Tag Archives: mac

Eleanor Mac Backdoor – Daily Security Byte EP. 284

Many Mac users think they’re immune to malware, but unfortunately that’s untrue. Though Windows malware variants still greatly outweigh Apple ones, Mac malware is starting to appear more regularly. Today’s Byte video covers a new Mac trojan discovered by Bitdefender, and what you can do to avoid it. 

(Episode Runtime: 3:04)

Direct YouTube Link: https://www.youtube.com/watch?v=6K4lU6bcQ_w

— Corey Nachreiner, CISSP (@SecAdept)

Mac Ransomware – Daily Security Byte EP. 226

Antivirus companies have found incomplete versions of Mac ransomware, researchers have created proof-of-concept (PoC) variants to demonstrate the possibility, and criminals have experimented with ineffective web-based “policeware” for Macs, but we’ve not seen Cryptolocker-level ransomware targeting Macs in the wild… that is until now. Watch today’s Security Byte video to learn more about the new KeRanger ransomware, and how to defend yourself against it.

(Episode Runtime: 4:42)

Direct YouTube Link: https://www.youtube.com/watch?v=9wPy8GaX10g

— Corey Nachreiner, CISSP (@SecAdept)

Oracle & Apple Patches – Daily Security Byte EP. 206

Another week, another pile of patches. If you use Apple or Oracle products, it’s time to download the latest updates to keep your computers and servers safe. Watch today’s video for a quick summary of the affected products and issues, and check the link below to learn more.

(Episode Runtime: 2:18)

Direct YouTube Link: https://www.youtube.com/watch?v=NT5OqG8VG9k

— Corey Nachreiner, CISSP (@SecAdept)

GateKeeper Bypassed Again – Daily Security Byte EP. 205

Many Apple fans think their Macs are immune to malware. Unfortunately, Apple’s computers, though less targeted, are as susceptible to threats as any other computer. In fact, attackers can even evade OS X’s built-in anti-malware mechanism. Watch today’s video to learn why GateKeeper is vulnerable and how you can keep your Mac safe.

(Episode Runtime: 2:36)

Direct YouTube Link: https://www.youtube.com/watch?v=kPaMkmUDK0A

— Corey Nachreiner, CISSP (@SecAdept)
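The three Mac posts above (the Eleanor backdoor, KeRanger, and the GateKeeper bypass) all come down to the same practical habit: before you launch something you downloaded, look at where it came from and what Gatekeeper makes of it. The script below is an added example, not code from the episodes or from WatchGuard. It assumes the macOS command-line tools xattr, spctl and codesign, and the com.apple.quarantine attribute layout LaunchServices writes (hex flags; hex download time; downloading agent; event UUID). The function names, the sample attribute value and the sample spctl output in the usage are mine and constructed for illustration.

```python
"""Quarantine and Gatekeeper triage for a downloaded Mac app bundle.

Added example, not code from the Security Byte episodes or from WatchGuard.
The two parsers run anywhere; assess_app() shells out to the macOS tools
xattr, spctl and codesign and therefore only works on OS X / macOS.
"""
import platform
import subprocess
from datetime import datetime, timezone


def parse_quarantine(value: str) -> dict:
    """Decode a com.apple.quarantine extended attribute.

    LaunchServices stamps downloads with a semicolon-separated string:
    hex flags, hex download time (seconds since the epoch), the agent that
    wrote the file (Safari, Mail, ...) and an event UUID.  Gatekeeper only
    assesses files that still carry this attribute, so a binary that arrived
    by curl or on a USB stick is never checked at all.
    """
    fields = value.strip().split(";")
    if len(fields) < 2:
        raise ValueError(f"not a quarantine attribute: {value!r}")
    epoch = int(fields[1], 16)
    return {
        "flags": int(fields[0], 16),
        "downloaded_epoch": epoch,
        "downloaded_utc": datetime.fromtimestamp(epoch, tz=timezone.utc).isoformat(),
        "agent": fields[2] if len(fields) > 2 else "",
        "event_uuid": fields[3] if len(fields) > 3 else "",
    }


def parse_spctl(output: str) -> dict:
    """Reduce `spctl --assess --type execute -vv <app>` output to a verdict.

    spctl prints '<path>: accepted' or '<path>: rejected' followed by a
    'source=' line and, for signed code, an 'origin=' line naming the
    signer.  It writes these to stderr, so callers must capture both streams.
    """
    result = {"verdict": "unknown", "source": None, "origin": None}
    for raw in output.splitlines():
        line = raw.strip()
        if line.endswith(": accepted"):
            result["verdict"] = "accepted"
        elif line.endswith(": rejected"):
            result["verdict"] = "rejected"
        elif line.startswith("source="):
            result["source"] = line[len("source="):]
        elif line.startswith("origin="):
            result["origin"] = line[len("origin="):]
    return result


def assess_app(app_path: str) -> dict:
    """Three checks worth running before the first launch (macOS only).

    'accepted' from spctl means only that the bundle's signature satisfied
    Gatekeeper's policy at that moment.  The bypass covered above and signed
    malware both get that verdict, so also confirm that every nested binary
    and resource is covered by the signature with codesign --deep --strict.
    """
    if platform.system() != "Darwin":
        raise RuntimeError("assess_app needs the macOS xattr/spctl/codesign tools")

    def run(*cmd):
        return subprocess.run(cmd, capture_output=True, text=True)

    q = run("xattr", "-p", "com.apple.quarantine", app_path)
    quarantine = parse_quarantine(q.stdout) if q.returncode == 0 else None

    s = run("spctl", "--assess", "--type", "execute", "-vv", app_path)
    gatekeeper = parse_spctl(s.stdout + s.stderr)

    c = run("codesign", "--verify", "--deep", "--strict", app_path)

    return {
        "quarantine": quarantine,          # None: no attribute, Gatekeeper skipped it
        "gatekeeper": gatekeeper,
        "codesign_deep_ok": c.returncode == 0,
        "codesign_stderr": c.stderr.strip(),
    }


if __name__ == "__main__":
    import json
    import sys

    # Usage (hypothetical path): python3 mac_triage.py /Applications/SomeDownloaded.app
    print(json.dumps(assess_app(sys.argv[1]), indent=2))
```

A quarantine value of None is itself a finding: the file never went through the download path Gatekeeper hooks, so nothing has vetted it. An "accepted" verdict with a codesign --deep --strict failure means the bundle carries code or resources its signature does not cover, which is exactly the shape of the bypass discussed in the episode above.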

WireLurker – WSWiR Episode 128

Mega Patch Day, Password Hijack, and WireLurker

What new security updates do I need? Are attackers exploiting new zero day attacks that affect me? Should I be concerned with any new attack campaigns? What can I learn from the latest network breaches? If you’ve asked yourself these questions, but don’t have time to find the answers, this is the weekly video for you. In it, I summarize the biggest security news from the week and explore what we might learn from it.

Today’s episode talks about the upcoming humongous Microsoft Patch day, explores a password hijack that succeeded despite good security practices, and covers two major threats that affect Apple’s OS X and iOS devices. Watch the video for details, and check out the links below for other interesting stories.

Have a safe and fun weekend!

(Episode Runtime: 11:20)

Direct YouTube Link: https://www.youtube.com/watch?v=PXJ1t23K5hY

— Corey Nachreiner, CISSP (@SecAdept)

Time to Polish Your Apple: OS X & Safari Updates

Severity: High

Summary:

  • These vulnerabilities affect: Apple OS X 10.6.x-10.8.x and Safari 6.0.4 and below
  • How an attacker exploits them: Multiple vectors of attack, including enticing your users into opening specially crafted files (often multimedia files), or visiting malicious websites
  • Impact: Various results; in the worst case, an attacker can execute code with your privileges
  • What to do: Install the appropriate OS X and Safari updates, or let Apple’s Software Updater do it for you.

Exposure:

Yesterday, Apple released two security updates to fix many vulnerabilities in OS X and Safari (Mac version only). If you use Mac computers, you should apply these significant updates quickly. I summarize Apple’s alerts below:

Apple released an update to fix vulnerabilities in all current versions of OS X. The update patches about 33 (number based on CVE-IDs) security issues in 11 of the components that ship as part of OS X, including QuickTime, OpenSSL, and Ruby. The flaws differ in scope and impact, but the worst allow attackers to execute code with your privileges simply by enticing you into viewing a malicious file. Most of these file handling issues involve multimedia files, such as movies and pictures. If you use a Mac, you should install the update as quickly as you can. See Apple’s alert for more detail on each flaw.

WatchGuard rating: Critical

Apple also released an update to fix about 26 security flaws in Safari for Mac (Apple seems to have discontinued supporting Safari for Windows). The majority of these are memory corruption issues that attackers could exploit to run arbitrary code on your Mac, with your privileges. Of course, they’d have to lure you to a web site with malicious code in order to trigger the attack. Many of these vulnerabilities are ideal for drive-by download attacks. Again, if you have a Mac, I recommend you patch Safari, even if you don’t use it as your primary browser. See Apple’s alert for more detail.

WatchGuard rating: Critical

Solution Path:

Apple has released updates for all these products. If you use Mac computers, you should download and install the updates as soon as you can, or let Apple’s Software Updater do it for you. That said, the OS X update is rather large, and will require a reboot, so plan that update accordingly.

Personally, I have not had any problems with Apple’s automatic updates, so I recommend you use the Automatic Updater to download and remind you of patches regularly, at least on your client machines (you may need to plan your OS X server updates more carefully).

For All WatchGuard Users:

Attackers can exploit these flaws using diverse exploitation methods. A properly configured UTM appliance can help mitigate the risk of some of these issues. That said, it cannot protect you from local attacks, nor can it prevent attacks that leverage normal HTTP traffic. Therefore, installing Apple’s updates is your best solution.

Status:

Apple has released patches correcting these issues.

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept)

Four Office-related Updates Fix Productivity Software Vulnerabilities

Severity: High

Summary:

  • These vulnerabilities affect: Microsoft Visio Viewer 2010, SharePoint Server 2010, OneNote 2010, and Outlook for Mac
  • How an attacker exploits them: Multiple vectors of attack, including luring your users into opening malicious Office documents, or into visiting malicious URLs
  • Impact: In the worst case, an attacker can execute code, potentially gaining complete control of your computer
  • What to do: Install the appropriate Microsoft updates as soon as you can, or let Windows Update do it for you.

Exposure:

Today, Microsoft released four security bulletins describing vulnerabilities in some of their Office-related productivity packages, including Visio Viewer, SharePoint, OneNote, and Outlook for Mac. We summarize the four security bulletins below, in order of severity:

  • MS13-023: Visio Viewer Code Execution Vulnerability

Microsoft Visio is a popular diagramming program, which many network administrators use to create network diagrams. Visio Viewer is a free program that anyone can use to view those diagrams. Visio Viewer suffers from a memory-related code execution vulnerability, having to do with the way it handles specially crafted Visio diagrams. If an attacker can entice one of your users into downloading and opening a maliciously crafted Visio document, he can exploit this vulnerability to execute code on that user’s computer, inheriting that user’s level of privileges. If your user has local administrative privileges, the attacker gains full control of the user’s machine. This flaw only affects the 2010 version of Visio Viewer.

Microsoft rating: Critical

  • MS13-024: Various SharePoint Vulnerabilities

SharePoint and SharePoint Foundation are Microsoft’s web and document collaboration and management platforms. They suffer from four different security issues, including a few elevation of privilege flaws, a Cross-Site Scripting vulnerability (XSS), and a Denial of Service (DoS) issue. By either enticing one of your users into clicking a malicious URL, or by inputting a specially crafted URL into a vulnerable SharePoint server, an attacker could exploit the worst of these flaws to gain elevated access to your SharePoint server, allowing him to view or change the documents your user could. These flaws only affect the latest 2010 version of SharePoint.

Microsoft rating: Critical

  • MS13-025: OneNote 2010 Information Disclosure Flaw

Microsoft OneNote is a digital notebook that provides you a place to easily take notes on your digital device. It ships with most recent versions of Office. OneNote suffers from an information disclosure flaw. If an attacker can entice one of your users into downloading and opening a maliciously crafted OneNote (.ONE) file, she can leverage this flaw to read arbitrary data from your computer’s memory. Depending on what you are doing on your computer at the time, this flaw could allow the attacker to gain access to some of your sensitive information, including usernames and passwords. The issue only affects the 2010 version of OneNote.

Microsoft rating: Important

  • MS13-026: Outlook for Mac Information Disclosure Flaw

Outlook for Mac (the Apple OS X version of Microsoft’s email client) suffers from a relatively minor information disclosure vulnerability having to do with how it previews certain HTML email messages. If an attacker can lure you into opening a specially crafted HTML email, they can verify your email address is accurate and confirm you previewed the message. At best, this vulnerability may help attackers enumerate valid email addresses for later use in their spam and phishing attacks. However, it does not give attackers any further access to your email messages or computer. For that reason, we believe it poses a fairly low risk.

Microsoft rating: Important

Solution Path

Microsoft has released updates that correct these vulnerabilities. You should download, test, and deploy the appropriate patches as soon as you can. If you choose, you can also let Windows Update automatically download and install these updates for you, though we recommend you test server patches before deploying them to production environments.

The links below take you directly to the “Affected and Non-Affected Software” section for each bulletin, where you will find links for the various updates:

For All WatchGuard Users:

Attackers can exploit these vulnerabilities using diverse methods. Though you can configure WatchGuard appliances to block some of the Office documents related to a few of these attacks, and you can leverage our security services to mitigate the risk of malware delivered via these attacks, we cannot protect you against all of them; especially the local ones. We recommend you apply Microsoft’s patches to best protect your network.

That said, our IPS signature team has developed new signatures that can detect and block some of the SharePoint attacks:

  • WEB Microsoft SharePoint Server Callback Function Vulnerability (CVE-2013-0080)
  • WEB Microsoft SharePoint XSS Vulnerability (CVE-2013-0083)
  • WEB Microsoft Share Point Directory Traversal Vulnerability -1 (CVE-2013-0084)
  • WEB Microsoft Share Point Directory Traversal Vulnerability -2 (CVE-2013-0084)
  • WEB Microsoft Share Point Directory Traversal Vulnerability -3 (CVE-2013-0084)

Status:

Microsoft has released updates to fix these vulnerabilities.

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).

Apple and Facebook Breaches Result in Multi-Platform Java Updates

If you’re still using Java, you need to patch it yet again—even if you’re using a Mac.

Over the last few days both Facebook and Apple have reported network breaches. In both cases, employees at those companies visited a particular web site that was infected with a zero day Java exploit, which then infected the victims with malware. Though Facebook and Apple admit that they found malware on their systems, both claim that there is no evidence suggesting the attackers stole any sensitive customer data.

With all the zero day Java vulnerabilities we’ve reported recently, this probably doesn’t come as a huge surprise. Attackers are obviously targeting this popular web plugin. Yet, this incident is a very significant admission from Apple. Not only does it prove what security professionals have been arguing for years—that Macs aren’t immune from malware—but it demonstrates that even large enterprises, like Apple are suffering from cyber attacks.

Attack disclosures aside, both Oracle and Apple have released Java security updates as a result of these attacks. Despite just releasing an earlier Java update this month, Oracle released yet another emergency update on February 19th, fixing five more security vulnerabilities in Java. If you use Java on Windows, Linux, or Solaris computers, you should go get that update immediately. Apple also released their own Java update for OS X today. If you’re a Mac user, you should also install either Java for OS X 2013-001 or Mac OS X v10.6 Update 13 immediately.

After repeated cases of zero day exploits over the past few months, you’ve probably discerned that Java is very dangerous right now. Apparently, it is rife with security holes and there is no doubt that attackers have focused their efforts on finding them before Oracle does. I’ve said this before, but if there is any way you can live without Java on your computer, you should remove it. Frankly, this advice is easier said than done. Unfortunately, many business applications (even some security ones) rely on Java to function. These applications may prevent you from removing Java immediately. That said, with the current prevalence of Java attacks, perhaps it’s time to re-evaluate any application that forces Java upon you.

— Corey Nachreiner, CISSP (@SecAdept)

Nasty RTFs Nudge Word Into Submission

Severity: High

Summary:

  • These vulnerabilities affect: Word (and Office) 2003 through 2010 for Windows (and related components)
  • How an attacker exploits it: By enticing one of your users to open a malicious RTF document
  • Impact: In the worst case, an attacker executes code on your user’s computer, gaining complete control of it
  • What to do: Install Microsoft’s Word update as soon as possible, or let Microsoft’s automatic update do it for you

Exposure:

As part of today’s Patch Day, Microsoft released a security bulletin describing a serious security vulnerability in the Windows version of Word — part of the Microsoft Office package. The flaw doesn’t affect the Mac versions, but does affect the Word Viewer and the Office Compatibility Pack.

The vulnerability stems from an unspecified memory corruption flaw having to do with how Word handles rich text format (RTF) documents. If an attacker can entice one of your users into downloading and opening a maliciously crafted RTF document, he can exploit the flaw to execute code on that user’s computer, usually inheriting that user’s level of privileges and permissions. If your user has local administrative privileges, the attacker gains full control of the user’s machine.

Solution Path

Microsoft has released Word and Office updates to correct these vulnerabilities. If you use Office or Word, download, test, and deploy the appropriate updates as quickly as possible, or let Windows Update do it for you.

You’ll find links to these updates in the “Affected and Non-Affected Software” section of Microsoft’s Word bulletin.

For All WatchGuard Users:

WatchGuard’s Gateway Antivirus and Intrusion Prevention services can often prevent these sorts of attacks, or the malware they try to distribute.

More specifically, our IPS signature team has developed a signature, which detects and blocks this Word RTF vulnerability:

  • EXPLOIT Microsoft Word RTF listoverridecount Remote Code Execution Vulnerability (CVE-2012-2539)

Your appliance should get this new IPS update shortly.
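The IPS signature above names the RTF control word at the heart of this bug, \listoverridecount, and the RTF specification says its parameter "should be either 1 or 9". That gives a content-based check you can run yourself on mail attachments or proxy-cached files while you wait for the patch to roll out. The scanner below is an added example, not WatchGuard’s signature logic and not Microsoft’s fix; flagging any value other than 1 or 9 is a heuristic, so treat hits as something to inspect rather than proof of an exploit. The function names and the three sample documents are mine and constructed for illustration.

```python
r"""Heuristic scanner for the RTF \listoverridecount abuse named in the IPS
signature above (CVE-2012-2539).

Added example, not WatchGuard's signature logic or Microsoft's fix.  It rests
on one fact from the RTF specification: \listoverridecountN "should be either
1 or 9".  Flagging every other value is a heuristic; a broken but harmless RTF
writer would trip it too, so treat hits as something to inspect, not proof.
"""
import re
from pathlib import Path

ALLOWED_COUNTS = {1, 9}                  # the values the RTF spec expects
CONTROL = re.compile(rb"\\listoverridecount(-?\d+)")
MAX_SCAN = 8 * 1024 * 1024               # cap how much of a file we read


def looks_like_rtf(data: bytes) -> bool:
    r"""Content check rather than extension check.

    Word sniffs the header, so a file named .doc that begins with an RTF
    group is opened as RTF, and it tolerates the abbreviated '{\rt' header
    that obfuscated samples use instead of the canonical '{\rtf1'.
    """
    return data.lstrip().startswith(b"{\\rt")


def scan_rtf(data: bytes) -> dict:
    r"""Report every \listoverridecount whose parameter is outside {1, 9}."""
    findings = []
    if not looks_like_rtf(data):
        return {"is_rtf": False, "suspicious": False, "findings": findings}
    for m in CONTROL.finditer(data):
        value = int(m.group(1))
        if value not in ALLOWED_COUNTS:
            findings.append({"offset": m.start(), "value": value})
    return {"is_rtf": True, "suspicious": bool(findings), "findings": findings}


def scan_path(path) -> dict:
    """Scan one file on disk (mail attachment quarantine, web proxy cache, ...)."""
    report = scan_rtf(Path(path).read_bytes()[:MAX_SCAN])
    report["path"] = str(path)
    return report


# Constructed samples for demonstration, not captured malware.
BENIGN_RTF = (b"{\\rtf1\\ansi{\\*\\listoverridetable{\\listoverride\\listid1"
              b"\\listoverridecount1\\ls1}}\\pard Hello\\par}")
SUSPICIOUS_RTF = (b"  {\\rt1\\ansi{\\*\\listoverridetable{\\listoverride\\listid1"
                  b"\\listoverridecount25\\ls1}}\\pard Hi\\par}")
NOT_RTF = b"PK\x03\x04 zip container (a .docx), not RTF at all"


if __name__ == "__main__":
    import json
    import sys

    if len(sys.argv) > 1:
        for target in sys.argv[1:]:
            print(json.dumps(scan_path(target)))
    else:
        samples = (("benign", BENIGN_RTF), ("suspicious", SUSPICIOUS_RTF), ("not_rtf", NOT_RTF))
        for name, blob in samples:
            print(name, json.dumps(scan_rtf(blob)))
```

Run it with no arguments to see the verdicts on the three constructed samples, or pass file paths to scan real attachments. Because the check keys on the header bytes and the control word rather than the file extension, it still fires on an RTF renamed to .doc, which is the usual delivery trick for this class of bug; a policy that blocks only the .rtf extension would miss it.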

You can also configure WatchGuard devices to block RTF documents. However, this will block all RTFs, whether legitimate or malicious. If you decide you want to block them, the links below contain instructions that will help you configure your proxy’s content blocking features for your device:

Status:

Microsoft has released Word updates to fix these vulnerabilities.

This alert was researched and written by Corey Nachreiner, CISSP.

Four Critical Spreadsheet Handling Flaws in Excel

Severity: Medium

Summary:

  • These vulnerabilities affect: Excel (and Office) 2003 through 2010 for Mac and PC (and related components)
  • How an attacker exploits it: By enticing one of your users to open a malicious Excel document
  • Impact: In the worst case, an attacker executes code on your user’s computer, gaining complete control of it
  • What to do: Install Microsoft’s Excel updates as soon as possible, or let Microsoft’s automatic update do it for you

Exposure:

As part of today’s Patch Day, Microsoft released a security bulletin describing four vulnerabilities found in Excel — part of Microsoft Office for Windows and Mac. The flaws also affect the Excel Viewer and the Office Compatibility Pack.

Though the four vulnerabilities differ technically, they are all memory corruption issues which share the same scope and impact. If an attacker can entice one of your users into downloading and opening a maliciously crafted Excel document, he can exploit any of these vulnerabilities to execute code on a victim’s computer, usually inheriting that user’s level of privileges and permissions. If your user has local administrative privileges, the attacker gains full control of the user’s machine.

Solution Path

Microsoft has released Excel and Office updates to correct these vulnerabilities. If you use Office or Excel on a PC or Mac, download, test, and deploy the appropriate updates as quickly as possible, or let Windows Update do it for you.

You’ll find links to these updates in the “Affected and Non-Affected Software” section of Microsoft’s Excel security bulletin.

For All WatchGuard Users:

WatchGuard’s Gateway Antivirus and Intrusion Prevention services can often prevent these sorts of attacks, or the malware they try to distribute.

More specifically, our IPS signature team has developed four signatures, which can detect and block these new Excel file handling vulnerabilities:

  • EXPLOIT Microsoft Excel SST Invalid Length Use After Free Vulnerability (CVE-2012-1887)
  • EXPLOIT Microsoft Excel Memory Corruption Vulnerability (CVE-2012-1886)
  • EXPLOIT Microsoft Excel SerAuxErrBar Heap Overflow Vulnerability (CVE-2012-1885)
  • EXPLOIT Microsoft Excel Stack Overflow Vulnerability (CVE-2012-2543)

Your appliance should get this new IPS update shortly.

You can also configure certain WatchGuard devices to block Microsoft Excel documents. However, this will block all Excel documents, whether legitimate or malicious. If you decide you want to block Excel files, the links below contain instructions that will help you configure your proxy’s content blocking features for your device:

Status:

Microsoft has released Excel updates to fix these vulnerabilities.

This alert was researched and written by Corey Nachreiner, CISSP.