Adobe Flash Player Install Manager (the application) checks for updates automatically, and will present you with a window asking if you want to continue with the install. That’s a legitimate application from Adobe. If you see something that looks like a Flash Player install window, and the app name is not exactly Adobe Flash Player Install Manager, quit the app immediately.

If you’re ever in doubt — or if it just makes you more comfortable — you can quit Adobe Flash Player Install Manager, go direct to Adobe.com and click on the Flash Player link (at the lower right when I just checked). The next page will allow you to download the Flash Player installer dmg. Open that, run the app inside, and you’ll get the same window as if Adobe Flash Player Install Manager started itself. It’s incredibly unlikely that Adobe’s site could be hacked, so this is a very safe way to keep Flash Player up to date. And, unless you never have Flash turned on, you need to keep Flash Player up to date.

Adobe Flash Player Install Manager can also be used to uninstall Flash Player.

Thanks to Stephen Hart

Additionally, depending on your OS (this works in Lion, at least) there is a Flash pane in System Preferences, where an option can be set to check for updates. If you click on it you’re taken to Adobe’s page where your Flash version is checked and the current version is noted, and if you don’t have the current version you’re directed to Adobe’s download page.

This is a sure way to keep Flash updated safely.

Related posts:

1. How do you know if a Flash Update notification is legit? MacFixIt’s Topher Kessler has a great post addressing this. I...
2. Gmail users may be at risk from a Flash bug  Yesterday (06/06/11) Adobe told the world that the Flash Player...
3. Turn Off Java — Flashback Trojan Risk Originaly posted on the Mac Performance Guide MacRumors has an...

Related posts brought to you by Yet Another Related Posts Plugin.

One question I’ve heard a lot recently is “how can I securely send or share files, so only the person intended can read them?”

One solution is Dropkey, currently available on the Mac App Store for $19.99.

Check here to see the web site and download a trial, and let me know how you like it.

One thing I’m not yet sure of but have inquired about is if I send files to Windows users, will this work? Also, if Mac users don’t use Address Book, but Outlook or another app for contacts, will it work?

I’ll post the answers to these questions when I receive them.

Related posts:

1. Trojan masquerades as image files Intego reported that a new version of the Imuler trojan...

Related posts brought to you by Yet Another Related Posts Plugin.

MacFixIt’s Topher Kessler has a great post addressing this. I highly suggest you read it carefully.

In part:

if you are browsing the Web and see a notice pop up about the need to update Reader, there are several things you can do.

1. Do not trust it
Immediately be skeptical of any automatic software update, especially those for Flash or Reader. Instead of accepting it and downloading the update, check the interface for any apparent typos or grammar errors, and if found, then close it down. Additionally, check online by simply doing a Google search (or more accurately visiting Adobe’s support site) to see if any updates have been recently issued.

Right-click the Flash installer package in the Dock, and reveal it in the Finder to see if it is in your user account or in a location that would first require authentication before the program could be placed there.

2. Standalone application
Adobe’s updates are automatically distributed via utilities such as Update Adobe Flash Player, which are run from the Adobe Flash Player Install Manager program that is installed when you install Flash or Reader. To see if this program is what is running, right-click the installer icon in the Dock and select the option to show it in the Finder.

If the program is in your downloads folder, or somewhere in your user account, then do not trust it and throw it out. However, if it is in the /Applications or /Applications/Utilities/ folder, then it suggests the program is legitimate, since installing to these locations would first require a username and password (as is needed when installing Flash for the first time).

3. Quit your browser
Often malware will be presented as a download from within a specially crafted browser window that displays a Web page which is intended to look like a program running on your system. If you see a notice to install Flash, and then quit your Web browser and the notice goes away, then this is a good indication that it is not legitimate and is likely an attempt to lure you into downloading malicious software.

If you observe these three steps when dealing with an automatic update window that suddenly appears, you should be able to better avoid malware attempts on your system.

As a final note, the easiest method by far for avoiding malware attempts when updating your programs (any software, and not just Adobe’s) is to avoid the automatic update solutions altogether. Instead, enable them to notify you when an update is available, and then only download the update directly from the developer. By doing this you will be sure the software you download is legitimate and up-to-date. In the case of Adobe’s products, you can easily get them from the following Web pages:

• Adobe Flash Player
• Adobe Reader

Related posts:

1. Gmail users may be at risk from a Flash bug  Yesterday (06/06/11) Adobe told the world that the Flash Player...
2. Turn Off Java — Flashback Trojan Risk Originaly posted on the Mac Performance Guide MacRumors has an...
3. Adobe to release Reader and Acrobat security patches tomorrow A “pre-notification” from Adobe announced patches for “critical” security flaws...

Related posts brought to you by Yet Another Related Posts Plugin.

