November 21, 2014

Apple patches security flaws in iOS 8, OS X 10.10 and Apple TV 7

Apple-logo(LiveHacking.Com) – Apple has released new versions of three of its major software products. The new versions of iOS, OS X and Apple TV address multiple security vulnerabilities. iOS 8.1.1, which is available for the iPhone 4s and later; the iPod touch (5th generation) and later; and the iPad 2 and later; addresses nine separate vulnerabilities. Apple TV 7.0.2, which is available for Apple TV 3rd generation and later, addresses four vulnerabilities, all of which are common with the iOS release. OS X 10.10.1 patches four flaws, two of which are common with the iOS release and two which are specific to OS X.

The common fixes are as follows:

  • iOS and OS X: A privacy issue existed where browsing data could remain in the cache after leaving private browsing. (CVE-2014-4460)
  • iOS and OS X: The initial connection made by Spotlight or Safari to the Spotlight Suggestions servers included a user’s approximate location before a user entered a query. (CVE-2014-4453)
  • iOS and Apple TV: A state management issue existed in the handling of Mach-O executable files with overlapping segments. (CVE-2014-4455)
  • iOS and Apple TV: A malicious application may be able to execute arbitrary code with system privileges due to a validation issue that existed in the handling of certain metadata fields in IOSharedDataQueue objects. (CVE-2014-4461)
  • iOS and Apple TV: Due to multiple memory corruption issues in WebKit, visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. (CVE-2014-4452 and CVE-2014-4462)

The iOS specific fixes are:

  • In some circumstances, the failed passcode attempt limit was not enforced. (CVE-2014-4451)
  • The Leave a Message option in FaceTime may have allowed viewing and sending photos from the device. (CVE-2014-4463)
  • A permissions issue existed with the debugging functionality for iOS that allowed the spawning of applications on trusted devices that were not being debugged. (CVE-2014-4457)

The OS X only patches are:

  • The request made by About This Mac to determine the model of the system and direct users to the correct help resources included unnecessary cookies. (CVE-2014-4458)
  • Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution due to a use after free issue existed in the handling of page objects. (CVE-2014-4459)

More information about all these patches can be found on Apple’s Security Updates web site: http://support.apple.com/kb/HT1222

Source code for BadUSB vulnerability posted on GitHub

usb-flash-drive(LiveHacking.Com) – Back in August, security researchers  Karsten Nohl and Jakob Lell demonstrated how a USB device can be reprogrammed and used to infect a computer without the user’s knowledge. Dubbed BadUSB, the pair published their findings during the Black Hat conference, however they did not publish the source code or the reversed engineered firmware needed to perform the attack. Nohl and Lell said they did not release code in order to give firms making USB-controller firmware time to work out how to combat the problem.

Now two other researchers, Adam Caudill and Brandon Wilson have done their own research on BadUSB and produced code that can be used to exploit it. The source-code can be found on Github. Unlike Nohl and Lell, Caudill and Wilson think it is in the public’s interest to release the source code for public consumption.

“We’re releasing everything we’ve done here, nothing is being held back,” said Mr Wilson during his presentation at DerbyCon. “We believe that this information should not be limited to a select few as others have treated it. It needs to be available to the public.”

The BBC contacted Karsten Nohl about the new release, he said that “full disclosure” can motivate USB device makers to improve the security on their devices. However he also noted that the problem with BadUSB is not one particular device but rather, “the standard itself is what enables the attack and no single vendor is in a position to change that.” He added that, “it is unclear who would feel pressured to improve their products by the recent release.”

According to the GitHub page for the new source-code the following devices can be reprogrammed and used as attack vectors:

  • Patriot 8GB Supersonic Xpress
  • Kingston DataTraveler 3.0 T111 8GB
  • Silicon power marvel M60 64GB
  • Toshiba TransMemory-MX™ Black 16 GB
  • Patriot Stellar 64 Gb Phison

Shellshock: Code injection vulnerability found in Bash

bash-man-page(LiveHacking.Com) – A code injection vulnerability in the Bourne again shell (Bash) has been disclosed on the internet. If exploited then arbitrary commands can be executed, and where Bash is used in relation to a network service, for example in CGI scripts on a web server, then the vulnerability will allow remote code execution.

