Posts tagged ‘exploit’

Big Mac Attack Is A Flashback You Don’t Want!

If you’re reading this, hoping for information about how to score yourself a free cheeseburger, I’m sorry to disappoint. Nope, this is about how Apple’s Macintosh security has fallen down and gone boom. Yes, that’s right. Just in the last couple of days it has come to light that some 550,000 Apple Macintosh computers have been turned into zombie PCs by malware that only infects Apple Macintosh computers.

The zombie virus, named Flashback, is a Mac OS specific piece of malware that exploits a security hole in Java that Apple only just patched on Tuesday. A hole that had been fixed in Windows for six weeks. Flashback infects Macintosh computers with a backdoor (BackDoor.Flashback.39) after a user is redirected to a website where JavaScript code is used to run a Java applet containing the trojan. That backdoor can then be used for just about anything, such as loading even more malware onto the infected Mac: password sniffers, banking information stealers, search hijackers, etc.

If you’re a Mac owner, you should probably be patching Java immediately. And maybe checking to see just how much malware may be on your Mac.

And to anyone who claims that a Macintosh is more secure than any other PC (Windows, Linux, or otherwise): Welcome to reality.

Apple announces record Macintosh growth over 2011.  Apple Macintosh virus infection runs amok at the start of 2012.  Coincidence?  I think not.  It’s time for Macintosh owners to start taking their security seriously.

Time To Update Again – Adobe Patches Flash Vuln

Adobe has released an update to its Flash Player that fixes a cross-site scripting vulnerability across all platforms (Windows, Linux, Macintosh, Solaris, and even Android), which is really not much of a surprise as Adobe is full of security holes and often used as an attack vector. Time to update, yet again. Vuln ident APSB11-13 is, according to Adobe, spotted being used in the great wilds of the interwebs through malicious links sent to you through email, so you really should update right away.

Adobe has only patched Flash, and only on real computers. The Android patch for Flash will come sometime this week.

Adobe claims to not have seen attacks targeting the Adobe Reader or Adobe Acrobat products (hence why they only updated Flash) but that doesn’t mean that these products aren’t also vulnerable to the same (or a related) security hole. Just that Adobe hasn’t gotten any proof that they’re being exploited in the same fashion as Flash in this case.

Blah blah blah. When it comes to Adobe, we’ve heard it all before. The specific vuln may be different, but it’s still the same old tune on a permanent loop, which is why it is critical to keep your Adobe products updated regularly.

What IS news, however, is that Adobe rushed this update out on Sunday. Their staff must have been burning the weekend oil. But as Adobe themselves even list their latest Flash patch as merely “important” and not “critical”, one has to ask: Why?

Could Sony’s current woes have put everyone on heightened security?

Well, whatever the case, CVE-2011-2107 is worth checking out. Update now, while supplies last.  ;)

Oh, and as always, don’t open stuff from emails that you aren’t sure of!

Same $#!7, Different Day – Yet More Insecurity Abounds

The problem with computers and smart devices is that they’re just too complex to ever be 100% secure.  You can try all you like, but ultimately, the code itself will let you down.

We start off with an attack reminiscent of the recent Firefox 0-day vuln exploited on the Nobel Peace Prize website. Only this time it’s, you guessed it, Microsoft Internet Explorer … and can be found on Amnesty International’s Hong Kong website.  Unlike Firefox’s security hole that was fixed in a day, however, this IE zero-day vulnerability was actually discovered a week ago and has now moved on to a bigger target.  Making it a, what, one-week vuln?  Either way, Microsoft Internet Explorer 6 and 7 are vulnerable to the exploit.  The exploit, however, doesn’t work against IE 8 because of Data Execution Prevention (DEP).  For those of you still using IE6, what the heck are you even thinking? Bad dog!  Naughty!  Go sit in the corner!  But for IE 6 and 7 users who want the protection of DEP, which should protect you from this 0-day vuln, find out more about Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) and get it here.

Don’t think that’s the only infection on the Amnesty International website, however.  It’s also infected with attacks on Adobe’s Flash and Shockwave player and Apple’s QuickTime media player.  He hates these cans.  Stay away from the cans!

