Friday, November 16, 2012

Apple Updates XProtect Functionality

Without any fanfare, Apple added new functionality to the Safe Downloads List (XProtect) feature of Mac OS X in late September. The new feature allows Apple to block certain known-vulnerable versions of browser plug-ins such as Oracle Java and Adobe Flash Player.

Apple is currently only blocking certain very old versions of Flash Player and one particular version of the Java plug-in. More recent versions of these plug-ins with numerous publicly exploited vulnerabilities are not currently blocked by Apple, so in practice this feature does not currently provide a lot of protection.

More details about recent XProtect updates can be found in my article at The Mac Security Blog:

Apple Updates XProtect Malware Definitions for Latest Imuler Variant

For more from the JoshMeister on Security, please subscribe via e-mail or RSS, or follow me on Twitter or .

Friday, September 7, 2012

Is Apple Still Releasing Snow Leopard Updates?

Is Apple still releasing security updates for Mac OS X v10.6 Snow Leopard? Oddly, the answer isn't a simple yes or no.

In the past, Apple typically released security updates only for the current and one previous version of OS X. However, Apple recently switched from a roughly two-year OS cycle to a yearly cycle, and this may or may not have changed how long Apple will continue releasing security updates for previous versions of its desktop operating system.

So far, Apple has been releasing Java security updates for Snow Leopard since the release of OS X v10.8 Mountain Lion (which was released approximately one year after OS X v10.7 Lion and three years after Snow Leopard). However, Apple has NOT been releasing updates for the Snow Leopard version of Safari, the browser that comes bundled with Mac OS X.

While Microsoft makes known to the public exactly how long its operating systems and software will be patched, Apple makes no such public disclosure.

Read my article at The Mac Security Blog for more information:

Apple's Java Update Surprise for Snow Leopard

UPDATE, 7 Jan 2013: Net Applications has released its Web traffic analytics for December 2012, which indicate that Snow Leopard accounts for just over 29% of Web traffic from Macs—slightly higher than Lion which accounts for just over 28%. Both are only slightly behind Mountain Lion at just over 32%. The percentages are roughly the same when filtering for Macs browsing with Safari.

Given the apparently high percentage of Mac users still browsing Web sites on Snow Leopard, in my opinion it is inexcusable for Apple to no longer release security updates for the Snow Leopard version of Safari. At the very least, Apple should warn these users (and Windows Safari users) that their browser is no longer being updated and is no longer safe to use online.

Wednesday, August 1, 2012

What to Do if Your Mac Can't Run Mountain Lion

With each successive version of Apple's Mac OS X operating system, more Mac hardware gets left behind. The recent release of OS X Mountain Lion (v10.8) is no exception.

There are some good reasons why Apple might drop support for older hardware. For example, Apple might want to clear out legacy code to make its software run more efficiently on newer computers, and some brand new or updated features of the OS may run much better on newer hardware.

On the other hand, one could argue that it's also in Apple's best interest to enforce scheduled hardware obsolescence so the company can generate revenue from new hardware sales.

Whereas Microsoft makes the operating system but not the hardware—and thus generates more profits by continuing to support very old PCs with each new version of Windows—Apple makes both the hardware and the operating system. At $29.99 per OS upgrade (or apparently $19.99 annually beginning with Mountain Lion), it's clear that Apple stands to make a lot more money by getting customers to buy a $1000+ Mac every 5 or 6 years (and perhaps a few OS upgrades in between) rather than merely sell them $100 worth of OS upgrades over the same time period.

And so with Mountain Lion, Apple has dropped a lot more hardware. Every Mac made before mid-2007—and even some 2008 models—is no longer supported by Apple's latest desktop operating system.

So what can you do if your Mac is no longer supported? I've written an in-depth article covering which models are supported by Mountain Lion, which Macs max out at Lion, and why Snow Leopard may no longer be completely safe to use—and what you can do if you're stuck with an unsupported Mac. Read the full article on The Mac Security Blog:

What to Do if Your Mac Can't Run Mountain Lion

Monday, July 30, 2012

Windows and Snow Leopard: No More Safari Security Updates

To coincide with the release of Mac OS X v10.8 Mountain Lion, Apple also released the new Safari 6 Web browser (which comes with Mountain Lion) for OS X v10.7 Lion.

Not surprisingly, Apple did not release the new browser for Mac OS X v10.6 Snow Leopard, which was released 3 years prior to Mountain Lion and is now two major OS versions old.

However, what is surprising is that Apple did not release the Safari update for Windows, either. Nor did Apple release a security-only patch for the Windows or Snow Leopard versions of Safari 5.1 to close the 121 security vulnerabilities fixed in Safari 6.0.

This means that anyone still using Safari on Windows or Snow Leopard is unknowingly leaving their system vulnerable to exploitation and infection.

Read the detailed article I wrote for Sophos Naked Security for more information:

Where are the Safari security updates for Windows and Snow Leopard? Users left exposed

UPDATE, 7 Jan 2013: Apple has since released Safari 6.0.1 and 6.0.2, patching an additional 63 vulnerabilities. No corresponding security updates have been released for the Windows or Snow Leopard versions of Safari.

See also Is Apple Still Releasing Snow Leopard Updates?

Wednesday, July 25, 2012

Windows Malware Found in iOS App Store

Yes, you read that headline correctly.

Yesterday it was discovered that a Windows worm was embedded inside an iOS application. The app, called "Instaquotes-Quotes Cards for Instagram," was available in the iOS App Store from July 19 through July 24. It contained two infected files:


This is unlikely to have caused any actual harm to anyone's systems given that iPhones and iPads can't run Windows programs, and any Windows user who may have downloaded the infected iOS app would have had to manually extract an .exe file and consciously decide to run it on his or her PC.

The most interesting part of this discovery is that it seems to indicate that Apple may not be scanning apps for viruses as part of its vetting process. Let's hope Apple adds this to the app approval checklist right away.

Please see my article at Sophos Naked Security for more details.

Meanwhile, Mac antivirus firm Intego reported yesterday that it had discovered new Mac malware, which the company dubbed OSX/Crisis (Sophos identifies it as OSX/Morcut-A). Intego said that as of yesterday, the malware had not yet been found in the wild.

Friday, July 13, 2012

Hacked E-mails and Web Sites Pushing Weight Loss Drug Spam

A recent hack/spam/fraud campaign has recently been flooding the Internet with weight loss spam. I began investigating this on Tuesday night when a close relative's e-mail account was hacked.

On Wednesday, Sophos' Fraser Howard wrote up lots of details about this campaign on Naked Security. The article has lots of screenshots so you can see exactly what the e-mails, hacked sites, and spam sites look like.

If your e-mail account or Web site has been compromised, please read that article.

One side note before I continue: if you're using AOL Mail for your personal e-mail and you ever want to check it via the Web when connected to a public Wi-Fi network, don't. The current mobile version of the AOL Mail site does not offer any option for securing the connection, and the non-mobile version isn't completely secure either. If you must use AOL for some reason, set up an e-mail application to connect to AOL's IMAP and SMTP servers over SSL/TLS using these instructions (it's even easier for iPhone, iPad, and iPod touch users).

In my opinion, though, you're better off switching to Gmail, arguably the most security-conscious personal e-mail provider, and enable two-factor authentication (and preferably configure it to text you at a different phone number than that of the device you're using to check your mail).

And no matter which e-mail provider you use, never check your e-mail or type any passwords at a public kiosk (such as those you might find at a library or hotel).

Anyway, back to the hack/spam/fraud campaign...

I collected information from a few different e-mails sent from my relative's hacked e-mail account and used this to begin my search. Google searches were immensely helpful in finding hacked Web sites.

In total I discovered 366 hacked sites that are currently hosting pages that usually redirect to fake Fox News sites with "articles" advertising an "HCG Ultra Drops" weight loss drug. The hacked domains hosted various files with any of 76 file names, and these files linked to about 30 fake news domains.

Those numbers are just the tip of the iceberg.

Every time I searched Google for another of the file names, I found more file names and more fake news domains. I only did comprehensive searching of Google for 11 out of the 76 file names before I had to force myself to call it quits (I do have a life, you know).

To any budding security researchers who may want to continue my work, here are the 76 file names I'm aware of, with Google links for each one. I thoroughly searched the first 11 (the ones with an asterisk):

jjllrt.html*, rehrt.html*, oelas.html*, dofpla.html*, efkcnsd.html*, lkdndrb.html*, mdnnka.html*, golrua.html*, dfgseg.html*, nvlauty.html*, rumyn.html*, xxxxt.html, xxklfd.html, cnmasd.html, llkdr.html, ttfbm.html, ggtero.html, owgle.html, uibjrq.html, tstx.html, dfgqp.html, rtvea.html, weelk.html, gjrhbd.html, pagnrk.html, upmfks.html, polmtn.html, xntsb.html, ollsn.html, jtosag.html, olgrus.html, olgruss.html, ghehgs.html, klang.html, lgkssa.html, ptmase.html, nsdlls.html, tyusa.html, sorrbn.html, fhgre.html, tttt.html, therpo.html, wpxml.html, eadfs.html, toshy.html, csndra.html, dfpois.html, uimnf.html, ollfje.html, doremj.html, mlllka.html, wrehge.html, jhglpd.html, llxsa.html, ppuds.html, otldcv.html, pscda.html, chopa.html, hslkgs.html, kmbre.php, oosdn.php, pprds.php, phnll.html, ssddl.html, xclrp.html, etropk.html, resus.html, pgflls.html, rldka.html, trifr.html, vbepo.html, gmolad.html, lgkesa.html, tjgey.html, toepr.html, vvert.html

If you manage any Web servers, be sure to check your servers for any file names like the ones above. If you find any evidence that your server has been compromised, don't merely delete the files. Assume the worst. Restore your server from a clean backup if possible, scan for rootkits and other malware (and get a second opinion, for example from Windows Defender Offline or another antivirus boot disc), change all passwords on the server (and be sure to use good, strong, long, and unique passwords; if you need some advice, read the detailed explanations of what makes a password secure at GRC's perfect passwords and password haystacks pages), disable any services you don't use, and make sure all the software on the server is up-to-date and has all the latest security patches.

Many of these files have at most a 14 out of 42 detection rate on VirusTotal (see the scan results for chopa.html, csndra sample 2, dfgseg.html, nvlauty.html, resus.html, rumyn.html, trifr.html, tstx.html sample 1, tstx.html sample 2). Avast, BitDefender, F-Secure, GData, Kaspersky, Norman, nProtect, and Sophos seem to offer pretty consistent detection of most files, and Antiy-ATL, Avira AntiVir, Comodo, Emsisoft, Fortinet, Ikarus, TrendMicro-HouseCall, and ViRobot have hit-or-miss detection, for these files under the following malware names:

HTML:Refresher-A, HTML:Refresher-A [Trj], HTML.A.Redirector.174, HTML.A.Redirector.176.D, HTML.A.Redirector.176.E, HTML.Refresher, HTML.Refresher!IK, HTML/Redirect.EM, HTML/Redirector.AM!tr, Redirector.FL, TROJ_GEN.RCBH1GD, TROJ_GEN.RFFH1G4, TROJ_GEN.RFFH1G5, Troj/Redir-O, Trojan.HTML.Redirector, Trojan.HTML.Redirector!IK, Trojan.HTML.Redirector.AI, Trojan/HTML.Redirector, UnclassifiedMalware, W32/Redir.O!tr

Note that many popular anti-virus vendors, including but not limited to AVG, ClamAV, Dr.WEB, McAfee, Microsoft (Security Essentials, Forefront), Symantec (Norton), and Panda (Cloud Antivirus), do not currently detect the redirection files as malicious.

If a victim browses to one of these pages, it will briefly display a message before redirecting, usually "You are here because one of your friends have invited you. Page loading, please wait...."

I came across one file (trifr.html) with a different message: "You are here because one of your friends have invited you to try our FREE TRIAL!!! Page loading, please wait...." This page redirected to a site advertising the weight loss drug, but this time it wasn't a fake Fox News site (see the last domain in the list below).
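The following script is an added example of the server check recommended above; it is not code from the original post or from Sophos. It walks a web root and flags files on three grounds: a file name from the list of 76 above, the lure text the post says the pages display before redirecting, and a meta-refresh tag pointing at an external URL. That the redirect is implemented with a meta refresh is an assumption of this example (the post does not say how the pages redirect; the detection names above merely suggest it). The sample web root it builds in a temporary directory is constructed for the demonstration, and the host names in it are placeholders.

```python
import os
import re
import tempfile

# Subset of the file names the post reports on compromised servers.
KNOWN_REDIRECT_NAMES = {
    "jjllrt.html", "rehrt.html", "oelas.html", "dofpla.html", "efkcnsd.html",
    "lkdndrb.html", "mdnnka.html", "golrua.html", "dfgseg.html", "nvlauty.html",
    "rumyn.html", "chopa.html", "csndra.html", "resus.html", "trifr.html",
    "tstx.html", "kmbre.php", "oosdn.php", "pprds.php",
}

# Text the post says the pages display briefly before redirecting.
LURE_PHRASES = (
    "You are here because one of your friends have invited you",
    "Page loading, please wait",
)

# Assumption: the redirect is a <meta http-equiv="refresh" content="N; url=...">
# tag. The regex captures the target URL, case-insensitively.
META_REFRESH = re.compile(
    r'<meta[^>]+http-equiv\s*=\s*["\']?refresh["\']?[^>]*url\s*=\s*["\']?([^"\'>\s]+)',
    re.IGNORECASE,
)


def scan_webroot(root, max_bytes=64 * 1024):
    """Return a sorted list of (relative_path, [reasons]) for suspicious files.

    Only small .html/.htm/.php files are read, since the lure pages are tiny;
    large files are still checked by name.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            reasons = []
            path = os.path.join(dirpath, name)
            if name.lower() in KNOWN_REDIRECT_NAMES:
                reasons.append("known redirect file name")
            if name.lower().endswith((".html", ".htm", ".php")):
                body = ""
                try:
                    if os.path.getsize(path) <= max_bytes:
                        with open(path, "r", encoding="utf-8", errors="replace") as fh:
                            body = fh.read()
                except OSError:
                    pass  # unreadable file: fall back to name-only evidence
                if any(phrase in body for phrase in LURE_PHRASES):
                    reasons.append("contains lure text")
                match = META_REFRESH.search(body)
                if match and match.group(1).lower().startswith(("http://", "https://")):
                    reasons.append("meta refresh to external URL: " + match.group(1))
            if reasons:
                findings.append((os.path.relpath(path, root), reasons))
    return sorted(findings)


def build_sample_webroot():
    """Constructed sample tree (not real data): one clean page and two planted
    redirect pages, one with a known name and one hiding under a normal name."""
    root = tempfile.mkdtemp(prefix="webroot_")
    os.makedirs(os.path.join(root, "images"))
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write("<html><body><h1>Our church</h1></body></html>")
    with open(os.path.join(root, "chopa.html"), "w") as fh:
        fh.write('<html><head><meta http-equiv="refresh" '
                 'content="0;url=http://news.example/article"></head>'
                 '<body>You are here because one of your friends have invited you. '
                 'Page loading, please wait....</body></html>')
    with open(os.path.join(root, "images", "about.php"), "w") as fh:
        fh.write('<?php ?><META HTTP-EQUIV="Refresh" CONTENT="1; URL=http://diet.example/">')
    return root


if __name__ == "__main__":
    for rel_path, why in scan_webroot(build_sample_webroot()):
        print(rel_path, "->", "; ".join(why))
```

Run it against a real document root by calling scan_webroot("/path/to/htdocs"). A hit on name alone is weak evidence (a legitimate file can share a short random-looking name), whereas lure text or an external meta refresh in a file you did not publish is strong evidence, and, as the post says, the right response is to treat the server as compromised rather than just delete the file.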

Following are the 30 fake news domains. The five with an asterisk are actually fake "7 Money News" sites with the headline "Work At Home Mum Makes $10,397/Month Part-Time" rather than fake Fox News sites with a headline of "HCG Ultra Drops to Help Your Weight Drop" like the first 25. The 31st domain listed below just advertises the weight loss drug without a fake news motif, but it was also linked from one of the files listed above. Note that these links lead to the Web of Trust reports, not the spamvertised domains themselves: [list of 31 domains not preserved in this copy]

Here are the 366 hacked domains that are currently hosting one or more of the files listed above. Again, these are links to Web of Trust reports, not the hacked domains themselves: [list of 366 domains not preserved in this copy; one entry carried the note "(a Turkey government domain... whoops)"]

It's clear looking through this list that very few locales and types of organizations have been spared from attacks by this hack-and-spam campaign. Churches, porn sites, government sites, and more have been compromised. You'll notice a surprising number of TLDs in there as well, representing a huge variety of countries and cultures (for example: .ar, .au, .ba, .bd, .be, .bg, .br, .ca, .cl, .cn, .cr, .cz, .de, .ec, .ee, .es, .eu, .fr, .gr, .hk, .hu, .il, .in, .it, .jm, .jp, .lt, .lv, .kg, .kw, .mc, .mx, .nl, .np, .pl, .ro, .rs, .sk, .th, .tr, .uk, .uy, .vn, .za, and even .cat).

Again, I recommend reading the Sophos article about this hack/spam/fraud campaign for additional tips on how to protect your e-mail accounts and Web servers.

UPDATE, 14 July 2012: I've added anti-virus detection information for some of the redirect files. I also added details about the messages displayed momentarily before a page redirection occurs.

Sunday, July 1, 2012

On Mac and iOS Security, a Twitter Hack Epidemic, and Bindaas Spaces Spam

Here are links to a few articles I wrote recently for Sophos' award-winning blog, Naked Security, that I haven't mentioned yet on the JoshMeister on Security.

After the Sophos article links and descriptions, keep reading for some tidbits about the Bindaas Spaces spam group and more.
  • How secure are Apple's iPhone and iPad from malware, really? (29 June 2012)
    In the five years since the first iPhone was released, there has never been a serious known case of iOS malware on a non-jailbroken device.
    But should users really be congratulating Apple for iOS devices' apparent security?

    I wrote this article in response to a recent tweet from F-Secure's CRO, Mikko Hypponen:

  • Do the Mac App Store and Gatekeeper provide sufficient protection? (21 June 2012)
    Apple is pushing its users more and more to download apps from the Mac App Store. But what happens if the software on the Mac App Store is less secure than non-App Store versions?
    The article mentions (among many other things) that Apple is dragging its feet at approving the recent security update for Opera. The browser has now been outdated in the Mac App Store for over 2 weeks and counting; Apple has yet to approve 11.65.

  • Twitter account hack epidemic - Don't fall for "CNBC" spam! (20 June 2012)
    Throughout the month of June, Twitter accounts have been getting hacked and have subsequently been sending spam that links to fake CNBC news articles. Be cautious about links in direct messages or tweets, even if they're sent from a friend's account!

Bindaas Spaces spam still persists
I just updated my article about the Bindaas Spaces spam group based in India. Yep, they're still in operation after no less than 5 years of sending spam and refusing to let people opt out. Unfortunately, their operation doesn't seem to be big enough to get much attention, so I've been one of very few people trying to bring their activities into the public spotlight.

Here are the Web of Trust reports for the two domains I just added:

The company being advertised calls itself "Abhinav Institute of Technology & Management," and it claims to offer degrees and certificates. However, the site does not say anything about its accreditation status, which implies it is not accredited.

Oddly, the site's only contact information is a Gmail address. There's nothing wrong with Gmail; I strongly recommend it for personal e-mail accounts because its focus on security is unrivaled. However, companies should really have e-mail at their own domain in order to look professional. (If nothing else, they can use Google Apps for Business which gives them all the benefits of Gmail and more, but with their own domain in their e-mail addresses.)

Between engaging in blatant unsolicited spam, lack of accreditation acknowledgement, and unprofessional contact information, this supposedly degree-granting "institute" and its site are devoid of credibility.

How to Preview Shortened URLs: More interesting than LOST, apparently
On a more personal and lighthearted note, I just discovered that my popular article on How to Preview Shortened URLs (which I originally wrote in 2009 and updated again in June) has nearly as many pageviews as my entire LOST blog, which I thought was fairly popular back when the TV show was on the air.

Thursday, June 14, 2012

Apple Turning Over New Leaf About Mac Security

I was surprised while watching Apple's Worldwide Developers Conference (WWDC) keynote on Monday when Craig Federighi mentioned the upcoming OS X feature "Gatekeeper, to help keep your system free from malware."

As far as I'm aware, this is the first time Apple has ever acknowledged the existence of Mac malware in a keynote address.

I commented in my article over at Sophos' Naked Security blog that
"This may indicate a shift in the right direction for Apple in terms of openly recognizing the imperfections of its security. It's certainly a far cry from Apple's "Hello, I'm a Mac" television advertisements from 2006-2009, which strongly (and falsely) implied that Macs were invulnerable to infection."
(For more of my observations about security and privacy in the keynote—the good and the bad—see my full article.)

Today, Kevin McLaughlin, senior editor for CRN, observed that "Apple recently changed the wording in the 'Why You'll Love A Mac' section of its Web site, removing longstanding claims about Macs being more secure than Windows PCs."  Note the major differences (image credit CRN):

McLaughlin had thoughts very similar to mine about the seeming shift in thinking about security at Apple. Check out McLaughlin's interesting two-page article for more of his thoughts as well as insights from others in the security industry.

Thursday, May 24, 2012

Yahoo! Axis Chrome Extension Leaks Own Private Key

Here's a link to my latest article published at Sophos' award-winning blog, Naked Security:
  • Yahoo! leaks its own private key via new Axis Chrome extension (24 May 2012)

    Yahoo! just released a new iOS browser called Axis, along with corresponding extensions for desktop browsers Chrome, Firefox, Safari, and Internet Explorer 9.

    The Chrome extension came with a little something extra: Yahoo!'s private key.

See the full article for details about the ramifications of Yahoo!'s big mistake.

Tuesday, May 22, 2012

Recent Articles at Sophos Naked Security Blog

Here are some articles that I've written recently for Sophos' award-winning blog, Naked Security, that I haven't mentioned yet on the JoshMeister on Security:

In other news, the review of Sophos Anti-Virus for Mac Home Edition that I wrote for the January 2011 issue of MacTech Magazine—nota bene: prior to when I started blogging for Sophos—is now available to read online.

Also, I just updated my classic and still quite popular article on How to Preview Shortened URLs. If you haven't read it before (or if it's been a while), be sure to check it out and see what's new.

Thursday, March 15, 2012

"2012 Apple iPhone 5 Giveaway" Facebook Scam

I just wrote an article for Sophos' Naked Security blog in which I provide details and screenshots of a new Facebook scam claiming to give away free iPhones—from the future.

In short, the scam involves receiving a Facebook event notice about an iPhone 5 giveaway, and ultimately it ends up being a survey scam. If you fall for the scam and click on the link on the event page, you'll be presented with a JavaScript alert similar to this one:

Following is a list of domains involved with the scam (note that the links lead to the Web of Trust report for each domain; the domain names themselves were not preserved in this copy):
  • [domain] (flagged as malicious by AVG and Opera)
  • [domain] (redirection page)
  • [domain] (redirection page)
  • [domain] ("red" rating on Web of Trust, and apparently blacklisted previously by a WOT-trusted source)
  • [domain] ("red" rating on Web of Trust)
  • [domain] (alleged "Reward Status" page, which prompts for an e-mail address and password)
