Apple lets some Big Sur network traffic bypass firewalls

A somewhat cartoonish diagram illustrates issues with a firewall.

Patrick Wardle

Firewalls aren’t just for corporate networks. Large numbers of security- or privacy-conscious people also use them to filter or redirect traffic flowing in and out of their computers. Apple recently made a major change to macOS that frustrates these efforts.

Beginning with macOS Catalina released last year, Apple added a list of 50 Apple-specific apps and processes that were to be exempted from firewalls like Little Snitch and Lulu. The undocumented exemption, which didn’t take effect until firewalls were rewritten to implement changes in Big Sur, first came to light in October. Patrick Wardle, a security researcher at Mac and iOS enterprise developer Jamf, further documented the new behavior over the weekend.

“100% blind”

To demonstrate the risks that come with this move, Wardle—a former hacker for the NSA—demonstrated how malware developers could exploit the change to make an end-run around a tried-and-true security measure. He set Lulu and Little Snitch to block all outgoing traffic on a Mac running Big Sur and then ran a small programming script that had exploit code interact with one of the apps that Apple exempted. The python script had no trouble reaching a command and control server he set up to simulate one commonly used by malware to exfiltrate sensitive data.

“It kindly asked (coerced?) one of the trusted Apple items to generate network traffic to an attacker-controlled server and could (ab)use this to exfiltrate files,” Wardle, referring to the script, told me. “Basically, ‘Hey, Mr. Apple Item, can you please send this file to Patrick’s remote server?’ And it would kindly agree. And since the traffic was coming from the trusted item, it would never be routed through the firewall… meaning the firewall is 100% blind.”

Wardle tweeted a portion of a bug report he submitted to Apple during the Big Sur beta phase. It specifically warns that “essential security tools such as firewalls are ineffective” under the change.

Apple has yet to explain the reason behind the change. Firewall misconfigurations are often the source of software not working properly. One possibility is that Apple implemented the move to reduce the number of support requests it receives and make the Mac experience better for people not schooled in setting up effective firewall rules. It’s not unusual for firewalls to exempt their own traffic. Apple may be applying the same rationale.

But the inability to override the settings violates a core tenet that people ought to be able to selectively restrict traffic flowing from their own computers. In the event that a Mac does become infected, the change also gives hackers a way to bypass what for many is an effective mitigation against such attacks.

“The issue I see is that it opens the door for doing exactly what Patrick demoed… malware authors can use this to sneak data around a firewall,” Thomas Reed, director of Mac and mobile offerings at security firm Malwarebytes, said. “Plus, there’s always the potential that someone may have a legitimate need to block some Apple traffic for some reason, but this takes away that ability without using some kind of hardware network filter outside the Mac.”

People who want to know what apps and processes are exempt can open the macOS terminal and enter sudo defaults read /System/Library/Frameworks/NetworkExtension.framework/Resources/Info.plist ContentFilterExclusionList.

NKEs

The change came as Apple deprecated macOS kernel extensions, which software developers used to make apps interact directly with the OS. The deprecation included NKEs—short for network kernel extensions—that third-party firewall products used to monitor incoming and outgoing traffic.

In place of NKEs, Apple introduced a new user-mode framework called the Network Extension Framework. To run on Big Sur, all third-party firewalls that used NKEs had to be rewritten to use the new framework.

Apple representatives didn’t respond to emailed questions about this change. This post will be updated if they respond later. In the meantime, people who want to override this new exemption will have to find alternatives. As Reed noted above, one option is to rely on a network filter that runs from outside their Mac. Another possibility is to rely on PF, or Packet Filter firewall built into macOS.

The security consequences of massive change in how we work

Organizations underwent an unprecedented IT change this year amid a massive shift to remote work, accelerating adoption of cloud technology, Duo Security reveals.

security consequences work

The security implications of this transition will reverberate for years to come, as the hybrid workplace demands the workforce to be secure, connected and productive from anywhere.

The report details how organizations, with a mandate to rapidly transition their entire workforce to remote, turned to remote access technologies such as VPN and RDP, among numerous other efforts.

As a result, authentication activity to these technologies swelled 60%. A complementary survey recently found that 96% of organizations made cybersecurity policy changes during the COVID-19, with more than half implementing MFA.

Cloud adoption also accelerated

Daily authentications to cloud applications surged 40% during the first few months of the pandemic, the bulk of which came from enterprise and mid-sized organizations looking to ensure secure access to various cloud services.

As organizations scrambled to acquire the requisite equipment to support remote work, employees relied on personal or unmanaged devices in the interim. Consequently, blocked access attempts due to out-of-date devices skyrocketed 90% in March. That figure fell precipitously in April, indicating healthier devices and decreased risk of breach due to malware.

“As the pandemic began, the priority for many organizations was keeping the lights on and accepting risk in order to accomplish this end,” said Dave Lewis, Global Advisory CISO, Duo Security at Cisco. “Attention has now turned towards lessening risk by implementing a more mature and modern security approach that accounts for a traditional corporate perimeter that has been completely upended.”

Additional report findings

So long, SMS – The prevalence of SIM-swapping attacks has driven organizations to strengthen their authentication schemes. Year-over-year, the percentage of organizations that enforce a policy to disallow SMS authentication nearly doubled from 8.7% to 16.1%.

Biometrics booming – Biometrics are nearly ubiquitous across enterprise users, paving the way for a passwordless future. Eighty percent of mobile devices used for work have biometrics configured, up 12% the past five years.

