Last week we spoke about the Boonana cross-platform malware, using a malicious Java applet to deliver a cross-platform attack that attempts to download further malware to computers running Windows, Unix and Mac OS X.
Since then some we have seen variants of the original Boonana attack. The samples we have seen have been functionally the same, with the hackers behind them seemingly having obfuscated their code to try and waltz around detection.
Their attempts haven’t been good enough to get past Sophos’s products so far (including our new free anti-virus for Mac home users), and we haven’t had to update our generic detection method.
In the samples we have analysed to date, the attack specifically targets Windows and Mac OS X systems, and just happens to infect other platforms that run Java. Depending upon the flavour of Unix, it doesn’t usually complete its ‘life cycle’ if you’re not running Windows or Mac OS X systems.
Of course, we will update our detection of Troj/Boonana should we see new variants that require it.
In the meantime, watch this video I made last week demonstrating the original version of this attack on Windows, Mac OS X and Ubuntu:
A website that has made it simple for iPhone and iPad users to jailbreak their devices may not just be a headache for Apple, but also a portent for future malicious attacks.
Owners of Apple gadgets who visit the JailbreakMe website in Safari have found that all they need to jailbreak their device is slide a button to give permission, opening up the possibility of installing apps that have not been approved by the official AppStore.
Previously, jailbreaking has required users to connect their device to a computer before they can start to tamper with the set-up of their iPhone or iPad and gain access to the Cydia underground app store.
The drive-by jailbreak is possible because the website exploits a vulnerability in the way that the mobile edition of Safari (the default browser used in the iOS operating system) handles PDF files – specifically its handling of fonts.
As a number of YouTube videos have demonstrated, it’s a pretty slick process:
What concerns me, and others in the security community, however, is that if simply visiting a website with your iPhone can cause it to be jailbroken – just imagine what else could hackers do by exploiting this vulnerability? Cybercriminals would be able to create booby-trapped webpages that could – if visited by an unsuspecting iPhone, iPod Touch or iPad owner – run code on visiting devices without the user’s permission.
Adobe has issued a security bulletin detailing critical vulnerabilities that have been discovered in the current versions of Adobe Flash Player for Windows, Macintosh, Solaris and Linux.
An update issued by Adobe claims to resolve 32 vulnerabilities in Flash Player – which if left unpatched could leave open a door for hackers to infect innocent users’ computers. Some of the security holes are already being exploited by malicious hackers.
Adobe is recommending that users upgrade to Adobe Flash Player 10.1.53.64.
If you’re not sure which version of the Adobe Flash Player you have installed, visit theAbout Flash Player page. Remember that if you use more than one browser on your computer you should check the version number on each.
Adobe further recommends that users of Adobe AIR version 220.127.116.1130 and earlier versions update to Adobe AIR 2.02.12610.
It is becoming more and more common for cybercriminals to exploit vulnerabilities in Adobe’s software – so it would be a very good idea for everyone to update vulnerable computers as soon as possible.
Whether you own a Windows or Mac OS X computer, if you’re a user of Apple’s Safari browser, it’s time to update your computer against a swarm of security vulnerabilities.
With the attention of most Apple devotees diverted this week towards the sleek new iPhone 4, some may have missed that the Cupertino-based company has also issued a brand new version of its web browser, Safari.
Most interestingly to us, however, is the news that Safari 5.0 not only includes new functionality, but also plugs at least 48 different security vulnerabilities that (if left unpatched) could be exploited by hackers.
Mac OS X version 10.4 users (which Safari 5 doesn’t support) aren’t left in the lurch either. Apple has issued Safari version 4.1 for those customers, which addresses the same set of security issues.
Apple’s Safari browser contains a critical, unpatched bug that attackers can use to infect Windows PCs with malicious code, researchers at US-CERT and other security firms said today.
Hackers could compromise PCs with simple “drive-by” attack tactics, researchers added.
The vulnerability, first reported by Danish vulnerability tracker Secunia and confirmed by the United States Computer Emergency Readiness Team (US-CERT), was disclosed by Polish researcher Krystian Kloskowski on Friday. The bug is caused by an error in the handling of the browser’s parent windows.
“This can be exploited to execute arbitrary code when a user visits a specially-crafted web page and closes opened pop-up windows,” said Secunia’s alert.
The vulnerability can also be exploited by attackers who dupe users into opening rigged HTML-based e-mail within Safari, added US-CERT in its advisory. That scenario likely would involve tricking users into opening malicious messages in a Web mail service, such as Gmail or Windows Live Hotmail.
