Google has issued yet another update to its Chrome browser this week, fixing seven vulnerabilities, six of which were rated “high” risk. The new Chrome version number is the mnemonically simple 12.0.742.112, and you can update your version of Chrome by launching the browser and allowing its auto-updater to do its thing.
Apple has released updates to Java for both Mac OS X 10.5 Leopard and Mac OS X 10.6 Snow Leopard. These updates apply to both the client and server versions of Mac OS X, and fix 19 vulnerabilities in the Mac OS X 10.5 version and 11 vulnerabilities in the Mac OS X 10.6 version.
Multiple vulnerabilities exist…, the most serious of which may allow an untrusted Java applet to execute arbitrary code outside the Java sandbox. Visiting a web page containing a maliciously crafted untrusted Java applet may lead to arbitrary code execution with the privileges of the current user.
The updates are 120 MB and 75 MB respectively. Full information about these updates is available here and here.
A number of serious data breaches have occurred recently, affecting many companies’ websites. Hackers steal e-mail addresses and passwords in the hope that people re-use the same passwords on other sites, such as PayPal or their bank’s website. The Privacy Rights Clearinghouse keeps a database of such breaches, which may range from a few dozen addresses being stolen from a small business to more than 300,000 swiped from Citibank, or more than a million taken from Sony servers. But these are obviously only those data breaches that have been reported. Many others go unnoticed.
In some cases, hackers commit the breach to show a weakness in a company’s security, and even publish the list of e-mail addresses (and sometimes passwords) that they have obtained.
Daniel Grzelak has created a website that provides a search of these published databases. Grzelak says:
LulzSec and other groups have been hacking an assortment of prominent organisations. For good or for bad, they have also been publishing their databases, which typically include emails and passwords. Given that most people re-use their passwords, this site allows the average person to check if their password(s) may have been compromised and need to be changed.
At ShouldIChangeMyPassword, you can enter your e-mail address(es) and see if they are part of the affected databases.
Given the number of high-profile databases that have been compromised, it’s a good idea to check your address and see if it’s in this database. If it is, you should change your password immediately. In either case, you should read this Mac Security Blog article, Passwords In the News – Are Yours Secure? for some tips on using a solid password. Make sure not to use the same password twice, at least not for any important sites.
Following Apple’s release of a Mac OS X 10.6.8 update, which contained a number of security fixes, the company has released a security update for Mac OS X 10.5 Leopard. The Leopard client update is 256 MB, and the Leopard Server update is 500 MB.
At the time of this writing, Apple has not yet published information about the security fixes in this update, but it is likely that some of them are the same as for the Mac OS X 10.6.8 update.
Apple has released Mac OS X 10.6.8, the latest update to Snow Leopard (and perhaps the last, as OS X 10.7 Lion is due out in July). This update, which is 474 MB, includes a number of security fixes, for such elements as AirPort, the AppStore, Core Graphics, FTP server, and several third-party elements such as MySQL and OpenSSL. Altogether, 40 bugs are fixed in this update. We’d like to highlight a kernel vulnerability, whereby “A null dereference issue existed in the handling of IPV6 socket options. A local user may be able to cause a system reset,” discovered by Intego engineer Thomas Clement.
Apple also updated Mac OS X Server, with a 542 MB updater, to version 10.6.8.
Full information about this security update is available here.
The FBI has arrested two individuals from Latvia involved in a cyber-crime scheme distributing fake antiviruses over the internet. The FBI also seized computers, servers and bank accounts from a cyber-crime ring thought to have defrauded people of more than $72 million.
These cyber-criminals were distributing fake antiviruses, or scareware, similar to the MacDefender, MacSecurity, MacProtector and MacShield fake antiviruses targeting Mac users. Through an operation with foreign law enforcement offices, warrants issued in the United States led to the arrest of two men and the seizure of computer equipment in the Netherlands, Latvia, Germany, France, Lithuania, Sweden and the United Kingdom.
The FBI’s Operation Trident Tribunal estimates that this group scammed some 960,000 users out of an estimated $72 million over three years.
According to the indictment, the defendants created a phony advertising agency and claimed that they represented a hotel chain that wanted to purchase online advertising space on the Minneapolis Star Tribune’s news website, startribune.com. The defendants provided an electronic version of the advertisement for the hotel chain to the Star Tribune, and technical staff at startribune.com tested the advertising and found it to operate normally.
According to court documents, after the advertisement began running on the website, the defendants changed the computer code in the ad so that the computers of visitors to the startribune.com were infected with a malicious software program that launched scareware on their systems. The scareware caused users’ computers to “freeze up” and then generate a series of pop-up warnings in an attempt to trick users into purchasing purported “antivirus” software, which was in fact fake. Users’ computers “unfroze” if the users paid the defendants for the fake antivirus software, but the malicious software remained hidden on their computers. Users who failed to purchase the fake antivirus software found that all information, data and files stored on the computer became inaccessible.
If convicted, the defendants face penalties of up to 20 years in prison and fines of up to $250,000 on the wire fraud and conspiracy charges, and up to 10 years in prison and fines of up to $250,000 on the computer fraud charge. The defendants also face restitution and forfeiture of their illegal profits.
Assistant Attorney General Lanny A. Breuer of the Criminal Division said, “These criminal enterprises infected the computers of innocent victims with malicious scareware, and then duped them into purchasing fake anti-virus software. Cyber crime is profitable, and can prey upon American consumers and companies from nearly any corner of the globe. We will continue to be aggressive and innovative in our approach to combating this international threat. At the same time, computer users must be vigilant in educating themselves about cyber security and taking the appropriate steps to prevent dangerous and costly intrusions.”
While Intego’s security researchers are convinced that this group was not behind the fake antiviruses targeting Macs, these arrests send a strong message that cyber-criminals are not immune to prosecution, no matter where they are.