The problem resolves about the way that Bash processes environment variables used to export shell functions to other bash instances. Bash uses environment variables named by the function name, and a function definition starting with “() {” in the variable value to propagate function definitions through the process environment. The problem is that Bash does not stop after processing the function definition; it continues to parse and execute any shell commands following the function definition.

This means that shell commands can be tagged onto the end of environment variables and they will be executed by the shell. The vulnerability is deemed as critical because Bash is used widely on many types of UNIX-like operating systems including Linux, BSD, and Mac OS X.

The most prominent attack vector is via HTTP requests sent to CGI scripts executed by Bash. Also, if SSH has been configured to allow remote users to run a set of restricted commands, like rsync or git, this bug means that an attacker can use SSH to execute any command and not just the restricted command.

The initial bug was designated as CVE-2014-6271, and a patch was subsequently issued. However it was later discovered that the patch had an issue in the parser and did not fully address the problem. As a result a second CVE was assigned, CVE-2014-7169, to cover the remaining problems after the application of the first patch.

To test your system to see if your version of bash is vulnerable, run these two commands:

env X="() { :;} ; echo vulnerable" /bin/sh -c "echo completed"
env X="() { :;} ; echo vulnerable" `which bash` -c "echo completed"

In either case, if the word “vulnerable” is displayed then your shell needs patching.

The United States Computer Emergency Readiness Team (US-CERT) has issued a statement: Bourne Again Shell (Bash) Remote Code Execution Vulnerability, along with the following alert: GNU Bourne Again Shell (Bash) ‘Shellshock’ Vulnerability (CVE-2014-6271, CVE-2014-7169).

Red Hat has posted a special report on its security blog: Bash specially-crafted environment variables code injection attack. Akamai, a provider of cloud services, has also posted a blog post called Environment Bashing.

 

Apple releases iOS 8 with 56 security patches

ios8-logo(LiveHacking.Com) – Along side the release of the iPhone 6 and iPhone 6 Plus Apple has also released a new version of its mobile operating system. iOS 8 includes improvements to Siri and the ability for third parties to add widgets to the notification area. Apple are calling it “huge for developers,  massive for everyone else.” iOS 8 also includes some important security fixes. Overall Apple addressed 56 unique CVEs in this release.

Among the changes are fixes for bugs which could allow an attacker with access to an iOS device to access sensitive user information from logs, allow a local attacker to escalate privileges and install unverified applications, and fixes for bugs that allow some kernel hardening measures may be bypassed.

Other fixes include a patch to stop maliciously crafted PDF files that can allow an attacker to run arbitrary code, and a patch to stop malicious applications executing arbitrary code with system privileges. Most of these issues revolve around NULL pointer dereferencing and bounds checking. For example an out-of-bounds read issue existed in the handling of an IOHIDFamily function. As a result, a malicious application may be able to read kernel pointers and then bypass kernel address space layout randomization. According to Apple’s release notes, “this issue was addressed through improved bounds checking.” A phrase that is found several times in Apple’s document that describes the security content of iOS 8.

Webkit, the open source HTML rendering engine used by Apple, also received a lot of patches (12 in total). According to Apple visiting a maliciously crafted website in previous versions of iOS may lead to an unexpected application termination or arbitrary code execution. This was because of multiple memory corruption issues in WebKit. These issues were addressed through improved memory handling.

As well as releasing iOS 8, Apple also released new versions of OS X, OS X Server, Safari, and Apple TV. These are all maintenance releases which fix bug and patch security vulnerabilities. The full list of updates including links to the relevant security information follows:

LinkedIn can be tricked into revealing personal email addresses

linkedin(LiveHacking.Com) – Benjamin Caudill and Bryan Seely, founders of Rhino Security, have discovered an unintentional side effect of LinkedIn’s obsession with making sure you are “linked” with just about everyone you have had contact with. According to the new research, which was published in part by Brian Krebs, it is possible to troll LinkedIn and discover the email addresses of public figures including leading CEOs, celebrities and company executives.

