Apple Releases Security Updates for OS X and iTunes

Original release date: May 16, 2014 | Last revised: May 19, 2014

Apple has released updates to OS X and iTunes to address multiple vulnerabilities, some of which could allow an attacker to execute arbitrary code, obtain website credentials, or take control of the affected system. 

Updates are available:

  • OS X Mavericks 10.9.3 for OS X Mavericks 10.9 to 10.9.2
  • iTunes 11.2 for Windows 8, 7, Vista, and XP SP3 or later
  • iTunes 11.2.1 for Mac OS X v10.6.8 or later

Users and administrators are encouraged to review Apple Security Updates HT6246, HT6245, and HT6251, and apply the necessary updates.


This product is provided subject to this Notification and this Privacy & Use policy.


Spammers Quick to Take Advantage of Second Posthumous Michael Jackson Album

May 13, 2014 witnessed the release of another posthumous compilation album of Michael Jackson recordings, named Xscape. This reworked collection of Jackson tracks had been highly anticipated by music lovers ever since its announcement in March 2014. News of the album release has once again made Michael Jackson a hot topic and, unsurprisingly, spammers have been quick to exploit this.

This spam campaign uses a very simple email crafted to look like personal mail. It uses Michael Jackson’s name and some of his song titles to create intriguing subject lines. The body of the email contains a link along with a generic comment. A name is used to sign the email message, as seen in Figure 1, in an effort to give the impression that an acquaintance has sent you an email with a link to the new Jackson album. The URL in the body of the email redirects to a fake pharmacy domain which promises cheap medicines without prescription.

The following are subject lines seen in this spam campaign:

  • Subject: $ Planet Earth (Michael Jackson poem) $
  • Subject: * List of songs recorded by Michael Jackson *
  • Subject: * List of unreleased Michael Jackson songs *
  • Subject: [ Hold My Hand (Michael Jackson and Akon song) ]

 

Figure 1. Example of Michael Jackson spam email

We expect more spam exploiting this news in the coming days and believe there is a very strong possibility that such emails will be phishing attempts or contain malware.

Users are advised to adhere to the following best practices:

  • Do not open emails from unknown senders
  • Do not click on links in suspicious emails
  • Never enter personal information on suspicious websites, as they may have been created for phishing purposes
  • Keep your security software up-to-date to stay protected from phishing attacks and malware
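
For mail administrators, the campaign traits described above (a subject wrapped in matching symbols, a topical name in the subject, and a body that is little more than one link and a signature) can be combined into a simple scoring heuristic. This is an added example, not code from the original post; the weights, the word limit, the threshold and the sample messages are constructed assumptions.

```python
import re
from email import message_from_string

# Subject wrapped in a matching decoration: "$ ... $", "* ... *" or "[ ... ]".
WRAPPED = re.compile(r"^\s*(?:\$\s.+\s\$|\*\s.+\s\*|\[\s.+\s\])\s*$")
LURE = re.compile(r"michael\s+jackson", re.I)   # topical hook named in the post
URL = re.compile(r"https?://[^\s<>\"']+", re.I)
MAX_WORDS = 15   # assumed ceiling for "a link along with a generic comment"
THRESHOLD = 4    # assumed cut-off; tune against your own mail flow

def plain_body(msg):
    """Return the first text/plain part of a parsed message as a string."""
    part = msg
    if msg.is_multipart():
        part = next((p for p in msg.walk()
                     if p.get_content_type() == "text/plain"), None)
    if part is None:
        return ""
    data = part.get_payload(decode=True) or b""
    return data.decode(part.get_content_charset() or "utf-8", "replace")

def score_message(raw):
    """Score one raw message; returns (score, [names of signals that fired])."""
    msg = message_from_string(raw)
    subject = msg.get("Subject", "")
    body = plain_body(msg)
    urls = URL.findall(body)
    words = URL.sub(" ", body).split()   # words left once links are removed
    fired = []
    if WRAPPED.match(subject):
        fired.append(("decorated-subject", 2))
    if LURE.search(subject):
        fired.append(("topical-lure", 1))
    if len(urls) == 1 and len(words) <= MAX_WORDS:
        fired.append(("lone-link-short-body", 2))
    return sum(w for _, w in fired), [name for name, _ in fired]

def is_suspect(raw):
    return score_message(raw)[0] >= THRESHOLD

# Constructed sample messages (not taken from the campaign).
SAMPLES = {
    "campaign": "From: a@example.net\nSubject: * List of unreleased Michael Jackson songs *\n\n"
                "Have you seen this yet?\nhttp://link.example/a1\nKate\n",
    "newsletter": "From: news@example.org\nSubject: Xscape review: the new Michael Jackson album\n\n"
                  "The album collects eight reworked recordings and arrived on May 13. Full track "
                  "notes are at http://news.example/xscape and the archive is at http://news.example/archive\n",
    "personal": "From: sam@example.com\nSubject: lunch photos\n\n"
                "Here are the pictures from Friday.\nhttp://photos.example/f\nSam\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, score_message(raw), is_suspect(raw))
```

No single signal reaches the threshold on its own, so a genuine newsletter about the album or a short personal note with one link is not flagged.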

Mean Doge Vault attack snags user passwords, private account keys

Stop transferring funds into Doge Vault addresses, online service warns.

Last weekend's hack of cryptocurrency repository Doge Vault was worse than previously thought because it gave attackers full access to the underlying system, including the databases that stored private keys for all user wallet addresses and cryptographically protected user passwords.

The exposure means that users should presume all Doge Vault addresses are compromised and immediately cease using any of them to transfer funds, Doge Vault officials advised in a brief announcement posted Thursday. Although the announcement said that passwords were protected by a "strong one-way hashing algorithm," users should presume the large majority of them will be converted into plaintext in a matter of hours, days, or weeks, depending on the specifics of the Doge Vault hashing regimen. As a result, people should stop using the passwords on all sites. Doge Vault users should also be on the lookout for highly targeted phishing attacks, since the hack exposed user account data that may be considered sensitive.

"It is believed the attacker gained access to the node on which Doge Vault’s virtual machines were stored, providing them with full access to our systems," Thursday's announcement stated. "It is likely our database was also exposed containing user account information; passwords were stored using a strong one-way hashing algorithm. All private keys for addresses are presumed compromised, please do not transfer any funds to Doge Vault addresses."
