Java program pretending to be Adobe Flash. The file is named something like AdobeFlashPlayer.jar or adobe.jar. JAR files are archives used to package up Java programs and normally contain .class files, which are the executables run inside the Java Virtual Machine (JVM). In this case the .class file is called WebEnhancer.class, but it is anything but a web enhancer.

When the WebEnhancer applet is run it triggers a digital signature alert warning the user that the software is from an untrusted publisher. However, if users believe that this is a genuine file they will probably just ignore this warning.

Once installed Morcut/Crisis adds a backdoor which opens up the Mac to others on your network and adds a command-and-control module so it can accept remote instructions.

Analysis of the malware shows that it was designed with spying in mind, as it has functions to monitor the webcam and the microphone and to intercept instant messages on Skype, Adium and MSN Messenger. Other spying functions include the monitoring of:

  • mouse coordinates
  • location
  • clipboard contents
  • key presses
  • running applications
  • web URLs
  • screenshots
  • calendar data & alerts
  • device information
  • address book contents

With such spying capabilities the malware could be used to capture passwords and banking details. It is able to give hackers enough information about its victims for them to perform sophisticated identity theft.

“In short, if this malware managed to infect your Mac computer it could learn an awful lot about you, and potentially steal information which could read your private messages and conversations, and open your email and other online accounts,” a Sophos spokesperson said in a statement. “By the way, if you’re curious about where the name ‘Crisis’ came from, it’s a name which appears inside the malware’s code. As far as we can tell, the author appears to have wanted his malware to be called ‘Crisis’.”

The good news is that this malware hasn’t been spotted in the wild yet, so the threat remains low. Every Mac user should install anti-virus software and, if you don’t need Java, uninstall it.
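The description above (a JAR named after Adobe Flash, carrying a single WebEnhancer.class, that trips the untrusted-publisher warning) suggests a simple static triage step an analyst or help desk can run on a suspicious .jar before anyone double-clicks it. The script below is an added example written for this page, not code from LiveHacking or from any vendor analysis of Crisis/Morcut. It builds a constructed stand-in JAR with the same shape (the class entry is just the JVM magic number plus padding, not the malware) and reports the facts that matter: whether the archive carries any signature files under META-INF, what Main-Class the manifest names, and whether the file name is impersonating a product that is not distributed as a Java archive.

```python
import io
import re
import zipfile

# Constructed sample manifest naming the class the article describes.
MANIFEST = b"Manifest-Version: 1.0\r\nMain-Class: WebEnhancer\r\n\r\n"


def build_sample_jar() -> bytes:
    """Constructed stand-in: an unsigned JAR with one class and a Flash-sounding name.
    The class body is only the JVM magic number (0xCAFEBABE) plus zero padding."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", MANIFEST)
        zf.writestr("WebEnhancer.class", b"\xca\xfe\xba\xbe" + b"\x00" * 28)
    return buf.getvalue()


def inspect_jar(jar_bytes: bytes) -> dict:
    """Static facts about a JAR: entries, class files, signature files and Main-Class."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = zf.namelist()
        manifest = ""
        if "META-INF/MANIFEST.MF" in names:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    classes = [n for n in names if n.endswith(".class")]
    # A signed JAR carries META-INF/*.SF plus a *.RSA / *.DSA / *.EC signature block;
    # their absence means the JVM can only show the "untrusted publisher" dialog.
    sig_files = [n for n in names
                 if n.startswith("META-INF/")
                 and n.upper().endswith((".SF", ".RSA", ".DSA", ".EC"))]
    m = re.search(r"^Main-Class:\s*(\S+)", manifest, re.MULTILINE)
    return {
        "entries": names,
        "classes": classes,
        "signature_files": sig_files,
        "main_class": m.group(1) if m else None,
    }


def triage(filename: str, jar_bytes: bytes) -> list:
    """Return human-readable findings that should make an analyst look closer."""
    info = inspect_jar(jar_bytes)
    findings = []
    lower = filename.lower()
    if "flash" in lower or lower.startswith("adobe"):
        # Flash Player was never shipped as a Java archive, so the name is impersonation.
        findings.append("filename impersonates Adobe Flash but the file is a Java archive")
    if not info["signature_files"]:
        findings.append("JAR is unsigned (no META-INF/*.SF or signature block)")
    main_class = info["main_class"]
    if main_class and (main_class.replace(".", "/") + ".class") not in info["classes"]:
        findings.append("Main-Class %s is not present in the archive" % main_class)
    if len(info["classes"]) == 1:
        findings.append("single class %s carries a name unrelated to the file name"
                        % info["classes"][0])
    return findings


if __name__ == "__main__":
    for finding in triage("AdobeFlashPlayer.jar", build_sample_jar()):
        print("-", finding)
```

Run it as-is to see the three findings for the constructed sample, or replace `build_sample_jar()` with the bytes of a file pulled from quarantine. The checks are deliberately static (no class is loaded and nothing is executed), which is why they are safe to run on a malicious archive.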

Incredibly Apple releases Java update for OS X on the same day as Oracle

(LiveHacking.Com) – In the past Apple has come under heavy criticism due to the unacceptable amount of time it takes the Cupertino company to release Java updates for its OS X operating system. April and May saw a massive malware breakout on OS X due to a vulnerability in Java. The problem was that Oracle fixed the vulnerability in February but Apple didn’t release a patch until April. In the intervening months over half a million Macs got infected with the Flashback Trojan.

This time around Oracle has patched a number of Critical vulnerabilities in Java and Apple has stepped up its game. On the same day as Oracle, Apple released a Java update for Mac OS X v10.6 Snow Leopard and OS X v10.7 Lion.

The Java update fixes 14 security issues, 12 of which are remotely exploitable without authentication. This means that they can be exploited over a network without the need for a username and password. The most serious of the vulnerabilities allows an untrusted Java applet to execute arbitrary code outside the Java sandbox. Visiting a web page containing a maliciously crafted untrusted Java applet may lead to arbitrary code execution with the privileges of the current user.

The OS X update also includes some security hardening measures. First, the Java browser plugin and Java Web Start are deactivated if they are not used for 35 days. By default they are automatically deactivated. Secondly, the Java browser plugin and Java Web Start are deactivated if they do not meet the criteria for the minimum safe version. The minimum safe version of Java is updated daily, as needed. To re-enable Java a newer version needs to be installed.

The update from Oracle affects the following versions of Java:

  • JDK and JRE 7 Updates 4 and earlier
  • JDK and JRE 6 Update 32 and earlier
  • JDK and JRE 5.0 Update 35 and earlier
  • SDK and JRE 1.4.2_37 and earlier
  • JavaFX 2.1 and earlier

Oracle to patch 14 security vulnerabilities in Java this week

Java has become a consistent target for hackers in their attempts to find system vulnerabilities which allow them to execute arbitrary code on a victim’s machine. Recently a vulnerability in Java was responsible for one of the largest outbreaks of malware on Apple’s OS X operating system. Oracle has now announced that it will patch a further 14 security vulnerabilities in Java this week, 12 of these can be remotely exploited without authentication.

“This Critical Patch Update contains 14 new security fixes for Oracle Java SE. 12 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password,” wrote Oracle.

Affected versions are JDK and JRE 7 Update 4 and earlier, JDK and JRE 6 Update 32 and earlier, JDK and JRE 5.0 Update 35 and earlier, SDK and JRE 1.4.2_37 and earlier and JavaFX 2.1 and earlier.

Once Oracle has released its patches the question remains – will Apple update its built-in version of Java quickly, and will users upgrade to the latest version?

“I’ve repeatedly encouraged readers to uninstall this program,” said Brian Krebs, former in-house security expert for The Washington Post. “Not only because of the constant updating it requires, but also because there seems to be a never-ending supply of new exploits available for recently-patched or undocumented vulnerabilities in the program.”

Flashback Still a Problem, Large Number of Macs Still Infected

(LiveHacking.Com) – According to new figures released by Dr. Web, over half a million Macs are still infected with the Flashback Trojan. The number of infected Macs rose to over 650,000 on April 4th and has remained consistent since, even though Apple has released patches to fix the vulnerability used by the trojan. These numbers are in stark contrast to figures released by Symantec, who say that “currently, it appears that the number of infected computers has tapered off, but remains around the 140,000 mark.”

Computerworld spoke with Symantec who have now revised their outlook and are agreeing with Dr. Web’s analysis. “We’ve been talking with them about the discrepancies in our numbers and theirs,” said Liam O Murchu, manager of operations at Symantec’s security response center, in an interview. “We now believe that their analysis is accurate, and that it explains the discrepancies.” To count the number of infections Symantec uses sinkholes and according to a blog update, these “sinkholes are receiving limited infection counts for” Flashback.

Flashback is spreading due to a Java concurrency vulnerability (CVE-2012-0507) which was fixed in Java 6 Update 31 and Java 7 Update 3 on Feb. 15, 2012, but only on the Windows platform. This left Mac users vulnerable. Apple finally fixed the vulnerability in early April, but by then the trojan had started to spread rapidly.

The exploit used by Flashback is based on a vulnerability in AtomicReferenceArray which allows the malware to disable the Java runtime sandbox mechanism. This is done by creating specially crafted serialized object data which, due to a logic error (not a memory corruption), allows the attacker to run arbitrary code on the victim’s Mac. The Flashback trojan, so named because the first variant was distributed as a fake Flash Player installer, uses Java vulnerabilities dating back to 2009 through 2011.

Here at LiveHacking we urge Mac users to install the Java updates and afterwards scan their systems to check whether they have been infected. Apple has released a Flashback removal tool.

Apple Updates Java to Stop Mac Flashback Malware Which Exploits Java Concurrency Vulnerability

(LiveHacking.Com) – Almost six weeks after Oracle updated Java for the Windows platform, Apple has released the same Java fixes for Mac OS X 10.7 and 10.6. According to the security advisory the update includes a fix for a serious vulnerability which “may allow an untrusted Java applet to execute arbitrary code outside the Java sandbox.” This is of course referring to the Java concurrency vulnerability which is being used by the BlackHole exploit kit on Windows and the Flashback malware on OS X.

According to Apple, Macs can become infected with malware which exploits this bug just by visiting a web page containing a maliciously crafted untrusted Java applet. Since the vulnerability allows hackers to break out of the sandbox, Apple notes that this “may lead to arbitrary code execution with the privileges of the current user.”

Thankfully the update is available for OS X 10.6 Snow Leopard as well as 10.7 Lion. There were concerns that Apple would silently drop support for 10.6 as it has done for 10.5. OS X Leopard, as 10.5 was known, runs on Intel Macs, but Apple insists on users upgrading. Recently Apple dropped 10.6 as a viable platform for developing iOS applications when it didn’t release the iPad 3 SDK for that version. The full list of OS X versions supported by the update is: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7.3, Lion Server v10.7.3.

Once you have updated, open Terminal and type “java -version” to check the Java version number; you should see “java version "1.6.0_31"” if the upgrade was successful.

Since OS X 10.5 Leopard isn’t updated, its users should disable Java immediately. You can find instructions on how to do this here, and how to disable the Java browser plugins is shown in this short video.

This release updates Java to version 1.6.0_31, and Apple is recommending that users read the Java website at http://www.oracle.com/technetwork/java/javase/releasenotes-136954.html for more information.
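For anyone checking more than one Mac, the “java -version” test above is easy to script, and the same comparison is what the “minimum safe version” rule in Apple’s later Java update (described in the article above on Apple releasing Java updates on the same day as Oracle) amounts to. The following is an added example written for this page, not Apple’s or Oracle’s code: it parses the banner that `java -version` prints (note that the JVM writes it to stderr, not stdout), turns the `1.6.0_31` form into a comparable tuple, and reports whether the installed build meets the 1.6.0_31 minimum the article gives. The sample banners are constructed, not captured from a real machine.

```python
import re
import subprocess

# Minimum safe version for the Apple update discussed above (Java 1.6.0_31).
MINIMUM_SAFE = "1.6.0_31"

# Matches the first line of `java -version`, e.g. java version "1.6.0_31"
VERSION_RE = re.compile(r'java version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?')


def parse_java_version(banner: str):
    """Return (major, minor, micro, update) from a java -version banner, or None."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, micro, update = m.groups()
    return (int(major), int(minor), int(micro), int(update or 0))


def is_at_least(banner: str, minimum: str = MINIMUM_SAFE) -> bool:
    """True when the banner's version is at or above the minimum safe version."""
    have = parse_java_version(banner)
    want = parse_java_version('java version "%s"' % minimum)
    return have is not None and have >= want


def installed_java_banner() -> str:
    """Run `java -version` on this machine; the banner is written to stderr."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True,
                              text=True, timeout=20)
    except (OSError, subprocess.TimeoutExpired):
        return ""
    return proc.stderr or proc.stdout


# Constructed sample banners (assumed shapes, not captured output):
SAMPLE_PATCHED = 'java version "1.6.0_31"\n'
SAMPLE_STALE = 'java version "1.6.0_29"\n'


def report(banner: str) -> str:
    """One-line verdict suitable for an inventory spreadsheet."""
    version = parse_java_version(banner)
    if version is None:
        return "no Java runtime found (or unrecognised banner)"
    label = "%d.%d.%d_%02d" % version
    status = "OK" if is_at_least(banner) else "NEEDS UPDATE"
    return "%s: %s (minimum %s)" % (status, label, MINIMUM_SAFE)


if __name__ == "__main__":
    print(report(installed_java_banner()))
```

The tuple comparison also handles the Java 7 line correctly: a banner of `1.7.0_03` (Java 7 Update 3, the parallel fix mentioned elsewhere on this page) compares above `1.6.0_31` because the minor version wins before the update number is consulted.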

Mac Flashback Malware Updated to Exploit Java Concurrency Vulnerability

(LiveHacking.Com) – Following the news that various exploit kits for Windows (including BlackHole) have been updated to integrate exploits for the Java concurrency vulnerability (CVE-2012-0507), it is now being reported that the OS X specific malware known as Flashback has also been updated to exploit the same vulnerability. The vulnerability was fixed in Java 6 Update 31 and Java 7 Update 3 on Feb. 15, 2012, but only on the Windows platform. This left Mac users vulnerable.

The latest version of OS X (10.7 – Lion) doesn’t include Java by default; however, it can be downloaded and installed when needed. The last update Apple released for Java was in November 2011. In addition, a portion of Mac users have remained on OS X 10.6 Snow Leopard (which included Java by default). Apple has been quietly dropping support for 10.6 and it remains to be seen whether any eventual Java update will include the older platform.

The exploit used by Flashback is based on a vulnerability in AtomicReferenceArray which allows the malware to disable the Java runtime sandbox mechanism. This is done by creating specially crafted serialized object data which, due to a logic error (not a memory corruption), allows the attacker to run arbitrary code on the victim’s Mac. The exploit is very reliable.

Flashback, so named because the first variant was distributed as a fake Flash Player installer, uses Java vulnerabilities dating back to 2009 through 2011. But all of those vulnerabilities had been previously patched, up until now that is. This latest variant can install itself on any Mac – even those with all the latest updates installed.

Although Oracle released the fix for the concurrency vulnerability back in February, Apple distributes its own self-compiled version of Java for Macs from Oracle’s source code and subsequent patches. However, its release schedule is behind that of the Oracle builds for Java on Windows. It has long been said that this delay in shipping security-related patches for Java on Mac OS could be used by malware writers to their advantage, and the new Flashback.K malware confirms exactly that.

The best advice right now is for Mac users to disable Java completely unless it is absolutely necessary. You can find instructions on how to do this here.

Exploit Kits Having Success with Recent Java Concurrency Vulnerability

(LiveHacking.Com) – Well-known security blogger Brian Krebs has released an overview of how different exploit kits, including the widely used BlackHole pack, have now integrated exploits for a Java concurrency vulnerability (CVE-2012-0507) that was fixed in Java 6 Update 31 and Java 7 Update 3 on Feb. 15, 2012. According to Microsoft’s Malware Protection Center, new malware samples are coming to light that are proving highly successful at exploiting the flaw. The malware which Microsoft analysed loaded the ZeuS Trojan (PWS:Win32/Zbot.gen!Y), but the exploit kits allow hackers to install the malware of their choosing.

The exploit used in the automated kits uses a vulnerability in AtomicReferenceArray to disable the Java runtime sandbox mechanism. To do this the attacker deliberately creates specially crafted serialized object data which, due to a logic error (not a memory corruption), allows the attacker to run arbitrary code on the victim’s PC. The exploit is very reliable.

Java seems to yield a never-ending supply of new exploits for attackers to use. “On at least two Underweb forums where I regularly lurk, there are discussions among several core members about the sale and availability of an exploit for an as-yet unpatched critical flaw in Java,” wrote Krebs. “I have not seen firsthand evidence that proves this 0 day exploit exists, but it appears that money is changing hands for said code.”

According to Marcus Carey, a security researcher at Rapid7, upwards of 60 to 80 percent of users probably have not yet applied the latest Java patches. And over the long term, research has shown that upwards of 60% of Java installations are never at the current patch level, allowing even older exploits to be used to compromise a victim’s PC.

Rapid7 researched the typical patch cycle for Java and identified a telling pattern of behavior, namely that during the first month after a Java patch is released, adoption is less than 10%. After 2 months, approximately 20% have applied patches, and after 3 months, maybe more than 30% are patched. They determined that the highest patch rate last year was 38%, with Java 6 Update 26, 3 months after its release.

New Variants of Flashback Trojan for OS X Found

(LiveHacking.Com) – New variants of the Flashback trojan for OS X have been spotted by security researchers from Intego. Flashback.G does not use an installer (unlike the previous incarnations), meaning that if a user visits a web page (and they have not applied Apple’s Java updates) then the installation will occur without any user interaction. For those with up-to-date Java installations the trojan will trigger a certificate alert, but they won’t be asked for the user password.

The trojan horse uses three methods to infect Macs. First it tries to install via one of two known Java vulnerabilities, one from way back in 2008, the other from last year. Successful exploitation of these vulnerabilities means the machine becomes infected without any user intervention. Those running Macs with the latest Java updates will not be affected by these first two attempts. However, if the Java exploits fail then the trojan tries again with a social engineering trick. The applet displays a self-signed certificate, claiming to be issued by Apple. Users who click on “Continue” will open the machine to infection.

Once installed the trojan patches applications like Safari and Skype to sniff out usernames and passwords, especially for sites like Google, Yahoo!, CNN and PayPal. A possible clue that a Mac has become infected is that applications like Safari start to crash as the trojan code makes the programs unstable.

“I don’t want to give [the hackers] more credit than they deserve, but [Flashback.G] is particularly sophisticated,” said Peter James, a spokesman for Intego, who spoke to ComputerWorld. “The Java vulnerability [approach] doesn’t require user interaction, and they’re putting victims into a strainer,” he added, referring to the social engineered-style fake certificate tactic that’s employed only if the Mac is invulnerable to the Java exploits.

Oracle Releases Critical Patch Update for Java

(LiveHacking.Com) – Oracle has released a collection of patches to address multiple security vulnerabilities in Java. The “Critical Patch Update” contains 14 security fixes for the following products:

  • JDK and JRE 7 Update 2 and earlier
  • JDK and JRE 5 Update 30 and earlier
  • JDK and JRE 5.0 Update 33 and earlier
  • SDK and JRE 1.4.2_35 and earlier
  • JavaFX 2.0.2 and earlier

All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. Little else is known about the patches except that 5 of the 14 have a Common Vulnerability Scoring System (CVSS) score, the severity rating system used by Oracle, of 10 out of 10.

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply the update fixes as soon as possible.

Microsoft First to Patch Universal Hash Table Collision Vulnerability with Out-of-band Update

(LiveHacking.Com) – Security researchers have exposed a flaw in the way popular web programming languages (such as PHP, ASP.NET and Python) handle hash table collisions, resulting in huge CPU usage and a subsequent denial of service. The discoveries were announced yesterday (Wednesday) at the Chaos Communication Congress event in Germany. The flaw is industry-wide and affects many popular web technologies including PHP, ASP.NET, Java, Python, Ruby, Apache Tomcat, Apache Geronimo, Jetty, and Glassfish, as well as Google’s open source JavaScript engine V8.

Although hash collision denial-of-service attacks have been discussed since 2003, Alexander Klink and Julian Wälde have now shown that many programming languages use hash tables while parsing POST forms to make the fields easily accessible to application developers. And so it is possible for an attacker to send a small number of specially crafted POST requests to a server, causing high CPU utilization and creating a denial of service condition.

“If the language does not provide a randomized hash function or the application server does not recognize attacks using multi-collisions, an attacker can degenerate the hash table by sending lots of colliding keys. The algorithmic complexity of inserting n elements into the table then goes to O(n**2), making it possible to exhaust hours of CPU time using a single HTTP request” write the pair in their advisory.
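The O(n**2) degeneration in the advisory quote above, and the two defences it names (a randomized hash function, or the server refusing pathological input), can be seen directly on a small hash table. The block below is an added example written for this page, not code from the advisory or from any affected runtime. It uses a deliberately weak toy hash (sum of byte values) so that a set of distinct keys with equal byte sums all land in one bucket, counts the key comparisons a separate-chaining table performs while inserting them, and then repeats the insert with a keyed hash whose seed a remote sender cannot know. The form-field cap in `parse_form` is an assumed mitigation of the kind the advisory alludes to, not a description of any vendor's patch; the sample keys and form bodies are constructed.

```python
import hashlib

BUCKETS = 64


def weak_hash(key: str) -> int:
    """Toy, fully predictable hash: sum of byte values mod bucket count."""
    return sum(key.encode()) % BUCKETS


def make_keyed_hash(seed: bytes):
    """A per-process keyed hash; without the seed a remote party cannot pick
    colliding keys. Real runtimes seed their string hash the same way."""
    def keyed(key: str) -> int:
        digest = hashlib.blake2b(key.encode(), key=seed, digest_size=8).digest()
        return int.from_bytes(digest, "big") % BUCKETS
    return keyed


class ChainedTable:
    """Minimal separate-chaining hash table that counts key comparisons on insert."""

    def __init__(self, hash_fn):
        self.hash_fn = hash_fn
        self.buckets = [[] for _ in range(BUCKETS)]
        self.comparisons = 0

    def insert(self, key, value):
        chain = self.buckets[self.hash_fn(key)]
        for entry in chain:          # every existing entry in the chain is compared
            self.comparisons += 1
            if entry[0] == key:
                entry[1] = value
                return
        chain.append([key, value])


def equal_sum_keys(n: int):
    """Constructed input: n distinct strings with identical byte sums, so that
    weak_hash sends all of them to the same bucket (a 'multi-collision')."""
    return ["a" * i + "c" + "a" * (n - 1 - i) for i in range(n)]


def insert_cost(hash_fn, keys) -> int:
    """Total key comparisons needed to insert `keys` into a fresh table."""
    table = ChainedTable(hash_fn)
    for k in keys:
        table.insert(k, True)
    return table.comparisons


def parse_form(body: str, max_fields: int = 1000) -> dict:
    """Defensive form parser: refuse bodies with more fields than a sane limit
    before any field touches the hash table (assumed limit, not from the page)."""
    pairs = body.split("&") if body else []
    if len(pairs) > max_fields:
        raise ValueError("too many form fields: %d" % len(pairs))
    form = {}
    for pair in pairs:
        name, _, value = pair.partition("=")
        form[name] = value
    return form


if __name__ == "__main__":
    keys = equal_sum_keys(200)
    print("weak hash, 200 colliding keys:", insert_cost(weak_hash, keys), "comparisons")
    print("keyed hash, same keys:       ", insert_cost(make_keyed_hash(b"demo-seed"), keys), "comparisons")
```

With the weak hash the 200 constructed keys cost 0 + 1 + ... + 199 = 19900 comparisons, the quadratic growth the advisory describes; with the keyed hash the same keys spread across the 64 buckets and the count drops by more than an order of magnitude. Raising `n` makes the gap grow quadratically, which is why a single request can burn seconds of CPU on a real runtime.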

Microsoft has been one of the first to respond to this issue, with several announcements including Security Advisory 2659883 and an advance notification of an out-of-band security update to address the issue. The release is scheduled for today, December 29, at approximately 10 a.m. PST.

According to Microsoft’s security advisory this vulnerability could allow an anonymous attacker to efficiently consume all CPU resources on a web server, or even on a cluster of web servers. For ASP.NET in particular, a single specially crafted ~100kb HTTP request can consume 100% of one CPU core for between 90 and 110 seconds. The .NET Framework is vulnerable from version 1.0 right through to version 4.0.

Microsoft is rating this out-of-band bulletin as “Critical” and it is likely it will release updates for

  • Microsoft .NET Framework 1.0 Service Pack 3 (Media Center Edition 2005 and Tablet PC Edition 2005 only)
  • Microsoft .NET Framework 1.1 Service Pack 1
  • Microsoft .NET Framework 2.0 Service Pack 2
  • Microsoft .NET Framework 3.5 Service Pack 1
  • Microsoft .NET Framework 3.5.1
  • Microsoft .NET Framework 4

for Windows XP, Server 2003, Vista, Windows 7, Windows Server 2008 and Windows Server 2008 R2 across Intel 32-bit, Intel 64-bit and Itanium where applicable.

The Ruby Security Team has updated Ruby 1.8.7. The Ruby 1.9 series is not affected by this attack. Additional information can be found in the Ruby 1.8.7 patchlevel 357 release notes.

More information regarding this vulnerability can be found in US-CERT Vulnerability Note VU#903934 and n.runs Security Advisory n.runs-SA-2011.004.