On a normal day LinkedIn will only let you connect with users that you claim to know professionally or personally. If you don’t know some you can get an introduction via a common third party. To ensure that you are linked to everyone you know LinkedIn will optionally trawl through your Google/Yahoo/Hotmail address book to see if anyone in your address book is already using LinkedIn. Sounds great, very helpful.

The problem is that if you start to create fake email addresses in your list of contacts then LinkedIn will helpfully show you the profiles of users with addresses that match your address book. This is because LinkedIn assumes that if you have their email address then you must know the person.

Now all you need to do is populate your address book with hundreds of combinations of email addresses based on people’s names, and then add @gmail.com or @yahoo.com etc on to the end.

When you import the list of names then LinkedIn will not only show you the profiles which match the addresses, it will also tell you which addresses don’t match any known profiles. If you got lucky and found the address of a high profile user then you just need to use a process of elimination to whittle down the list of emails that didn’t match a profile and you can discover the private email address of the target LinkedIn user.

To prove their point Cludill and Seely discovered the email address of Mark Cuban, the owner of the Dallas Mavericks. Seely said they found success in locating the email addresses of other celebrities using the same method about nine times out of ten.

“We created several hundred possible addresses for Cuban in a few seconds, using a Microsoft Excel macro,” Seely said. “It’s just a brute-force guessing game, but 90 percent of people are going to use an email address that includes components of their real name.”

According to LinkedIn the company will be implementing a couple of changes over the next few weeks to alter the way the service handles email addresses.

Researchers at Black Hat conference demo USB’s fatal flaw

usb-flash-drive(LiveHacking.Com) – Security experts Karsten Nohl and Jakob Lell have demonstrated how any USB device can be reprogrammed and used to infect a computer without the user’s knowledge.

During a presentation at the Black Hat Security conference, and in a subsequent interview with the BBC, the duo have raised the question about the future security of USB devices.

As part of the demo, a normal looking smartphone was connected to a laptop, maybe something a friend or colleague might ask you to do so they can charge the device. But the smartphone was modified to present itself as a network card and not a USB media device. The result was that the malicious software on the phone was able to redirect traffic from legitimate web sites to shadow servers, which fake and the look and feel of the genuine sites, but are actually designed just to steal login credentials.

According to a blog entry posted by the pair, USB’s great versatility is also its Achilles heel. “Since different device classes can plug into the same connectors, one type of device can turn into a more capable or malicious type without the user noticing,” wrote the researchers.

The experts, who work for Security Research Labs in Germany, gave a presentation at the Black Hat conference called “BadUSB — On accessories that turn evil.” Every USB device has a micro-controller that isn’t visible to the user. It is responsible for talking with the host device (e.g. a PC) and interfacing with the actual hardware. The firmware for these microcontrollers is different on every USB device and what the micro-controller software does is different on every device. Webcams, keyboards, network interfaces, smartphones and flash drives all perform different tasks and the software is developed accordingly.

However, the team managed to reverse engineer and hack the firmware on different devices in under two months. As a result they can re-program the devices and get them to act as something they are not.

During their Black Hat presentation, a standard USB drive was inserted into a computer. Malicious code implanted on the stick tricked the PC into thinking a keyboard had been plugged in. The fake keyboard then began typing in commands – and forced the computer to download malware from the internet.

Defending against this type of attack includes tactics like code-signing of the micro-controller firmware updates or the disabling of firmware changes in hardware. However these must all be implemented by the USB device makers and isn’t something that end users can enforce.

You can download the slides from the presentation here: https://srlabs.de/blog/wp-content/uploads/2014/07/SRLabs-BadUSB-BlackHat-v1.pdf

Oracle fixes 113 security vulnerabilities, 20 just in Java

Oracle_ai(LiveHacking.Com) – Oracle has released a mammoth set of patches to address 113 security related problems across a wide range of its products. The patch release, which Oracle refers to as a Critical Patch Update (CPU), contains 113 new security fixes for a wide range of product families including: Oracle Database, Oracle Fusion Middleware, Oracle Hyperion, Oracle Enterprise Manager Grid Control, Oracle E-Business Suite, Oracle PeopleSoft Enterprise, Oracle Siebel CRM, Oracle Industry Applications, Oracle Java SE, Oracle Linux and Virtualization, Oracle MySQL, and Oracle and Sun Systems Products Suite.

