KeRanger ransomware, an attempt at detection & removal via the JSS

Transmission is a popular BitTorrent client for Mac. Over the weekend it emerged that a version of the app available from the project's website had been swapped for a tampered build.

That build contained the KeRanger ransomware, which appears to be the first functioning example of ransomware targeting OS X.

Below is more information, along with a script that should alert on, or clean up, affected Macs.
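One way to build such an alert-or-clean-up check as a Jamf extension attribute, added here as an example rather than the post's own script: it looks for the indicators published for the trojanised Transmission 2.90 build (the General.rtf dropper inside the app bundle, the kernel_service copy of it, and the .kernel_pid, .kernel_time and .kernel_complete state files under each user's Library). Those indicator paths come from public analyses of KeRanger, not from this page, and the root-directory argument is an assumption added so the check can be pointed at a constructed directory tree instead of "/".

```shell
#!/bin/sh
# Added example, not the post's script: Jamf extension attribute (EA) for the
# KeRanger indicators. The indicator paths are the ones published for the
# trojanised Transmission 2.90 build, not taken from this page. The root
# directory argument is an assumption added so the check can be pointed at a
# test tree; on a managed Mac it is simply "/".

keranger_indicators() {
    # Print the full path of every KeRanger indicator present under $1.
    # Prints nothing on a clean system.
    root="${1:-/}"
    # The dropper hidden in the tampered app bundle (a Mach-O disguised as RTF).
    dropper="$root/Applications/Transmission.app/Contents/Resources/General.rtf"
    [ -f "$dropper" ] && echo "$dropper"
    # The copy the dropper makes of itself, plus the state files it writes
    # while it waits out its delay and while it encrypts.
    for home in "$root"/Users/*; do
        [ -d "$home/Library" ] || continue
        for f in kernel_service .kernel_pid .kernel_time .kernel_complete; do
            [ -e "$home/Library/$f" ] && echo "$home/Library/$f"
        done
    done
    return 0
}

keranger_ea_result() {
    # Jamf EA output: <result>Clean</result>, or <result>Infected: a,b,...</result>
    # listing the indicators found, so a smart group can key off "Infected".
    found=$(keranger_indicators "$1" | tr '\n' ',' | sed 's/,$//')
    if [ -z "$found" ]; then
        echo "<result>Clean</result>"
    else
        echo "<result>Infected: $found</result>"
    fi
}

keranger_remove_files() {
    # Remove the indicators under $1. The tampered Transmission.app is removed
    # whole rather than patched, so the user must reinstall a clean build.
    # This does not recover files that were already encrypted.
    root="${1:-/}"
    if [ -f "$root/Applications/Transmission.app/Contents/Resources/General.rtf" ]; then
        rm -rf "$root/Applications/Transmission.app"
    fi
    keranger_indicators "$root" | while IFS= read -r path; do
        rm -f "$path"
    done
    return 0
}

# When run as an EA, report on the live system. Set KERANGER_CLEAN=1 in the
# policy to also stop the running copy and remove the files.
if [ "${KERANGER_CLEAN:-0}" = 1 ]; then
    pkill -f kernel_service 2>/dev/null || true
    keranger_remove_files /
fi
keranger_ea_result /
```

Run it as an extension attribute for inventory, and as a policy script with KERANGER_CLEAN=1 for remediation; keep the two roles separate so an inventory run never deletes anything by accident.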

Sparkle Updater Framework HTTP man-in-the-middle vulnerability

Sparkle is an open source update framework that is used within thousands of Mac apps, including my own AutoCasperNBI & AutoImagrNBI.

A vulnerability in Sparkle was recently disclosed, and an updated version of the framework was issued soon after.

However, that update may take some time to reach all the apps on the Macs we administer, so below is some more detail, along with methods of mitigation and detection.
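An added example of the detection side, not the post's own script: a shell audit that walks /Applications for bundles shipping Sparkle.framework and reads each app's SUFeedURL from its Info.plist, flagging appcast feeds fetched over plain http://, which is the case the disclosed man-in-the-middle attack depends on. The directory argument, the verdict names and the fixture plist format are assumptions; SUFeedURL is Sparkle's standard Info.plist key, but an app can also supply its feed URL from its updater delegate, so an app reported as no-feed-key still deserves a manual look rather than being treated as safe.

```shell
#!/bin/sh
# Added example, not the post's script: audit installed apps for Sparkle feeds
# fetched over plain HTTP. Paths, verdict names and the directory argument are
# assumptions; SUFeedURL is Sparkle's Info.plist key for the appcast URL.

sparkle_feed_url() {
    # Print the SUFeedURL string from the Info.plist of the app bundle at $1,
    # or nothing if the key is absent. On a Mac the plist is often binary, so
    # it is converted with plutil when available; elsewhere (or on failure)
    # it is read as XML.
    plist="$1/Contents/Info.plist"
    [ -f "$plist" ] || return 0
    if command -v plutil >/dev/null 2>&1; then
        xml=$(plutil -convert xml1 -o - "$plist" 2>/dev/null) || xml=$(cat "$plist")
    else
        xml=$(cat "$plist")
    fi
    printf '%s' "$xml" | tr -d '\n' |
        sed -n 's|.*<key>SUFeedURL</key>[[:space:]]*<string>\([^<]*\)</string>.*|\1|p'
}

sparkle_audit() {
    # Walk $1 (default /Applications, two levels deep so Utilities is covered)
    # and print "<app>TAB<verdict>TAB<feed>" for every bundle that ships
    # Sparkle.framework. Verdicts:
    #   insecure-http  appcast fetched over plain HTTP: exposed to the MITM
    #   https          appcast fetched over TLS
    #   no-feed-key    Sparkle present but no SUFeedURL in Info.plist
    #                  (the app may set its feed from a delegate; check by hand)
    #   other          a scheme that is neither http nor https
    dir="${1:-/Applications}"
    [ -d "$dir" ] || return 0
    find "$dir" -maxdepth 2 -name '*.app' -prune 2>/dev/null |
    while IFS= read -r app; do
        [ -d "$app/Contents/Frameworks/Sparkle.framework" ] || continue
        feed=$(sparkle_feed_url "$app")
        case "$feed" in
            http://*)  verdict=insecure-http ;;
            https://*) verdict=https ;;
            "")        verdict=no-feed-key ;;
            *)         verdict=other ;;
        esac
        printf '%s\t%s\t%s\n' "$app" "$verdict" "$feed"
    done
    return 0
}

sparkle_ea_result() {
    # Jamf EA output: the apps whose appcast goes over plain HTTP, comma
    # separated, or None. Key a smart group off anything other than None.
    bad=$(sparkle_audit "$1" | awk -F'\t' '$2 == "insecure-http" { print $1 }' |
          tr '\n' ',' | sed 's/,$//')
    if [ -z "$bad" ]; then
        echo "<result>None</result>"
    else
        echo "<result>$bad</result>"
    fi
}

sparkle_ea_result /Applications
```

The audit only covers the feed URL; an app with an https feed but an old Sparkle copy still needs the vendor's rebuilt release, so pair this with a check of the framework version Sparkle.framework ships with.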

Check EFI Password State Extension Attribute

JAMF have a great article, linked here, on deploying the binary needed to set a firmware password on 2010+ Macs via the Casper Suite.

I recently had a chance to play with it, but found that the command used by that article's Extension Attribute to check the EFI password status often returns nothing, or just 0, regardless of whether an EFI password is set.

So below is a different version of the previously linked Extension Attribute, using “expect” and a perhaps inelegant check.. but hey, if it works!
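An added example, not the post's Extension Attribute, showing the same check with the failure mode handled explicitly: instead of driving the deployed binary with expect, it parses the output of firmwarepasswd -check, which OS X 10.10 and later ship in /usr/sbin and which prints "Password Enabled: Yes" or "Password Enabled: No" when run as root. The parser is kept separate from the command so it can be exercised on captured strings, and any blank or "0" output, the result the post describes, is reported as Unknown rather than as Disabled. Using firmwarepasswd in place of the deployed binary is an assumption and only applies to Macs running 10.10 or later.

```shell
#!/bin/sh
# Added example, not the post's EA: report firmware (EFI) password state to
# Jamf. Assumes OS X 10.10+ where /usr/sbin/firmwarepasswd exists and, run as
# root (as Jamf EAs are), prints "Password Enabled: Yes" or
# "Password Enabled: No" for `firmwarepasswd -check`. Parsing is separated
# from running the command so the mapping can be exercised on captured text.

efi_password_state() {
    # Map the text printed by `firmwarepasswd -check` to a stable EA value.
    # Only an explicit Yes/No is trusted: a blank answer or a bare "0", the
    # output the post describes, becomes Unknown rather than Disabled, so a
    # flaky check can never make a Mac look as if it has no password.
    case "$1" in
        *"Password Enabled: Yes"*) echo "Enabled" ;;
        *"Password Enabled: No"*)  echo "Disabled" ;;
        *)                         echo "Unknown" ;;
    esac
}

efi_password_check_output() {
    # Run the live check and return its output; empty when the tool is absent
    # (pre-10.10 Macs, or a non-Mac test host) or when it fails.
    if [ -x /usr/sbin/firmwarepasswd ]; then
        /usr/sbin/firmwarepasswd -check 2>/dev/null || true
    fi
}

efi_password_ea() {
    # Jamf EA wrapper. Build a smart group on "Unknown" as well as "Disabled":
    # Unknown means the check itself needs attention, not that the Mac is fine.
    echo "<result>$(efi_password_state "$(efi_password_check_output)")</result>"
}

efi_password_ea
```

Scoping a smart group to Unknown as well as Disabled is the point of the three-way result: a check that silently returns nothing should show up as work to do, not disappear into the "compliant" bucket.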
