vulnerability

macOS High Sierra security vulnerability discovered, here’s how to set a root password to fix it

Update #2: An official fix is now available; no restart required.

Update: An Apple spokesperson has issued the following statement, saying an update is in the works:

“We are working on a software update to address this issue. In the meantime, setting a root password prevents unauthorized access to your Mac. To enable the Root User and set a password, please follow the instructions here. If a Root User is already enabled, to ensure a blank password is not set, please follow the instructions from the ‘Change the root password’ section.”

A newly discovered macOS High Sierra flaw potentially leaves your personal data at risk. Developer Lemi Orhan Ergin publicly contacted Apple Support to ask about a vulnerability he had discovered: anyone with physical access to a macOS machine can gain root access without supplying any admin credentials (Apple’s statement above points at the cause, a root account whose password is blank), and from there read and change personal files on the system.

Users who haven’t disabled the guest account or set a root password (likely most) are currently exposed to this vulnerability. We’ve included instructions on how to protect yourself in the meantime, until Apple’s official fix is released.



Sparkle Updater vulnerability puts ‘huge’ number of Mac apps at risk of hijacking


A new vulnerability in Sparkle has put a “huge” number of Mac applications at risk of hijacking. For those unfamiliar, Sparkle is an update framework commonly used by third-party apps distributed outside the App Store to push updates to users. Apps susceptible to the hijack include Camtasia, uTorrent, DuetDisplay, and Sketch. The attack works on both OS X Yosemite and El Capitan (via Ars Technica).


Nasty Mac vulnerability allows remote attack, survives OS X reinstallation & even drive format


A serious vulnerability in Macs more than a year old would allow an attacker to take permanent control of the machine, retaining control even if the user reinstalls OS X or reformats the drive.

The vulnerability was discovered by security researcher Pedro Vilaca, who found a way to reflash the machine’s boot firmware (the BIOS/EFI code, which lives in flash memory on the logic board rather than on the drive). That means the machine remains compromised even if the hard drive is physically replaced … 

OS X 10.10.3 update failed to fix Rootpipe vulnerability, says former NSA staffer


Video: “Phoenix: RootPipe Reborn” by Patrick Wardle on Vimeo.

A former NSA staffer says that the OS X 10.10.3 update, which Apple claims fixed a significant security vulnerability, has failed to do so, reports Forbes. Patrick Wardle, who now heads up research at security firm Synack, demonstrated the vulnerability in a video (without revealing exactly how it was done) in order to give Apple time to issue a further fix.

The Rootpipe vulnerability allows an attacker with local access to a Mac to escalate their privileges to root – allowing them full control of the machine – without further authentication. A second security researcher confirmed the flaw … 

HTTPS bug leaves 1,500 iOS apps vulnerable to man-in-the-middle attacks, finds analytics company


[Image: the buggy code highlighted by Ars Technica]

A bug in the way that 1,500 iOS apps establish secure connections to servers leaves them vulnerable to man-in-the-middle attacks, according to analytics company SourceDNA (via arsTechnica). The bug means anyone intercepting data from an iPhone or iPad could access logins and other sensitive information sent using the HTTPS protocol.

In a man-in-the-middle attack, an attacker positioned between the device and the server, for example by running a fake Wi-Fi hotspot, intercepts the data passing through. Normally this fails against secure connections, because the attacker cannot present a certificate for the real site that the device would trust. However, the bug discovered by SourceDNA means the vulnerable apps fail to check the certificate … 

U.S. Department of Homeland Security warns iOS users about ‘Masque Attack’ security flaw

The U.S. Department of Homeland Security on Thursday issued an alert warning iOS users about the recent “Masque Attack” security flaw that can affect both non-jailbroken and jailbroken iPhone, iPad and iPod touch devices. The United States Computer Emergency Readiness Team outlines how the technique works and offers solutions on how iOS users can protect themselves.

Home Depot blames security breach on Windows, senior executives given new MacBooks and iPhones

Earlier this week, The Wall Street Journal published an in-depth look at The Home Depot’s recent security breach of its payment data systems, in which 56 million credit card accounts and 53 million email addresses of customers were compromised. A root cause of the security breach: a Windows vulnerability in the retailer’s main computer network.

Countless celebrity nude photo leaks being blamed on supposed iCloud hack (Updated)


Reports are swirling around the internet that a large number of private celebrity photos have leaked (no, we’re not going to link to them), and rumors, so far baseless, claim that someone found a vulnerability in Apple’s iCloud platform and exploited it to obtain the images. Among the celebrities reportedly involved are Jennifer Lawrence, Kate Upton, Avril Lavigne, Mary Elizabeth Winstead, Mary-Kate Olsen, Hilary Duff, and many others.


Apple patched a major SSL bug in iOS yesterday, but OS X is still at risk


Update: Apple says an OS X fix is coming soon.

Yesterday Apple released iOS 7.0.6, alongside new builds for iOS 6 and Apple TV, which it said provided “a fix for SSL connection verification.” Apple gave little detail on the bug, but it wasn’t long before the answer was at the top of Hacker News. The minor-sounding fix actually addressed a major flaw: during the TLS handshake the client could be tricked into accepting a server signature it never actually verified, which in theory lets an attacker intercept communications between any affected device (any app using the system SSL stack, not just the browser) and just about any SSL-protected site. The bug is also present in current builds of OS X, for which Apple has yet to release a security patch.

Researchers from CrowdStrike described the bug in a report:

“To pull off the attack an adversary has to be able to Man-in-The-Middle (MitM) network connections, which can be done if they are present on the same wired or wireless network as the victim. Due to a flaw in authentication logic on iOS and OS X platforms, an attacker can bypass SSL/TLS verification routines upon the initial connection handshake. This enables an adversary to masquerade as coming from a trusted remote endpoint, such as your favorite webmail provider and perform full interception of encrypted traffic between you and the destination server, as well as give them a capability to modify the data in flight (such as deliver exploits to take control of your system).”

Adam Langley, a senior software engineer at Google, also wrote about the flaw on his blog ImperialViolet and created a test site that checks whether your browser is affected.
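The flaw Langley wrote up is the one that became known as “goto fail” (CVE-2014-1266): a duplicated `goto fail;` line in the routine that checks the signature on the server’s key-exchange message. The following is an added example written for this page, not Apple’s source code: it reconstructs only the control-flow shape of the bug in a self-contained form. The hash and signature helpers are hypothetical stand-ins (a toy digest and a compare), so the file compiles and runs on its own without the real SecureTransport code.

```c
/* Added illustration (not Apple's source): a minimal reconstruction of the
 * control-flow shape of the "goto fail" bug (CVE-2014-1266) in SecureTransport's
 * SSLVerifySignedServerKeyExchange. The hash and signature routines below are
 * hypothetical stand-ins so the file compiles and runs stand-alone. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef int OSStatus;
enum { errSecSuccess = 0, errSSLBadSignature = -9808 };

/* Hypothetical stand-in for the SSLHash*.update calls: a toy 32-bit mix. */
static OSStatus hash_update(uint32_t *ctx, const uint8_t *data, size_t len)
{
    for (size_t i = 0; i < len; i++)
        *ctx = (*ctx * 31u) ^ data[i];
    return errSecSuccess;
}

/* Hypothetical stand-in for the server's signing step: the "signature" is
 * simply the 4-byte big-endian digest of the key-exchange parameters. */
void sign_params(const uint8_t *params, size_t params_len, uint8_t sig_out[4])
{
    uint32_t ctx = 0;
    hash_update(&ctx, params, params_len);
    sig_out[0] = (uint8_t)(ctx >> 24); sig_out[1] = (uint8_t)(ctx >> 16);
    sig_out[2] = (uint8_t)(ctx >> 8);  sig_out[3] = (uint8_t)ctx;
}

/* Stand-in for the public-key verify: compare the signature to the digest. */
static OSStatus verify_signature(uint32_t digest, const uint8_t *sig, size_t sig_len)
{
    uint8_t expected[4] = { (uint8_t)(digest >> 24), (uint8_t)(digest >> 16),
                            (uint8_t)(digest >> 8),  (uint8_t)digest };
    if (sig_len != sizeof expected || memcmp(expected, sig, sizeof expected) != 0)
        return errSSLBadSignature;
    return errSecSuccess;
}

/* Vulnerable shape. The second "goto fail;" is not guarded by the if, so it
 * always executes: err still holds errSecSuccess from the hash update, the
 * signature check is skipped, and the function reports success for ANY sig. */
OSStatus verify_server_key_exchange_buggy(const uint8_t *params, size_t params_len,
                                          const uint8_t *sig, size_t sig_len)
{
    OSStatus err;
    uint32_t ctx = 0;

    if ((err = hash_update(&ctx, params, params_len)) != 0)
        goto fail;
        goto fail;   /* the duplicated line: unconditional, skips the verify */
    if ((err = verify_signature(ctx, sig, sig_len)) != 0)
        goto fail;

fail:
    return err;
}

/* Fixed shape: the stray line is gone, so verify_signature decides the result. */
OSStatus verify_server_key_exchange_fixed(const uint8_t *params, size_t params_len,
                                          const uint8_t *sig, size_t sig_len)
{
    OSStatus err;
    uint32_t ctx = 0;

    if ((err = hash_update(&ctx, params, params_len)) != 0)
        goto fail;
    if ((err = verify_signature(ctx, sig, sig_len)) != 0)
        goto fail;

fail:
    return err;
}

int main(void)
{
    /* Constructed sample: key-exchange bytes a MitM would substitute, plus a
     * forged signature (the genuine one with its first byte flipped). */
    const uint8_t params[] = { 0x03, 0x00, 0x17, 0x41 };
    uint8_t good[4], forged[4];
    sign_params(params, sizeof params, good);
    memcpy(forged, good, sizeof forged);
    forged[0] ^= 0xff;

    printf("buggy, forged signature: %d\n",
           verify_server_key_exchange_buggy(params, sizeof params, forged, sizeof forged));
    printf("fixed, forged signature: %d\n",
           verify_server_key_exchange_fixed(params, sizeof params, forged, sizeof forged));
    printf("fixed, valid signature:  %d\n",
           verify_server_key_exchange_fixed(params, sizeof params, good, sizeof good));
    return 0;
}
```

Why this is a full interception bug rather than a mere warning skipped: in the real handshake the attacker can replay the genuine site’s certificate chain (which the client still validates correctly), then send its own ephemeral key-exchange parameters with garbage in the signature field. Because the buggy path returns success before the signature is ever checked, the client completes the handshake with the attacker’s key and everything that follows is readable and modifiable in transit. The practical lesson is that an unconditional statement after an unbraced `if` is invisible to a casual read; compiling with unreachable-code warnings enabled, requiring braces around every conditional body, and unit-testing the negative case (a bad signature must be rejected) would each have caught it.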

Two minute SIM card hack could leave 25 percent of phones vulnerable to spying



A two minute SIM card hack could allow an intruder to listen to your phone calls, send text messages from your phone number and make mobile payments from your account. The vulnerability, discovered by a German security researcher, is present in an estimated 750 million SIM cards – around one in four of all SIM cards.

Give me any phone number and there is some chance I will, a few minutes later, be able to remotely control this SIM card and even make a copy of it … 

Yet another Java vulnerability discovered, researchers recommend disabling browser plug-in


Following an attack on a small number of corporate Macs that exploited a flaw in the Java browser plug-in, researchers from security firm FireEye have warned of yet another Java zero-day vulnerability. According to a blog post published yesterday (via IDG), browsers running Java 1.6 Update 41 and Java 1.7 Update 15 are vulnerable to a malware attack that installs a remote access tool known as McRAT. The exploit is reportedly different from the one used to attack Facebook, Twitter, Apple, and several other companies last month. After that earlier attack, Apple released a Java update bringing users to version 1.6.0_41. These new vulnerabilities follow several Java updates over the past year that addressed exploits.

FireEye recommended users disable Java until Oracle addresses the issue:

We have notified Oracle and will continue to work with Oracle on this in-the-wild discovery. Since this exploit affects the latest Java 6u41 and Java 7u15 versions, we urge users to disable Java in your browser until a patch has been released; alternatively, set your Java security settings to “High” and do not execute any unknown Java applets outside of your organization.

Oracle provided the instructions below for uninstalling Java on Mac:

iOS 6 bug lets institutional users bypass ‘Don’t Allow Changes’ account restriction, install unapproved apps (Update: fixed)


Update (Feb 21st): This has been fixed, according to a reader. The iTunes and App Stores are HTML-based on the backend, so Apple can “push” fixes through server-side code changes without shipping an iOS update:

As of this morning, the bug is gone! No update required! Looks like somehow they pushed the update! I can no longer change the account in the App Store or iTunes Store! This reminds me of when I was beta testing 6.0 and Apple changed the behavior of downloading updates to not require a password (they also allowed free apps with no password for a short while). That didn’t need an update to change either. They seem to have ways of fixing App Store behavior without needing to update iOS. I’m still running 6.1 on my devices, haven’t gone to 6.1.2 yet.

Would be nice for an official answer from Apple, but so far, it’s working correctly! Also, I see redeem and send gift are grayed out also, at the bottom of the App Store. Same for iTunes Store.

For those unaware, iOS 6 added stronger Restrictions settings, including a “Don’t Allow Changes” option that locks an iOS device to the account linked to it. This option is particularly useful for schools and organizations that want to limit a device to a specific account and keep students and others from installing apps the institution hasn’t approved. Without the restriction, students or employees could easily change the iTunes account linked to the device. Unfortunately, as noticed by one frustrated 9to5Mac reader, there are several ways to bypass the setting…