Cloud apps on pace to pass on-premises apps – Use of cloud apps are on pace to surpass use of on-premises apps by next year, accelerated by the shift to remote work. Cloud applications make up 13.2% of total authentications, a 5.4% increase year-over-year, while on-premises applications encompass 18.5% of total authentications, down 1.5% since last year.

Apple devices 3.5 times more likely to update quickly vs. Android – Ecosystem differences have security consequences. On June 1, Apple iOS and Android both issued software updates to patch critical vulnerabilities in their respective operating systems.

iOS devices were 3.5 times more likely to be updated within 30 days of a security update or patch, compared to Android.

Windows 7 lingers in healthcare despite security risks – More than 30% of Windows devices in healthcare organizations still run Windows 7, despite end-of-life status, compared with 10% of organizations across Duo’s customer base.

Healthcare providers are often unable to update deprecated operating systems due to compliance requirements and restrictive terms and conditions of third-party software vendors.

Windows devices, Chrome browser dominate business IT – Windows continues its dominance in the enterprise, accounting for 59% of devices used to access protected applications, followed by macOS at 23%. Overall, mobile devices account for 15% of corporate access (iOS: 11.4%, Android: 3.7%).

On the browser side, Chrome is king with 44% of total browser authentications, resulting in stronger security hygiene overall for organizations.

UK and EU trail US in securing cloud – United Kingdom and European Union-based organizations trail US-based enterprises in user authentications to cloud applications, signaling less cloud use overall or a larger share of applications not protected by MFA.

Nmap 7.90 released: New fingerprints, NSE scripts, and Npcap 1.0.0

Over a year has passed since Nmap had last been updated, but this weekend Gordon “Fyodor” Lyon announced Nmap 7.90.

Nmap 7.90

About Nmap

Nmap is a widely used free and open-source network scanner.

The utility is used for network inventorying, port scanning, managing service upgrade schedules, monitoring host or service uptime, etc.

It works on most operating systems: Linux, Windows, macOS, Solaris, and BSD.

Nmap 7.90

First and foremost, Nmap 7.90 comes with Npcap 1.0.0, the first completely stable version of the raw packet capturing/sending driver for Windows.

Prior to Npcap, Nmap used Winpcap, but the driver hasn’t been updated since 2013, didn’t always work on Windows 10, and depended on long-deprecated Windows APIs.

“While we created Npcap for Nmap, it turns out that many other projects and companies had the same need. Wireshark switched to Npcap with their big 3.0.0 release last February, and Microsoft publicly recommends Npcap for their Azure ATP (Advanced Threat Protection) product,” Lyon explained.

“We introduced the Npcap OEM program allowing companies to license Npcap OEM for use within their products or for company-internal use with commercial support and deployment automation. This project that was expected to be a drain on our resources (but worthwhile since it makes Nmap so much better) is now helping to fund the Nmap project. The Npcap OEM program has also helped ensure Npcap’s stability by deploying it on some of the fastest networks at some of the largest enterprises in the world.”

Nmap 7.90 also comes with:

  • New fingerprints for better OS and service/version detection
  • 3 new NSE scripts, new protocol libraries and payloads for host discovery, port scanning and version detection
  • 70+ smaller bug fixes and improvements
  • Build system upgrades and code quality improvements

“We also created a special ‘Nmap OEM Edition’ for the companies who license Nmap to handle host discovery within their products. We have been selling such licenses for more than 20 years and it’s about time OEM’s have an installer more customized to their needs,” Lyon added.

Apple-notarized malware foils macOS defenses

Shlayer adware creators have found a way to get their malicious payload notarized by Apple, allowing it to bypass anti-malware checks performed by macOS before installing any software.

What is Apple Notarization?

Apple uses a number of technologies to prevent malware from being offered for download on the App Store and from being run on Apple-developed devices:

  • App Review: Apps are reviewed by Apple before being published on the App Store, and have to comply with specific guidelines to get accepted
  • Code Signing: Developers sign their apps with a developer certificate issued by Apple to assure users that it is from a known source and the app hasn’t been modified since it was last signed. The macOS Gatekeeper verifies the developer certificate and checks the known-malware list when the application is first opened, and blocks the app from running if its known malware or if it doesn’t recognize the developer (certificate)
  • Notarization: An automated check that scans software for malicious content and checks for code-signing issues. If the package passes the check, it gets a ticket that proves notarization has been successful and the ticket “tells” Gatekeeper that Apple notarized the software, i.e., that is effectively safe to run it.

Apple Notarization is a relatively new security mechanism that, in theory, should detect malicious software and prevent it from being installed on a macOS system. But, as it turns out, it’s not foolproof.

Notarized macOS malware

The first known instance of notarized macOS malware was discovered last week, by a college student who noticed that people who want to download Homebrew (downloadable from brew.sh) and make the mistake of entering the wrong URL (homebrew.sh) are getting served with a warning saying their Adobe Flash Player is out of date and offering an update for download.

Security researcher Patrick Wardle analyzed the served package and confirmed that it is not, in fact, an update, but a notarized version of the macOS Shlayer adware, which doesn’t get detected as malicious by Gatekeeper.

notarized macOS malware

This particular variant of this common adware would be detected by various third-party antivirus applications, but there are still many macOS users that don’t run one as they believe that Macs can’t get malware.

How is this possible?

“We’re still not exactly sure what the Shlayer folks did to get their malware notarized, but increasingly, it’s looking like they did nothing at all,” said Apple security expert Thomas Reed, who compared the code of the notarized and that of an older (not notarized) Shlayer sample and spotted minor changes.

