A host of new security enhancements is coming to iOS and macOS


(credit: Nathan Mattise)

Apple on Monday previewed a variety of security and privacy features it plans to add to macOS and iOS operating systems, including encrypted Facetime group calls, password-management tools, and camera and microphone protections. The company also released a beta version of the upcoming iOS 12 that, according to Motherboard, all but kills off two iPhone unlocking tools used by police forces around the world.

The feature, known as USB Restricted Mode, requires that users unlock their iPhone with a password when connecting it to a USB device. Motherboard said the beta requires a password each time a phone that hasn’t been unlocked in the past hour tries to connect to a device using a Lightning connection. The password requirement largely neutralizes iPhone unlocking tools provided by companies called Cellebrite and GrayShift, which reportedly use USB connectivity to bypass iOS restrictions on the number of incorrect PIN guesses that can be entered into a locked iPhone. With those limitations removed, police can make an unlimited number of PIN guesses when attempting to unlock a confiscated iPhone.

Previous iOS betas had USB restrictions that required a password to be entered when the phone hadn’t been unlocked for seven days. Those USB Restricted Modes were later removed before Apple issued final versions of iOS. The restrictions this time around are much more stringent, because police would have no more than 60 minutes between the time they obtain an iPhone and connect it to an unlocking tool. Readers should remember that Apple has previously removed USB Restricted Mode before releasing final versions and may do so again with iOS 12.


Meltdown and Spectre: Here’s what Intel, Apple, Microsoft, others are doing about it


(credit: Jen)

The Meltdown and Spectre flaws—two related vulnerabilities that enable a wide range of information disclosure from every mainstream processor, with particularly severe flaws for Intel and some ARM chips—were originally revealed privately to chip companies, operating system developers, and cloud computing providers. That private disclosure was scheduled to become public some time next week, enabling these companies to develop (and, in the case of the cloud companies, deploy) suitable patches, workarounds, and mitigations.

With researchers figuring out one of the flaws ahead of that planned reveal, that schedule was abruptly brought forward, and the pair of vulnerabilities was publicly disclosed on Wednesday, prompting a rather disorderly set of responses from the companies involved.

There are three main groups of companies responding to the Meltdown and Spectre pair: processor companies, operating system companies, and cloud providers. Their reactions have been quite varied.


Apple says Face ID didn’t actually fail during its iPhone X event


(credit: Apple)

The first public demo of Apple’s Face ID phone unlocking system didn’t go exactly as planned.

During the company’s big iPhone X reveal this week, Apple software engineering chief Craig Federighi suffered a semi-cringeworthy moment when he was unable to unlock the new handset onstage using the new authentication tech. The device prompted Federighi to use a passcode instead, leading him to switch to a backup unit, which worked properly.

The mishap led some to immediately doubt the effectiveness of the Face ID setup—which completely replaces the usual Touch ID fingerprint scanner on the iPhone X—and, according to some reports, even led to a brief dip in Apple’s share price.


Macro Malware Targets Macs


Macro malware has been spreading for years. New techniques arise all the time to hide malicious code and thus increase the difficulty of analysis. However, just targeting Microsoft Windows no longer seems to be enough for the malware authors. The Mac appears to be the new challenge, and attackers appear to be rising to this challenge.

In previous versions of macro threats, the malicious code was hidden in user forms and macros in Microsoft Office files. (See Macro Malware Associated With Dridex Finds New Ways to Hide.) The latest member of this family seems to have learned a new trick or two, as we will now see.

  • The malicious code is now hidden in the properties of Excel worksheet files. (Figures in the original post: a malicious Excel file ready to be executed; the message shown when the file is opened; the PowerShell script code readable in the file’s properties; the full content in Properties; the location of the hidden content; an extract of the PowerShell content.)

  • The malicious code runs PowerShell, which downloads malware after the victim enables macros.

  • The macro searches for the hidden code in Properties and runs it using PowerShell, but this works only on Windows systems. How does the malicious code execute on the Mac? The malware developers use MacScript:

The macro code verifies whether WScript.Shell is present; if that check fails with an error, the code executes the macshell module instead.

This script runs the code on the Mac. The script runs with the same permissions as Microsoft Office.
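As an added defensive example (not code from the McAfee post), the following Python scans the docProps parts of a workbook for script-like strings in its document properties, the hiding place the post describes. It assumes the OOXML zip container rather than the legacy binary .xls format, and builds a constructed sample package in memory.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Strings pointing at the technique in the post: script code stashed in document
# metadata for a macro to retrieve and run, on Windows (PowerShell) or a Mac (MacScript).
SUSPICIOUS = re.compile(
    r"powershell|-EncodedCommand|Invoke-Expression|DownloadString|"
    r"WScript\.Shell|MacScript|/bin/sh|curl\s",
    re.IGNORECASE,
)

def make_workbook(custom_value: str) -> bytes:
    """Build a constructed, minimal OOXML-style zip: benign core.xml plus one custom property."""
    core_xml = (
        '<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties" '
        'xmlns:dc="http://purl.org/dc/elements/1.1/"><dc:title>Q3 report</dc:title></cp:coreProperties>'
    )
    custom_xml = (
        '<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/custom-properties" '
        'xmlns:vt="http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes">'
        f'<property pid="2" name="Notes"><vt:lpwstr>{escape(custom_value)}</vt:lpwstr></property></Properties>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docProps/core.xml", core_xml)
        zf.writestr("docProps/custom.xml", custom_xml)
    return buf.getvalue()

def scan_doc_properties(office_bytes: bytes) -> list[tuple[str, str]]:
    """Return (part:property, value) pairs from docProps/*.xml whose text matches SUSPICIOUS."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(office_bytes)) as zf:
        for part in zf.namelist():
            if not (part.startswith("docProps/") and part.endswith(".xml")):
                continue
            root = ET.fromstring(zf.read(part))
            parent = {child: p for p in root.iter() for child in p}
            for el in root.iter():
                text = (el.text or "").strip()
                if not text or not SUSPICIOUS.search(text):
                    continue
                # custom.xml keeps the value in a typed child of <property name=...>; core.xml uses the tag.
                p = parent.get(el)
                owner = p if p is not None and p.get("name") else el
                pname = owner.get("name") or owner.tag.rsplit("}", 1)[-1]
                hits.append((f"{part}:{pname}", text))
    return hits
```

A hit only flags a property worth a closer look; pair it with a check for a VBA project part (xl/vbaProject.bin) before treating the file as a macro downloader.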

As we ran this analysis, the control server contacted by this malware sample was not running, so we were unable to obtain the payload.

The MD5 hash for the samples we found:

  • 952A36F4231C8628ACEA028B4145DAEC

Full descriptions of the W97M and X97M malware families are available in our Threat Advisories.

During our analysis, the malware attempted to contact the following server (with the URL modified for safety):

  • hxxp://ndur0.net

Intel Security advises users to keep their antimalware signatures up to date at all times. Intel Security products detect this malicious Office Trojan as X97M/Downloader.bf.

The post Macro Malware Targets Macs appeared first on McAfee Blogs.