September 20, 2014

iOS 6.1 released by Apple with dozens of security fixes

(LiveHacking.Com) – Apple has released an upgrade for the iOS firmware running on its range of smartphones and tablets. iOS 6.1 adds some new features, including LTE support for extra carriers and the ability for iTunes Match subscribers to download individual songs from iCloud, and fixes dozens of security vulnerabilities.

The fixes come in two categories: iOS-specific fixes and WebKit fixes. Since various parts of iOS, including the iTunes stores and the Safari web browser, rely heavily on WebKit, these WebKit fixes impact the whole of iOS.

First, the iOS-specific fixes. Apple lists several crucial fixes, including:

  • An error handling issue existed in Identity Services. If the user’s AppleID certificate failed to validate, the user’s AppleID was assumed to be the empty string. If multiple systems belonging to different users enter this state, applications relying on this identity determination may erroneously extend trust.
  • Visiting a maliciously crafted website may lead to a cross-site scripting attack.
  • JavaScript may be enabled in Mobile Safari without user interaction. If a user disabled JavaScript in Safari Preferences, visiting a site which displayed a Smart App Banner would re-enable JavaScript without warning the user.

There are also two fixes which are shared with the recent Apple TV 5.2 release:

  • A user-mode process may be able to access the first page of kernel memory.
  • A remote attacker on the same WiFi network may be able to temporarily disable WiFi because of an out-of-bounds read issue in Broadcom’s BCM4325 and BCM4329 firmware’s handling of 802.11i information elements.

The WebKit changes fix vulnerabilities where visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution because of various memory corruption issues in WebKit. Many of these problems were previously fixed by Google in its Chrome web browser. There is also a WebKit fix for an issue where copying and pasting content on a malicious website may lead to a cross-site scripting attack.

Finally, the update also deals with the intermediate CA certificates that were issued by TURKTRUST.

iOS 6.1 is available for iPhone 3GS and later, iPod touch (4th generation) and later and iPad 2 and later.

Apple TV updated with security fixes

(LiveHacking.Com) – Apple has released V5.1 of its Apple TV software to add some new features, like Photo Stream sharing, new screen savers and a way to switch iTunes accounts, as well as to address some security issues.

Apple TV 5.1, which is available for Apple TV 2nd generation devices and later, addresses 21 separate issues, some of which could lead to arbitrary code execution.

The first issue resolves a problem with the handling of Sorenson encoded movie files where viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. The same issue was fixed by Apple in QuickTime 7.7.2 and iOS 6. Apple also fixed problems when viewing maliciously crafted TIFF, PNG and JPEG files.

Multiple vulnerabilities existed in libxml and JavaScriptCore, the most serious of which may lead to an unexpected application termination or arbitrary code execution. The result is that an attacker with a privileged network position may cause an unexpected application termination or arbitrary code execution. These issues were fixed by using the latest versions of these libraries.

Apple also fixed a problem where the device may broadcast MAC addresses of previously accessed networks per the DNAv4 protocol. This issue was addressed by disabling DNAv4 on unencrypted Wi-Fi networks.

To check which version of the OS your device is using, select “Settings -> General -> About”. Most users won’t need to do anything as Apple TV will regularly check for software updates. Alternatively, you may manually check for software updates by selecting “Settings -> General -> Update Software”.

In brief: Apple releases updates for OS X and Safari

(LiveHacking.Com) – Having released iOS 6 with a large number of security fixes, Apple has now released an update to OS X and a new version of Safari. For OS X, Mountain Lion has been updated to v10.8.2, Lion jumps to v10.7.5 and for OS X 10.6 Snow Leopard Apple has released Security Update 2012-004. Safari has received a minor update to 6.0.1 to address a range of security issues.

The updates to OS X upgrade or fix a number of low level OS X components including:

  • Apache has been updated to version 2.2.22 to address several vulnerabilities, the most serious of which may lead to a denial of service.
  • A reachable assertion issue existed in the handling of DNS records. This issue was addressed by updating to BIND 9.7.6-P1.
  • PHP is updated to version 5.3.15 to address multiple vulnerabilities, the most serious of which may lead to arbitrary code execution.

Other components updated include: CoreText, DirectoryService, ImageIO, Kernel, Mail and QuickTime.

Safari has also been updated, including a large set of fixes for WebKit. OS X Mountain Lion v10.8.2 automatically updates Safari to Safari 6.0.1.

Plethora of security updates in iOS 6

(LiveHacking.Com) – Yesterday Apple launched the latest version of its mobile operating system for the iPhone, iPad and iPod Touch. iOS 6 brings new features like Facebook integration and is the default OS for the new iPhone 5 which starts shipping on Friday. The new OS also includes lots of important security fixes.

Included in the fixes is an update to WebKit, the open source HTML rendering engine which Apple created and which is also used in Google Chrome. Apple updated iTunes recently with a very similar set of WebKit fixes to those found in iOS 6. Apple describes the WebKit vulnerabilities by saying that “Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution.” This, it explains, is because “multiple memory corruption issues existed in WebKit. These issues are addressed through improved memory handling.”

Other WebKit fixes include several cross-site scripting fixes and better URL handling. According to Apple, the Unicode fonts embedded in Safari could be used to create a URL which contains look-alike characters. These look-alike characters can be used by a malicious website to direct the user to a spoofed site that visually appears to be a legitimate domain.

Apple also spent some time fixing issues with the passcode lock, which can be set from within iOS to stop unwanted access to the device. This included a design flaw in the support for viewing photos that were taken while the screen was locked. Previously, to determine which photos should be displayed, the passcode lock checked the time at which the device was locked and compared it to the time that a photo was taken. However, by spoofing the current time an attacker could gain access to photos that were taken before the device was locked. To fix this, iOS now explicitly keeps track of the photos that were taken while the device was locked.
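The two policies described above, modelled side by side as an added Python example (this is not Apple's code; the Device and Photo classes and the clock values are constructed for illustration). The old policy compares timestamps against the recorded lock time, so a wrong clock at lock time exposes earlier photos; the fixed policy consults a flag recorded at capture time.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Photo:
    name: str
    taken_at: int                      # device clock reading when the shutter fired
    taken_while_locked: bool = False   # explicit flag the fixed design records at capture


@dataclass
class Device:
    clock: int                         # current device time; may be wrong or spoofed
    locked_at: Optional[int] = None    # clock reading recorded when the screen locked
    photos: List[Photo] = field(default_factory=list)

    def take_photo(self, name: str) -> Photo:
        # A photo taken from the lock-screen camera is flagged at capture time,
        # independently of what the clock happens to say.
        photo = Photo(name, self.clock, taken_while_locked=self.locked_at is not None)
        self.photos.append(photo)
        return photo

    def lock(self) -> None:
        self.locked_at = self.clock


def visible_by_timestamp(dev: Device) -> List[str]:
    """Old policy: show any photo whose timestamp is not earlier than the lock time."""
    if dev.locked_at is None:
        return []
    return [p.name for p in dev.photos if p.taken_at >= dev.locked_at]


def visible_by_flag(dev: Device) -> List[str]:
    """Fixed policy: show only photos explicitly recorded as taken while locked."""
    return [p.name for p in dev.photos if p.taken_while_locked]


def run_scenario(clock_at_lock: int) -> Tuple[List[str], List[str]]:
    """Constructed scenario: two private photos are taken while unlocked (t=500, t=900),
    the clock reads `clock_at_lock` when the device locks, and one photo is then taken
    from the lock screen. Returns what each policy would show on the lock screen."""
    dev = Device(clock=500)
    dev.take_photo("beach")          # unlocked, t=500
    dev.clock = 900
    dev.take_photo("passport")       # unlocked, t=900
    dev.clock = clock_at_lock        # honest: later than both; spoofed: earlier than both
    dev.lock()
    dev.take_photo("lockscreen")     # lock-screen camera, flagged as taken while locked
    return visible_by_timestamp(dev), visible_by_flag(dev)


if __name__ == "__main__":
    print("honest clock :", run_scenario(1000))   # both policies: ['lockscreen']
    print("spoofed clock:", run_scenario(400))    # old policy leaks 'beach' and 'passport'
```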

Other fixes are:

  • CFNetwork – An issue existed in CFNetwork’s handling of malformed URLs. CFNetwork may send requests to an incorrect hostname, resulting in the disclosure of sensitive information. This issue was addressed through improvements to URL handling.
  • CoreGraphics – Multiple vulnerabilities existed in FreeType, the most serious of which may lead to arbitrary code execution when processing a maliciously crafted font. These issues were addressed by updating FreeType to version 2.4.9. Further information is available via the FreeType site at http://www.freetype.org/
  • CoreMedia – An uninitialized memory access existed in the handling of Sorenson encoded movie files. This issue was addressed through improved memory initialization.
  • DHCP – Upon connecting to a Wi-Fi network, iOS may broadcast MAC addresses of previously accessed networks per the DNAv4 protocol. This issue was addressed by disabling DNAv4 on unencrypted Wi-Fi networks.
  • ImageIO – A buffer overflow existed in libtiff’s handling of ThunderScan encoded TIFF images. This issue was addressed by updating libtiff to version 3.9.5.
  • ImageIO – Multiple memory corruption issues existed in libpng’s handling of PNG images. These issues were addressed through improved validation of PNG images.
  • ImageIO – A double free issue existed in ImageIO’s handling of JPEG images. This issue was addressed through improved memory management.
  • ImageIO – An integer overflow issue existed in libTIFF’s handling of TIFF images. This issue was addressed through improved validation of TIFF images.
  • International Components for Unicode – A stack buffer overflow existed in the handling of ICU locale IDs. This issue was addressed through improved bounds checking.
  • IPSec – A buffer overflow existed in the handling of racoon configuration files. This issue was addressed through improved bounds checking.
  • Kernel – An invalid pointer dereference issue existed in the kernel’s handling of packet filter ioctls. This may allow an attacker to alter kernel memory. This issue was addressed through improved error handling.
  • Kernel – An uninitialized memory access issue existed in the Berkeley Packet Filter interpreter, which led to the disclosure of memory content. This issue was addressed through improved memory initialization.
  • libxml – Multiple vulnerabilities existed in libxml, the most serious of which may lead to an unexpected application termination or arbitrary code execution. These issues were addressed by applying the relevant upstream patches.
  • Mail – A logic issue existed in Mail’s handling of attachments. If a subsequent mail attachment used the same Content-ID as a previous one, the previous attachment would be displayed, even in the case where the 2 mails originated from different senders. This could facilitate some spoofing or phishing attacks. This issue was addressed through improved handling of attachments.
  • Mail – A logic issue existed in Mail’s use of Data Protection on email attachments. This issue was addressed by properly setting the Data Protection class for email attachments.
  • Mail – S/MIME signed messages displayed the untrusted ‘From’ address, instead of the name associated with the message signer’s identity. This issue was addressed by displaying the address associated with the message signer’s identity when it is available.
  • Messages – When a user had multiple email addresses associated with iMessage, replying to a message may have resulted in the reply being sent from a different email address. This may disclose another email address associated to the user’s account. This issue was addressed by always replying from the email address the original message was sent to.
  • Office Viewer – An information disclosure issue existed in the support for viewing Microsoft Office files. When viewing a document, the Office Viewer would write a temporary file containing data from the viewed document to the temporary directory of the invoking process. For an application that uses data protection or other encryption to protect the user’s files, this could lead to information disclosure. This issue was addressed by avoiding creation of temporary files when viewing Office documents.
  • OpenGL – Multiple memory corruption issues existed in the handling of GLSL compilation. These issues were addressed through improved validation of GLSL shaders.
  • Passcode Lock – A logic issue existed with the display of the “Slide to Power Off” slider on the lock screen. This issue was addressed through improved lock state management.
  • Passcode Lock – A logic issue existed in the termination of FaceTime calls from the lock screen. This issue was addressed through improved lock state management.
  • Passcode Lock – A design issue existed in the support for viewing photos that were taken at the lock screen. In order to determine which photos to permit access to, the passcode lock consulted the time at which the device was locked and compared it to the time that a photo was taken. By spoofing the current time, an attacker could gain access to photos that were taken before the device was locked. This issue was addressed by explicitly keeping track of the photos that were taken while the device was locked.
  • Passcode Lock – A logic issue existed in the Emergency Dialer screen, which permitted FaceTime calls via Voice Dialing on the locked device. This could also disclose the user’s contacts via contact suggestions. This issue was addressed by disabling Voice Dialing on the Emergency Dialer screen.
  • Passcode Lock – Using the camera from the screen lock could in some cases interfere with automatic lock functionality, allowing a person with physical access to the device to bypass the Passcode Lock screen. This issue was addressed through improved lock state management.
  • Passcode Lock – A state management issue existed in the handling of the screen lock. This issue was addressed through improved lock state management.
  • Restrictions – After disabling Restrictions, iOS may not ask for the user’s password during a transaction. This issue was addressed by additional enforcement of purchase authorization.
  • Safari – Websites could use a Unicode character to create a lock icon in the page title. This icon was similar in appearance to the icon used to indicate a secure connection, and could have led the user to believe a secure connection had been established. This issue was addressed by removing these characters from page titles.
  • Safari – Password input elements with the autocomplete attribute set to “off” were being autocompleted. This issue was addressed through improved handling of the autocomplete attribute.
  • System Logs – Sandboxed apps had read access to /var/log directory, which may allow them to obtain sensitive information contained in system logs. This issue was addressed by denying sandboxed apps access to the /var/log directory.
  • Telephony – Messages displayed the return address of an SMS message as the sender. Return addresses may be spoofed. This issue was addressed by always displaying the originating address instead of the return address.
  • Telephony – An off-by-one buffer overflow existed in the handling of SMS user data headers. This issue was addressed through improved bounds checking.
  • UIKit – Applications that use UIWebView may leave unencrypted files on the file system even when a passcode is enabled. This issue was addressed through improved use of data protection.
  • WebKit – A cross-origin issue existed in the handling of CSS property values. This issue was addressed through improved origin tracking.
  • WebKit – A cross-origin issue existed in the handling of iframes in popup windows. This issue was addressed through improved origin tracking.
  • WebKit – A cross-origin issue existed in the handling of iframes and fragment identifiers. This issue was addressed through improved origin tracking.
  • WebKit – The International Domain Name (IDN) support and Unicode fonts embedded in Safari could have been used to create a URL which contains look-alike characters. These could have been used in a malicious website to direct the user to a spoofed site that visually appears to be a legitimate domain. This issue was addressed by supplementing WebKit’s list of known look-alike characters. Look-alike characters are rendered in Punycode in the address bar.
  • WebKit – A canonicalization issue existed in the handling of URLs. This may have led to cross-site scripting on sites which use the location.href property. This issue was addressed through improved canonicalization of URLs.
  • WebKit – An HTTP header injection issue existed in the handling of WebSockets. This issue was addressed through improved WebSockets URI sanitization.
  • WebKit – A state management issue existed in the handling of session history. Navigations to a fragment on the current page may cause Safari to display incorrect information in the URL bar. This issue was addressed through improved session state tracking.
  • WebKit – An uninitialized memory access issue existed in the handling of SVG images. This issue was addressed through improved memory initialization.
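An address-bar display policy of the kind the IDN entry in the list above describes, as an added Python example (not WebKit's code): a label containing a listed look-alike character is shown in its Punycode form instead of as Unicode, and, going one step beyond the page, so is a label that mixes scripts. The LOOKALIKES table is a constructed stand-in for WebKit's much larger list; the script check uses Unicode character names as a rough substitute for real script properties.

```python
import unicodedata
from typing import Set, Tuple

# Constructed, deliberately small table of known look-alike characters: each maps a
# non-Latin letter to the Latin letter it visually resembles.
LOOKALIKES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
}


def scripts_in(label: str) -> Set[str]:
    """Rough script detection: the first word of each letter's Unicode name
    (LATIN, CYRILLIC, GREEK, ...). Digits and hyphens are ignored."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def to_punycode(label: str) -> str:
    """ASCII-compatible form of one label (the xn-- form the address bar falls back to)."""
    return label.encode("idna").decode("ascii")


def classify_label(label: str) -> Tuple[str, str]:
    """Return (text to display, reason) for one hostname label."""
    if label.isascii():
        return label, "ascii"                       # nothing to disguise, show as-is
    if any(ch in LOOKALIKES for ch in label):
        return to_punycode(label), "lookalike"      # the page's rule: known confusables
    if len(scripts_in(label)) > 1:
        return to_punycode(label), "mixed-script"   # generalisation beyond the page
    return label, "unicode"                         # single-script, no known confusables


def display_host(host: str) -> str:
    """Apply the per-label policy to a whole hostname."""
    return ".".join(classify_label(label)[0] for label in host.lower().split("."))


if __name__ == "__main__":
    for host in ("apple.com", "b\u00fccher.de", "\u0430pple.com", "\u0436abc.example"):
        print(host, "->", display_host(host))
```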

Apple releases iTunes 10.7 with support for iOS 6 plus it fixes 163 WebKit vulnerabilities

(LiveHacking.Com) – In the wake of the new iPhone 5 announcement, Apple has released iTunes 10.7 for Windows 7, Vista and XP to include support for iOS 6 and the new iPhone, and has taken the opportunity to update the built-in WebKit based web browser. The iTunes Store is web powered and as such uses WebKit to display the current songs, movies and TV which Apple are offering.

WebKit is an open source HTML rendering engine which Apple created. It is also used in Google Chrome. As a result when Apple or Google fix a security issue in WebKit everyone benefits, even iTunes users! This update fixes 163 vulnerabilities.

Apple explains these 163 vulnerabilities in the succinct statement: “Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution.” This, it explains, is because “multiple memory corruption issues existed in WebKit. These issues are addressed through improved memory handling.”

Many of these vulnerabilities have been previously fixed in Google’s Chrome web browser, with many of the vulnerabilities being credited to the “Google Chrome Security Team” or to security researchers, such as Miaubiz, who receive rewards from Google for finding bugs. However, Apple did do its fair share of the work, with at least 25 of the vulnerabilities being discovered by Apple itself.

iOS 6 will become available on Wednesday, Sept. 19. It will be available for the new iPhone 5 and fifth-generation iPod Touch plus users of the iPhone 4S, iPhone 4, iPhone 3GS, new iPad, iPad 2, and fourth-generation iPod touch will be able to upgrade for free.

You can download iTunes 10.7 from Apple’s official website.

Safari 6.0 released with fixes for security vulnerabilities

(LiveHacking.Com) – Apple has released Safari 6.0 as part of the launch of OS X 10.8 Mountain Lion. The new version of the Mac OS includes an updated version of Apple’s web browser, which has also been backported to OS X 10.7 Lion. As well as new features, Safari 6.0 addresses multiple security issues.

The fixes included in version 6.0 include:

  • A cross-site scripting issue existed in the handling of feed:// URLs. This update removes handling of feed:// URLs.
  • An access control issue existed in the handling of feed:// URLs. This update removes handling of feed:// URLs.
  • Password input elements with the autocomplete attribute set to “off” were being autocompleted. This update addresses the issue by improved handling of the autocomplete attribute.
  • An issue existed in Safari’s support for the ‘attachment’ value for the HTTP Content-Disposition header. This header is used by many websites to serve files that were uploaded to the site by a third-party, such as attachments in web-based e-mail applications. Any script in files served with this header value would run as if the file had been served inline, with full access to other resources on the origin server. This issue is addressed by downloading resources served with this header, rather than displaying them inline.

Safari 6.0 uses the open source WebKit (which Apple created) as its rendering engine. WebKit contained multiple memory corruption issues which, if exploited, means that a user visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. These issues are addressed through improved memory handling inside WebKit.

Many of the WebKit vulnerabilities have been previously fixed in Google’s Chrome web browser (which also uses WebKit), with many of the vulnerabilities being credited to the “Google Chrome Security Team” or to security researchers, such as Miaubiz, who receive rewards from Google for finding bugs. However, Apple did do its fair share of the work, with a good number of the WebKit vulnerabilities being discovered by Apple itself.

Safari 6.0 isn’t available for OS X 10.5 Snow Leopard, which has now been abandoned by Apple (leaving users with a 32-bit Intel Mac vulnerable). Also, at this time there is no news about Safari 6.0 for Windows.

Incredibly Apple releases Java update for OS X on the same day as Oracle

(LiveHacking.Com) – In the past Apple has come under heavy criticism due to the unacceptable amount of time it takes the Cupertino company to release Java updates for its OS X operating system. April and May saw a massive malware breakout on OS X due to a vulnerability in Java. The problem was that Oracle fixed the vulnerability in February but Apple didn’t release a patch until April. In the intervening months over half a million Macs got infected with the Flashback Trojan.

This time around Oracle has patched a number of Critical vulnerabilities in Java and Apple has stepped up its game. On the same day as Oracle, Apple released a Java update for Mac OS X v10.6 Snow Leopard and OS X Lion v10.7.

The Java update fixes 14 security issues, 12 of which are remotely exploitable without authentication. This means that they can be exploited over a network without the need for a username and password. The most serious of the vulnerabilities allows an untrusted Java applet to execute arbitrary code outside the Java sandbox. Visiting a web page containing a maliciously crafted untrusted Java applet may lead to arbitrary code execution with the privileges of the current user.

The OS X update also includes some security hardening measures. First, the Java browser plugin and Java Web Start are deactivated if they are not used for 35 days. By default they are automatically deactivated. Secondly, the Java browser plugin and Java Web Start are deactivated if they do not meet the criteria for the minimum safe version. The minimum safe version of Java is updated daily, as needed. To re-enable Java, a newer version needs to be installed.

The update from Oracle affects the following versions of Java:

  • JDK and JRE 7 Updates 4 and earlier
  • JDK and JRE 6 Update 32 and earlier
  • JDK and JRE 5.0 Update 35 and earlier
  • SDK and JRE 1.4.2_37 and earlier
  • JavaFX 2.1 and earlier

New iOS 5.1.1 Safari Browser Denial Of Service Vulnerability Found

(LiveHacking.Com) – Alberto Ortega, a vulnerability researcher at AlienVault and author of PenTBox (a set of security tools written in Ruby), has discovered a new denial-of-service vulnerability in Apple’s iOS. The problem, which occurs in the Safari web browser, has been seen to manifest itself on iOS 5.0.1, 5.1.0 and 5.1.1 and affects the iPod Touch, the iPhone and the iPad.

According to the security advisory published by Alberto, when the JavaScript function match() is given a large buffer as a parameter, the browser unexpectedly crashes. It also seems that the search() function is affected.

“iOS has a lot of mitigations to avoid successful exploitation,” Ortega said. “This software has errors and holes but you will need to bypass those hard mitigations and find more weaknesses to have something ‘usable’.” He believes that this vulnerability is a “step to achieve a real exploitation”.

To test the vulnerability you need to run the code posted in the advisory in Ruby and then open the URL of the running script in Safari. The Ruby script will send a specially crafted web page, which contains the relevant JavaScript, to the iOS device. When attempting to run the JavaScript, Safari will crash.

This latest discovery comes only a few days after the Chronic-Dev Team published an untethered jailbreak for iOS 5.1.1.

At the time of disclosure, Ortega had already reported the problem to Apple, but there has been no official response.

New Versions of Popular Media Players QuickTime and RealPlayer Fix Multiple Security Vulnerabilities

(LiveHacking.Com) – Apple has released a new version of QuickTime to address multiple vulnerabilities that if exploited could allow an attacker to execute arbitrary code or cause a denial-of-service condition. In an unrelated release RealNetworks have released a new version of RealPlayer. These releases underline that multimedia files (video, audio and images) are a valid attack vector for hackers.

QuickTime 7.7.2 for Windows fixes a number of serious security problems, most of which are triggered either by viewing a maliciously crafted website or by viewing a maliciously crafted multimedia file (MP4 file, MPEG file, PNG file, QTVR movie file or JPEG2000 encoded movie file) and could lead to an unexpected application termination or arbitrary code execution.

The vulnerabilities existed because of:

  • Multiple stack overflows existed in QuickTime’s handling of TeXML files.
  • A heap overflow existed in QuickTime’s handling of text tracks.
  • A heap buffer overflow existed in the handling of H.264 encoded movie files.
  • An uninitialized memory access issue existed in the handling of MP4 encoded files.
  • An off by one buffer overflow existed in the handling of rdrf atoms in QuickTime movie files.
  • A buffer overflow existed in the handling of audio sample tables.
  • An integer overflow existed in the handling of MPEG files.
  • A stack buffer overflow existed in the QuickTime plugin’s handling of QTMovie objects.
  • A buffer overflow existed in the handling of PNG files.
  • A signedness issue existed in the handling of QTVR movie files.
  • A use after free issue existed in the handling of JPEG2000 encoded movie files.
  • A buffer overflow existed in the handling of RLE encoded movie files.
  • A buffer overflow existed in QuickTime’s handling of Sorenson encoded movie files.
  • An integer overflow existed in QuickTime’s handling of sean atoms.
  • A memory corruption issue existed in the handling of .pict files.
  • An integer underflow existed in QuickTime’s handling of audio streams in MPEG files.

Additionally, opening a file in a maliciously crafted path may lead to an unexpected application termination or arbitrary code execution due to a stack buffer overflow in QuickTime’s handling of file paths.

Some of these issues have been previously fixed on OS X in either OS X Lion v10.7.4 or Security Update 2012-001 for OS X 10.6 Snow Leopard.

RealPlayer

RealNetworks has released a new version of its RealPlayer media player application for Windows to address multiple security vulnerabilities including a MP4 file handling memory corruption, a RealMedia ASMRuleBook parsing error that can allow remote code execution and a RealJukebox Media parser buffer overrun. RealNetworks says that it has no reports of any machines actually being compromised as a result of the now-remedied vulnerabilities.

Apple Releases First OS X 10.5 Update For Nearly a Year – But Doesn’t Patch Any Known Vulnerabilities

(LiveHacking.Com) – Apple have made the interesting move of releasing a security update for OS X 10.5 Leopard which doesn’t actually patch any known vulnerabilities. Instead the update for the oldest of the OS X versions that runs on Intel Macs disables out-of-date versions of Adobe Flash Player.

Leopard Security Update 2012-003 disables Adobe Flash Player if it is older than 10.1.102.64. It does this by moving its files to a new directory. If the update disables Flash Player, the user is presented with the option to install an updated version from the Adobe website. Apple disabled Flash Player older than 10.1.102.64 on OS X Snow Leopard and OS X Lion a few days ago.

Apple have also released a version of the Flashback malware removal tool designed for Leopard. Apple released the same tool for Snow Leopard and Lion almost a month ago. According to the advisory: “This update runs a malware removal tool that will remove the most common variants of the Flashback malware. If the Flashback malware is found, it presents a dialog notifying the user that malware was removed. There is no indication to the user if malware is not found.”

Leopard has been left languishing without any updates from Apple for nearly a year. The last application update was for iTunes in November 2011, while the last operating system level update was in June of the same year.

There are of course still users of OS X 10.4 and OS X 10.5 for the PowerPC which it seems Apple has completely abandoned.