Showing posts with label Windows. Show all posts

Wednesday, 4 April 2012

CRITICAL Java Updates: Mac OS X 10.6 Update 7 and 10.7 Update 2012-002 (formerly 001)

--
[Updated 2012-04-06:
For users of Mac OS X 10.7, Java update 2012-002 has been released today to correct an error in the .DMG installation file for 2012-001. The 2012-001 installer has been withdrawn. I interpret this to mean that the flaw in 001 was critical. Therefore, please install Java for OS X 2012-002 IMMEDIATELY! It has been reported that over 600,000 (not a typo) Macs are now infected with the Flashback Trojan horse / botnet malware! This is unprecedented in Mac history. This Java update kills off a Drive-By method of Mac infection by the Flashback malware.]

If you haven't already installed the latest Java update for Mac OS X 10.6 Snow Leopard and 10.7 Lion, INSTALL IT NOW. No excuses. The best method of installation in this case is via Software Update, available under the Apple menu. There is currently a problem with the direct download version for 10.7 whereby it FAILs the fsck check the OS runs during DMG file verification. See details below.

This particular update is CRITICAL because there is an active exploit against the older version of Java that results in Drive-By infection of Mac machines without requiring the user to provide a password. This is unheard of on Macs. It is specifically a Java problem, NOT a Mac OS X problem. Don't blame Apple. Blame the lazy crapcoders at ORACLE.

Windows users have had this particular Java update for MONTHS. Supposedly Apple and Oracle have an arrangement whereby Oracle are now writing Mac updates for Java. But that arrangement is FAILing.

Earlier today I posted reviews of this update at both VersionTracker/CNET and MacUpdate. I have provided a somewhat redundant summary below with details about how to turn OFF Java, which I highly recommend, as well as some rant action.

8 8 8 8 8 8 8 8 8 8 8 8

Good: This CRUCIAL Java update patches an active exploit against Macs. Better a late update than never. Java is occasionally useful.

Bad: Java is now one of the most INSECURE Internet technologies. If you don't use Java, TURN IT OFF! Oracle and Apple are NOT providing Mac Java updates in a timely manner. This Java update for Mac provides an update that Windows users have had for months. For over a week, there has been an active malware exploit against Mac users with the unpatched version of Java.

It is terrific that Apple jumped on this exploit so quickly. However, Apple users MUST be provided with Java patches at the same time as Windows users. Delaying Java patches for Mac users is NOT acceptable.

I have verified that the direct download file of the 10.7 version of Java for OS X 2012-001 FAILs the Mac OS X fsck check during file verification. This is evident in the Console. This is BAD. If you used this downloaded installer, IMMEDIATELY update to the Java for OS X 2012-002 installer!

The BEST way to install this update is from Software Update. You will find it under your Mac's Apple menu. This installation works perfectly.



Now For My Rant:


Java has become a BANE of the Internet. I have turned it OFF. I am sick of the recent Java exploits against Mac users. I don't deal with it. I suggest you turn Java OFF as well, unless you use it regularly.

HOW TO TURN OFF JAVA: 

If you use multiple web browsers (I use six) then the best and simplest way to turn Java OFF is via the Java Preferences app found in your Mac's Utilities folder. Follow these steps:

1) Open the Java Preferences app.


2) Under the 'General' tab, check OFF "Enable applet plug-in and Web Start applications". (Mac OS X 10.6 users: Instead uncheck the plugins for Java SE 6 in the box inside the window).

3) Quit the Java Preferences app.

4) VERIFY IT'S OFF: Open the Java Preferences app, again. Verify that the "Enable..." checkbox remains OFF. If you find it on again, check the damned thing OFF again. Quit Java Preferences. Verify AGAIN as required.

I add this VERIFY step because I personally have seen this checkbox turn on again. If you want to be extra-special certain the box doesn't turn on again, you can go down to the box under the 'General' tab and turn OFF both 64 and 32-bit "Java SE 6", then turn off "Enable". That definitely does the trick.

My #2 Rant: 


SHAME ON ORACLE. That company has RUINED OpenOffice. The LibreOffice branch is now off and running and far superior, leaving the source OpenOffice project irrelevant. Oracle has been just as obtuse with Java, which is now a DETRIMENT to the Internet.

Maybe Java will be made open source, at long last. That would help. Perhaps great developers like those on the LibreOffice team will grab it and make Java seriously great. Until then, BEWARE OF JAVA. I fully expect more Java exploit malware to come. (o_0) 



Now I go all sentimental: 

Remember when Java was supposed to be 100% secure, never able to access your computer directly, entirely safe in its sandboxed little Just-In-Time runtime machine? Remember 'write once, run anywhere'? Remember 'secure memory management'? Fun times in Fantasy Land. 
:-P

Wednesday, 8 December 2010

QuickTime v7.6.9 Update For 10.5.8 & Windows

~~
On December 7, 2010 Apple released QuickTime version 7.6.9 for Mac OS X 10.5.8 and Windows XP, Vista and 7ista. No update is required for Mac OS X 10.6.8 users. It contains 15 security patches, some for both Windows and Mac OS X, and a couple are Windows only. As usual, most of these vulnerabilities are due to memory overflow programming errors. You can read about the security patches at:

About the security content of QuickTime 7.6.9

I'm a bit concerned at the moment that Apple have this update listed as being for only Windows. This is INCORRECT. Hopefully Apple will correct their error today. Most likely they will add a separate listing for the Mac OS X 10.5.8 version.

According to Apple:

QuickTime is incorporated into Mac OS X v10.6 and later. QuickTime 7.6.9 is not presented to systems running Mac OS X v10.6 or later.

I double-checked and verified that all of these CVE issues have already been patched in 10.6.8. Therefore, be certain that your installation of Snow Leopard is up-to-date.

If you've read my previous posts you know that Apple's QuickTime is the very least secure of Apple's software. A great deal of the problem has to do with JavaScript/ECMAScript Hell, as I call it. As usual, I consider JavaScript to be the bane of the Internet and wish it would be entirely scrapped and replaced with a secure scripting language. Read back in my posts if you're interested in my rants about why JavaScript is a catastrophe.

Below is a quick summary of the security holes patched in QuickTime v7. Click on the CVE numbers for further details.

Common Vulnerabilities and Exposures IDs Patched:

CVE-2010-3787 - Heap-based buffer overflow in QuickTime in Apple Mac OS X 10.6.x before 10.6.5 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted JP2 image.

CVE-2010-3788 - QuickTime in Apple Mac OS X 10.6.x before 10.6.5 accesses uninitialized memory locations during processing of JP2 image data, which allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted JP2 file.

CVE-2010-3789 - QuickTime in Apple Mac OS X 10.6.x before 10.6.5 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted AVI file.

CVE-2010-3790 - QuickTime in Apple Mac OS X 10.6.x before 10.6.5 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted movie file.

CVE-2010-3791 - Buffer overflow in QuickTime in Apple Mac OS X 10.6.x before 10.6.5 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted MPEG movie file.

CVE-2010-3792 - Integer signedness error in QuickTime in Apple Mac OS X 10.6.x before 10.6.5 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted MPEG movie file.

CVE-2010-3793 - QuickTime in Apple Mac OS X 10.6.x before 10.6.5 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted Sorenson movie file.

CVE-2010-3794 - QuickTime in Apple Mac OS X 10.6.x before 10.6.5 accesses uninitialized memory locations during processing of FlashPix image data, which allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted FlashPix file.

CVE-2010-3795 - QuickTime in Apple Mac OS X 10.6.x before 10.6.5 accesses uninitialized memory locations during processing of GIF image data, which allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted GIF file.

CVE-2010-3800 - Viewing a maliciously crafted PICT file may lead to an unexpected application termination or arbitrary code execution.

CVE-2010-3801 - Viewing a maliciously crafted FlashPix image may lead to an unexpected application termination or arbitrary code execution.

CVE-2010-3802 - Viewing a maliciously crafted QTVR movie file may lead to an unexpected application termination or arbitrary code execution.

CVE-2010-1508 - Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. Windows only.

CVE-2010-0530 - A local user may have access to sensitive information. Windows only.

CVE-2010-4009 - Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution.

Note: Not all of the CVE numbers have been listed at the National Vulnerability Database. Therefore, I instead provided links to their references at the Common Vulnerabilities and Exposures site. Check back at the CVE site as these CVEs progress beyond 'candidate' status.

Share and Enjoy!

:-D
~~

Thursday, 19 August 2010

Adobe 'Out Of Band' CRITICAL Updates Parade: Acrobat and Reader v9.3.4

--
And the parade marches on. At last we have the latest in CRITICAL Adobe security hole updates. This time the updates are for Adobe Acrobat and Adobe Reader. GET THEM NOW!

Because the process of getting to actual download links at the Adobe site is a huge PITA, here are direct URLs for English Intel Mac users. Send me virtual luv:

Acrobat Reader v9.3.4 update

Adobe Acrobat 9.3.4 Pro update

The general update page for all other users and versions is HERE.

What's so CRITICAL? The update's security bulletin is HERE.

To quote Adobe:

These updates address CVE-2010-2862, which was discussed at the Black Hat USA 2010 security conference on Wednesday, July 28, 2010. They also incorporate the Adobe Flash Player update as noted in Security Bulletin APSB10-16.

My summary:

1) The updates patch memory corruption vulnerabilities that could lead to hacked code execution on your Mac and/or program crashes. IOW it's more of the same old buffer overflow problem that plagues current computer coding in general. (As found in CVE-2010-2862).

Quoting from the CVE:

Integer overflow in CoolType.dll in Adobe Reader 8.2.3 and 9.3.3, and Acrobat 9.3.3, allows remote attackers to execute arbitrary code via a TrueType font with a large maxCompositePoints value in a Maximum Profile (maxp) table.

2) They solve a social engineering attack security hole via PDF files that could lead to hacked code execution on your Mac. (As found in CVE-2010-1240).

Quoting from the CVE:

Adobe Reader and Acrobat 9.x before 9.3.3, and 8.x before 8.2.3 on Windows and Mac OS X, do not restrict the contents of one text field in the Launch File warning dialog, which makes it easier for remote attackers to trick users into executing an arbitrary local program that was specified in a PDF document, as demonstrated by a text field that claims that the Open button will enable the user to read an encrypted message.
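As an added illustration of the integer overflow class behind CVE-2010-2862 in item 1 above (this is constructed example code, not Adobe's CoolType source): a glyph point-buffer count is derived from untrusted 'maxp' fields, first in a form that can wrap, then in a validated form. The field offsets follow the public TrueType 'maxp' v1.0 layout; the glyph_point_t record, the 16-bit total variable and the MAX_REASONABLE_POINTS cap are assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Field offsets in a TrueType 'maxp' table, version 1.0 (public layout). */
#define MAXP_VERSION_10     0x00010000u
#define MAXP_LEN_V10        32u
#define OFF_MAXPOINTS       6u   /* maxPoints: points in any simple glyph     */
#define OFF_MAXCOMPOSITEPTS 8u   /* maxCompositePoints: points in a composite */

/* Assumed per-point record a rasterizer might allocate per glyph point. */
typedef struct { int16_t x, y; uint8_t on_curve; } glyph_point_t;

/* Sanity cap (assumption): more points than this in one glyph is rejected. */
#define MAX_REASONABLE_POINTS 65535u

static uint16_t be16(const uint8_t *p) { return (uint16_t)(((unsigned)p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Vulnerable pattern: two untrusted 16-bit counts are summed into a 16-bit
 * variable, so 0xFFF0 + 0x0020 silently becomes 0x0010 and any buffer sized
 * from it is far smaller than the glyph data the font then supplies. */
size_t unsafe_point_count(const uint8_t *maxp) {
    uint16_t max_points    = be16(maxp + OFF_MAXPOINTS);
    uint16_t max_composite = be16(maxp + OFF_MAXCOMPOSITEPTS);
    uint16_t total = (uint16_t)(max_points + max_composite);  /* wraps here */
    return total;
}

/* Hardened: check table length and version, add in a wider type, bound the
 * result, and make sure the byte size cannot overflow either.
 * Returns 0 and sets *out on success, -1 for any table to be rejected. */
int safe_point_count(const uint8_t *maxp, size_t len, size_t *out) {
    if (len < MAXP_LEN_V10 || be32(maxp) != MAXP_VERSION_10) return -1;
    uint32_t total = (uint32_t)be16(maxp + OFF_MAXPOINTS)
                   + (uint32_t)be16(maxp + OFF_MAXCOMPOSITEPTS);
    if (total > MAX_REASONABLE_POINTS) return -1;
    if (total > SIZE_MAX / sizeof(glyph_point_t)) return -1;
    *out = total;
    return 0;
}

/* Constructed 32-byte maxp v1.0 table carrying only the two fields of interest. */
void build_maxp(uint8_t table[32], uint16_t max_points, uint16_t max_composite) {
    memset(table, 0, 32);
    table[1] = 0x01;                                   /* version 0x00010000 */
    table[OFF_MAXPOINTS]           = (uint8_t)(max_points >> 8);
    table[OFF_MAXPOINTS + 1]       = (uint8_t)max_points;
    table[OFF_MAXCOMPOSITEPTS]     = (uint8_t)(max_composite >> 8);
    table[OFF_MAXCOMPOSITEPTS + 1] = (uint8_t)max_composite;
}

/* Convenience wrappers: build a table from the two counts and evaluate it.
 * short_buffer_for() is 1 when the vulnerable sizing would under-allocate
 * relative to the true point total, the precondition for a heap overflow. */
size_t unsafe_count_for(uint16_t mp, uint16_t mc) {
    uint8_t t[32]; build_maxp(t, mp, mc); return unsafe_point_count(t);
}
long safe_count_for(uint16_t mp, uint16_t mc, size_t len) {
    uint8_t t[32]; size_t n; build_maxp(t, mp, mc);
    return safe_point_count(t, len, &n) == 0 ? (long)n : -1L;
}
int short_buffer_for(uint16_t mp, uint16_t mc) {
    return unsafe_count_for(mp, mc) < (uint32_t)mp + (uint32_t)mc;
}

int main(void) {
    printf("benign  300+500   : unsafe=%zu safe=%ld short=%d\n",
           unsafe_count_for(300, 500), safe_count_for(300, 500, 32), short_buffer_for(300, 500));
    printf("hostile FFF0+0020 : unsafe=%zu safe=%ld short=%d\n",
           unsafe_count_for(0xFFF0, 0x0020), safe_count_for(0xFFF0, 0x0020, 32),
           short_buffer_for(0xFFF0, 0x0020));
    return 0;
}
```

The hostile table makes the vulnerable path size a buffer for 16 points while the font is entitled to supply 65,552; the hardened path rejects the same table outright.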
~~~~~~~~~~

BTW: Looking up CVE reports is easy, if snooze inducing. Just go to the National Vulnerability Database site (at the National Institute of Standards and Technology) and search on the CVE number. Here is the URL to get you started:

National Vulnerability Database (NVD) Search Vulnerabilities

And now for a rant:

If you're wondering why these simple and specific CVE searches take a long time (zzzzz) to resolve, it's the decrepit US government. It's Microsoft Windows. It's ancient old PCs the government is too cheap to replace, cranking away on stuff that takes any modern Mac a microsecond. (But of course, the government did manage to fund the infamous 'Bridge To Nowhere' in Alaska, hardy har har, porky pork, oinky oink, so long Ted Stevens you parasite).

I was once offered a job at the Department of Wildlife. I took one look at their computers and wondered what would be the appropriate response: Running away screaming OR sauntering out laughing?

In any case, if you've ever wondered why it's so incredibly easy for The Red Hacker Alliance in Red China and other such scum to hack into US government computers, look no further for your answer. Much as I hated the Bush League, much as I'd like to support the Obama Era, this stupid state of affairs continues. Note the fact that the Obama Administration hired ex-Microsoft executives and coders to help them solve their computer security crisis. That's right! They hired the CAUSE of the problem to SOLVE the problem.
(o_0)

Hmm. What would be the appropriate response? I'll leave it to you to decide.

CUL8R!
Stay safe.
Stay secure.
Don't touch my cookies.

;-Derek
--

Tuesday, 13 July 2010

Windows Users ONLY: Adobe Screw Up Yet-Again! Acrobat & Reader Updates DON'T Fix PDF Security Hole

--
For Frack's sake! Adobe = Idiotic Security.

I'm patience counting again: 1 - 2 - 3 . . .

NOTE: This is ONLY a Windows user problem. We Mac OS X users can sit back and gasp. But we are NOT affected (as far as we can tell at this time).

We know Adobe security is bad. We know their attitude toward their security problems is bad. But now we can verify that Adobe are indeed idiots at security. This incident throws their security incompetence into a whole other ballpark.

Enough ranting from me. Windows Users, read and weep this message from Intego:

Last Adobe Reader and Acrobat Update Doesn't Fix PDF Bug

"... It turns out that Adobe's fix was not enough. Adobe is aware of the issue and will be issuing an update to the update soon."

Keep in mind, Mac users, that if you use Windows you ARE affected. This means if you load Windows via virtualization or natively via Boot Camp. This PDF exploit is active in-the-wild. Beware.

Again, only Acrobat 8 and Reader 8 are safe. You can roll back to those versions and you're fine. It's Windows versions 9.x that are being exploited. Do NOT use them at this time on the Internet. Do NOT use them with any PDF file that you have not verified as 100% authentic and safe.

And of course, if you're affected, write Adobe a great big 'Thank You' note for being so kind, caring and conscientious toward their customers. /s

[Newbies: "/s" designates sarcasm]
--

Thursday, 25 March 2010

64-bit 7ista Twice Hacked via both IE 8 and Firefox 3! The End Is Nigh!


I should also mention that both Mac OS X 10.6 Snow Leopard and the iPhone got hacked via Safari. Just doing a little back-at-you priority swapping. These days it is a BIG DEAL when Mac OS X gets hacked because of its reputation as the safest GUI OS on the planet. Hacking Windows is ho hum because it happens every day.

Here are some links to somewhat detailed articles about the Day 1 results from the Pwn2Own contest at CanSecWest 2010 in Vancouver, Canada:

TippingPoint blog.
CNet.
MacWorld.

The contest still has two more days of hacking to go. But here is the current list of winners from Day 1:
PWNED! Vincenzo Iozzo and Ralf Philipp Weinmann - iPhone
PWNED! Charlie Miller - Safari [on Mac OS X 10.6]
Nils - Safari (Prize Claimed) [on Mac OS X 10.6]
PWNED! Peter Vreugdenhil - Internet Explorer 8 [on 7ista]
MemACCT - Internet Explorer 8 (Prize Claimed) [on 7ista]
Anonymous - Nokia
Anonymous - iPhone (Prize already won)
PWNED! Nils - Firefox [on 7ista]

Congratulations to all the hackers and thank you for making it clear that Internet surfing can be dangerous no matter the operating system or web browser. Details of each zero day hack are not published until they have been addressed by the companies or groups in charge of affected programs and operating systems. When the Mac OS X hacks have been published, I'll report them and provide links here.

I'll also post more from CanSecWest as it progresses. Dr. Charlie Miller will be presenting his 20 Mac OS X 10.6 Snow Leopard hacks.

The successful hacking of Windows 7ista is of particular interest because it involved bypassing the much lauded ASLR (Address Space Layout Randomization) and DEP (Data Execution Prevention) built into 7ista. So much for those security technologies!

In each hack the victim computers were directed to websites containing exploit code. I'm going to hazard a wild guess that the sites used code written at least in part in the catastrophic mess known as ECMAScript, aka JavaScript/JScript. Readers of this blog will already know my low opinion of this scripting language and my desire that it be banished from the Internet forever. Listeners to the SecurityNow Podcast know that Steve Gibson of Gibson Research Corporation (GRC) called out ECMAScript as dangerous years ago. He recommends surfing the net with scripting turned OFF in all web browsers by default, only turning it on at trusted websites.

Java exploits are also well known at this time, indicating the need to also turn off Java while surfing the net, except again at trusted websites. What a shame.

(Note that JavaScript and Java have nothing whatsoever to do with each other apart from a similar name caused by a marketing moron deal between Netscape and Sun Microsystems, both companies now defunct).

Friday, 29 May 2009

Microsoft Senior Security Architect Said WHAT?!

Someone needs a good spanking and a time out for bad behavior. He's considered to be a professional computer security expert (so it's not me!).

This afternoon I was checking out the Intego Mac Security Blog and read about interviews ZDNet Australia had done with security specialists regarding the question "Do Mac Users Need Antivirus Software?" (They got the software category wrong as usual. It's anti-malware, not 'anti-virus'. I'll go down in history as the curmudgeon who chanted this fact to the grave, and nobody cared. Poor me). So I clicked over to ZDNet OZ, read their article and watched the video, found HERE.

In the video, note the fellow in the white shirt with a British accent. That's Greg Singh from RSA. As Intego point out, Singh is incorrect to say Mac users will have to get used to the degradation in performance caused by anti-malware applications. He could be talking specifically about Symantec's Norton Antivirus for Mac, in which case no one could argue with him. He also insinuates that Apple have said Mac OS X is not susceptible to 'viruses'. Oops, I think he got his Apples mixed up. He must have meant Apple Corps, the folks who make Beatles CDs. Yeah, I'd agree that Beatles recordings are not susceptible to viruses. **snicker**

Then there's the guy in the black t-shirt and hat reading 'ULTIMATE-DEFENCE'. That's Rocky Heckman from Microsoft. He has the title of "Microsoft Senior Security Architect". I was freaked at what was coming out of his mouth. First he thinks BSD is something new to Mac OS X Tiger. He was born yesterday. Then he says that because BSD is part of Mac OS X, hackers are now realizing they can write 'viruses' for it, "and there have been a couple out there." He's from the Bizarro World. There are no viruses for Mac OS X. There are only Trojans, and he knows the difference. I wrote a ripping comment about Mr. Heckman over at the ZDNet OZ site. See below.

Then there's an Australian fellow in a white striped shirt with a big pad and marker hanging around his neck. I don't know his name, sorry. His odd statement, if you listen carefully, is that anti-malware products for Mac OS X are 'immature'. Based on what information? Based on ignorance. Very strange.

OK, so where were all these incorrect people when they were interviewed? The AusCERT 2009 IT Security Conference. The mind boggles.

Here is the concerned comment I wrote to ZDNet Australia regarding the statements of Mr. Heckman from Microsoft:
Microsoft Senior Security Architect Said WHAT?!

"Microsoft senior security architect Rocky Heckman said AV became necessary when Apple in 2001 decided to underpin OS X Tiger with the BSD operating system because it made Macs an easier platform to write malicious code for."

Why did anyone ask Mr. Heckman his opinion? We certainly have no reason to care. Windows is the single LEAST secure operating system, commercial or Open Source, available on the planet.

Why Heckman's opinion is lunatic:

1) Apple didn't decide to underpin Tiger with BSD. NeXT decided to underpin NeXTStep with BSD decades ago! Mac OS X inherited it when Apple decided to make NeXTStep/OpenStep the foundation for Rhapsody, which was then developed into Mac OS X.

2) The three most secure operating systems on the planet have been repeatedly proven to be:
A) OpenBSD
B) FreeBSD
C) Mac OS X
Mac OS X incorporates elements of both OpenBSD and FreeBSD into its core OS called Darwin OS. So what Mr. Heckman is talking about is incomprehensible. He is either a blithering idiot or is pulling a FUD manoeuvre by telling the opposite of the truth in order to fool the public that black is white, war is peace, hate is love, the usual doublespeak routine from the book '1984'. Shame on Mr. Heckman.

This has to be one of the most dishonest statements from a Microsoft executive of all time. It's running neck-and-neck with Bill Gates' moronic statement that Mac OS X is exploited every day, when in fact it is HIS operating system that is exploited every day.

Or maybe there's lead in the water over at Redmond. (o_0)
--

Wednesday, 13 May 2009

May 12: Massive Mac Update Day

--
Macintosh updates on the second Tuesday of the month?!
Déjà vu man. Is Apple syncing updates with Microsoft? Is this to make Enterprise IT folks happy? I strongly suspect so.

I prefer the ASAP approach. Waiting around for the second-Tuesday-of-the-month is a dim idea from my POV. Hmph. What happens in the Microsoft world is that hackers get geared up for THE DAY and pounce on all the announced security holes via new malware. This works very well because only a small percentage of people update their Microsoft software on THE DAY. This allows hackers a window of opportunity to get into user machines while the getting is good. Alternatively, the ASAP approach provides no expectation time for hackers. It also gets security patches out in the field immediately rather than waiting around for potentially weeks, during which time each security hole sits out there ripe for the hacking.

Therefore, I hope this second-Tuesday-of-the-month security update is merely coincidence. Sorry Enterprise IT folks! Having THE DAY each month for security patches may be convenient, but it is BAD security protocol. Security wins in this business.


Rules for System Update Preparation:

1) You know what I'm going to say: Make A Backup! Expect updates to go wrong. They often do.

2) Repair your boot system! It is amazing how many system updates go bad simply because the boot system was corrupt. What else would you expect? Boot from your system installation disk and run the repairs inside Disk Utility.

3) Repair your boot system permissions! Despite the myths, bad file permissions are also a prominent reason why system updates go bad. Again, what else would you expect? Note: You also need to repair your permissions AFTER the update. Adobe always leave behind a mess. Even Apple make slip ups! Apple left behind bad permission settings after Leopard Server Update 10.5.6! Expect it to happen. Use Disk Utility.

4) Don't forget to update! Keeping up with system updates is very important! Check this out:
An example of how few computer users actually apply updates: The Microsoft Windows security hole exploited by the Conficker worm was patched way back in October, 2008. And yet, the Conficker worm zombied an estimated 15 MILLION+ Windows boxes after Microsoft provided the patch. Incredible.

The Update List:


Your Mac's System Update app will tell you what updates are necessary for your particular setup. The list of updates from 5/12 is long. All the links below are for each update's general description and download page. Each page has a further link to its detailed information page. If you would like to go directly to the security improvements list for each update, please go HERE.

Safari v3.2.3 for Windows, 19.69 MB

Safari v3.2.3 for Tiger, 26.29 MB

Safari v3.2.3 for Leopard, 40 MB

Safari v4.0 Public Beta Security Update for Tiger, Leopard, Windows XP and Windows Vista

Security Update 2009-002 for Tiger PPC, 75 MB

Security Update 2009-002 for Tiger Intel, 165 MB

Security Update 2009-002 for Tiger Server PPC, 130 MB

Security Update 2009-002 for Tiger and Leopard Server, Universal, 203 MB

Mac OS X Combo Update 10.5.7 Leopard, including 2009-002, 729 MB

Mac OS X Server Combo Update 10.5.7 Leopard, including 2009-002, 951 MB

Mac OS X Update 10.5.7 Leopard, including 2009-002, 442 MB

Mac OS X Server Update 10.5.7 Leopard, including 2009-002, 452 MB

Coming up will be my summary and analysis of the security improvements provided by these updates.
--
