
Important security updates

Published March 15th, 2013 at 10:02 AM EDT , modified March 15th, 2013 at 10:02 AM EDT

Apple posted a couple of updates yesterday with some very important security content, and I advise updating as soon as you can. Both Mac OS X 10.8.3 and Security Update 2013-001, available for both Snow Leopard and Lion, contain a number of important security fixes. However, one in particular is likely to cause the hair to stand up on the back of the neck of anyone who has been following the saga of Java’s recent descent into vulnerability perdition.

Tucked discreetly away in Apple’s page giving information about the security content of these updates is the following concerning bit of information:

CoreTypes

Available for: OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5, OS X Mountain Lion v10.8 to v10.8.2

Impact: Visiting a maliciously crafted website could allow a Java Web Start application to be launched automatically even if the Java plug-in is disabled

Description: Java Web Start applications would run even if the Java plug-in was disabled. This issue was addressed by removing JNLP files from the CoreTypes safe file type list, so the Web Start application will not be run unless the user opens it in the Downloads directory.

CVE-ID

CVE-2013-0967

Note the section that I have highlighted… I’ll give you a moment to think about the implications of that.

Okay, you have the heebie-jeebies yet? If you, like me, don’t even have Java installed, probably not. But if you are one of those folks who has Java installed and thought you were safe to just disable it in the web browser… well, guess not!

Fortunately, I have seen absolutely no indications that this vulnerability was known to hackers or that malware has been seen “in the wild” taking advantage of it. However, the fact that the cat is out of the bag now means that hackers will probably start looking for ways to use this bug to install malware on systems that have not yet been updated. This makes installing the update far more important!

Keep in mind that installing updates can be a potential source of problems. Updates can sometimes have bugs that bite early adopters, so it’s probably okay to wait a day or so to make sure the update is sitting well with most folks. After all, Apple hasn’t exactly said how this vulnerability can be exploited, so it will take hackers a little time to find it. I wouldn’t give them more than a couple of days, though… there are a lot of smart hackers out there these days!

In addition, updates can cause problems if your system is not in good health, so be sure that you have adequate backups (a minimum of two fully separate backups) before updating, and that at least one of them is a full-system backup so you can quickly revert to a working system if something goes wrong. It would also be wise to repair the hard drive with Disk Utility prior to installing the update.
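The check a defender would want after reading the advisory above, as an added example that is not part of the blog post: a POSIX shell script that classifies a Mac’s exposure to CVE-2013-0967 from two inputs, the OS X product version and Safari’s “Open ‘safe’ files after downloading” setting. It assumes that Safari stores that checkbox under the key AutoOpenSafeDownloads in the com.apple.Safari preference domain (with 1/true meaning checked, and checked being the factory default), and that only the Mountain Lion fix changes the product version (to 10.8.3), while Security Update 2013-001 leaves Lion and Snow Leopard at 10.7.5 and 10.6.8, so those systems get a “verify” verdict rather than a guess. The function names and verdict strings are my own.

```shell
#!/bin/sh
# Added example, not code from the blog post. Classifies a Mac's exposure to
# CVE-2013-0967 (JNLP files auto-launched as Java Web Start apps) from the
# product version and Safari's "Open 'safe' files after downloading" setting.
#
# Assumptions (see lead-in):
#   - Safari keeps that checkbox in com.apple.Safari under AutoOpenSafeDownloads;
#     1/true = checked, and an absent key means Safari's default (checked).
#   - Only Mountain Lion's fix (10.8.3) is visible in the product version;
#     Security Update 2013-001 leaves Lion/Snow Leopard at 10.7.5 / 10.6.8.

# Interpret the raw value of: defaults read com.apple.Safari AutoOpenSafeDownloads
auto_open_state() {
  case "$1" in
    0|false|FALSE|no|NO) echo "disabled" ;;
    *)                   echo "enabled" ;;   # includes "" (key absent, default on)
  esac
}

# Map the output of `sw_vers -productVersion` to this advisory's patch status.
os_status() {
  case "$1" in
    10.8|10.8.0|10.8.1|10.8.2) echo "unpatched" ;;   # needs OS X 10.8.3
    10.8.*)                    echo "patched" ;;     # 10.8.3 or later
    10.7.*|10.6.8)             echo "receipts" ;;    # version cannot show SU 2013-001
    *)                         echo "unknown" ;;     # outside the advisory
  esac
}

# Combine both signals into one verdict:
#   patched    10.8.3+, JNLP is no longer on the CoreTypes safe list
#   mitigated  auto-open is off, so a downloaded JNLP file is saved, not launched
#   exposed    unpatched Mountain Lion with auto-open on
#   verify     Lion/Snow Leopard: confirm Security Update 2013-001 via its receipt
#   unknown    version not covered here
assess() {
  os=$(os_status "$1")
  if [ "$os" = "patched" ]; then
    echo "patched"; return
  fi
  if [ "$(auto_open_state "$2")" = "disabled" ]; then
    echo "mitigated"; return
  fi
  case "$os" in
    unpatched) echo "exposed" ;;
    receipts)  echo "verify" ;;
    *)         echo "unknown" ;;
  esac
}

# Query the live system where the macOS tools exist; elsewhere, show the
# verdict for a few constructed inputs so the logic can be read offline.
if command -v sw_vers >/dev/null 2>&1 && command -v defaults >/dev/null 2>&1; then
  ver=$(sw_vers -productVersion)
  pref=$(defaults read com.apple.Safari AutoOpenSafeDownloads 2>/dev/null || true)
  echo "OS X $ver, AutoOpenSafeDownloads='${pref:-absent}': $(assess "$ver" "$pref")"
else
  for sample in "10.8.2 1" "10.8.2 0" "10.8.3 1" "10.7.5 1" "10.6.8 0"; do
    set -- $sample   # constructed (version, preference) pairs
    echo "OS X $1, AutoOpenSafeDownloads='$2': $(assess "$1" "$2")"
  done
fi
```

The “mitigated” verdict matches the comment thread’s point that unchecking the Safari preference stops the auto-launch; it does not remove the flaw, which is why an unpatched Mountain Lion box with the checkbox on is reported as “exposed”.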


25 Comments

  • Someone says:

    So, if I have a computer that shipped with Mountain Lion (therefore, doesn’t have Java installed) then I don’t need to install this update?

  • Timothy says:

    I’m glad to see that Snow Leopard is receiving a security update but I’m also a bit confused…
    There were several security updates issued after the release of Mountain Lion that were not made available for Snow Leopard. So, it seems that Apple is only partially supporting SL from a security perspective. I guess that is better than nothing, but it is important to remember that, despite the recent Java updates for SL and this Security Update, SL does have unpatched vulnerabilities.

    • Someone says:

      I’m guessing that the reason Apple isn’t supporting SL much is that they want you to pay 20-30 bucks to upgrade to ML.

  • Timothy says:

    Wouldn’t the automatic launch of the Java Web Start apps be mitigated by disabling “Open safe files after downloading” in Safari prefs?
    Do other browsers (Chrome, Firefox) auto launch downloads??

    • Al Varnell says:

      Yes for Safari, which is the only thing this update affects as far as I can tell. There are similar capabilities for Firefox on an individual application basis, but Java applets don’t seem to be included. Don’t know about Chrome.

      • Someone says:

        I do know about Chrome, as it is my primary browser. On my computer running 10.8.2 (don’t know if this makes a difference), when I download something, it warns me that the file could potentially harm my computer, and then, after I confirm the download, it downloads. It does NOT open automatically, even if it’s a JPEG or something. I’ve looked through the settings multiple times, and there seems to be no way to change this.

  • Darren Kehrer says:

    After the update, in SL, Safari even got bumped to 5.1.8. The Java part of the security fix was only mentioned to apply to ML and Lion. Does that mean SL didn’t suffer from that?

  • Sean says:

    “Fortunately, I have seen absolutely no indications that this vulnerability was known to hackers or that malware has been seen “in the wild” taking advantage of it.”

    Dude,

    Apple hasn’t shared the Java exploit used by the watering hole attack at iphonedevsdk with the AV community. And sharing is something Apple normally does with other malware samples… it shared the backdoors used in those attacks. But not the Java exploit, why?

    Based on the timing of this update, and the fact there is no researcher credit given for the CVE — the attack via iphonedevsdk didn’t use an exploit — it didn’t need to. It used this JavaWS feature of OS X. #facepalm

    Timothy, yes, disabling the open “safe” files is an excellent mitigation to protect your Mac from allowing attacks to “just work”.

    • Thomas says:

      I certainly can’t deny that the recent Pintsized infections could have used this vulnerability, and that that is what brought it to Apple’s attention. That would make sense, and could tie this in with that watering hole attack.

      At the same time, though, that’s not necessary to explain what happened. Java has become such a flimsy mess that it would have taken no more than visiting the iPhoneDevSDK site with Java turned on in the browser. Many folks are still keeping Java turned on for “trusted sites,” not realizing that there’s really no such thing as a trusted site these days. There were certainly a lot of CVE’s included in Apple’s Java update following the attack:

      http://support.apple.com/kb/HT5666

      My mind is open. Perhaps I should not have so emphatically stated that there were no signs of this in the wild, but at the same time, there really isn’t any concrete indication that this was involved… unless you know something I don’t? 🙂

      • Sean says:

        Well… having access to the Mac malware AV-researcher mailing list, and seeing who from which company shared what and when (including the follow up discussions) — I feel very comfortable suggesting I have a particular view behind the scenes that you don’t. But I cannot say that I know (absolutely) something you don’t. There are far too many other unknowns currently as Facebook/Apple aren’t sharing anything much about the pintsized investigation.

        Just the number of unique connections made to the backdoors’ C&C (sinkholed) server would be nice for peace of mind. If tens of dozens, fine, keep the details closed. But if there are hundreds or more… then they really ought to be sharing a bit more about it.

        And promoting 10.8.3 as critical for businesses to apply ASAP.

        As far as “in the wild” goes… there isn’t anything currently in the wild as far as consumers running into mass-market crimeware. So I am in total agreement with you in that sense.

        But watering holes? That’s a completely different story. And so I think it is necessary to explain what happened.

        The really big problem is that while most folks can (easily) live without Java installed on their computer, lots of mobile application developers can’t. Ex: apps they code link to back end services written in Java. (The back end is where Java belongs). And so they need to have Java developer tools installed on their computer. No way around it. Another ex: if they write Android apps, those are basically written in Java. If you’re a developer, there is very little way around having Java installed. (And lots of other tools, too.)

        At this point, I don’t think that companies with developers using Macs (and Linux, and certainly Windows) can make any assumptions about what’s in the wild. They need to act as though it is a fact that there’s a zero-day out there targeting them. All the time.

        AND:

        It isn’t just Java. The 10.8.3 update patched several other (anonymously reported) CVEs that could just as easily be of use to a dedicated attacker: http://www.f-secure.com/weblog/archives/00002526.html

        TIFF files, Images, PDFs, and QuickTime files — really difficult to avoid.

        Developers working for big companies are high value targets, and so they should take nothing for granted. Regardless of their OS.

        • Thomas says:

          Yup, I can’t (and wouldn’t want to) argue with any of that, and I definitely appreciate your inside perspective. Your point regarding targeted attacks, like these “watering hole” attacks, is a very good one.

        • Al Varnell says:

          The SANS institute mentioned in their newsletter last week that there are four separate internal investigations going on with no information sharing. I also read early on that the FBI was involved in at least one of them, which may be partially responsible for keeping a lid on things.

  • Someone says:

    If your system is “in good health,” as I believe mine to be (I just got the computer in December) do you need to make backups/use Disk Utility?

    • Someone says:

      I know that backups are important; I’m talking about making backups specifically because of this update.

  • Carl says:

    Yesterday I mistakenly clicked on a link in an email for a website that wasn’t there, and the email had been sent from a family member who didn’t send it, i.e. they had been hacked (a Windows machine, I believe). Being very nervy about these kinds of things, I was going to follow your advice (given in your malware section, that Sophos was a reasonable AV to use if we decided it was required) and try it just to make sure everything was OK, but then I saw this discussion on the site relating to Sophos breaking this major update, which is clearly very important. Thoughts or experience with it?

    Thanks

    HEv8 breaks 3/14/13 Mac OS 10.6.8 security patch (workaround requires uninstalling SophosHE)
    03-18-2013 12:45 AM

    Have been running Sophos HomeEdition v8 for some time with daily updates working as expected (thanks Sophos for making a slick product available to us!).

    Got the latest 3/14/2013 Mac OS security update (http://support.apple.com/kb/HT5672), went to install and it failed.

    After trying again following a clean reboot with as many extensions/packages turned off/disabled as possible (including Sophos on-access scanning turned off, etc), it still failed noting the file may have been corrupted.

    The update failure left Finder repeatedly restarting itself — couldn’t open a window in it for more than 2-3 seconds. Luckily, I was able to run Terminal (have it on my Dock) and use it to uninstall auto-run 3rd party software. With removal of each one (BoxCryptor, Dropbox, etc.) I’d try the Mac OS update again, and it continued to fail even with just Sophos HE as the only third-party product left running.
    Uninstalled SophosHE, and re-ran the update again (yet another full download of the 333MB update file) and the MacOS update finally worked. Finder no longer restarted repeatedly and I was able to reinstall my other apps too.

    Just an FYI for others with “older” hardware (e.g. either not 10.7/10.8 capable, or 10.7/10.8 just too slow — my situation).

    Running 10.6.8 on a Core 2 Duo MacBook w/ 4GB DDR2 RAM.

    • Timothy says:

      FWIW I was able to install the 10.6.8 2013-001 Security Update on a system with Sophos Anti-Virus 8.0.11C (I did turn off the On-Access Scanner prior to doing the actual update, and then turned it back on after the install/restart).
      I too decided to install Sophos after seeing the excellent detection results in Thomas’s (excellent) anti-virus study.
      However, I don’t love the application – it seems to significantly slow down the copying of large files and it completely breaks Java apps (not a major issue for me but it is something to be aware of). I also find it strange that a full scan cannot be run unless logged-in as an admin. So, while it may have good detection capabilities I find it cumbersome to use.

    • Carl says:

      I should also have said that my setup is very similar to what is described here – 10.6.8 on a 2.66 GHz Intel Core 2 Duo with 4 GB DDR3 RAM on an iMac.

  • Timothy says:

    >> I was going to follow your advice (given in your malware section, that Sophos was a reasonable AV to use if we decided it was required) and try it just to make sure everything was Ok

    If you are hesitant to install Sophos because of possible system issues, but you still want to scan your system, maybe Intego VirusBarrier Express or Dr.Web Light (both free in the Mac App Store) would be reasonable alternatives. They both have very low impact on the system since they are standalone apps that don’t run any components in the background. You just need to run the app and scan your system. Both had very good detection results in Thomas’s study.

  • Darren Kehrer says:

    For one, Safari 5.1.8 was bundled with this update. But I just noticed that in System Preferences, Security, General... there has been a replacement: there used to be a toggle for the XProtect system; now it states:
    “Automatically install important security updates.”

    Note: posted this in wrong topic before, sorry.

  • Darren Kehrer says:

    I noticed two things regarding SL and security update 2013-001:
    1.) Safari got an update to version 5.1.8
    2.) In Security > General, the “Update safe downloads list” option has been modified to say “Automatically update important updates.”

    Strikes me as odd, since you would think Software Update settings would control this. So far, I cannot find anything on Apple’s website to lend any info.

  • Hilary Lambert says:

    Tried to install the security update, but for some reason it requires 27Gb of free disk space! Which I don’t currently have because my system folder is now huge. Any suggestions, anybody? Thanks
