In an eyebrow-raising announcement, users of Mozilla’s Firefox browser are urgently warned to upgrade to Firefox 72.0.1, Firefox Extended Support Release (ESR) 68.4.1, and Thunderbird 68.4.1 (which uses the Firefox engine) or later right away.
All software has bugs, and Mozilla’s software is no exception. Also, bad guys will ruin everything on the Internet.
What makes this warning from the United States Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) so important is that there are active attacks on Firefox users, delivered through compromised websites that serve malicious web pages. Once an unpatched version of Firefox is successfully exploited, an attacker will be able to gain control over the Mac or Windows PC that the browser is running on.
“Mozilla has released security updates to address a vulnerability in Firefox, Firefox ESR, and Thunderbird. An attacker could exploit this vulnerability to take control of an affected system. This vulnerability was detected in exploits in the wild.
The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Mozilla Security Advisories for Firefox 72.0.1 and Firefox ESR 68.4.1 and Thunderbird 68.4.1 and apply the necessary updates.”
Mozilla has provided directions for upgrading your copy of Firefox to the latest release on their support website.
Keep yourself safe. Apply this update, even if you normally do not like to apply software patches and upgrades.
Today, Apple has posted a set of updates that are designed to patch recently reported vulnerabilities found in Intel and ARM processors. These are very important security updates. You should install them as soon as you can.
The vulnerability, which impacts all modern Intel and ARM CPUs, can be found in just about every PC, smartphone, and tablet on sale. Microsoft Windows, Linux distributions, and hardware vendors all need to issue patches to prevent the “Meltdown” and “Spectre” vulnerabilities from being exploited and granting cyber-attackers access to highly sensitive data that is held in a computer’s protected memory space.
Confused about all of these processor vulnerabilities and patches? It’s totally understandable. If you really want to understand what’s going on, check out Rene Ritchie’s excellent Meltdown and Spectre FAQ at iMore.com.
On December 12, Apple released a pair of AirPort firmware updates to close the WPA2 key reinstallation attack vulnerability. The vulnerability was first publicly announced in October, after vendors had been alerted to it much earlier in the year.
The AirPort firmware updates can be applied using the iOS AirPort Utility, available for free from the Apple iOS App Store. If you have an Apple AirPort running in your home or office, you need to update it right away to close this serious vulnerability.
About this time last year, I wrote about my doubling-down on Apple AirPort hardware in the face of media reports (aka: rumors) that Apple had abandoned the AirPort product line. I still hold that there are much better Wi-Fi solutions available today, even for die-hard Apple fans like us. The Wirecutter (https://thewirecutter.com/reviews/best-wi-fi-mesh-networking-kits/) has a very good review of mesh network Wi-Fi devices from vendors such as Eero and Netgear. You really should be running them over Apple’s AirPort at this point. Still, despite Apple reportedly walking away from AirPort, as a customer, I am glad that Apple took on the task of releasing a pair of security updates for the aging devices. It seems only fair to customers, since Apple is still selling the AirPort hardware online and in retail stores.
What About My Other Apple Gear?
Apple updated iOS 11, macOS, watchOS, and tvOS back in October. If you are running iOS 11.1, watchOS 4.1, tvOS 11.1, or the latest versions of macOS High Sierra 10.13, Sierra 10.12, or El Capitan 10.11, you have already installed the WPA2 patch. Use the Software Update feature of these operating systems to verify that you are up-to-date, or install the latest software releases if need be.
If you are still running macOS/OS X Mavericks 10.10, you should consider upgrading to High Sierra to gain the WPA2 patch. Mavericks and earlier versions of macOS will not be patched.
What About Everything Else?
The WPA2 key reinstallation vulnerability is not a flaw or vulnerability that is specific to Apple hardware and software. It is a flaw in the WPA2 protocol itself. Thankfully, the flaw can be fixed with software. What that means, though, is that to improve your chances of being protected against attacks using the WPA2 vulnerability, you must patch all of your Wi-Fi equipment, including routers/modems, smart devices (e.g., light bulbs, switches, and cameras), TVs, Blu-ray players, and gaming consoles.
Yesterday, an unusually dangerous security vulnerability in macOS 10.13.1 High Sierra was uncovered. Less than 24 hours later, Apple has issued a patch to correct the situation. The vulnerability allowed access to the Unix ‘root’ account – the most powerful ID on a Unix system – without the use of a password.
Apple support article HT208315 gives you the specifics about this vulnerability. If you haven’t already done so, go to the Mac App Store and install Security Update 2017-001. It is a small update that does not require the Mac to be rebooted.
John Gruber over at Daring Fireball received a statement from Apple stating the company’s regret and apology for rolling out High Sierra 10.13.1 with this bug in it. The statement to Daring Fireball also noted that “starting later today it will be automatically installed on all systems running the latest version (10.13.1) of macOS High Sierra.”
It was later reported, again by Gruber, that the Security Update 2017-001 patch inadvertently breaks file sharing in macOS High Sierra. If you experience the post-Security Update 2017-001 file sharing bug, Apple has posted support article HT208317 on how to fix file sharing. To apply the file sharing bug fix, open Terminal.app and issue the command:
There is no output from the command. When you are done, quit Terminal.