“It’s entirely possible that something in this code, somewhere, was modified to break any detection that Apple might have had for this adware. Without knowing how (if?) Apple was detecting the older sample, it would be quite difficult to identify whether any changes were made to the notarized sample that would break that detection,” he pointed out.

“This leaves us facing two distinct possibilities, neither of which is particularly appealing. Either Apple was able to detect Shlayer as part of the notarization process, but breaking that detection was trivial, or Apple had nothing in the notarization process to detect Shlayer, which has been around for a couple years at this point.”

Wardle notified Apple about the notarized Shlayer adware on August 28 and they revoked the used notarization certificates immediately. Two days later, though, the adware delivery campaign was still going strong: it was serving another Shlayer sample that had been notarized with another Apple Developer ID.

“The attackers’ ability to agilely continue their attack (with other notarized payloads) is noteworthy. Clearly in the never ending cat & mouse game between the attackers and Apple, the attackers are currently (still) winning,” Wardle commented.

Reed pointed out that notarizing malicious software is just one of the ways adware distributors are trying to bypass macOS and user defenses.

“We’re seeing quite a few cases where malware authors have stopped signing their software, and have instead been shipping it with instructions to the user on how to run it,” he explained.

“The malware comes on a disk image (.dmg) file with a custom background. That background image shows instructions for opening the software, which is neither signed nor notarized.”

AweSun update supports macOS to accelerate the progress of building connections from anywhere

AweRay, an international remote desktop service provider, released AweSun updated version which supports macOS in the US and worldwide. Since its initial launch, AweSun solutions for remote desktop have already covered Windows, iOS and Android devices.

And now, its support for macOS comprehensively achieve the goal of cross-platform connections. The technology firm is dedicated to achieve their work ambition: make connections anywhere, anytime.

AweSun Remote Desktop enables people to connect to remote work computer, from home laptop, iPad or iPhone. It facilitates remote access to any device as if users were right in front of them. As the most affordable remote desktop solution on the market, AweSun offers free yet powerful features which users expect to find in other paid software.

Including all the features the Free Version provides, the upgraded Pro Version enables users to perform Remote CMD and access to the remote camera. IT professionals and experts can get more convenience from the enhanced features.

AweSun Game Version, which attracts much attention, makes the software stand out among its competitors. The Game Version enables users to customize a gaming keyboard on the mobile device. Users can therefore freely play favourite PC games on their phones.

As a remote access service provider, AweSun is deeply aware that our users pose great emphasis on security and privacy. Out of security concern, AweSun adopts a two-factor authentication with RSA/AES (256-bit) encryption method to ensure a secure line. Privacy security is AweSun’s priority.

Meanwhile, AweSun has never stopped continuously updating and developing products. In March, 2020, AweSun launched the AweSun Client app installed for mobile devices. The app offers a great solution for users who want to assist their family, friends, or clients with phone setup, app installation, or troubleshooting.

In June, 2020, AweSun for Windows 1.5 provides users with a series of new features and upgrades, including two-way audio, dual-authentication access to optimize remote connection.

Maybe that’s one of the reasons that AweSun received many thanks letters this year. Remote work is not an experimental trail or an ideal concept today. Technology firms like AweSun are making smart tools for all.

During recent work from home wave, the surge in the number of users is obvious and “many users expressed their gratitude to AweSun for providing a free and practical tool that help them quickly adapt to remote work,” said Joseph Chan, CEO of AweRay Limited.

The release of AweSun for macOS strengthens AweSun’s position in the market as the most reliable and most affordable remote desktop solution available. Multi-platform remote connection offers our customers a more effective user experience. As AweRay’s vision goes, empowering everyone with the tools they need to do great work and have great fun.

New EvilQuest macOS ransomware is a smokescreen for other threats

A new piece of ransomware dubbed EvilQuest is being delivered bundled up with pirated versions of popular macOS software, researchers warned.

But the ransomware is also a smokescreen, as its “noisiness” is meant to hide other things happening on the system in the background: the installation of a keylogger and a reverse shell, and the exfiltration of files that contain valuable information (keys to cryptocurrency wallets, code-signing certificates, and more).

About EvilQuest

First spotted in late June, the EvilQuest macOS ransomware has now been analyzed by a slew of threat researchers.

Dinesh_Devadoss , a malware researcher with K7 Lab, spotted the ransomware impersonating the Google Software Update program. Thomas Reed, Director of Mac & Mobile at Malwarebytes, found it on popular torrent sites, injected in installers wrapping pirated versions of popular macOS software such as Little Snitch, Ableton Live, and Mixed in Key.

Patrick Wardle, Principal Security Researcher at Jamf and creator of many security tools for Macs, confirmed that the malware has capabilities beyond encrypting files and asking for a (small) ransom.

EvilQuest macOS ransomware

The malware is able to see whether its running in a virtual machine, whether there are security and antivirus solutions running on the system, and to implement several persistence tricks.

In some cases, the malware turned out to be too buggy to run properly, but when it does, it encrypts random files and shows the ransom note.

The fact that the note contains no contact information for victims to get in touch with the attacker once they pay the ransom made researchers believe that this might be just a smokescreen.

They subsequently discovered they were right: aside from the ransomware component, the malicious installers also download a keylogger and open a reverse shell on the target computer, so that the attacker can continue to access it and steal sensitive information users enter with the keyboard.

Finally, the malware attempts to exfiltrate files with a variety of extensions:

EvilQuest macOS ransomware

Prevention and remediation

A variety of macOS antimalware solutions now detect this malware and remove it. Wardle’s RansomWhere? utility detects and stops malicious encryption processes.

