![\"Month](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2017\/04\/month-in-security-april-2017.jpg\")
<\/p>\n<\/p>\n
The end of April is upon us, can you believe it’s almost May already?\u00a0A\u00a0lot has happened since this time last month, so let’s jump right in\u00a0with April’s security news\u00a0roundup.<\/p>\n
Some of the highlights in April include Apple security updates, a phishing scam targeting iPhone users, and an update on the Apple ID extortion attempt, among a slue of other important security news. Read on for the details!<\/p>\n
![\"Apple](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2017\/03\/Apple-macOS-Sierra-10.12.4-300x150.jpeg\")
Apple released several\u00a0security updates in late March and early April.<\/p>\n
We covered\u00a0the following updates in this article<\/a> late last month:<\/p>\n Apple subsequently released the following security updates:<\/p>\n Along with these security updates, however, Apple inadvertently introduced a new\u00a0insecurity<\/em>\u00a0as well.<\/p>\n According to Mac\u00a0security researcher Patrick Wardle, Apple unintentionally introduced a new zero-day vulnerability in\u00a0macOS Sierra 10.12.4 in an attempt to fix another security bug\u00a0that Wardle had reported.<\/p>\n Apple ‘fixed’ one of my reported kernel bugs in macOS 10.12.4 by 1) not fixing it at all 2) introducing an 0day kernel info leak ?\u200d\u2642\ufe0f #0day<\/a> https:\/\/t.co\/YtMDjrj9uP<\/a><\/p>\n \u2014 patrick wardle (@patrickwardle) April 6, 2017<\/a><\/p><\/blockquote>\n Exploitation of the vulnerability requires network-level auditing to be enabled, which Wardle notes must\u00a0be turned on with root privileges. For this reason, it’s unlikely that many end users will be affected by this vulnerability before Apple releases a fix.<\/p>\n More than two weeks after Wardle published the complete details<\/a> of his findings, Apple still has not\u00a0released an update for macOS Sierra to address this vulnerability.<\/p>\n BGR reported<\/a> that phishing scam text messages targeting iPhone users have been\u00a0making the rounds this past week.<\/p>\n Some iPhone users have been receiving SMS text messages claiming that their Apple ID will be disabled, unless they confirm their “informations” by tapping on a shortened URL.<\/p>\n Apple has not disabled your Apple ID; don’t fall for this scam. Image credit: BGR<\/a><\/p><\/div>\n Apple will\u00a0never\u00a0disable your Apple ID until you tap on a link in a text message.<\/p>\n Anyone who may have fallen victim to this scam should change their password immediately at https:\/\/appleid.apple.com<\/a>. We also advise Apple users to\u00a0enable two-factor authentication<\/a> for their Apple\u00a0ID to help avoid their account becoming compromised by similar\u00a0scams.<\/p>\n Last month<\/a> Apple claimed last month that iCloud itself had not been breached, and this claim was corroborated by a report in early April\u00a0from “Have I Been Pwned?” creator Troy Hunt, who confirmed<\/a> that the primary\u00a0source of the Apple\u00a0e-mail addresses and passwords that Turkish Crime Family had shared with reporters seemed to have been a previous breach of gaming company Evony.<\/p>\n So what happened on April 7? There were no major media reports indicating that a large number of devices had been remotely erased or iCloud accounts reset. As for Turkish Crime Family,\u00a0a Twitter account apparently belonging to the group claimed that more than $476,000 worth of Bitcoin had been paid\u00a0to the group on April 7.\u00a0The implication that the ransom had been paid\u00a0seems rather suspicious considering that the group had only asked Apple for $75,000.<\/p>\n The crime group’s Twitter account\u00a0has not\u00a0been updated\u00a0since April 7.<\/p>\n The Mac Observer reported<\/a> that it’s possible to disable Apple’s Find My Mac<\/a> feature by simply resetting a\u00a0Mac’s NVRAM (a classic Mac repair feature that was once known as “zapping the PRAM”).<\/p>\n Thus,\u00a0if a thief steals your Mac, in theory they\u00a0could simply reboot your Mac (holding down the Command-Option-P-R\u00a0keystroke) and prevent you from\u00a0being able to locate your computer.<\/p>\n This keystroke can be used to disable Find My Mac unless you have a firmware password set. Image credit: JohnHWiki<\/a><\/p><\/div>\n To mitigate the weakness, TMO recommended setting a firmware password on your Mac. On a\u00a0Mac\u00a0with a firmware\u00a0password, the\u00a0NVRAM cannot be reset without first entering the password at boot time.<\/p>\n Image credit: iTnews<\/a><\/p><\/div>\n An unofficial app store was temporarily available within an app in Apple’s official App Store, according to a report<\/a> from iTnews.<\/p>\n According to the report, a\u00a0Japanese-language\u00a0app that claimed to have been a household financial helper program was, in fact, a subversive way of getting an unofficial Mandarin Chinese-language app store past Apple’s vetting process to get it into the official App Store.