Next on the chopping block would be Apple’s Mac OS X Leopard, haunted by the ghost of jailbreaking past.  The security hole in iOS which allowed the JailbreakMe 2.0 software to work on your iPhone, at least until Apple patched it, was also in Mac OS X.  And while Apple also later plugged that security hole in the latest versions of Mac OS X, they have not yet patched Leopard and older versions of the Mac OS, leaving those older users still vulnerable to this exploit.  According to Core Security Technologies and their CoreLabs Research advisory, Apple is basically just sitting on the fix, not releasing it.  “According to information provided to us by Apple, a patch for this fix has already been developed. Apple provided us a release date for this patch in two opportunities but then failed to meet their own deadlines without giving us any notice or explanation.”

And since we’ve jumped over to smartphones now, let’s visit our last security hole over on good old Google Android.  Phones based on Android have a new threat, a bug which allows attackers to sneak any installs they want into a legitimate install.  A proof-of-concept app on the Android Market (until Google yanked it at least) was disguised as an expansion to the Angry Birds game.  The hack piggybacked on the legitimate sanctioned install to further add apps that could transmit data to a remote server, view the phone’s contacts and location information, and even gain full control of the phone’s SMS functionality which could be used to spam people at will.  All without the phone’s user having any clue that these were installed by abusing flaws in Android’s token system.  And that was just to prove that it could be done.  Imagine the terror that this security hole could cause in the hands of someone truly malicious.  Google is, of course, working on a fix.  And Google’s sage advice for avoiding being hacked?  “As always, we advise users to only install applications they trust.”  Brilliant!  Why didn’t I think of that?

So there you have it.  From new to old, computer to cell phone, Microsoft to Apple to Google, no one is safe.  Because while we all might like to think of computers as infallible, to err is human, and so, apparently, is anything human-created.  We make mistakes, even in, especially in, writing code.

Adobe – Patching Most Of Their Security Holes

Some of you faithful readers may remember that Adobe has recently had a spate of zero-day vulnerabilities exploited in the wild, rendering their software unsafe once again.  Nothing new really.  But, for those diehard Flash users and Reader fans of PDF documents, you’re in luck … for now … mostly.  Because Adobe has patched some of those nasty security holes.

The other 0-day sploit still at large, a stack overflow vuln still in the wild and hitting Windows boxes by tricking people into opening poisoned PDF documents sent around by email, is scheduled to be patched on October 4th.

So there you go.  Chances are most of you out there have to update twice, once for Flash, once for Reader.  If you use either of them, get to it!

Adobe – Bringing You Security Holes Since … Always!

Yep, it’s that time again.  Time for hackers to have found another two zero-day vulnerabilities in Adobe’s products to exploit.  First up is, of course, Adobe Flash, vulnerability CVE-2010-2884.  Now, the specifics are that in-the-wild exploitation of this security hole has only been performed on Adobe Flash Player 10.1.82.76 and earlier on Windows.  It allows crashing your PC and even potentially taking control of your PC.  Loverly.

Of course that’s the narrow view.  Technically, as of this moment, all versions of Flash and Reader and Acrobat are affected, as this hole hasn’t been closed in any of them, with any version.  So updating any of your Adobe products right now won’t help.  You’ll have to wait until Adobe gets around to releasing fixes.  And that means not just on Windows, but also on Macintosh, Linux, UNIX, Solaris, and even Android!  It’s just that no one has actually seen any hackers using it against anything but Flash on Windows.

It is suggested that you turn off Flash in the meantime, such as by using the NoScript plugin with Firefox.  Since so many websites like YouTube, Gmail, etc. use Flash it could very well be impossible to simply turn off scripting altogether in your browser, which is where plugins like NoScript come in handy as they will allow you to whitelist trusted websites while blocking Flash everywhere else.

The second 0-day exploit attacks Adobe Reader 9.3.4 and earlier versions with a poisoned PDF document.  That gives it equal potential to hit Windows, Mac OS X, Linux, UNIX, etc.  It is most commonly distributed via email.  So, once again, really just don’t open attachments that you weren’t expecting.

This security hole manages to bypass Microsoft’s security features such as Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP), so don’t think you’re safe just because you have the latest version of Windows.  (Ha ha.  Yes.  Very funny, I know.)

Adobe seems to think that one of these days, when they get around to finishing up their “sandbox” feature, they won’t be vulnerable to these types of attacks anymore because from then on your operating system is separated from their applications by an abstraction layer.  We’ll see.

It’s theoretically possible that alternative PDF viewers might be safe from this vuln.  But then again, if they reverse engineered the same hole, they just might not be.

So there you go, once again Adobe shines through … the holes in your computer’s (and now smartphone’s) security.