Late last night, my father, of all people, tipped me off to a story making the rounds on the Internet about a security vulnerability with an iPhone 6s or iPhone 6s Plus running iOS 9.3.1. The reported vulnerability allowed a malicious user to bypass the iPhone’s lock screen using the hands-free “Hey, Siri” command. When successfully executed, an attacker would be able to see all of the contacts and photos on the device.
“You might want to wait before downloading the latest version of Apple’s operating system for iPhones. If you own an iPhone 6S or 6S Plus and have upgraded to iOS 9.3.1, other people can access your contacts and photos without entering a passcode to unlock the phone. It’s an elaborate and finicky but nonetheless startling loophole.”
With my iPhone 6s Plus unlocked and running iOS 9.3.1, the “finicky” exploit worked. However, if I repeated the process with my iPhone locked, the attack was stopped dead in its tracks.
When I tried to reproduce the attack this morning, I received a notice from Siri that I needed to unlock my iPhone first. I made this short video that was posted to YouTube this afternoon.
“While initial reports and claims from the bug’s discoverers said that the issue was an iOS 9 glitch, it turns out it was a Siri problem. On Tuesday morning, after seeing the rash of reports on the issue, Apple issued an update to Siri fixing the problem. Therefore, users who were previously subject to the issue are now safe and do not require a software update to get the fix.”
Security and privacy conscious iPhone 6s and iPhone 6s Plus users can go back to their day without further worry.
Apple is further enhancing their iPhone unlock security with the upcoming release of iOS 8.3, which is currently in beta testing.
PIN code required when TouchID is not used to unlock the device in 48 hours
My pal, and fellow 1SRC Palm Podcast host, Jeff Kirvin, has informed me that iOS requires a PIN or passcode if not used for 48 hours right now with iOS 8.2.
I hate it when he’s right. I still think this is a good feature.
In the future, if you have not unlocked your iPhone using Touch ID in the past 48 hours, you will be required to re-enter your PIN or passcode. With iOS 8.0 up to and including iOS 8.2, Apple only required that you enter your PIN or passcode after restarting your iPhone.
The above screen appeared after I left my iPhone 5S running a beta version of iOS 8.3 at home for two days.
I think that while this may generate a few help desk calls when iOS 8.3 is deployed to corporate iOS devices that get left at work or unused over the weekend, it is a really good move for people who may accidentally lose their device.
Apple has not announced when iOS 8.3 will ship. The pre-release software is being tested by registered developers (a $99 annual fee is required to join the program) and by select members of the iOS and OS X public beta program.
Some bloggers believe that iOS 8.3 will ship next month at about the same time the Apple Watch is released.
Adobe has issued a security bulletin urging Flash users to upgrade to the latest release, version 14.0.125. Windows PCs, Macs, and machines running Linux with unpatched versions of Flash are vulnerable to an attack that could allow an attacker to take control of the computer.
“Adobe has released security updates for Adobe Flash Player 188.8.131.52 and earlier versions for Windows and Macintosh and Adobe Flash Player 184.108.40.2069 and earlier versions for Linux. These updates address vulnerabilities that could potentially allow an attacker to take control of the affected system. Adobe recommends users update their product installations to the latest versions[.]”
A new article by The Wall Street Journal says that officials at Target were made aware of the potential security risks that led to the November 27 – December 18 attack last year.
“Target Corp.’s computer security staff raised concerns about vulnerabilities in the retailer’s payment card system at least two months before hackers stole 40 million credit and debit card numbers from its servers, people familiar with the matter said.”
In Target’s defense, the Journal also reports:
“The sheer volume of warnings that retailers receive makes it hard to know which to take seriously. Target has an extensive cybersecurity intelligence team, which sees numerous threats each week and could prioritize only so many issues at its monthly steering committee meetings, the former employee said.”
As an IT professional, I find a report like this to be disappointing. It’s a constant battle between business objectives and priorities on one side and “good housekeeping,” such as installing infrastructure and security upgrades and patches, on the other. Sometimes those priorities get muddy.
As a Target customer who had their personal data stolen in the breach, I’m more than annoyed to learn that the situation was preventable. It is also my opinion that most of these types of breaches are preventable with frequent software updates.
I think security breaches, both large and small, along with the ever-growing data stockpile that companies are amassing about their customers, are a growing concern for customers and IT departments alike. We all know that our online habits are being tracked and that companies are collecting an amazing amount of personal data about who we are, so that this information can be used either to make more money from you with targeted advertising or by selling the collected information to third parties.
While I don’t think that personal data collection will go away anytime soon, if ever, I would hope that as a society, we put new laws and limits on what businesses and clearing houses can do with the data they collect about us.
Click the source link below to read the full article online (login required).
Earlier today, Ibrahim Balic, a “security researcher” identified himself as the hacker who breached Apple’s Developer Center portal.
According to AppleInsider, Balic identified himself, on the TechCrunch website, as the person who hacked into Apple’s servers.
“Balic said he found a total of 13 bugs on Apple’s site, one of which provided him with access to user information. He claims to have taken 73 user details — all of whom are Apple employees — and given them to the company as an example.”
“Security researcher” or “hacker,” I think we should let the courts decide, don’t you?