The Mac Security Blog

Month in Review, Part 2: Vulnerabilities and Patches

This article continues our Month in Review coverage. If you missed it, see also Part 1: Database Breaches, Compromised Passwords.

When it comes to computer security news, the past month or so has been pretty jam-packed. Following are more noteworthy security news stories you might have missed.

Multiple Adobe Updates – And Lack Thereof for Shockwave

First there was a zero-day vulnerability in Adobe Flash Player at the end of April, prompting Adobe to release version 13.0.0.206. Then several more vulnerabilities were patched in yet another Flash update (version 13.0.0.214) two weeks ago, and on the same day Adobe fixed multiple flaws in Adobe Reader XI (releasing version 11.0.07; see Adobe’s security bulletin). If you use Flash or Reader, make sure you’ve got the latest version installed.

What you may not have heard is that Adobe Shockwave Player contains an embedded component of Flash that, according to security reporter Brian Krebs, hasn’t been patched since January 2013, and thus doesn’t include fixes for several zero-day Flash vulnerabilities. Adobe is reportedly “reviewing [its] security update process in order to mitigate risks in Shockwave Player,” but in the meantime, if you’ve got the plug-in installed and aren’t sure you need it, now would probably be a good time to uninstall it.

Windows XP Zero-day Vulnerabilities

We’ve previously covered the end of Windows XP’s support lifecycle, noting that Mac users should take the opportunity to upgrade Windows in their VMware/Parallels/VirtualBox virtual machines or Boot Camp partitions, and that it may even be a good opportunity for some PC users to switch to Apple.

Since Microsoft officially ended support for the nearly 13-year-old desktop operating system in mid-April, new vulnerabilities affecting Windows XP have come to light.

The first was a zero-day remote code execution vulnerability (CVE-2014-1776) affecting Internet Explorer versions from IE 6 all the way through the current IE 11. Microsoft begrudgingly patched this vulnerability for Windows XP users on May 1st. The updates can be downloaded from Microsoft’s site.

Included amongst May’s second-Tuesday patches on May 13th was a security update fixing two remote code execution vulnerabilities (CVE-2014-0310 and CVE-2014-1815) for IE 6 through 11. In this case, however, Microsoft opted not to patch the issues for Windows XP’s versions of Internet Explorer.

According to NIST’s National Vulnerability Database, CVE-2014-1815 has already been exploited in the wild. And since Microsoft has no plans to patch any more vulnerabilities for XP, this seems to be among the first of many “perpetual zero-days”—that is, vulnerabilities in Windows XP that have been exploited in the wild and will never be patched by Microsoft.

If you have Windows XP on your Mac, or if you know someone who still has an old PC running XP, you can mitigate this issue to some degree by setting Chrome or Firefox as the default browser and making sure the user knows not to use Internet Explorer anymore. However, more vulnerabilities affecting XP will continue to be discovered, so the better solutions would be to upgrade to a supported version of Windows or replace old computers that are still running XP.

iOS 7.1.1 Reportedly Not Encrypting E-mail Attachments

German researcher Andreas Kurtz noticed that in iOS 7, the Mail app apparently doesn’t encrypt e-mail attachments. Kurtz claims to have been able to access any IMAP, POP, and ActiveSync account’s e-mail attachments on his iPhone 4 even after upgrading to iOS 7.1.1, the current version as of this writing.

This revelation is significant because Apple specifically claims, “When you use a passcode, it automatically encrypts and protects your email and third-party apps.”

According to iMore’s Rene Ritchie, newer iOS devices should be relatively safe due to the lack of a working and publicly available jailbreak for iOS 7.1 on anything other than the iPhone 4. Ritchie indicates that an attacker with physical access to a victim’s iPhone 4 would need to either know, guess, or brute-force the victim’s passcode, or jailbreak the device, in order to access unencrypted attachments.

Of course, if an attacker already knew or could easily guess your password, or if you have no passcode at all, then anyone could get into your device and see all your e-mail attachments anyway, not to mention having complete access to everything on your device.

If you’ve got an iPhone 4 and you’re concerned about this issue, an Apple spokesperson told CNET that a fix is in the works, although no specific timeframe has been announced.

Multiple Apple Updates

In the past two weeks, Apple released several Mac updates:

• OS X Mavericks version 10.9.3
• iTunes 11.2 and then 11.2.1
• OS X Server 3.1.2 (which fixes a Ruby vulnerability)
• Safari 6.1.4 and 7.0.4

See our previous coverage, and patch your Macs as necessary (as well as Windows PCs with iTunes).

Heartbleed Still Affects 300,000 Servers

Back in April, the Heartbleed OpenSSL vulnerability became public knowledge. If you missed it, be sure to read our previous coverage for details about the vulnerability and how it affects you (in short: there’s a pretty good chance that you may need to change some of your online account passwords):

• Heartbleed OpenSSL bug: FAQ for Mac and iOS users
• Heartbleed Threat Alert Update

On May 8th, about a month after the Heartbleed problem became widely known, security veteran Robert Graham scanned the Internet, probing port 443, to find out how many HTTPS servers were still vulnerable. He found that the number of Heartbleed-affected servers had dropped by half, from 600,000 to 300,000 servers, since his first scan a month earlier.

Although it’s great that the number of affected servers has decreased substantially, it’s also rather disconcerting that such a high number of servers are still affected.

Graham points out that he did not scan other common SSL ports, such as those used for e-mail; Simple Mail Transfer Protocol (SMTP) and Internet Message Access Protocol (IMAP) e-mail servers that rely on OpenSSL may also be affected by Heartbleed.

If you’re still concerned about how Heartbleed might have impacted you, I’ve compiled lists of some major sites that were confirmed to be affected by Heartbleed or were likely affected given available evidence. Although certainly not comprehensive, these lists include some original research of my own that hasn’t been published anywhere else. I’ve also included links to several sites that you can use to check the Heartbleed status of servers you access, including Secure IMAP and SMTP servers.
