Category Archives: Security

how to: check for Sparkle vulnerability

[updated Mon 15th:]

Here’s what we know about the widely-reported vulnerability found in Sparkle so far:

1. It requires a version of Sparkle earlier than 1.13
AND
2.1 It requires the SUFeedURL address to be an unencrypted http address AND/OR
2.2 the release notes address to be an unencrypted http address.

Condition 1 and at least one of conditions 2.1 and 2.2 must hold for the exploit to be possible. You can check whether condition 2.1 holds for many of the apps on your system with the following procedure:

1. Control-click on the app in the Finder
2. Choose ‘Show Package Contents’
3. Navigate to /Contents/Info.plist
4. Hit the space bar to open in quick look, scroll down for the SUFeedURL field (it won’t have one if it doesn’t use Sparkle). The field will show you whether the address is https or not.

To make life easier, you can run this script in Script Editor (/Applications/Utilities/Script Editor.app) to do the job for you.


#script version 1.64
#regression to 1.52 and then
#added: now includes apps that do not have SUFeedURL key in plist and reports their Sparkle version number
#added: borrowed Bill Cheeseman's idea of using choose list and offering to launch the app
#added: borrowed reverse_offset handler from Nigel Garvey's post on MacScripter
#changed: test if Sparkle is < 1.13.1 first
#shows the Sparkle version number for each entry in the list
#added logic for opening prefPanes if chosen from the list
#changed the mdfind command to improve speed
#searches for keys of the form "SUFeedURL*" rather than just "SUFeedURL"

on extractSUFeedURL(aRecord)
	-- asking for "item 1" of a record raises an error whose message contains the whole
	-- record as text; parseErrorMsg then picks the SUFeedURL key out of that text
	set aRec to "httpx"
	try
		set aRec to item 1 of aRecord
	on error errorMessage
		set aRec to errorMessage
		set aRec to my parseErrorMsg(aRec)
	end try
	return aRec
end extractSUFeedURL

on parseErrorMsg(aErr)
	set what to "SUFeedURL" --define the full or partial record name you're trying to find
	if aErr contains what then
		set theStart to offset of what in aErr
		set thisString to text theStart thru -1 of aErr
		set theEnd to offset of "," in thisString
		-- the last key in a record has no trailing comma: take the rest of the text
		if theEnd = 0 then set theEnd to length of thisString
		set subString to text 1 thru theEnd of thisString
		--log subString --see the record name and its value in Script Editor's Messages pane
		return subString
	end if
	return "httpx" -- key not present; the caller reports this as "unknown"
end parseErrorMsg

on reverse_offset(d, t)
	-- position of the last occurrence of delimiter d in text t
	set astid to AppleScript's text item delimiters
	set AppleScript's text item delimiters to d
	set ro to (count t) - (count text item -1 of t)
	set AppleScript's text item delimiters to astid
	return ro
end reverse_offset

set foundCounter to 0
set infoFilePath to "/Contents/Info.plist"

-- Spotlight search for every .app and .prefPane bundle (faster than walking the disk)
set theApps to do shell script "mdfind \"kMDItemFSName == '*.prefPane'cd || kMDItemFSName == '*.app'cd\""
set theApps to paragraphs of theApps
set sparkleAppsList to {}

tell application "System Events"
	repeat with anApp in theApps
		set anApp to anApp as text
		set aFrameWork to anApp & "/Contents/Frameworks/Sparkle.framework"
		if exists disk item aFrameWork then
			--get Sparkle version first; "unknown" if its plist can't be read
			set sparkleVersion to "unknown"
			try
				set aSparklePlist to aFrameWork & "/Versions/A/Resources/Info.plist"
				set thePlist to contents of property list file aSparklePlist
				set theValue to value of thePlist
				try
					set sparkleVersion to CFBundleShortVersionString of theValue as text
				on error
					set sparkleVersion to CFBundleVersion of theValue as text
				end try
			end try
			-- compare version num; an unreadable version is reported rather than silently skipped
			if sparkleVersion is "unknown" then
				set vulnerable to true
			else
				considering numeric strings
					set vulnerable to sparkleVersion < "1.13.1"
				end considering
			end if
			if vulnerable then
				--get SUFeedURL if it exists
				set thisSUFeedURL to "httpx"
				try
					set thePlist to contents of property list file (anApp & infoFilePath)
					set theValue to value of thePlist
					set thisSUFeedURL to my extractSUFeedURL(theValue)
					if length of thisSUFeedURL = 0 then set thisSUFeedURL to "httpx"
				on error
					set thisSUFeedURL to "httpx"
				end try
				-- "https:" does not contain "http:", so only plain-http feeds match the first test
				if thisSUFeedURL contains "http:" then
					set end of sparkleAppsList to anApp & " : uses insecure update URL (not https) " & "with Sparkle v" & sparkleVersion
					set foundCounter to foundCounter + 1
				else if thisSUFeedURL contains "httpx" then
					set end of sparkleAppsList to anApp & " : update URL unknown (http/https??); uses Sparkle v" & sparkleVersion & linefeed & linefeed
					set foundCounter to foundCounter + 1
				end if
			end if
		end if
	end repeat
end tell

set thePrompt to "Found " & foundCounter & " items that may be using a vulnerable form of the Sparkle framework: " & linefeed & linefeed

if foundCounter = 0 then
	display dialog "No items using a vulnerable form of the Sparkle framework were found." with title "Sparkle Vulnerability Check" buttons {"OK"} default button "OK"
	return
end if

set theChoice to choose from list sparkleAppsList with title "Sparkle Vulnerability Check" with prompt thePrompt OK button name "Launch"

if theChoice is not false then
	set appPath to item 1 of theChoice
	-- strip the " : ..." description to leave the path, then strip the path to leave the bundle name
	set appPath to text 1 thru ((offset of " :" in appPath) - 1) of appPath
	set ro to reverse_offset("/", appPath)
	set appPath to text (ro + 1) thru -1 of appPath
	if appPath contains "prefPane" then
		set paneOffset to offset of "." in appPath
		set paneName to text 1 thru (paneOffset - 1) of appPath
		log paneName
		tell application "System Preferences"
			activate
			try
				reveal (first pane whose name is paneName)
			end try
		end tell
	else
		tell me to launch application appPath
	end if
end if

#EOF

However, be aware that this script will not find certain plug-ins (e.g., Mail plug-ins that use Sparkle).
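As an added example that is not the author's script, here is the same two-condition check written in Python 3 (standard library only): it reads Sparkle's own Info.plist for its version, reads the app's Info.plist for every key beginning with SUFeedURL, and classifies the bundle the way the AppleScript above does. Because it takes bundle paths on the command line, it can be pointed at plug-in bundles that the mdfind search misses. The demo bundles it writes into a temporary folder are constructed fixtures; condition 2.2 (the release-notes link) lives in the appcast itself rather than in Info.plist, so it is not checked here.

```python
import os
import plistlib
import sys
import tempfile

SAFE_VERSION = (1, 13, 1)  # first Sparkle release the post treats as patched


def parse_version(text):
    """'1.13.1' -> (1, 13, 1). Non-numeric pieces count as 0 so odd strings still compare."""
    parts = []
    for piece in str(text).split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def load_plist(path):
    with open(path, "rb") as fh:
        return plistlib.load(fh)  # handles XML and binary plists alike


def sparkle_version(bundle):
    """Version string of the bundled Sparkle.framework, or None if the app has no Sparkle."""
    framework = os.path.join(bundle, "Contents", "Frameworks", "Sparkle.framework")
    for rel in ("Versions/A/Resources/Info.plist", "Resources/Info.plist"):
        plist = os.path.join(framework, rel)
        if os.path.isfile(plist):
            info = load_plist(plist)
            return str(info.get("CFBundleShortVersionString") or info.get("CFBundleVersion") or "unknown")
    return None


def feed_urls(bundle):
    """Every Info.plist key that starts with SUFeedURL (the AppleScript matches SUFeedURL* too)."""
    info = load_plist(os.path.join(bundle, "Contents", "Info.plist"))
    return {key: str(value) for key, value in info.items() if key.startswith("SUFeedURL")}


def assess(bundle):
    """Apply condition 1 (old Sparkle) and condition 2.1 (http feed) to one bundle."""
    version = sparkle_version(bundle)
    if version is None:
        return {"bundle": bundle, "sparkle": None, "feeds": {}, "verdict": "no Sparkle"}
    feeds = feed_urls(bundle)
    if parse_version(version) >= SAFE_VERSION:
        verdict = "ok: Sparkle is patched"
    elif not feeds:
        verdict = "unknown: old Sparkle, no SUFeedURL key"
    elif any(url.lower().startswith("http://") for url in feeds.values()):
        verdict = "VULNERABLE: old Sparkle with http feed"
    else:
        verdict = "check: old Sparkle, https feed (verify the release-notes URL in the appcast)"
    return {"bundle": bundle, "sparkle": version, "feeds": feeds, "verdict": verdict}


def make_demo_bundle(root, name, sparkle, feed=None):
    """Constructed fixture: the two plists a real Sparkle app carries, nothing else."""
    app = os.path.join(root, name)
    resources = os.path.join(app, "Contents", "Frameworks", "Sparkle.framework",
                             "Versions", "A", "Resources")
    os.makedirs(resources)
    with open(os.path.join(resources, "Info.plist"), "wb") as fh:
        plistlib.dump({"CFBundleShortVersionString": sparkle}, fh)
    info = {"CFBundleIdentifier": "com.example." + name.split(".")[0].lower()}
    if feed:
        info["SUFeedURL"] = feed
    with open(os.path.join(app, "Contents", "Info.plist"), "wb") as fh:
        plistlib.dump(info, fh)
    return app


def demo():
    """Build three constructed bundles in a temp folder and return their verdicts by name."""
    with tempfile.TemporaryDirectory() as root:
        bundles = [
            make_demo_bundle(root, "OldHttp.app", "1.11.1", "http://example.invalid/appcast.xml"),
            make_demo_bundle(root, "OldHttps.app", "1.12.0", "https://example.invalid/appcast.xml"),
            make_demo_bundle(root, "Patched.app", "1.13.1", "http://example.invalid/appcast.xml"),
        ]
        return {os.path.basename(b): assess(b)["verdict"] for b in bundles}


if __name__ == "__main__":
    # usage: python sparkle_check.py /Applications/Foo.app ~/Library/Mail/Bundles/Bar.mailbundle
    targets = sys.argv[1:]
    if targets:
        for path in targets:
            print(assess(path)["verdict"], "-", path)
    else:
        for name, verdict in demo().items():
            print(name, "->", verdict)
```

Run with no arguments to see the three constructed cases; run with bundle paths to check real apps or plug-ins. The version comparison is done on integer tuples rather than on strings, so "1.9" correctly sorts below "1.13".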

If the app runs on 10.6, it’s not possible for Sparkle to be updated to the latest secure version, 1.13.1, so you need to check with the developers that they’re using https addresses for both the appcast feed and the release notes html.

Rest assured that Sqwarq apps that use Sparkle (App Fixer, DetectX, FastTasks 2, and OSXClock) all use encrypted https update feeds and release notes addresses, so as far as we’re aware at the moment, none of our apps are vulnerable to the exploit regardless of what version of Sparkle they’re using.

As said above, we’ll update this post if things change as the story unfolds.

Credits: Thanks to Yvan for significantly improving my earlier drafts of the AppleScript and writing the code for retrieving the Sparkle bundle number. Thanks to Chris Stone for tweaking and eking a bit more speed out of the mdfind command. Thanks to Al for pointing out that in earlier versions of the script the Display Dialog message could get truncated.

how to recover Safari from a browser hijack

The quickest way to get out of a persistent popup that won’t go away (unless you do what it demands!) is to quit or force quit* the browser then restart Safari holding down the ‘Shift’ key.

Holding down Shift allows Safari (or any other app) to restart without resuming its last state.

While this is a great, fast way to solve the problem, it can be annoying if you had other tabs open and you don’t want to lose those too (or any unsaved data they may contain).

Here’s how you get rid of these kinds of Javascript hijacks without losing your other tabs.

1. Go to Terminal and paste this command (it’s all one line):

defaults write com.apple.safari "com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled" 0; killall Safari

This turns off Javascript and quits Safari.

2. Reopen Safari
You’ll get all your tabs back including the hijacked tab, but the pop up won’t appear, and you can now close the hijacked tab.

3. Go to Safari Preferences and reenable JavaScript in the Security prefs
(alternatively you can do that in Terminal).
Don’t forget this step, or you’ll think the web is broken!

More sophisticated or persistent adware and malware attacks can be mitigated by using apps like my free App Fixer or DetectX.

*You can force quit an app by pressing the following keys in combination on your keyboard <command><option><esc> then choosing the app you want to quit.

how to see active internet connections

I was playing around with some ways of detecting active network connections to add as a function in one of my apps — didn’t really work out, so far — but as I was prototyping the code in AppleScript I came up with this little ditty which some of you might be able to make use of:

1. Open the Script Editor

2. Paste the code below into it and hit ‘Run’

#start of script

on getConnections()
	-- lsof: +c 0 prints full command names, -i lists network files, -n skips DNS lookups;
	-- keep ESTABLISHED connections only, take the command column and drop duplicates
	set theCmd to "lsof +c 0 -i -n | grep -i established | cut -d \" \" -f 1 | awk '!_[$0]++'"
	set theMsg to (do shell script theCmd)
	display dialog "The following apps & processes are actively using your internet connection: " & return & return & theMsg with title "Net Tattler" buttons {"Refresh", "OK"} default button "OK"
	return button returned of the result as string
end getConnections

-- show the dialog again for as long as the user keeps pressing Refresh
repeat
	if getConnections() is not "Refresh" then exit repeat
end repeat

#eof
If you need more information than just the names of the processes, you can play around in Terminal with lsof -i. Here’s a great little tutorial.
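Added example, not the author's code: a small Python 3 parser for the table that lsof +c 0 -i -n -P prints, keeping only ESTABLISHED TCP connections and reporting the command, PID, user and remote endpoint rather than the command name alone. It reads each line from the right-hand end (the NAME column is always second-to-last when a state is shown), so a command name that contains spaces, which the cut -d " " -f 1 in the script above would truncate, survives intact. The sample output embedded in the block is constructed, not captured from a real machine.

```python
import subprocess
from collections import defaultdict

# Constructed sample of `lsof +c 0 -i -n -P` output; addresses are documentation ranges.
SAMPLE_LSOF = """\
COMMAND               PID   USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
launchd                 1   root   10u  IPv6 0x1a2b3c4d5e6f0001      0t0  TCP *:22 (LISTEN)
mDNSResponder          88 _mdnsresponder 9u IPv4 0x1a2b3c4d5e6f0002      0t0  UDP *:5353
Safari                512  alice   45u  IPv4 0x1a2b3c4d5e6f0003      0t0  TCP 192.168.1.10:51324->203.0.113.5:443 (ESTABLISHED)
Safari                512  alice   46u  IPv4 0x1a2b3c4d5e6f0004      0t0  TCP 192.168.1.10:51340->203.0.113.5:443 (ESTABLISHED)
Dropbox               640  alice   22u  IPv4 0x1a2b3c4d5e6f0005      0t0  TCP 192.168.1.10:51330->198.51.100.7:443 (ESTABLISHED)
Google\\x20Chrome     700  alice   31u  IPv4 0x1a2b3c4d5e6f0006      0t0  TCP 192.168.1.10:51400->203.0.113.9:80 (ESTABLISHED)
"""


def parse_established(lsof_text):
    """One record per ESTABLISHED connection: command, pid, user, local, remote.

    Fields are taken from the right-hand end of the line, so the command column may
    contain spaces; some lsof builds print a space in a command name as '\\x20',
    which is undone here.
    """
    records = []
    for line in lsof_text.splitlines():
        tokens = line.split()
        if len(tokens) < 10 or tokens[-1] != "(ESTABLISHED)":
            continue  # header, listeners, UDP sockets, half-open connections
        name = tokens[-2]  # e.g. 192.168.1.10:51324->203.0.113.5:443
        local, _, remote = name.partition("->")
        records.append({
            "command": " ".join(tokens[:-9]).replace("\\x20", " "),
            "pid": int(tokens[-9]),
            "user": tokens[-8],
            "local": local,
            "remote": remote,
        })
    return records


def remotes_by_command(records):
    """Map each command to the sorted list of remote endpoints it is talking to."""
    table = defaultdict(set)
    for rec in records:
        table[rec["command"]].add(rec["remote"])
    return {cmd: sorted(ends) for cmd, ends in sorted(table.items())}


def live_connections():
    """Run lsof on this machine and parse it; -P keeps port numbers numeric."""
    out = subprocess.run(["lsof", "+c", "0", "-i", "-n", "-P"], capture_output=True, text=True)
    return parse_established(out.stdout)


if __name__ == "__main__":
    for cmd, ends in remotes_by_command(parse_established(SAMPLE_LSOF)).items():
        print("%-16s %s" % (cmd, ", ".join(ends)))
```

Swap parse_established(SAMPLE_LSOF) for live_connections() to see your own machine; the per-command endpoint list is the quickest way to spot a process talking to somewhere it has no business being.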

For something a bit more heavy-duty, check out either Little Snitch or Charles Web Debugging Proxy, both of which are paid apps but offer free trials. If even those aren’t enough to satisfy your network monitoring desires, head on over to MurusFirewall.com and check out their packet filter GUI offerings for the Mac.

Enjoy 🙂
Acknowledgements

Thanks to the folks over at Etresoft for additional suggestions.

how Keyloggers get around OS X security

With the release of Elite Keylogger Version 1.7.327, we’ve noticed some unexpected changes to how the developers are installing and hiding their work.

Let’s take a quick look at what happens when you install the free demo of this keylogger. First, you’ll notice that the app isn’t codesigned and requires you to override any GateKeeper settings.

Secondly, it’ll ask you for your admin password to escalate its privileges so it can write to wherever it wants in the system. So far nothing new. But here’s where the new release gets interesting.

What it does next is automagically insert itself into System Preferences/Security & Privacy/Privacy/Accessibility without throwing the required authorisation dialogue:

Forcing apps to be in this list if they want to leverage System Events to control a computer was a change brought in with OS X Lion 10.7, and it isn’t supposed to be circumventable.

The idea was that to get in this list, apps were forced to throw an authorisation dialog to get the user’s permission, even if the user had already given the app admin privileges elsewhere.

Unofficially, we’ve heard that Apple had once promised to crack down on developers who tried to circumvent this security feature and to close any gaps that were exposed. As it is, we’ve not only been aware of a way around this security feature since late 2013, but it seems it’s not just the less reputable that are at it. Dropbox has been inserting itself into the Accessibility list since at least 10.10.5, without asking for permissions (in our screenshot, we never authorised either of these apps to be in this list, nor did we ever unlock the padlock to let them in).

The way that Elite Keylogger does this is through an SQL database insertion; you can see the code they use here:

sql insertion

Another interesting development is that Elite’s developers, widestep, are now leveraging a hidden binary called FScript64 that is placed, with the hidden file flag set via chflags, here:

/Library/ScriptingAdditions/FScript64.osax

We first saw this binary used in Refog’s Hoverwatch keylogger, but this is the first time we’ve seen the same code shared with other keyloggers. We can only speculate as to why developers from apparently-competing products are sharing code.

A couple of other things to note with Elite: If you drag the app to the Trash, the secret FScript64.osax will be left behind. If you use the uninstaller, the hidden binary will be removed, but another hidden data file will be placed here:

~/.ek

Our troubleshooting app DetectX already knows about both of these files, so if you want to check whether you’ve got rid of both of these or have other keylogger files present, download a free copy from sqwarq.com.

DetectX registers the addition of Elite Keylogger

Finally, note that even if you use Elite Keylogger’s uninstaller, the app will remain in the list of Accessibility apps and it will remain in your list of login items. You’ll need to manually remove them both, and the hidden .ek file AND the osax if you didn’t use the uninstaller or didn’t use DetectX to help you remove the crud.
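Added example, not code from DetectX or from this post: a Python 3 checker for the two leftovers described above (the hidden FScript64.osax and ~/.ek) and for the Accessibility list the keylogger inserted itself into. The hidden-flag test reads the BSD file flag that chflags sets (st_flags, which only exists on macOS and other BSD-derived systems; elsewhere it reports not hidden). The Accessibility query reads the TCC database; the path /Library/Application Support/com.apple.TCC/TCC.db and the access(service, client, allowed) column layout are my assumptions about OS X of that era, not something the post states, and the bundle identifiers in the constructed demo database are made up.

```python
import os
import sqlite3
import stat
import tempfile
from pathlib import Path

# Leftover files named in the post.
KEYLOGGER_ARTEFACTS = [
    "/Library/ScriptingAdditions/FScript64.osax",
    os.path.expanduser("~/.ek"),
]
# Assumed location of the database behind the Accessibility list (not from the post).
TCC_DB = "/Library/Application Support/com.apple.TCC/TCC.db"
ACCESSIBILITY = "kTCCServiceAccessibility"
UF_HIDDEN = getattr(stat, "UF_HIDDEN", 0x8000)  # the flag `chflags hidden` sets


def is_hidden(path):
    """True when the BSD hidden flag is set on path; systems without st_flags report False."""
    return bool(getattr(os.lstat(path), "st_flags", 0) & UF_HIDDEN)


def find_artefacts(paths=KEYLOGGER_ARTEFACTS):
    """Which of the known leftovers exist, and whether each is hidden from the Finder."""
    return [(p, is_hidden(p)) for p in paths if os.path.lexists(p)]


def accessibility_clients(db_path=TCC_DB):
    """Every client recorded under the Accessibility service, read from a read-only connection.

    Assumed schema: table access(service TEXT, client TEXT, ..., allowed INTEGER, ...).
    """
    uri = Path(db_path).resolve().as_uri() + "?mode=ro"
    conn = sqlite3.connect(uri, uri=True)
    try:
        rows = conn.execute(
            "SELECT client, allowed FROM access WHERE service = ? ORDER BY client",
            (ACCESSIBILITY,),
        ).fetchall()
    finally:
        conn.close()
    return [(client, bool(allowed)) for client, allowed in rows]


def unexpected_clients(clients, approved):
    """Clients granted Accessibility that the user never approved through the padlock dialog."""
    return [c for c, allowed in clients if allowed and c not in approved]


def build_demo_db(path):
    """Constructed TCC-style database for the demo; every identifier here is made up."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE access (service TEXT, client TEXT, client_type INTEGER, "
                 "allowed INTEGER, prompt_count INTEGER)")
    conn.executemany(
        "INSERT INTO access VALUES (?, ?, 0, ?, 1)",
        [
            (ACCESSIBILITY, "com.example.assistivetool", 1),  # the user approved this one
            (ACCESSIBILITY, "com.example.keylogger", 1),      # inserted without a prompt
            ("kTCCServiceAddressBook", "com.example.mailclient", 1),
        ],
    )
    conn.commit()
    conn.close()


def demo():
    """Run both checks against constructed files and a constructed database."""
    with tempfile.TemporaryDirectory() as root:
        osax = os.path.join(root, "FScript64.osax")
        os.mkdir(osax)  # an .osax is a bundle, i.e. a directory
        db = os.path.join(root, "TCC.db")
        build_demo_db(db)
        present = find_artefacts([osax, os.path.join(root, ".ek")])
        clients = accessibility_clients(db)
        return {
            "artefacts": [os.path.basename(p) for p, _ in present],
            "accessibility": clients,
            "unexpected": unexpected_clients(clients, {"com.example.assistivetool"}),
        }


if __name__ == "__main__":
    print(demo())
    # On a real Mac: print(find_artefacts()); print(accessibility_clients())  (needs admin rights)
```

The useful output is the "unexpected" list: anything granted Accessibility that you do not remember unlocking the padlock for deserves a closer look, whichever vendor it comes from.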

As always, be careful about what you download, use apps like DetectX or FastTasks 2 that can log changes that downloaded apps make to your system, and beware of all apps that require your admin password in order to be installed. There are legitimate reasons for that in some cases, but not many.

how to detect WireLurker malware

wirelurker malware

Security researchers have this week been getting themselves het up about a new malware threat to both iOS and OS X. WireLurker appears to be emanating out of Chinese file exchange sites and, at least at the moment, looks fairly limited in both its spread and its damage (update: Business Insider is reporting that Apple has blocked WireLurker-infected apps from launching).

However, researchers at Palo Alto Networks point out that what makes WireLurker particularly worrying is that the malware exploits weaknesses in Apple’s software that could, they claim, easily be used for far more dangerous threats.

You can easily scan for the malware threat with my free app FastTasks 2 (v 1.53 or later). If you don’t see the warning as in the screenshot above or any results in the Analyser ‘Issues’ pane, you’re clean of any of the currently known files associated with WireLurker. If you do see the warning, locate the infectious files from the Analyser pane and delete them (OS X will demand your Admin password to remove some of them), then restart your Mac.

🙂

how to fix the “Shellshock” security flaw

shellshock update bash

Apple have today released updates to Bash for Lion, Mountain Lion and Mavericks. All users are recommended to update to Bash version 3.2.53(1) to patch the recently found “Shellshock” exploit.

At the time of writing, the update for 10.9 wasn’t coming through OS X’s built-in ‘Software Update’. The updates are available for download and install here:

http://support.apple.com/kb/DL1767 – OS X Lion
http://support.apple.com/kb/DL1768 – OS X Mountain Lion
http://support.apple.com/kb/DL1769 – OS X Mavericks

how to easily encrypt your files

EncryptMe

Keep the spooks and data thieves out of your personal data with this easy-to-use, drag-and-drop 128-bit AES encryption applet. It’s a simple 1-2-3 process:
1. Download EncryptMe, copy to your Applications folder and drag the icon to your Dock.

Download link…📀

2. Select the files you want to encrypt and drop them onto EncryptMe’s Dock icon.

Add files


3. Choose a password and you’re done!

password

That’s really all there is to it, but let’s take a moment to go over the details of Steps 2 and 3.
How does it all work?

First of all, note that EncryptMe is an Automator “droplet” app. That means you use it by dropping files on it, not by clicking or double-clicking the icon (which will just produce an error message). If you want to know how EncryptMe works (or make your own), just open up Automator.app and take a look at the ‘New Disk Image’ action. EncryptMe sizes the disk image to fit the files you drop on its icon as long as you have enough free space on your drive.

automator action

Secondly, take a moment to pause and think about the password options. You can use OS X’s built-in password generator or make one up of your own. However, be careful. This encryption won’t just keep the bad guys out; it’ll keep you out too if you forget the password!

For that reason, you’ll need to think carefully about whether you’re going to tick the ‘Remember password in my Keychain’ checkbox or not. Doing so gives you far more insurance against losing the password. The flipside is that anyone will be able to access your encrypted files if they gain access to your computer while you’re logged in. Leaving the box unchecked is more secure: the password you set here will have to be supplied every time an attempt to open the files is made, even when you’re logged in. The bad news? Forget the password, and you’ll be in the same boat as the spooks and the data thieves, locked out of your data forever. So choose carefully here.

pwd generator

how to remove Google’s secret update software from your mac

If you’ve ever downloaded Chrome, even for just a trial (guilty!), you might not be aware that Google have slipped a little bit of hidden software into your Library.

This software is called Google Updater, and it secretly “calls home” on a regular basis and downloads updates to your Google software without either asking before, or notifying you after, doing so. In Developer circles, this is considered very shady practice. Users should be asked for consent and informed when software makes changes to either itself or the user’s computer, and ideally those notifications should tell the user what has been changed and how the changes could impact them.

Before I beat this drum any harder, however, I owe you at least the other side of the story. If I worked for Google, I’d probably come up with this response: “Hey look, a major source of computer virus and malware infections is that users are often using out-of-date software that hasn’t been patched to combat newly-discovered exploits. No matter how much we tell users to keep their software up-to-date, the truth is the majority don’t. We provide an automatic updater so that users don’t have to worry about it, and can be assured they’re always using the latest and safest version of our software”.

I’ve heard this argument so many times, I don’t doubt it’s something close to what Google would actually argue. My problem with this is that while automatic updates can be a good thing if they’re security related, it’s not at all clear why an app should be updating itself automatically for any other reason, or why it’s updating itself without providing notifications about when and what updates were made.

If an independent developer did that, they’d almost certainly find their software labelled as “suspicious” at best, and “dangerous” at worst. The fact that Google is a multinational, global enterprise with a stranglehold on the internet, and which is often tangling with the law in countries throughout the world, may make you feel more or less confident that they can be trusted more than independent developers, whose income depends very much on their reputation. I’ll leave that one for the reader to decide. 😉

Do I have Google Updater?
To see if you’ve got Google Updater hiding on your system, try this quick test in Terminal. Triple click the line of code below to highlight it.

defaults read com.google.Keystone.Agent

If you’ve previously installed my Terminal workflow, just hit control-opt-cmd-T or right/control click and choose “Services > Run in Terminal” from the contextual menu. Alternatively, if you have my free utility app FastTasks 2, the Analyser’s Profile view will show you if Google Updater is installed (see ‘Locate Google Updater’ below for the locations to check in the profile view). Otherwise, manually copy and paste it into a Terminal window.

If the result comes back as

Domain com.google.Keystone.Agent does not exist

you’re fine. Google Updater has not found its way into your system. Anything else and you’re going to need to decide whether you want to remove it or not. If you’re a regular Chrome user, keeping Updater might prove convenient, though you’ll have to live with the idea that the app is updating itself in ways over which you have no control. If you rarely or never use Chrome, there’s no reason to have this hidden process regularly calling home to Google every time you’re connected to the net.

How do I remove it?
You have two options. You can either disarm it or you can nuke it. Disarming it is simplest; it’s a one-line Terminal command:

defaults write com.google.Keystone.Agent checkInterval 0

This command tells the Updater how often to “call home”. A value of 0 basically means ‘never’. Disarming it is probably better than nuking it if you still keep Chrome on your system and use it occasionally. You can temporarily set it back to something like ‘once a week’ from time to time to check for security updates with

defaults write com.google.Keystone.Agent checkInterval 604800

Nuking the Google Updater is a bit more complex. You’ll want to run some uninstaller commands, and then you’ll want to go and clear up the crud that is still left behind. And before you can do either of those, you need to find out where it’s hiding. So, we have a three-step process.

1. Locate Google Updater
Triple click the first of these two lines, and choose ‘Services > Reveal in Finder’ from the contextual menu (that’s another right-click or control-click on the selected line), and then repeat for the second line:

~/Library/Google
/Library/Google

You will likely get the error message “The operation can’t be completed because the item can’t be found” from one of these lines, but not the other. Note that the difference is all in the presence or absence of the tilde ~. Make a note of which one worked, and run the appropriate commands in step 2.

2. Run the uninstaller commands

Run these in Terminal (again, triple clicking to highlight and doing the usual trick afterwards with shortcut key or Services menu if you have my workflow installed), one at a time:

If the Updater was in your user library (with the tilde ~), then first do this (it’s all one line):

Update: please read the Comments for latest commands
python ~/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/\
Contents/Resources/GoogleSoftwareUpdateAgent.app/Contents/Resources/\
install.py --uninstall

then this:

touch ~/Library/Google/GoogleSoftwareUpdate

If the Updater was in your domain library (no tilde ~), then first do this (it’s all one line):

sudo python /Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/\
Contents/Resources/GoogleSoftwareUpdateAgent.app/Contents/Resources/\
install.py --uninstall

and enter your Admin password (note that you won’t see any indication of your password being typed in the Terminal window). Then do this:

sudo touch /Library/Google/GoogleSoftwareUpdate

3. Clear up the crud
If the updater was in your user library, open that now and go to

~/Library/Google/

and delete the folder called ‘GoogleSoftwareUpdate’. If you don’t use any other Google software (I don’t), you can just delete the entire ‘Google’ parent folder.

If the updater was in your domain library, search for the same folder and send it to the trash. You will need to give Finder your admin password to authorise the move.

Next, let’s just check the uninstaller was successful. Look for the following. If you don’t find them, good (the uninstaller did its job). If you do, help them on their way to oblivion by sending them to the trash:

~/Library/Caches/com.google.Keystone.Agent
~/Library/LaunchAgents/com.google.Keystone.agent.plist
~/Library/Preferences/com.google.Keystone.Agent.plist
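Added example, not from this post or any of its sources: a Python 3 audit of the three files listed above plus the LaunchAgents folders. It summarises the agent plist that makes the updater run (its Label, program and the RunAtLoad/StartInterval keys, which are how launchd keeps it “calling home”), reads checkInterval from the Keystone preferences so you can confirm the disarm command above took effect (0 means never), and lists which remnants still exist. The plists it writes into a temporary folder for the demo are constructed: the keys are standard launchd keys, but the values are made up and not copied from a real Keystone install.

```python
import glob
import os
import plistlib
import tempfile

HOME = os.path.expanduser("~")
# Remnants listed in the post (user library).
KEYSTONE_REMNANTS = [
    os.path.join(HOME, "Library/Caches/com.google.Keystone.Agent"),
    os.path.join(HOME, "Library/LaunchAgents/com.google.Keystone.agent.plist"),
    os.path.join(HOME, "Library/Preferences/com.google.Keystone.Agent.plist"),
]
LAUNCH_AGENT_DIRS = [os.path.join(HOME, "Library/LaunchAgents"), "/Library/LaunchAgents"]


def load_plist(path):
    with open(path, "rb") as fh:
        return plistlib.load(fh)  # handles both XML and binary plists


def describe_agent(plist_path):
    """Summarise a launchd agent: what it runs and what keeps it running."""
    d = load_plist(plist_path)
    args = d.get("ProgramArguments") or []
    return {
        "file": os.path.basename(plist_path),
        "label": d.get("Label"),
        "program": d.get("Program") or (args[0] if args else None),
        "run_at_load": bool(d.get("RunAtLoad", False)),
        "start_interval": d.get("StartInterval"),  # seconds between launches, if periodic
    }


def find_agents(dirs=LAUNCH_AGENT_DIRS, needle="keystone"):
    """Every agent plist in dirs whose file name contains needle (case-insensitive)."""
    hits = []
    for d in dirs:
        for p in sorted(glob.glob(os.path.join(d, "*.plist"))):
            if needle in os.path.basename(p).lower():
                hits.append(describe_agent(p))
    return hits


def check_interval(prefs_path):
    """checkInterval from the Keystone prefs. A bare `defaults write` stores the number as
    a string, so accept either form. None means the key (or the file) is absent."""
    if not os.path.isfile(prefs_path):
        return None
    value = load_plist(prefs_path).get("checkInterval")
    return None if value is None else int(float(value))


def describe_interval(seconds):
    if seconds is None:
        return "default (key not set)"
    if seconds == 0:
        return "disarmed (never calls home)"
    return "every %d seconds (%.1f days)" % (seconds, seconds / 86400.0)


def remnants_present(paths=KEYSTONE_REMNANTS):
    return [p for p in paths if os.path.lexists(p)]


def demo():
    """Constructed fixture: one agent plist and one prefs plist in a temp folder."""
    with tempfile.TemporaryDirectory() as root:
        agents = os.path.join(root, "LaunchAgents")
        os.mkdir(agents)
        agent = os.path.join(agents, "com.google.Keystone.agent.plist")
        with open(agent, "wb") as fh:
            plistlib.dump({"Label": "com.google.keystone.agent",
                           "ProgramArguments": ["/PLACEHOLDER/GoogleSoftwareUpdateAgent"],  # made-up path
                           "RunAtLoad": True, "StartInterval": 3600}, fh)
        prefs = os.path.join(root, "com.google.Keystone.Agent.plist")
        with open(prefs, "wb") as fh:
            plistlib.dump({"checkInterval": "0"}, fh)  # what `defaults write ... checkInterval 0` leaves
        return {
            "agents": find_agents([agents]),
            "interval": describe_interval(check_interval(prefs)),
            "remnants": remnants_present([agent, prefs, os.path.join(root, "missing")]),
        }


if __name__ == "__main__":
    print(demo())
    for agent in find_agents():
        print(agent)
    print("checkInterval:", describe_interval(check_interval(KEYSTONE_REMNANTS[2])))
    for p in remnants_present():
        print("still present:", p)
```

The same find_agents call with a different needle is a quick way to review any other agent that has appeared in ~/Library/LaunchAgents without your knowledge.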

If you’ve deleted Chrome from your Applications folder too, then you might as well hunt down and exterminate its prefs list while you’re at it:

~/Library/Preferences/com.google.Chrome.plist

The following sources were used in researching this post:

http://wireload.net/products/guu-google-update-uninstaller/
http://raamdev.com/2008/howto-remove-google-software-update-on-mac-os-x/
http://blog.slaunchaman.com/2010/06/30/google-earth-now-available-without-automatic-updates/
https://support.google.com/installer/answer/147176?hl=en

‘Don’t be evil’ picture was remediated from here.

how to clear Safari’s cookies on quit

If ever there was a free app that deserved more recognition, it’s Safari Cleaner (direct download). Developed out of a simple AppleScript, this app does what many people would expect Safari to have an option to do in the Preferences panels: automatically clear stored information when Safari quits.

Personally, I’ve found this particularly needsome since signing into any Google service seems to be particularly irritating. Gmail, for example, needs several clicks just to be told that you don’t want to be remembered. Safari Cleaner takes care of automatically ‘forgetting’ as much or as little info as you want without you having to remember to clear cookies or caches. It’ll also, thankfully, forget Top Sites. 🙂

Safari Cleaner

Personally, I leave my history as that’s something I regularly need across sessions, but the rest, I’m happy to be forgotten. If you’re wondering why anyone might care, well, there’s a whole bunch of reasons including protecting you from malware and malicious websites, but at least one other is nicely detailed in this Ars Technica article, which explains how cookies can be used to track your physical whereabouts.

One caveat to note with Safari Cleaner: in my tests, I’ve noticed that if you quit and restart Safari in rapid succession (within about 5 seconds or less), the script hasn’t had time to finish running and caches and cookies aren’t cleared. To be safe, you probably want a nice 10 secs or so between quitting and relaunching Safari if you absolutely must be sure the previous session was wiped out.

Once you’ve run and set up Safari Cleaner’s options, you can quit the app and it’ll just carry on working in the background. Launch the app only if you want to change your options. If you want to uninstall it, note that there’s an uninstaller in the DMG, so don’t throw that away.

Get Safari Cleaner (direct download)
check for security flaw in OS X and iOS

Update: Mavericks users can now update to 10.9.2 which fixes the flaw. 🙂

News is just breaking of a flaw in Apple’s implementation of SSL security, which could affect anyone using iOS or OS X 10.9 over public/open access wifi ‘hotspots’.

If you’re using iOS, please ensure you do Software Update immediately as a patch has already been released by Apple.

No word from Apple on OS X at time of writing. You can test to see if you have the problem by clicking the following link. Basically, if SSL is working properly you shouldn’t be able to read the message on this page:

https://www.imperialviolet.org:1266

If you can read the message on that website from your Mac computer, the best advice to date is to stay off public/open access wifi networks until we hear something more from Apple.

Ars Technica have more information on the security flaw here.