For those who got infected, the danger is great: they might lose important files if they don’t have separate backups (there is no indication that the files can be decrypted or that the attacker means to decrypt them even if the victim pays the ransom), but they have also lost control of sensitive information contained in exfiltrated files, and may end up losing control of accounts, cryptocurrency wallets, etc.

Microsoft is adding Linux, Android, and firmware protections to Windows

Screenshot of antivirus protection.

Microsoft is moving forward with its promise to extend enterprise security protections to non-Windows platforms with the general release of a Linux version and a preview of one for Android. The software maker is also beefing up Windows security protections to scan for malicious firmware.

The Linux and Android moves—detailed in posts published on Tuesday here, here, and here—follow a move last year to ship antivirus protections to macOS. Microsoft disclosed the firmware feature last week.

Premium pricing

All the new protections are available to users of Microsoft Advanced Threat Protection and require Windows 10 Enterprise Edition. Public pricing from Microsoft is either non-existent or difficult to find, but according to this site, costs range from $30 to $72 per machine per year to enterprise customers.

In February, when the Linux preview became available, Microsoft said it included antivirus alerts and “preventive capabilities.” Using a command line, admins can manage user machines, initiate and configure antivirus scans, monitor network events, and manage various threats.

“We are just at the beginning of our Linux journey and we are not stopping here!” Tuesday’s post announcing the Linux general availability said. “We are committed to continuous expansion of our capabilities for Linux and will be bringing you enhancements in the coming months.”

The Android preview, meanwhile, provides several protections, including:

  • The blocking of phishing sites and other high-risk domains and URLs accessed through SMS/text, WhatsApp, email, browsers, and other apps. The features use the same Microsoft Defender SmartScreen services that are already available for Windows so that decisions to block suspicious sites will apply across all devices on a network.
  • Proactive scanning for malicious or potentially unwanted applications and files that may be downloaded to a mobile device.
  • Measures to block access to network resources when devices show signs of being compromised with malicious apps or malware.
  • Integration to the same Microsoft Defender Security Center that’s already available for Windows, macOS, and Linux.

Last week, Microsoft said it had added firmware protection to the premium Microsoft Defender. The new offering scans Unified Extensible Firmware Interface, which is the successor to the traditional BIOS that most computers used during the boot process to locate and enumerate hardware installed.

The firmware scanner uses a new component added to virus protection already built into Defender. Hacks that infect firmware are particularly pernicious because they survive reinstallations of the operating system and other security measures. And because firmware runs before Windows starts, it has the ability to burrow deep into an infected system. Until now, there have been only limited ways to detect such attacks on large fleets of machines.

It makes sense that the extensions to non-Windows platforms are available only to enterprises and cost extra. I was surprised, however, that Microsoft is charging a premium for the firmware protection and only offering it to enterprises. Plenty of journalists, attorneys, and activists are equally if not more threatened by so-called evil maid attacks, in which a housekeeper or other stranger has the ability to tamper with firmware during brief physical access to a computer.

Microsoft has a strong financial incentive to make Windows secure for all users. Company representatives didn’t respond to an email asking if the firmware scanner will become more widely available.

New fuzzing tool for USB drivers uncovers bugs in Linux, macOS, Windows

With a new fuzzing tool created specifically for testing the security of USB drivers, researchers have discovered more than two dozen vulnerabilities in a variety of operating systems.

“USBFuzz discovered a total of 26 new bugs, including 16 memory bugs of high security impact in various Linux subsystems (USB core, USB sound, and network), one bug in FreeBSD, three in macOS (two resulting in an unplanned reboot and one freezing the system), and four in Windows 8 and Windows 10 (resulting in Blue Screens of Death), and one bug in the Linux USB host controller driver and another one in a USB camera driver,” Hui Peng and Mathias Payer explained.

11 of the Linux bugs have already received a patch.

Making fuzzing USB drivers easier

USBFuzz, which Peng and Payer plan to open source on GitHub in the near future, is a modular testing framework that can be used for fuzzing USB drivers in different OS kernels.

fuzzing USB drivers

Fuzzing (or fuzz testing) involves the automated inputing of invalid, unexpected, or random data into software (in this case drivers), looking how the program behaves – whether it crashes, shows memory leaks, etc. – and checking whether these behaviors can be exploited for malicious ends.

“Fuzzing device drivers is challenging due to the difficulty in providing random input from a device. Dedicated programmable hardware devices are expensive and do not scale as one device can only be used to fuzz one target. More importantly, it is challenging to automate fuzzing on real hardware due to the required physical actions (attaching and detaching the device) for each test,” the researchers explained the motivation for creating USB-Fuzz.

They wanted to make the fuzing device cost-effective, hardware-independent and able to work on different OSes and platforms.

“At its core, USB-Fuzz uses a software-emulated USB device to provide random device data to drivers (when they perform IO operations). As the emulated USB device works at the device level, porting it to other platforms is straight-forward.”

USB-Fuzz works on Linux, FreeBSD, macOS, and Windows, and can be used to perform dumb fuzzing, focused fuzzing, and coverage-guided fuzzing (where coverage collection is supported).

Apple delivers March 2020 security updates for iDevices and software

If you haven’t yet opted for automatic Apple security updates, it’s time to update your iDevices and software again.

Apple security March 2020

The lightweight Apple security updates

The security update for Xcode – an integrated development environment for macOS containing a suite of software development tools developed by Apple for developing software for macOS, iOS, iPadOS, watchOS, and tvOS – offers no details about fixed security issues.

