Security

Researchers Create Mac "Firmworm" That Spreads Via Thunderbolt Ethernet Adapters 95 95

BIOS4breakfast writes: Wired reports that later this week at BlackHat and Defcon, Trammell Hudson will show the Thunderstrike 2 update to his Thunderstrike attack on Mac firmware (previously covered on Slashdot). Trammell teamed up with Xeno Kovah and Corey Kallenberg from LegbaCore, who have previously shown numerous exploits for PC firmware. They found multiple vulnerabilities that were already publicly disclosed were still present in Mac firmware. This allows a remote attacker to break into the Mac over the network, and infect its firmware. The infected firmware can then infect Apple Thunderbolt to Ethernet adapters' PCI Option ROM. And then those adapters can infect the firmware of any Mac they are plugged into — hence creating the self-propagating Thunderstrike 2 "firmworm." Unlike worms like Stuxnet, it never exists on the filesystem, it only ever lives in firmware (which no one ever checks.) A video showing the proof of concept attack is posted on YouTube.
OS X

A Tweet-Sized Exploit Can Get Root On OS X 10.10 129 129

vivaoporto writes: The Register reports a root-level privilege-escalation exploit that allows one to gain administrator-level privileges on an OS X Yosemite Mac using code so small that fits in a tweet. The security bug, documented by iOS and OS X guru Stefan Esserwhich, can be exploited by malware and attackers to gain total control of the computer. This flaw is present in the latest version of Yosemite, OS X 10.10.4, and the beta, version 10.10.5 but is already fixed in the preview beta of El Capitan (OS X 10.11) Speaking of exploits: Reader trailrunner 7 notes that "HP’s Zero Day Initiative has released four new zero days in Internet Explorer that can lead to remote code execution."
Chrome

Chrome 44 Launches With Tweaks To Push Messaging and Notifications 67 67

An anonymous reader writes: Google has launched Chrome 44 for Windows, Mac, and Linux with new developer tools. Aside from a host of security fixes, this release focuses mainly on developer features. The API for push notifications was updated to match the specification, a new implementation of multi-column layout was added, and they've extended support for Unicode escapes in strings. The full changelog notes a number of performance improvements as well.
Privacy

Free Tools For Detecting Hacking Team Malware In Your Systems 62 62

An anonymous reader writes: Worried that you might have been targeted with Hacking Team spyware, but don't know how to find out for sure? IT security firm Rook Security has released Milano, a free automated tool meant to detect the Hacking Team malware on a computer system. Facebook has also offered a way to discover if your Mac(s) have been compromised by Hacking Team malware: they have provided a specific query pack for its open source OS analysis tool osquery.
Graphics

Square Enix Pulls, Apologizes For Mac Version of Final Fantasy XIV 94 94

_xeno_ writes: Just over a week after Warner Bros. pulled the PC version of Batman: Arkham Knight due to bugs, Square Enix is now being forced to do the same thing with the Mac OS X version of Final Fantasy XIV (which was released at the same time as Batman: Arkham Knight). The rather long note explaining the decision apologizes for releasing the port before it was ready and blames OS X and OpenGL for the discrepancy between the game's performance on identical Mac hardware running Windows. It's unclear when (or even if) Square Enix will resume selling an OS X version — the note indicates that the development team is hopeful that "[w]ith the adoption of DirectX 11 for Mac, and the replacement of OpenGL with a new graphics API in Apple's next OS, the fundamental gap in current performance issues may soon be eliminated." (I'm not sure what "the adoption of DirectX 11 for Mac" refers to. OS X gaining DirectX 11 support is news to me — and, I suspect, Microsoft.) Given that the game supports the aging PS3 console, you'd think the developers would be able to find a way to get the same graphics as the PS3 version on more powerful Mac OS X hardware.
Firefox

Firefox 39 Released, Bringing Security Improvements and Social Sharing 172 172

An anonymous reader writes: Today Mozilla announced the release of Firefox 39.0, which brings an number of minor improvements to the open source browser. (Full release notes.) They've integrated Firefox Share with Firefox Hello, which means that users will be able to open video calls through links sent over social media. Internally, the browser dropped support for the insecure SSLv3 and disabled use of RC4 except where explicitly whitelisted. The SafeBrowsing malware detection now works for downloads on OS X and Linux. (Full list of security changes.) The Mac OS X version of Firefox is now running Project Silk, which makes animations and scrolling noticeably smoother. Developers now have access to the powerful Fetch API, which should provide a better interface for grabbing things over a network.
Security

Hackers Exploit MacKeeper Flaw To Spread OS X Malware 63 63

An anonymous reader writes: Controversial OS X 'clean-up utility' MacKeeper is being exploited by cybercriminals to diffuse Mac malware OSX/Agent-ANTU, according to the BAE cyber security unit. A single line of JavaScript on a malicious web-page is enough to hand over control of the user's system via MacKeeper. Lead security researcher Sergei Shevchenko said 'attackers might simply be 'spraying' their targets with the phishing emails hoping that some of them will have MacKeeper installed, thus allowing the malware to be delivered to their computers and executed,' The malware enables remote control over commands, uploads and downloads, and the setting of execution permissions, as well as granting access to details of VPN connections, user names, and lists of processes and statuses.
Open Source

