It always seemed obvious to me that rich features for communicating with guest operating systems (almost all modern desktop virtualisation software has them) might be dangerous. Recently I finally decided to check how exactly they can be dangerous, using as an example the virtualisation software that I use on OS X (as do millions of other users). It's a nice product, and I think it currently gets much less attention from security researchers than it deserves.
In 2011, Apple told its developers that it would be deprecating OS X’s Common Data Security Architecture including OpenSSL, describing it as an outdated relic of the late 1990s. Nearly three years later, OpenSSL was hit by a severe flaw that affected a wide swath of vendors and their users, but not Apple.
The hackers who took advantage of the EA server created a phishing site that attempted to steal Apple IDs from consumers. This site appeared legitimate, asking for the user’s Apple ID and password – as well as verification of name, phone number, date of birth, mother’s maiden name, credit card number, expiration date, verification code, and other information that could be used to steal the user’s identity. If the victim made it through the entire process, he or she was simply redirected to the actual Apple ID site, most likely never realizing the information had been stolen by a third party.
In comparison, the proprietary Apple software recently had a major security flaw, known as the "goto fail" bug, which had been around for about as long as Heartbleed (according to Apple). But we know very little about it. We have no history, do not know who made the mistake or whether it was intentional, and we have no idea what the company has done to fix it. We don't really know if we're now safe from that security flaw. We simply have to trust Apple to be honest about all that, because it will never let us see its logs.
Microsoft blames Apple for compromise, customers blame Microsoft.
“During our investigation, we found a small number of computers, including some in our Mac business unit, that were infected by malicious software using techniques similar to those documented by other organizations,” the company said on its Security Response Center website Friday.
The patch fixed a very long list of vulnerabilities, 163 issues in all, in WebKit, the open source HTML rendering engine used by iTunes and many other applications, including Safari, Google's Chrome, and Yahoo Messenger. Using WebKit as the basic framework for its technologies means that Apple gets many of the benefits of open source, including a well-vetted codebase and fast reporting of vulnerabilities. In this case, for example, Google found nearly half of the 163 vulnerabilities, while Apple found 26.
It is important to check that the recovery partition exists before performing the upgrade from Lion to Mountain Lion. In testing the Gold Master (GM) release, I found that the installation will start and progress as expected until the system reboots into the installation boot. At that point, it will fail and you will be caught in a perpetual loop if your recovery partition is non-existent. Always make sure you have a recent backup before performing the upgrade or any of these steps.
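The pre-upgrade check described above, scripted as an added example (not code from the original post): a POSIX shell function that looks for an Apple_Boot partition named "Recovery HD" in `diskutil list` output, plus a helper that reports its device identifier. The two sample outputs are constructed to mirror the Lion-era `diskutil list` format so the check can be exercised offline; on a real Mac the wrapper at the bottom feeds live `diskutil list` output through the same functions.

```sh
#!/bin/sh
# Added example: verify that a Lion-style "Recovery HD" partition exists
# before starting the Mountain Lion installer. Not part of the original post.

# has_recovery_partition OUTPUT
# Returns 0 if OUTPUT (text captured from `diskutil list`) contains a
# partition of type Apple_Boot named "Recovery HD", 1 otherwise.
has_recovery_partition() {
    printf '%s\n' "$1" | grep -q 'Apple_Boot[[:space:]]*Recovery HD'
}

# recovery_partition_id OUTPUT
# Prints the device identifier (e.g. disk0s3) of the first Recovery HD
# partition found in OUTPUT; prints nothing if there is none.
recovery_partition_id() {
    printf '%s\n' "$1" | awk '/Apple_Boot[[:space:]]+Recovery HD/ { print $NF; exit }'
}

# Constructed sample: a boot disk that does carry a Recovery HD partition.
SAMPLE_WITH_RECOVERY='/dev/disk0
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *500.1 GB   disk0
   1:                        EFI                         209.7 MB   disk0s1
   2:                  Apple_HFS Macintosh HD            499.2 GB   disk0s2
   3:                 Apple_Boot Recovery HD             650.0 MB   disk0s3'

# Constructed sample: the same disk layout with no recovery partition,
# the configuration that the post reports sends the installer into a loop.
SAMPLE_WITHOUT_RECOVERY='/dev/disk0
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *500.1 GB   disk0
   1:                        EFI                         209.7 MB   disk0s1
   2:                  Apple_HFS Macintosh HD            499.9 GB   disk0s2'

# check_live_system
# On a Mac, runs the real `diskutil list` and reports the result; elsewhere
# (or if diskutil is absent) it says so and returns 2 so callers can tell
# "not checked" from "checked and missing".
check_live_system() {
    if ! command -v diskutil >/dev/null 2>&1; then
        echo "diskutil not available; skipping live check"
        return 2
    fi
    live="$(diskutil list)"
    if has_recovery_partition "$live"; then
        echo "Recovery HD present at $(recovery_partition_id "$live"); safe to proceed"
        return 0
    fi
    echo "WARNING: no Recovery HD partition found; do not start the upgrade"
    return 1
}

# Exercise the constructed samples, then the live system if we are on a Mac.
has_recovery_partition "$SAMPLE_WITH_RECOVERY" && echo "sample 1: Recovery HD at $(recovery_partition_id "$SAMPLE_WITH_RECOVERY")"
has_recovery_partition "$SAMPLE_WITHOUT_RECOVERY" || echo "sample 2: no Recovery HD"
check_live_system || true
```

Run it on the Mac you intend to upgrade; a non-zero exit from `check_live_system` means the recovery partition is missing and the upgrade should not be started until it has been recreated and a fresh backup taken.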
Adobe today shipped a new version of its ever-present Flash Player software with fixes for at least seven dangerous security holes and added support for the Gatekeeper technology that is coming in Mac OS X Mountain Lion.
The security update, available for Windows, Mac OS X and Linux, addresses vulnerabilities that "could cause a crash and potentially allow an attacker to take control of the affected system."
Apple on Wednesday released OS X 10.7.4, the latest update to the company's Lion operating system, which brings various improvements including a fix for a recently exposed FileVault bug.
The update, which is recommended for all OS X Lion users, patches a security bug found in certain configurations of the previous 10.7.3 version that allowed for inadvertent access to user passwords.