Both Secunia and US-CERT confirmed today that the proof-of-concept attack code published by Kloskowski successfully compromises the Windows version of Safari 4.0.5, the most up-to-date edition. Secunia rated the vulnerability as “highly critical,” the second-most-dangerous ranking in its five-step threat scoring system.
It’s not known whether the vulnerability also exists in the much more widely used Mac OS X version of Apple’s software. “Other versions may also be affected,” cautioned US-CERT.
Charlie Miller, the noted vulnerability researcher who won $10,000 by hacking a Mac in March at the Pwn2Own contest, was out of his office and not able to verify that the bug also exists in Safari on Mac OS X.
Apple last patched Safari in mid-March when it fixed 16 flaws, including six that applied only to the Windows version of the browser. It’s not unusual for Apple to patch Windows-only vulnerabilities when it updates Safari.
Apple patched Miller’s $10,000 vulnerability in mid-April by plugging a hole in ATS (Apple Type Services), a font renderer included with Mac OS X. Miller accessed the ATS bug via Safari during Pwn2Own.
By Gregg Keizer, techworld.com
Pinhead or HellRTS? What’s in a name?
Mac malware is making the headlines again – this time in the form of a remote access trojan which has been given the name OSX/HellRTS.D by French security firm Intego.
The folks at Intego blogged about the new Mac threat they discovered, which when run on a Mac OS X computer can allow remote hackers to gain access.
Users of Sophos Anti-Virus for Mac are protected, as we detect the malware as OSX/Pinhead-B, but presently it looks like this is not considered a serious threat and we have received no reports of infections from customers.
It does, however, appear to have been distributed disguised as iPhoto, the photo application which ships on modern Mac computers. This is clearly an attempt to fool victims via a social engineering trick into installingt the malicious code on their computers.
As always, be careful about the origin of applications you run on your computer, and keep your protection up-to-date. As many Mac users do not presently run any anti-virus software at all, they could be considered a soft target for more attacks like this in the future.
There’s a lot less malicious software for Mac computers than Windows PCs, but the fact that so many Mac owners don’t take security seriously enough might encourage an increasing amount of crime on their platform going forward.
By Graham Cluley, Sophos
Apple has released version 4.0.5 of its Safari browser, fixing a number of issues with its browser for Windows and Mac OS X including – most importantly – a grand total of 16 security vulnerabilities.
If you dilly-dally over updating your computer, it’s possible that hackers could exploit the security bugs – including some that could mean that simply visiting a webpage with a maliciously crafted image could lead to malicious code being automatically run on your computer.
Interestingly, one of the bugs (CVE-2009-2285) fixed in Safari 4.0.5 was announced and patched in Mac OS X 10.6.2 back in December 2009, and in Mac OS X 10.5 since January, meaning that Windows users of Safari have been vulnerable for over two months to the way their browser handles booby-trapped TIFF images.
But it doesn’t matter whether you own a Mac or PC, if you run Safari the message is clear: It’s time to update your browser and ensure that you are protected against hackers exploiting the security holes detailed in the security advisory on Apple’s website.
Safari users should practise safe computing, and update their systems as soon as possible.
By Graham Cluley, Sophos
Adobe has issued a security bulletin urging users of its Adobe PDF Reader and Acrobat products to update their software before hackers take advantage of two critical vulnerabilities.
Adobe Reader 9.3 for Windows, Macintosh and UNIX, Adobe Acrobat 9.3 for Windows and Macintosh, and Adobe Reader 8.2 and Acrobat 8.2 for Windows and Macintosh are vulnerable to a flaw that could be exploited by hackers to make unauthorised cross-domain requests. This same vulnerability was revealed in Adobe Flash Player last week.
Meanwhile, another flaw could give hackers an opportunity to inject malicious code onto computers via vulnerable installations of Reader and Acrobat.
As we’ve mentioned many times before, it’s essential that you keep your installations of Adobe’s software up-to-date as they are increasingly being taken advantage of by hackers to launch attacks.
Adobe recommends users of Adobe Reader 9.3 and earlier versions for Windows, Macintosh and UNIX update to Adobe Reader 9.3.1 if possible. Similarly, Adobe Acrobat should be updated to version 9.3.1. It’s a shame, therefore, that Adobe’s Reader advisory makes such a bad job of linking to the right files.
For instance, the link it is giving for the Mac update actually links to a page full of Windows files:
Hopefully Adobe will sort that out soon, and make it clearer where users can download the right patches for their operating system from. I, for one, am still finding it difficult to locate Adobe Reader 9.3.1.
By Graham Cluley, Sophos
IT security and control firm Sophos is reminding all Twitter users of the importance of ensuring their computer security is up to date following news that internet celebrity, Guy Kawasaki’s Twitter account has been used to spread malware that targets both Windows and Mac users.