The iCloud (1, 2) and iTunes for Windows updates contain the same fixes:

  • Three buffer overflow flaws in libxml2, a software library for parsing XML documents
  • Ten security vulnerabilities in the WebKit browser engine, six of which could lead to arbitrary code execution if maliciously crafted web content is processed.

The tvOS update contains all those fixes, plus patches for a few kernel flaws, several vulnerabilities that could allow a malicious application to execute arbitrary code with system privileges, and one vulnerability stemming from poor handling of icon<</strong> caches that could be exploited by a malicious application to identify what other applications a user has installed.

The watchOS update also fixes that last flaw, as well as some of the three libxml2 vulnerabilities, several of the code execution flaws affecting WebKit, the kernel security holes, and a logic issue affecting Messages, which could allow a person with physical access to a locked device to respond to messages even when replies are disabled.

The heftier updates

iOS 13.4 and iPadOS 13.4 bring, among other things, fixes for:

  • The aforementioned WebKit, libxml2, kernel and Icon flaws
  • CVE-2020-9770, a logic issue that could allow an attacker in a privileged network position to intercept Bluetooth traffic
  • The aforementioned flaw affecting the privacy of Messages on a locked device
  • A flaw in Mail that could allow a local user to view deleted content in the app switcher
  • Two Safari flaws, one of which could make users grant website permissions to a site they didn’t intend to
  • A WebApp flaw that could allow a maliciously crafted page to interfere with other web contexts

Safari 13.1 delivers all the WebKit fixes and plugs a hole that could allow a malicious iframe to use another website’s download settings. (With Safari 13.1, Apple also started blocking third-party cookies.)

The macOS security updates (macOS Catalina 10.15.4, Security Update 2020-002 Mojave, Security Update 2020-002 High Sierra) fix a wider variety of flaws, including:

  • Those already mentioned in libxml2, kernel, icons
  • Bluetooth vulnerabilities that could allow a malicious application to read restricted memory or execute arbitrary code with kernel privileges
  • CVE-2020-9776, a flaw that could allow a malicious application to access a user’s call history
  • Several flaws that could allow an application to gain elevated privileges
  • An injection issue affecting Mail that could allow a remote attacker to cause arbitrary javascript code execution
  • A sudo issue that could allow an attacker to run commands as a non-existent user
  • CVE-2020-3906, a vulnerability that could allow a maliciously crafted application to bypass code signing enforcement.

Microsoft releases PowerShell 7 for Windows, macOS and Linux

Microsoft has released PowerShell 7, the latest major update to its popular task automation tool and configuration management framework that can be used on various operating systems.

PowerShell 7

What is PowerShell?

PowerShell was initially a Windows component, but was open-sourced in 2016 and made available for Windows, macOS and various Linux distributions.

The system utility includes a command-line shell, object-oriented scripting language, and a set of tools for executing scripts, cmdlets (specialized commands that implement specific functions) and managing modules.

PowerShell enables administrators to perform administrative tasks on both local and remote systems and network devices. Unfortunately, its capabilities are also exploited by cyber attackers, who increasingly take advantage of tools that are already deployed in the target environment.

What’s new in PowerShell 7?

Each new PowerShell version includes new cmdlets/APIs and bug fixes, but PowerShell 7 also comes with several new features:

  • Pipeline parallelization with ForEach-Object -Parallel
  • A simplified and dynamic error view and Get-Error cmdlet for easier investigation of errors
  • A compatibility layer that enables users to import modules in an implicit Windows PowerShell session
  • Automatic new version notifications
  • The ability to invoke to invoke DSC resources directly from PowerShell 7 (still experimental).
  • New operators:
    • Ternary operator: a ? b : c
    • Pipeline chain operators: || and &&
    • Null conditional operators: ?? and ??=

More details about each are available here.

“The shift from PowerShell Core 6.x to 7.0 also marks our move from .NET Core 2.x to 3.1. .NET Core 3.1 brings back a host of .NET Framework APIs (especially on Windows), enabling significantly more backwards compatibility with existing Windows PowerShell modules,” noted Joey Aiello, Program Manager at Microsoft for PowerShell Core.

“If you weren’t able to use PowerShell Core 6.x in the past because of module compatibility issues, this might be the first time you get to take advantage of some of the awesome features we already delivered since we started the Core project!”

PowerShell 7 supports a variety of operating systems on x64, including:

  • Windows 8.1 and 10
  • Windows Server 2012, 2012 R2, 2016, and 2019
  • macOS 10.13+
  • Red Hat Enterprise Linux (RHEL) / CentOS 7
  • Fedora 30+
  • Debian 9
  • Ubuntu LTS 16.04+
  • Alpine Linux 3.8+.

“Additionally, we support ARM32 and ARM64 flavors of Debian and Ubuntu, as well as ARM64 Alpine Linux,” Aiello pointed out and added that, while not officially supported, the community has also provided packages for Arch and Kali Linux.

Finally, he announced that Microsoft will be releasing a new version of the tool on an annual basis.

Critical RCE flaw in OpenSMTPD, patch available

Qualys researchers have discovered a critical vulnerability (CVE-2020-7247) in OpenBSD’s OpenSMTPD mail server, which can allow attackers to execute arbitrary shell commands on the underlying system as root.

CVE-2020-7247

“We developed a simple proof of concept and successfully tested it against OpenBSD 6.6 (the current release) and Debian testing (Bullseye); other versions and distributions may be exploitable,” they noted in the accompanying security advisory.

What is OpenSMTPD?

OpenSMTPD is an open source implementation of the Simple Mail Transfer Protocol. It is developed as part of the OpenBSD project.

