January 14, 2019

Another flaw found in macOS Mojave’s privacy protection

By John E Dunn

Ever since Apple announced enhanced privacy protection for macOS Mojave 10.14 last September, a dedicated band of researchers has been poking away at it looking for security flaws.

Embarrassingly for Apple, it’s not proved a tough challenge, with the first flaw turning up on launch day when one researcher reported a surprising bypass of privacy protection using an ordinary app (i.e. no admin permission) to access the address book.

The privacy protection is accessed via System Preferences > Security & Privacy > Privacy. Other reported bypasses followed soon after, all apparently addressed by updates to Mojave.

Last week, just when it looked as if Apple might have got on top of the issue, StopTheMadness browser extension developer Jeff Johnson announced a new issue affecting all versions of Mojave including the 10.14.3 supplemental update released only days earlier.

According to Johnson, he discovered a way to access ~/Library/Safari without asking the system or user for permission – a directory that should only be accessible via privileged apps such as the macOS Finder.

There are no permission dialogs, it Just Works™. In this way, a malware app could secretly violate a user’s privacy by examining their web browsing history.

The only caveat was that the bypass doesn’t work for sandboxed apps; it applied to those running outside the sandbox as “notarised” apps (i.e. those signed by a Developer ID that have passed Apple’s automated malware checks).

Read more at https://nakedsecurity.sophos.com/2019/02/13/another-flaw-found-in-macos-mojaves-privacy-protection/

Evil USB O.MG Cable opens up Wi-Fi to remote attacks

By Lisa Vaas

Take a look at one of your USB cables and you’ll probably see an icon. It might look like a trident, with a vector, circle and square stemming off the main branch.

What do those three symbols mean? You can find multiple suggestions online. We’re less inclined to believe that it was created by Al Gore to represent a three-pronged attack on the earth, and more comfortable with the suggestion that the icon likely indicates that the cable delivers three things: data, power, and audio/video.

Well, thanks to a tinkerer, that USB icon is going to need a fourth tine, perhaps ending in an image of a burglar – because he’s rigged a USB cable to allow remote attackers to attack via Wi-Fi. Security researcher Mike Grover, who goes by the alias MG, has implanted this open door into a USB-C cable that looks like any other innocuous cable you’d see lying around in a conference room.

Why bother with USB drives? They’re already suspicious enough. Go for the cable instead, his thinking was.

The cable, dubbed the O.MG Cable, can be plugged into a Linux, Mac or Windows computer and allows attackers to execute commands over Wi-Fi as if they were sitting in front of the system, issuing commands with a mouse and keyboard.

That’s because the operating system detects the cable as part of an input device, or what’s known as a human interface device (HID). Because operating systems consider HID devices to be input devices, they can be used to input commands as if those commands are being typed on a keyboard.

Read more at https://nakedsecurity.sophos.com/2019/02/13/evil-usb-o-mg-cable-opens-up-wi-fi-to-remote-attacks/

620 million records from 16 websites listed for sale on the Dark Web

By Lisa Vaas

The pockets of credential stuffers and spammers have been potentially fattened by another 617 million pilfered accounts, hacked out of 16 websites and now allegedly up for sale on the Dark Web.

The Register reports that a seller on the Dream Market – a Dark Web marketplace hidden by the encrypted layers of Tor – began offering these stolen databases with this many accounts on Monday:

  • Dubsmash: 162 million
  • MyFitnessPal: 151 million
  • MyHeritage: 92 million
  • ShareThis: 41 million
  • HauteLook: 28 million
  • Animoto: 25 million
  • EyeEm: 22 million
  • 8fit: 20 million
  • Whitepages: 18 million

Read more at https://nakedsecurity.sophos.com/2019/02/13/620-million-records-from-16-websites-listed-for-sale-on-the-dark-web/

Security firm beats Adobe by patching reader flaw first

By Danny Bradbury

Adobe has patched a flaw that enabled attackers to slurp a user’s network authentication details – but not before someone else patched it first.

Security researcher Alex Inführ discovered a flaw in Adobe Reader which enabled a malicious PDF file to trigger a callback from the program. A compromised program would communicate with a server using Microsoft’s SMB protocol, sending it the user’s hashed authentication details.

The flaw stemmed from the XML Form Architecture (XFA), which is an XML structure inside a PDF that enables users to fill out forms. Loading a remote XML-based stylesheet relating to XFA with an insecure HTTPS-based URL prompts a file to ask for user confirmation before visiting that URL. By using a Universal Naming Convention (UNC) path, the attacker can stop that security dialog appearing. The result is that the infected file causes the user’s machine to send their NTLM (NT LAN Manager) v2 hash to the attacker.

That’s pretty significant, because this hash is the digest of a password for the Windows NT LAN Manager authentication protocol. Various hackers have already detailed methods of cracking the NTLMv2 hash using automated tools.
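A defender-side check for the pattern described above, as an added example that is not from the original article or from Adobe: it scans an already-extracted XFA XML packet for stylesheet references and flags any href that Windows would resolve over SMB. It assumes the stylesheet is referenced with the standard `xml-stylesheet` processing instruction; the sample XFA text and host names are constructed, and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit

# Regexes are used on purpose: the input is untrusted, so no XML parser is invoked.
PI_RE = re.compile(r"<\?xml-stylesheet\b(.*?)\?>", re.DOTALL | re.IGNORECASE)
HREF_RE = re.compile(r"""\bhref\s*=\s*(["'])(.*?)\1""", re.DOTALL | re.IGNORECASE)

def classify_href(href):
    """Classify a stylesheet href as 'unc', 'file-remote', 'web',
    'local/relative' or 'unparsed'."""
    h = href.strip()
    # \\host\share and //host/share are both resolved over SMB on Windows.
    if h.startswith("\\\\") or h.startswith("//"):
        return "unc"
    try:
        parts = urlsplit(h)
    except ValueError:
        return "unparsed"
    scheme = parts.scheme.lower()
    if scheme == "file" and parts.netloc not in ("", "localhost"):
        return "file-remote"  # file://host/share/... also reaches a remote host
    if scheme in ("http", "https"):
        return "web"
    return "local/relative"

def scan_xfa(xfa_text):
    """Return one finding per xml-stylesheet instruction that carries an href."""
    findings = []
    for pi in PI_RE.finditer(xfa_text):
        m = HREF_RE.search(pi.group(1))
        if m:
            kind = classify_href(m.group(2))
            findings.append({"href": m.group(2), "kind": kind,
                             "smb_risk": kind in ("unc", "file-remote")})
    return findings

# Constructed sample, not taken from any real document.
SAMPLE_XFA = r'''<?xml version="1.0"?>
<?xml-stylesheet type="text/xsl" href="\\files.example.invalid\share\form.xslt"?>
<?xml-stylesheet type="text/xsl" href="https://www.example.invalid/form.xslt"?>
<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/">
  <template xmlns="http://www.xfa.org/schema/xfa-template/3.0/"/>
</xdp:xdp>'''

if __name__ == "__main__":
    for f in scan_xfa(SAMPLE_XFA):
        print(("FLAG" if f["smb_risk"] else "ok  "), f["kind"], f["href"])
```

XFA packets are usually stored in compressed PDF streams, so they must be extracted and decompressed before a scan like this sees the text.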

Read more at https://nakedsecurity.sophos.com/2019/02/13/security-firm-beats-adobe-by-patching-reader-flaw-first/
