macOS Sierra and Safari 10 Security Updates


Today brings a new version of macOS (formerly known as Mac OS X formerly known as Mac OS) with macOS Sierra 10.12. It also includes a new version of Safari with the release of version 10. While many will write about the cool new features such as Siri on the Mac or Apple Pay via the web, let’s talk about the vulnerabilities fixed and why enterprises should care.

macOS Sierra

macOS Sierra 10.12 fixed 65 vulnerabilities. Many of them relate to escalation of privilege, denial of service, and information disclosure. Some of the more interesting vulnerabilities include:

  • CVE-2016-4702: an Audio component vulnerability where a remote attacker may be able to execute a malicious program.
  • CVE-2016-4738: a libxslt component vulnerability where malicious web content could lead to executing a malicious program.

These examples are noteworthy because they are often used as the starting point for exploiting a system through social engineering. Once the hacker has access, the other vulnerabilities may be useful to gain additional access or information.

Safari 10

Today also marks the release of Safari 10, which is embedded with macOS Sierra and available as an update for OS X Yosemite v10.10.5 and OS X El Capitan v10.11.6. This update fixed a total of 21 vulnerabilities, 16 of which are cases where processing malicious web content may lead to arbitrary code execution. This is Apple speak for "visiting bad websites or web ads may result in running malware." Needless to say, this update should be applied on all systems. If you still have systems on OS X Mavericks v10.9.x, it is time to upgrade.
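The availability rule above can be turned into a fleet triage. The following is an added example, not part of the original post: it classifies hosts by OS and Safari version using only the versions named in the paragraph. The status labels, the inventory format, the hostnames, and the assumption that earlier Yosemite and El Capitan point releases need the OS update before Safari 10 are all made up for this illustration.

```sh
# Added example: triage hosts against the Safari 10 availability rule above.
# ver_cmp A B: print -1, 0 or 1, comparing dotted numeric versions by field.
ver_cmp() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        if [ "$a" = "$x" ]; then a=; else a=${a#*.}; fi
        if [ "$b" = "$y" ]; then b=; else b=${b#*.}; fi
        x=${x:-0}; y=${y:-0}          # a missing field counts as 0
        if [ "$x" -lt "$y" ]; then echo -1; return; fi
        if [ "$x" -gt "$y" ]; then echo 1; return; fi
    done
    echo 0
}

# triage_host OS SAFARI: print the action a host needs (labels are assumptions).
# On a Mac, OS comes from `sw_vers -productVersion` and SAFARI from
# `defaults read /Applications/Safari.app/Contents/Info CFBundleShortVersionString`.
triage_host() {
    os=$1; safari=$2
    for v in "$os" "$safari"; do      # reject empty or non-numeric input
        case $v in ''|*[!0-9.]*) echo unknown; return ;; esac
    done
    # Mavericks (10.9.x) and older: no Safari 10 is listed for them.
    if [ "$(ver_cmp "$os" 10.10)" -lt 0 ]; then echo upgrade-os; return; fi
    # Safari 10 is listed for 10.10.5 and 10.11.6, and ships with 10.12.
    case $os in
        10.10|10.10.*) min=10.10.5 ;;
        10.11|10.11.*) min=10.11.6 ;;
        *)             min=10.12 ;;
    esac
    if [ "$(ver_cmp "$os" "$min")" -lt 0 ]; then echo update-os-then-safari; return; fi
    if [ "$(ver_cmp "$safari" 10)" -lt 0 ]; then echo update-safari; return; fi
    echo ok
}

# triage_inventory: read "host os safari" lines on stdin, print "host action".
triage_inventory() {
    while read -r host os_v sf_v; do
        if [ -n "$host" ]; then echo "$host $(triage_host "$os_v" "$sf_v")"; fi
    done
}

# Constructed sample inventory (hostnames and versions are made up).
triage_inventory <<'EOF'
mac-001 10.9.5 9.1.3
mac-002 10.10.4 9.1.2
mac-003 10.11.6 9.1.3
mac-004 10.12 10.0
EOF
```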

Summary

With 60 vulnerabilities fixed in macOS Sierra and 21 in Safari 10, there are many reasons to upgrade. Based on the nature of the vulnerabilities, upgrading all systems to Safari should take priority as many of those vulnerabilities could be used in phishing and other web exploits. Finally, this release effectively ends support for OS X Mavericks.

Apple Mac OS X Security Updates for September 1, 2016

Mac OS X and Safari received a few updates today, which appear to be a late response to the iOS zero-day vulnerabilities patched last week in iOS 9.3.5. These updates should be treated as critical and applied quickly.

iOS 9.3.5

First, we must explore iOS 9.3.5, which came out on August 25, 2016, in order to better understand these updates.

Lookout and Citizen Lab analysts found that Pegasus, a spyware product, uses zero-day vulnerabilities and sophisticated techniques for mobile-targeted attacks.

This “Trident Exploit Chain” consists of the following three vulnerabilities:

  • CVE-2016-4657: Visiting a maliciously crafted website may lead to arbitrary code execution
  • CVE-2016-4655: An application may be able to disclose kernel memory
  • CVE-2016-4656: An application may be able to execute arbitrary code with kernel privileges

The exploit actions are summarized by Lookout:

“The attack sequence, boiled down, is a classic phishing scheme: send text message, open web browser, load page, exploit vulnerabilities, install persistent software to gather information. This, however, happens invisibly and silently, such that victims do not know they’ve been compromised.”

The spyware, once installed, can be used to gather everything from messages and phone calls to application data. It has already targeted a human rights activist from the United Arab Emirates, unknown people from Kenya, and a Mexican journalist.

Security Update 2016-001 El Capitan and Security Update 2016-005 Yosemite

These updates also included two kernel vulnerabilities.

There are a few insights with iOS 9.3.5 as a background. For starters, OS X and iOS have a lot of code in common. This isn’t news, but the latest update reinforces this fact. The potential for exploits exists on both platforms.

Secondly, why the delay? It could be a case of engineering timelines, but security professionals should again consider that what happens on iOS may affect Mac OS X and the other way around.

Noticeably absent from these updates is an update for the nearly three-year-old OS X Mavericks. There are a few conclusions that you can draw based on this difference: OS X Mavericks isn’t vulnerable, or Apple didn’t choose to fix these issues.

If there have ever been vulnerabilities worth fixing, this set would be it. That said, if I’m a betting man, I would say that Apple decided not to fix these issues. As I’ve noted in previous articles, Apple is selective about fixing issues for the older versions of Mac OS X, and staying current on the latest version is as important as applying the latest patches. I can’t state for a fact that OS X Mavericks is vulnerable, but I would be shocked if somehow it didn’t have these vulnerabilities.

Safari 9.1.3

Safari 9.1.3 fixes the vulnerability where a maliciously crafted website may lead to arbitrary code execution. We see such vulnerabilities addressed in almost every Safari update, and this should be a warning, as they are prime candidates for exploitation through phishing or any other method that cons unsuspecting users into clicking on a link.

Summary

If there are a few takeaways for IT and security teams here, they are:

  • Consider iOS and Mac OS X vulnerabilities to be related to each other
  • Older versions of Mac OS X are not going to have updates to fix every vulnerability, including obvious critical ones
  • Don’t ignore your Apple devices – they get exploited too


Apple July 2016 Mac OS X Updates


Apple’s July 2016 Mac OS X Updates apply to Mac OS X, including versions El Capitan 10.11.6; Security Update 2016-004 for Mavericks 10.9.5 and Yosemite 10.10.5; and Safari with a new version 9.1.2. In total, there were 72 vulnerabilities fixed, many creating high risk to enterprises.

For the full analysis, see this post on Shavlik.com.

Mobility Management and its Role in Unified Endpoint Management

It’s an annual event that we look forward to at LANDESK: the release of the Gartner Magic Quadrants (MQ) for our various solutions. For me, the Magic Quadrant for Enterprise Mobility Management Suites is special. Not because of the days we invest preparing our response (it’s a lot of work), but because the MQ gives those of us who live with these products day-in/day-out a chance to step back and realize how fast this area of technology moves, and what it means to our customers.

It makes sense, when you think about it: Users exchange their mobile devices every 12-18 months, and that can cross two generations of smartphone models.  With that compressed lifecycle, and the evolution of functionality that comes with each new generation of device, keeping up with the technology is worthy of an annual assessment like the MQ.  Mobile, on its own (and that’s how the EMM Magic Quadrant is determined) is so dynamic, so when we see the MQ publication, we are always happy to see the market assessment aligning with big challenges our customers are looking for us to help them solve.

One of the biggest changes this past year has been the desire to consolidate the toolsets needed to manage everything users carry – from their laptop (and it could be Windows, Mac, etc.) to their smartphone/tablet/other (Android, iOS, etc.). The term is “Unified Endpoint Management”, and we have been hearing a lot from our customers about the desire for clients of all types (traditional and mobile) to be managed together in this way.  It enables user-centered IT management with huge efficiencies. This is the first time that UEM rankings have been part of Gartner’s Magic Quadrant criteria.

For the IT admin, it offers a single system for configuring and managing everything a user carries. A truly integrated UEM solution, such as LANDESK Management Suite 2016, delivers this in such a way that makes it super easy to see, configure and manage all the devices in a user’s portfolio, together and simultaneously. End users can count on consistent access across the screens they use, because the policies are configured uniformly based on their role, not the device itself. Simple, easy user management.

We don’t want to spoil the fun of reading the Gartner Magic Quadrant for Enterprise Mobility Management for yourselves, but we’re extremely proud of our inclusion and move into the “Visionaries” quadrant of the MQ (no vendor saw as significant a shift in the positive direction)! We’re also honored to have been recognized for our Unified Endpoint Management approach, which leverages our historic strength in Client Management Tools, and brings EMM into the same LDMS product for a truly integrated solution. Take a look at Gartner’s assessments, then take a look at all the devices your users carry. Do you have all the visibility you need to confidently manage it all?

Remove Apple Quicktime for Windows Today


If you didn’t hear already, it’s time to remove Apple QuickTime for Windows ASAP. Chris Goettl, from our Shavlik team, provides the details.

Apple has announced the end of availability for QuickTime 7 on Windows systems.  In their announcement they explained their reason for pulling support:

“QuickTime 7 for Windows is no longer supported by Apple. New versions of Windows since 2009 have included support for the key media formats, such as H.264 and AAC, that QuickTime 7 enabled. All current Windows web browsers support video without the need for browser plug-ins. If you no longer need QuickTime 7 on your PC, follow the instructions for uninstalling QuickTime 7 for Windows.”

To add to this, there are two known vulnerabilities that will go unpatched for QuickTime 7 on Windows, which elevates the need to remove it. While the vulnerabilities are not being exploited, to anybody’s knowledge, security experts are calling for removal of QuickTime as quickly as possible and are treating these two vulnerabilities as Zero Days since they have been disclosed and will never be fixed.

Original article at http://blog.shavlik.com/remove-apple-quicktime-windows-systems/

How to Install Microsoft Office 2016 for Mac Using LANDESK Management Suite

Goodbye 2011 and hello 2016!  After five long years, Microsoft has finally replaced its outdated and very un-Macish Office 2011 product with an ultra-sleek and modern Office 2016 for Mac. Re-written from the ground up, Microsoft is promising an “unmistakably Office” experience; something we Mac users have not previously enjoyed without compromising the Mac experience itself.

The one major caveat for the Office 2016 for Mac release…you must be an Office 365 subscriber, or you must be a student to get access to the product today. If you don’t fall into one of those two categories, you’re going to need to hold tight. While the full details are not yet known, such as the exact release date or price, the one-time product purchase option will have you waiting until September sometime. If you don’t feel you can wait that long, head over to office.com/mac and become a subscriber today.

Where’s the moat around my OS X castle?

We all want to feel secure and protected, right? Kings, queens and other powerful individuals from ages past built moats to protect their investments and the people they cared for. Today, while we may not all be kings or queens, we still have the desire to protect ourselves and our personal property.

If you’re a Mac user with the belief that your OS X moat is impenetrable, protecting you from all foreign potential conquerors, it’s time to perk up and use a bit of caution.

According to Pedro Vilaca, a well-known security expert for OS X, the moat around your personal world housed on your Mac has a major flaw. In Pedro’s blog titled, The Empire Strikes Back Apple – how your Mac firmware security is completely broken, he discusses how, by simply putting your machine to sleep, an attacker can compromise the device, gaining root access to the firmware.
So where did your moat around our OS X castle go?

Are You Ignoring the Apple Elephant in the Room?

Managing your Mac devices can help your department reduce cost, increase productivity and gain control of end user environments.

A couple of months ago, I found myself in the San Jose International Airport. As I waited for my plane, I noticed that nearly everyone in the terminal was using a Mac laptop or an iOS device. (And I mean it when I say nearly everyone.) While it was an interesting thing to notice, San Jose is practically in Apple’s backyard so I dismissed it as an effort to support the local employer.

Several weeks later, while waiting for my plane to arrive at the Charles de Gaulle International Airport in Paris, France, I started noticing the devices used by others waiting in the terminal. Much to my surprise, nearly all of the devices in use were either Mac laptops or iOS devices. Since Paris isn’t in Apple’s backyard, the usage trend became ever more intriguing. It’s obvious that times are changing and, according to Apple’s 2012 fiscal numbers, they’re changing in big ways.

Last month Apple’s 2012 fiscal report showed they sold more than 125 million iPhones, 58 million iPads, 18 million Macs and 35 million iPods with more than $156 billion in total sales and over $44 billion in profit.

Just in case you’re not great at math, I’ll add it up for you: 125 million iPhones + 58 million iPads + 18 million Macs = 1 very large elephant (of the Apple variety) sitting in the IT office.  Thus the $156 billion dollar question becomes: “Are you ignoring the elephant in the room?”

If you are, it’s time to review LANDesk’s management portfolio again. Built within LANDesk’s renowned integrated console is power to manage those millions of iPhones, iPads and Mac devices wandering around your office.  Managing your Mac devices can help your department reduce cost, increase productivity and gain control of end user environments. With the number of Mac devices in use, you can’t afford not to do it.