Although all of the patches from Oracle should be considered important, the set that will get the most attention are the latest patches for Java. Oracle patched 20 vulnerabilities in Java. Eight of the 20 vulnerabilities could allow a hacker to completely compromise a target client. These vulnerabilities are described as being remote exploits which don’t require authentication. In total the CPU provides fixes for 17 Java SE client vulnerabilities, 1 for a JSSE vulnerability affecting client and server, and 2 vulnerabilities affecting Java client and server.

Oracle also points out that Windows XP users should upgrade to a new operating system. The security advisory says that “running unsupported operating systems, particularly one as prevalent as Windows XP, create a very significant risk to users of these systems as vulnerabilities are widely known, exploit kits routinely available, and security patches no longer provided by the OS provider.”

This CPU also includes 5 fixes for the Oracle Database, 29 new security fixes for Oracle Fusion Middleware, 5 fixes for Oracle E-Business Suite, and 3 for the Oracle Sun Systems Products Suite. According to the United States Computer Emergency Readiness Team (US-CERT), the update also include 15 patches for Oracle Virtualization products, and 10 fixes for MySQL.

“Critical Patch Update fixes are intended to address significant security vulnerabilities in Oracle products and also include code fixes that are prerequisites for the security fixes. As a result, Oracle recommends that this Critical Patch Update be applied as soon as possible by customers using the affected products,” wrote Eric Maurice on Oracle’s security blog.

Oracle releases Critical Patch Updates the Tuesday closest to the 17th day of January, April, July and October. The next CPU is due on 14 October 2014.

Microsoft, Adobe release security patches plus high profile domains rush to fix XSS vulnerability

(LiveHacking.Com) – The last few days have seen lots of security related activity from some of the world’s leading software vendors. Both Microsoft and Adobe have released patches for some of their key software while almost simultaneously a Google engineer has released details of an obscure cross-scripting request forgery bug that left several high profile domains scrambling to protect themselves over the weekend.

Microsoft

microsoft logoMicrosoft has released six new security bulletins, to tackle 29 different vulnerabilities in Microsoft Windows and Internet Explorer. Two of these security bulletins are rated Critical, while the rest are either rated as Important or Moderate.

The first of the two Critical level bulletins (MS14-037) is a cumulative security update for Internet Explorer. The update fixes one publicly disclosed vulnerability and twenty-three privately reported vulnerabilities in Microsoft’s web browser. The most severe of these vulnerabilities could allow remote code execution if a user views a specially crafted webpage using IE. This security update is rated Critical for IE 6 through to IE 11 on Microsoft Windows desktop operating systems. For the server versions of Windows the update is rated as Moderate.

The other Critical level update (MS14-038) fixes a remote code execution vulnerability that exists because of the way that Windows Journal parses specially crafted files. The vulnerability could be exploited if a user opens a specially crafted Journal file. The fix is rated Critical for all supported editions of Windows Vista, Windows Server 2008 (excluding Itanium), Windows 7, Windows Server 2008 R2 (excluding Itanium), Windows 8, Windows Server 2012, Windows RT, Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1.

The other bulletins release by Microsoft are:

  • MS14-039 – Vulnerability in On-Screen Keyboard Could Allow Elevation of Privilege. The vulnerability could allow elevation of privilege if an attacker uses a vulnerability in a low integrity process to execute the On-Screen Keyboard (OSK) and upload a specially crafted program to the target system.
  • MS14-040 – Vulnerability in Ancillary Function Driver (AFD) Could Allow Elevation of Privilege. The vulnerability could allow elevation of privilege if an attacker logs onto a system and runs a specially crafted application.
  • MS14-041 – Vulnerability in DirectShow Could Allow Elevation of Privilege. The vulnerability could allow elevation of privilege if an attacker first exploits another vulnerability in a low integrity process and then uses this vulnerability to execute specially crafted code in the context of the logged on user.
  • MS14-042Vulnerability in Microsoft Service Bus Could Allow Denial of Service. The vulnerability could allow denial of service if a remote authenticated attacker creates and runs a program that sends a sequence of specially crafted Advanced Message Queuing Protocol (AMQP) messages to the target system.

