{"id":64279,"date":"2017-03-24T09:57:21","date_gmt":"2017-03-24T16:57:21","guid":{"rendered":"https:\/\/www.intego.com\/mac-security-blog\/?p=64279"},"modified":"2017-03-24T09:57:21","modified_gmt":"2017-03-24T16:57:21","slug":"month-in-review-apple-security-in-march-2017","status":"publish","type":"post","link":"https:\/\/www.intego.com\/mac-security-blog\/month-in-review-apple-security-in-march-2017\/","title":{"rendered":"Month in Review: Apple Security in March 2017"},"content":{"rendered":"

\"Month<\/p>\n

Last month, February, was a doozy<\/a> with several\u00a0reports of Mac malware in the wild. What notable security events have happened in\u00a0March 2017 that impact\u00a0users of Macs, iPhones, iPads, and other Apple devices? Read on to find out.<\/p>\n

Mac Hackers Get Root at Pwn2Own<\/h3>\n

Each year at the CanSecWest security conference, hackers compete for cash prizes and geek cred\u00a0in the Pwn2Own hacking competition. Zero-day vulnerabilities exploited during the contest\u00a0are disclosed to the vendors, so bugs get fixed and end users ultimately benefit from increased security.<\/p>\n

On the first day of Pwn2Own, researchers Samuel Gro\u00df and Niklas Baumstark chained together multiple exploits to “get root” (obtain full administrator privileges) on a MacBook Pro. They earned style points by displaying “pwned by niklasb & saelo” across the Touch Bar.<\/p>\n

\n

Awesome pwnage with @_niklasb<\/a> #pwn2own<\/a> \ud83d\ude42 pic.twitter.com\/Zk0empswbW<\/a><\/p>\n

\u2014 Samuel Gro\u00df (@5aelo) March 15, 2017<\/a><\/p><\/blockquote>\n

(As a fun aside, back in 2010 I interviewed<\/a> four-time Pwn2Own winner Charlie Miller about Mac security and fuzzing after his third-year victory.)<\/p>\n

Apple Denies Alleged iCloud Breach; Refuses Ransom<\/h3>\n

\"\"Vice’s Motherboard blog reports<\/a> that a group calling itself “Turkish Crime Family” has demanded that Apple pay a ransom of $75,000 in cryptocurrency or $100,000 in iTunes gift cards\u00a0to prevent a mass attack on iCloud users.<\/p>\n

The extortionists, who threaten to remotely wipe Apple\u00a0devices and reset iCloud accounts if Apple has not paid them by April 7,\u00a0claim to have access to as many as 559 million accounts including some with\u00a0@icloud.com and @me.com domains.<\/p>\n

Apple claims that there has not been a breach of iCloud or Apple\u00a0ID systems, and that the extortionists’ list of e-mail addresses and passwords appears to have come from previous attacks on third-party services. Apple told Motherboard:<\/p>\n

“We’re actively monitoring to prevent unauthorized access to user accounts and are working with law enforcement to identify the criminals involved.
\n 
\n“To protect against these type of attacks, we always recommend that users always use strong passwords, not use those same passwords across sites and turn on two-factor authentication.”<\/p><\/blockquote>\n

Enabling two-step verification for your Apple ID is a good safety precaution.<\/p><\/div>\n

We offer the same advice about not reusing passwords across multiple sites. If you may have used your Apple\u00a0ID or iCloud account\u00a0password on\u00a0another site in the past, change your password as a precaution, and be sure\u00a0to use one that’s\u00a0unique\u00a0and hasn’t been used elsewhere. And yes,\u00a0definitely\u00a0enable two-step authentication<\/a>; adding “something you have” to your sign-in process can make it significantly\u00a0more difficult for an attacker to breach your account.<\/p>\n

WikiLeaks’ Vault 7 and DarkMatter Disclosures<\/h3>\n

\"\"WikiLeaks has recently made waves with a series of alleged leaks of U.S. Central Intelligence Agency documents, collectively dubbed “Vault\u00a07.” The alleged leaks contain documents, which date from 2012 to 2016 according to security expert Bruce Schneier’s report<\/a>, that include details of both previously known and new attacks on software and hardware platforms of companies such as Apple, Cisco, Google, Microsoft, and Samsung\u2014some of which were supposedly\u00a0used\u00a0by\u00a0the CIA a decade or longer ago.<\/p>\n