Its portable version can run on many other operating systems, such as FreeBSD, NetBSD, DragonFlyBSD, Mac OS X, and various Linux distributions. OpenSMTPD has also been incorporated in some of them.

About CVE-2020-7247

CVE-2020-7247 has been found in OpenSMTPD’s smtp_mailaddr() function, which is responsible for validating sender and recipient mail addresses.

The vulnerability can be exploited by sending to a vulnerable server a specially crafted SMTP message.

Qualys researchers were able to overcome certain exploitation limitations by using a technique from the Morris Worm, one of the first computer worms distributed via the Internet, to make sure the body of the email they sent is executed as a shell script.

“This vulnerability is exploitable since May 2018 and allows an attacker to execute arbitrary shell commands as root: either locally, in OpenSMTPD’s default configuration (which listens on the loopback interface and only accepts mail from localhost); or locally and remotely, in OpenSMTPD’s ‘uncommented’ default configuration (which listens on all interfaces and accepts external mail),” the researchers explained.

Patch available

The flaw has been responsibly disclosed to OpenSMTPD developers, who have released a patch for OpenBSD. A portable versions of the implementation (OpenSMTPD 6.6.2p1) has also been made available.

They did not say which versions of OpenSMTPD are affected, but promised to provide more details about the flaw “when things settle down”.

Hopefully the fix will be propagated into affected OS distributions soon, as the bug is being already debated online and Qualys’s advisory is pretty on point.

Apple releases macOS Catalina 10.15.2, iOS, and iPadOS 13.3

The 2019 16-inch MacBook Pro with the lid closed

Enlarge / The 2019 16-inch MacBook Pro.
Samuel Axon

As has become a custom, Apple has simultaneously released software updates for nearly its entire suite of consumer products today—including iOS 13.3, iPadOS 13.3, macOS Catalina 10.15.2, watchOS 6.1.1, tvOS 13.3—and an update for HomePods. All updates should be available to all users by the end of the day.

iOS 13.3 and iPadOS 13.3 together make for arguably the most notable update. They introduce yet another feature that was originally pitched by Apple as part of iOS 13 but was delayed before that annual update’s release this September: Communication Limits in ScreenTime. Parents can now whitelist contacts for their kids’ accounts, which allows them to block their kids from communicating with anyone outside the list on Apple-made apps like Messages and FaceTime, with exceptions for emergency calls and services like 911.

These two updates also introduce new layouts for certain publications in Apple News+, adds a new interface for liking or disliking stories in News, and expands on the news options and coverage in the Stocks app.

macOS Catalina 10.15.2 gets most of these same News and Stocks features, plus the restoration of the column browser view in Apple Music and the addition of Apple Remote app support for the Music and TV apps on Macs.

Additionally, tvOS 13.3 is a somewhat notable update for recent Apple TV streaming boxes. It includes a slight homescreen redesign for video previews as well as a change to the top shelf of content visible on that screen. Whereas it previously showed you the next items in your TV app queue while that app was selected, it will now recommend new content there by displaying trailers and previews. However, an option has been adding to settings to let you switch back to the old way.

Today’s HomePod update improves voice recognition for family members and “allows individual family members to enable/disable personal requests.” watchOS 6.1.1 is a minor update that contains unspecified bug fixes and optimizations. Apple also released a security update for watchOS 5 for users who do not have an iPhone capable of running iOS 13, as watchOS 6 requires the latest iPhone software.

All of the updates today also have a plethora of bug fixes and security updates for their respective platforms, which you can find in Apple’s release notes below.

iOS and iPadOS 13.3 release notes

iOS 13.3 includes improvements, bug fixes, and additional parental controls for Screen Time.

Screen Time

  • New parental controls provide more communication limits over who their children can call, FaceTime, or Message
  • Contact list for children lets parents manage the contacts that appear on their children’s devices

Apple News

  • New layout for Apple News+ stories from The Wall Street Journal and other leading newspapers
  • Easily like or dislike stories with a tap

Stocks

  • Stories from Apple News are now available in Canada in English and French
  • Continue reading with links to related stories or more stories from the same publication
  • Breaking and Developing labels for Top Stories

This update also includes bug fixes and other improvements. This update:

  • Enables the creation of a new video clip when trimming a video in Photos
  • Adds support for NFC, USB, and Lightning FIDO2-compliant security keys in Safari
  • Fixes issues in Mail that may prevent downloading new messages
  • Addresses an issue that prevented deleting messages in Gmail accounts
  • Resolves issues that could cause incorrect characters to display in messages and duplication of sent messages in Exchange accounts
  • Fixes an issue where the cursor may not move after long-pressing on the space bar
  • Addresses an issue that may cause screenshots to appear blurry when sent via Messages
  • Resolves an issue where cropping or using Markup on screenshots may not save to Photos
  • Fixes an issue where Voice Memos recordings may not be able to be shared with other audio apps
  • Addresses an issue where the missed call badge on the Phone app may not clear
  • Resolves an issue where the Cellular Data setting may incorrectly show as off
  • Fixes an issue that prevented turning off Dark Mode when Smart Invert was enabled
  • Addresses an issue where some wireless chargers may charge more slowly than expected

Newly discovered Mac malware uses “fileless” technique to remain stealthy

Newly discovered Mac malware uses “fileless” technique to remain stealthy

Hackers believed to be working for the North Korean government have upped their game with a recently discovered Mac trojan that uses in-memory execution to remain stealthy.