Exerpted from MacFixIt

This new minimum-threat malware development for OS X copies Flashback and suggests criminals jump on opportunistic bubbles.

Recently the Flashback malware attacks on OS X gained headlines, not because of the presence of the Trojan, which had been around for some months prior to the increase in attention, but rather because it gained the possibility of installation in a drive-by-download attack that did not require any interaction from the user in order to install.
This development was made possible because of a vulnerability in Java that allowed for a maliciously crafted applet to break the Java sandbox and write files to the disk. Apple has since patched this issue and it, along with other companies, have released Flashback Trojan removal tools to combat the malware; however, in its prime, the malware did reach more than 600,000 Mac users.
While this vulnerability has been linked in the media to Flashback, it appears the same vulnerability is being attempted by other criminal malware developers as well.
When exploits to vulnerabilities are found by criminals, many times they are packaged in underground software development kits that are then distributed, making malware development around these vulnerabilities far easier to do. According to computer security expert Brian Krebs, the CVE-2012-0507 vulnerability in Java that was used by Flashback was included in one of these kits (called Blackhole), and therefore has been available to criminal software developers for some time.

Check these two folders for files called “com.apple.PubSabAgent.plist” and “com.apple.PubSabAgent.pfile,” and remove them from the system if they are present.
(Credit: Screenshot by Topher Kessler/CNET)

Over the weekend, another Trojan called PubSab has been identified for OS X that uses the same Java vulnerability in an attempt to infect Mac systems. There is a little uncertainty over exactly how this malware attacks the system, but Sophos suggests it uses the same CVE-2012-0507 vulnerability found in Java, and SecureList’s analysis shows it uses CVE-2009-0563, which was a vulnerability in Microsoft Office that was patched years ago.
When installed, as with other Trojans and malware of its kind, it creates a launcher file and the malware executable within user accounts that it tries to disguise as a legitimate Apple-supplied file, and then uses the launcher to keep the malware running on affected systems. The malware then tries to upload personal information such as screenshots to remote servers, and can accept commands from remote servers.
Because both the Java and Office vulnerabilities that this malware uses have been patched, moving forward this is not considered a serious threat as long as you have kept your system and software up-to-date. Additionally, it being distributed in part through rogue Word documents makes avoiding it a bit easier by simply deleting attachments and e-mails of unknown origin. As with the Flashback malware, OS X systems that ship with Lion are safe from attack, and anyone who has updated Microsoft Office within the past couple of years is also safe from this exploit.
Despite this, to ensure your system is clear, you can check for the malware by going to the Library folder within your user account (hold the Option button and select Library from the Finder’s “Go” menu in OS X Lion), and then open the LaunchAgents folder and the Preferences folder within the user library. In the LaunchAgents folder, locate and remove the file called “com.apple.PubSabAgent.plist.” Then go to the Preferences folder and remove the file called “com.apple.PubSabAgent.pfile” (note the extension “pfile” instead of “plist”). The first document here is the launcher that keeps the process running, and the second is the process itself.
Alternatively to using the Finder to locate and remove these files, you can run the following two commands in the Terminal application (in the /Applications/Utilities/ folder):
rm ~/Library/LaunchAgents/com.apple.PubSabAgent.plist
rm ~/Library/Preferences/com.apple.PubSabAgent.pfile
After you have removed these files, log out and log back in to your system to clear them from the system’s memory and from the launch manager for your user account.
Note that if you use a full system backup option like Time Machine, then these files may have been backed up, and therefore might be restored if you need to restore your system from backup. Therefore, when in these folders invoke Time Machine and then locate the files in the Time Machine backup. Then right-click the files (or control-click) and choose the option to delete all backups of the files. Additionally, after removing the files be sure to have Time Machine or your other backup solutions make a full, fresh backup instance of your system to ensure you have a new starting point that is malware-free.

Not to be confused with this malware, the “PubSub” folder within user accounts is used by the system for syncing RSS feeds.
(Credit: Screenshot by Topher Kessler/CNET)

The name of this malware suggests the criminals behind it are attempting to confuse users with legitimate technologies in OS X. One of the services Apple includes with OS X is called “PubSub,” and is used by OS X for syncing RSS feeds among devices. Therefore, you may periodically see a process called PubSub or PubSubAgent running in Activity Monitor; however, you should not see a process with “PubSab” in its name.

The use of these known vulnerabilities in these and other malware attacks suggest that when a vulnerability in OS X or common applications and technologies used on OS X is found, then it is likely that more than one malware developer may be attempting to use it. A while ago we discussed this as a possibility, and this latest development supports this notion where criminals might jump on opportunities presented to them by the distribution of exploits in kits like Blackhole and others.

