Sophos AV Ends Support for Mac OS X 10.6 and 10.7

Sophos Anti-Virus is ending support for Mac OS X 10.6 (Snow Leopard) and 10.7 (Lion) on October 31, 2015. Computers running those operating systems will stop receiving Sophos updates after that date. Information regarding this change can be found at:

https://www.sophos.com/en-us/support/knowledgebase/122477.aspx

Apple stopped releasing security updates for both OS X 10.6 (in February 2014) and 10.7 (in September 2014), so continuing to run computers with those operating systems on the network is not recommended. IS&T strongly encourages you to upgrade those machines to the latest Mac OS if possible to ensure that they are protected.

As always, MIT users who need help or have questions can contact the IS&T Help Desk at 617.253.1101 or helpdesk@mit.edu, or submit a request online.

Recent Security Flaws and Updates

Drupal

Updates for the Drupal content management system are available. The Drupal security team’s advisory describes one critical and three “less critical” vulnerabilities that the updates address. The critical flaw lies in Drupal’s implementation of OpenID; it allows attackers to log in to websites as administrators. The issues affect Drupal versions 6 and 7.

Samsung Galaxy Smartphones

Samsung plans to release a fix for a critical security flaw that affects more than 600 million of its mobile phones. The issue affects Galaxy smartphones that come with the SwiftKey keyboard preinstalled. The flaw could be exploited to access data on the devices. Galaxy devices running Knox security software will receive a new security policy that neutralizes the vulnerability. Phones that are not running Knox will have to wait until a firmware update is ready. See Krebs on Security for this story and the Apple KeyChain story below.

Apple KeyChain

A security flaw (a zero-day bug) in Apple’s OS X and iOS could be exploited to steal information from the Apple keychain and from applications. The problem lies in the operating systems’ application sandboxes and can be exploited by specially created apps. Read the full story in the news.

Apple Security Update

Apple has issued its second security update this month. It turns out the security holes fixed the previous week needed to be patched again. The company released security update 2015-003 for OS X Yosemite last week, addressing 2 vulnerabilities. One vulnerability could potentially allow an attacker with a “privileged network position” to execute arbitrary code. The other vulnerability is a privilege escalation issue.

Users can update by going to the App Store and clicking Updates. To receive updates automatically, go to System Preferences > App Store, then check the boxes for installing and downloading available updates.

Learn more about this security update.

Apple Updates for iOS and OS X

Apple has released security updates for iOS and OS X. Both include fixes for the FREAK vulnerability in SSL/TLS. Apple’s Security Update 2015-002 addresses five vulnerabilities; Apple’s iOS 8.2 addresses six vulnerabilities and includes Apple Watch capabilities. Be sure to accept the updates as they occur, or on your computer go to the App Store and click on Updates.

Read the full story in the news.

Apple Issues iCloud Security Advisory

Last week Apple issued a security warning about attacks attempting to steal information from iCloud users with fraudulent certificates. An Apple support page warns users to heed invalid certificate warnings while visiting iCloud, saying they should never enter login information into websites that present certificate warnings.

Learn to verify that your browser is securely connected to iCloud.com

Updates on Disabling SSL 3.0

Due to the recent POODLE flaw, Apple will stop supporting SSL 3.0 for push notifications and switch to the TLS encryption standard. Apple announced on its developer site that it will make the switch on October 29.

The push notification service from Apple forwards notifications of third-party applications to iOS devices; it may include badges, sounds or custom text alerts. Apple notes that providers that only support SSL 3.0 will need to transfer to TLS as soon as possible to ensure the service continues to perform as expected.

Other vendors are also updating their services. Twitter has already notified users that it has disabled SSL 3.0 support.

Mozilla advised Firefox users to install a Mozilla security add-on that disables SSL 3.0. It will be disabling the old protocol in Firefox 34, the next version of its browser, by the end of November.

University of Michigan researchers have detailed how to disable SSL 3.0 for Internet Explorer and other sites.

Read the story online.
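If you run a push-notification provider or any other TLS endpoint that must stop accepting SSL 3.0, the following added Python script (not from the original article and not from Apple, Mozilla or any vendor named above) sends a minimal SSL 3.0 ClientHello to a host you control and reports whether the server still completes an SSL 3.0 handshake. The host name and port are assumed inputs; the response bytes used for testing are constructed samples, not captured traffic.

```python
import socket
import struct
import sys

SSLV3_VERSION = b"\x03\x00"  # protocol version 3.0 as used in SSL 3.0 records


def build_sslv3_client_hello(ciphers=(0x000A, 0x0005, 0x0004)):
    """Build a minimal SSL 3.0 ClientHello record (RFC 6101 layout)."""
    body = SSLV3_VERSION + b"\x00" * 32               # client_version + 32-byte random
    body += b"\x00"                                   # session_id length 0
    suites = b"".join(struct.pack("!H", c) for c in ciphers)
    body += struct.pack("!H", len(suites)) + suites   # cipher_suites vector
    body += b"\x01\x00"                               # compression_methods: null only
    # Handshake header: type 1 (client_hello) + 3-byte body length
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # Record header: content_type 0x16 (handshake), version, 2-byte length
    return b"\x16" + SSLV3_VERSION + struct.pack("!H", len(handshake)) + handshake


def classify_server_response(data):
    """Classify the first record a server returned to our SSL 3.0 ClientHello.

    'sslv3_accepted': ServerHello at version 3.0, so the host still negotiates
    SSL 3.0 and is exposed to POODLE; 'sslv3_rejected': an Alert record
    (handshake_failure, protocol_version, ...); 'unknown': anything else.
    """
    if len(data) < 6:
        return "unknown"
    content_type, version = data[0], data[1:3]
    if content_type == 0x16 and data[5] == 0x02 and version == SSLV3_VERSION:
        return "sslv3_accepted"
    if content_type == 0x15:
        return "sslv3_rejected"
    return "unknown"


def check_sslv3(host, port=443, timeout=5.0):
    """Connect to host:port, offer only SSL 3.0, and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        try:
            data = sock.recv(4096)
        except socket.timeout:
            return "sslv3_rejected"   # some servers silently drop SSL 3.0 hellos
    if not data:
        return "sslv3_rejected"       # connection closed without a record
    return classify_server_response(data)


if __name__ == "__main__":
    # Usage: python check_sslv3.py <host-you-control> [port]
    target = sys.argv[1]
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    print(f"{target}:{target_port} -> {check_sslv3(target, target_port)}")
```

A result of sslv3_rejected on your own endpoint is what Apple's October 29 change requires; sslv3_accepted means the service still needs its configuration tightened.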