How malware developers could bypass Mac’s Gatekeeper without really trying

(credit: Patrick Wardle)

In September, Ars reported a drop-dead simple exploit that completely bypassed an OS X security feature known as Gatekeeper. Apple shipped a fix, but now the security researcher who discovered the original vulnerability said he found an equally obvious work-around.

Patrick Wardle said the security fix consisted of blacklisting a small number of known files he privately reported to Apple that could be repackaged to install malicious software on Macs, even when Gatekeeper is set to its most restrictive setting. Wardle was able to revive his attack with little effort by finding a new Apple trusted file that hadn't been blocked by the Apple update. In other words, it was precisely the same attack as before, except it used a new, previously unblocked Apple-trusted file. Notably, that file was offered by security company Kaspersky Lab. Late on Thursday, Apple released an update blocking that file, too.

"It literally took me five minutes to fully bypass it," Wardle, who is director of research of security firm Synack, told Ars, referring to the updated Gatekeeper. "So yes, it means that the immediate issue is mitigated and cannot be abused anymore. However the core issue is not fixed so if anybody finds another app that can be abused we are back to square one (full gatekeeper bypass)."

Read 4 remaining paragraphs | Comments

Support scams that plagued Windows users for years now target Mac customers

Enlarge (credit: Malwarebytes)

For years, scammers claiming that they're "calling from Windows" have dialed up Microsoft customers and done their best to trick them into parting with their money or installing malicious wares. Now, the swindlers are turning their sights on Mac users.

Researchers at antivirus provider Malwarebytes spotted a Web-based campaign that attempts to trick OS X and iOS users into thinking there's something wrong with their devices. The ruse starts with a pop-up window that's designed to look like an official OS notification. "Critical Security Warning!" it says. "Your Device (iPad, iPod, iPhone) is infected with a malicious adward [sic] attack." It goes on to provide a phone number people can call to receive tech support.

The site ara-apple.com is designed to masquerade as https://ara.apple.com/, Apple's official remote technical support page. People who are experiencing problems with their Macs can go there to get an official Apple tech support provider to remotely access the person's computer desktop. Ara-apple provides links to the remote programs the supposed technician will use to log in to targets' Macs.

Read 1 remaining paragraphs | Comments

Apple Retires Support Leaving 20% Of Macs Vulnerable

There’s been a lot of news and scrambling lately related to the Apple SSL vulnerability, and this week Apple announced it would no longer be supporting OS X 10.6 AKA Snow Leopard. It looks like Lion and Mountain Lion will be supported for a while, and an upgrade to Mavericks is free, so there’s no [...] The post Apple Retires Support...

Read the full post at darknet.org.uk

Apple purges OS X flaw that let Java apps run when plugin was disabled

Apple has updated OS X to patch more than a dozen security flaws, including one that allowed attackers to exploit Web-based Java flaws even when end users had disabled the widely abused browser plugin.

The CoreTypes vulnerability in OS X Lion and Mountain Lion posed a threat because it undermined widely repeated advice for Mac users to disable Java in browser plugins. The measure is designed to repel a surge of attacks that exploit vulnerabilities in the Oracle-controlled software. Criminal hackers use them to surreptitiously install malware when computers visit booby-trapped websites. According to a bulletin accompanying Thursday's OS X update, attackers could override the protective measure by manipulating the Java Network Launching Protocol, or JNLP, which allows applications to launch directly from a browser.

"Visiting a maliciously crafted website could allow a Java Web Start application to be launched automatically even if the Java plug-in is disabled," the bulletin explained. "Java Web Start applications would run even if the Java plug-in was disabled. This issue was addressed by removing JNLP files from the CoreTypes safe file type list, so the Web Start application will not be run unless the user opens it in the Downloads directory."

Read 1 remaining paragraphs | Comments