Therefore, despite OS X having a fraction of the malware that is being developed daily for Windows systems, when an attack happens there may be others that follow in tow that attempt to use the same means of compromising a system, so be sure to patch any found vulnerabilities for the software you use on your system. OS X is a relatively new operating system, but its market share is on the rise in both the United States and worldwide, making it a more enticing target for attackers to use as we’ve seen with the increase in attacks (both opportunistically and otherwise) over the past few years.

NOTE: The name of this malware may cause a bit of confusion. Some have called it “SabPub,” and others have called it SubPab, PubSab, and other permutations of the name, resulting in a bit of a tongue-twister. For now it is known to write files to the hard drive that use the term “PubSab” in their names; however, popularity and security companies are referring to it primarily as SabPub.

Topher Kessler, 04.16.12

Related posts:

1. New Security Update provides more malware protection for Snow Leopard Security Update 2011-003 was released a couple of days ago...

Related posts brought to you by Yet Another Related Posts Plugin.

from tuaw.com 04.16.12

Just days after Apple released its official Flashback trojan patch, another Java trojan has been discovered that could possibly infect Macs. The trojan is known as “LuckyCat.” As Kaspersky Lab Expert Costin Raiu explains in a blog post (see my previous post), LuckyCat takes advantage of an exploit in Microsoft Word that allows malware to be spread via documents that take advantage of the CVE-2009-0563 vulnerability:

One of the biggest mysteries is the infection vector of these attacks. Given the highly targeted nature of the attack, there are very few traces. Nevertheless, we found an important detail which is the missing link: Six Microsoft Word documents, which we detect as Exploit.MSWord.CVE-2009-0563.a. In total we have six relevant Word .docs with this verdict — with four dropping the MaControl bot. The remaining two drop SabPub.

The most interesting thing here is the history of the second SabPub variant. In our virus collection, it is named “8958.doc”. This suggests it was extracted from a Word document or was distributed as a Doc-file.

Currently there are no details on how the average user can detect if they are infected with the LuckyCat trojan, nor how to remove it. One can expect that the Microsoft Word vulnerability will be patched in an Office for Mac update.

Thanks to Michael Grothaus

Related posts:

1. Turn Off Java — Flashback Trojan Risk Originaly posted on the Mac Performance Guide MacRumors has an...
2. More good information about Flashback trojan and Java vulnerability AppStorm Mac has a very cogent article posted this morning...
3. Flashback trojan info, and a detection app Auto-installing Flashback trojan varient infecting Macs worldwide First, I’d like...

Related posts brought to you by Yet Another Related Posts Plugin.

Apple promised, and they delivered. The latest updates to Java, Java for OS X Lion 2012-003 and Java for Mac OS X 10.6 Update 8, contains the removal tool, as well as disabling automatic execution of Java applets by default. You can choose to renable automatic applet execution if you choose… after a while (not sure how long) of not running any Java applets, your Mac will disable auto-execution again.

Software update or a download from Apples site will get you the tool for Lion users.

Snow Leopard users can use Software update or download from this Apple page.

Related posts:

1. Apple Developing a Flashback Removal Tool Last night Apple announced that they are developing a tool...
2. Flashback Removal Tool Available F-Secure released a free tool to detect and remove the...
3. Turn Off Java — Flashback Trojan Risk Originaly posted on the Mac Performance Guide MacRumors has an...

Related posts brought to you by Yet Another Related Posts Plugin.

F-Secure released a free tool to detect and remove the Flashback trojan. Download it here.

Anti malware software can remove the trojan, and the upcoming tool from Apple will as well, but this is the first free remedy specifically for the Flashback trojan that does not require use of Terminal.

Related posts:

1. Apple Developing a Flashback Removal Tool Last night Apple announced that they are developing a tool...
2. New strain of Mac Flashback Trojan horse – serious threat Macworld posted this morning that Intego has discovered a new...
3. Turn Off Java — Flashback Trojan Risk Originaly posted on the Mac Performance Guide MacRumors has an...

Related posts brought to you by Yet Another Related Posts Plugin.

Last night Apple announced that they are developing a tool to remove the Flashback trojan that I’ve posted about several times.

Apple released an update to Java on April 3 for Snow Leopard and Lion (10.6 and 10.7) to patch the vulnerability… if you haven’t run Software Update recently, do. It’s important to keep your system up to date, especially to keep any security updates current.

Apple is also working with ISPs to shut down servers that are used by Flashback to send info back to it’s creators, and to perform commands.