In-memory execution, also known as fileless infection, never writes anything to a computer hard drive. Instead, it loads malicious code directly into memory and executes it from there. The technique is an effective way to evade antivirus protection because there’s no file to be analyzed or flagged as suspicious.

In-memory infections were once the sole province of state-sponsored attackers. By 2017, more advanced financially motivated hackers had adopted the technique. It has become increasingly common since then.

The malware isn’t entirely fileless. The first stage poses as a cryptocurrency app with the file name UnionCryptoTrader.dmg. When it first came to light earlier this week, only two out of 57 antivirus products detected it as suspicious. On Friday, according to VirusTotal, detection had only modestly improved, with 17 of 57 products flagging it.

Once executed, the file uses a post-installation binary that, according to a detailed analysis by Patrick Wardle, a Mac security expert at enterprise Mac software provider Jamf, can do the following:

  • move a hidden plist (.vip.unioncrypto.plist) from the application’s Resources directory into /Library/LaunchDaemons
  • set it to be owned by root
  • create a /Library/UnionCrypto directory
  • move a hidden binary (.unioncryptoupdater) from the application’s Resources directory into /Library/UnionCrypto/
  • set it to be executable
  • execute this binary (/Library/UnionCrypto/unioncryptoupdater)

The result is a malicious binary named unioncryptoupdated that runs as root and has “persistence,” meaning it survives reboots to ensure it runs constantly.

Wardle said that the installation of a launch daemon whose plist and binary are stored hidden in an application’s resource directory is a technique that matches Lazarus, the name many researchers and intelligence officers use for a North Korean hacking group. Another piece of Mac malware, dubbed AppleJeus, did the same thing.

Another trait that’s consistent with North Korean involvement is the interest in cryptocurrencies. As the US Department of Treasury reported in September, industry groups have unearthed evidence that North Korean hackers have siphoned hundreds of millions of dollars’ worth of cryptocurrencies from exchanges in an attempt to fund the country’s nuclear weapons development programs.

Begin in-memory infection

It is around this point in the infection chain that the fileless execution starts. The infected Mac begins contacting a server at hxxps://unioncrypto[.]vip/update to check for a second-stage payload. If one is available, the malware downloads and decrypts it and then uses macOS programming interfaces to create what’s known as an object file image. The image allows the malicious payload to run in memory without ever touching the hard drive of the infected Mac.

“As the layout of an in-memory process image is different from its on disk-in image, one cannot simply copy a file into memory and directly execute it,” Wardle wrote. “Instead, one must invoke APIs such as NSCreateObjectFileImageFromMemory and NSLinkModule (which take care of preparing the in-memory mapping and linking).”

Wardle was unable to obtain a copy of the second-stage payload, so it’s not clear what it does. Given the theme of cryptocurrency in the file and domain names—and North Korean hackers’ preoccupation with stealing digital coin—it’s a decent bet the follow-on infection is used to access wallets or similar assets.

When Wardle analyzed the malware earlier this week, the control server at hxxps://unioncrypto[.]vip/ was still online, but it was responding with a 0, which signaled to infected computers that no additional payload was available. By Friday, the domain was no longer responding to pings.

Patrick Wardle

While fileless infections are a further indication that Lazarus is growing increasingly more adept at developing stealthy malware, AppleJeus.c, as Wardle has dubbed the recently discovered malware, is still easy for alert users to detect. That’s because it’s not signed by an Apple-trusted developer, a shortcoming that causes macOS to display the warning to the right.

As is typical when applications are installed, macOS also requires users to enter their Mac password. This isn’t automatically a tip-off that something suspicious is happening, but it does prevent the first stage from being installed through drive-bys or other surreptitious methods.

It’s unlikely anyone outside of a cryptocurrency exchange would be targeted by this malware. Those who want to check can look for the existence of (1) /Library/LaunchDaemons/vip.unioncrypto.plist and (2) the running process or binary /Library/UnionCrypto/unioncryptoupdater.

Silent Mac update nukes dangerous webserver installed by Zoom

Pedestrians use crosswalk in large metropolis.

Apple said it has pushed a silent macOS update that removes the undocumented webserver that was installed by the Zoom conferencing app for Mac.

The webserver accepts connections from any device connected to the same local network, a security researcher disclosed on Monday. The server continues to run even when a Mac user uninstalls Zoom. The researcher showed how the webserver can be abused by people on the same network to force Macs to reinstall the conferencing app. Zoom issued an emergency patch on Tuesday in response to blistering criticism from security researchers and end users.

Apple on Wednesday issued an update of its own, a company representative speaking on background told Ars. The update ensures the webserver is removed—even if users have uninstalled Zoom or haven’t installed Tuesday’s update. Apple delivered the silent update automatically, meaning there was no notification or action required of end users. The update was first reported by TechCrunch.

Apple’s update causes Zoom users who click on a conference link to receive a prompt requiring them to confirm they want to join. Previously, clicking on a link—or even encountering a link hidden in a malicious website—automatically opened Zoom and put them into the conference. Zoom developers came under criticism for this behavior as well, because it had the potential to catch users off-guard and expose them to hackers.

Apple occasionally issues silent updates to block malware that’s actively circulating on the Internet. It’s less common for the company to issue silent updates that block or remove something installed by an app users installed by choice. The Apple representative said the company took this action to protect users against risks posed by the webserver. The Zoom app is installed on about 4 million Macs, researcher Jonathan Leitschuh estimated.

Representatives from Zoom didn’t respond to an email seeking comment for this post.

The clever cryptography behind Apple’s “Find My” feature

The 2018 15-inch Apple MacBook Pro with Touch Bar.