Adobe

adobe-logoAdobe has released security updates for Adobe Flash Player on Windows, OS X and Linux. The updates patch vulnerabilities that could potentially allow a remote attacker to take control of the affected system. The affected software versions are:

  • Adobe Flash Player 14.0.0.125 and earlier versions for Windows and Macintosh
  • Adobe Flash Player 11.2.202.378 and earlier versions for Linux
  • Adobe AIR 14.0.0.110 SDK and earlier versions
  • Adobe AIR 14.0.0.110 SDK & Compiler and earlier versions
  • Adobe AIR 14.0.0.110 and earlier versions for Android

As well as fixing two, as yet undisclosed, security bypass vulnerabilities (CVE-2014-0537, CVE-2014-0539), the update also includes additional validation checks to ensure that Flash Player rejects malicious content from vulnerable JSONP callback APIs (CVE-2014-4671).

XSS

rosettaflash_convertAs mentioned above, the update to Adobe Flasher Player includes additional validation checks for an obscure cross-scripting request forgery bug that was disclosed by Google’s information security engineer Michele Spagnuolo over the weekend. In his blog “Abusing JSONP with Rosetta Flash,” Michele details how his tool Rosetta Flash can convert Adobe SFW files from binary to text. Attackers can then upload the “weaponised” SWF file to a domain where they will be loaded by a victim’s browser and executed by Adobe Flash Player.

Several high-profile websites were vulnerable, including most Google domains, Instagram, Tumblr and eBay. Many of these sites have worked over the weekend to protect themselves against the vulnerability.

Because of the sensitivity of this vulnerability, Spagnuolo first disclosed it internally to Google, and then privately to Adobe. He also told Twitter, eBay, Tumblr and Instagram before going public with his findings.

Apple fixes 44 security bugs in iOS

Apple-logo(LiveHacking.Com) – Apple has released a new point release of iOS 7 to address 44 different security issues with Apple’s mobile operating system. Among the patches are bug fixes for vulnerabilities in the iOS kernel, and fixes for errors in “launchd,” which could allow a malicious application to execute arbitrary code with system privileges. There are also lots of fixes for WebKit, the HTML rendering engine used by Safari.

The kernel vulnerability, which could cause an iOS device to unexpectedly restart, exists because of a null pointer de-reference in the handling of IOKit API arguments. This problem was addressed through additional validation of IOKit API arguments.

launchd has been patched quite extensively in this release. The program is responsible for starting, stopping and managing back ground processes and apps on iOS. According to Apple’s security notice for iOS 7.1.2, launchd has several different vulnerabilities including a heap buffer overflow in the handling of IPC messages, a heap buffer overflow in the handling of log messages, and some unspecified integer overflow/underflow issues. All of these could possibly allow a malicious application to execute arbitrary code with system privileges.

The WebKit HTML rendering engine was also heavily patched with 28 unique bugs being squashed. Many of the bugs were discovered either by Google’s Chrome Security Team or by renowned security researchers like “miaubiz” who were participating in Google’s Vulnerability Rewards Program for Chromium. However Apple did find several bugs on its own. In total, the discovery of 12 of the 28 vulnerabilities is attributed (or co-attributed) to Apple. The result of the “multiple memory corruption issues” in WebKit was that a user visiting a maliciously crafted website could lead to an unexpected application termination or arbitrary code execution.

Two other WebKit vulnerabilities were also found by Erling Ellingsen of Facebook. The first was an encoding issue that existed in the handling of unicode characters in URLs. The result was that a malicious site could send messages to a connected frame or window in a way that might circumvent the receiver’s origin check. The other problem was a spoofing issue that existed in the handling of URLs.