See my previous posts on how to detect and eliminate or avoid the Flashback trojan or for more information. F-Secure has thorough information on how to remove the Flasback trojan, using Terminal. I recommend that you do NOT do this if you’re unfamiliar with terminal, as you’re “monkeying around” under the hood, so to speak, and a mistype can cause problems. Contact me or your preferred Mac professional for assistance, unless you know what you’re doing. VirusBarrier X6 will find and eliminate Flashback, and can be purchased from Intego or click the link in the right sidebar on my website

Kapersky has a web site page to check if you’re infected, and has three suggestions to clean your Mac… one is a free tool, the second is to buy their software, the third to remove it manually.

There is no release date for Apple’s new removal tool as yet, but I’d expect it soon.

Related posts:

1. Flashback trojan info, and a detection app Auto-installing Flashback trojan varient infecting Macs worldwide First, I’d like...
2. More good information about Flashback trojan and Java vulnerability AppStorm Mac has a very cogent article posted this morning...
3. New strain of Mac Flashback Trojan horse – serious threat Macworld posted this morning that Intego has discovered a new...

Related posts brought to you by Yet Another Related Posts Plugin.

AppStorm Mac has a very cogent article posted this morning with even more good info about the Flashback trojan and various ways to be protected.

I found the following to be very helpful… it seems that having some kind of malware protection will prevent infection from the start.

After you visit a compromised website, FlashBack installs and runs a small executable on your Mac, which subsequently scans for software (most of which would otherwise detect and remove the threat) in the following locations on your Mac’s hard drive:

• /Library/Little Snitch
• /Developer/Applications/Xcode.app/Contents/MacOS/Xcode
• /Applications/VirusBarrier X6.app
• /Applications/iAntiVirus/iAntiVirus.app
• /Applications/avast!.app
• /Applications/ClamXav.app
• /Applications/HTTPScoop.app
• /Applications/Packet Peeper.app

If these files aren’t found, then the trojan uses a special routine which generates a list of control servers and installs the malicious code onto the user’s Mac, compromising overall system security.

I highly recommend everyone having a look at this article, as it appears that Macs are now being targeted in a way they never have before.

Related posts:

1. Turn Off Java — Flashback Trojan Risk Originaly posted on the Mac Performance Guide MacRumors has an...
2. Flashback trojan info, and a detection app Auto-installing Flashback trojan varient infecting Macs worldwide First, I’d like...
3. New strain of Mac Flashback Trojan horse – serious threat Macworld posted this morning that Intego has discovered a new...

Related posts brought to you by Yet Another Related Posts Plugin.

Auto-installing Flashback trojan varient infecting Macs worldwide

First, I’d like to mention that while the news media is making a lot of the Flashback trojan and the “600,000″ infections worldwide, the number may be suspect, and even if true, is less that 1% of Macs in use.

Second, while the Flashback trojan is a serious threat, it is not difficult to protect against, especially if your Mac is running Mac OS X 10.7 (Lion), which has pretty good anti-malware protection built in, and was recently patched for this new varient.

Flashback information

Macworld has a very good post titled “What you need to know about the Flashback trojan” that explains:

• what it is
• how you may be at risk
• what you may be able to do to prevent problems
• how you can protect yourself

The post also discusses how the number of infections were determined, and the responsibility of Apple and others regarding delays in issuing patches for this vulnerability.

The real danger of the Flashback trojan is that unlike previous trojans, which needed the user to actually install the malware after being tricked into believing it was an Adobe update or other legitimate scenario, infection can come simply from browsing to a malicious or infected web site. The malware uses an unpatched Java vulnerability to install itself.

Secure your Mac from Flashback infection

This post from Rob Pegoraro on the USA Today|Tech page answers the question: “What’s the best way to keep my Mac safe from the Flashback Trojan that has been in the news?” as well as any I’ve seen so far.

Magmatic.com has a post called Java Hardening Tips, which provides very good instructions on how to turn Java off, or if you actually need Java, how to set up preferences to provide maximum protection.

Anti Flashback-trojan app

Moritz Wette has created an application to determine if your Mac has been infected with the Flashback-Trojan, which reportedly has infected over 600,000 Macs worldwide. Statistically, your chances of infection are low, as there are around 100 million Macs in use (estimates made in 2010 by several sources), but this is an important security risk.

Download here. The zipped file will be downloaded to your Downloads folder, or wherever else you’ve specified downloads to go. It should automatically uncompress – if it doesn’t just doubleclick on the .zip file – and all you need to do is double-click on the icon of the app, and you’ll get a dialogue box stating that your Mac may be clean, or that it is infected.

If you’ve found an infection, please contact me immediately for a cure.

Related posts:

1. Turn Off Java — Flashback Trojan Risk Originaly posted on the Mac Performance Guide MacRumors has an...
2. New strain of Mac Flashback Trojan horse – serious threat Macworld posted this morning that Intego has discovered a new...
3. DevilRobber Trojan disguised as PixelMator A new attempt to steal data from Mac users is...

Related posts brought to you by Yet Another Related Posts Plugin.