Enlarge / The 2018 15-inch Apple MacBook Pro with Touch Bar.
Samuel Axon

When Apple executive Craig Federighi described a new location-tracking feature for Apple devices at the company’s Worldwide Developer Conference keynote on Monday, it sounded—to the sufficiently paranoid, at least—like both a physical security innovation and a potential privacy disaster. But while security experts immediately wondered whether Find My would also offer a new opportunity to track unwitting users, Apple says it built the feature on a unique encryption system carefully designed to prevent exactly that sort of tracking—even by Apple itself.

In upcoming versions of iOS and macOS, the new Find My feature will broadcast Bluetooth signals from Apple devices even when they’re offline, allowing nearby Apple devices to relay their location to the cloud. That should help you locate your stolen laptop even when it’s sleeping in a thief’s bag. And it turns out that Apple’s elaborate encryption scheme is also designed not only to prevent interlopers from identifying or tracking an iDevice from its Bluetooth signal, but also to keep Apple itself from learning device locations, even as it allows you to pinpoint yours.

“Now what’s amazing is that this whole interaction is end-to-end encrypted and anonymous,” Federighi said at the WWDC keynote. “It uses just tiny bits of data that piggyback on existing network traffic so there’s no need to worry about your battery life, your data usage, or your privacy.”

In a background phone call with WIRED following its keynote, Apple broke down that privacy element, explaining how its “encrypted and anonymous” system avoids leaking your location data willy nilly, even as your devices broadcast a Bluetooth signal explicitly designed to let you track your device. The solution to that paradox, it turns out, is a trick that requires you to own at least two Apple devices. Each one emits a constantly changing key that nearby Apple devices use to encrypt and upload your geolocation data, such that only the other Apple device you own possesses the key to decrypt those locations.

That system would obviate the threat of marketers or other snoops tracking Apple device Bluetooth signals, allowing them to build their own histories of every user’s location. “If Apple did things right, and there are a lot of ifs here, it sounds like this could be done in a private way,” says Matthew Green, a cryptographer at Johns Hopkins University. “Even if I tracked you walking around, I wouldn’t be able to recognize you were the same person from one hour to the next.”

In fact, Find My’s cryptography goes one step further than that, denying even Apple itself the ability to learn a user’s locations based on their Bluetooth beacons. That would represent a privacy improvement over Apple’s older tools like Find My iPhone and Find Friends, which don’t offer such safeguards against Apple learning your location.

Here’s how the new system works, as Apple describes it, step by step:

  • When you first set up Find My on your Apple devices—and Apple confirmed you do need at least two devices for this feature to work—it generates an unguessable private key that’s shared on all those devices via end-to-end encrypted communication so that only those machines possess the key.
  • Each device also generates a public key. As in other public key encryption setups, this public key can be used to encrypt data such that no one can decrypt it without the corresponding private key, in this case the one stored on all your Apple devices. This is the “beacon” that your devices will broadcast out via Bluetooth to nearby devices.
  • That public key frequently changes, “rotating” periodically to a new number. Thanks to some mathematical magic, that new number doesn’t correlate with previous versions of the public key, but it still retains its ability to encrypt data such that only your devices can decrypt it. Apple refused to say just how often the key rotates. But every time it does, the change makes it that much harder for anyone to use your Bluetooth beacons to track your movements.
  • Say someone steals your MacBook. Even if the thief carries it around closed and disconnected from the internet, your laptop will emit its rotating public key via Bluetooth. A nearby stranger’s iPhone, with no interaction from its owner, will pick up the signal, check its own location, and encrypt that location data using the public key it picked up from the laptop. The public key doesn’t contain any identifying information, and since it frequently rotates, the stranger’s iPhone can’t link the laptop to its prior locations, either.
  • The stranger’s iPhone then uploads two things to Apple’s server: the encrypted location, and a hash of the laptop’s public key, which will serve as an identifier. Since Apple doesn’t have the private key, it can’t decrypt the location.
  • When you want to find your stolen laptop, you turn to your second Apple device—let’s say an iPad—which contains both the same private key as the laptop and has generated the same series of rotating public keys. When you tap a button to find your laptop, the iPad uploads the same hash of the public key to Apple as an identifier so that Apple can search through its millions upon millions of stored encrypted locations and find the matching hash. One complicating factor is that iPad’s hash of the public key won’t be the same as the one from your stolen laptop, since the public key has likely rotated many times since the stranger’s iPhone picked it up. Apple didn’t quite explain how this works. But Johns Hopkins’ Green points out that the iPad could upload a series of hashes of all its previous public keys so that Apple could sort through them to pull out the previous location where the laptop was spotted.
  • Apple returns the encrypted location of the laptop to your iPad, which can use its private key to decrypt it and tell you the laptop’s last known location. Meanwhile, Apple has never seen the decrypted location, and since hashing functions are designed to be irreversible, it can’t even use the hashed public keys to collect any information about where the device has been.

As staggeringly complex as that might sound, Apple warns that it’s still a somewhat simplified version of the Find My protocol, and that the system is still subject to change before it’s actually released in MacOS Catalina and iOS 13 later this year. The true security of the system will depend on the details of its implementation, warns Johns Hopkins’ Green. But he also says that if it works as Apple described to Wired, it might indeed offer all the privacy guarantees Apple has promised.

“I give them nine out of 10 chance of getting it right,” Green says. “I have not seen anyone actually deploy anything like this to a billion people. The actual techniques are pretty well known in the scientific sense. But actually implementing this will be pretty impressive.”

This story originally appeared on wired.com.