LibreOffice Now Available On Apple's Mac App Store 132 132

sfcrazy writes: It's an event of historical magnitude: One of the most popular Open Source projects, LibreOffice, is now available directly from Apple's Mac App Store. You can get LibreOffice on OSX with automatic updates, long-term maintenance, and optional professional support, for the first time. There are two editions of LibreOffice available on the Mac App Store: LibreOffice from Collabora and LibreOffice Vanilla. While the Vanilla edition can be downloaded free of cost, LO from Collabora has a price tag of $10. "Free through the App store" is an implicit endorsement that plain old "free" can't beat, even taking open-source licensing out of the picture.
Security

Researchers Find Major Keychain Vulnerability in iOS and OS X 78 78

An anonymous reader notes a report from El Reg on a major cross-app resource vulnerability in iOS and Mac OS X. Researchers say it's possible to break app sandboxes, bypass App Store security checks, and crack the Apple keychain. The researchers wrote, "specifically, we found that the inter-app interaction services, including the keychain and WebSocket on OS X and URL Scheme on OS X and iOS, can all be exploited by [malware] to steal such confidential information as the passwords for iCloud, email and bank, and the secret token of Evernote. Further, the design of the App sandbox on OS X was found to be vulnerable, exposing an app’s private directory to the sandboxed malware that hijacks its Apple Bundle ID. As a result, sensitive user data, like the notes and user contacts under Evernote and photos under WeChat, have all been disclosed. Fundamentally, these problems are caused by the lack of app-to-app and app-to-OS authentications." Their full academic paper (PDF) is available online, as are a series of video demos. They withheld publication for six months at Apple's request, but haven't heard anything further about a fix.
Microsoft

Microsoft Manufacturing Surface Hub In the US 124 124

overThruster writes: According to the New York Times, Microsoft has chosen to manufacture its Surface Hub in Wilsonville, Oregon. The announcement follows Apple’s decision to build the Mac Pro in Texas. "It makes a lot of sense to manufacture in the U.S.," said Steve Hix, an entrepreneur who founded several Portland-area tech companies, including one that had a manufacturing facility in Wilsonville. "The key issue is quality."
IOS

WWDC 2015 Roundup 415 415

Here's an overview of the main announcements and new products unveiled at WWDC today.
  • The latest OS X will be named OS X El Capitan. Features include: Natural language searches and auto-arrange windows. You can make the cursor bigger by shaking the mouse and pin sites in Safari now. 1.4x faster than Yosemite. Available to developers today, public beta in July, out for free in the fall.
  • Metal, the graphics API is coming to Mac. "Metal combines the compute power of OpenCL and the graphics power of OpenGL in a high-performance API that does both." Up to 40% greater rendering efficiency.
  • iOS 9: New Siri UI. There’s an API for search. Siri and Spotlight are getting more integrated. Siri getting better at prediction with a far lower word error rate. You can make checklists, draw and sketch inside of Notes. Maps gets some love. New app called News "We think this offers the best mobile reading experience ever." Like Flipboard it pulls in news articles from your favorite sites. HomeKit now supports window shades, motion sensors, security systems, and remote access via iCloud. Public Beta for iOS 9.
  • Apple Pay: All four major credit card companies and over 1 million locations supporting Apple Pay as of next month. Apple Pay reader developed by Square, for peer-to-peer transactions. Apple Pay coming to the UK next month support in 250,000 locations including the London transportation system. Passbook is being renamed "Wallet."
  • iPad: Shortcuts for app-switching, split-screen multitasking and QuickType. Put two fingers down on the keyboard and it becomes a trackpad. Side by side apps. Picture in picture available on iPad Air and up, Mini 2 and up.
  • CarPlay: Now works wirelessly and supports apps by the automaker.
  • Swift 2,the latest version of Apple’s programing language . Swift will be open source.
  • The App Store: Over 100 billion app downloads, and $30 billion paid to developers.
  • Apple Watch: watchOS 2 with new watch faces. Developers can build their own "complications" (widgets with a terrible name that show updates and gauges on the watch face). A new feature called Time Travel lets you rotate the digital crown to zoom into the future and see what’s coming up. More new features: reply to email, bedside alarm clock, send scribbled messages in multiple colors. You can now play video on the watch. Developer beta of watchOS 2 available today, wide release in the fall for free.
  • Apple Music: “The next chapter in music. It will change the way you experience music forever,” says Cook. Live DJs broadcasting and hosting live radio streams you can listen to in 150 countries. Handpicked suggestions. 24/7 live global radio. Beats Connect lets unsigned artists connect with fans. Beats Music has all of iTunes’ music, to buy or stream. With curated recommendations. Launching June 30th in 100 countries with Android this fall, with Windows and Android versions. First three months free, $9.99 a month or $14.99 a month for family plan for up to six.
Bug

Typing 'http://:' Into a Skype Message Trashes the Installation Beyond Repair 225 225