<\/p>\n It’s unclear what exactly\u00a0the\u00a0developer’s intention was;\u00a0perhaps it was intended as a way to install third-party apps, or modified versions of apps, without having to jailbreak a device. However, one app that was available on the unofficial store was a jailbreaking app.<\/p>\n The important take-away for users of iPhone, iPad, and iPod touch devices is that Apple’s app vetting process is not perfect, and occasionally some dubious apps make their way into the App Store. Users should exercise caution with any\u00a0App Store apps\u00a0that are either new or\u00a0have very few reviews.<\/p>\n Essentially, an attacker can register a domain with a\u00a0URL that in Firefox and Opera\u00a0(and old\u00a0versions of Chrome) will look identical, or nearly identical, to the address of a legitimate site.<\/p>\n Wordfence used the example of epic.com, a healthcare site, and registered the domain “xn--e1awd7f.com” which uses look-alike, internationalized domain name (IDN) characters that in some browsers appears as “epic.com” in the address bar.<\/p>\n Less than a week after Wordfence published its findings, another researcher registered a look-alike apple.com domain,\u00a0xn--80ak6aa92e.com, as reported<\/a> by Ars Technica.<\/p>\n Firefox displays this site’s address as https:\/\/www.apple.com rather than https:\/\/www.xn--80ak6aa92e.com<\/p><\/div>\n Both example sites have a free TLS (“SSL”) certificate from LetsEncrypt, adding legitimacy to the\u00a0way the sites\u00a0appear in affected browsers’ address bars.<\/p>\n The idea of IDN homograph attacks is not new; there’s actually a Wikipedia article<\/a> for it.\u00a0However, after\u00a0the recent\u00a0media attention, two of the three affected browsers are taking action to address the issue.<\/p>\n Google\u00a0has already mitigated this issue by releasing\u00a0Chrome version\u00a058<\/strong>.<\/p>\n Opera users can use the beta<\/a> version, 45<\/strong>, or the developer version, 46, which mitigate the issue. \u00a0The current stable release, version 44 (44.0.2510.1218), does not address\u00a0the issue.<\/p>\n Meanwhile, according to Ars Technica, Mozilla’s lead developers have indicated that they do not plan to address the issue by changing Firefox’s default behavior. Firefox users who wish to mitigate this issue\u00a0themselves<\/strong> may do the following:<\/p>\n Apple’s Safari browser does not<\/em> display these sites’ addresses\u00a0in a misleading manner.<\/p>\n The Electronic Frontier Foundation\u00a0has released a report (summary<\/a>; full report<\/a>) detailing privacy concerns with regard to\u00a0devices issued by schools to students. Those who work\u00a0in\u00a0education, or concerned parents, may be interested in reviewing the report, which mentions iPads and some popular\u00a0edtech apps.<\/p>\n Ed tech apps show troubling trends in data retention and encryption. Read more in our new student privacy report. https:\/\/t.co\/bxckLiNz4h<\/a><\/p>\n \u2014 EFF (@EFF) April 15, 2017<\/a><\/p><\/blockquote>\n Be sure to subscribe to\u00a0The Mac Security Blog<\/strong>\u00a0to stay informed about Apple security throughout each month.<\/p>\n If you missed Intego’s previous Apple security news roundups for 2017, you can check them out here:<\/p>\n Month in Review: Apple Security in March 2017<\/a><\/p><\/blockquote>\n\n
\n
\n
SMS Phishing Scam Targets iPhone Users<\/h3>\n
![](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2017\/04\/ios-phishing-edited.png\")
Apple ID “Breach” Extortion Update<\/h3>\n
![](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2012\/12\/hacking-thumb-300x195.jpg\")
<\/a>, we reported that a group of extortionists calling itself\u00a0Turkish Crime Family was threatening to remotely wipe Apple devices and reset iCloud accounts if Apple had not paid a hefty US $75,000 ransom by April 7.<\/p>\nFind My Mac Easily\u00a0Disabled with Physical Access<\/h3>\n
![](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2017\/04\/Apple_iMac_Keyboard_A1242-PRAM-1024x464.png\")
Unofficial App Store Hidden in an App Store App<\/h3>\n
![](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2017\/04\/unofficial-app-store-in-app-267x300.png\")
![](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2017\/04\/xzibit-app-stores-meme.png\")
<\/p>\nUnicode Implementation Issue Facilitates Phishing<\/h3>\n
![](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2017\/04\/firefox-opera-chrome-300x100.png\")
An implementation issue in the way that Mozilla Firefox, Opera, and\u00a0Google Chrome browsers have displayed URLs could\u00a0make it easier for an attacker to\u00a0make\u00a0a\u00a0very convincing\u00a0phishing site, as explained<\/a>\u00a0by Wordfence.<\/p>\n![\"\"](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2017\/04\/xn-80ak6aa92e_com-not-apple_com-1024x437.png\")
\n
EFF Releases “Troubling” Report on Ed-Tech App Privacy<\/h3>\n
\n
Stay Tuned! Subscribe to The Mac Security Blog<\/h3>\n