Another interesting issue fixed in this version of iOS was a problem with Siri and lock codes. If a Siri request referred to one of several possible contacts, Siri displayed a list of choices and the option ‘More…’ for a complete contact list. When used at the lock screen, Siri did not require the passcode before viewing the complete contact list.

iOS 7.1.2 is available now for the iPhone 4 and later, the iPod touch (5th generation) and later, and the iPad 2 and later.

Microsoft, Adobe and Google release security patches for Critical vulnerabilities

binarycodeMicrosoft, Adobe and Google have released patches for their products to fix Critical security vulnerabilities. Microsoft released eight security bulletins – two rated Critical and six rated Important – to address 13 different vulnerabilities in .NET Framework, Office, SharePoint, Internet Explorer, and Windows. Adobe released security updates to address multiple vulnerabilities in Reader, Acrobat, Flash Player, and Illustrator. For both companies, some of the vulnerabilities could allow hackers to run arbitrary code and take control of the affected system. Google also updated its Chrome web browser with the new version of Adobe Flash, but it also took the opportunity to patch some vulnerabilities in the internals of its browser.

Microsoft

Listed among Microsoft’s updates is a patch for IE which fixes the zero-day vulnerability that attackers were using against the browser at the end of April. Microsoft released this particular patch on May 1 2014 and the patch also applied to Windows XP. However the same can’t be said of the rest of Microsoft’s updates. XP is now officially dead, from a support point of view anyway.

May’s patches also include another update for IE. This time to fix two privately reported vulnerabilities in the browser. The vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. IE 6 to IE 11 are all affected.

Microsoft are also recommending that system administrators ensure that their systems are updated with  MS14-024 and MS14-025. The former fixes a vulnerability in the MSCOMCTL common controls library that could allow a security feature bypass if a user views a specially crafted webpage with a web browser capable of instantiating COM components, such as Internet Explorer. The latter patches a vulnerability in Windows that could allow elevation of privilege if the Active Directory Group Policy preferences are used to distribute passwords across the domain. The update removes the ability to configure and distribute passwords that use certain Group Policy preference extensions because such actions could allow an attacker to retrieve and decrypt the password stored with Group Policy preferences.

Adobe

Adobe’s updates cover three main product groups: Adobe Reader and AcrobatAdobe Flash Player and Adobe Illustrator (CS6). The affected versions are as follows:

  • Adobe Reader XI 11.0.07 for Windows and Macintosh
  • Adobe Reader X 10.1.10 for Windows and Macintosh
  • Adobe Acrobat XI (11.0.07) for Windows and Macintosh
  • Adobe Acrobat X (10.1.10) for Windows and Macintosh
  • Adobe Flash Player 13.0.0.214 for Windows, Macintosh, and Linux
  • Adobe Flash Player 11.2.202.359 for Linux
  • Adobe AIR SDK and Compiler 13.0.0.111 for Windows and Macintosh
  • Adobe Illustrator (subscription) 16.2.2 for Windows and Macintosh
  • Adobe Illustrator (non-subscription) 16.0.5 for Windows and Macintosh

The patch for Adobe Illustrator (CS6) for Windows and Macintosh fixes a “vulnerability that could be exploited to gain remote code execution on the affected system”, while the updates for Adobe Flash Player “address vulnerabilities that could potentially allow an attacker to take control of the affected system.” All the updates are rated as Critical including the third set which patch Adobe Reader and Acrobat XI to “address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.”

Google

With the release of a new version of Adobe Flash, Google released Chrome 34.0.1847.137 for Windows, Mac and Linux to include Flash Player 13.0.0.214. However the search giant also took the opportunity to fix three security problems. The non-Google researchers who contributed to finding the vulnerabilities where rewarded $4500 between them for their efforts:

  • [$2000][358038] High CVE-2014-1740: Use-after-free in WebSockets. Credit to Collin Payne.
  • [$1500][349898] High CVE-2014-1741: Integer overflow in DOM ranges. Credit to John Butler.
  • [$1000][356690] High CVE-2014-1742: Use-after-free in editing. Credit to cloudfuzzer.