Motherboard\u00a0reports<\/a> that WikiLeaks has been in touch with Apple, Google, and Microsoft with an offer to share the details of several vulnerabilities disclosed in Vault\u00a07. According to Motherboard, WikiLeaks would only disclose the details to Apple and other companies if they would promise to patch the vulnerabilities within 90 days.<\/p>\n

A Microsoft spokesperson confirmed that Microsoft had been contacted, but Apple and Google have neither commented on Motherboard’s inquiry nor a follow-up inquiry<\/a> from Forbes. However, BuzzFeed reported earlier this month\u00a0that\u00a0Apple had\u00a0stated\u00a0that “many of the issues leaked [on the first day of Vault\u00a07] were already patched in the latest iOS,” and that Apple would “continue to work to rapidly address any identified vulnerabilities.”<\/p>\n

\n

Here’s Apple’s statement on iOS-related stuff in the WikiLeaks CIA data dump. pic.twitter.com\/QiAWx8ZXpT<\/a><\/p>\n

\u2014 John Paczkowski (@JohnPaczkowski) March 8, 2017<\/a><\/p><\/blockquote>\n

Forbes reported<\/a>\u00a0this week on a Vault\u00a07 update that WikiLeaks is calling “DarkMatter,” which alleges that the CIA has been targeting the iPhone since a year after Apple debuted its groundbreaking smartphone. The CIA was allegedly developing\u00a0rootkit malware called NightSkies in 2008, which Forbes indicates\u00a0would have given\u00a0the CIA complete control over a\u00a0compromised\u00a0iPhone.<\/p>\n

There was also allegedly a version of NightSkies in development that targeted Macs, as well as a way to combine multiple attacks to embed persistent rootkit malware into the EFI firmware and operating system.<\/p>\n

One alleged CIA trick from 2012 called “Sonic Screwdriver” is similar to Thunderstrike<\/a> and Thunderstrike\u00a02<\/a>, which Apple partially mitigated years ago in 2014 with\u00a0OS X 10.10.2 and in 2015 with 10.10.4.<\/p><\/div>\n

As noted<\/a> by 9to5Mac, security researcher Will Strafach believes that the vulnerabilities in the DarkMatter release have largely been fixed, and that end users need\u00a0not worry.<\/p>\n

\n

I truly hope it goes without saying, but if not: I have verified that the new release contains nothing of concern. most things are ancient. https:\/\/t.co\/0JSSc0UgF0<\/a><\/p>\n

\u2014 Will Strafach (@chronic) March 23, 2017<\/a><\/p><\/blockquote>\n

Apple Hires Jonathan Zdziarski<\/h3>\n

Credit: Zdziarski’s blog<\/p><\/div>\n

Earlier this month, leading iOS security expert Jonathan Zdziarski announced<\/a> that he had accepted a position with Apple’s Security Engineering and Architecture team. On his acceptance of the position, Zdziarski commented:<\/p>\n

“Privacy is sacred; our digital lives can reveal so much about us \u2013 our interests, our deepest thoughts, and even who we love. I am thrilled to be working with such an exceptional group of people who share a passion to protect that.”<\/p><\/blockquote>\n

Although it could certainly benefit Apple and its customers to have Zdziarski as part of Apple’s security team, AppleInsider notes<\/a> that this also likely means that the researcher will reveal little about iOS security on his blog while employed by Apple.<\/p>\n

It appears that Zdziarski has deleted his Twitter account.<\/p>\n

Unpatched Vulnerability in Adium IM Client<\/h3>\n

\"\"The Register reports<\/a> that Adium, a multi-protocol instant messaging app for macOS, contains an outdated and vulnerable version of the libpurple library.<\/p>\n

Users of Adium<\/a> are advised to discontinue using the software until version 1.5.10.3 is released to address the vulnerability.<\/p>\n

ICYMI: RSA Conference 2017 Highlights<\/h3>\n

\"\"In February’s update, we mentioned that RSAC 2017 coverage was coming soon. In case you missed it, you can check it out here:<\/p>\n

RSA Conference 2017 Highlights<\/a><\/p><\/blockquote>\n