An anonymous reader writes: A thread at the Skype community forums has brought to light a critical bug in Microsoft's Skype clients for Windows, iOS and Android: typing the incorrect URL initiator http://: into a text message on Skype will crash the client so badly that it can only be repaired by installing an older version and awaiting a fix from Microsoft. The bug does not affect OS X or the 'Metro'-style Windows clients — which means, effectively, that Mac users could kill the Skype installations on other platforms just by sending an eight-character message.
PC Games (Games)

How Cities: Skylines Beat SimCity At Its Own Game 86 86

An anonymous reader writes: Maxis, the studio behind SimCity, was shuttered earlier this year. Fortunately, another studio has taken up its mantle. The small team at Colossal Order has already won acclaim for city-builder game Cities: Skylines (and sold millions), earning a great reputation with the modding community by avoiding all the mistakes the last SimCity release made, such as enforced online/multiplayer. A new behind the scenes feature looks at how the game came about — it was not a response to SimCity, surprisingly — as well as what's next from the studio.

"We are planning to start another game project sometime soon," says Colossal CEO Mariina Hallikainen. "We definitely want to focus on old-school simulator games and definitely PC. PC, Mac and Linux, those are our 'thing.' But I think we're maybe going to do something a little bit different."
DRM

Firefox 38 Arrives With DRM Required To Watch Netflix 371 371

An anonymous reader writes with this excerpt from VentureBeat: Mozilla today launched Firefox 38 for Windows, Mac, Linux, and Android. Notable additions to the browser include Digital Rights Management (DRM) tech for playing protected content in the HTML5 video tag on Windows, Ruby annotation support, and improved user interfaces on Android. Firefox 38 for the desktop is available for download now on Firefox.com, and all existing users should be able to upgrade to it automatically. As always, the Android version is trickling out slowly on Google Play. Note that there is a separate download for Firefox 38 without the DRM support. Our anonymous reader adds links to the release notes for desktop and Android.
Security

GPU Malware Can Also Affect Windows PCs, Possibly Macs 49 49

itwbennett writes: A team of anonymous developers who recently created a Linux rootkit that runs on graphics cards has released a new proof-of-concept malware program that does the same on Windows. A Mac OS X implementation is also in the works. The problem the developers are trying to highlight lies not with the operating systems, such as Windows or Linux, nor with the GPU (graphics processor unit) vendors, but rather with existing security tools, which aren't designed to scan the random access memory used by GPUs for malware code.
IOS

Swift Vs. Objective-C: Why the Future Favors Swift 270 270

snydeq writes: InfoWorld's Paul Solt argues that It's high time to make the switch to the more approachable, full-featured Swift for iOS and OS X app dev. He writes in Infoworld: "Programming languages don't die easily, but development shops that cling to fading paradigms do. If you're developing apps for mobile devices and you haven't investigated Swift, take note: Swift will not only supplant Objective-C when it comes to developing apps for the Mac, iPhone, iPad, Apple Watch, and devices to come, but it will also replace C for embedded programming on Apple platforms. Thanks to several key features, Swift has the potential to become the de-facto programming language for creating immersive, responsive, consumer-facing applications for years to come."
Security

MacKeeper May Have To Pay Millions In Class-Action Suit 41 41

jfruh writes: If you use a Mac, you probably recognize MacKeeper from the omnipresent popup ads designed to look vaguely like system warnings urging you to download the product and use it to keep your computer safe. Now the Ukranian company behind the software and the ads may have to pay millions in a class action suit that accuses them of exaggerating security problems in order to convince customers to download the software.
Security

Researcher Discloses Methods For Bypassing All OS X Security Protections 130 130

Trailrunner7 writes: For years, Apple has enjoyed a pretty good reputation among users for the security of its products. That halo has been enhanced by the addition of new security features such as Gatekeeper and XProtect to OS X recently, but one researcher said that all of those protections are simple to bypass and gaining persistence on a Mac as an attacker isn't much of a challenge at all. Gatekeeper is one of the key technologies that Apple uses to prevent malware from running on OS X machines. It gives users the ability to restrict which applications can run on their machines by choosing to only allow apps from the Mac App Store. With that setting in play, only signed, legitimate apps should be able to run on the machine. But Patrick Wardle, director of research at Synack, said that getting around that restriction is trivial. "Gatekeeper doesn't verify an extra content in the apps. So if I can find an Apple-approved app and get it to load external content, when the user runs it, it will bypass Gatekeeper," Wardle said in a talk at the RSA Conference here Thursday. "It only verifies the app bundle. If Macs were totally secure, I wouldn't be here talking," Wardle said. "It's trivial for any attacker to bypass the security tools on Macs."
Chrome

Chrome 42 Launches With Push Notifications 199 199

An anonymous reader writes: Google today launched Chrome 42 for Windows, Mac, and Linux with new developer tools. Chrome 42 offers two new APIs (Push API and Notifications API) that together allow sites to send notifications to their users even after the given page is closed. While this can be quite an intrusive feature for a browser, Google promises the users have to first grant explicit permission before they receive such a message.