Posted by: David Harley | March 23, 2013

Apple and authentication: another glitch

The Verge yesterday reported that “Major security hole allows Apple passwords to be reset with only email address, date of birth” which pretty much sums up the story, except that the 4th update to the story indicates that the vulnerability has been fixed. It’s worth noting that the exploit apparently didn’t work where Apple’s new two-factor authentication was enabled. Unfortunately, it turns out that the sign-up process for that also has some problems: some people have been told that they can’t sign up for three days. (Tested and confirmed by Sophos.)

So, as Paul Ducklin also pointed out in the Sophos blog, it’s been something of a “good-bad-good-bad week” for Apple, security-wise.

Hat tip to Anders Nilsson for drawing my attention to the issue.

David Harley 
Small Blue-Green World
ESET Senior Research Fellow

Posted by: David Harley | March 22, 2013

More on Yontoo.1

Nice post from my ESET colleague Stephen Cobb on Yontoo: From flicks to clicks: Mac OS X Trojan Adware.Yontoo infects via fake codec.

Previously noted here and additional commentary from John Leyden for The Register here.

David A. Harley
Small Blue-Green World
ESET Senior Research Fellow

Posted by: David Harley | March 22, 2013

Intego in myth-busting mode

Intego’s Lysa Myers has a nice article in USA Today on Myths about malware that refuse to die. Stuff that AV researchers are all-too-used to hearing, but a debunking job well done. But I’d expect no less.

Nothing Mac-specific in that article – which doesn’t mean that Mac users couldn’t learn anything from it – but a follow-up article on the Intego blog makes up for that: 5 More Mac Malware Myths and Misconceptions looks at misapprehensions that continue to be broadcast despite all the evidence to the contrary over the last few years.

David Harley 
Small Blue-Green World
ESET Senior Research Fellow

Posted by: David Harley | March 22, 2013

Apple two-factor authentication

Kevin Townsend gathers some expert opinion for Infosecurity Magazine on Apple’s venture into optional two-step authentication using trusted devices in Apple rolls out 2-factor authentication. Perhaps I should say ‘some expert opinion plus mine’ :)

While I have a slight reservation about the way in which the service is presented, I think the idea is a good step forward for Apple ID users. The only weak point right now is the lock-screen bypass in iOS 6.1.3, provided that people do actually realize that they need to take steps to protect a trusted device, not only in terms of physical security but also in terms of hampering unauthorized access.

David Harley CITP FBCS CISSP
Mac Virus/Small Blue-Green World
ESET Senior Research Fellow

Posted by: David Harley | March 22, 2013

iOS: new screen bypass bug

Who’d be Apple? Fix a bug, find another, fix it, find another…

I may have a little more to say on this later…

David Harley CITP FBCS CISSP
Small Blue-Green World
ESET Senior Research Fellow

Posted by: David Harley | March 20, 2013

Yontoo adware Trojan [updated]

DrWeb tells us that Trojan.Yontoo.1 leads among new adware Trojans for Mac. The adware downloads and installs an adware browser plugin onto an infected system.

Also discussed in the Hacker News. (Also at The Next Web)

David Harley

Posted by: David Harley | March 16, 2013

iOS forensics

Something a little different: a paper at the SANS Reading Room by Tim Proffitt.

Forensic Analysis on iOS Devices

Even if you’re not interested in forensics, you might find the insight into iOS internals of use and interest.

Insert your own pun about ‘hacking for fun and Proffitt’ here.

David Harley CITP FBCS CISSP
Small Blue-Green World
ESET Senior Research Fellow

Posted by: David Harley | March 15, 2013

Java bug was still biting Lion and Mountain Lion [updated]

[Updated to take account of a link forwarded by Randy Knobloch]

Some of my eagle-eyed colleagues in the security industry have noted something kind of interesting in the (copious) latest updates from Apple, namely the fix for CVE-2013-0967, which Apple describes as follows:

Available for: OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5, OS X Mountain Lion v10.8 to v10.8.2

Impact: Visiting a maliciously crafted website could allow a Java Web Start application to be launched automatically even if the Java plug-in is disabled

Description: Java Web Start applications would run even if the Java plug-in was disabled. This issue was addressed by removing JNLP files from the CoreTypes safe file type list, so the Web Start application will not be run unless the user opens it in the Downloads directory.

Paul Ducklin notes for Sophos:

It’ll be something of a surprise for anyone who was relying on Apple’s new-found strictness against Java to find that turning Java off in your browser didn’t necessarily have the desired effect!
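The practical question behind that advisory is whether a given Mac still has JNLP on the Launch Services "safe" list, because it is that list, not the browser plug-in setting, that decides whether Safari's "Open 'safe' files after downloading" option will hand a freshly downloaded .jnlp straight to Java Web Start. The following script is an added example, not code from the original post or from Apple: it parses a CoreTypes-style Info.plist and reports the risk category recorded for each file extension. The plist layout (UTExportedTypeDeclarations entries carrying an LSRiskCategory key) is assumed from Apple's Launch Services documentation, the Web Start identifier used in the sample is an assumption, and the two sample registries are constructed here to mirror the pre-patch and post-patch states the advisory describes.

```python
import plistlib
import sys

# Launch Services risk categories as documented by Apple for UTI declarations.
# Files whose type is LSRiskCategorySafe are the ones Safari's
# "Open 'safe' files after downloading" option will open automatically.
SAFE = "LSRiskCategorySafe"
UNSAFE_EXEC = "LSRiskCategoryUnsafeExecutable"

# Default location of the system type registry on OS X (not read by the samples below).
CORETYPES_PLIST = "/System/Library/CoreServices/CoreTypes.bundle/Contents/Info.plist"


def declared_types(plist_bytes):
    """Yield (uti, [extensions], risk_category) for every UTI declared in the plist.

    Layout assumed: UTExportedTypeDeclarations / UTImportedTypeDeclarations arrays
    of dicts carrying UTTypeIdentifier, UTTypeTagSpecification and, optionally,
    LSRiskCategory, as in Apple's Launch Services key documentation.
    """
    info = plistlib.loads(plist_bytes)  # autodetects XML and binary plists
    for key in ("UTExportedTypeDeclarations", "UTImportedTypeDeclarations"):
        for decl in info.get(key, []):
            tags = decl.get("UTTypeTagSpecification", {})
            exts = tags.get("public.filename-extension", [])
            if isinstance(exts, str):  # a single extension may be a bare string
                exts = [exts]
            yield (decl.get("UTTypeIdentifier", "?"),
                   [e.lower() for e in exts],
                   decl.get("LSRiskCategory"))


def safe_extensions(plist_bytes):
    """All filename extensions the registry marks as safe to auto-open."""
    return {ext for _uti, exts, risk in declared_types(plist_bytes)
            if risk == SAFE for ext in exts}


def risk_of_extension(plist_bytes, ext):
    """Risk category recorded for an extension, or None if it has no category."""
    ext = ext.lower().lstrip(".")
    for _uti, exts, risk in declared_types(plist_bytes):
        if ext in exts:
            return risk
    return None


def jnlp_auto_opens(plist_bytes):
    """True when .jnlp is on the safe list, i.e. the pre-CVE-2013-0967 state."""
    return risk_of_extension(plist_bytes, "jnlp") == SAFE


def _registry(jnlp_risk):
    """Constructed sample registry (not Apple's real file); only the JNLP entry varies."""
    jnlp = {"UTTypeIdentifier": "com.sun.java-web-start",  # assumed identifier
            "UTTypeTagSpecification": {"public.filename-extension": ["jnlp"],
                                       "public.mime-type": "application/x-java-jnlp-file"}}
    if jnlp_risk:
        jnlp["LSRiskCategory"] = jnlp_risk
    return plistlib.dumps({"UTExportedTypeDeclarations": [
        {"UTTypeIdentifier": "public.jpeg",
         "UTTypeTagSpecification": {"public.filename-extension": ["jpeg", "jpg"]},
         "LSRiskCategory": SAFE},
        {"UTTypeIdentifier": "com.apple.application-bundle",
         "UTTypeTagSpecification": {"public.filename-extension": "app"},
         "LSRiskCategory": UNSAFE_EXEC},
        jnlp,
    ]})


PRE_PATCH = _registry(SAFE)    # JNLP listed as safe: Web Start launches on download
POST_PATCH = _registry(None)   # JNLP removed from the safe list, as the fix describes


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else CORETYPES_PLIST
    try:
        with open(path, "rb") as fp:
            data = fp.read()
    except OSError as err:
        print("cannot read %s (%s); showing constructed samples instead" % (path, err))
        for label, data in (("pre-patch", PRE_PATCH), ("post-patch", POST_PATCH)):
            print(label, "safe:", sorted(safe_extensions(data)),
                  "jnlp auto-opens:", jnlp_auto_opens(data))
    else:
        print("jnlp risk category:", risk_of_extension(data, "jnlp"))
        print("jnlp auto-opens:", jnlp_auto_opens(data))
```

Two caveats worth keeping in mind whatever the script reports: unticking "Open 'safe' files after downloading" in Safari's preferences stops the automatic launch regardless of what the registry says, and, as Apple's own description notes, a user who opens the downloaded .jnlp from the Downloads folder will still run the Web Start application, so the fix removes the drive-by path rather than the file type.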

Randy Knobloch (yet another hat tip) drew my attention to an article by Gregg Keizer that points out an apparent shift in Apple update policy:

Apple also patched Macs running Lion and Snow Leopard with Security Update 2013-001. The Snow Leopard update was notable because it arrived a record eight months after the introduction of Mountain Lion, reinforcing the idea that Apple has changed its support policy and will patch “n-2,” where “n” is the current edition of OS X.

Keizer attributes this shift to “the refusal of Snow Leopard to go away“, given that as of last month 28% of Macs were still running 10.6.x. He also points out, however, that there will be no further support for Java 6, and Java 7 runs only on Lion and Mountain Lion.

David Harley
Small Blue-Green World
ESET Senior Research Fellow

Posted by: David Harley | March 14, 2013

Gatekeeper, Xprotect, and commercial AV

More comment from Intego on the Pintsize issue previously mentioned here (and many other places, in more detail…): More Details Surface About Recent Apple “Hack”

Almost as interesting is a comment made to that article from someone who suggests that if AV doesn’t detect unknown malware, that helps justify his not using it on his Mac. I’d say that’s a better justification for not relying on AV (or any other single layer of protection), and in fact that’s not too dissimilar to Lysa Myers’ response to that comment.

However, I suspect that what the first comment was about was the assumption that once a threat is known, Apple itself will build detection into OS X, as it has indeed been doing quite consistently for a while now. However, even if we can assume that Apple’s response will be as timely as that of a commercial product, I’m not sure you can assume it will be as effective in terms of heuristic detection of future variants as a specialist product. Perhaps I should come back to the Apple versus commercial AV product question again: I’ve a feeling that argument will run and run…

David Harley 

Posted by: David Harley | March 14, 2013

Anti-adware apps out for a Googly

Well, I am English. How could I possibly resist a cricketing pun? Especially since Google itself decided to call its own app screening mechanism Bouncer?

However, Paul Ducklin has drawn our attention to the fact that Google, while in the process of adding its own detection of known malicious apps to Android, has chosen to remove a number of ad-blocking apps from Google Play, citing section 4.4 of the Developer Distribution Agreement. This prohibits developers from activities that disrupt or access without authorization any third party’s devices, services, servers or networks. That’s fine insofar as it facilitates the removal by Google itself of certain types of malicious software, and you may even think it’s reasonable – or sound business practice – for Google to prioritize the desire of companies that pay Google to advertise over the desire of some Android users not to receive advertising. Even so, the wording of the Agreement doesn’t make any exception for nuisances or unequivocally malicious software, and that leaves it open to Google to take the same action against other types of security product.

It seems unlikely that Google would intentionally defend the rights of the authors of Android Trojans, but it’s not a long step from adware to ‘potentially unwanted’ – well, clearly those who install apps like AdAway don’t want ads – and Google has shown a tendency to hostility towards security vendors in the past.

(Additional research by Buffy the Umpire Slayer.)

David Harley CITP FBCS CISSP
Small Blue-Green World
