Apple secretly updates Mac malware protection
June 20, 2010 by admin
Filed under Security News
Apple’s 10.6.4 operating system upgrade earlier this week silently updated the malware protection built into Mac OS X to protect against a backdoor Trojan horse that can allow hackers to gain remote control over your treasured iMac or MacBook.
Although there is no mention of it that we could find in Apple’s release notes for Mac OS X 10.6.4, or the accompanying security bulletin, Apple has updated XProtect.plist – the rudimentary file that contains elementary signatures of a handful of Mac threats – to detect what they call HellRTS.

HellRTS, which Sophos products have been detecting as OSX/Pinhead-B since April, has been distributed by malicious hackers disguised as iPhoto, the photo application which ships on modern Mac computers.
If you did get infected by this malware then hackers would be able to send spam email from your Mac, take screenshots of what you are doing, access your files and clipboard and much more.
Unfortunately, many Mac users seem oblivious to security threats which can run on their computers. And that isn’t helped when Apple issues an anti-malware security update like this by stealth, rather than informing the public what it has done. You have to wonder whether their keeping quiet about an anti-malware security update like this was for marketing reasons. “Shh! Don’t tell folks that we have to protect against malware on Mac OS X!”
It seems their own employees can be amongst the worst offenders when it comes to giving users security advice. Just a few days ago I saw a former colleague of mine tweet about the poor advice about malware protection being offered in Apple retail stores.
Critical security updates from Microsoft and Adobe
May 12, 2010 by admin
Filed under Security News
It was “Patch Tuesday” yesterday, which means another parcel of security updates for computer users to unwrap, and this time the fixes aren’t just from Microsoft, but from Adobe too.
First on the menu is Microsoft, which has served up two security bulletins detailing vulnerabilities that could be exploited by hackers to execute malicious code (such as a worm) on your computer.
The first of these security holes exists in Outlook Express, Windows Mail, and Windows Live Mail. Microsoft’s Security Research & Defense blog goes into some detail about the vulnerability, explaining that although the security hole is given a “critical rating” on Windows 2000, Windows XP, Windows Vista, Windows Server 2003, and Windows Server 2008, it is considered less serious for Windows 7 users as Windows Live Mail is not installed by default on that platform.
The other patch from Microsoft addresses a vulnerability in Visual Basic for Applications, a component used by Microsoft Office and other third-party products. Microsoft has given this security update its highest possible rating – “Critical” – for all supported versions of Microsoft Visual Basic for Applications SDK and third-party applications that use Microsoft Visual Basic for Applications. It is also rated “Important” for all supported editions of Microsoft Office XP, Microsoft Office 2003, and the 2007 Microsoft Office System.
Next up is Adobe, which has released patches to squash over 20 security vulnerabilities in its Shockwave and ColdFusion products.
The critical vulnerabilities identified in Adobe Shockwave Player 11.5.6.606 and earlier versions impact both Windows and Macintosh users, and could allow attackers to run malicious code on your computer.
Adobe recommends that users update their version of Adobe Shockwave Player to version 11.5.7.609.
Details of the ColdFusion vulnerabilities, classed as “important”, are provided in Adobe Security Bulletin APSB10-11.
Enough of waffle. Download and install the patches if your computer is affected.
By Graham Cluley, Sophos
McAfee signature update kills Windows systems
April 23, 2010 by admin
Filed under Security News
A flawed signature update (DAT 5958) from McAfee yesterday (Wednesday) caused the system file svchost.exe to be identified and quarantined as the virus W32/Wecorl.a under Windows XP SP3. This resulted in affected systems rebooting (30 second countdown) and then entering an endless boot loop, repeatedly restarting.
According to McAfee’s user forum, large numbers of businesses are affected. To resolve the problem, the vendor is advising users to download an updated signature (DAT 5959) on an unaffected computer, copy it to a USB drive, restart the affected computer in safe mode with network support (press F8 while booting) and connect the USB drive. Double-clicking on the file 5959xdat.exe will then install the new signature. In most cases, users will then need to restore the svchost.exe file. McAfee has provided instructions for doing so.
Alternatively, the file extra.dat (direct download) can be used to prevent the flawed signature from disabling the system. Users should copy this file onto a USB drive, copy it from there into the c:\Program Files\Common Files\McAfee\Engine folder on the affected system (in safe mode) and restart the computer. Here again, svchost.exe will need to be manually restored or retrieved from quarantine.
These fixes involve a fair bit of work for administrators, as it is not possible to resolve the problem from a central management console. On large networks this is likely to result in a few late nights. McAfee has also released an automated solution in the form of an executable file (direct download).
McAfee has a function for intercepting false positives, but this only works for files on the hard drive – the problem here, according to McAfee, is that the false positive is triggered by the memory scan, which can’t be intercepted.
As an interesting side note, McAfee’s bug added an extra dose of realism to a disaster exercise being held by one Iowa community, when the emergency centre computers and communications systems failed. The teams were forced to fall back on old radio systems.
As past stories from The H show, McAfee is not alone among anti-virus vendors in causing disruption through issuing a flawed update.
Source: www.h-online.com
Adobe Patch Tuesday to bring automatic updates
April 12, 2010 by admin
Filed under Security News
On Tuesday April 13th it’s not only the regular appointment for system administrators around the world to expect the latest bunch of monthly security updates from Microsoft, it will also be time for a scheduled quarterly update from Adobe for its Reader and Acrobat products.
Adobe says that its upcoming update to Adobe Reader and Acrobat 9.3.2 and 8.2.2 will utilise its new updater technology on Windows and Mac – previously only enabled for selected beta-testers.
Windows users will find an option to “Automatically install updates” on their Preferences/Updater tab. Alternatively they can select “Automatically download updates, but let me choose when to install them” or “Do not download or install updates automatically” (These last two options are the only choices presently available on the Mac version).

Adobe’s Steve Gottwals describes the new updating feature as a demonstration that user security is a key priority for the company. It is hoped that in the future Adobe’s PDF-handling software will include a screen prompting end-users to select auto-update to ensure further updates occur automatically behind the scenes.
The majority of attacks we are seeing are exploiting software installations that are not up-to-date with the latest security fixes. We therefore believe that the automatic update option is the best choice for most end-users. We are currently evaluating options for the best long-term solution for users, which could involve presenting the user with an opt-in screen for the automatic update option as part of the next phase in the roll-out.
Chances are that these new update preferences will be more eagerly welcomed amongst home users than corporations – as firms often wish to test security updates before rolling them out across their entire organisation.
But the security community as a whole should probably give this new Adobe feature a thumbs-up – if the new feature works as advertised it sounds like it will definitely be a step in the right direction. Let us hope that more of Adobe’s customers will do a better job of keeping their systems up-to-date as a result of this enhancement.
It’s also of note that there is no news yet of an auto-updating facility for Flash – another Adobe technology that is frequently exploited by hackers. Let’s hope that that isn’t too far away.
Although Tuesday’s Adobe updates will resolve critical security issues in its Acrobat and Reader products, it is not yet known if the currently high profile PDF /Launch security hole will be amongst them.
By Graham Cluley, Sophos
Microsoft to release emergency Internet Explorer patch on Tuesday
March 29, 2010 by admin
Filed under Security News
Microsoft has announced that it will be issuing an emergency out-of-band patch for a critical security hole in some versions of Internet Explorer on Tuesday 30 March.
According to a Microsoft advisory, the emergency fix is designed to protect users of Internet Explorer 6 and Internet Explorer 7.
Microsoft normally bundles its security updates into a monthly package, known in the industry as “Patch Tuesday” (the second Tuesday of each month), and it is relatively unusual for the company to issue a fix for a security vulnerability outside of this cycle. Clearly Microsoft considers the bug particularly important to patch as soon as possible.
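To make the "second Tuesday of each month" schedule concrete, here is a small added helper (not from the original post or from Microsoft) that computes the Patch Tuesday date for a month and tells a patch-management team whether a given release date was part of the regular cycle or an out-of-band fix like the one described here. The dates used are the ones this page mentions.

```python
from datetime import date, timedelta
import calendar


def patch_tuesday(year: int, month: int) -> date:
    """Return the second Tuesday of the given month (Microsoft's Patch Tuesday)."""
    first = date(year, month, 1)
    # date.weekday(): Monday == 0; calendar.TUESDAY == 1.
    days_to_first_tuesday = (calendar.TUESDAY - first.weekday()) % 7
    return first + timedelta(days=days_to_first_tuesday + 7)


def classify_release(release: date) -> str:
    """Label a release date as a scheduled Patch Tuesday update or an out-of-band fix."""
    return "scheduled" if release == patch_tuesday(release.year, release.month) else "out-of-band"


def next_patch_tuesday(today: date) -> date:
    """Return the next Patch Tuesday strictly after 'today' (useful for change windows)."""
    candidate = patch_tuesday(today.year, today.month)
    if candidate <= today:
        year, month = (today.year + 1, 1) if today.month == 12 else (today.year, today.month + 1)
        candidate = patch_tuesday(year, month)
    return candidate


if __name__ == "__main__":
    # Dates taken from the posts on this page.
    for d in (date(2010, 3, 30), date(2010, 4, 13), date(2010, 5, 11), date(2009, 10, 13)):
        print(d, classify_release(d))
    print("next after 2010-03-29:", next_patch_tuesday(date(2010, 3, 29)))
```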
And in my opinion they’re right not to leave this vulnerability unpatched until April 13th. Earlier this month I described how hackers are actively exploiting the vulnerability, in their attempt to infect computers.
The researchers in SophosLabs reported some of the malicious spam messages we have seen being distributed which attempt to trick users into visiting websites that will exploit the zero day vulnerability and infect Windows PCs.

More information about the security flaw can be found in Sophos’s analysis of the problem.
So, if you are still using Internet Explorer versions 6 or 7, please be sure to update your systems as soon as Microsoft releases the fix. But, in all honesty, what are you doing running such old versions of IE anyway? Shouldn’t you have upgraded to Internet Explorer 8 by now?
By Graham Cluley, Sophos
AVG Rescue CD: A powerful toolset for rescue & repair of infected machines
March 26, 2010 by admin
Filed under Removal Tips,Tools and Videos

The AVG Rescue CD is a powerful must-have toolkit for the rescue and repair of infected machines. It provides essential utilities for system administrators and other IT professionals and includes the following features:
- Comprehensive administration toolkit
- System recovery from virus and spyware infections
- Suitable for recovering MS Windows and Linux operating systems (FAT32 and NTFS file systems)
- Ability to perform a clean boot from CD or USB stick
- Free support and service for paid license holders of any AVG product
- FAQ and Free Forum self-help support for AVG Free users
Key technologies
- Anti-virus: protection against viruses, worms and Trojans
- Anti-spyware: protection against spyware, adware and identity theft
- Administration toolkit: system recovery tools
The AVG Rescue CD is essentially a portable version of AVG Anti-Virus supplied as a Linux distribution. It can be used in the form of a bootable CD or bootable USB flash drive to recover your computer when the system cannot be loaded normally, such as after an extensive or deep-rooted virus infection. In short, the AVG Rescue CD enables you to fully remove infections from an otherwise inoperable PC and render the system bootable again.
Apart from the usual AVG functions (malware detection and removal, updates from internet or external device, etc.), the AVG Rescue CD also contains the following set of administration tools:
- Midnight Commander – a two-panel file manager
- Windows Registry Editor – simple registry editor for more experienced users
- TestDisk – powerful hard drive recovery tool
- Ping – to test the availability of network resources (servers, domains, IP addresses)
- Common Linux programs and services – vi text editor, OpenSSH daemon, ntfsprogs etc.
Free of charge
The AVG Rescue CD is a free-to-use product that anyone can download. This also covers any new program versions and virus database updates. If you have any other paid AVG license, you are also entitled to receive our full technical support.
Download:
Download Rescue CD (for CD creation)
Download Rescue CD (for USB stick)
Critical Firefox security hole fixed – have you updated?
March 23, 2010 by admin
Filed under Security News
Mozilla has responded to concern about a critical security vulnerability in Firefox 3.6, by releasing version 3.6.2 of its popular browser ahead of schedule.
Firefox 3.6.2 fixes a vulnerability first discovered by security researcher Evgeny Legerov last month, which could allow hackers to launch malicious code on users’ computers.
As I blogged yesterday, concern about the bug was so high that the likes of the German government had advised internet users to switch to an alternative browser until a fix from Mozilla was available (at the time that fix was not scheduled until March 30th).
However, concern about the severity of the security flaw encouraged Mozilla to accelerate its timetable for release and speed up the schedule.
If you are a Firefox 3.6 user, go to the Help menu and choose “Check for Updates” to update your installation of Firefox to the latest version. You can also visit www.getfirefox.com if you wish to download the full version.
I would also strongly recommend that all Firefox users consider using NoScript, the Firefox add-on that provides a higher level of protection by allowing you to choose which websites are allowed to run active content (such as JavaScript).
By Graham Cluley, Sophos
Apply the Critical Security Updates for Internet Explorer Vulnerabilities (MS10-002 – Critical)
January 29, 2010 by admin
Filed under Protection Tools
This cumulative security update resolves seven privately reported vulnerabilities and one publicly disclosed vulnerability in Internet Explorer. The more severe vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. This security update is rated Critical for all supported releases of Internet Explorer.
Executive Summary
This security update resolves seven privately reported vulnerabilities and one publicly disclosed vulnerability in Internet Explorer. The more severe vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
This security update is rated Critical for all supported releases of Internet Explorer: Internet Explorer 5.01, Internet Explorer 6, Internet Explorer 6 Service Pack 1, Internet Explorer 7, and Internet Explorer 8 (except Internet Explorer 6 for supported editions of Windows Server 2003). For Internet Explorer 6 for supported editions of Windows Server 2003 as listed, this update is rated Moderate.
The security update addresses these vulnerabilities by modifying the way that Internet Explorer handles objects in memory, validates input parameters, and filters HTML attributes.
This security update also addresses the vulnerability first described in Microsoft Security Advisory 979352.
Recommendation. The majority of customers have automatic updating enabled and will not need to take any action because this security update will be downloaded and installed automatically. Customers who have not enabled automatic updating need to check for updates and install this update manually. For information about specific configuration options in automatic updating, see Microsoft Knowledge Base Article 294871.
For administrators and enterprise installations, or end users who want to install this security update manually, Microsoft recommends that customers apply the update immediately using update management software, or by checking for updates using the Microsoft Update service.
New Free SUPERAntiSpyware Online Scanner/Remover!
November 3, 2009 by admin
Filed under Removal Tips,Tools and Videos

Follow the instructions below to initiate the SUPERAntiSpyware Online Scan. The scanner will detect AND remove over 1,000,000 spyware/malware infections. The scanner does NOT install anything on your Start Menu or Program Files and does NOT need to be uninstalled.
The SUPERAntiSpyware Online Safe Scan is free for personal use.
How To Use :
1. Start the Scan
Click on the button to start the scanner download process.
2. Download the Scanner
Click the RUN button when prompted. If you are using a browser other than Internet Explorer then the prompt may be different.

3. Wait for the Scanner to Download
The scanner will download in just a few seconds.

4. Run the Scanner
Click the RUN button when prompted. This will start the scanner.

5. Run the Scan and Removal
Click the “Click here to Start” button and then “Check for Updates” to update the definitions, then click on the “Scan your Computer” button to start the scanning process.
Microsoft user? Adobe user? Update your systems now
October 14, 2009 by admin
Filed under Security News
As part of its regular “Patch Tuesday” cycle, Microsoft has released a number of fixes for a number of its widely deployed products to patch critical security vulnerabilities.
Eight of the critical patches, addressing vulnerabilities in Windows, Microsoft Office, Internet Explorer, Silverlight, SQL Server, Forefront, Visual Studio, and other products, aim to stop hackers dead in their tracks from launching malicious attacks remotely.
A further five of the patches are classified as “important.”
In total, 34 security holes are fixed in what is Microsoft’s largest ever bundle of Patch Tuesday security updates.
Microsoft’s security response center has also released a chart, showing the severity of each vulnerability. “Red” means “critical” – in other words, that’s as bad as things get.
So the amount of “red” you see below should be a good indication of how serious these vulnerabilities are. If any more underlining of the importance were necessary, bear in mind that functioning code which exploits some of the vulnerabilities addressed by Microsoft’s patches has already been published.
You can learn much more about the patches in an advisory posted on Microsoft’s website.
Meanwhile, Adobe has also issued advice regarding critical vulnerabilities in Adobe Reader and Adobe Acrobat. Unlike the patches released by Microsoft, Adobe’s fixes cover Windows, Apple Mac OS X, and Unix/Linux.
In total, the Adobe fixes patch a stonking 29 vulnerabilities. Sophos has already seen malware which exploits some of the vulnerabilities affecting the Adobe PDF file format.
Over on his blog, Chet has some interesting things to say about these latest patches – looking in greater detail at some of the vulnerabilities, and questioning whether Adobe could learn a thing or two from Microsoft when it comes to responding to flaws in their code.
Whether you agree with Chet or not, one thing is clear – if you’re an affected Microsoft or Adobe user, you need to roll these patches out as a matter of priority.
by Graham Cluley, Sophos